From b0608fdce4be6a266f759c9a9ac1a91f92ba42fe Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sun, 2 Feb 2025 00:03:34 +0000 Subject: [PATCH] Added chart versions: jfrog/artifactory-ha: - 107.104.6 jfrog/artifactory-jcr: - 107.104.6 --- assets/jfrog/artifactory-ha-107.104.5.tgz | Bin 224332 -> 224337 bytes assets/jfrog/artifactory-ha-107.104.6.tgz | Bin 0 -> 224367 bytes assets/jfrog/artifactory-jcr-107.104.6.tgz | Bin 0 -> 469740 bytes .../jfrog/artifactory-ha/107.104.5/Chart.yaml | 1 - .../artifactory-ha/107.104.6/.helmignore | 24 + .../artifactory-ha/107.104.6/CHANGELOG.md | 1511 ++++++ .../jfrog/artifactory-ha/107.104.6/Chart.lock | 6 + .../jfrog/artifactory-ha/107.104.6/Chart.yaml | 33 + charts/jfrog/artifactory-ha/107.104.6/LICENSE | 201 + .../jfrog/artifactory-ha/107.104.6/README.md | 69 + .../artifactory-ha/107.104.6/app-readme.md | 16 + .../107.104.6/charts/postgresql/.helmignore | 21 + .../107.104.6/charts/postgresql/Chart.lock | 6 + .../107.104.6/charts/postgresql/Chart.yaml | 29 + .../107.104.6/charts/postgresql/README.md | 770 +++ .../postgresql/charts/common/.helmignore | 22 + .../postgresql/charts/common/Chart.yaml | 23 + .../charts/postgresql/charts/common/README.md | 322 ++ .../charts/common/templates/_affinities.tpl | 94 + .../charts/common/templates/_capabilities.tpl | 95 + .../charts/common/templates/_errors.tpl | 23 + .../charts/common/templates/_images.tpl | 47 + .../charts/common/templates/_ingress.tpl | 42 + .../charts/common/templates/_labels.tpl | 18 + .../charts/common/templates/_names.tpl | 32 + .../charts/common/templates/_secrets.tpl | 129 + .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 + .../common/templates/validations/_mongodb.tpl | 108 + .../templates/validations/_postgresql.tpl | 131 + .../common/templates/validations/_redis.tpl | 72 + .../templates/validations/_validations.tpl | 46 + .../postgresql/charts/common/values.yaml | 3 + .../postgresql/ci/commonAnnotations.yaml | 3 + .../charts/postgresql/ci/default-values.yaml | 1 + .../ci/shmvolume-disabled-values.yaml | 2 + .../charts/postgresql/files/README.md | 1 + .../charts/postgresql/files/conf.d/README.md | 4 + .../docker-entrypoint-initdb.d/README.md | 3 + .../charts/postgresql/templates/NOTES.txt | 59 + .../charts/postgresql/templates/_helpers.tpl | 337 ++ .../postgresql/templates/configmap.yaml | 31 + .../templates/extended-config-configmap.yaml | 26 + .../postgresql/templates/extra-list.yaml | 4 + .../templates/initialization-configmap.yaml | 25 + .../templates/metrics-configmap.yaml | 14 + .../postgresql/templates/metrics-svc.yaml | 26 + .../postgresql/templates/networkpolicy.yaml | 39 + .../templates/podsecuritypolicy.yaml | 38 + .../postgresql/templates/prometheusrule.yaml | 23 + .../charts/postgresql/templates/role.yaml | 20 + .../postgresql/templates/rolebinding.yaml | 20 + .../charts/postgresql/templates/secrets.yaml | 24 + .../postgresql/templates/serviceaccount.yaml | 12 + .../postgresql/templates/servicemonitor.yaml | 33 + .../templates/statefulset-readreplicas.yaml | 411 ++ .../postgresql/templates/statefulset.yaml | 609 +++ .../postgresql/templates/svc-headless.yaml | 28 + .../charts/postgresql/templates/svc-read.yaml | 43 + .../charts/postgresql/templates/svc.yaml | 41 + .../charts/postgresql/values.schema.json | 103 + .../107.104.6/charts/postgresql/values.yaml | 824 ++++ .../107.104.6/ci/access-tls-values.yaml | 34 + .../107.104.6/ci/default-values.yaml | 32 + .../107.104.6/ci/global-values.yaml | 255 + .../107.104.6/ci/large-values.yaml | 85 + .../107.104.6/ci/loggers-values.yaml | 43 + .../107.104.6/ci/medium-values.yaml | 85 + .../ci/migration-disabled-values.yaml | 31 + .../107.104.6/ci/nginx-autoreload-values.yaml | 53 + .../ci/rtsplit-access-tls-values.yaml | 106 + .../107.104.6/ci/rtsplit-values.yaml | 155 + .../107.104.6/ci/small-values.yaml | 90 + .../107.104.6/ci/test-values.yaml | 85 + .../107.104.6/files/binarystore.xml | 442 ++ .../107.104.6/files/installer-info.json | 32 + .../artifactory-ha/107.104.6/files/migrate.sh | 4311 +++++++++++++++++ .../107.104.6/files/migrationHelmInfo.yaml | 27 + .../107.104.6/files/migrationStatus.sh | 44 + .../files/nginx-artifactory-conf.yaml | 114 + .../107.104.6/files/nginx-main-conf.yaml | 83 + .../107.104.6/files/system.yaml | 192 + .../107.104.6/logo/artifactory-logo.png | Bin 0 -> 82419 bytes .../artifactory-ha/107.104.6/questions.yml | 424 ++ .../107.104.6/sizing/artifactory-2xlarge.yaml | 185 + .../107.104.6/sizing/artifactory-large.yaml | 185 + .../107.104.6/sizing/artifactory-medium.yaml | 185 + .../107.104.6/sizing/artifactory-small.yaml | 184 + .../107.104.6/sizing/artifactory-xlarge.yaml | 184 + .../107.104.6/sizing/artifactory-xsmall.yaml | 186 + .../107.104.6/templates/NOTES.txt | 149 + .../107.104.6/templates/_helpers.tpl | 673 +++ .../templates/_system-yaml-render.tpl | 5 + .../templates/additional-resources.yaml | 3 + .../templates/admin-bootstrap-creds.yaml | 15 + .../templates/artifactory-access-config.yaml | 15 + .../artifactory-binarystore-secret.yaml | 18 + .../templates/artifactory-configmaps.yaml | 13 + .../templates/artifactory-custom-secrets.yaml | 19 + .../artifactory-database-secrets.yaml | 24 + .../artifactory-gcp-credentials-secret.yaml | 16 + .../templates/artifactory-installer-info.yaml | 16 + .../templates/artifactory-license-secret.yaml | 16 + .../artifactory-migration-scripts.yaml | 18 + .../templates/artifactory-networkpolicy.yaml | 34 + .../templates/artifactory-nfs-pvc.yaml | 101 + .../templates/artifactory-node-pdb.yaml | 26 + .../artifactory-node-statefulset.yaml | 1695 +++++++ .../templates/artifactory-primary-pdb.yaml | 24 + .../artifactory-primary-service.yaml | 61 + .../artifactory-primary-statefulset.yaml | 1884 +++++++ .../templates/artifactory-priority-class.yaml | 9 + .../107.104.6/templates/artifactory-role.yaml | 14 + .../templates/artifactory-rolebinding.yaml | 19 + .../templates/artifactory-secrets.yaml | 30 + .../templates/artifactory-service-grpc.yaml | 49 + .../templates/artifactory-service.yaml | 68 + .../templates/artifactory-serviceaccount.yaml | 17 + .../templates/artifactory-storage-pvc.yaml | 27 + .../templates/artifactory-system-yaml.yaml | 16 + .../templates/artifactory-unified-secret.yaml | 96 + .../templates/filebeat-configmap.yaml | 15 + .../107.104.6/templates/ingress-grpc.yaml | 80 + .../107.104.6/templates/ingress.yaml | 107 + .../107.104.6/templates/logger-configmap.yaml | 63 + .../templates/nginx-artifactory-conf.yaml | 18 + .../templates/nginx-certificate-secret.yaml | 14 + .../107.104.6/templates/nginx-conf.yaml | 18 + .../107.104.6/templates/nginx-deployment.yaml | 221 + .../107.104.6/templates/nginx-pdb.yaml | 23 + .../107.104.6/templates/nginx-pvc.yaml | 26 + .../templates/nginx-scripts-conf.yaml | 52 + .../107.104.6/templates/nginx-service.yaml | 94 + .../107.104.6/templates/rtfs-deployment.yaml | 349 ++ .../templates/rtfs-properties-configmap.yaml | 17 + .../107.104.6/templates/rtfs-service.yaml | 41 + .../artifactory-ha/107.104.6/values.yaml | 2125 ++++++++ .../artifactory-jcr/107.104.6/CHANGELOG.md | 209 + .../artifactory-jcr/107.104.6/Chart.yaml | 30 + .../jfrog/artifactory-jcr/107.104.6/LICENSE | 201 + .../jfrog/artifactory-jcr/107.104.6/README.md | 125 + .../artifactory-jcr/107.104.6/app-readme.md | 18 + .../107.104.6/charts/artifactory/.helmignore | 24 + .../107.104.6/charts/artifactory/CHANGELOG.md | 1406 ++++++ .../107.104.6/charts/artifactory/Chart.lock | 6 + .../107.104.6/charts/artifactory/Chart.yaml | 24 + .../107.104.6/charts/artifactory/LICENSE | 201 + .../107.104.6/charts/artifactory/README.md | 60 + .../artifactory/charts/postgresql/.helmignore | 21 + .../artifactory/charts/postgresql/Chart.lock | 6 + .../artifactory/charts/postgresql/Chart.yaml | 29 + .../artifactory/charts/postgresql/README.md | 770 +++ .../postgresql/charts/common/.helmignore | 22 + .../postgresql/charts/common/Chart.yaml | 23 + .../charts/postgresql/charts/common/README.md | 322 ++ .../charts/common/templates/_affinities.tpl | 94 + .../charts/common/templates/_capabilities.tpl | 95 + .../charts/common/templates/_errors.tpl | 23 + .../charts/common/templates/_images.tpl | 47 + .../charts/common/templates/_ingress.tpl | 42 + .../charts/common/templates/_labels.tpl | 18 + .../charts/common/templates/_names.tpl | 32 + .../charts/common/templates/_secrets.tpl | 129 + .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 + .../common/templates/validations/_mongodb.tpl | 108 + .../templates/validations/_postgresql.tpl | 131 + .../common/templates/validations/_redis.tpl | 72 + .../templates/validations/_validations.tpl | 46 + .../postgresql/charts/common/values.yaml | 3 + .../postgresql/ci/commonAnnotations.yaml | 3 + .../charts/postgresql/ci/default-values.yaml | 1 + .../ci/shmvolume-disabled-values.yaml | 2 + .../charts/postgresql/files/README.md | 1 + .../charts/postgresql/files/conf.d/README.md | 4 + .../docker-entrypoint-initdb.d/README.md | 3 + .../charts/postgresql/templates/NOTES.txt | 59 + .../charts/postgresql/templates/_helpers.tpl | 337 ++ .../postgresql/templates/configmap.yaml | 31 + .../templates/extended-config-configmap.yaml | 26 + .../postgresql/templates/extra-list.yaml | 4 + .../templates/initialization-configmap.yaml | 25 + .../templates/metrics-configmap.yaml | 14 + .../postgresql/templates/metrics-svc.yaml | 26 + .../postgresql/templates/networkpolicy.yaml | 39 + .../templates/podsecuritypolicy.yaml | 38 + .../postgresql/templates/prometheusrule.yaml | 23 + .../charts/postgresql/templates/role.yaml | 20 + .../postgresql/templates/rolebinding.yaml | 20 + .../charts/postgresql/templates/secrets.yaml | 24 + .../postgresql/templates/serviceaccount.yaml | 12 + .../postgresql/templates/servicemonitor.yaml | 33 + .../templates/statefulset-readreplicas.yaml | 411 ++ .../postgresql/templates/statefulset.yaml | 609 +++ .../postgresql/templates/svc-headless.yaml | 28 + .../charts/postgresql/templates/svc-read.yaml | 43 + .../charts/postgresql/templates/svc.yaml | 41 + .../charts/postgresql/values.schema.json | 103 + .../artifactory/charts/postgresql/values.yaml | 824 ++++ .../artifactory/ci/access-tls-values.yaml | 24 + .../charts/artifactory/ci/default-values.yaml | 21 + .../artifactory/ci/derby-test-values.yaml | 19 + .../charts/artifactory/ci/global-values.yaml | 247 + .../charts/artifactory/ci/large-values.yaml | 82 + .../charts/artifactory/ci/loggers-values.yaml | 43 + .../charts/artifactory/ci/medium-values.yaml | 82 + .../ci/migration-disabled-values.yaml | 21 + .../ci/nginx-autoreload-values.yaml | 42 + .../ci/rtsplit-values-access-tls-values.yaml | 96 + .../charts/artifactory/ci/rtsplit-values.yaml | 151 + .../charts/artifactory/ci/small-values.yaml | 85 + .../charts/artifactory/ci/test-values.yaml | 84 + .../charts/artifactory/files/binarystore.xml | 429 ++ .../artifactory/files/installer-info.json | 32 + .../charts/artifactory/files/migrate.sh | 4311 +++++++++++++++++ .../artifactory/files/migrationHelmInfo.yaml | 27 + .../artifactory/files/migrationStatus.sh | 44 + .../files/nginx-artifactory-conf.yaml | 114 + .../artifactory/files/nginx-main-conf.yaml | 83 + .../charts/artifactory/files/system.yaml | 185 + .../artifactory/logo/artifactory-logo.png | Bin 0 -> 82419 bytes .../sizing/artifactory-2xlarge.yaml | 182 + .../artifactory/sizing/artifactory-large.yaml | 184 + .../sizing/artifactory-medium.yaml | 183 + .../artifactory/sizing/artifactory-small.yaml | 183 + .../sizing/artifactory-xlarge.yaml | 184 + .../sizing/artifactory-xsmall.yaml | 185 + .../charts/artifactory/templates/NOTES.txt | 106 + .../charts/artifactory/templates/_helpers.tpl | 638 +++ .../templates/_system-yaml-render.tpl | 5 + .../templates/additional-resources.yaml | 3 + .../templates/admin-bootstrap-creds.yaml | 15 + .../templates/artifactory-access-config.yaml | 15 + .../artifactory-binarystore-secret.yaml | 18 + .../templates/artifactory-configmaps.yaml | 13 + .../templates/artifactory-custom-secrets.yaml | 19 + .../artifactory-database-secrets.yaml | 24 + .../artifactory-gcp-credentials-secret.yaml | 16 + .../templates/artifactory-hpa.yaml | 29 + .../templates/artifactory-installer-info.yaml | 16 + .../templates/artifactory-license-secret.yaml | 16 + .../artifactory-migration-scripts.yaml | 18 + .../templates/artifactory-networkpolicy.yaml | 34 + .../templates/artifactory-nfs-pvc.yaml | 101 + .../templates/artifactory-pdb.yaml | 24 + .../templates/artifactory-priority-class.yaml | 9 + .../templates/artifactory-role.yaml | 14 + .../templates/artifactory-rolebinding.yaml | 19 + .../templates/artifactory-secrets.yaml | 30 + .../templates/artifactory-service-grpc.yaml | 44 + .../templates/artifactory-service.yaml | 59 + .../templates/artifactory-serviceaccount.yaml | 17 + .../templates/artifactory-statefulset.yaml | 1789 +++++++ .../templates/artifactory-system-yaml.yaml | 16 + .../templates/artifactory-unified-secret.yaml | 94 + .../templates/filebeat-configmap.yaml | 15 + .../artifactory/templates/ingress-grpc.yaml | 80 + .../charts/artifactory/templates/ingress.yaml | 110 + .../templates/logger-configmap.yaml | 63 + .../templates/nginx-artifactory-conf.yaml | 18 + .../templates/nginx-certificate-secret.yaml | 14 + .../artifactory/templates/nginx-conf.yaml | 18 + .../templates/nginx-deployment.yaml | 223 + .../artifactory/templates/nginx-pdb.yaml | 23 + .../artifactory/templates/nginx-pvc.yaml | 26 + .../templates/nginx-scripts-conf.yaml | 52 + .../artifactory/templates/nginx-service.yaml | 88 + .../templates/rtfs-deployment.yaml | 350 ++ .../templates/rtfs-properties-configmap.yaml | 17 + .../artifactory/templates/rtfs-service.yaml | 42 + .../107.104.6/charts/artifactory/values.yaml | 2041 ++++++++ .../107.104.6/ci/default-values.yaml | 7 + .../107.104.6/logo/jcr-logo.png | Bin 0 -> 77047 bytes .../artifactory-jcr/107.104.6/questions.yml | 271 ++ .../107.104.6/templates/NOTES.txt | 1 + .../artifactory-jcr/107.104.6/values.yaml | 77 + index.yaml | 76 +- 285 files changed, 44810 insertions(+), 4 deletions(-) create mode 100644 assets/jfrog/artifactory-ha-107.104.6.tgz create mode 100644 assets/jfrog/artifactory-jcr-107.104.6.tgz create mode 100644 charts/jfrog/artifactory-ha/107.104.6/.helmignore create mode 100644 charts/jfrog/artifactory-ha/107.104.6/CHANGELOG.md create mode 100644 charts/jfrog/artifactory-ha/107.104.6/Chart.lock create mode 100644 charts/jfrog/artifactory-ha/107.104.6/Chart.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/LICENSE create mode 100644 charts/jfrog/artifactory-ha/107.104.6/README.md create mode 100644 charts/jfrog/artifactory-ha/107.104.6/app-readme.md create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/.helmignore create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/Chart.lock create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/Chart.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/README.md create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/.helmignore create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/Chart.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/README.md create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_affinities.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_capabilities.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_errors.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_images.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_ingress.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_labels.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_names.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_secrets.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_storage.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_tplvalues.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_utils.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_warnings.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_cassandra.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_mariadb.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_mongodb.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_postgresql.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_redis.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_validations.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/commonAnnotations.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/default-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/shmvolume-disabled-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/README.md create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/conf.d/README.md create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/docker-entrypoint-initdb.d/README.md create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/NOTES.txt create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/_helpers.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/configmap.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/extended-config-configmap.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/extra-list.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/initialization-configmap.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/metrics-configmap.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/metrics-svc.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/networkpolicy.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/podsecuritypolicy.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/prometheusrule.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/role.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/rolebinding.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/secrets.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/serviceaccount.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/servicemonitor.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/statefulset-readreplicas.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/statefulset.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc-headless.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc-read.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/values.schema.json create mode 100644 charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/access-tls-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/default-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/global-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/large-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/loggers-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/medium-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/migration-disabled-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/nginx-autoreload-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/rtsplit-access-tls-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/rtsplit-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/small-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/ci/test-values.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/files/binarystore.xml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/files/installer-info.json create mode 100644 charts/jfrog/artifactory-ha/107.104.6/files/migrate.sh create mode 100644 charts/jfrog/artifactory-ha/107.104.6/files/migrationHelmInfo.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/files/migrationStatus.sh create mode 100644 charts/jfrog/artifactory-ha/107.104.6/files/nginx-artifactory-conf.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/files/nginx-main-conf.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/files/system.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/logo/artifactory-logo.png create mode 100644 charts/jfrog/artifactory-ha/107.104.6/questions.yml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-2xlarge.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-large.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-medium.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-small.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-xlarge.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-xsmall.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/NOTES.txt create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/_helpers.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/_system-yaml-render.tpl create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/additional-resources.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/admin-bootstrap-creds.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-access-config.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-binarystore-secret.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-configmaps.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-custom-secrets.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-database-secrets.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-gcp-credentials-secret.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-installer-info.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-license-secret.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-migration-scripts.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-networkpolicy.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-nfs-pvc.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-node-pdb.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-node-statefulset.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-primary-pdb.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-primary-service.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-primary-statefulset.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-priority-class.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-role.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-rolebinding.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-secrets.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-service-grpc.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-service.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-serviceaccount.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-storage-pvc.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-system-yaml.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-unified-secret.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/filebeat-configmap.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/ingress-grpc.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/ingress.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/logger-configmap.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/nginx-artifactory-conf.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/nginx-certificate-secret.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/nginx-conf.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/nginx-deployment.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/nginx-pdb.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/nginx-pvc.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/nginx-scripts-conf.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/nginx-service.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/rtfs-deployment.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/rtfs-properties-configmap.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/templates/rtfs-service.yaml create mode 100644 charts/jfrog/artifactory-ha/107.104.6/values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/CHANGELOG.md create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/Chart.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/LICENSE create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/README.md create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/app-readme.md create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/.helmignore create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/CHANGELOG.md create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/Chart.lock create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/Chart.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/LICENSE create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/README.md create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/.helmignore create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/Chart.lock create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/Chart.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/README.md create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/.helmignore create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/Chart.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/README.md create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_affinities.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_capabilities.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_errors.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_images.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_ingress.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_labels.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_names.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_secrets.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_storage.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_tplvalues.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_utils.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_warnings.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_cassandra.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_mariadb.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_mongodb.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_postgresql.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_redis.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_validations.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/commonAnnotations.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/default-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/shmvolume-disabled-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/README.md create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/conf.d/README.md create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/docker-entrypoint-initdb.d/README.md create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/NOTES.txt create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/_helpers.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/configmap.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/extended-config-configmap.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/extra-list.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/initialization-configmap.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/metrics-configmap.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/metrics-svc.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/networkpolicy.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/podsecuritypolicy.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/prometheusrule.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/role.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/rolebinding.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/secrets.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/serviceaccount.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/servicemonitor.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/statefulset-readreplicas.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/statefulset.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc-headless.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc-read.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/values.schema.json create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/access-tls-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/default-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/derby-test-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/global-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/large-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/loggers-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/medium-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/migration-disabled-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/nginx-autoreload-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/rtsplit-values-access-tls-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/rtsplit-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/small-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/test-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/binarystore.xml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/installer-info.json create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/migrate.sh create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/migrationHelmInfo.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/migrationStatus.sh create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/nginx-artifactory-conf.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/nginx-main-conf.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/system.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/logo/artifactory-logo.png create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-2xlarge.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-large.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-medium.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-small.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-xlarge.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-xsmall.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/NOTES.txt create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/_helpers.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/_system-yaml-render.tpl create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/additional-resources.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/admin-bootstrap-creds.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-access-config.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-binarystore-secret.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-configmaps.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-custom-secrets.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-database-secrets.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-gcp-credentials-secret.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-hpa.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-installer-info.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-license-secret.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-migration-scripts.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-networkpolicy.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-nfs-pvc.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-pdb.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-priority-class.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-role.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-rolebinding.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-secrets.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-service-grpc.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-service.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-serviceaccount.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-statefulset.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-system-yaml.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-unified-secret.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/filebeat-configmap.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/ingress-grpc.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/ingress.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/logger-configmap.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-artifactory-conf.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-certificate-secret.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-conf.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-deployment.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-pdb.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-pvc.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-scripts-conf.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-service.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/rtfs-deployment.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/rtfs-properties-configmap.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/rtfs-service.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/ci/default-values.yaml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/logo/jcr-logo.png create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/questions.yml create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/templates/NOTES.txt create mode 100644 charts/jfrog/artifactory-jcr/107.104.6/values.yaml diff --git a/assets/jfrog/artifactory-ha-107.104.5.tgz b/assets/jfrog/artifactory-ha-107.104.5.tgz index 90d33db65a1400c02ada19ddb49925d184a0039e..38eda485b1335e489763d9b3909b479adc8a4494 100644 GIT binary patch delta 218105 zcmV)SK(fEg*bULx4Uk5EK;_(PyEQ4vk0e!_-s?C{>P=$%Yq{P9XOs_x~8BY%E9ELdfEy*Y&sj-qTh{c#zV6L^bwPOl1Kap%V)Zy~Qye zlN9kRNmwdqJVrQ*&=mi{Qk3A}43Fiz5lg37@QoHi!;D5D5{yM0;W$Kl2S_4_q}*>! znC!ag;l;&;?q0yA9S7%~77b*NMl>S*P6u;N1n8j}>jkSV57AJLc#97QDM|7$yHX8;HvdYe~7Sf~Zs zs$E5#Woe+M*kE8x#UvZT@BzM_w3e79vVM|8G=QDfa;DC#n@_g?>*#;Pg0nkpV*&l| zZf*4{^uM?DK>zRKDbuUFq(^j2xacE3!J9je``g`r?SOQtB*j9WG40Ln=BC%( z^14q?yHEQ&+x?xM|FpZ)+kE^@cc;JAZGW;2^@Tm9{eO<5jPN^V0O#)i&CTuZ&g1g_ z-+Jk6V%JSHb(Ou3NsN^^qT3t4bR zQcJM%vd38z4M>m@!4(9AJT#pd5U9x3%pVGHjD`fUbCS|9Br(dk z9J=b3ujwN99i$?b+OasVedv)d@L08U$OP%5qckKbVk4BKWJFRD2SiRpZ@t_C+FYN1 z4;5{#S9-5ng4qQYg>Zx;&R`kHDZEr@;%Lo)hPOG;^_=$eKKgJ4NOYRl^Ac0B$8xSr zzDvbO|Mdr>@oS=sPB9lGwLkT@d=^Tj+z&3=1Riq~WL&W6L80;IWK83Yx-a_W&n(KO zr1^}9Jet9n z8hhJEf3+G*ls@X-*S=MwD1EAo#(ZBv`dSxYA(urM5_uOuLM|2#Xh#<`isZ-xmQeNe z(LZ0F9KCw?^0X zx28TC;fND>Rp?@AiL9Vqy`Tki7bMJwTG|NFxX@A@ zMKjppDGf=PK8~^|l8h4)WST@+5VQt(G4~K4WttQLhqc~Xfq#!Qz<#UPqy%`4=2|Pr zymKKUxlZH_RL^Uxx(Q(yE9|C!%Mi^XH<%6Sx1DTAy(x|96h}}%;Bg;)>+krzCtF)j z9zS{d_zApEvM4%c5e;U2bTB$(;y5Lo!~!@>d!15E{FxCh^e=f|pF(r(o$g!O)-Qu3 z>!WtBJ5?_tI;Ax=daueA+AVtzl%?Tv);&%6X`V9|J9%?KL*!_}%>J1<#5 zP9SFwWCN0}B`H0Zt6VRC8A^Do?lhf$mcmKz>`Ff4f=qwK)5s3r)bq&aa z0#3aliP(jj#u$-HJWVv;xQNTC?e*rmGuopvPSrA#?2g7QYDQxfj6OXiw<^(?ae}by zmS?9-AAZ9b;t2_V=xC-;=r-O$r5Am}X%X0YugT2t!b7#sfuyq${H+_11(D=(gOtdd zuirwZG7zd077_FuORhsR%@Rc^i}X^?7xGy)Bxy_p;UI@)0q@{&O5+aB#Dt~v|9~~= zq(dBZTJpcLyQ+*7YxD=RJiNrS9IyIwW!`WO@{$yvxa@m1M_5sH~WoTzh2 zL6dt)q#4aT~Ch z(~zVjL|9&$Pso^DqPKEo$ywQeDZ=PDB_n!?rh3ICSWHeqTwD(s_FyJRdW^-Sk2*z- zjec2>y(73~)qK&@(UG5Ju^_^n1MiI5?fS_^#pNv`?%@C`NCdZ`h`t;ur254QNy;u~ z-jIcVGmq2%ll8i?QiO*j${P_W9*t<=DY3aZd1^jMhD?7FkuzbM|3K4>3rSn2IL;K$ zridug47ps^Ji&q5H$YPC{Q-f1)6>V4CnBz818Q;TA3(sIvpQsw!LM zHKf;?q=7A9$Mh#4ruh)8utlDf2}voegb0m)2o_mNHq_EqdsgyB>a}7pV1a;MN23dg zNy@VE1O|Nq%LmR8%H{S@FP_g5%(>Z4z*#6l&VXlBN3iLC%bdt+JIeKDm~zh`@-ZpSCbduUC5+FX~Vha@H=3PiQ%%WVf8K7@lAAtyO-Q1ENp1%!0Z_RIW5s-M#NudX2*|5632KRm5`K@~0M~SgG6zUP+uMDHAMU`D)`NC+YK};lzg3}q`Yl7o3DU>px%)tV?s6Usa z=&GKn+J{aJ9_ZI6qhB!*7c4zX^iBVNx8GZqm`IvrKuFGnC~6|RUeU3_8LOjWyY^5^bxR|X#MM;r>Hs$aZ^EU-&8v0ti#s!IY!%!|XxzpQUE4kVfU+(3{Y#+6IJ6)iP2}wCr3P}CgiI5_qo89g! zs)f1c#=I9{I+fKlm#QGhbEl7XwzoDV{FF|y(k|2paA75nMsgL->QP|#$6%S#pfV|lMpp{L(cY$!j;=WJQ6nH-DTqi{ zYK5eEy&b5hE|Z5xr_KfOSgn%5|My0nLy|KA+nKd0-FpVxeSJd$nz0PM{b_J&BqoNZ z3=LfgiNG{cszSulf@~0f7+cv7E^sPZrj8M*FqCF-se+JP(JTkg!~~c_9J@mRQh&(e zeO>YvJ z>;1#4aw*gIXOBLd9KG3pw|jDU^}dBKfTCy+4SKqU@%3Bk++=YdW!xi}3$Le-e=R&V zgb``VSUKivByIxpGu|<53h@#adX~~!^&`9@m!h-6iSWdKgm~pIz{=pfs%-mz<%M?I zNVqM-x3B-rm2a!HV_5_*&Ej2t$l?>m1n^L{>@tvn zY95;^`#ivr;^h{$(^PYrRs)C%bh#C*W)`?ULX6SPS+FGa-n%hVQ54Uu9*;&Ym^7_PPF zIHj^2mn@Jd*sDmaXE8C;D41jfQV`;Cty0LZ$MO`DQw4`R!W@dhK!|K}KX3A9(_&wX zC)8YjzWw#x{^8H>e%?LNM=U_nmy|LWU1WHROlwyg15}w^m({IfbXQz!04wA`5gn0W z7DSR!V`u8Vsd18@0VpqKm%z)EO$*$oHOPA6?`-;)8|W8I1;BGlDN#Za5fB^B5KBmm zvLs?S;W+H0-`afA-au_H zkpI1y(1@VlenXGef-H^XA&;s2hto*Tujgs0sV4~o%LLklv$o&qL@dCO3mZ5PFWg$WB zk{uHdCS*$5$VXRKh4tmYRU6QEDI&VM(nP#r-RS|yD?7!}3lia(?oc1PGeVq9&q=z+ zrinbO+TWk|{LQZ4^}223@3~CG>)gr2H|CyKSG}j*4<8VTI6+re@Mj#Nt1I1qZbDMZ zLfc}mtKS!K(_aRAx~9Z?mXgy+O8A6DVIS@2FFb?8#`)6IVh#GRR_3i0i=vOdSib$d z*9u5fvgBc<+-jxRiL0Xj+iv|_@7!vtE8WNCw~ElWhl<#^jAgS%GAM!UgTQX6O~ zwsAPK22~eC$v|>5c)`$^2*sm+OV+xh*&xkgDGM?0+NO1|Xuo+$LM?G!QE&1W-aZ$2 z7*Rf<@mNgA9!-OYu+eFnaiQCm*XJ5z=IdK8V`#i+yF6l1sC4Q9G<~F+b`6*dCSX|% zuCnUgfik~TH-u4y$9n&9#A!T^h$(F(I&x7N$4$w<6erAH9o9fT-0H91BWh3Ep$5~f-AOU2PEEFRF$CFSL7JofCJ$SjhcY1X4t0HKUfE9{@nTv$-;`yiP*U>U}FH1Z*4y(fSxE-f6zJ`BoP(s)R zOV3Ek9TcfIb=VP>ZWJ8s!cg7^ByQwYF_Y9*Lq#ku6eZ_G$<);M<{pActfi{fAu9y_ zTX6-zg&n>eD4-dRindD1baYpN`(;Ank`=9XRM`OShPwQLhln~8%yn~uUtob>Q0v&@ z=N9_%t_dx%QDM2r8cyFO;d6gKzoZe7^F{3GGi9M-`f(7jRPy_gs%8rC2?j&ZDbrVh zn1#e}?+0R4S)Wd)3PFMy3k2JFZT%Z=Sl>0nuRNzQPG``cf0@A>V}`t^cBq)=iXJdc zbk7Xumg>hN?uV*%u!%KYX{61Gyv#z$=Qudal4Z)Stf)RJ!j*uKy~11u$u&rDFe$p9 zDW1o<@%EKqU*1}_AN!ZZ%M9ND_($>nIZ0=lVFDvpCbUij*4r@0rhhq&Hnb@$jxO+w z8!qFV;*x_j?AtPUxGcKd6)aWNf+gm!;M=3Y_f~1g= zI0}ZI_?MEfPfejlVt-whcy2w;ug^+zoutGAf^3A#@?f!mm0x>qBqW$&DA7M(Jm1si zcrc@HXM;bZ&Rd*P{9@QSN^uaGixy~4aVqwV!mvF(3u%hH1Ua(P@{O;SrgqdEcOp9c z4h7+D>ZAYuZ!H~Xw*k|c&iJ2^XRp@YANU-5JATjK?)iV<)PHiHDM?t*pW<^8`z#%I z;IByPvp)ozNWcxvPIKH0SCTp|;mz9TA{~4`%L&&ea?nTgXFQA54e=n)Em!;7UodkTwKcACT8X*A-lXn^+46uf20YBz$ds#ujlh^I?=3i_&FvgTXbkWb0H-r~Zd zudi?qwuEz6UgN5AT~Q~DovD)|8zg^g)n?jdoy3Bsj&rr0qGJn0O_uUeGZED*rAu;C>O68s0n~+PiwW)upz%k|= zQBWC8NHkToS3M8n(71X;6S(o&qYrO)2dDcd?_Tf!dZjhArHEFu<=m}wkR+v2QVn?W zP0`J&CS;^0RBw-uPEL0ZPy23&Qswukux3~e3ql35k~~S6srXhQNg_6zl309Iftm+T zm3YK3H=t)r37;TM1C?s@60LvjCW#RP znwU!MXg?EmE}q&zO89rNSiL-4I6B2>@Cyjik_Oc|d;+AN#H9bwPWS zn!pv3OoQh6i{T!CFe=MO99bK>{KDae6)vCUCPiq3P7u5DVN#KeQ|p4h7$- zg736#ZY$@{z?qE*lJ@#)@Ac|FZt9Pl&Ar=f?B1rYnl1G3FWU?#{o&wnXBus4uBl}w z815Gv8hOf(Dqt~Z5dnXRyHY;JOrVq~^(mm*pj{W$vUdIJ4I3Bq#-Kh|R~)Wl5-C-t zF&eP8W=8+1Dr8()bb^6MW15RbGZZjz{07J2H!8Z_3cSE^sD64UL|HI`!K!w@+m#K= za;f?V&VBNoVlim~?D!ME>v#R0VuKuW2q@Xs%Fx_J+IU}UXFh)uJFvoAXl%S7!Zs1AeeEe2>^U`jy%Mz9LQ7pg40zk(!KlD7lqypW zBP1axQ*)Jh2H{vSH&ANL-{xpSK@%P^97-tQObeO{zkAvD!IjBugtTyuPTk%V0NjwSVRRoPZT8CmBT-j>KbPJ;Kt0t6tqcMc727|gF5VEtHb8|nYt!X_0Fc|qFHc-be$mY)cw)* zEnTh=XrsOf1k^}9>^i&?~pZvUk^6p=6-@J2=5_v_@m@ux(PrFZh?Pcn| z-Tl|Q(;t6N_IF)TDX{dwctX!JNuFbLu*+@Bi!cWcS_P(c#O3S0xCG+P+Cu zTjy|Jwm-Mpi|6l-kB;8J7Xdj*W+!Ci^3@8^bmlp+RGiPiCFfty$jpBjn}DhY(xxC1L%4JlvkR0GPD7$& z!mGgUj?%|33TB*`<~FFZ35;fqP%p3!U>Amx@v@=DRTHZ&HvxNKU_)Q8>gF7CT+IZO z3hK8=TOit>DsqINU#c>CHe;jwo{Uhjkiq&VWkL3BMNR!6@_fC~B6)6d13Pqd73^cWFAmv43qeHu4*PBx)TrYjX zyse_doN5PvcU%-%R2rt-nPc#jk+)T421|cMJys;wT-&HKJ|p08WLO6y1Fn>4px}6F zym^kSpbIRkB6eZomG!!t+wuT&&%QK^IUH&%_CVPQp}ryLDH>A614=l&4Ct$-P$F}K zjyO%*?>(nd({~%Pg2k^=9FXIp5A0S~%Z^!C4UcpUf3&58Jt?3%-cLab2)&vU%gKM< zv{2yoZ#htvFir^z7Y1;;F8rV5Ee8H`@WKg}8D1CA0Av(M{rBdeMtlLBmX3P5ROrJ7 z1-2b{AN9Ih-TWQ2>bx9P-mI8+dk~4(sNUPVV47_%pPam*advr>l)~N@BOo=0K7ykN z^t5p>GbG3as!%+twjI~b-d}E{k4k@-m&Y6R+>%E5q~OVWr82}`b2NeLh^3~fIE$hU6thZmaAQZ*jtI#b8z`7C zW`1=>tfwUhi+n&*;C=Q9^&>fxyApy8djY zq&j-9ZKq{mbe;LeH#HytsPAkPoFvfC@FoARROym#3TgBzzN%JA}`O{ zMm^7VXFkRwi@Y&oV_DMrF4w&E&NmxBcv?xkcH%g{%4^4~y#eyjD=3flB9?__J=$*I z3-0kP?|jR=;9EK5tww*ya(V_^>-CkiD#$kRfAWSpjM%XH##U1e%_%Tvn7gtxdLFT1 zad;}&t1}BOxg8e$eVzP?mJm14TBCNGC)QE4wj$VJqjI~H*9dtU8ZK7N$@(9t{i>%39;htw%B%Rw2#Gp1`f&N$@+97|=rbCh*jrQFv2VAjf zw)KJ4CSw##Xyk+vkyyK?5wnG?J+H5C23-gzB%$PS7lzg?dmbm?sbXz+kiW7FP4P@+ zn$Eam52hX413*n~n<38>SWW=T5HU@^v~h=_Y-@+R1E{G5**dwD(j&?DFAOy0S1u9E z^@$;wJB~*xMTvjx3c^9kI7cR^QQ@ewPWP38nIs4GQ?3-Wp-Le$VHao$@n1(eaDD?a z1XE0qkJe1e_GhTK?l!Nj2#$Z=(~@J$biI`=XqE>8ZYfg*?Kp8xlz791g;0~Rl$(QC z8%BYTadIAb-$Q3T2wH%nA8rg#O|%5*f-uqW*HqB^rVW!bB^Mb2;dN&$(>c&Cn4Apd zybbICyx<%8dOH5ulVc??0=^uRl_fPKt?UvQzu*8ufE*mljpg*pwM(9dlz7B_nml{- z;qc|)-NEsdlkO!S6C*+!-~D!x?X8!j3lOQG-2eo&MhFNe%lRqYFf6xY_ z)89%$Af?&K?3oPhO+$k`OhC}3qwxvcV}d# zEBudq=9iSkJo!A|e|2z(j!zDL-aXw%ulIk2xBrg+M?cS={X2$N`-d-Tiq*6dM3lth z9hqVp>E8VBAMO}@il_cqV?iT9e@h7iEaLYv;X=tiYSG zaUGy38#2*3@A>j+7a$rI*Q9>#YwKW1Vhx*Egl0&zZ0;zIWBtd(w>hES^A}>igY7&sI14x}DRAi?;n@LF?nITD166D6B0FLVN z4)x6QFWKOVN-|fX4I>k{sa+TZFiyOPfQ*v^ZL*Q~sZ>Uh&jB6BB>X9jPPBD)36qGM z0{fQO4g?OP~-; z=ze?zrw|j5f5zh?!d0NWEG3nd z(RE79Svv>?5zE4tlCgdPX-nPnEdTbJ%#JZl^8x0cj@3D04bPWc)~b-a9S_7TA}Shn zu?R5t$2b*^_*B15a4Pmy9^Qd={#$Y*SV_=Ev)HKiQ;`pY0?#8hG~LoCjEg?~s(_i| zVznj~Zne^|^WeDie-L10(+jp~AroX>=1U{y+EW*agJXkQZLVPAS<&Prp3-Qh{pa^= z3TB(ir&MB%B}%xpp%#xd(poPF!t^Ch^Ns@u-VGw#4amt%(ia(y;DzKEPn094eP=)| zvUdqs91w8y)xLP1PPj|saVN}hx&5$M7c%8l|a?TlW8r}dA>(R z^Udj~I0P>SPmer2{9vLgr50Kx>EK*2ux zZME0+)&F)nlOrlG16Ds2lT|8K7J)Jm0-8@bI%FY%^c2RA6WpoMh+Yzt!73Iupq3BR z@_|}DP|F8usi~#FLaskHwO#ayJALOdE9<#dWK2WR9$sVrAeUI{`h6p71(apAbgTuey(Q_QiTd<5QBee{AI zGBMC;L3FVQ4@qPbuv_;UP+Gl_-?;0NgOjA+?9}f~u#D>1dO`D+e4wNL-mEu*!giUx@R)2hv<>>`Z8y zM~Q-Jf8cYI;wxeqdlgB@o6bzypL*PR-S_4W?e?W;V+WgXPm^6NgGow6u4zPAb2~NZIcaw}QFEJM7{Vb`h8uzt{Z1)D#v`mm2DXe=`|A$i8GB@%-VLxvQ zD{p#rImlfG?*dctlBLI!>@6VyKa&nFBu($+$sx4eYRqB}&W#NNx?MUv+U{u)GXaN> z|F<}wOumu6O$}?_w5qG2>^uCVdy5bsrk#%+-{bACb+I7yJ}Q&!xmh-9(rhfsv+=5v ze=a0{Mq(X9P215)wtzs?Nlk~epU_(ctB+Q(H?Yd&h z@)J@0t~n3o(WjzDoW2>L;S2>69FL7Zn25NOA}=8l7ROk2=9|+ugKyllv@7Pz>6?>P zFC-e#pc_~YDd9w@3E$g& zO=dj54!O%9B{r})EQMWnhGF`x)1mGQI#WTRt1aaCzCl{*xw)oyZk=knr&CRT`G@t> z?sm7M*8itEl&|SCf8S^F-1vVR`Fi<6XL+gPcc*bOwi-^~-tA`Ti|2#x9pSgb_ln71 zkze*!^W>EFN~|I$!%cU&s9hN+sW;AONIC(VCYd0fy>ROoUB3{N@eDkQZ7O3B!3bu( zD~)4)QSE879V-nueEvkc2|+ z;9Rtz-7F(2go#^kJF_7P$3%AEEsd$ff^VV^hRnulG-Gk9Wmd*f@OV?;Be_U65Dr0z zrev%f#YD~$PG=ihtv_YwCIovL&CoE#ffW_3=E4mV_tAv(QoN@9?yE_KD{ziv{SxBV zmR1L!56&(a1rUCa&;ftl46{}yQ+E3}F-X;;j83*nX? z+@}+5k#iav6^<%w-n44Yud-lor&kj`aA)%t2r;dHX41aOT4|8?RRn&eHCZe2%VmD> zqDj(bQS%^adyurBo^aUPj=KIwU+ zl8q{Lp_3N$V06gDaY{Ieg*GgJEK#$*F-+uM$bvJHYB3;Xx>&+E6>tt!!v-WN(^dll zgP7}+=)RT|=FCw{*_nGdE+3A|8giETB5EY3Ytz-l%EP&8Vy8B17Xf5b!)uUWsoST$Y*pD{OD)j{8LS# z3m~z0IM4om=h-q7|2ZCJHv4RTpxIYT9BNy)u|2d6Jsd*rA(W%#?{W}* z8HOAp;*KSU{BD$annG*&um>cOZm(zsBpb}>z_yFM1S^?HNfOn%d>j1W3AW1aUPX!_( z@U4Qr03wGFGQ#6kVU6203|R|I2UM)w7D5>6+w_Ho6vN*LfiaL!!`|s49EMZ{%`wgROP&&vQoka?^`8@y zKAL|J8^1t@s+$#AChE67C~L`nugP+*`8c@y1WPy}Mm^#>p^eIGhkQi>~mS-Q^X6AHhb;^z<`3m_G-TB#WAd)A_T%A~&6XW)81? z5Soe&^avpyOo&|AKc1c*FLlO!`s?SNQurp+E47Xo|P5x($zpZA8~O zIA?!l;q@{y@7q{B6&iamd-{y7!i9->IB`Gw6ZdnKOBNQ=f0|%==Wj1|zRvXCzvy{o z1-(5O3=WPC-|Zb8o}L`NX-xr*6=##hH$IqD8fs@^4SqD_D3qhkCrxrB@H$m9?bm=JJKmxPU6il(KV zX7MiniOaikue+VUdX=&)k?)?syHW9lJ%X;&${~wS7!%IxB&FvxBIBZ?telIZIGV}A zFKI;7f^|!P#^Bgg-sb^UNsRWvHYY*ArgHa>oLE{qR?>e- z7Ryzvb1b%NBlZfCPH7CUUZpr7$HmTk*Wb2xZI~ZA#QH(t8geaGF z>e7SO6s0^rjYBQFk7m&H2KZERtC@e%T?B_rIXc;)`oS0QqvIH3P_`Rq&kLfI@=0RO z62Z`z2*o{0X0CItJ`_318#9f7D{n6AIG0}y?QT~^YvVs3r&I;RfK<*Z0HTw&l*SGi zdHCwwT%ii%3sv(Z&@DHlG<5%_!KD9IL7`1-=hd3n&Tc`g>eNLGdnz{N=ktH|5RJsn zOv{GN*GWb$DX8jTl5_i`aNfQg-G1b*f|S)xqJvsy01vWX# z1=9)2)!876c(MrSH+3k1Gcr?0q)CU)GT4e|a^>ml7?u>UC@dcA&@%~F@|*GsQtlQm zW#Vt{olE>aLMI*Yrmufy1`c8>@*B1m^5`6-YO6JT{TZVE*1dy-y2TGp%;J?5Wb8`V zIY}>4DooHVlb@qVeC?XhERx|eV441gR-x4D23qyT^1mS_QwTLW`fe2g)hMJT(=>dl z!#!;1Ft{o|iOEf|0e9XDNB|%i88@*>D`!J1uQ`v{XcRGA;F^D{*=X`|FIgHu9zm`m zlWGQC3qmTzop4^KX;#P_9T14VWy3cBeOLQdhxN@8E>fbq0U@V#D6Jn)Pmc#1z$2om|w0MSHp&Z!Y}xeyMH`}tCn zqy$9E7Yt#WU7VQ&>1};2ZKE}PGN@>U?KdpIQCpiL>3AroiV~TXwJ->r=(@9m!Mzv!2ACb=~oWTA)P znQwaC$2))Cn_lWXQR7 z_V-@^TDS$$BY?Hh? zKMh+Jl0G^iIQ%80f*i$@2s(} zErxFb^NG3ak`VTwqXbP-mXI`>`7P68t)W9T-a&lY_`S#erk3Ia%U=JKlPWwTf2x!56tp)aK1V}|RF60XTuYhU3vb8V32Tg7 zTaAa9<|gWSjJk8GmQ%c!VcT^I`Lb9hl1$vofIqI~V^f`0KH^`ekzu_eHXhS>>}!P* zjYmq`o?tQYAt<2BJr!~rI_I7}ekBJKv2n-QVheU4LVso?BR+?e)2)1J9D8NCQEMPA z6Yrz$lgA3T28K`LBr~b(JT1^ydO_5XOD%{PC+`Rw_0gjbdvA^g`+cAmmP5v3!X56@ zyAck)_VZqhD2YM`q|s!c_8+6vCJTeWpyE@4P4S)tRH1IJ>b zm5Py*w?+P{jdpwo)*^*9MM7dVWeaSY1s?ZN&)@cYPg_XAQWU#gYy4#dCnuA7JsvKf zk(%BxrRU&I#nQ2#fAn9#dsQa0okU>t6Kh^dZ&{VGP`|hikDTL9fy#d$!;{86Fag$+ z_dQg9;8^dN(t<^3oF;*N_1JK-B?VKH4gl>cG5;Fj>*_uU`DCMrU6fRvlHGgnDqP;1 zrsimd1m6EOFRsHnQzTD+-i-*(~#t2TqE~%j^FdYSd ziUsVvn-ASl3Yy=pLdLwaM8Y2uf&Jo~;tO7!ARO- zbKjRKZO#fdieQ>O$d6wf0=EdhBUSfthbdfHS>PzX0@$h(@u*$kx{J>d7X9{rduwF{ z?P>!iro1TfNK!e^=~&>ete~GbL7wL+!p(_9h+rui5^+IDjHX#6XcCcPrI##4ILL&Qz9lLBLK!9O0J|FEY>VLIkM&pU@lr~3n6T#DPb(d~A- zkGHqs-)^^C`ge0{ySMd!kKXo^?I$~1n@@JO|IzL3Jl@**2kPF%02e)(yl(xYd+WB! zgZo0BJr<8sEV9T5cz!kdZea5je@H@;+TGEV|G4{AtM%c7hv=wQ5v9(t*JLKIX1biD zkZbZHHMc@;>$8s5$e#)^F{9z3fsHOtCH?Tv%1E9QCWKF!0s;>G^I1vL`{$Ni@ryq?@Dk!!R(6 zEKnvpY5<;m10QqX^G2J~q-T#l4EFa<_D|m(?!MjE17FzlkN5y_)#kL$pYv$*AB@ID z%G^L^O~Lm5f~WmyXsGPp?I~!LhU#%YTQuyY7w$)U?vI9l{`2VI@a`yRiG~{BcSAux za~f(^mox0ud+Yf}e3~fHJW|AoC<*jrmF3&K0U`NX5tElGn=0|Tv6@7^?i2s%wtu;S z-dFqe9!)SuLqcMdYL_y>(EF-H^!)~48leO%hs>UYz37N=jB&LV5}*y`JT6}y#3P1` zEJiTfFAXYxV&jiKmkLWY=LzueEUo?@75`Is&C+FAep_xFu_2D?Zw01|(p>$Dr_qtJ z+abPT095hy#-^+Jag3>axd+W9*Ylp>3+_iWATcM(Hm0t-O?G;!h37QJ>5L1Ol7CGj z(|=o6MHiWu*5_Jysq2#-fY0ZY$v8=mqijrL1&ObJqqU}>Q8=8^SVNmrAjAT{CbRW9 zkX&qy83RXouwwVeL81j-yFtLRSX8F*rf{@$Jx6czV$uY?c@Zc^cg5-8@n&`rrEb72&H34WgO;n3gcRuIC_r}k>OM_$dX||Ot z^hvZ?CRUv5F=#OV#w4vZ4Hc3yo8fpnQz$^3xxj#R(RZXYCI_nH(H= zW>i;g^cRxje7uc3FC+mA$$Cq(vd*}QY|vo;^rz!~tLLLv+6v6Q${ZZS(fZTL8*rl1 z6QPv=9JNglfObO=KL{3}tROUk5075#zdJrUIlT#bOPJsZ3Bae2|JME8H-QGO+Q_PZ zFy;nagPxAED9S^xt(SXxa9rxAicNQu-cmuP&`~b1$hfaVK@fPSe_XXy59Flj=&Fx& zKl+a>>N<8Zz<0GUBd!hK60>r6bh_V12Les;3<-Qj5Jn?%fu=OhB>gisA%&PANj8jV zAQy)=TsAQ(zJiXKG=&#f1d6Pw5gYq|U}O3^oXLF%(IHn0+vYq#-o>@&Zq=E)!T!n5 z2YWTs2e6l!yz91JnC;aMW|CdQNuS1Y%ffuq8RCdh+Yl;jEN8|&nW2@j}VE%IH z=VCS&db#Bny#Q5-HNGx67pnvTvj8XhNzSEEj;2IR7zEKuRGnjRCQ-MxV>=Vu=ESx= zv2A1GJh5%tGqLSVY}>Z|e0kq-b?w!)Yp->!``*%GQ%-;PnP~4hIen<2 zidHr1<9Z9R0g9WYs0RqJgOp;&KajB6pXNa!g4T$#3pe+{lf)#6t%u%^$#W20<=k*P zbW;pAM4*a{!u>YbV`!o1P#$!z?h7el|0_c)cBcMvjsG>}i!TR9bod%iw^4V2f++7I zfQw>Wh0Vyw*toCITWZ)qWOj!(152Yw%6Fcf-F@-V`W`dh<`=Yola(|jNr*x;Ki;8@B5#YUioNs@f4|z%Of21)I#vG@Y(XOG6WA%V?)261c_QjI=|A!21-}E>wtE;rR^VKBXX$9# zteSZ2-@>G_w^yV{0R%O0jhyyYq1gNDqGx?l8mzP*q1n~@LBkkSc8I%jxHYXQhzgFg zKC%eg#DIM3)E=-3>og_1Y$6f`V#zBW+1DEO@@X=VA|k~YaTv4FBt?ohaYPe~$wBzx zW0X@NY%A-dX}19zHseMI>$U?+!7U zBymw0_mb#n6gjG0H{}Cpp1Sp--^F1$=lYxKq7T9pl`TNl%3_UBI>=9X&$m7=Gq1Qg^HxMxwq&@dt(o!^+JUgA zMK!#=9uA2`f$PN=i`G zZbRK=`thL(6no7C8X4hf^kCUV^x!yBr&0xfkL(cC(KDrcx^6XD^G7H5NC3x#NK>OFIYS+3j>J*TWM-i3-#PA`G`dT|-SPNEJjR#v{q_PchOw;Y zzWNs})zhMaimB7xOmFA5N6qD#LSL^*_BJ{6@l>ECOjvFAKdoY4+Ly!?MvbhnGa2;n zCFhQ}1ShQ1Zd`SGf5+!V3Eys@bE6TN)5eEn>3k29pUR~D0wBGj3E1Le<6Nt~!P0P) zT&smob$Ik@vJXAb*?Dd+??O^{h?=q4zgx3hD5$Rv5!AC_*+aN#!=}U1##NJ_!AjGO z#=nGUIBpfCAztQcJLrR-U?CYhrf7jhGPPkN1Q%)viNRD;A^k+#NF?4%;x&LH zA3Q~)nYzEV3__{hgG_*x!ZLwc^%GIhBv znQdzwI$y{L(@ZF-izrWsZ%p?lgsAHkr44Kj*8GJ(vIl(|&Yvf&K>%toBJ?G>AFoSF zm!UOWo4Mz(&Z<<_42B`5PU=z!{m1Q7oDwOuk6GL>9z-zVz$<;_ zYMT;s{`>f=T}8AR7pv)3;g7-Wk|$!5nsZ0^5JY)MsfjZsp_d;zxzhI5d z`Wq4OYQxKyd^KP#@B~sT!si=o@<$2QvwyWl*Bvs$@P3H7Seh*ya#l?NZo4}j7=o3K zAPs%srynyz;Si3E%kN{)@I-qMpJS5-H36FR2kTCW>8I88jW$B)+e(Z|9orH%G0W%L zR{%sgoR2+i$@BB`#B9m*D4y7XE~8~q(Q!}L$i|I3Fi8503?H~ChhX}Q%hht(H%gc* zw@ZHiUjfM7BFpmAQerbKk?&JD8Mm=gKN+P~zN*>(tF1V=^7mWDt@|<2g&H&ay-N=# zs|n*V&UEeFE52`vh~3K}10q}yPbhNtyfVFBzqwPJI-h@qcA{Dfz7c~OG|gUb)3m99 zP&}UV;zQsnJLbJro2_;KTp_SyHvY%VpJvkP{o)SI(uHkhK6Dr8JfdVGm2*qKs7sYF2gH^I_SIv4KgO9e$~24X}>+-Ezxo;C8G(> ztmDt2kUbY^bW$b=4&)Q}RgZt4RxMqP5tQJfh7p4U?N9MVcd|{raN7zg4Okr4Bw*3L zeXEC9`AA-!v8aFV`urD;h{a*;Q0P9p#iqML$W5hy-?`2vF@;s+nq035i0A4|f|5iu zb}s7@lnAKbXib6wPs_3zq(U^R*+i7VQp`7mjaqrJ$1ImB9HL`u&1%A--|}b4sE-$O zZ+I@X@(n5}e9SI*YOTn0R6or@dQ)W|qStO6KMM&^V-u!m7;QUB@d+3nArRl+t>P&a zoIY(wqOTmI3E&Y4{LZ}qvwMk6r6l&x#OZx&^H=ls$EQzEsV3xEMVsY{S;O(nY28d= z@0p|_atTf7%2k7S*1q)b(O{)%%(Iq^Tg>I&&1uw)JkzFyr5hWly4#rr5-sJaCovK% zl0$2%9uc=2MN|&fSs{Q?iQB2F+kEytT+N2=Gn40*M8sX9N z)Y*kPG5mA5FG!wJ&HPEqqONvF_NaAj%|E5PHYS>Ful4b|SRHvRk#w6n(c9K3S;Wsu zL_s75_CwZjZPRcGivo+HH8k!7$(Os-Bc%IMX<@7yMxL!w4ML_gu)?VELsRf0ghKn| z==WHs;lo_Gn!TZbF_K!Q%tTj&uXrpPjN&bY5!l)-34u5Gc1pmag-A!9`S|kK=T76uL&X}3{ z*-lIQIenat9%85rcvmqpR&vda{79RPx>iB7`%?35``D6>V@9WrSEA|lk0!W8%9bD> zo+Be8ujQXCU0d|YQGmZV<*w&QwLO2eY9l&xi^)miLD<~`@_K-9OXdG6+n-4F#x5;{ zeN|nm^rzAQO|@V(;3aScjC5&1qHgy}3AL$5i)z@zJQu2@$-d=0-ajG_>eECPYz(S< zbvYx}E`2cEW*0Hu05-sTUm3KgAmHR%kMBMy>-J1xZdUrdT1#)&?}sBJs$na%bP$VY zLV)qr+-#0l3Z=08OSswPl}!<3Ykm!Z(k@T9+kQ8|k0X3B=M6jD&icrN%p_NCcVvatmoheMp3{8P zUzXK*O`xi|FQwOqMP)N8kTRdk+8bv-V1Psakt%c6Od8N1)F~(!AlZ{`1QqB?Hgnd9 z@D~E?nO0q(Jbi`R=EEos4q{40sBPG{=HiK9+>&tzjobz? z3#yK>m{ze5gcsiyY#ZG5@1gZkvz?mGzzT4`)ZC+&nn%{WtVR~WFPoN*HoZt-`>OAT z_ZiH<+k9j8wBf&@>(!BDUs%M*N^Q+z-F8thHr@aPlnYX;xep`Ggdq!R4HYfQRAK@QX zCU}<6M*1uA*M?bCSWJE8&8^_EQnpGt?LpGOI!J+FUVOjiP*x8ly5_q8zIzC80Wt=z zsAC$6eqgSpf!OuCn*X0^^=SN zDK>_Qjg{@|(O$L|hVsi6_i@%>2`1mRT0N&O@CeY6F~!&f4Evu#5;q!w#ksbaAqlWW zZ40QArGtEz=k1yOx!w9t&*3MG{`Hb@vIdco+V1XHt~@(ztm@P5Q#5>P$#l|0!-SS$2Qu zrpKxW2dziGSUowsn3C4RQWtXdQqLb&%G3Hl*L;(wI$yW(6(+j<(@CjD798^y(6yCx z_vvsxdNlCW6K4^S&*)f~f0xDTp*9bgI-;zu*3LclO^(_p6NQxHDa19N*Pr+y!)%wf zFi};sDpH1)MM+OtSN&4HbSULkt4E<2NBeNf^k6Y8#*pKs+WcHkal9cw5jZu1pr>~V zPc`DE_uDR)WVB3w3VE76ujHgh7gTg&6j9M%`~mRp)FKBYau7HHTpc={01^P5S=`HB zMEdPp-`%TDGB0@?@dGi}KqA`Pe!F!o+{Mm=;?i<8N?*CUqD>fszxw4uucET|{1~#` zzrjFkxgP4-RJu~+7`>9uUEn0+U3~N4H5Cd&CZxUG^EXpKb|$0F*>9gwq`znQU%*^& zqNWo5?fIBL);NH3{BD~H`3|uC?kTVkykU(36^nx>X-cda`EQU2dNe=TbHV6951Nlm zznkG>J@+S({1hKjBGVHeH7jucTa$7Ua|P_9@DrNrOz!m9MN?iIEGh2E^RoEh&n-C- zRMUwlCXA81s6G_blfECn%e#dB1a|S6318{W4eiyxqE!^(cv*p4)&n%%dX`GQwVHpL zGMG~1O_{4B)hf;J)l#(O!`2`z*;5~yI?q+!1q(qVUSnK=K+Qnl`4jCku<8mN=*|>3 z2b@p?PVZLYo}XY8g+TwNz+|*_JACY^5e9j^E$(g4$Vw=dT&9wavzAs-OYhJOUv~{* zBKdWE`M2ZXi~p(#88GcUt?~en`A2i%5eH2pUrh(1Uk*G^eFW%i{zHBM>gRgSMos+f zFp3f=B@i;p@ExTu!bP}!9Xy$(mDANP)@w(}I!hiBOtkbewAX_dN{N~VMo1 zC^U0K{`W5p_&xb1q>P$gskPxy4ZJPDYdZ&x3t$Te(Fw2%z{hUXvN6h-pd|z%&8H+V{3PfI*=IP3!mxl{^wi#RMUld#rnoKi; zYSY3}t=T{Y?150V_+NT%ZIeUwIX?gfyAJqT3*LdGZ@|`dhI!ys67(0)kFYE1n-jS4 z8mFQx#7cHDxQ~pD$&eVn#C1p|zQ4Wq)qxiMtk~Xy8IYao85|Fw7aA~oKaKuDLh+cu zt4sl0E|XD+$C5MP+oM%mPzF0yfAsD3oHzJk=|>1?yb~{SG>72o1I75s{!6z4`hA?d zCGj$S4KCH$*?U~X&BOB~c;_Z98P53!v{G@*wkrv*L&wBi zoA)HMc2V@7NwApcW3^*4CVPY}2#4uX^)vc13{gm-UCK14*@|nh;5xNJ|cKnAL(t z@Je)PhKNo?dpq=h%Ap0JJT(|T`C&SFm!Q#rL_&Lc1Hpa*Vq1*0(5%3rgjZ6hRu>T< zahI=0Y8S8}-b0$}gXa&#iJm&b)_a!V{n`UrRBNF?>@3wkxPWvH)#zP4CI}{R7$pS99*EPYQ zzzv~(VoyW`yAm|oI89OBGmJ{RJw%|HLxHf7l&HPl=wN6Y6BcI)rQoT)`crrMk zH`a_;uWA%MoSMomKGR1(Ue`wJnHpUR`bwzFUcQKA)_95H%^{@XW~ZPU3OKtBV^-?@ zK+vAU)?v+5=EWgY8Y#LtlLt^!nR5c{(Iz9)DiAXF9J5tlnIDx>jTVF#N4g^O>Gt#? zJ?QtHIrCQFPyXtLADW22t$FB==A>jZ!f|*)geSx)x0Z5D6Lt!di*0@AesB!QS!YM- zLDs53{9+l9^0!mZuLkLBCD-}X_PQ&tFQ56_BxWYIw`XiewXTomMFJR3!zU{k!h`kdfi+9oVH8q8)sJYiTvP`#R>fpDio%+Bk7tw>n(AW&N&Ddh$2H zK;BfCs=mI)c0sQqOAww-dacTyZ!Bb)Tvz~nGFzpbD7rUb}bIA?mirhG( zzJT0gks^2ChTPh9Z}LOKCejv~&lwd~7}?dd|KuW^RM6=5B?6#^^21s1H||4Vag|fb zMXMsopERT2=#4%cigD72W&W+0`d%?-fnjNwT6{lxPS*DFwyA(nhMtGS2<@QM8TLRumvr7qjq(}Nx}YG{A*8?e{#Fq6a{IzF-O^_^s$<|h8Hr6A zxQt70;zPOQ!;2=t_#*&B;KTk14M_iWTW-66l743j4`Cy(AQ?l@nq#^_bG2Are7c@5 z6F|7^c3G88JKxny)ZZU$fql(LG*y}Jg@zBQ@%4$Fo$I$z2;jExTIlAzcj7eU?F;q}FPg@X{vHdU#(1rOzYCgSY z^51WG&8FfC^VtR6&egAZ7TJ4-fdpU#`hpcQK4YVDqJQ4_w{Q(OhxF&9?j&Y&zB_yZCa{S7ym`Mi)UgC>zfr7(|9aVngu$BG|AV@R z;nVkgt-C?~cE8Qb)QixyqjP@%i8AcygIp=g=pt5R;SS~JGsfTeNnBS|cc4gzsY)B3 z@YLCnbYBgK==2K_jZ?P5O1<-&C`U+O^oC`yACje6*QW>gLi6!*m6wD|Dbc)IAhnYT zYJwM(+qxDmV$1M+iivmA=9lg~Wb~K-;i{zt2kFp6B+0CdYpuk$X4wa^xtY6u)r$Dd z-P%B_a$kgv`y){jmj?{eeFiAzSx<_sJ_IzAYy}-EK(|%A@9L1tC^r-wLnB74)pIDseFV4j~EH^;he} z{eV~&YjN8zM^#(XlyzhSX|%&??LPF!c}gSpyFKe^?2Pnv{h3L!4o8x3Z%_%7 zBT-bZ(2MD1=Rf+Map_IiI4~U%-RIicCs!9zg?Y}@?vj_X41bO{c+?j=>u82uK zxQajU59O!r(qr$_zdjGIJ1<8zf*3%D2XDGu*nU)AXpb-0w!^TtErID#;8s&P1#^?U zV7LF7TX4V41rsvGP%8h%C&aP|R}w&av{*f}j`XfljEc8XT*y&|)hZvCIr1KiS*F$% z#H0iO<9T8Wo*Q^zx+t+G_~F^137yAhIdu@@F_=W>D-%JC=tPz01Y^ z3e?K_nOU-E@v363^ah4|tXz}gscz!F5{A{}J!wm$iQ#7|mbJ&OTZh~`aNScef#L0PpJZ%3=Yg4Up+I`-x>&SbXb zXVK(G`nQ|`Bl?auOlEbPa4#Bj@T<9i*O0$`WR%+}`Rzq|I7A)oS8gSI=arN&soYOS zne!SFT5sS;@2)7KTHeoMm2>pw)~SOxL&DS9}KvD|&7Ka?VVG23rd7(ohOXAYIJx&*=& zB-gigM&+Cce*cL<*F+&GOBu2N&`q<<`Of3FdxBcvr{J^9o4qv{F?_O4UnEd!Y`A>j1O05zuWU2Q?FZq7h5;>mkkeo9-;zMtU(16L|8t$w0TTDwNb^N4;;z7 z(EO+Eqs?XbL$(DnOFt!)xSw_gn1Do2 znVsM7Dk#-E+9pgcunVNsqOB2JVs3kGvXx_+o72ZX^cxmz^A~)S#ZILGt8;Qu6HK1& zCA#KZL~@ipvBUpbh7g=j7tat-pSPoF(5M%&2ZDXZ@l!I$^vAxnRb|FzL(cY@Jos}4 zh^;@EZR&LA)JtRkP&6p!s^aEtWeO!GDA6!!WE#4QIt6c5&QV9%jXNxcp#G+dZ;54{ zmiRXiMFcg_(D!HFNJ4-d5UFb)&)x}J$No@_`qV}7&~HE=P1>D`@S`rZL)6AG3N#9r z@7@>2^)YZyaX6Ib$2w|F$gQa1n+y7YDco&(m}(XWn~!!QmHSDtmiY=FbW9~-Urv=d zDT4#e)SZb6xLH>5<&^rkY&cPn9So8|UU~i#=C=jVnz4*5alJXK=+VFlnFcfAEp!@g+bGHIVfKdgTE;~M=;1*4v#){ESaY_610FIX?h z>5l~VcULN`vAEs1N*2H8zHEIKQh~kILEfa_x*7zK=@H(D12YbA&+2e@FN>8^R z`CE&b`2SVU#B8xu>2@`1nB%rx>y3J0y=lNq;Lel7a|-_ZGNT+qKK!-&Og^nbh=BRW zmQ=C9TZ|QUT$qr2Fg#(SKR5}jj7{Cs=CIHvJt}jdH#h^q?B}347Y{oBzY7UcC8s$+ zt5w_FTf#;{u(BRwKV-iGXRTxFm3KGzDK*=)utHfnf~AT2R@pT%+7pvT?tcH4w@PV? zRw9Mz@0NPG#^Ky#kJ2oX6P^r9-Y@=^$J>S8WTRvjVRXu!WZ!GCt4){tXrlp#pH~b} zDRlZtdX#j*0X62^N{gdnl3YA9{#r3_F2|G$77 z$jwYr+@Ip)yvmb55?t3ueiVe&XV8eWR@s?GGWS}o{7Bds8A~TEKG#Vq4aau032T+r z@$NjU<0t*<7$HoE7q*GByhOFb&*YQA3tQ4AUE^weAHlCe1Z(67@9c8epAnG7&(!L% z^@X{*9pYatvBr8XUYEdf=TDvlFkbaHnHNQMfGP}Nxo-!_ZU=C~&INBO;sW6 zZz(S_@vd6cQ@0OO$$uL;bg~_t*uMOB<>Tw(;?Ix^vk2PXuj9EPIk|W`0kY}a(KIxn zjkfOQ>5)=&sLGR;&^JVg&55qck;3A)Cy253TEVo%e6GvK<36_swdZrmRgLQ{)Tg8v zMEosY&*0ef6Q3}`B>`sg{dug=Pt^W0Hi(Q8*>w9d5 z#P8Cmz>)7(Kf3x;DWT;F#NM*md2A|o2^`A)S#&4N%)M1_!*qYO$ zP&V$q7sINEzSvoge@A3(^CVHo$4-wFE9CG3$2qPv1{dvN>912+wIpC~?w`5y>A1)= zSp-`*E4XBztxnM^KW5;ax|%Cl;+y@EtSMAe!E|iDN0ukXA&8CC+e~Eat^NA9>3M>8 zX3tx~9htr-nc_$<|6^J+MqrOWxW&>KA}B*ZM?(@_E7#v81c1$*Odsb~XYl4&y-leJ zx3vxBI#vM5iAd9uqDhyf zBW@cafi*r0yWEDS@0y|SGw`+Ou)Sl-1#_F`x>O>}OK?QfbjpMbszya@eDM@}+);EQ zAhB&Km8J5a4_%hWK7+HeKYQA@EW>KtA2*{7Ooj86wE>8-849pHLG=(rB!4Zb{flgh z;|hMkOUHY07yD-A`nHUDwV$$lOr>IQx-=?!|9i~GnJa~^1Y?ox2j=f0utLa#HfhvZ zY*!tr2TZsKOq5#-Cd$eo#g{@xgCCe@e+RIE3`0Btg+mLQ!Oi-|mx~&zF;4@Wgx1PPS5^a23rMX{Rn-D3rySV0~z+q^-Z0J!5s>cX%@qTv#WBx_KmbOYR zRB&I4f~R)Toj9!b%BOqLOpl2DL0o=N0MS=#_))MO5hpd}-^DsIUg~m-a6_PJh9oN` z&(rvq4mLl=e5Cp(i#6AnIPa4^DuD*Xpi7qqIXhs_URRSXbg%RHDrt0RXL)q!baeK{ zHqq%#314N-UODgfW^(j|eqEeTRZz^>kx+Uon&{9x^b#h(AgqQ_AvVlnKIzl}Yk&9r z*70s&$n|0V=3?)0w8EZMobpNlcrAWnAUw@{IeU6z%seI6d4Wg%ZVGAK_S%5#+a$7d z2L^a&oS5IcV}n6!r9OE6&H5N;d@5RhjyTx=A`a>6(*Erw%1vDEUP3s0leW9ssK4AY zaJu8cOt5hN>BYyBg)|-e=gB-L?BBqxp%*L9AI_H(wMNSz4XQHKlx48n{qv&P)zurz z_R}}X3H28DM8O7Ehh2(}(xmE$cxXw(8#ZKjd2$2hu zy61xylRLy2`m*Fs<%p`SEC-Yk;p=I29m)gWt;TD(kR+#F23seGUfg00yfXFZ3Co zmQd)V6nfVZ6-G}rHyP-@Z*X!(WyZ+Beg z2?aEKwP)e+*kx2!y3r?~2P8DWW);PiktcutGJN}Cg;V|&*C7b$PAPrPs;a5xc?1y1n0>%{{^ruWnJ2(M(L$9r z3DZ`^t}&crVtRz)juYr5#B<>WCimQ+4r9r{lnp+Nk+gJpI;n2iHqxM=wngjs$l+$A zb+^?}+#jC-;x99?f}8=p1z=L7{i_tld7thUs_Ow;wn)|P&w3w(b-EhK7D{F>Ea62H!s!Xfm$dP5PrUvkQ8-oNZ@8xmrZsq?v) zaZJ?CbT!)C>;+M@w}wi0q5EN|#%(pW5l1x=&MY=NXrW?0L91R`$%rG4gwym?Op6v`)VOd-!^0@CjAC-oy8t=H zOtfTXx0oRlvRi2zb2?N%@you-jv3MN0HPv(JXD{&<@h7v`mK(oZ%LAV+c%)Yz`q28 z59)#-X$Hdr`Epc4?UNb&RoOS>i(8sZaj*9-*G_r&XFozhjE(I zpuJx^zf+OG{oHe-tiffWD&^nGzWmC_sM=M>te!s^xgwd|D~~hsn!n;I(7Nr~?Cng; zDrK`)`D*gDQGj&y4NhGtErhKI{f{h(6UGpq(7A;atdi7`Wa3r79uRn#L5_Az)%F=$ z&4IQX)sp4`Meg5Bb6g}1 zR^MIBY_lB-*w5b zY=;1RD~u+C?25l0NgF9qpwjfG-3m+&qTRFKKbhR7s1+whJ=pi% zRL8d-N@l8Lzp7X=Hp*Ur5{zs0U!wQbn6%E%6}CZm@$r)RoqfP>LEp7Eo%c2>A}zjW zlQ#Lm@)|}Bnf3se)u@H|NRx}Jt1AIsu6*F;=B663!~F)!_SwN3dKx)b(6=7=aoV^2 z`}sMS;Nml>-+cnWzhXBH?0C6p@FB#_z2TBHl)B88{2GI=(Bj?z?eLcgg5DXF?L1nk z_<3KK9TzNYv`FMLtq1fy2Yty9g4V4b8bg5y7Rdj-xWG;H^0N&{k^PEY-)nI&*+&~M zHuy-01@i&(ml~q+cwB=KL@0sCyp!6NU~f4*di*fp2u&3LSAFQ|N8RoLXMnxIi=6Dj zjcJVBOMYglQ{4dt5t=M!++M7hSb!X>nHZkrA{3A1+am-)3`UPUXoW_TF-*_`a_N=+ zdn3^<9MZn|f`;vMWA^wsTxT8jw<|-U;N&U6BfE0E!haE#g2j+g~!8IJqOaL=K z7k?p>xLGfNMC!MgEebikF+J6-2xc$}+*B`o$~8r zofqKgEr6>CZ80x;bN`xkyW;^v`Mpbez2Q=c1xKhMqo4_d*UgLX0j}c>*gyz=+tfi> zd^dd+adwq}6NZhWY(yRf?W)_?ZiBI zceb}Oi26mDV;Y_4V9Mtt7H^Q@PXd~HzyO$`hT^0tU(Sczv)|b?7@^s6xWuJoyrQ`k zpj`nq`nyctYrKGw1mf`^Xz1|ldHw3%l|_KU_!otqo)lpKoiuofuRX(WxdT)H%DdyE z=l!Ec(Tg*#Z>~Mi|1Wcw3kr6iBWOTZKbN*X!{AJros<~v>^7?M$y3@C{Kq<84B*e? z<$K!c0b$TH9hyq#U8oe%jce5)7S-XBMLq31`2t2vbo&JTL7+l~e)x@F>A$L01UTlhIa8g%b)p@y|^ zSjwVVZQiq1*@Gr?y{SJE8+k%uRhIcbhnQ7=MSehv0MLvNCfUEdNV|790g!w!Iq3!a ze3Xqyq7Y-oa)d8Pj=Sux-l5}GP|)o?y^meogQtwoz3In#B1ThYgYG{Z7Xjb?wGVy< zF2$~XgIAZKDKWiLvTZHzrY+#Vf5W{^#(cW!7~-xTbYcp}#Y$YBRlege5(oT6f=7L3 zZJ73P+24f4a?~;dczGNmj!Z-B{Y&xc?E9i+_U1D8p47x5;7=w++yYt}dAf{L@pwfF zh;N;l|B!N83&AS`cgW0P9Rz%?&(kK&x~3gl?CfBtCci}=sgLWq$lq5&$8xOVhPsG} zbTV3}9F(Iii>`At9)(u?3023Rnv3@=J?6hNl+fAT<5Fwk8TBMzB`SI1!W9B z77IGMDJI)6j9=!d)uYIC$RZT`cQ5dSHbVZ4oUOtsXWMaX(HBc*>q54xiv6+ssR~Z% zH`|Xk2D=6;Pr)~QS#`j;pGs}qu|z^NMI2akCyMQ}am&RPU6fE}pS%q5mRf-luW=Y8 zT|!6`@Bv4Qp=lq!dhan5GiP=6R|hJSJq_`GQarqSFDy~Q_Y>%2q$3tEF)TeQ7U z4oerWWz^o76mLmtHI*U&gUNd;YmI4S4;z{cRfDvK$_K(X2G)fpuVgjcTdn{Y_ptgI?xP5%1gVqV1c|n*5YX|r?vn~F4P(qLPI|E5KX$igHcnW25rG#?s_fP_p*G8AxyK>al+db1wLGy? z2#`iBfsdu@b&QZ!Y&t0u({BDhjNg4rbj@t|vskc0F}e!W6N@(Fjua{a&0fXVK$Qc=%-$lc#RnSm@=C=*5-C_Zt~Rx9^Z-S zjbC<~s?m|Oc}KsOm`XKwv~x9@8-$rA=nXoBk?jPf=r1QCyY{&Eh?-SSWm9DIZfgIF zcmZ_inE~4XXg$qW@}e*s?UfPjc7mIKL`*`h{`x+qMEDCl^%Ujb@Hpbme{|-X^xoU5 zG-AMf@`y?syPy}W{>XkI?g+G*E30@bxF@CiXcAwI#79|!dA&&A`>;d ze%CV73wJ5*pqE9#4b9eihU3Q3uoDVv+uH*bf9Hj@AY@L=OwNp7>x=zg$ct=(9d=!x zx?>4a*gW~ySbId5yFl!upr;;dGT>_7(_m#Ogiq_TTEFV;`g z@UYczn-?b`41Paun@l@4QB#0Di5{{o06)5nss>tee)gp$ib#^m0!t7P@D9=K@cYEC z(bg=EcfNZ%78^tUldc?@B|a;8RUXG&RFdR5x$G!BiaF57JIpvj-q)9nhZm1fo~g7b zFVrII(r$~Kb43S}yK?vJKe*a_YKfgiS(Hapez8Z(yn4990Xpf_5ulsqO<`_!t~65J z$oRz1-(bR9aOH}gnkWI+HQcR|lZvAZ2s~%WCOEULWw+aEA<6Pjr&}>Sp6H!fxMss~ zGP#l0z#56pVNU{g{N~T9N55-!-WtY{7}Q4po%54btAN$v!{P|}Y9;@Os$opgG|2Cr zOEC0$*k(Gj5#dWK1jr*MGey$le3g>L0-k$sb{~mAy}_Vrd=Vz%OeCnK%`h6Sqjve* zK-1C-aTL(@{ct|ANDgEa(YYUmT~(KFem11Ga(G*f@+mbOr|vCdu8IpiS7yJf{Cb%w z6qoa0n2lxps0PTm>=)RHcn~0Ma0=S1NQ6ACy&Zm4f+!)uD(sT~E z5wpncd;8t>bYAwE0zy~Nw`wp82~B?zMP(R^3I-zg(W0c#$j#@@eZ=j}uZ2N6lf3Y* zl=k$1#7_GI3~LWtV^J6idf@s5Kv7HcZGxtN4+I{Y$d~yw(kKhxNL^0@QahRs=Vs$3 z2Mc5ikbe^xtlmn>)B=o)2D$g$!p!t%{6N1b^_$=ty?P6*QOQn%e$gN}%R~r=Hv)MQ zn~A;dTjxT(7Zv&=S$@v0ULrr)`k+E`%54mYIGQ-J7BD2Fv}{W3X}REWSkmJv7i;$y@**MR`&=Yn zKg9!YK_Pb>76O;MWugBN`RtjW8~#Zz-egx4)l8#5Y5U=ZtCCr_gOy~obp3~4Z3TP* z{};t`LSFqZiHGc?m z_MW`|>QZT_3UIMr=j?Zi%GPrl2_4_eB)gUDIeDm9Rzj@X*EGCziB>MI8|H|P>F2gb zVUtApeO7fr((|48dfSD>xTT-&%zuHrU*Lav{Bp9 zdNi@ceHd_P_PkG#R@Cc1t!^fs7iBKtb!)J$5i3{OyWT7f2v`0yazDozHpKvaidH9JG9ciYpDY^y$_LaLv%|(@Y~#>O(F8Y_G6)UP%7~=Sj&x zU&L`wcv`><@<~p`J!~qZmz4lDDANxj$c6t!^Oi9c5bnFOo9L-4RPVMGTJSn~WPG;^ z$htr7CMkaz`2Cu^P~V8cXqZl3S$&{L3Sa<+kIueiZZSP-@v&dWn5lSf3E{yYyV$nv zakdFOh;))5`5c7kb;s}h`E`^yzE19@F8()(3DK?Z0Bf<3%VgJBASt|=3b0G=tusv` zDv;J%$XW(GBWB3n|f9y7;#{5^!3^)Ewy^HNo zWWk#mg4(qSdqpNQ%1(;7?4&mH{&S!$YVJWlE3SGg6V5e)_p>SyZvSx0MU1NYL>f;L z4};xkOL6s4v0y93tX=u>iSuW%$@f-K&d)itG3QBBe9oenm9(`j%?zTWHAzY+BhVok zQ^g*yF+>@yi|5g-c$D;mE7DZABN6lBRh#SMPi>_38wKW-dPMe8>3J4+tV<^w7NCcQb{QnxtuM8|rSrBNB7w?>{c9Q2F@Fbu5#MzI0FSc@HYl>>& z<1nQF9K|Hxntw)C<><#p4?yYE##=5kkq;&CG>0TEInGH!j^#JZ0s)ny1<_wRVkc(t z<%De*J_psD_*eDfkm>j1ORKpd!MUxc5t|zE0W@|c%(GTOO{nMS2l&znR%&cv`@A^2N@G(=f@8{TW&M>ddm$gdR4;8@P;k{KhZHEGGitP6J~kpbdKpE4kf?*FR{nEij30XBi!H%v>BQwfI0b?$UQ44C`>#H~k7 zoOQeI%qmkE@#d>1*j1U=mevi#0AH>NJ#RbVkXti8%yE~}TE8 zTjDpiSCm=1k&v%}QVYTf1_1oji*T|CS5H@cT|d)hNw#D$V7DWv@8#!DcAsR=!y&#V z+8HeTSG3bEcax8PVJ*4TZhWE1%(@l4j#2gVTW749H9Z>MaxZ6P^HlGZoP|Bc$5!_C zi~FdoNU3mK3Ei0h70wCkb`@;-K}pG6t5krO6_hcXbbX5h1$&YJ$-*D3vH1YzmN{Cb zPL(biBknd(493e*TlCipH|Cq{zQk60V&LIl49UrRL)))z@zD0m`zN5cSP2YlkBHiz zePf128Krp0R?c=TBnw`L28)GJva?5a_61|T5W$!n<;C)gKg7-9?7!oBcRL7Rfh*u7 z($M@^f|l*;;ATA+lj}X^S5SrZ4<6VcdsHG(c-&PEO8vjb zHO3eG@woIRIcSwJ?il|J9A#D@ z%(c|3pvz28o6AQs4E4$F>EG_YrzfXC+J`&K*RHQ9)IxglQbI`6O#0aw|EN^&a%PS| zov`op$9P2oyhQqlLuuhDe%EH%6&mXHA7^4)uxc znzy;W&r|*t9|_9O-!WA|!Z_yfwun19_I2g;zFiyKf4ejFc47xUse06p^D4L9`pbo|0gGq@Zr&Gyn=vi`rn!$BFg^D!hbx0)u$(D|BojC$PxvH z5bXyIx(%F8wcdhxv6uZKW!4vWi+?i#vMi)&uOD+MPVC)Hzx!lZL;qZ%ZH5*+1eY&* zo8u%Zo~GFqbu6*9-%os0KTg;a)ptt{pUIr2Y`mD+yx0BVTQsvMQlObU#!gza(^j3Y zE0inrGAd(jUP9=+7hUH22?Xi`$7z|OQL-c#WDbX#x`!oF244&XL)p(|uP5JKe|{UQ zDP(EJDp(t9&bQnD;Q*mFJt(-xX?SPQvWP;qV&2ug%V4nWGemnW14NhPtG!lUj7d| zr+9~(s~uje3GNfr^>Lh-OZzFsOl{)0UdV-k)Wo0QBXnhtwge%kV!q!WdcTZNO+YH{ zLdCggc*UWv^EN*GHF%be(-sq+`+DQjfP`aqm*m~v!>Ew=Y2h(5fOXPGKK+CEr{yN^ z#k_k*=5RA^m?U-br9PaZid-UHMLRz3_Nc-nn9D^lL}^QpdklDi*a zr5yS#&Ts}A{HVre0fgoT09(&h2+yR`H=~m@zw)1}_pp)%pOFhA9Z^ww%?3uce^vj- z7X;vj>|Vt0XT~rAg!cd27j)bw{nr;j3tYk>{7+wC^63lypS*y$)%mOQe|dqdkIG_y z&PaF8QjwYjkaz4oDuz|RpV2PSplXL-&T5MGVI={wR+WBP%#>IRMA*wH5tA1ig%Ght-^&)g&qHFZo7svGTbK~GggxYB#?GZ;#+Mq>^O`H>J#}^wX=_PwB zXaxYn=}QgVE2n9W>qw6zIAkExh3vZVpNI0A=`|-cE3THNad8G*lp0^)R<|!B8hxkB zOx)2VFKOd>ocoqbXf3NnDckG7=WkNAYh6;foh@@+?JmA8=lbEdx+19tb451+SB#}t z*(dSCHnD`vn`yp|(Ca~Qky{gglCF`_p+-PM9~L81Ye9V$*rwIV%WyO|DkyP_$l8$w z3*eCp@CK)8$xi#9ZlR};Dl}Un*7Cn>A%-UBTl?BC!0lr(=cE9-6zh+W4yx)MN$Pinst$aW5-&X9n~&k(whcZr`^DK% zaQvhQw6(4oq}mBV5L8PREu9SZ9nBttT^-svCdb|q{SUMYg>%iqMdWiZFFA_WaGW$o z4%KoKDh@^JYj)}4fo+dqa9R9~RiMRe)Y3FXJ#2_m6lU|6N1Dm8qQ1DSsy1(czjd8u zx1w7wEpcGimy`}*QMOG6hr!5FA_IGxJii#T()w+H5t&q9W=|##>~B#=8`VKbcsTho z8HG)4_=3a}wcB_ly!1BTeX-cgEHnWDLCWlG-KTT_r}gWl0aacKJHz^a@iYOPKxcD-Y!;?A&%(_2z7RhRBI@EjsIL#bg242pP;uVV}Kg?P9R_HxL-^ zn_yP8yAN=6O5c~U4t+|8i~1nQm#vMBANSquN{=WXO&(Wo+t2gVuhZFI-|Rd9(CF9i5&IIV9L%w-CO%8-phs%Aoy}47o~x zlW8k8_O~||Yz%{F_8#PNX_cfz`!U>wK=0!BLW{TyvVfV!`q=WjvF%R8O?Oupw0Qk*U;}#EmETudenG9{Hg~)&Zlqq29Gf^I><{xfxWR|jt-82NS_HE5G zM}2e4lwN6lK88=WZOQ_mk3b)Z#nTJ7z~i%h;$C_`@F_s-4nRMAe?x+Kxgf%MVc5C8 zO>Ms4S)Gdb3W2i`2XXD)lBXYA9+3Xo_$p79;$BALvL}Z$xb1?l)!r?Q4OR5%{e5iF zjK3+{OUPyjp|GQ*@)UQptS28m=i**4`6~ZrorjVdlIx-MZ(|B4fY;ZR+piilmAvsd zOkjrw4CMvuVoO|XwBukCh|uVv;N)V}oM-3kMfD3HkwWCN=~*=YMSoL_X!F2Ze_|uz zlVU))9QBd{-H|=i>^0eT>`$wB(q)eSqb7r0ZqCq5w(;T|z<6O2Z0hiOtFwP;gjXPt z`i`e0DpcyR_$f7*U^+%MYlvTfrpvECPiCL7<7~8y0Iazcx`h2B>3qJg zq)OF`v#Ky+|6YCft2-QFD8gfFE;ZbD*689{CG=i<9)HYe_Z?798mf7lMl^3Ks>=lw z%=PU1?S?Z^wo3U$$vv|1sj1C^>_1(=|@;zaQai9N>T7OIP2qE_GN`YyNA!7DBgnUS?zPr!2WS%erz3 zV%_T1`{~a=@ASjCrKjH-t^2$9)^!?M7LdQzDRH)KlXxlztt(j13AiXn(iC3Sq$n>N zW5&o42hs+C@zSP9A39m5P5-*QI&+g7AjP@#iS8RF$9*^5OZT7{A;AM^V{L6i^Sm48 z)u-|Uz#*1sL#0erKZPqO`>36k^@beD$b?@vPFhH{)K%vNA=o1mctU8G&lJnF9#p1N zT{;vYjh!ramHJ6!J0A%}lKuO#?3M+Bp9UTI;DNF&l-6!Rih?|a);Eb$S0pIF#&lWD zj84cu>gZ29&>b_&N~>qx89lvQhe4q7JFegQIt02mq)oWLO{98or+`CLMs6S;-&p$K zY4)WypAtf9GKG{KGVsH3G3GQGD#D36cmjP;5QU}F$T1@M{f--$M zN8Xf+i|q2d(t<}tx^Dgi?ymweqEQ{sEC&2d$iKBwdJS~HNVRVwdL{G8G^Mw$dWHO1 zI-**9a6!mcIqJ^9uCRKYu75u&`{)Mkk0w66bw?`2B&VFd8k}P~@P5lYwB$mL&pKZ# z)5u;6&At$&Uezmatd)DvIr+6UMR+Y6gK}N6l|1d8TX;P&-2wF{L4OdqCpp&a{O{~A zGYoF@%KQuE!5=l~L5(1n$1lV~J$mPd=AmS@A#c89kUm(@{lPaR&R0cfvPhw-mydPWc|a&A#> zKp#OJZ!ojEp|~xU=K`wH%u7(vlryU`n(SN=CEU9*nyA#vF2afWN#SO#lSZ~#<>+?{ zUmlVSBC7f7s#PqvQm|H+(<##5a4$i!e_so+7N)?|9YI@u4{DR3rq_x|&}ZO2c5o28 zZKLX=4ZvImG*?C*byW>>@!IV!Xllb8n%*XN>B?mTG+bWZ!;dFxlM zh5XqzI32!y9~c4gqc_-3R6o&fgNoaIl*~T1eEhFE{6O7_N~2F(C99l|Xn70%Pbv;- z%)yss!X=RZcE*iyP7BDT7(HCk{5Fnfjv_tK5Z}1Bd9*%ppl` zvc$qG9}e|4bjGK2;DjbRvhzyDx^TnMOacceI)|;H0Y?mS7rBG^gMXe!V;adU|IY_n zqXl&?+v5bsS@;*XY{B0Q-5s)x7TghbNa$~)YC#sA(z@UdE2 zx$MP?>cB1TCu;qy6t`BFR?LGTUHibPk?=ZA9cPeT(~&2q+2_^GcKykR95K@CJPcSV zYW9|lqg=eB9}=M19^V9`{IL6;@plRHaS5xEc4H~yX6uQz4P@tepP&8nb?f#WauDQj zxjG-T1iDldd@(6n+EC&+xAi~RBO0DxPMqlB&Om#2gjkn(j$aH=p6_HU)&6dcR)rA8zev#N2wDjSElkH0_BMBvb zIph$W9LazByO{+Vnq!}G0Qmllj^H?;ip;n#Ie#2KNct4{;B)o(L3#6HS}OtKC+ckF z7R2jb-<12{C+HyRTHh=Nva<=hO_7KL3>Y!zerHw*!65gM+~qF@V9$ROWQarPz1+Uc zISn|ECA^}(8b;WDa)NF99LTPGkGT~2@)vup*fKLVv|8!o-uV@+0l*P-K-+nMdxM5` z?Gc-cEir4~$`)D=kN1t{hxvsd9gpbO1_3v)OkLccvKFfc(dI*Xe2*v3IaLgcy#ng` zTz=5i?7WdV(P2`nQ>kME(c1w z14)HHXEIeg^VLdIz<(0Ei6$`+=tdNY=Kb=F`(zGGO@>b9vvof&Y^MDi@91`HRf;DQ{dlulkZ(rJzi;FFf%}$QT|d* zSbc4)#1VT!S>>0YSD)$ZrhCxkej@M@%7g~Fd?(fQc20%}sX~M7Sp=IrxozzRR|_L1 zZQvlfe1)o~APM{X^&lcNme}PD@o*-;o?>EF7~n)mR>%C@O;$BU?H_U1y-}R@6x&H% z`F^A*Xm;2AntSJW67khwmLJQ(iu9X7vz(4?!GgqhYfG0(%8%36&)1eL`ga= zKwqfDH)?)-l89SN+_+fe%IItsboXS9IoMR75uQPmJ|L@P1zVUc1|K4vfl!Cr-+8J%)v>&hG1zBzo;^E zSh!Be@Ql22p}_NBH26l)G!2@N-K;Z100x zL%^<4KavR@|;kmqFI1%5My@H-oI&A zauS~C%?);!@`lE)t2Y^Gnp6@~bIZjwRLkCHkY3w!tr*$+h<-V`{*rbyg0*{?&jIzx z`ZdNgMu?3m%Rigt=45DOYBd16P{n_)Lb}O^1;*wY_PxjB{n`6}yFMvVThecsQ-~&s zw&&^2IfV!-%{;gOIZ80vfzC*f7Pn6WTX<&m0MqXK_dlY&>y41!e8TO$I%@4s7n%_L z>N7Is2rg?G7HB8f1azCTxE%_MkFYp1ZLt>a>!d#sqRWjNogPVy2@l>$gNhK zhWqkMCX7sfCIh(V=ZC0YlHlaz?wrnkhOW2o=RW;d#{PW%>pQv($juDa+aNi>l~P-& zlUx|BdibG#2(bYNJl~+W$N!u6qXSP*#Q8~)U`<`1I_1eItDEl1#()pD+z`>XW@$Ql z#L+9^QDf;eMaV>QeQ(B#NI<82rIvhdPM>=`_*ir%nwxxt9s*?&BixTulwYL$F%qhs zC3n-YcMpUpj*0421jbkJNNL* zV&IZURJE?n6p5pI%*4{ymwnG|tQ>bCZu^ceo`aRv2-$Qg= zQ6cRqQWzzP3B_1So!4Ji_}5Pe%LM<5P56XpqRDGABFVx&{;+(VI z0`KH)C}b$;#sl*9Mm-AP^O){TZ6U2AG5``{%cwA2zT_6VO5POiqkKblEgGFx;Vc3x z%FW#x?w2Yvv6 zpeVUL}j&&0Rw?1g)9tAc~U-luAbl+Pl8`n7-nBmP1Gp zX%UosLiMdMU*IZP4~FNu^_nVV9hK53f=uwO_UW5_oLBt~VTGZowU^hp`3efoh5%Lf zw660*8peYz6E`fZKe~^U*6PhGwh#c1$G>mH9@o!N35tTO^O5SAzwZvr^zH=U7 zCAyOt!5;Izs!`E&w@y3|C)SOuX*#~+)}(UQwmG+QqYEAm$6_Ks-O)OAcn^paEt2r@ zpZ_$qd`=y0TFlz;xE>V(5y*h_Tt6;_RHs3mM@o->|8vmQar4N(n|`FfoCh*9OLVFe z(9^Qqkm${Q%QB8yCBIr&<;de(kV-i=eMd7+Fsy_x(;Lo>By)oM@ej2hGYu zGargRnHWb3ZFa$?!U;(^(*p6T z`-fSA@UGJUm_}F?DQtx!sjq|A)Dq-&FArb<%bbx*aLgR|@R<1(7x21B$1a4!l_d$l zZ5avbtlYfbH%5QKwHE-B`fT>_`7CdNb3~=m?c{-fy#wLB=yr~SwguloPmzNi#P0@g z)U6LMv^jF)T{_SVw}VSu0ym^9FP|dmhn?R%LQ3xv7s%r?X*Ae3Vu0r8%uk`)3HExK zOJsi^2U#g-6Z-xL=;j+thwP0mX~4=zzhwK^$oXM@2)!6NKA3y*de7_fMn}hwgFfFW z&dmOG6P{f(-y2-)--5k8;lH{t#~p(aN?5zzfi?--K74Jq+nh2hk27HNO#;gP%KY>j zZr1$7TonzNcEaNmb^@MY{+~V5n`>(V#{%z=uD!9zFb^oe*P!=}_hQ|xfWSRr7|$z6 z+|T#{m?l*LagqOa`-gAk`|RWPoJY=|XXV5%!VGxK{arYs(_V!roK^>!4M98P*5RF z-Fl+mUbsX6Q20wakq4P&g`-V`0t9VS{mcbP_)sj1NY<0|R7B}@xV<0b<_of4L&0L# zaY&6_j5)R+7FTpb>3B=d_7c}NM_cZ^*=1r1c3_O>drtp%M=Nigc=iXMb~LMu=Ve0> z9%Xb;r9%%c)4PrI@cVK?zb)mTqiK}%jZ%G9!*`~7)B$b`9CxqEEsxkmhqmR{%MzXZ z=iE~g#Pcg6-FSy=e_eNpF29#^Mb^mFIZ+{>U?V6>5|fux2GJi1rUZRd&^`8%guC#v=vp2;;F zV$WtXTx55!Co+*T$B&{g;?DLeOK8sgA2woUkULP1Z z-l&|fhz=0h!c^IbtkvZoi&Pi!=*h=l)zjD;wva&iuugLAU&kFa)@j z-Yi9L{A#OafM^#oNwI_42*NV5WX{~)=)D%M9GKo|edib%G-yw5? z-Ooct8pBDjir^TY>m~sOK0OLtwBMLMZhXWPtT|aVT**jp4odu1-T872&5>4P!qny> zS%J(Lnq}|X>vaiLg=G|$J6SSt+iyw!h8LG!-{^BRDd3ujo=#^*hH28N{9P#4mv9Fo zvwKu~5c$wjT)!-$RJsd?nCbKR;?TwOf3tcHUEu|Shzx|v-!y^y<5D_i2-x>RJLT&D zO?@bYV5lcz{=k1)iHu-f;N6lpyi4nyUJ#s1+t*{amT8Pc8ETVJ!pdx5=Uh^HB9Tg5 z>B;PK)a&dMQFFcp7Eaf4mSm3XVw?gpwD=30?xtR6OgkcutzQBM72CcuKt7~4`3`$i zjuv_Qw*)+8-su9YU2l!rW^$YlSV`!b;!>=K-Rr|9&z@gz3|*QOSfeE z5}_w5ui6A)AW4mM@a!?GeWxgVBpiv{oy)2alr3`ikBpkZw>TrS&w*X`KC=bOE4Rp& zxB%M?&p$`iEFl*kx%e_DR_2{ZS?-nu+D)7Uj*v4H%gz z^eR?J7EI#65jF!k^!ITc-v<>AMqE15QrnLN+00Sk4uqV#T^XnPMHr>J1N=EnTq+BE zt^>Y+YsCQi&637aXfIk}?`8`RCyYWFxoTm$<6rTJ?nYE9J1w;SNrFB-*@d@-MBl;0 z<5Z%!!lm&C1>F453kl{8PvFdF>+FN5;_QmgU!SG5bKWa-ZG8`i?#S$jHkkVi80l%_ zfHp56@wZ|x%$XFrHr!z{@+pIQs9>rXipru$D}1njpH?0jTKAkw^!XY(J^@k0UH%Xs zKIZN+D`KZ~z>EIG#Wku@8R9hsKG~AJ$;v;Rviz({wXkRWorXN6HX2rn62AjwZBO)ouDsHd`X8#!#OoiDSzRVU+ zVj5HBAM$bi9=I12wzSn*gW5WmC}yoZf*Saqh>OhoY^;zCx#jK&eD1mEDIIXA(L0J{ zdEB#e9JwOTpyxmeyIPv72i2N(82A+rWU}}fB2|$)Yoe2cvocr)h;0QhmI%&C=UxC& zX9vE2c((6aU%pU*>*vsyi06@4d55q7RW~wIhfNYaLx978`Ia^@@aG6Yy^eNnECzA9 zE9YC)BfkF6_YGEfeSB(_oUZUjEK@gz{AfyQ^|C3LDCU+*Hmu*Di{OHGQ$)RGa?q2U zDB7j!4Y5a&CzoI2;%T>*&DRC^xhOvTbsDFur zeCDd@;>?Ou)!9z{jQMNBzA`Dv7PB6y623UekED04qtGo2aX6I?mw~WfiFkpYk4b#5 z+XZVN{1b2$x<|8LcJJlD79IR7U!)xPibyJR>DC#BPx__%8%YQc-|ow8)q(Z}uQ;b0 zok5=?xMl${5uG1)kbx!3n@tEDWdW8f?0?pEcXxjJF?S!ZQ#`;)<)rTKqh)7})# zZ<`&ReT-=*MqcRzYeS^Ald^LDw~J(JQXR}gXREzKV#)zILZvA`_V*ch@{WWUz=IM3|aioVrFEt^oNO2QX>sU z$Y~NR3Wyc)4r&GQf~MpX`X85?lP-a(>(<~Dl?D*CM>$ZDHn1Mtu=dUEMDN*IA4)CSTapnv!<`&S=2=Qr_Wt9R4lf_FMueZM)sPG(s64!KmyZ$A^g`+BVw z?^4%N>A||%;)lqU;Rgs4-|h!Xx7?e@YhQT6)YP8cUpg;U|I%XQl=9-w_nl{nKX-WY z&0_fbq|=UAmpSe(h-F7HEQi<2pctt6r^K%5`pjnusSO4YDc+dnMSQtMGk7!Ri;k3V z%bjHE92Yk+8okBDx52?JW=Wz*;e^7jt!n<+a9C5-+$|v~s8H>NE`?uezFw0=;I;}X zoerrd8{KosIv~k!+*X=YRzlA`X-M8o&q##g#Tu)4jT*4XITL%#b$%DlyMMqC(9#ZI zA(%0+fP4Wy-(FG2uCmflolL$7vT^a(dAk8-Td)4WHjH%+V-7A8eR~l#6jzy3ndh?U z*uGwYHGb?Z_SL;nA|;|)hZ!VN>GfdxPgGyp5s&WqzpE#wp^tp8nM+;I{fc9g{rPX( zIfw6qukVkd2gj3lq`cVR`nuymg9*~`3yQ3{hnoPk0X**<-_0%$pJ1KE!p09sqPBK% ze4;a$SER%))Mc`9qY!E;l3gaRnQ=RJQJ7QtW5YMW&#PGyhdfxk}B_C@A{I+#xf!rB?UM_Zz`W9+-};qkGQBevi>tXn|{3j-kxj0T(g3cWI&Hfh@j#+;nQ97<2s#De>_| z75`c27A=wie&#@@)>j(bUnkI9#_UNqoe&IRsusslmakLo3VE`WsB9RqES$m$X7S<* z?#c?il~xN17fxxHshJMDg0adfXe6ckb4~!0sq|7+LaFfhbLkQ)7Ti|;#0fl6rw&^B zQP^(L&+kmDip6`_zUdUkeHiX(7EYw=Agrv?I2Ax!hJJt1{n*k6m(ksA~Kv^w%A!Y}15^*)>Lsly_| z{KCDZ(uZq!{$|CAHdZh?9^! zb7I6WmtHPcLMMxw86d{iE;?yjC2=YTAM!F@Cm_*g&SDa_(R8B9bFK@@ITT8=kVwTz zo7o2uE&3-wcw9f*YP=r_hWEl^s%3Marrq&`;9~vIne)nVMGTv zZ^JCD|6y^!($FOZ{-tUX*d1lJ@WQqcjG8AE$;Y2~RvKo;pm=3}`Ou;g+Y2^2-rt2||#~KUT*Uk8~TWk@zwJeppCYh*p<&r*WV*_ zh+s4x!qy1ScUG}rY;ESG?dnL8|&b55krh$RB0DN=boYtV{+Z*)gw28mb1<1$CdG;ZU^ zuEIb6x85(Axv}1dK+KHAE^CU*JKZ2{6tb907Tl>R1|w-yRaE_i;Jz`zBAJN)1 z6!rmlJyZ@h8P%4~!Y(5rxDqgPv%KAAVh?fzb;QC|Yv3ENQ<-8L2igB%V6ZYSkYz}Q zeZnNCC*Ob6nUiCBcr2ktwDTb;3mAs%yI=|#=SKAo!6+q40ISJhhzs1XuCb~ZYcvoX zgI5~FxJhGrB)3rR`OS6~sO#xisRGK3oQMa$*Hi+n*sHtfmCsD#Bv=qpIIQL91oRYF z`yt;j5f1cRCQnoAWgAGKOr}h!R;+lF8R?IEzdS63Y5zUF57(%5*+$FZbA&Y{m%!i& z7wZ(@;$Nbm1#EN$4{5`$n{1_az4=g%76OT|wdYC{Y2$+k0IlehNY(crgL4s)XBFFI zqL4TG#q*dtft!PNPW=yy)x0N6$9|fHlfQf(8`#wtjOVAIiyubV<9q zNOT@JzS1H~#4q$(1(WV5?#&l#kkRL^D3)1^F>68Qk61rat1Y9cg!-AJA?(Lnv*~uS z>0tgE>Lrbf^>3hlWD2iGFf(6F>sUyj1U(FgxK$9ThX|%lvE;dXgogo!y@qPt@>a57ZuKfW(y${^?>p8ZiFT zB?LE9)yucV`j<{nLq*wcUF|@_N)0LQAV_QabU`O<6dgT&Y1VK_*LK7~P4_<3t$jXQ z+<$di8$Fga3vCf}ct~~iuX{7HUQWPmGZ-m`byvv_IkkXdG8Zb?e?TT~L z6QGBGt^)G6_ztB%$DQQGuMd`P0in{kvok#Q_dK#yz8Awtw7S96jJ|?*4-)+-Gl}QM zuvjb@*?M%#&9xcxK~c`OePyAisBg9*30}AP;;5dh!U9$xoL@JY+qmBn(o>=TQd^ShXxpJN5l z8G6;%`wTNGUmD1iw{(P|PFe|it)9@_yrg$$%Ezf4gO7X4#+el#Prgl^B;_%CZR11dxlAv0UB2o?X+wRv>H9k( zoa=yFsg7Y&x}=M=Uur(--H1y;zz#6o!Gu}o5eEvnUXaS@dKP23jZ!6Ya#bPw3iod!tcS8LV zWlJ5Rt!dTVZ9#Phpa}v4H?~&klno?Q0h@K>jMf~yi9Q1=C2!j^3@MCWNx(1d2QMGx zlOCfAV~fSE-WXJWHv@K6{0#f?!#{8>rnOMpGz2CFDJ*1yKKNxB0is)OT2?2H$zSPX zP!b0}S`JZjr4J1Dy*nld&Zi6!b;2aApU%$9f15uvtfKW@pR zZWN<-;CdS^Sf}UlQW%rJ-KB*0SX5J*wv_tJi)EHq{LecgZK9>lPfOrI*0k!2=F~px zlDC{1jl%5Z3mgY_k9K20+!Eop*YoU`M`K5s8phuN^qC>MD>xliJC$7xY;CBL-H(Z- zR%Qd+xFYU3(*4kNqJ?IjaC>`Ol4jAAor{ppT7Di{McAYKvf5eKSDhpBRdC-WBpQNr zO1dI2q)SryaICaUWz>Pm8%$?9&jcmA)SUSJ6Te$c4NzGyR(qq8HrH_)H?2871jF}w z*XM`LC{c_0V$@M7!phCwetxA9qRCwZopD|7wNsuModflPa>dpi`FG6Ynp&rzmExA zd7i;(q0YK>?ZVAHq*2AI|9wgXN2N{{9U5CHkPfd^dIz2?JW)HR+0!x)Cm<0_BRO$_ zAvWF-&XXo*?h1vhx!VwqqiPpbR}wV)_r?kjg&wL&1eOrpZ<-?G`KO$sKKtM3WD5=? zOyyQ{1$>c5D+%C8hyhJPFt)k6oyx^^O_qU5=QW0U!;EMSjM_q%r@}l&yAf+XcYR<& z!tMU{cWHL#`Zd)M|_hY?T7-s=2J+Z+y=LkmmUOn>+ zf6WhqZHN(7kV5r$MDNn^bMjX0rpR8*s&TekK?^l^dcwY{2@juQgCoRH5x3ix{*;7e zn3ac{at*+DwW+hm?8dU4nxB-!+U?LV6_bCr6!yM#PV_xbp%WMB0%5Po5g9=TVd}5} zZ=ngoEp8-^8hajOa=&+ay;RIarV<^b9P-GX@U z?ivWu1xw?EVmTzuc*a^E+aE7X48JUb?5{u}$b)sB$(9)mkk% z@(5}tjW~CW0_5i$nQj-9amUCeHyn`6(q^X8V5``hW2*PW<-_JD6BR~aAmE7E|H|T+ z5dxQeYGVkynClmwq6g7p1)Q3I8QX-thXui#r2<}{#`^N>78Ql{mwU)5N_4v4Stp37rvQ@pMKNdTEX7yj$bZ@aVo!8=76vd^??;0+$BF+y&M#a9>Wtu}Xar zi`=Nw*SyYMe?(2OHdy^0x$<+-$n-e1O$X|9IK*?t%)|tD>Ab=ib({-pjp;I8rwoyl z`lkYpK_O1Mw`)Xa#}ZUWE@-v&iRB(RQbMnupRHbMRM*uV$A*2DgSUyx=pPX zEi+$?sb9UlZ@&NANQ+q~zjtVNQ}`xUsTmVp0U3Vl1P^Kn-x_A(-&zsnpe3CRwRt@h zNEJe7{+0Fp_8T{kRkereOGhX6+$8|rnb|`e<-DrPA6b(Zx%gZeV@9=8F@k*5dxf@+ z?rz8w>9i78gI0s|Le~fZvXUiW>_@*-=h{>>@IzQ&@5dB^%H+2`ixX`WsIFPXwKLh^ zm^D*IJ1khD$)+*SyG=@NzfIl0PZBLl-=_+8jhrY{I;^`a+C9KFNth`+W&x&G_>s5h zH726NZ_J|1j*H3Cc)mr?8z{_<@!2rMm(IKl28~6xCVrr*?lE&9<%BH2$qPVeY&f~w zJw}&DD~QsuqG4GL%)fQXljtOC2X_B07DGNchcBCoC(X*;3bmhkJXR)kXb@-A=u!V) z09!z$zaowFI5M42GiNt}=|Fj5V9nPtf2WnINZWz~91IF>mh@^{fTLuJqg29P&!?Ig z?!)c0yT(mpf>g+Y)LKFz28A{VV93OrXQGV;xwbPm=k05-)s&Qk827CU*COf!&myiajM_!%8^)`Niq$ql>=`A=I9jG9c9=kwwH@f2I-K ztl8Yig+3-2=~p~SO=9?bZhtY#cRkY87@TF=T%=?-=rq)yX_QS5pFClW*}H^8(`Y6r z5)YTJ*XjHaLmkkSczUnQ(|329rGeVc47;76A9VMJWnRnL`m};um*aCLbD8Xm90 ztNOvN5oCAtA3c9VySp_Rk!G8e>5l;Ee;e|Pt<$N$ zZ~UB8wp^S*m2gD+tzBmn=;AID4)>?_JZ!$EI8BRtt<^%AP z86~G}^KY}JGL*hzWf05le@KREJLl@X+IBTX+H)CsyBPW2DsXM*rDz-Rt&Kx(e?x%4 zH+1bjnQ>>Wwf7!9VQ=PnJd6KXRV%%iyAyP~q@3_QEPG5I#cF3FS5Y0i*w=fQ{ ziyK4%98@IiA1|*iZG{mR*a9&W?&Tf(@^edHr zS6j#KmvB>d$xS)%SDq}S-pU5GEfPc8Hf~^0qp=KFtZX5W$b;|NIEC&(RV}>3+~i{w zGz=H(K(K92V1&F`*kzRJDY^}E@1yXg;o6%c(7!bd&ruLZ)#=ib+l$>F~p zbl~URts<)AxzN=|EuA=998TZ#(MemDP1uaaH<;KznwG~~;fGNbNJg0zwKb6PQb+OdC zNGP=^)v!lj_d|R&M>Kqcy$QTx1%QVhy(M2EK z=h=ecCXb%5b5rq4OW)^Gv4 zO|&pZD%R$Sk-$tLQrFhl^tjaLO#2yQ)nj)vx-S0eU_G3o;VY&CA`;sm2KoR#F4sNH z^k9DJ>%W%MC;WtbK-k_|6I#hHN%hYiltf`DPZiF&Ql)Uf>zI27f>Dmamm6L4G{j7b ze-K3IJCcKZ9UHf2R-6Izwm$xO9D)a^nA0k8&ShbB7dQJ|JNtDGuJa{`(H$a2?;!05 zsz!OY@zJ02e0rHL5@8U?r&wUg_O|LbmFu)_V?Rp2KFTV)^#w414l(8KAP<1bF@7P( zQ+boJk%uJ?U9Hl;~fICJtc6NVXfoUDV`XK0h_Dkvgq@AGK zbG5W~tE!y|%ulN1^!Vuf-SLlaem59y`>*nkgZBq}x=yjol61!mk#2R_A=^0J2rxSEL%a`xsf5ys@vj;BO zNdq`=@9$K|j)_-7deBCS;Bp6Vc$~kK*$X4#9GV;hk}_ayohpx$1d7<%t`~l6*SDfq zXY3fz>7U(ecvjy*QtI%oeHtuz-7IqHd%Nzvs&!%(=kdh9Qgalv*Id0$v@ zC{l=>A+{m#OaeAT5E^*D z0XRg6%%C{HVlFihY*u8`*)jBf4lU9#JB``KR3qrDaHEwRNY}G9`i<^Su1K#^9d0Gs zwD$!#HTHsiN}cR7_A6(zEV6W-N$U?_o2ER2X8K#DD(!(E!QX#kf8}Z5SFQuOYaDDE z$eNzFCYLJDOkM9JR{1hm#@2@+OPR@IL6dA)8pc}b(3<4CZo{%m?wUJdg$>&z2tbWq zOTz2#w(9lER=vIEIC@o#8iMBzv=}(lcy{nR#L69DoLsGH`a|4Yx3e^4?(SeXb6NUU z;vpFXD^iuu@3Xe;e<=EzrtG>^bShM3Sp^74>2}&$xsabz!~-(KjtQ8i9waMNO@$@+ zwn4MB(FT{7ud1b*Gcit}DfCn@9_9s4*k6ubzoI4c{jhyEY;|S6i%F#+v#->k!YrQW zio)wzc*Mi>!gNz89XRM!wwMBi&~*^16nw^Sk6mLzwf+`&e`=78d1<>u0}Cax^Q4%> zsiD^>%+ty5d8h{tXh|4g`5ba%>qNm=rUJ;mjj#;RP=!;WRTft1q2HeJ!2ITi+;>Cv z*FUqes7nfs(5sB~WTWPdB(xoV0WK&NuOk#lzvD^i< zQ2ETJbZ}*;61XrFbKN)CGmBY z9?CuI1=nZZTf+=H2)dtvJaq}<(s;d;bJ^AHT1J#oO9(WYNF;Zi=*~>b-%Riso5`q1 z1RIHve`~D4b^xio0WV%A%Y$Ro_@{G@o(*2sxeg6egPSV2~I9S~p ztI@g_>5Noc>2AZjt~n-Tfzo0Gaf+Ggu}nRP9S33!pUQ5q_sLOVH`w#D?%P=t29WbS z4tavPCRi%EQtcCDuw1fZjJG>I54^)y)t&}De|RJ`AX`>qUW}4BOiHbiUP&H3=Lt_k zk>Ln3Wzd_8HgR+_@6~5+3U!%))3!6$R8o^s-jf**6A_I(#BRBH9>GO4X`R1#Zcy+Z zGk(uHZUG(E!G_&Wj}3R;I8v<$JzT4>v<7-Qv>UTy#B|8!teV$M1I`)0y+YA}{U`0l zf9YWyI1p9O4w;rwsnAF=Waq9MnuoLR;8abu6+>JmCLBd6FKOGNmJZsUtD|~Q)og4> z;~BqwGZ!gQbNuTrp|exA3=WN*N@S<$SPrd42}zKDeb=P=&~3dJ<92MYTF<(kD-cXb zNs~K>$;@ORWJStGVvPPM!8Uy9iYcene=9c1HER6GeK+z>dFjgn!c3Fbpt)}2kkD$U zGVugEz?clzdl7iAguuOKcT>;$p!MXtUaG~C-OM;~XV{|Jb>>;Br}eDsxB_lTvhyUI zS26+NTN*6q;dUI{HSE7TLDxbk<Y*Ug5;yoxIrZvie+MOf1jm> zCOgd-_^2Il*l?nCBjbLs7xdu}sRzm0IM>IBUUwNr^o)%|?{(G0LE9(#A`rINv3HE^ zbo&_UrwG(e9V*uMs#$DIVIJ)LF*IFCFk{b3L=`=>jGU)se_gd=qkAx@YO{W}2X?ZZ zx-{k;hfL*> z$lz8bast7Mre_DX-1abgf0gV`fH|Khi)uf$Qu!z7-PXpSy|yMy!xosG?hG^vf1-Dm3~E?Aht38N z1Y4EG&G^gQhnWpKFIDOXD;%^-7*_4h0gUA?dzYZ^PKhlO>&nS(4vgzqrsH9$?y(_( z#41ziMnwsY2Y5^$8gBW?IK1!Gd50eN^70jv<1yr-#nw||w9QSbMs6{nodG*dbEs1U z^>-i=*gPI6l^9S%f76Zz%LPlB2%dr-8u*!cwCPuPuoKe3I-vKP792z}7%Mg|v|f!H z7XK6KXFA~3?yM_GX#JpPA#{SiquG_XLyNON9G^p)nh}(PzblzCUgT5#MOd-IKMJjPgU?15BmaeyA2G=6(UT>0=v~D{b^|pT!h~m7oAa`7FQHe~kV)AZzG0tO11vEkiwQoR*W;0~FL4{QlM7`MO!IsWa%4d^f34?`u&nNZ!$?zYn$z~q@r7Yi z${p6FOkCe_j`jQWziGue3?DVEx_lI=Oa%*5*I5cC=McO(78Qa{Tpx;IC{ra9@k&li z^HZNVFvNTf57{Mnm)*cL%yphg@FNZ3lDy31Y-lal&Am4Wc;AJ2Kuy;fQ5RqXs8rAi zx(5xff89%hdtOPl9&*SY->XQkkhEhQ{Mb{b$-^)-k;nR~bJGaL1`?-6nyH3)`QbYa zqu;xLPS8OJU1y(z)cgL@L%+QIvBEZ3x%sq*=eCq6{E)?sLc@#apby;0OcO1jc$Nos zt%Xj%y`1_F^LgTGF%N59NjbvTrL|6OojNONL+ojL`3g=^GFgp)ncxcs1pxw%a^4xEe{(e?!L1-H1tiKoiWm` ze;WuJlx642B-23?0aJUIh^L7rGMSi*JkH~5;V0O06YP_n*}R)0+qFmHcgU>Hh~6?(4kHh@e&Y1zq@i_9%`on>OE9o5OnuE8R+|p z31wccb+%hRo0}R34w zfi214l0it1FMTD!5R~vDg_;&Q&~r88Ht=o|B}xyEzi76PmR&iZ6L2p-CC!v(>#?I<1tI(_riG* zBN<|)cs}F*lqnd_#e204Wn}Yhe@$H{MI4E3lVxRV&9=>;?Mx;jnC7!&%P*tTu#Ef9 zaMzz<*T_jev(=&G5IqUOEE?JZ@SDa!lI!cbMPPIrV3;$od|8$7(NpdUEko~B$1=&%4K9jQem@c%qFEbjY_jiL7oe^}27_y+tK z`)-Wh8t37hI~v5^-%6b)EM{8QS!7~7xoaZk)OZi0l0i(5gW86wz8Nimc8$FWPCQv| zN}^s*J)}$fZKed}Ud6`blMoBhC5S5*5Tk_J#mzL%MPkTCIYp-lSiYEx@2Smc=qKms z)LIo+tzorn>SPqDvJ@&Kc6#)hX^KK->n^dsA3yu3kYT;r)3Ak-T-gnj^K2qaz8N(J zK@9}xKoVIewFYUGWVF1v$@qpuYh5Hq*gAeWl;Qi?mW|dZJ`dpYNizc>@@fL5o1cL9iR#4g;(vY`=~5KBSO6 z8NR>aSwt!dKY3y*U1*UZiQGGz!%lDz><(cLXVT;qjAfF@8@(@2p7@D9d4l1xCNt7B z7hvoOyRtr*3f-M@Wiyffz%GSgeF0KGDYSQ%^*5#!(z zG)~q_k;C&a5ZTYEo3u|CnHHl!e;=r+%?MH;D3BzeE!UNmU-LM@>Lv{pH#$%o)m<%5 zkci*2>NqFjmv8<|!1)pd-KCVYk;53JJ-~STCWBw&YnsZh@(#K|?1O&3E=Rn^#P1@3 zeJe`<3`d=+e`49)AUY1jfMlooQ+VTROTLfiV2EvxW!8>H)eK{}A&=W_C303ttVP1} zm<%;&80wyFbD~6L`vxSvwZGnRFU`28&|PY3Z@Cucpf7V0Q-D4lbscT2XPr&}!)2Bp ztOcS=Ky+;aRi!TB05fZJfj^mO|&Rtf(T5f)FK4~8u+bk(2FMK#!BL>nSh#5Flf`1 zud#xIf2q|3Z)H4<=v(m^%K_Oq9+?W$_P|f;e|!^#0$@Yla)a~OYT5cL7^9L; z_4ZUKiNYioP1@1hA4#EbN*F^y_tBxT7n-d>le8i;tmhG9jCBKcEYoXY@~x~#LjTkY zFzd&+ex$)>`iXwv4A{$J9dKTq`n+Dq^l@%`f7|+N=8TDomd$D|m<6y890Hc`54FSh zVzKS?MBkl`)c1lwEv&I)JdWO^>jLn}aQo#PKh&n<**uBI3r8vPVvcEPQ<>!gk2EfO z?x6Rz2kVpLc58Rh=HicJk+Ug!&NxKjli$YmG!|f6fK0j$4Nvs=mVA>Y~HPCbF z=!Si-&|IX9T1OZOk+PZ1doA}xY)`qH+K$hcsYqSTrcj=;({pci0RGX&fGOY3+5_)5 z0Jnz0YL!p&TCd?Xb7K(|X%oDvE^q1Yxy*6`(`A)Z1VS45fpXi7CrOLVL=+b@e+&ua z*+ewC{Q$5(TOz0{!H#YAh9WMJvNlI>(s)d)*R)(L6mk>0K9yx10k0G65FiKTM6df! z+Z!J34bO^%5ZAuXO>2;zOuQ?~g~)%S#(X!;D5~O6-zTLF)>>}A)RWjmgS9altV##_ zK3lCmNMlH^<`i!)Ucu3U>gxi3e+basQU(+9d65Xi;iFMt3I@go@v7EwQ(}lfbhmUJ zdsv642Yu4LZ5=w+A#|*7BLWu`1wqWvk~Y@so7l=HEawx7zV21ODVI&=VVYk8f!DS( z07Q{N@$$4i&%`WN!d99meughCx#9SFw+aV0|&Hs=ibyMJPO5T zmnHXr85QAsk)LS2SPe1CX-Q5J!gV=kL>#;j^Mr>&&nZiWmOxt%`OQS+Llzan^59h5 zm@0F#3h=(0bZ5DH7kQ4g95;ycXquec^g%j+PyJfMR(3!r8_5+)e@ttFW><@0Aklrn zZwRx~v~VNHRQl3t%${VD5PhG!Q=Ss2JbI73Q~jr7Qy5W;|LBvptQ*-m$cJ}{KHDr*!x2IDsismR z2#mJXbm-Ca8(`zq&k$wK5o0PD5v8^puEjA0-1D2V+yqW`qiVpQ*&2g8q{mRs7mT}H zf0V3q$&N0rPG24!U%k2b%ex=nygq><>lI0dCTFZ6_8k!Zf88}a1YndI`0*)30at1o zg`(xeTjlIHrsppO>w=Pdy}Oq0eH7OJRnn7cDBd;9p$@r9)t?du_Ai*;v*4-g+V(Ho z$n6=n51#XUinUu!RHbp8@O-L#UeHwVB%fAIFSya1jqQi6QARcNcq>bOU7v=zj^k;cI6p|vTHR)Q2ZS90p`6~($d^K%^CV8WRxy2A zAVpUfe}27&;pyxGqOK9D4$S|tb!AT zJ6Z|TfiYZS!#ZZ5ePRmekgk4f?UgNEWFwE|m<=yaE`B<>c=ungU%fl|ud9orcgJte z&Q3IwAF@JGTq8*l-L){qvGxO>I?!Fi4zlMDfBC>C5G>b3N{0*no*45;O)Z4?`-<^- z>|wgd|3QiNGzC{fzdvG`ACjVyKV&=<=OT+`Wc$GSF?Q@2%S{r$d5nI23}c_b)FqA< zfAj-b!zId!9*9HFwN9w#0k}~7-rmyfT;4`JIbKtMm&zJ17578q-EfZk#e+{2w zVPypZ#bvz=s!)b8r1<5gxcSg0qYoj56KVxU80e8KSUhG^ek~X`1xB5TVd>B=XU5Y8 z!%JSoD$n9kfyG{EJ6s#*9}qYm@2YVA#IL!Pr8e3x=oLsLG_49Ojlt;fXtZJCJ7XX7 zLe+F*)2GAxDB?A6Z8ta|AY3SOfA4_ei9j*_+FN>^TeWhNJgkETP;X2=G*lxAlOift zMqzP^6@q<|9OlS*sQV32eN#MN<<>6|$}n|31edh1&Yj*3_B{ljvanBiNwsg8D~M;* z9>YcNFu|i7T{7|S`D_KF;H@}ca{FCMf#Eaz&PX?x5#wndw{6jFUl|~me~m}vp}K?t zLQ-60Q7I&~9Q&&GCM!~i-mzW!j2^^;`zI` z7q7MmcDtxrk2}V|ZLWg5vsV-VJ3yplW`nG6^Yd#?eucahi1 zpV=$733tc(eYR+bbz}p2utf&D?)lLMe=A2?uXwu%gx$ZDnvv1lf8};~o{6@zdYD}{ zf;3b>@(E`4U7n5NJi}^YK7mh`i;U3_Do7E2!cNk$%t8T0M_3ZiT$+gOQ5WiSHqtFR z#~`Z|Jezj#p_1c#$h5FFTZBdBvkiJo& z^i{%aItF@e+haBKf1-PRXGvfK*&=v<>2UtseG|IsO}<+!^ALQmxxJE3ax~YoXT6|P zZc4A;sdRdScR=L7?7N_*a?7F38?Kl>#!yB!@Oh~ECbyH{U`yjIKZFnF@0JnTDQ`{) z8IE}PUZl~`kR}^X=SqBtsO;-850KG14Wq5FjZQ$`_1oz0f8YNuWbWg-s2L@tLI*;MhmWc;}7V7J=N{vY@x*JQ_30gzGV~Yfr;Z`f=!?JcfcI=Xt zLVNeUA9-63)Ly(NN|DJ;tsOJxfE;Z_-hMDF(+2RSi#eewM0*vcJ^Lf?6% zk_g+pk}Q%pDbyXa=_Kq=FPOnhiM^ZH*BkE{t!bK%$`Y z=szAlU+SkE1iSs}^!ViL^5o-=(dl$LgPk4tf2Y%_8T`LD==OL2qr0=Wv$xyt?d|UT zN2lBGb@!7{{Tl&glWhGgf9p$jboPQBzd3txdUg8d>=M#}-(H@y*u}~D#hVvzkM-9r zcZHq44Pn3`%0YX&tHA)h9jVNo7epxZ^ov^0Nq zWsh106m;aECLAb*hsAhC3wCL{(sZ@{CX30G9bhhXtek1AIxm^ke$vkLti+OGa4A@Is_qNF9 zQVHdE)g8D!qYVRPe*>1H*k-(iugV*dwTzKpPa;n7-!0HDxsmk^6qDnjcOYXkp7M#n zbn`J&ML0DRYiU6rmOonH>^Z=uJ986jY?2wgl9yN{U7#%du7i=yvNVD18?fhR` zFq~EpaN{kYB3C(2LH$uvo@p@&A;w#5BvLVs!h4h9(&Tp5Y~cW2vDU*0|V!+8I?$n`dGyvJ7K#W~Q(Q zRF}mh4pbABJzz8=>7Q-2Nzh9%?M7>wHyXV#&y;B;rB%spK`{70%ijM=C@{Fg-#|LUu*54#f`{fL`2f($;3p6k)%M9gg9)o6t zO`>p_KBlm=U`oA0Nc2;-jxgTcnTTQzB|ylsf0o(%8c~3#O+90vLmJck6^K*240i$E zxE5Bk7Mnq>1SiYm{U>y(rKzb#Kx~6GS}^YDf~9V$f6Srxiy?2uq8MTEHOBLtLwzk1 zm8)lKKy3P?(^77xDcN^4pNlk#Z`nvB@@C8L!V8hb*Bo5GdPCGk6$A7b&3j;0Zy@0w z*oluoG?yt{#Ym5#u|JbDq*Zz-W{sOz$;1-_5kdSqPgo|dV>rqdwd%B(Ncc!*_Ai;) zW2U#se*n{5PAHM)EetWfnaTt%1(R7kiJ{hL?ab@+*wU$S>H4==b^FZjX>7LE;2ZcJ zHYO7@9=rPqCG0e&=zVEn-M~yF3zo#`d)T;9oC2O`wR_7RIut=0^AMOsi||OdskKSz z-4Sx^PyJYva>L^rPrP~u+?6Hcxec^hlHsLpe;yiG=}Z8JP3*GWQdkww@hzDxoqUU2 ziX1Cg@+7fjTNR^OoEzd{UWKL{mqVSSf<*G$lmJ@}re66A+9K-swr~y3EJb}lr zIUhOILpMf3?aO@%FS&w05lXvZAIY zX4;Uo{5NxvA*)sJjS(!U-bTfIM~gvNu8r8h&Vjbz0rklNopWdq{PmyCrnn8oJcmv= zxxI`qLDLs{i_LMZqGVg0hhc zfy~&IL3<83BbN|0pC?+~gb)qbWlg)x)Jz00K1&uiS|AX*yN+(AA{0vTEQZ@T&f;`p zH5w6H-bXL~rrKgWfqH310i2C&k8I@iaaMi7F348T0tAHSxmw68PtFW+f1{7W^16VX zj`jIFT}b6|u5sEON*+&4^v#6ppMl63#eLH=EGJuMQmHm<7!)Uwg_fW2?>J?gCHzJe zajut|h>0sNZ71(#f(li#6RpT(l~Hq3 ztfJxXm|=NVszUBy14S*ae{f|5Ht?n!Rgzkk+>m-&7%(|g0&y-f%m|d`#zFLL zX(e@5UEZ{43kxTjfAcqrpFZl1vo}|#$0r*M(m}8dm9k@Kk(-P|Zxvv6Jn zlvO=BRB14k_$<%5?h;Q3J|=3xOrHR@qkqrg?`O_Z5(h=PVIiX?2QP>CG$t zwn754I<(W|c8-3p{SK9|O5Hh!?wF)avL4ngM{^7NbugY*WfZTK`Vasa@;VRmcKT(6mzpGLalS|Dgit_ zG_mIS3Dmq*B`)lw?oiH9l-77uGRrtkrJ@Ox4rCXUe;r$O0(4a`1*(9(#nOEG&}_N! zWPuQggT&c47F8*d7_*2OYpLnVOZs}msv!qOy%DuOucMk7F$<>D1nFx)j>HUv(uM2s;Z&kYCJ^x#=7xYq zCT>MYe@HwKUbi8>sdP>EFus66z^<$SqD&0Am7`r9LJ+xW^$`=J43mcLK!#-TnNUQc zQ7zYC!2Idk&6qL;25Ie#Ti)tq)Kr&y0+GOiE19~GR*aG68HVyf<5Cr7@yHy7Q##^F zT({5K+hotpaDxUGfIGDpuotlc)k$Rfsh@eKfA?kKE`gisXn_hWXx>`I@?-!`F~WFh zYXxih12cDD`KfL~ZBHIft12peI?h%3aJLxL;9?s`m+bU%gFQdGJiWA=`}675k8j>y zv7e7FE{@KwPERh`n+xiefAf+Zo&AOV`Sk2Xi-{OLz_)V-5l87QAW>SBHz)s37 zf1O&e8{8^Th_X6~m1A~wdiCn0#m?TGwNKApUYwr&aPs=(?5f3HpIjXOcyxAk^!)VI z>D6BVg7%p&gX2ke#GQvK4an2+KFoad*S^D^j5igDfmBb6)xV`n}UGFuQ+i}hsX5C`o| z2C0}N@kFGd*lIa%cdKN|b(Wud@qH5o1;rwf#3K;sU~-d8D&_nZcF3IZFjwFme{a4Y zNIgsJLuPDbk1WAP2F4yID9IQ{XpoY7UdoRcbNVywfLcXQh{&NJQ9)l+jI` zP}|{qrgAx-^NDDIOi<*eP(YC(e>dXExJbQl15B_X5(K)QWMOGPaA2XfT7ZXIK(89& z3=C&X=h1ZxPEym0Kq?iRO|ZcY20Y$?gMb}{nkVR8u#{JiOge~=OY!qmi|*y?T6GrQ z>29-9XgHM;t)O7(EIHf3=E^u53!o=0D26hJ)|$A8IhsKY^;-bmiCG%wf9^gy?`>k| z&g3XDRw$5Lwl&$&k}tYiu%)uquVPhl_lSV~C~veTgsP<5FxXE5*sl*FTGE7gL!8WQ z+#+DaHD7B&>d7d~7bG3;Me!8fTZ#x87@M$3yaW2IFFf9N*qgE2n@EgB8sQsLnM4hy zbDqtB5?SHe?V`WVMV5JQf0?lybEO2d3N=R5R^4tqS{Px&FKD56!0)LO=5Gi#60yX`&`E|o9DG3iPf45s$WWuCO)cS}f z9k5L-6K#w(8zhN{ z&QwO977YkxoB9D4bGh}M24VFP(;65#9&DWvNB>IguYDnFfnJ3sFkv`Uv_%2Dm}1Fe**uF;-x=&a z#Q%Sa&o}H(FEd##NBLtsnKF}Jg|a2IWICSmEPq71dHvzZ6ZWRa$j>a2p)xLisBNtU z;39*f=9MxKe=5#Jz@Cdl-T)_n{O56;qL*#N6|`C)jjqtR2jwk+z!oX}3;Amz@=9?{ zj2qKxpfnn+6Czp+LX7ns|9a{`mA0adYy0ttoswGTzQvQ~BbbyI%Gq`(({WO0Re0OD zCARN-m+z?xW?Om6oS3ReEL6&1>2-2Y=lMSpY)mcTUd`n%Cg!xvFr)6&&k%NvO4N4w20F1 zuso9OMc8gzXk}3XcXqq-WxEaL`#BFq_4#%iH`qVnSAZ3sFR_qYrOL0_M7KDv&XT23 zyjP824j;X=oi6G>eTq=x(f8iim%|PL%71T>sa*&j zEe=_p72**=jl)OGcU3=RFMs3b5u>H%55YEPYPKAjHh#NUmDb3+RH^P7tom+a)?;?2b&+FvzWv(Zk#^1$3^@&sn-7(>~uO0^#4`&X$i;+G;X*bO)dL<{MvvG&QatNT3s$U?YK{ z{68L-%n$)90d<%75CLNW{g+%30oef^mo^dss{*eHm*WxvzyYh5q!R%>0XmoB69GVf zqdpi%J}ijZJ~X|eS3}1Ui4v^sK&_4k%ZJ6s>EKP{rUX*s7x(VK`WwK0{q;lEzTVQS zD_?!p2D>1f{=YZ>*V9bQ<+I?ATmN@(2j3bONuuA_V1eG|m7gS&$e`h*=UUhf8+(-b z?Qt7qGy=so0u72j0he)OgZ&FK?bDopb@ZHSYa!$NZD`jvrtLQ`9<$AF_3pmAeK(fb z4bLJGAsu4hv&WCO+|G)!Z2OvL z+licP!@-wgH}I)IKb6O`IGudwA&4xK*?j=uA^pC6F%vggoD24U=wsXe>sz*e4do{? z5$1HG*td|{@rUpAQP7?7a5k^I|GMsNZEprowpa-&pU2zSo^l(&Y=7I`{fw{A!6wwGbuIiX8iWuNJfiy&<3*eolUZK4Y0S#Jm;CbUA)T# zkKX0+OvoZ#K>O+YsZ2SE85pF~h&^ zi~sI-d;MzsS7-Mj{_B%`zJU1euix?enS-|N-r~ThWIN`&)g$H_g5U0ckC^Lr>Tm7e72~&G ziSg@pCL1KN=%a5`x6^r)$s!lvX*N(CkIW8Xn7=;kV+4${XE{N8=1i z&qkkP?3u{9-p+Nl^;6FgYMXwJ&H4M-V9npltCHlMDtYbQNsR~9$JfXof5e!%`KZgA zG7!9o;yg&?gnnt}Tm9PlyqjOLYP$Qn(Y#*!37B}}FW4=vEpGMy8lR}mlUClTOvegS zwU^uv)im^U;85iUDJ$(I$v5@C~Jc(2OiXIjUtZn<717W@g zhw@aKAxrnaPXDoq*r&_?()xd=p8wTHG(-yZ6}ebqeas~422X_Mt7C6}dSva+no2lxFo zCkbiz*e}2Mjs|x}Mq)Z&y9}3Eit<{YE9>k+?7-50)aWI%Bk5!il`rSHxvUtQZhwW<8u~Hc{&kx3foGY6bt@Z*(x-30;CEttGuFND;>bKp0pyqYx_j-nP3v!`y_*?HaBwkwCBGRl& z-UPRce|pKQGXIhnp*qZ}M*VKxsNek{e@|GS1uzM-OX^C}`VF{E>$}E2)^tC_HTKcA zinzu;_1J5>ygt^zAMADdSQGf%T=eVxESLX2S^Vc-uh#!{urqk*|MN*c5AxsdDSUl@ zWri$Qye5gqB3y)tU{fjIW9L?a4nEQI5%bUDFj|zm%z5TY9*J8K`WcW4MaIOk(PB`i zh+(0kA4QT#HqPV>+w+rA9cVV?X_SZz>K5g*`SwgG#V5AJ&^!~Dxi6ITX(#X?`2G(P zeDAssFi{capYSrcz4<&>VZGtMHm%`guCvBjeZrGA1AdlcUSsUfscGGHUUpue@WkAZ zpXJQf8vS$XsK56y*tLD0V_0kS&!(>b-e&*{`#cA*`p}=|{I5^)S>69P6L}Vgsv?6J!~9%EmrWfn z#_ESm7V~3>CbjJ}Hr}KcQs%E?HRE|W-T3GtQ<28wSm+sLB0o)4&Xa1FjRz0n?=)eR z^IVLJLi^eC}uHDZ&vY|ZCHVPV@4$?ah6588t#fuF@V7D+@v+G@#c zp$&w`-5K9{@34oi2wQ|AJdY8 zrxDu}|G1ZQX^O)((y`juVw+75Px%X;^A~YuQ;ndl+S5O@+nNWRLdiCs=6}$Ck;3=v zOh$sam)RzTsihhZcni}x(by;=#ua~?^9<_8=TpJdLgiv+td5XcDoO*r)EKTYTZ6&Q zP>j!HI$=CXK!C!uQD~Z=e+xsILI0Cn!T^umOdg|&GkDZ)KYR2Pr^K%HZprlfjoya- za?0cM8Pn^xIdR`_=u6hdd2Z-eHPL%&44D~=qw*8Lr^;V#KYR3a8$s)Tz`%dc9z7x* zGJeakrZR7QVad@pt(*B~C(US5Vu$?pn1@qw8UItbCVZ>!Tz&VT>sNcM?AE!zpAjyz z{+7GZ(dRi6T)0X>Lyj={}--FA-=3AB4e)hT-qjr5ae)*+grtH^W-4^9M7j1sSGeP;|9i*x0syBaq=lIzJ z7kc1ApN9*<7u(zH652*COz;4YfU;rBMU`hf7n22im5HcGBc6r}ETv%j&H`CLecDln z2Bcn2ef)0d(VvSczm8@0ER#hVUC2?KKHV<;;Gc&{y6@*A3q_jqiFla_aXIIqc)DGF zgbrmF^Q@=gyT6*Z>C2*Q+uMIHWyS;#r>sQRHo@+;)iRwx@kl*;uwC+&oz6PcaG3<+ zMq38#J~^X;v|j9>ddE_g>_eID3T(3-CWXpHRz+a2Is>a)Owvaqg!PN_=HFnV8AkfiQnHy*`wgf? z-)esQK{R*}4Zar908{|Ynj*z`g!aOO5e3dG1LerbW{clFmvk9J0W#Yjt9G}EbHMZZ z`aOf$J>7YmrWuLEnMR(ZDY#7h6s{966hI;I&g^&c99B(_A{@xRf9 zf2ATCqYjaE?4V0&P}Qwc@vAI-?;|^lKJ4u8-zRGE27WAZHsiOe=C1)SVcbm-Nf7v6iMMDtASrimXK)h`lisMW~BF$r- zs1ouvKk`h=)=#&W{8&az;$FWCA_VHK2(o-fpQ1zTGM=O&dYdH|0@=ta0UqxzmM_Pq}L zp#XRmPUC-TLA2EpZ(NdNrC==)!rS0WLROlG|d$R<+fv{s{fmm=R7XC5m-_g@42(o;{j$**^s)G{%#%f^2isbW%E zX4ML`mSJa^t)^rUyT``mF$4Mn(iP}000fSq|GIBi5mKSVk9j_?+AQ^V9-jSTHIU^T z_bRO*KluSF->)`K=-#+O+jJQ-s=xZt>OX(2HlULFgqsE{{o)5If4$lu?`P^#WY;3Q zj3aT9hS>r-PX1XePRmGp*MoivcRsc9jQ%VZ7xrS5X5fA(jp)B!d4yvu7~3ob!BonJ*H7-MbnlPx_%N@= zKZ{JXM~NJ*<(2TSIXSf!-*=>+Vb2pe@>zf%)kWc_zM7AsKIxBc1^x|@e4ijht!W27 z$UCtdPQx!>RNUI9aZ)V59(QBv^7lS6qJHQBJ_MgV*mAylTh2%0HX6ST5oUjuDmSq` zQ`D{Eb6b+au|5m={Enc8^iFuBl&jWVmb>;lIe>m|@6X3^{VXG#HN3K1q8V-0BIsm- z919Ju8ZZUGG;RmvMId(+Pz}6Qd)9@H`ji7+(vQ}PQ1g)Qi%xUBe%9ZT(yP{fMS$I@ zqpUniMfF)lwOOv6tT$>^0a|}uwP~_juRQjO2JTg(zJ7}oM{)?-O*zv2QjRpcQ?m20 zwyQU~BL0+xqX%K=K^XeDj;;Gx35oS?{_%mKtiVt{8Z&vu9yrOT;v|f*MrQK4D{g*S zpT_#HF_ughSvyY0GWffa>2De1p8Eg2PIsqL|8=k1>p#?g{S=>H;Mxvs%rhAkVSXBI z9I}lcMVB2Y0WFtOC;?1=nhr30Iy@U={&LBnO;+Qerf3{q_kbFVYXCc;ndf_dI~=rV+B_Ak%uBB%)ms_%@hFUM zU0@;U`$Hfq>H1EjULExBrW!RCTGML`*DEUT>zY(yE#P%VJS{4J_23#&on~Q;h;>Fk zVENKrgNdy34_LOYQmKl-^n<{?RUhn*;{?9l0xA7fRVz}_LajCR{4kCY)l@1OY?+2gi z-knGPJg$2&{j)cJ_(VRHX$wUEd(4}4`h&*F$zglH@$Rry_Xfv}fmbT+pLV;g`F-u{HRm^=a_2ad=Ab7-Trk!aTfx#)B(-HyDROfaAe{Ah&^N zdO@CG_X^)-rQW9=^zVIWbX(2A&j;Pk`_t|rb>-ur`rnsnGCEBo&urOi?Vonr{ZE6R zJMH6NTAxIZj1@##o=1&dztwg26-AQBMD^~+on~v$Zi+sj@58_v=I6%8 z#)r;POHRdqzxF>Q6KsQQHu{Zsja~}~FWPH%lLcPuL&-ll>Gb;VyRBZ`lg3eT$7Z+v zvDLMQ3)1i!r^Wr$~+xv}P|Db(XIJr0+`dLm4uQf2^n&4Bb2QuHpmto9`-i9$^ryrIWG#sLA zn1<85ihAQ@76pj;Zy;eP1R3WEn#EyGFoBeBM017_MzahD=;98AaTbooITY`~DQQkK z#`3FwA%94e5vw)ReX4|<<^{npXoQ{#vTgDl+P zDQ$=*9e_F{s1|^VCl#Ie*38o90t=DfHHyekY;})dpivvGOV(cj`8215*>K-A4`YTr? zb&o3!K%{k>6VZ*f!i*dlwnYim43(tr5&D$><;fp4mZ*E$N2M8G$hyb>@=7HRZgALt zc-K0tD<@sAq_Y}p&{Db6D+%skKX-u}Cck;5Qlr~%A2jy+o$e?8YeOws_4C2eKL6o} z7VtvkJeVetS8BF<{cii+X}{e$=8c+RmZ#yxj2zg!(%-uc0r&5zf2U4nzjNGgw2#T2 z!uKC@I!Y5f@123<#j<9_%cZ`@~M2&`q~)^ za};K1nh*;mi7`<(X^Mw=MDz$vBt1+qj!UH1fWfNoRDU2W)0xs204a_j0e_wV(;#|3 zm85qvuklH@b9B-N-WxRA-N9jJzd>kP_q5}0llSyWMCKjMr3jIs20@q>7$hHm8m(hu z3L19F*k{LOkK@#6HV6F<7aGDGP|=&5dx4HI{6*07X^kE-Pd`RHMYPc1Ou_zz;%v}*^s#Z+ZcWz~LrrZ43zoyFu>EpvZ)6=WUK^T#X$LQZp zF$!=Nl5>o6K&}HMP!QEZh?4$_Lvu`z34G4F>CJA4L0xfPbWq$=wGi*UwN3qCG=;9H zNZXBCxBg@r;X3>}BoMuS@=3STJl*fZ=I)^|)#}TW$EIBeSBGgCX4$|B_|VBnfampoYR? zZ0!B>DTxv&JMnsW$z6LrDit7doBDUb#mXq)%%>G9!%K9AD*uCjys|y0ht7W@EG@YV z5620r#K;ot)9#^%Hqb!=X_A=-{f<6D;3qPWbbhcBAXA*rQaZwASXwy9ERCv&;kJj) z92lQ_rFp5_df)o{zr2W5U#JpQeeo4#s`|ndp=HB8ozPTYXfm>F;73SB^#v1x1!D-d z7d-Y42N!)V6EA#C!h2##mvEfu z6ObL2`I5fzRHO^XoQm|`Xj4%-EOTvnrFL&1-Kj1R)CsJAm;{PJp`Wl;vzHx*OleE3 zXEQGXC2Wx8=oXo=4)DyDT@KT>ZH+^xX5KD`XPCR%q1>}Qa!xWX zFzOsGPA3SVBwQVqxlPI8-Z`8UQ`eZfa2Ix6$?;l*f+8C(6m+31?7EWI))3D^U_wSW z&^~iMa#z8BZ!?^M^FXi!cUq}lHI*OO>3TCm)Ypct@LiSYIwF-97+of_IN(kT!wtd8 z^InE&meV8rEDmsrYB(R(_!UP@_2DrRyO27f!^2ewA(g9*Nk{vJ#h{@Rh^6DCKa%LO zpOY{qR3JJUJT(wb0N;QUF;5WAa{nR9J2Wc`wJV2)U zIo|pt^xc$h8!*~0_zqpB$pkfmNf@KI=rqGAI`U(G1gCTK7WHsWG-4)C=n`uVgAz`D zUq~)?m1Pi1>Bvb$txoyFKhFHh|1>K9wNv@i`Tg#jmvdrO=r)CH%bist6`;tq42vtPceJwxqP*WEpDzPAD#H{k8D7nc{ z`CdKm%*jfr28JP*h^Lcq3#b4tB{YOGfrN^SL>0Y7`_{&~O{{P(!Qv8H48lZM{9uYO z|3!$VX!#HD5&i|v414!GFXv|sfp0VZmH zq_;?bD5D;uDsNVf`jJA1AbIV{(ntRG8L+rv>92ogVhvCx@-U$@@WX z|3eFOM}&#_nc;jkwN5*5y3dAVJn@l#pP>L}!!*30mq%;5VVMs;j7NW9Hz0oyHz1|K z2XbXHczIj6mU4)+Jd zUfoCZiH_RBLvK+nz}K~S7DedQ+vmIJ%NH?f`7fSu)SMx&OuzR~y^g#c51pGX8Wp_* zut*pS5DZRx$EZM*F)a@bt^kpsl%^1TXTF8xj4QIC_=#dbK^gQ@dthC#fU zqsvgvGD*=jV-Dwx=ODA))`8%E&`FpLtCvwS3bW)g2R6O%vvDmCr-NYRY2Evb&vqtWY4{G_dw#}eumAYd4?n&66Zx)-gXS!X;OpI=Uhk6cK4GGB z`B$%5vv+AY8t1bA?w@`Hph*q%Eu znS93`SncD3j&!N;;A7gFIY^qVcc<^|HV~bBR=y|D=I2Q3@@u1eZ1*VN^Xbo@WzVwm zJtf$j!12h>0Lnw20Sy#y5jaYw^#FpqXKqpNNk~_|hjk|iReo5E)JjyY{HW1+Z8EQg z#EO(&3nnM_2HN+hVeUtNVTLp1)Dz*H7*@<~WG)|dW#~7?;v{J}3S&Rwdf6*8?;fu> zm}dF@*iY-_EiiPv^1abzZ)b0J?x8Qpzqvx2Ebt!X$!t2s=~j7X8_hSjb#;&P&ZQjC z0=Ub9huMGvhqB()qtqZ~S2o2% ztn2Px`4wH&xhgUJafMv^XN{dFuxh&d`ylWU;@5BKCQj$HA`VOApHl~Y&uQS90&EC z5&*1J*y~-V`Cxb3CAR4M<5MmvWvj`yw(Q}AoZTl=K|0ufy1nu}1v8f>NWmphd5hvX zLw|U7(0|siK6`!qUsTd?l;P#=cXoDI`^%70Q?)9AcUY(z-LA7*HVxw#r?t|6{I#`R zqL{O<>t5~4=g$@RAG%aG<1oT#5B?4kI#iOPkO zLAJm#@;>i>?C!|#vk2oU+GPM^EdQ97O4&HM=}~xscE!u-&4*67H; z!pJ8ggNc3(^9-G&3FI|vH__HfySYuf^-kKygOhf%UjB}C{UwYd>bs%f`SBi-@jMcdZYNkL^wuVvdel{f0e^1CUqVvMgX~rEP1!u#2QJ z>&K2Qn!2Gh=(V~Z+xsHC8`OwrwCQ&n`!ue9-1_B1x7BFYJ+l4D-;73#T7$#(aZ8#f zg1Fouq4r35ms=q=00;;!0#G^dYMumhe4xTvnWRG7ZzJ_WzfHbO<{@V9!M>e1c zBLtPzImu6iL-t+2lAXvo=Z3nfxjD(-DR+ z?z%%Nx~*orOIE9M%vD(XfLYQJMqx%KGxf6!2QQI-k)*jHXA=BsCu)E$?ad2J^nE%b zlSkJ$y+|^QCP_deIN*;kqq8UH?I^i_!KsCaSHAz)>b~prS_5`o_^ytGyBwXP=g$jU zL8a-%O<;6;c5GMOvXV|Kj}S^CAo@jweZg-h97*vl>v= z>o6Jd(@JKT*q>u^Xs{KFhu*$5c#s37hV@9UL6_f&9D#gE>OD8h3i$~$JaCFyyfJDtHp0h_z z-qV|NWW0w$fukPIyEs6Gg%rlqSzg!uFBObF!$Q9%3lA;kpV`Wn<^<6D6ytb3P_GI= zQIGt3uwJ`hv3+ge2f<+&9r`vBF_tC0d%J&=@lTX;#oQsw=Ty?|;{Bw>i7o!zR zFXu+T)9iqajeNQ$VEYdJXgG_A?HA#Al#db1=j=z(9m*2wV93B_Lz?3_AjgI)e`sZ*GsFvM;5mCK-1IuE`qeA=arCd>Z|nQaM1 zZ^%e6S@22WTRcQ>-YQ-yKEz=%%8bLYYO`;MYaGg(>`QTfLwtY9j!T-8OzTPv?=Y>G zw}OzqGVsczlef*AX@{^&`}nm1*54Vb1f&54$A_F;1!0ORQzU*M-+os5ZL#?f)2V&@ z9_^uhxYHr$=pj8OPW_a~feZ%R6418E0;m!LOGOr74+&&{5;I5JY-D*9-FSoIQ#rKOSMY4i}-4wcYQ3c=N+<&`Fs|fdT*>?iuH@lFLlTalZ_(SW z9Ai}R<%(^yo5e96UXc~`(I~ve5NXJsr)Sh{%~M@}pe#?}@nlBmpHsJZX#>6Ew=L3{ z%VbFgWe0djv{aa9jN@5=Ckt7@5M>Z21RO#=crt)yaL(LAVfG8Y>j^Bp^8FRQn|tW_ zbKdYGDfmFI1)D_mBB-0hX zvx&swxWWwi!+Zu?95@ZxD`v(QaOo|4jG%;nnICdQm=rD=hCbP{W--2$Z3OofR3GkBEq9m*Ux~tr zKOYQuJmQDWQERcMjGf9IE>#N-yk(7&QH|-?YLtv9x^7 z*7VbXTBKodbkApZ=0sm_Lh6PL`6))zaLTuP#n;`=(U7QAV&!V@Z)Fe___=eOPQn-* zosQTAa`XY%r43=0Br#G*O?M-{L9kl|!!}UX(u%kna=i~O*I7*CL`OKMPql%?sNa=( zDfMVOquoQI?Y=9BwgVT72V1^~M1$LZR2c7*KZ!ozXo}M+>Rp9Xh}tCN;FN$z$%ek& z(FEAQoo5ml3L&EYmO-!8*D=5U)Hph%BFlVZ)UjsIf%|T{5-9|CpNyC4! zYzz0K{Tsp9mVQcaqcy>H7W>zJ7!j6zFs&b_NZ@}g9Y-P4I0MLgQAtr0#`q_HHKKsI zo;ROmpW{u~1;dzFesAAuNOZw5SM%FN7|Jwsr7$;e-_h64foIU8A=pZFF z-Bx^UxR!oCXvNp{@)oQ(j<0!8!#@adEwf0PBi3f_kgisIy>!2%Ta2HhKmQrEjz121 z{YJMh0;NlZv@0ZdVGjp%#KLQEoYPn~j9S(aSEQ%t zy1*d1wygDQ-Av~&Okwsu$ImLSS*#le=)t*8wU$H}5JCGVFq8ZsI7~*}B&Ui*ZpsQT z(aR>}(Xe<_zCSoU-al>}wa#|V=X}?k_;KLFi4**lnZiV5vu7$!3k`{q5&Qa;$B&q7 z4544i$_>J#GsP6GteTB~9lLIr3^JU5`rC=0j|=u(X0=mRR+=vy+1gs2qp!5*tK&0A zM2df#;dppg_X0nR?o`@9sQ)!SNTL9zb&q`vypl%O$uz}Tc1Y=%)fa8z%>1vWWU0d> zuJYaDsVEr%Tx=M%^g#gQ@pH0mo|U;IoC|($1cA|y zm_gi~BIReFJ5jfoLOtxf?{@l)ervyTd{E-!Fqth2)}qIbFw4Stlw83lhHcrPDD7yj zCwv{I30r1FgB z=74f{<$Fo|d1+qKXSj_NhhF(!p$V~F5dDUpjZ|?XIxgYLqn*9G>-iIWnpr`B)bb%e zm|BX)+rdxmX1%->2B+ljylPnA2P|(hKeu+tv5@UQwESY@lQ};>|WA16`^zFw=65yGTK?sg46lJ#HelLDn>DBcjkhUSJ<+mg{fe1F zUqobjSca3JZsD#;d8Lw3J*JX~9GGxEbdiQO_s|A^#Ij!`8H+mtVMS$i#hp9&J)07U zqTW16Fr6KE1*%jg7VHh$+<#(O;TeN<@g%v%`g3P;LZhl1e&hxl(XASX5aUlp%rhgb zy0cip35*Wp=jhezy&rx+<7Ad*h77dh9H-ZQRQG=P0lj*SUcmpAhZEfrk%>8vl7MJH zx6U^u_QE66QygwX>_d22>!w@ssP z{q!b`7x*3z6@*MPeeCnFWE_iG;Gl}M$LSM4hU=GNAD^)fGip78C7~?={b6G$h#YpI>MoRf!CCuDua1?@nCv*4) zL(t2vZ!%0x_)nf>yvMH~XA=*70|IF5=+PsAB2;UQ#->g^v?4uBWDVk#c>LdwcC3+PZNjGF0_uCgUzrj1w9>R;nGiP+B zK;bDD_&+tgOWAl`pifeAHo!5Y1&D_%>3K>o%I;VyqCAXe*mz-0cXvNPl?)BXNjNkf z6ML#>W#i#TG^^u!?wBMyP zge-~8ga&o+x6^q74dDiVxdaw^A4XMz4Av7S!D8%UeZ9+h`(7TF_ja13IofaZ8;9-V z#-MZBuTy2uTFpK7cwsi}!De}wjIsw$VXZhPRUsgwd6gZn!+5kPFO&9A(Tv7nj~2NP zFrqq_J&R}EEvjh&OB-kdwV;Xz4`$2I7Cq3_`0J<|*%Y^F>JyuP$qc*%R2m~KQ^i7X z14QEE$<$91a=;32<>3KBRYejub*8Ybw2yoJ%Bw%^lF43%w>VH2f6?pP^?0lZ;86=o zA@D?zpaz(G1bw1GO;Q_#8GCq}LCQuXif5O?tV?aTHvHBQ6+?|{6Hp_&_3{=~OWAK| zlO`+t{N-wPfu~7-kZq#cG);!J-P#b0C+5H^|7F{R^GbswkP#4wtk)*VjBL}Fi2;Z0 ze-t62!Xa3betsoBS1yrPt5OtkeC^m9Wx@?kLrXUsO^&$%fC#xo+Pc$Tt6TrmpZ-)j ze&0U+JN>x3^F90czS}uHsqgOmSmI50cXoDIog2~hsB`>(z9T=1e2n57vi?wj>7>;? zYWJY%-<$7uN+<26{SgH?_=1DQVAQC{y= zgh0$ajnhE3vUEs~l=LHk>S8-bU>7wo0trNj_@Y2a)0Kh@hwR+@8O!&7CXjha>!$j?ly_M=G;dpX9B_eCo@r@W zGhiH#90Lc6jx~22B4mn}K!n#_hU9;#9zuxv3HQ*i?c-+W*B<%{`F3BNzb5`IN~Snw z$_kR_l8@{<6Vu>m_K1kaqm{s_IXw&~M3opO*(8jQ{M*hH$23r?e80O_dHrfox*MKG%;*!|nn6ociS>K|`?Rr1@h}sSH!2+E7*)P^{62?(hgl3` z;Xu)UE?}q<o=q-jZcK#; zE~E)%qU7c~U3B=)VJ|%ovgf`@R|{!GtCj+MAuWKluzU$QtdoSG3R$Vi)|#@s^2!61 z?<_Z=eiNpHRyb9#(`*SlNlvv{O2G3}&r?yG63yUKu&a#BzXp@ z5}_st&WF@ha+9Q2OmT9;%CUf$gu@h?G-7okijiy`Z>ZOYY(y|*mZ!5}K1;EOw3C4_ zIOSBh&8QA5Tzfng!ZjFgV-3iE{%KK9U@EdOg&39Z8Oi7#rI>~E`?^M$8gEYiQZct~ zJHQTRZQb%D)CQRY&EgJ7?IGDw>!3as6p;0!(t#gF)Vswf;{e4tkH5ny~FQloXV$y>!#6QQ@8_vC3k6iJ3(|n zAM5KqYvh;8RH80|GokXgh@K8FS@t}fwWYwa*>H$)fP*UPV;YT@ zVn3)>t11f&{agpHKzF5lo3IC+qQeqBRTpBUtf=mj(wk|AGhV`(zQ=RlY!C*nXzwr>WO-WmLNX|6 zH1~8nma~Z@kcr$9g2B~!`JN7>oY}uag`#VWV7fFH@CLs^rp_}bcZfT?d_WX#y}U*K zMwP=M^2A#1p=a?+bt-%4ng0@E0@6M7?36|P?4f7xJri9u6)B~E;Un_ycor~|{LN0Q z2QC{35S^yU6sJoU!3HV_;`sF_nZb3c2aiIB$k^9=l+ZWhgvZyAnL?>Ij!Bi(qxU1|^8FqQsav&Aahz>In5`CN zyFr>keS*>kn|PPc6I?NBEpK`|&!Wnth01S+!wV02WWED`D7J+>m*NXtR9Bvr8Dthh z%a3F1TYeN%{QP_j{@O9m@ni~?je6V={h_&fWRZ{yuXiYrK-v&zvfH_5h%SUrYhgq( zcKNj#lnhT7PTS4edm1dw6IjzN1Hydet3~y)kw^M}F^>!TRz&^T8F^ZM8ih1NTbRL1 z9drZC!!~X@Ci@oGBKMdomMjY&m{lq@oxm4U@85b`nEc$rm@98f(2AT@8cV?-b zJTW!7!|@L)X^XZxIxO;0mRu5RCcZLgv2_0IKK9Vi$5x6bxSb*p>*XyX)MP9cFd({r z*=H$uP$&ZD?k3PnU1gfjk16&uehWs%nJZQMsL#S8s<>{4`z(2&05KI6TK#-X@2r|( z%HEFJL}5+=xauXOq5BlSW7ZnXdAx%N#i8j5$WFt*p&5u+4ZZ~y3X3^(8YeEB1FoGF zbK^>O|QQKQ*Jhn@HD+sE&XlxLLX2{bp)Uy8^EjornXt6&Y4=;$}M`i0eNCC)MnccnO-wYSssQ}WLn+0AWUS}CEH)n%@9?hZ4XL+9PKO! z(vz7>+!1<=H1-C*JT=Jw9>obyyaP{-9P-_zD}ul~7w@9|{kEItt0 zz(nYeyzQLr#o&P8eoR+#iCG$dZEmYZ(VEjVL7LI8^tXOOpVuh5dhBOo`jkg+G56HK zB-M|R*UNuV-LfeyySu}cou2LECz|R*&F}G(SYHQSW@$ucpyg?J05t?4`H;vYyGI() zjW8CV{rOs^O1n2W?CduVKXiJ1dRC#?i3#V_ z;>0t}m@pZPaNf=i$-<3)lPq6vz189BdR(=lK6)@Q%_3qfapI>C#(!2;8lG#ba)ZJ3 z9AG~ZSq2@{_C$s-&bi1_fqKY`_#ENA-MwmYGjwPzY|&16LV?a$T)AReyC(lhdCNzW zTtZ$WIYcw02US{+8t}Y?`dAz{)rmtWNWN^J)IlGNaDFnoh{EB22l#S(>6FW~_mT;- zR^M>C953f&o36<=SDkEgrO7tG`DB~U$@0uo#&pTo_JrLtruOpkIg@tZde(p&op-?& zm;33H>~I3kf(q`3Pb$M? zGWAnj$#0Shwa>Fk7*~QMuZSQ3USqvNb7Yd=FZ^tOOhEmx^X7*Q_TN&N4QRNk;D@1~ zVdRzHHF_TgA6wmCyL0TJP%h}}>TdPLwx%{u8vTB&dtBfA{EyFPJC#3uKL5k#@}}10 zr=P^fqR#&yUC;mE?uavgDBN0b=&JueRAznA`8gpg-CPN2KGMl&T84@K zSjDb?$jNMhNf-}!k$N6;HVNZ!GMg-{TG1fngNj4%C#wcG2#_l2*(P}U%1`s8GyN4D|y{>4!e)FdvfA}Mp%sdSzm78&x zV+g>hT&BsS;)CQ>6z>?Zm8Zy$A{1dC692-rXzGV>oP@sF1I*1doET={wXfu$G zo_Z~;;~Y<>NeU^-co_};95Us%Qelo7y~astgV)1{jDoD5QXHTZPa}d?j&H$D%Zhuz zmwkMj4<_M==B^lwlf=4gOYsQb+I|E2lK^7gX z91t6Ga}!GAWwr9XGO0Oy6cd@(JmpD$o4D7OapHoUV@Xop-qt*9=x;GD7v+a>!T3=dYiTI^JaPTbNu-;`HjqH?rp+1n~RrIP;pH*`nE`LPVfV^-sHG{f=3~Z zS5neEmi)lE_-uuD9V`6mUvPzYv)Vsu3K1z?YfH!o)LC~Ozrs*-wZde;q?2I>k@lv-1+G@*y$B1U} z=CwOeljj2?+yv9o9Hdb9v>B$ZVv6F&)hhhi_l!LI$Qk&iAyk_|oO`GOzAGg$Kg&T8 zXd$e3ztvfyidDOBE3<%JcfZYRcfZ+lV7Z_^{cUj4=zplomWq6p)RH%UUwcW4Z{+WO z)9>S#u7>8fDy-}VQ9_hR%affkzH~Nr4^0PV^qrewN%#Amqmxdrv!AlP9ZUxsL)yqdgx8{Rv#zKvKg)_mm^Ow$dBeAuE`8>oG00eL+#^#IPdh_KMp>&x^?eI zs|H1!R^FF?-Htf+>61~3DJ!D_E@WXWb)UIJCnL8IR|RNB+*R&;x{GiyI*F9wWq8>~A# zwPt_ImjxRe{7nc-J}-?76yz?tB|Lj$f|sGxTg!++AM@Ht#xpSWd*ju}u8e z-SfHbhPY?lnLLQka#V;TC(L#xUb(34Ez;5sg#smm?I&Rd!8%obsVYI7TMF#Vf!UsG z^z(vjnM<=%xV1Or?A6paz0a>PjaWg)on!e_`{~txIn}o!%{c&lK!U$}&BB;#%1RYDOx$lGRv_#G!#?Uq5e|rQ=gHh(@>kTI z z&a{RsWJw!2@ulQR?el7EX=6^AQUSH6efk=#e|eO|qvZEtO(?I^eD@8Q6DIj!=Ctr! zhdu4it1_tFvlb z{>4R@AN}oj($Bo8)HhJkY@!d>(iX03DQdg-%DUPyaIv~}VX1zvC~f1b74^1jB20B_ ze*pK)FLd@rjUXT##G`b5mJK(*Lm`wixDEpx@GnE0iKxj=%0hKHeT{HE4u?KV-gW%K z0@YsGKZQ7>xhmCEodKrB5O~a9-4i*6D60|{^y51o-pPD_eu@#EO!GU+Mm!!&!Oo-k z;_WZ%b>#8nJBm}xgaPyL3>f^&)nKp*e|s7X@udTX3@h;d0o6|h;`7hhi}Jl7*1Y><&F!PL@|!{s=SpZN=_#2D=$CF2lA-sjjDL>)o?#EVJ1eQS>h1E^u;UzQ{OWsOn4 zjDB*=lQMY^=aR3JIJ#47aAi1WURBP?v;2 zi5JyY;G@;JRK_lI%`5n3DMWaW-~cH#u62DWGBWaD1R6q1xIv7&XO8Tlx6j|G7oMQR zeVVD0*3y*)SIHh7Z|3@jO!W6*7-K_a699ue8TdiqD*nhSF>vN)x$e_DmTATh0*XR; zmwbe*I?vz8g&X?0xB>uBA_Gt5e*k%9WpEEwZhq4{^Hu+@j&_hM$^(!gb26$1!_yD` z9C~Q0Rf3pnv{LKtp zrD1=_^ZwYG%E<_<2Hu`XFxR4$#F2OBA@2@-LNPk_O6IR-el);^{b&}xAwM+;*7dFO zD>dT#GMU8zOVC8DXiWRJ<8~b2TS7XhHY56<{q=nA{lt=DvzUIPPrZ)H8Zvf(KOI#o zg)Yjz@ibA;rfBg;m?p{He-zc^t%Zb`R3cN^m5BIqtS2<1Fd%i5KOEv|{?f5j8R`8x zwR?vd&2Nn_{aM6;p{+b2V{)S&0&}u(GL2}-<_u@36%!s*SO9H~aDJNMbf3cT8YwNY ze~B?XF^y)!tGmCTlUaQA9q>ksKA~gsm$zBc`tog;7beGt$*2RFf8Q9D{a}!X6P(QQ zdih@cxL4V!{-B2{5rB0s_RR-eMAU;Yn@0Yf&T)*O`Zmr8G+^+UWl9K>@$cyVHj8tp z4r)k4nKtsoUzw-nXQ!_qJ#>guxu3<$$zfS80Q%y-x9O zvoIwmEI%J-WEzd>lx9q(*t1CbX1iOLwJpm#+v<-WI!CR#e^=fb26_R^d&maS>zsD? z=}CGU@&-(A0#*yNadHBXy?+kv`2L@!H^Dyv-T!Kz(6mI}|AbSo#Gfh9uZGEFnq=53 zeP|sXvG2w>ns}w|3ICirn zvn=%<+3Q%1e`Z#NS(+4TDip_)1_eG}NOb^E^RDM|bU2N3ocZrrL)Pvkn(_+sN*+O0 za0L$UP?bgX@#F~)mtk3R;ElcV>}Lb9`qYBc#yFbdG%JO1n17&uTiY?z82#i=BHEzt zmG2p^%xmV4)oiS()^V5yCw`jWK~WA~nOAhLR+qhZf3hDlX)xuxro;BTzaJgGDry#m z7q^q>RqY~-Yqygq3S*WMk5|rb4i4Mzx{dCqWe}o}IVUxSCB}t83wZX%6U>UV1SpIz z6LjZKC|Ap>&vtg~Bi^SSUnT@DT^hw=q5LYyDF*p~qY3F$CF3~WB_6fkcN-9`-}}_- zw~hv%e;P-JgZA-3r@jI_0j7Q2>o*P$TV2vih`e|+x){g*3a3wrq6W^5Ay-{1BG{ci zDGfDnZUniKToJ)0zIaLmHE?bOx!PV4!F{?NJSCDANH?PDw&Z%ltQJiqQYgiUMWx1`UaW@=AJ{B$-(99 z_-|J2OtL@HvmDg0D&H5c1kZak!nvHGKCZX8zm}JpPx>Ajd~6(^@+DF$(esze7RQJf zcb@(kyi32*imwGpgs7#~noRRMK4~aLCT74^cflN#2y~gfNXMaf6;2BfP#k9#FIu+6 ze?-)n;6Ll-V#(gnim#C#?M+nm0Rl(U08H(9(|wMzbp0R>tzbhG@1BIryuH}9 zY^%u=Vo+sOBEhmy?F5=f#?v?RSsdVpZRd=WoYn~cO=eGF-$4G9JVl#ld$Z{jr+ep{ zB0EOje^kEMN=Vz$V?Y9pa`~6P$6G~E~zNpp&?x9=T&j%2$P*CDz=t9}s){5B5GLgpnfAz16o?e;?i$9`I{2H*`WRXi!gA1p;<~lg02T*5 z0@-3%yW60QQ2BlVGoJnRe|(N0$1iEPf7 zr|%7w2*D2RxS0&E!2A4z>-V}>ep9SU>#9GSRzA>mqu7w#MqH6_QpcBqev#GeumI|& z1yGp&*xGiW+~Y6!PK|7#GOMAoZ6;kd7}*V*hGr~;WZ3JBqFzQziQ0}5N+yK?ipaFm zOgSsi8Ea4tJUL>Qf5c=g7HBgSygK!BV$huF!<@_e9_~rw8OE6)Rt?G%aoe%Qy^#AB zT0{R~y_Hzc7||MSfyzg!ch%Y&>50zzT8(kz9Hl62V>HDV1(tmgi|BdZpInw6E<g)YLcPRg7>V(J1zl;69y4Ep7#m!;b$?RbaZ%~j@e?3!+0`b){q~kadh6|k* zOT=tZLz$QZI&kJ1pf#da4Wmd;_2fDeu5Q{FoPOwy5oP{@IQimi!}7apZrZ?iH)Arp z_Cc?{S>I%#Jt?}v+(kn3E&%pd_zt2Qpq~3X8W}4#Fsbig6HJf2iUYHQuIPcJ}DP&&TLyj8n{Fir@mDrv+m5(=(j+L>vuVT#J=g{ggaLM_)Lc z4{HkO1#9-*^2Oj=iHa+a9jC~`t^%_(gkWy~@sbkJ`HGJuj#fqM@wC&6l&x@3)00$&d7%Vb9tZ%*D4NYnAtoF)B;e z)nC$lW!-GP>@<+3*~8^aPVqr^vZ*vH4su02I(rrdXcPwM&wu_i&m=iSn~;ZclLv~@ ze=8=9$V4;F!hj8~lbifDg5PM|Hk3%oC5=ri`N|@_x?GtZY}K-Iic3MS4`)u?15KSw z^V)x3rpc(LbX5PY%EwbuoRlhb>h;)?0gbzD7@t{Y*|K47Q-9ffOz;^V&eAZyt4;hY z$7%Hn-#I};NxV4{hM^V(&eoI`3&H1Ve>%n+?e%U&t?(-!<} zm^08veY6Ae1K-jE*bA@jz2Fhcyl@b+;d#|;@)eZKQl3&!hZc?hfd{>Q8kflbv@hwG z4!g<~e60j!JI+!i%P+df#cc-|e}^#)z>kLyi!?TmJ=)nro{(IACw4F*s~9Dt{bYJa z>$F?XdzeREr%jZMjzqw@MjbL!`O|A{aotW|>rO-h=lNU~J9YV4Oc|QJtr;fMJ9u7+ z<2<85XzUeLo}d6{c^K2EO44wD5?GUm##Ti?cs*uC?<4`XN{6w#WWgJ-U^CfawT0L@Zerc0%uK1<=#)w zL$IPjU){ig>S^vxgZ%W!O~cwCCfDrF+&ROQIe7I;R*jL#j8r~ef5vqyZOoFxftIU5 zr?q+SCQ%q)G1|#D&?WZ6V~J0p^kx^d5ajDc9&_C*qIDGnzMwTDt($@vRk8(|X}LRF z=Vc3=1`I6+r&cVq-Q-mI7O@GNy~!$k^~gdcQDDo|0++mGmmXVmz1{*%hOnwmV+azp z#{TTYk5*|8c6mD8fA%oWBL5UwC{&CLK=B>Lav-+PW4U_e^1DdGvhvK@%{HaCe~~58 zEO(yG2p_u6W^@Gj#dxZtLL+2FpKC81m6BzDtB*Zxy*0;4zjNj1E!mbHx}dy6n&td# zyyR$1kC^;)Y-L;Hqwoe_kbiT9DhFQOL!0;0G>mgp-kooi< z6mvRX%Ms?P%S}jog=xOUtS+L5bqA>8wqt*@w25DMfAYz*e{7t~k7qCHFV1;U^CU$f zEl@AUnQMuAPaBm}e^f%ksk8h)<Wf-!bK3$bqO;ikn2r4u2h}(Ua5bdY4B?bc*NTU-=Pk}2EY9Oh2X{{2 zZ=L~6P#0EgR{_aPGz*r(jiz=g;+QEA7+TcJf6tQZO_j9bx`tCxE(lq5o#2oopX8F$ z703C+jf)H(S3;qMK0N2qMj!kZBqR&qVY%E^St>%(iV5L~h?)T3rR&z^FwFA0YXf#| zzN&M{pDHesW$(mchJZsAypA67_~0H(%EC4dhS9RrGrVDek!Wm0Ec}AUUYvA0`>kHD ze|`L3hI69M0Xpe+PFmgmCv?z0`%+YRV*pDjr*X1Y1V2_`O`TtGu7M!yKd{AKUcnE+yD9EEs~z~34-#V zznWpO*bRUj4?m<3N&)59hJ|CE>k1Hpf4D$Zjky3*H3gc6XE`7H70|6p2LCXFB(6Bl zO$};j0*$0v+qKtv;*+g{{;##diP9}Dmxr(Fn==!3V*;f$IjvpA=x_Ci--NyVH( zQXHfb=dpe}Tb>hratK5g%wf6;-tDD_@O zCMve3WHk>(c#v`9yFsO0kO^v9gixh`UPP#t{Gmpif;qub(Wl68k)dDB%JVN*`dxwm zl(-m+ODOG{bDD&4&T3$Y8#6MB=FFNH14-$ni>!6Dop9VZX@;ru8tS`Z^F$nMDG627 zT{{`ueV6+M6_ob*1<~3_f31FbzalD!AL57%-3QAv+hNsG>l50XeLgv`!DytYLC&SFq_>AVu}pV0WYBNj>a#3Eqb zDtqPo?|HuCM~eo(C31;}Jo>psL`#41ze`LU`xc+=L-sCq27LJbe-)XC)YOp6U9<97 zfi3)W;`Tt1L;4}y5o3h!8l*FceNcZ9V&fLP>ED+hdJXXYrD`H zN)~}SqTjz-pV5pve}MhY$tP64=P>80&wpi3a=|=m^!K5_t^#~TrdWoe@(o-|Se+q(p898b z)oKD?cH?TaU+v;mOjmkx8E^9J+#(~lnyK5$&h6MRG&VOh?HV#$c+pjK!S!!o=NH_l zDSqxJxIvSie}!f7a{7c;2+8CB1n((6LK&pagq}U+G-B9Rzhv_YFDAwCLOrR&GxhTI zhIj3;4&7dG%CH>v-|!}qEi}c?dGOJyX7cMlI^m<_8W$QBYrPeKwuM&!@B9qMBBQs*|ge_^njx3s#wzSI#Qj<>7%0-E+? zBZ-%Ni_G3AJsPnO9r}|lE zQtO*6fB&%u{`c4e`u6zmYXvwhfDP17!wI4pxqiWS^!_+QBOGH|AAJV#lw*90UcW-6 zJPjvDqOqxU_zz@TF34nd?WbC<9Hn~_1p;)vy!Geuy$W!yqz&6H=ruUR@hBhjvrqYc zL;ZEGc8l?i98A$WkYw2eI7gLHPUdgPp`mN~f8F*GI%@R#t?nu$`ko9M%nB_OA06i$Ver-zzB0V4c9h!SK6@kSJ?~BCyTK)A2w4(#Fob^ zZ}Gn!1Q*nC*sJ>6d=ZaxVcXrV*U%;}f9UI8OteJ{X24u`rL6AXYKcrjQDwwoKSf;L zq8L1Ps2!5AEr=x)(2m(Y0+Ax8jUXwE9V?{9TCrq{kLB)lP=deKJl$;|8CNUks~@n8 zDKBBH;`p6qH`osgHB-_GSg#D!3d)MVXJG`|Y6CkJL_Ez#42fI z)W4-uL}IYa9U@vj$Pv=}badE0fBt1nUx*m<|E?EAC~d}-t7#3H52#2f{>Rs1DUGEU z*8c{M7F6VHp-627Spjagbqn`Eea6!S$LDZz!ue};ZJPO`i` ztwVVwV(!l_qHy?ue0j2MG!s4b!{?LMM&L$v7f&O9h|ym;Irm=v6=oP*?7jReUl8&q zq1PT!7k|B{bD8g3K=eRS}#t?xz*X)tG zRKsv|CKx_s@0(9KvCDq>iRF0_e8rC7F2zrlqccW z$au1W=ysZk4aAQFS)4@KLD*@XuM~9w6IwRLawEeWz(bydr`a23f6Jw&huPslR>9AJ8wYPpEO+M1a96j%pL7hdwmWH;<)r`X)|phc1%ci?!?Tz9$&zrf5hJ z+$I>A6r*I+3!~@`c}F-OCjlzoADkZVA2*I#XFKQgoK1Td76%qTTM4t_tAYp@OtjZZVIe}%t@AD|$enS48-fh+FB&jAFf^Vc{*nASemYQ{m0|I@*K1;-@ti8e`R zMM7h`R-3O`{LezqEYh|B%cAP)NaoF4R3}dG5Y_)0CdOAVq*fiyU_()MSbLJhdo$|ESLSyOUTC>N4EZF_SR^u3* zo)ED`M6}inuCTCJ-)LR#?tu6|ue?S6i~jKJ)3eF5;Ms>~M@(u}_2n#-%KlS<@*LbJ zK?%{GOp`SC;~aS};2-Kl0o3{+C|ri48J%c`fBY1)X!F^W8J|)BRVk-%RMZrEaq(ul z+!S{x^FmEfWVwD7yHjy2e*YhP^nbrS`X5{L|BNll-iB(qZIzpVg)`TmhZqLw+S-VM zXKH5cVn5%)Sk;hp8?8o@BI8wFf7IPKA_eQQV9jO!huN|<{URldaIr~SWWkC=G=_F? ze-O?%@fa6I^m)f3#{8=0E%zrEQ0FmL?n#TNEKhQ5Z^#`-bZaoyDTROG)t_i&Yf*w$5RF?-3X5 zrkmKgAFUMD?cU;6iSO1f?6u2zre26Pe}PwQUnllijBjdi6$yD-`HGkrcEw72j3Wxc zihM@!_AU3*Tn2^+6>C0G=r_83tx6Dh{&5^E?<-?k$f4x0)o(RX?{t5^)$1Lc9v*)3 zXvUi`5B(_oALXVk!+B#$rU{=0Q-7A>)-4{+C|vO~Q?_xKf56ccr=WRhyrzYcDJQ)MmRr7lVCQ?-F@ZnqCN8}6t?HS6bO^@Lxs3BjF=q|)F@)*F~1%+ z$!^{o@^|sG5>gq2S)PU$fP%AsQ)%D=aGUzhfx{&Jd+J+biV#kG8|G+-<~(S{*(}8w zn&8~0-ik1z_DWDX?7SbmYkg>Ze{6TUgGRGCIBNA9b+3GI*mytq3`nq*jI394fs-icI$Fy-(I8`8~%Hg)nPUp%`auNmyR%1SLPOZk`=I4eFs zQ3Ba(HU6;Tw`k8eZYrTDPy^lZ_@+2gc%AU~T1|O8g1img{b$pU7ok_wJDSqn23_Mc zBib5PN@?(ses86T31hZTf3XI2?@e{5x}!Z2@^8&HKbmcL)vb2iOomrDt$W0HIB4wm zJKax%kF9PG><7C;UE@WDy(b+UMWVQhMitp*)X>z%$q7|j)oQJZ<7?A!O`$Ax7`t3&lulC7$l+ty)G5A76o@_o^PWNwtBEWF(f4qyJaWAqo`?$Q3 zGqfpVEY+_mR`hFShV%;sKl+6!Yx=jMxc~kv%aaMSDvc1I2Ue0l@Iz+*staj(5Wuc` zk8>jAc`{5Q`BZ?tC`?j<;om3GKL32en;Hr#d~A($j>AW$n9GOlcYi-Rd<8*-s8YFw zSk}#2t%uWVoWg&?e<7|3%+5B;;pTbmuN=@ODv1786ZfJojw;))pn`FpLIrJ)RWGLR zm@r#HiK6Y*blN5NOvR~KQ#db9*?G?oY7aLrH(GM{RllX90y(OXGwfAPW=q8 zK-Hev<*8|F;`C?|n*hHep`ExZ^iFZ)-{OFbyg&BSRk*loc6n-gn>an1-X_4OruV8! zyl7&I8h19)e-t@g*MfHDy8dm3)4MenR_XJVR#uMiR7)!%{?2P_Pt9IjqfPPZS`F#G zb2<%Z9w_Cl2YnDC$U`^tQik(|`}RT~1nFQdECKsTdup`mo14Y2b;N+h&vg{@gkMU$ zL_<;fnEA+P3NYh^u6z6qkQ5*!zy>k`-$C&aacn?ge|(w1uSF*eZRRS8j7v$4ddu!u z)yAt4)P8ehz%U5C*4rZul=J-&Ky|)BT8(9;;i2)ZFq&3n-dwSRtjaD7)|2xv#5kxH z%__YW4xIS6h}(uw#E8~ptt)bq7|Wk489g4#mo7jS0oP(r8=}dhD)2{escBGYyt>R3 zEn-=>e}!olzAzen6&^0I7uV!w%Zh&@mM$WJ!P$kBTE^f-9Usc)3*arF^;(QyIE2an z?$I7038o3ENy4&2LXjl6O=Lq7%tl{D5(+HrH6_71Up9~=e}!8ZWUH?!4c3X|Vd9|B;%VicNVM~sUYT*K{B`hXfCL#i|dR4WiQ~+p2 ze>R9Pa2a60R}=%R^(vA8`s>$l)#xKUSO#J|O!D-p#Xz5SfkYUzSyeFfZmUgP%jmZd zn443PmhI2bgTOy46nIseyU;EcFbhl9`mddCuK@bFDk(#`i@0*`;V8ohDN*k0%;B?5 z6=copv-kVVOqA(k{!FWr?%?FHfx0fSe@slpQExf$T~D>dc>BpL&aM096>?r`Sd<4dAMw?b4$yXYqrqCeL){)ef| zJ@V5Z{;<8RL<_6WC6Mz@+I0u+l|vDpF2zH6LzXyq8 zI?kn3l*M70-L#mg-)U-(ot9I=rFmi4%S^QQB?G(6W$RLo2ix@Trj}ewo-PW3InnPZ zzIQe{a=4CvSYoRyP2UvUA^upPf13X21Z_H7l>z?b>|pw&R108tXTGS9`@FcjJ68fa zH^dzjp)xmJO`UP?q%@0kQzA?pV3i9JR2=wG9CNao!gAlesEAvuFT(!xm<|Jd%X5yF zMp!J1^jLpJ4iNWCIclN1*0oZWYZNUFZdev%vHnyYAnupS0=JLcKC;iAf9Ia5;`*|t zYF~*jjXQYoWHlJpY~8Mw&&AFbGGAlDM#N&CNDGZ9XM8)vQx;42QVJ(}Y2S&ww0y(l z^t_0m?o)JeoaAa`bVFSjG|1kzY-Y777=N3p?%MQfwb7<*BGnc&G}MII+9VV7af_bW z)ud76(1&Bab1(dZNn@uNfz2L z1@?$;#Mr?)3!@;|R-F6!jHMuW$bri7_WbD%QVs*x2Fc^?R|m_^e`X3;_8_wH^T~^% z+}=e8xV-vQP{*8L3;Rt!8VHdrfTL;;o16a++q zQbekNl@dcTKqSe;OlVTGDt2)dy8`OESg|XL0`}h9+QkNTEGVML_spG1GD#+YuI~H3 z|Ia+n`!3Ghd+xdCo_o&koO|cqpBAC}kF*F{@_5bFak=Cfe@If7I_Eg6LVT9n^W zf#bPx2!g^;96vS=Chs{UukxVe4^Ww^IY})7NN0fC`!T3W-LG`wQ{_hL!xI{(9thYbz!^6(7R zdg%7*bxnj^iM@5+8sw8N(19 zL{VPvfA;FT~9Qf2Y2x|gZY32dQks*ny2rC`K;S1>B92O9v!H-7rIB-+bQgU!l z5nC(Q=13cM$OV27SeO4af&)@K-UC9Vhy*MKN!33*hB;gk^wJQ4V&u|^V=nnr=e*$U zQ7d5Mt4s2XK=T&FDMJJeQ7E;o$<&6{De*nIf2IycRM;k8M+2!I{-+K4<1ryI<-oL3 zsi-w3&{netIk4fQ5DH8CLLwwdZr7jy)ulv5bb}L;p9_RbobtqB^)Ru~?ls~(8tK}% zAPWVKBBLS?6ipDqxGIstJU$AAg!NUEln9Yx($WlMenuew7jV&k8mj(JAS1GO8_Ypr ze_oI%5D|Hd7X!bg4t+$*SKsX%7CAMlJ!Rwtj_(N;lqq?w>j2u$sUwMi$m7^S+K>e` zboh^=3k^^DuX33}KDdgKKjo==0Jg{QMLZ}Z41}>BLzEDWj=czxdWd))T&=sRzb{ZH z4tiDSzpa*eVJpu*#==r?(jnt(1px8#-$b7e_T4a&OOyod8dvu^RWAv31stIOerPRze;kduM({5Cpwp1LV z#OD&=lL(ddZ?&tj8&d)5d91N@qEQ;(qDKF|faR!1D{_d%x|Sf42F2j^TpjV?JM^@C zN-6h`8t@!oBy$HUgk;`N69ENke}bL=&(Ms#{p?YNRT^t58UTs}u2evm0$6cSNRz`KhOadI=XX|;e^U{@hXVYkKpKA0HX;cV zpg)%$kpV#gLYH8X0X_@_1qONz2@48gdyV#&s*wRU4`wK_N?{EhR!_tW)Ol@&m+z4Q z7k@u=#%ORV-#jFiXxV4n$ZGU2DhsSF|G3gv0FATiG z<)_rxAES+$5+f84GcdN4m-yi)tpy?qlH?N!@Q9Kx0=7fz-0zFV^TlEnqk{$16a*>0 z#-W_6O}H_&-jQjk9aR?+#tsV#7~&De9)B7Z792{lNr4`N{k=RfdiWjdUwtB7lcZIT zfyG+UJnPklJ8KnL`Ua>=(`a5{V>&9F| zV7h!am-6%srDFrq#C%;}OwS3`#C#wumzO9O;^W6dQR0|y*(acwQB-^@A}GSKHGk{i zO06d08WV)&^OH1_LGd4&75yJY>`D?eB$f#<>V*h@=n|e@)AogD!7}XrQs!5=in$V9_4C}rX?q-mLubV@0h0d^FE zA@5N6FA$8Xra-DWF)i~-gvjNC?}gVcov)v33fk)Gd``hH(#Lf9d$DP7m!iBw6-cUG5HwLEp43*aeu)$spAVjPV zC)`N)h|9TT;+-BX6fkkG&wo_f8*1RuJSxgP#0pwku}JeMsvn@Jpi2dSnn#j!qPHUA z`YMT$Z=F|&jT(u61u1peHHOgLESgPLZB`D<>bF* z@JWOKru3h?y_@d)z`3WS2Zq0s^UkhibDS167$RUIVP)_DI& zu%r3?ONdr>QG#IBjDIhRB|I6C7Bp9I_RU?yrZdq+;!lk(1~=#a5faX7){Q)32`q+1 zJSfm>6x-7y%!BRe8v-F1$mYi=T7~#1IBHnRPlUmu38<{*Ld`7+TAq9g#7Cwt2MqXI z)vZF7c$$kZfWa3rAW~CpNCj>%tZ-zECp@+0f&qF6CntEZE`KRf!SZz=wT2?qzZzG| zEo$sxP;8!1Bcyc~gCaW62spK6w;|OG_xDO{YalVz#V?ZPK&tEbRB2TpmqrllR|tqI zLEL0@Z3z&nbfZe*zHxO?L_3YC42EC{)GD93SeTYhm!FnMin2zau*Mo5u^lKy9lj$1 zUNG^B@?t*`oPVVLUM2CJqUDwbCI6%k<`rtG-l}3pnR;{0yD2C|<&abg;$OXDkwSSv z9TEd3fn1j0Mrz`3iYw~0ssT2?;y9vM7z{WyG2)JKk*Y3G>H+Drgb-LP;Bz??Yq;M! z{-p7BAV%@K%Krz+UO6v@aS}N}Vz4aq-!>;yT2%7srhnQL^$P$Gsb2w4=LT-C0d-`kM2t((Q=VYt+8m+6 zxbmNTdT0tp;}*W=ja1`SGD1TjTCaLjIa*7dIe*F_mfu^Z&TDr!sJG@o$WM}PnqhT{ zQ1kncmZrTAB+XMlwT${mFm2lRkCldGT7$$=>bMsAv4DY)0MTn)DbvZZ2%gO+Peyr+ zg1u@2Vhr;b>A?;P#zN@OW@3zVI$eHrI6+39Y*q87ut+M=aHT3PPsNE!Ig(gdO1zU@?M?f}G9;(F3lC`AoZbXCcar2npk|&oE_h^3`IG~ zG}ogjidm_VccWa2QkgiaQf+i8E4>MM$w6I^3S$_4Be$rA?m!URl@4t8x!nBbuym*cpWLAj>S|h&A%js>2?@5o=@@8V#yQuueU#qa>kjSkzTYK}{nIiRT1_95K-g z)$BwQNdWnpD7X|(B7wP>%1MMAX1@}Y$CKWM+lKVw*P8;&Z&KVT0|V^&k^mXfd7AflRzM&mdVn8(D_r@5(U zTpg6FC*;0EX;7>L7DJ3EKF>wtY)J_m3nzz4C45mVxD*5^&P?rV=NgNc4g+(yt40!lgRJ>>=>3=vGj)(`vaje16kscFw&&PmS z-dNXFyhU?4AU+YmsQ3N8?8NZF)ubpa9m?^-H%H?7-sA@OZ!;pAyf$G=)EDMR)`S@+ zXZc${&ZQ(qtYJ0zA+7`#B8dPTX#LDKn!}Ax5Ca&k`Q3nWO{g(Z#>nw&BQoNOA!~7r zvNZOWqJL?8cHo%Ao5L62^PG!_QxuCNF^a6UN35C*Kh!MF>d(b;p|`j|7`5fjLrmFenogN1@|z~1G*W0^VcIa=3VaMr!dSY8OPnIPtIq_9$Z zv{!$pDoKp90Op8Bh=T+?B463Wh-)jZPOXtaP%9+YH&Ql5o3@dP;I*hDDeCIfWeHa; z;x#eD$t8gCBJMWePlV}04qv3x%pZvh>o|@L2vlqoA@@*NAjFshn7g?oHGa0XwziJ_ z`hox2+S;oB*WS+7R>!WNQ$MHv4)#v{`{{q!+Bx-i>aPRYeshao@k_vLrH<`CZcDv$ z|06%eP`l8<1|VJnSL#CE<3h*RpYhq{0@);TBsPdxYBN4Yg2a-2I9h!7sz~=H#;OKC``F32G(JsVR=FW4`smdcOX1b_-U|cLu_g!7SdFf%s^bCK^}kO zS$h-2>WF3&1k*x}7((Na1OX4L&KJqkzHl-}C>FpjR0P~8_$ClAjywoN1CD*w#E{TlcGpvZ8Yis9i7zuziq#MKmGr|@$1pu zCYmp@iRPejbUOZh131dh(khiMU!;*@&fLwG-UABYBtv0*A&ey8SJZ(W<*0vR5f{pE zaJ03h%l927V?~1!q`o42>pALXZbuK`B!>_b%`GjdO4-=iLRMDv9?&QbA1ty$o`b>B zDOgYo(NO^miy;SFdV)yG7eL_$Qpr^N0(YBL5!ZMaZ;(6&Bd>w#{PD( zv9YsvV%joonRYG%YzNre;KzS1*l@&rn?ySsJjZMk2Xh3{xN&&u%ih+O0Y$pf!NNCK z3d1<#i(&zD1C|AN4OHq6kLgiSI zI0%&@VuGeuGA>~X8epA7NyUvpjYn-bVlk%M47yUs+|2Fin5si+d=TL*#)G*XF%8_z z-RbgyB0l^f?)K=_3$lNXfiP%g14|@`gq#k=xmTW_AiqZ+ciAuxVltW3eZwL@Vld^I zTGfVaHQQ-Y4=KhBf^2}N7bAR;)LLx>deI?>WCbAeRHg9J>BI_xdLOY4ieOAtIFgj6 z`)5m!;s2-2-p?QLqxAoxSiUHktQyu_L=^MQNr1-vzn!gw!4(wd!kF^# zxg04BL8+-~^u@3Q1*cVTVWtpC5J^F7mY!~dq5>PK0A+F|QVlxncsS)-XvM=RI4u-L zQ9dGKb2(fr_ym7T&Mu*${w{VxSE7e-3@l;eN7t~qd~qBsK_Li2M6Ps9POu0Fqlf(D zXVo)B=)}WRI;BkcA}K5paRkALL^>3cFGh;8B+3`X3gA#Fha2x3oai`2kbp{I3053G z;sXkIafx)%5Cl~N5Q+*2-UTQOSu1ILZFRisDwLY1I^Tb@i#TyIr(f5{rs|VAN%?1! zgZiV#6iQG3#^F@f{F;&ckprnd4qq{bTB{d*$8ne#@)d!-fJ{tLnq88fnhHt90?3l8xV#?-Dn%I((+bpZrDIsr(j0^< z$?O#Wz5NN1$}Z6S!bbTMVaV2%4kBtGJR87?Sb`*{uq7~u$CeV& zIOKn9YwN0bCFYYjtn=+_VN)2jSJ^{Q*Yq z8`{<~@xPuMErb;O;Wm@REI$T9B#tvSZr0k}T?k1Q?aFqvf?ABqm1rTH~>b3@{dn zo`gyze6G|w3^VeWz^y}JZi0j_O@SCfPO>#87It&6>+j%bYisK&H<_Uc(VmEq!xy0p zh$BeiqyTH7H2h>QL+nXX>%Bx8qk@0DA$(V&rMbLY2@*b(q2~Gs>u7^j2L8+(l5csU za0f&N^}8E-tsI%#$q%z4TqyQux}x_A;p07p8tv-8-aAr8j;f>bzTx~+xZZ!6AB>xH z6`d3F#jt=cf>F7~X`et8^Ld0gR>I-I#I#Sq|D~lYamXmKIS7ZLj#$WoSj@^6wa(Sk-GqR>o*?bmGdhqWo64e9iBdV2HnKaJ%7Fk|%35`V<6 ziS@sJ_I4WUe|C;P_y7DWzaCHkhcAKxu@P6htpL*ndJ-au$6y0~HZ+VvP(N2XbuIvl z=a{IJ2TMQ#KpC1r#6yjU5!8PWz=^OxGyW%4Z+^}XBWR-t_nOxrK54{!p4{w$NK%p@ zvLPDd^E7*`vTTCJk=<^O9#ClLP$KAphNz|pr4pDUB%)~|TS#HPn#!$!%@>X3S1^_u zH%->6WWJJuh{~Y;V?PB1sh&T;tr@9RI-CfLq$rRap`BcX_dp@Y&engv9~NrUF;fdl z$+;qi7nX8~B!Q4GgqhM5F$}O4v53va9zYOBnX<4!xKdbZjSrqHoen9!-9y=N95fCD z>>yUh+tzp=oxqKUrFaoXP=J(r`@DF)uqR(!Sy!YTK=sfmNT@*NjV#0<3g7SZX9>~cm9uk}?OG#iKBXYzpAfBPj{WgA;9tck)!HhUF%e|4R2r zkw{gs>cI4fzzJh=kBEq{GCibRFce5gxHS6SA|lwUwiPRR##pf+Hu;I0=84yOBGJ7bLERQe0+2y0GjU22-6I zybQ|Z@OX%bNo>G#Qy*5`^?`#1s2UPW_(F~(g*l#(yu2wnZ(KwI2P23e6oZD;LP1kR zT$OS_5>yp6*uq*!7AhLG9xX(%x{60yDkPICB;ys58>ui}n5-#DE+S;23786rII*x0 z8_<98!eks2Hlql*#SC;5qb|mSx#rZ92>IV!7exh%YA7nu>?MGu3R>8hg7%2}8s!JM zxDiubS;bs!HLQ6gV4+w5j&|T+0hHHOoO%%h6)RYxU`dMd~h)@;&}Ftwi7gF~;+v zxh~2#cz?Z8FDpb|UC)5!UgvqV`Ef2n9d zG2o<$semeogwhejafmOh6k|tSYOwrZ0o5@UAv~Z|jrcTW3t~K6!{yFVe0r$`DNxm; zoDxm&tJQt4Gr77ClU=B`4{ZiHDQ&X?0q)EDzwE5&nl`u*%5(JY7 z504PQ23ox9Sg;?!7bQqx)t<{MFp1JkA}c_Yh0>r22?*}aa2JD-lO%|OM5KS^N&I>} zRi<$tMO_j~Q=ZMmQCN?!(>a`elj=syCJ`cqEWe32E3JTDZK9%L0bfeo!;OX^iVrDB zcyP3fFaFtoh(|y$EaAc;DJK?ov$s{e58x!LzH_prvJa{N81IfM=KW`mRplS#8Qbg$ z)vS=AIde%1p>LQ*S}3W_AWeS*tfpy{V1UtxYN|Ls940hUIzb|6)Jv+DS8?AURqKAG`4DoOHXVE(ah{-D+nc6I zs?sb6*xczP#L`CH5rx6tuwJAgzNBJk{E?+%BM8&3tiBJ@dNQr;&#>WtxDRc(1 z1oj^sxEa8aa^oOI6tlM_f}&|$vDlgmr;X=IteCyc8I)Sg7jj}@rUVuvC?9)Z1$=^{ z8BJv*$4u14@W@EKO%yK2oDyh6e9^u{$9~>r7y$yqBL)cIvg<~5FleX zLLwYe{@Vp))9_b~RZD+^M0^ns7D*vT6*odXOe*`|e#i)6Ei^tj8YMJjt|l!hB1QyA zYzo;N$)9N(6{Oc={ryl4dECEc$h0d3*x|rTf}`UQ zBpz@Io?yh~4*_+xDWq0SZT2+Q9G?dk3rWn$pEa)Tl%>>F{y%@c#PRdj$WLwkPk_WC zD&Njv513+6>_2Iv(e*$3ezs1I>g#__cKz*tuK)cTzv;n&KJ-p>9UUFI?@-SW9i3l( z$NpzP)6vnHqnCV1M@OfXc<2~ZM~B%1`=4&|8uvsUoh%(+Pmi!<-RHNbE*o*>y6wxm z?DkuGE{$I08x?=*Y3$*dYdLJ%?6}K%{l_2noPGHHuzrU-ah*7Hqy0Vhf4IY`vNdw> zcmI6#!|ROfMUF3?rzh?~QzAQ_eZD$m@UcSGfEcA;{mX0n>&%hXBDgR&{ zrZun+zlhJ%e5E4`Jt>|?Rp%k?r1+0^hAho@td4=dsuF(ze@u&Db!1ASbqzG%Sspr} z*|IL}4@1jCUV(inxYC6OI8(F?Np#`j3YUet8#)mW}sh*+)D)OrsD@K}w|L(d4qZSRUsmUyB7+>{ZdrNjz*@1SMlDe|gUiHrh-<*6cKkw6q z&7FoOr-rxEcVkM9W!_$so=`Hx;@N-Fpoi$3SxeCy9Q0JNt6I z)3{q723MLb&4~Z)xS^q0t4Z_`2W`vO3-hNQU|w&ylD&Gv!RqiEV=ubRoESv(-tvzu z`-p$(_onp3r7+Lp{P~HJ%=)})->sY9`{!+WaVl6gk$Zjn%2LO)_xFPHpN6N5c-lL@ zO+xL$lN(;;)n2-EW$*A)K6-1X-)!ig^y>1JsU}lhB17Z3Zyt}#kqdW?X>fL*`Yu(v z@{Y1ro;MlhwQ^khQbyg8qe*unz8s6KbgO^9weKTYwuLe zG&D=+J$_NPxO#OLlOt{WKP>4L)$sRekIblde}CG*Ua_VA)Pk0#-CXvR#f27imrsAQ z-}Q4V+75Ky>x~OZ>JO!r3(rmO>i7QKx?68f+#U7BIc@KYQK1uSm}Py3KeAY{XIgo{ zqfxh@kr-Jd_)clS(&ZSwt^b7xE3(@rIy zoU<)>vFr7aMKf=gL#=SG{0%G*!O@-QzXPf~uYyhIckPdP@NNb7ZdA=h2lRhc*M492 zuDUGhH;*F|Z{Kri%APSL7S9Kk_Uu#g`vgMl9oq+IpSt&Fr?!Bxp?|PKF)|8@qqD>BNCc5+c<7A8mXU-8ZnG{hTJ+*$ ze;2%m17y`bFD+Y|TrnB`~3fxQAwRfGon9zg_{oIN-t{=Pu0mW7A23$=}&ZvLc(faDX_qERt zr1#l8Y;e7onZfctV!uaMFf%YU{_f~vBt{q-AWfaTuoWR54_3#(PI3)3jF&}D+se*gN*`B; z`s2V%LLfeRxfL#}c%AXliI-(xo$vSIT)p^3rn_T&@T-3}r!Iy2UqETMO%1M8 zijN)2xmus_=)jbfy;nRNGU-4&TmmcF2WLMsUwj5ghc!s=;OwoAT_f9-iaYiG)oB6y zLjC+OVbw!?6)3&Lq9#kcRjjlo&4leMV1GCyh7$G5AF z{W9xQ)cYB|ygh#*7un4XMd>N8AA}~2?7|+ev;hir|j5v=Fj)A5N7aIik_XP@Z z5!$jL@!6uzck6F&bWL5vUYK7u?T@z8LZP&kpQby1$Q6Hn*|Jv@+i4EHZYbgU`V<(M zZrXem@A@jeu{V}3GF$94@sVLt&}aVgBL-Uyj1BS~)01jWZTQt%WWA%;(=7!KgzN>h zlj5zz4RP%r)+_i@GVkfxH>3qP(VTN(uo!aZ!7jn+-TV1)>Z&-Me@d_Oo3M@|A`^butijw%e{1|D8ouA{AVDmBQqiNuR}n=*s|)Cix;#s-Cz3d$rooC@*~P@didb@}CGWw&Zy z9;kczylefeX?VR5R!8RiOXGt`A8STpUVB=VG=0dGV>(no*z z+}YG|FYm0g7M^+H{N{-jUK>LVb9&tj#-s~vr7fFN)G8_J!@VgRO?+m}WSyq9*ihQ= ze*L0d*9890J%WzmBRB{%rp~Xt129QVH(tvh7_#f*A#qaSVw($7daxi1TI+zao#UUy zS}e`6xIecLH+|3t+DY-AAYA|#jZ1%6@hcN5N|$7gtq!jJWlZ3B-E7}1RxACwu!xTr zSKVd0+HMYxn^~V_0pWJC+DsQNZWvuV9iM*ITS^jdrfy*G;eJl&xeqd3sw2BazvWy} z_GM4vL#^E zCYz=2{et*(`Ze*Rapi1ck{4nI_6W?yt$cTxxW!*ypJLoxUwz4g-6E>nK`iJ5aC{jD z4xMU!`q}vlXS|83PI|c&du4x>n{eaaMaG>ywe0WOvytsK2fZ1wyR;3&x)&j12bOjp zSh8o=y2r~~EHfp1%Y6gOLmiF{?*nR%t66!(hMBe_>Eolys9O`K=;+e;Z47coq{AoX zcg`tF470#J^$cc#(I{yMy)D*usouc{rhmQM_?zP<_SmAWHP}q*+9rRQceLC&wbxFQ zv2PRnoyOwmZ%vkcMDE@jy#V$wyxgzbM_zq+x3cqpJWIK049yLZxmtX#WiPw)HsFeX z{u!e=SX=ko1!vDZH`W{|->mXoOX-`f)9e0v(|KFK_!hQWtW1sffoi>nnk-lWlLPui^5stZc$7;WY;M2BsJMCV#M7rWia-wZ; zw%^sXDmpNH0nja-mxp#Dw_M(rM3zR?c!TLWZrqg*?suy{v^#%uY<}Xct7dqMqjllp z!-2EsVCut~uK)hptCaX7Z!ysHux7hQ8;Dh4NvrR@IV1MU@gDS+erd-|@FkHyJy;!? z^zDD<0LgAHf4_8g57XAKMkMlw7Y*+}I7>%%+VCB->~qbUbI+Z(y4_j5GY+3rFzuw+ zYMJeA40Xwd>W_ak8{1aI%KK;-)54sU#cEG;J2i1&*}aMYpKG2I3$6~pZR+MM`-q8^ zf#eoL|k1HW$? z*JsC>zxy)>*4QAXCyx4M>B!dVX9twQFYl~d;clDS5;uP?8?)>qVhXR812w)+TdCue zeyw=rd}LPL;IL0vf$iljF4djA?b zRS)x0N^KnzF|TI@Oy~`VF?KIASIquA37|xa0;5G`&Q8%ZJ%fj%q4xLwda?2IqlcaE z@2hPOf{cGa!&~k<&n6k@&dUi(l`R(tOuIz%z z^CBG!1+JG^n9zmJ&bl3YfqvDFWp#WRPj?4e<)}YcS9EfYy?*hhg*>>0-RfNLI(9 z?a{liX)XKHaHHG4=SkaN?mK@Z?;0@gOK2FdeawxYpE2ixJ8qZgx^S`RUP>RJ=>Frv z&t!kQpDuALn#%y$l0T;#M%WvB3KV{?hrstYc zpk=Z8qTXfqUySIHe9!E&iv+N^$|JDZ+s>rafyX`C4I;W&c$=OsO#o4s7B@@DvO%i{v zoin?GqsL*^1xBNub~Mh%{^8OWgOU#DtAGbqnYZS0h?>SOJcvz?-FYki`9aJJv$ zeHhr%Gx(gtDz^Sm+4;_|yQ>0UJz9SS;zw3{T8pFUo1;(pSPQKKm*8f?ns!pmUt)#z zn$=DJ@$)6^MW?zRIkLlW_aJ!Q-3B5%+6z#tVeU|K?v11GfBVC&goy25`HxvRHfd>4o&rq>;Cx5`+txhO?&t zf6=};{(enG_AgHcb$tpD4{sE!BeMjJ=V8q*D1Xe2#|+ofJYatv7}p7g{dVM~ zCDpJeE{Gg^V}tz#(1ts0|0$b>xZCVyH<#WYR5=}ATR&?YobB4;5bi7Xm#<3S{!7rl zLGGp*-ot>3w5fgcu=B`n5x>>%3Dg5~Pn@9(7r!k@UV!_1aqUA{rRnEh&ZgXnz@mR_ zpA4Uve{9*D4)y&CJ#c^1P?TjKQR3+c#``6GvX9-Y+jS?b7mTWWJMr9Fz#X5~;%KBp ziqDv&Amk2?wp^?VjIR0GE(3~ap+9g&cfM(U-4N_uq5i149F5PgEHE17=^p@$X{LYP)h+8-=kMrGi_KNoq^~76)D7ViN5`z<&O-tu?-`J)X4&rp=Glks0}R z&2A8oviyI-Pq|;+*Da56?Z8ZvWjOFYZSam+_I&2-S35e~7?x&_qoj~N1xAZ*th+P; zlRIb~7neP+raOP& zJ*S@(6Yv}}e&t(_9`YLWWIRB%_SOYPi=I5`KLGQ>;p2`LO{hPXQMk;s_Z?h)?X7IL zJpJ@`Lt(-v-UhtcnOXJ`Q870Lv@(XykCDx{POz~_Vay*D@QW9r@YRpsxI6B2Ong5u z9{7K_dl%bTA$uil(;NZZQ8(PKds&1qB`dhor?Ip@t2Wk4%F`>;B`bT`QWz+>sr z)#py{-&{4SS10qiu`-VbnFEsV2X$N4zv_SW^-1ig&$S!;@+NYxZ_nSD`RrZh{G?e+ z_HJi<-W_*$(Ri1Dw<8-v_FgXT%GZ|dIZPnroYf^v3uO-1g|pa0wjOi zNS|E)=*znF!EVp4^eoGay>k4V)4r}Jqx{~VYt?hh?VUFV>u=h#$;x`_yrWmM&sRk5 z3?EWy`eIqvU*0^ayO7ELSQ+eO)M8)KuvfAX?#G`F>|`oiWr#t7x*mNlZu|7iLT!o< zUCWAJSu?5s=9<3GhQIS`LvK5DC#HWtgY}=T+nk-<`j08CbEn+Dd~%ZEZnL}6KP$!! zPI^48B%$hI>8Adj7n&`0O7R(^)5>gPs^sk4mGe{IuPe5{(r(jRy%|i*7zHo2X@7%p z$ErWDrB>~Nv;D45e!>JM+jtPIUFous@A??i+YbGMRd#a2)PS;{X$$&ZUVVQI`NT-; zB1k=RwB4CwGfPY0;sXx?j_v9eZdTgLRrIXz)uxO`AN5#6?Zmn&{$KHohvqhh58ZF+~|gy%_Sd3N{K zc$L+QUv$2dI5OL2&Xs=MeCvPnmfzFuA{?;eef75LCwnqCrqmyqlJjNa#LQ#M55Mf{ zVlt(?eElmMS6iC{pVk%uXSslPoz3tFN!)yvMDL)!xOnIF zyCe4*4_ejX{_9YRx&Z!^xA@W@UTs2bHa;nW_7rbkTqEvs=IPrZDG7YkSBeo%TJmmD*1InA-{oS~qm|_$ zubvwsF)KL|ig-4$igSNq^X7h|+sdjpUTpKW+vmy~!{5FSG)!{#e;!!KjWqr{HM;WF z{?LQB>+)74W!8pqecSp6(~fi~Mh|8R2W;DBSTbohFefosXyvfrm%$+4Krf`{BekDq z=S_2Y-1*4GR7aQgq{CX_`j3b9eVUo-ys|%SxZ&j3 z#e9AK63RZYZ4Mv+dXX^hK3hz4vz>Usgq{n9$QA{OOER zb{qh(^K1%?7JYwqzBmMf)*j<7UFbh4J>&4ydm#)gG-I>tP9J{Ja3gB_R)g!Cr*Aae z(c#9ftAe#R>aK6_%V^kOwSPvG-33Tysh1sCI^o#sGh^<$&dveQ#w0k~HT-Z{E08=} zFU-Fimf_WYRGS;-!R=*H@S;KX+;O$MORLhiKT98Mo_c?*AlXN{>SOKiPoE&0JAHii zr2bI5-ZST|>eStM3ab{Xe7A!8;I_Lb?sW|<4=qThO}1cVvHqk5Y?@v1p!@KMfpPO$ zPWprS0|pj-IJ6V#>uS4sWex97*WZt#eT>)do%!KRMrO?h%s}0mzhRm0vln`+jB9Vs zFdb{SY0rOcUpnSVQ`!Y*pSn4#vyCpzx$OX{q~VamFP;<56a>&B+ZiOxy?bWw+xa!f zCYK!pE>A;uICUCN(;K`q>7y*AV$a^3v-=LsAHR2(Vd^MP+M(FiMf`zFv-W$Msx8Q} zeD$t&i%L9J`;4)7-1)w;z*dvPq5V7Wf1L6u#&LhgD z_oBji*N^Hk+8Uf|xIIx&KW6&Vd^{zo3l~2>v#w1Wh;{GsWFfn*ZiMHkVM|{WlxI!2 z_BrJOcYe|==h19ozWH39EIpy*klovl`ejet-{0)&k1T65ZE!)*kp&Kkv;E$jU4;M* zOV@vei(hsgkGYRlZR7ayDctMZhevdao6qvmJJ_{&P^7!dz$H!|sZ)xKs}{3Xp5OK5 z_>7#Z^$CB!3wN3KVpn(LDdi;_*uS=Jcrp6yjTr!&VX=Iv^Cd2ZQik4(JGAmx41LD^ z^{i!jOvd@$Z`Qk8C&!(fvyD4@s!i_lD2so&Oqm!t)9PkfTH>AhiWb96eKX1!##72) zm310>Gi-iQq&LzEhaxA%T_GAZ2#Kf?XR`CVJ?o69cY)?_GPU}9(v=} z)!cWthcp;SM?eGpco#~quUE5-0E|y4BvlsK~EGuYZ!U?;S~@(=ZMnQFRLA1iO)mEE6Uj> z?k`Ik#<*qwW~xhbZXcX|s^ZVi_PVr=Z48o(%^WwerOz^~D@WdI7678q_*VKu}9Ul9c$*k%Bu}^ zdUW~(=df)n?3wnUaNmHFh2fQ`K|q-qN3WE%Y8ClRQf;>x9iatYa@4tZ{Kt1 zw+^xp1Hp#t)nA^DdbPZo{n2^eZ~V)&-C_Q)QT%R31q0I>Zp}ANW7+vGrBe+=@ zziiHw*pc4*w_VHFrQd&T@kI3FPI?93k_3qO|e;Y^22dQQ#p2WPpb z_2%{7^78nbhN$;bGZu`BtvSw(7;ZSZY-5)}DbTuBMQrsT^F)6egDdmJtv9b7_4dZO zJk~k8MFVTDoF7wS(Ql_?FN^$|$vQFz{Z8SX|9Y|U9jEenSJ{J(!;^oRcC0XO&ybHx zFaoB**?wQTJn61W+ha0%ACh=?26ANkQq!IeV7=z{6`QH8hd-WJX_rh}*VZ7Xcenj- zj(p*k&0o^u57~d=9>$Vh1Aj3eaiVBDHU>Mh>?4W_@7`-=JhZs{&le4e4zH4#T>Ey9 zwl0|z^SslwTUT?dZ(Vhx>7DIkJgCGa<=En>u|~&Fdz@fJ8yBzpJi|G)*9xcA`@lk& zFNVr)%&NiynJ+%~9wZ<~w+{<;`dok9dix)ry*;vYWCBCWLvU)w>^ayp-(fPA&90MP_Dg&bI|RD5s$~4l zO1gE;y3+|Oda>@Uq9vT!*&%$;o6%PUU5dEB9l5!|+k`GOJ!4g7uIAaw$I$4TEb^D6 zvW;dYbPs>AHttqt8+~U|pI?~+`ec5duOsuP_r2ldI&ebID?ZjMa(wO`nUb^D#-mqj z+Am&YD8e$)8{a9XxM%P{)80>JU)=p>ec7gD&a3Gw#vD)PLaYJ@TE&vZs~66$4!H8J zTls@0AFHoVI#g-tI)BVAkT|Q=%dNP--DJ9sF3o?`bZya1XWqqg55}yXInP^mpxtJ( z?N7{@Ma)vOkJhr&hFuVs_aC!&x18O;>6F8*>ylHR9*Vd~C7F*u=z}bFC;i-tiv!~8 z{IgiU=pQ^&^Xj+E$blQs;UN~rd6{)r@=gd}*3Lf=d3UaXba=s+ zH*?vu`R(*ZFob?ATK zGB}I%MX#5rVNnqCa9aO)55+BxM!tQ$*C~G4oJYtg+i05J3@h=**VQfKqn^3Hzv(;Z z{*&N%OtE3yiLfaDIhJ?}Of#{ZHz}m752Qs)+7661r7dD0n+{ z_9pu6Q&z8ffyB(y@TaAJ*9NYAW$}Ohd?9xNeX{$ffWO~A%6xMu2-sGJE?nI9fT3R& zt5pABW&8UPX)_m$mQ^R;dUK{hFkX22!>^oodIp|7&z}!zcyu%g37ysX?d-#O2KS$j z9-6&2B%lNU4m(}Ac#iXR3@UiFwQPUG+uE#6<@(Vv@XlOP)Wu1R@#45cni0;dF`o#u`HUVv+^TTE0&L{1b4f<_#%_PsR z-4c4m$gV9M)OAqa-3xzi1#GnsVs$J^UO1M)$||3tKlaAb{ACT#7Mor_*wY8P)zdBF zLmmC;l%zIg-C58`S@ntHbB?p#_q+0Nd9VAgPMn%)*4pf1PX8Br0P%l@7Uov)bitlD zgCmRFPnWoV>9A{>uW?m)$`zky-dFnPPaAkn56{$%UpD>@yMBEBj6UUJ_bU!)`g2juTva!X?iz081yeLEbY{(;l|j*^9*l=WgMwmU~{!!H=&cS z02m~C7yf_& z)*Upbg*C|uCqi33-M~HLcmS+X$o5+#mhPz9?RG38--s@I0I7Jn#MwlI-1- z-wD65dTrHf!+{PT1|``9oE5FL&@zxy>_0laM-<~>DSKv-M>h@{`{lmuf0K%t{^yW**@;+g4fp;JT2}m z`b^6?*R6}_uRqofyxftdXTS?$b!4WZ<2^AjS5UO){mLi1kCsg|*=mj&{yVDmH z9!_0Rt!Lob!}w)U^@Y7c+2)Ej)j^2c7Pf#VXRvt&sG;{fl1~Ycj3Eugjsx{8=BpKaVoB^XX#$q|)%inOU~; z`vqj_$n-Fy_~dM>h7NCKql#p=nam1ykyUZqh*6k>;h$`CW9nfN?qopwVkA+OXC}_ExK9rd|%7^1Am>_ zp^P=)!_E#jF3!!V8>+HDP{yP0*s-(t*Xa!hp|jII1U}jS=H5ZxU-?mOAXdQ++RXQ7 zy4im}$sUk%BKk;QTghwjg5rxW;Z^ORxtNWc6|lC#7&6|#s@--p-(+C>x4(}r{#&mu zr#|ue-Tug7V*|rlTUxRT@+hB8M8K1&%k(SHmml=muV@jk0wqt zv5b*nSnuGv!S<2>8?Yrs7cQ2b%fHhO3hpi2@>@E5V!oZt?^9;_+TqA%iH{7Qobh+VT$4mEw_=`y>BPZVtfhM1o73zbKiYpR zwgai&`YW5Wr|SG=Wm<#5N8h$l>?3*? z1{Ah3w%k;1@$Bx5l!`tPMzox>`?#N82doLOzR=1TnoE}j_*^qumf>eKRn$G&WbNN? zhC7B_#$v4C-nwvc$cdSLS*)@8y?1}7b$L5)RPkE zM+dw0=nB->&jn@xOVooYtI%-_y$)KW0w7=GfIQBJYW@E=|wAxACB)&xQJ}y(W&k zmb{!+-+S|~Njj(Fc6Bnrd_{lz;Ov>kqb}(g@VueE{SHYS&R*Fx`a&zCP7Q~u4;(#h zUMRz2H!s@uq@XUNYwD}!RF9n#I^B z7O-jdq1d|}D*qo>R~Z%M_VwktgUk#p8M+ikx>KZKL_nkwaA;6U>Fyd)P>>Rk4rv5w zkY*GF1PN*B?nb)aHQ;#f|NS~^ooDwxzkSX=d)OZru!6oSzg~Yps&<$LQJ-LJiT5(H`XKlZ>6r0826ZHl`^UcYhk=THJBsBSG31C37{+T5>R~poD;)`G=hp7 zs%1kAkFZ7YC7u&4CTJC;B%Bz#S_m%GnhZ=t7 zul3TWP~RcTLB!R5J2AK55eR+#Kdqc?FEF^t9O5Pn>BH4_vG#bDlXBDKKPu#^L0 zc*HH#R$QeR0GdE$zssp`<$NAOmUIc}u~(iP^Xt1T!)?qadcnf$J4%r}2_@m^`$z z|1pxwrt>c|yO5WUx^m|kf*m({Gh#PA3Q6lApF zt)B$@Qz2Ymq17%1D4sw{Lg3|P>LU1NZjrBhi@$A(Or3-|YHN8svT;oJSq%Dr@?cUGWzX|MDE6WxF^AYLTn8?0 zVbT;CbM!+ygZZ+qZMU~T9kSp69z??iwViHyPYqwW3Fu#xOr{t~aPdGalP=F7o}j2| zTlPL3J{D5tn4rzUWY9oD0Yi6%GYmBIAW{qL=uo0z!2v9wH|<1SyE9Y2RUeb)Cjw2` zd-;Wbqb>`K$MKi#M3-$G^%|aTyK^(^4$v{F3RNFPgOsSjVF(Nk!`K!F2dE|iPg+2P zC_=MEJEu_=e`Rglb*UffR8Dgw}+K~Inv8LDCY zyPYDF`;x^pg4o4hLau-Z>EY8^F^59IZ!2NwaT33pPv-Y&`}*T94?P6{ny|v-Z!hUw z7T?a+J3uvU&I$zjtn@J0QUO85tT# zMGMnHI>>)6R_Aom)Sl7sZGI6(zJKbXJk!-3 zTW@g;#OOSbNr1`SvspjYWIxQ-HVd@dQ>7X=F(5F2NTOArc=5%f0&Z|!^=bI0SC5yk zWC>=1HEbQOyqk2Jj-KOkfR1SonjE1#z9l%XWA?Qppxyp^DuV!QPmJ|=mR9W+3StTt zjIrZ)(~%&sGcxT{&wfAhzKNj>bchXA%X03#xXm@5{CxAOS!o?&EmCQJ+jB_gy25BS z8;5JCeJDSz`Jq1kw-*K}8X~B;_cWee1A&u}Q)dH3Ep^_cg&IJ3=gm13!J@JO5Ajty z)AR>uQ}$$Uo<>Zl2|32o)s^b+V)hkQ9J4AJ<)AJYTuf zpYnvGK9ODZvhbm{Dq5v~y8LoASU71~*{crhTe;c(@V{q2$%hIKl zp?!-2JpWU5=we;kY0>4X=QR)Up=W<$1u5z~Qfl@C_>460%A7XN6iIWq?1n>76_%f; zlfczXQQ3nnPx_9()tQnO1^_}aMtoKWhxDq|3s*e^EV#^@lq4yCedAxEVmqIbAFdY| zm6Pj=iDccyY`d1A=;=oSTA~X6hzB4;qhqBXA+pn=tT4&+s+FFZFr{>xtFQC}iu>Km zdLCMMs!#5Q=uC|d_`MOuDaUMuk07i~F$#wI04SJ;*Tur)M~BR`D69SAOS({=l0(NsO&AVC83Dh7$UuiHk5zEYs)Q@P z(IepOsN?rFMk)=ry9PdJ-y(JQ-k+*jAW>JYbG`b`0Vqs==$4o1!ul=oykDFuD7>6K z{Daf=iQk?=H~@&4C5<4qitXoZ08|6tI(-o|t4|R;a1RwrepZ?FsT!YTh3l%}?JlZi zFmQ2!aCIuL)7$}yft|y>2si)&H#4LWP=uGUg1|DYYL!P#!pN6TUDV)XM%DHoVbjf4 zSI_uJAEteO>bYxq^!i51lr?z{dhV8)Y=UVg=F>!&dMfUEG8~cC0j!2`ZW{RNBz4>? z86g9^J-$)#le;@l=&E1l9oW0{{F7_9!`;_9@UbH|z0SaQa{+1p1HWKV=r;?qZpw9% z3-f9A6ckk@1+AohRbkHwVV8#q!JKN<^HC{g65PIj*}J20xW0l}$os3`>ATAp{`W+U z4>U&1z2IVBJ8jF}_;h0;?^~Rn%~fMeFIZ_(un_qxYdvMh8kU1zwIxO-)Zf#@I7b=* z(p!Uz7!C_ZAKDl-SD%yQ8=x9ukX%x{QYpVEUS0LuvlOR!${li>*0M;_G_zsw-jca~ z2SyNoWds%XT}u=g#+r=|n@#)_KC6FHNn?es+O!d_`55O^z;)IADT>kxB0tEls~PW0 zg+3)&lG-0VS#gc!W{|<4Ne58$bnt908339geP(G>XSbqU!gT_&L>l)TuDa4r5?kDO zebpJ0PCo4H+-Wmg`22wJS->!eHlD9I>l4#|ipP*7rg|Y$3k-=y&Vs-)^t_fwuZPLK zfeH>@)86hg7twbzLzn&I(YnUS^+7R~)2eZe574J1hsK>&St`(N$p0L3ZR7tK7h|f- zNyXg2XRPLo)eoq{5d)v67Jv(ih8EA;v zyZeB4`()i|fBsYmyjkM&@h`(yX?at>bWW3JZ3uo!l#=BuV@2k6Ui-wR8HB3IS0 zyRRQi#aADYtB}noT`R#TpA*Nd>ghv&%b;thHr(@SS50v%G4&BLclQ>5lFn9!RL84# z#fYb%uPntIsUtb#8kx`;BFeJmfac7=FbpRo7*5coY&ZZDDF%awnn}#)48L)7Ks_*@ zFdXtufB7AL=T8GI;*j#N`1u*P@B81Q?jX-tqlQoB_aF8m)Bq6J`2m8eP|S0GLeU?g zgh59eVK=+eE5}(IllMZRxLo*@>v*p;`~;{_7My07UQgk+fdwEA?Vmd7X?!J?al>S- zFn@l1F@&$OKZ5u&KN5t9+#VsruBr)lU*E&zM>Z|$ z*NT`L3c}jt(%D%HhP_rbo^FVL=i{7x`3yPrUF3d(F3oJBd*qcy9^rn)Yobf`cu5`1x?iy=OL&Z(DGRcI3d zyjP>U-z1NKt7IaB|1v1>!qf92B=!E;-Rmgid-3=snV%v62%K~~jlk`CARPoIABV|Q ze4OK$FW8xnErkDoj0!jhUG{9ytBpFZp`QEj_%iQ}Qi2vXlHWxq^$-Feu)ZdOY9n3T z_n|*x8MHsNxs3F1Ay~bCdz+hntLL{~Q)sSYEH3@k+n$;8=11*p&M|9RY~z_B&o;%1^<2yq}non%jcke=5Wjog7HUp<+S zo!a{T&wb```$&>}qi=BDC!?{?A5xw%BH*8acKhmN&wp4V^ik`rLVMhe;(-+jFbZO@ zU$4}lyKpsIy2X{3c>s8;`FN_Q-(PioG7P_$X7}y${=mA5q2&@04gfl5NFz9)!&=dab?(^f|hX z!MbUdql<5ppvm+IfAj^BT3{3&2+SyN?6zJhNrsfG7w$WMe+4=YKieNPStW^v)kt4G zTVpNWXxrIZZ^KWvsi&<#G`8mx_9Jt69h~E@q4dG5P4iC^pzjdups#)EbnzZu{Tu@8 zM)Fe&!FGirb$7_}(xa~QG7Tsmbh~7X;&X{SbwA513S<_)?;L&&H3nsEns;4+CLv}( z?RWhsn@W{`UhhJGb2nOVH~f0j0l9V6jF?9jS7y;0Y9`U;HL~}V0ElvX`_N`%Nf-yv zAy*6R*jb~dL6JgU>QM)&ntUr}CYjMkrI<;Wuct($TmQUz)fxdsJsiClclyD!nBq}S z9DukenH2HfL9p-0us~pKG5-Aeh1sLV5JpY7c#q|O;acre?Ffj2A!>WHLH?Qf68TmC zZ8f@4sNQcPs))h_=I%Oi#->U)&VqmkV6b_T=6(7IQB;YZ)SD-4%*`ISlB2w$E|83- zD;3BBo1c8=>vD{FTHw4si^HT@!G*-|2s|9KD)Aqse8lqQ=<{O}{PpchAwSmE~Hca|*UFekuXR5!?513I zUJzC4*8<02$W-e*MU$>20UY2LiCSRCL=rU-svnH0VJXQCrIVO=i&yYYR$OzK75}_{ zkvEk$UfkyT9Co&$lVg7I_8z8)6^MQiDD963#*LnSB<@k80v`Z42)Wlp7T!@lHjqwY z>-jvRml#&~&}Css{7R`6=#~45$C~;c3%`DK^MS{-2b+jl2gJgu_aeZV z57VkYJzttj;p41+DSUa-8gkI7qLIFT#BrsPbaawLl;`_B;oY0-iYHC@A8czKF-RQ!itzc{MAO6akZyBr#KwSKIjrvKCvJG<`boqycU+EFh8pW zDxMImNTGg1)(Xd6HIB&m3d&y!YfNo&TqHH<|Gat#7-4`Kik0+Ph#%?Z1ONViRJUU6 z_75)?@v*_*O5+Q+ghtT@xf)+?bVqb)KeJNrh6*4# z`A$#APM=W8)82<8;PpVe{c^IH1WSYhicPHjskSl1AshWq-*Jj{o}yXJ($xmtR*taI z2(6t@seblmanZvo$4vASK^SI#gJErA^7M2LL$rV_sl#tjx+#m}bE>Q0kMW(08a1>H z`V;8Tq}* zcmB+(DCI8RnM$9SkJbC!%*N|EAEKkmG0T8}e*oI;A<2~E^br!MilEqky_-%Clkf|Y zTA?FO`%3MG^i)Jw+^3-DZkaeX*uL>NtZ(NYH!S1xdSfaB0y7#RsJM@uGJ`;+a99c< zueEMt9EG+B;lc9pPaXMNCRgS=g1Ou6aflezG>e~3cGd{c#hXQgz>JCrDsG+K4?>_) zcD0JVvbfmCB7_GsUmuizB`CJY{^{XXV=b2uIA}=XF@8#W{=+~k{s&V4Jp%q6Xt#fu za?6Jyf(SK|ZL%S8bFq|PoVwz}o~c}EEAJJKum!CoSow(@1qu%lh=dD1J0+yiU2%#s zx~|}lpa(@y6Z1hu@4-hgNu=$Fo~LU%$l~Wl(PY&6TmC--6tqx(1{HcIT86h4+ix$H zOc<6JE{MW3#jhDTm)QKyg} zMJeX%q@yEj;u)^pZ`O}G_!*cHX{JECJyQln9D)`E&4Gq@)iG4Qibj|vO8vNRNOd)) zpsf~@T7S-IX+|%g#N8--eVD?~3 zQs(<7SBU2aev)-wt((GT5|7AdE792rBN|Bp+x%{H$C1A0tb+ zQXFZY84nQN7(`m|1`%An5}wmG-h7jcspc0$l7<5>z8`;fOtK18@ke+A?e^O`Au@0z zFfC$K-@y}NGatQ(m@XmUxWV0~0JlyC}rB38cKY z?3*HEjvjI`Fd@8kt*b<~QCsV9FCs1Qquq!%&j840QAQMX*J3^e(GVj8Vz<(u%lw93ROa zZz&Kh7aoJ&T?|Qe50tX#&ODuuB_e^tQvLb$y$9)u+5!;w73&)ZTgv1LMvir8`P(V~ z3?k`&1B`6Fg;E6Nx-!NDmMyq!I!nW@;Q&Ms)+Sj{z78NlcDOjAE@D*kP2e<^{ERz? z%6$0BVTyoh+hT?V3CeB-hDG%j>tlG4j``SsCJpT{*e}hUCvr5z@4Dy_G&Q;@Y;NT> zozBHX5?{r44z9`_x<;=VRTFLNIdK^bXqa$+RvILNBj8XRvnp22iihwVfQQF}elety zGH^0yru|l{(BhpYg2XGIF@%p%Rk|I`^Kpte(mws&PT`npbqx%Ajqy0*$Dzb+AJ7XX zR$etuTXA+W_2#!4*F$ca$KL)k62l1p)T{4Ay-28hvi7u8f~C^WW&;lZfk_n+RE64q z??!G%xS^)Y@bpS#xwcMU1ns6+v|MFHM;@3h@j*ZGeukmTvy1AZrYo|n4gUQ4+sYO4 z@E~9}KSw8Dmdk#qd9~@*6UR7%K&3w~+?nhPwzn>ekNuwWkM~2m-yNu8YAp=}Rbit4 zgo-~puTomi{h9wO-Atgqo!h|8z1o_8;m_ctByw$6tl`9)uWW-1#i{ibqkd{#v`oNq9G{K5Mzpl|C+$BJA07tE0}hqmB(q!JdbI(_(bf ziF7-m|Gf{I(@gW;mC7(Yo2xs+6dH$fsHE)JCx4VpL6%!M>Y_M5AY#NRD{-19*1;nR z@qOrj4W$BRZE^uRvN5{p>3JkoymF$>qU40-&%mfDE7Wpr%e;39>E0He zYMrF_#jKUR6sFu21KRD!f9@K80v;5H&S#V9h6i(XXG5`)$p?%AzJDfhNT4VvBolU- zH2Ry0hIiDxqNWZ&VAxWGKfiuZoVAQUx*BLr3_Bv0$+T*yWjX(CsyJS~V|W{@b~d$9 zXX~CrI=LFo?;f-NO&Q!zRe#OScvg8~Q0na~mBU&Jq!5ArjA(Fv~ziv2DC z{2k%)e(mDpVw@tqLDF2EL-?mndD@Y{YbaOT=;;xrQXCv$kx1Ct(JwWa!>NHf#QBh} zz++u}!;tXNPyYElr;hUvqBo7;lDVrXOSF%Ly5(8z@FN7MrC_UpvI{I8+P zaQBmjC-T>NlZu+sY0j1Bk!!*YN7l|4%zxM@XDQxZvJ5F-B7Z(z3!kRBy{`OXk_3*J zdJ44LQ}k_%0iZ69t={xWxz7zhcjA;Ugn4QyumgG4p%|R@SmP&u8h5^~nrQba|d^j2^ifj*F&DE>?ncuYZ8r?Ok_f>-1v7sQ? z_R!DZT>pXjm%EpLPx<`$$2@fE-besMr9)E?w^roqVzqz zgZ$RVTtr;DcTN_9rCdzOt?&C^Lpfmt5Zs310E-l0Lis&^^{Ur{$l0>y~|RJ2E5UGH{$&yEsE6J;-*IWUCMOw}i8tQWdJsR&nB=Z%V@44(CvXU2hMF;1NbRW>u$M^^qh?(dZ7vl(t<3 zj+&An!Lh=TPss`RG$dH@S&NsK5)92^8jy-GBmm0`#;s;FJ_rg|SAc;V=Oavly)jVWx#qiJ|i+?Rz-5>FXD z^?C90GhO^o2604o*f@4pOUtWpSei>A;xc!fSX+vbgbjVUQ%;2gTri{&u#kaa&mN@J z*ye2V%ak;)=?t38{v23eIuZPng3?B@MGxzsfQX%dH+)0B>5FZ5`1SuzXK_}Z3N`Cq z@J5k;{oEQ?&9s6n8~o8d1<1Slb~@R(SH98mS7YH5#^EwE#~pGFvU19J1ZFlowd z*w2ql-JLh6FPe_u*WBntg<`#bocvGe=V9n0duLydy{OQtaDD&ung2CZ9hkLg-Yh#b z3NZx2piLRY_enx011aAP5{WjkDa2XXxIL_YG>HdIPkp{fGqEx9*8RV)1W;kne!*0* z-(<+M`ge=wsmX4B4;Im`*hyIQ5K4ML}&Dlg9d$k*%9=={w(fLg-%x9O;R|7-I2w*ZYesITs(SFOGn1UsPrPA zyZf~eF+73<$E+$zsr(7?QWCm&`Lj&9=y#j4>G-l%YC<<#YHMZeOi4MoIPXV))o(G? z263`?wpuL+!^~^S75ovdpy=sRfmk`|G;KifpgZ*0^LLBp9YTKE1(4nwSjkU-)B-<_ zZmY7_Ee+Fc?Hj70*jat*yU2Zd-PpOxUtT%CZJ%2$&v?7jU}sGN zsO-U(T9)%WpF7H4Uq3&65yTLG$DvFNkGO?nR<-scD-y;UjNVTOoqh-qeNuEBU26}( z58)T1#zq~fy0PzG`51RMJ@sLznZ*9kCfm%-=fT%dZy~HrX4cZsAcWiHb-YZ-yRo|` zU%x)65#yLp{VVxp8M98$m5yqxw=})ul%)lLO5te)v9EOQTnD}p=ROyIpE0lhW)Ly1 zzug(IH}EY1zK)$R8O%|<*t|b6A4}nO7PUKg9DcU{{e8`hO4J}2_U}0a>Ak7Gy$q)Y zYxd(UsZrhR`pqJLy`)&>F9FjTdY_R7dShB@U3xV9%Zsn1^?q6?1c1P%2m}@P zKT*%XpkM}G8w;~83ME-OOu70kp5_x)gmlul;`NSno|ldjQ!iGi)Vty;Au#!Te|~*k z3zbF)se$qEZ#~BbUG|MFzuk*6x5-V{0j-(C3kC=~d)Mn=pFjkE8U%ipNpX)+0soOK zj15pABFch1o10+FJdpO>tQYF_stw&ddMhw#k@RG1!)IT_qVd411uM zU@S>sJ~$=Z6Ur0y4>p)z;X5BVU)axl`_?7>MYYzgrQ%iWcN7S$i9k~q0n*q?nbqcb$rJLpd5JY;!7xQ*!?h1^Dk$itWg3Gn7l5UntOQ%l7ip^ z=u(Cqo_Nt^JW>bF0)5Pfwr#%kx3FPXn?tN6OS_b``w`lIVv93RQYD-{{mMQrih#hG zw~e8(a>+6e(>?%2oL;49RFk@&_P*);)p>iYD+GXi%a(4J>7xLkJ+%duWvl}kw`4o%ABZ? z)_4Pl1}$YU*aQth4V*GSHw#as0fvLr^xyvp5qowE9g<9h@MrUi}&ov1@(j%!}2EW+`owX z|A+GC;iTwxt$AHKh}rtN-Q#8Pplhf{7>R4dUoi9tqf){>ZEyNLQ4e_K^nN{Y@=~RL zR(qqWYjYB|gNYBnM{^_?-BZ0hL>RPZ;tY;|0N=T9ygX4Yt4!AAVZ5N+nHz6`jnxDW z`^Ely%=PJ@K|0-EV=EriIDi>xaUh3@R`A*sVmr15d1&TqA-jztF$I9d%&UHDR#h!_=!e^a=kXtG$9LRd>i@?&L>^?#** zrAOgeOx*P7<={OyZ<6w>o7E0!Un&8Cqh-<5g`6=kJd`=Ku6AJ_co5w7V9#c=Y<;Q4 ze6Xtwi!M4zwcYGx*WE4{y1j50B%d~ob`~UC5W&@?ajdF{$z|n1)EsIjj)7J!zO`r% z`W)N@wJ;Os;<$hrX2x_`(14I zaj(6jjb2 (dCKRrCl?vn=gVaA$qsuTv=I_j#h?Kn_(d8R@i#fNCe*qcvWl{c@It z@qx?)4+1Q`EP(LnRaK=b8UOEws=1%#{=~2%E^X3L)6}ey`m*Y%WOi1}Z+ifw%VrE6Qt;_!?(s&Ys#KTe z;?VDiR2aP)^)$V|+p+itYvIR#kOGk^&YeS~@y3Cly-9xXQZ)!%u8*cJoM(bvLoGn8 z#cE2>IP^Q}zGQ_S2CEPM5Pc4!P4aM>gB0hES^1^a9yAyBYHGnj;5%Aq>cYG+TDi0e zporV=WA5_p9g&Lf&pRUbK5=E`{EZ@>;$!r?w)@7Y>c+C;`GweS5(tccHNam`pXww0 zI?xGQT3J4x$SoolmUt<#QX&$NsLtDs9n~DII@LgEOCSa!k2~C(J+EKPNZE-&%7DOk zFnmup(<0Is0Vh{wZhPm~-u*QJ914##p8O35&SK}yu{I}TR5j12P~-QCU10#!4mXA( z1KD4r5CS0D__JAHF|hc5!MNCLjk#ur0M;MP$SB3ljEB{W(anDKQx;~QimSk|XKDU| z`u{lGQce>Gf>bs)h1U9TyP!|Pb?Yo1d$h9?V-xKzuK7k1%$1arcN-H7>AUV%Rw#dr zrY@{FPfP+>(_H*e}8wwuc?owhG>)?8N*4W+jdoqlFDn>W6SU=~niu@+) zkH`QOOj9$h>H}HCTW)wzsyOpCO612~*o#*4M zl+S+YSTbnpLZ&rZg|s|CC~T9)ql%63;9f?zRG&*tp4l!hR^T_dDz3DRr)Pd#rai&l z^6MEU3i_u1Lzo@qf`^nzu?}wcSsFnqYCZmfHLx!CR!jSTB&nd4tYpqU4nG%9)-^Ef zS%SZyeqXM{YlIcZP-owCt|U8R>?Hi~>vmYir@YjhKc|17c6PNB{W9MsNsYEDvZII* zyte3yuQT+BGedWZfc*(#_Yi}6Pv6aE@ljUDBcZDg=mHNQX7+7|sW z`^9ZUngcLsA6n+Zk0Qr+c22EcJM-fk>}M->?_MK+r|6x9{55Y}h0~+t+4rMXbPO6N zyz#^oI?q60Qf6Z)k}@j*9Ib4;(DlYVK@`_E-u>aPc6M5VlUNuFxPLf4~xIYg` zDrIY$krChkP~zf1D_DUEq}*_7yV{NN*$OFTW7em=SEM*t1&v``Tz#=;et(kFGj~ju z{1y&>@C~fpL^iub3Yd`y_qo(uyyl^Nwn9|p*dJ^4)-1ok{crS<2v0azqhC9%#@CMN zC5l@$BDE{qgM+T2zTy^4Ls?wls7K(#h_K_JY9XYgQLru)3+vQ8QL(X-h8MrdPG4qu zExvE)0vHi#hB#JLp19+xX-SxbPV60)CvfI}+a&2T)j#1#j@0~X7s#4uLxr7JswiIZ z)aS;kxu2ymTH+uuDYr2cDV+BYq}(vAtai5appo+O6RiuUng0(q#i`=j63J_&s%B>1_F=^drAp7540%7<#A{ef*#&=7b`D zrnpp^9+8H?v8n?2Zpo%`0^Qu+Y3H}$I}o9;&Cy+TRh@RW8(8Z=0RssGWayFH998N0 zn32xD3^a?J0S7q3EtuXJt&T#7;9CCEgN|GrkOIj_e(*V?nddCb{i|hicdtFgNQ<^( zr$*1U&!0*!W=%pZDY)oMxfIUZlV5Fb2 zGw&CX$D}bC1ui83v;)>|npbxsMD;>BCxsfjDEziY?GnA8KM&#fn`Mr0E$M7rn-1|` zgh#t%H!g1_>`>^w1cB#BiUT_q7q|f?GIx*VS(k>rfJsU7-JW;vA8TX%LIyN4SWoMn zSs-xs`LRT*eBP^v{s?m%tEwM=rnYc3bCgx9Z%)@|-?>ptlKI{>YgSk^j8*bHg|PRr zapRNJH{x1@@h3J>*P|QT=@}95RDVHzNg+2P)(rF@1I>!}JYM5jJnlhkN#Rqhq?yc9 zA=E4J`6rdh6`OM#{g&K@0LYWc7&^qkOhF_sZM-ysT=kf&bvtUneMqW*8-eBb9sZ9| ziB4;saP*S0AJ>&~C2_2(ylpq=)#OmM*=K1fu|8W~Rz?b1Cou4ay@H$t2dJkg4qUB|;ebTz8t+s_?$s>^OzMpqZ-^Z|$;0Oq z##-qSFdAvmbn@5POj1kEqFivEZqP{Fk4w>f%Xp5kzzPHfeq6R+_A6)zOi z*i6re)fN*5`+f=f;o0lw`?I@`{qr*jY$?=VP~R?E|9;vUkUXA$99w_EvsbqeFe&D9 zGF&>O?ftLZEjGS9hY>oe$5NELE~)xSx*Z|0Xeo-~z>`I}Lb#eQD$8qeU^k4=cM~0H zw6Y|ran2qRft|_!9{s&*_AJOx@-SCN^_b?yCx!f(bSA`9Dpb4aOoN^RCXbjR>_{nC z#HBl(hd&lfn7rE55WX+DcYguPncL$F?k@@W@z+qQ#KnOpjJGaA5$u@V zQ?DCe^040O2B&gX&&h2D~vU;iuaX6$+Uk9a-fnZYN|WAw^FVDD0Y!7-MT!y*td%-wyEt9o+P zcFfh;1P~;r$2x}&rp8MYal#iDxkxeP;IRill5%M34HLCf4gdmic6IwrxBY5tb8kv$ z;_gxJOG_?)O)SIdz)*NC{BSs4?2O}qPu5~aip(mvH2^yQ>@PTWad+DeoXJ>hJ$X9D z<04e~$%`xNX-Eu~+ibL6z9Fy20{O7}GnWK23c>#h`4TjteUvz6_j^ic-)6IHb1n!n zpqu+Q@^M{nj^6a%DPTEk{B&ZH?m}@F2e{BfQ*ZcxB_0Za9uepIgm_5s?6n=-i1$@i zh#}{|%4&uhWig`l*ePH+IFYQnJ>MRZd=2FXD-JxtyK#YlbD=UUZWs+uAf-_e6Cg&xcWd?x-wfjAA`L#(ExC#UCvN)^0lcC&&+DK|68@&F)q4 zoqEEq(Q`9kww*74q_!b|3FlbK~Fk^&CR;?vmdvzTQlV0j4zaDhm zR7h`sfpug}Ipgj(20o)*!Q!tLy6P8PxB45}onOd+Wyp&IL-c*BbGUdNXT_?G=Dyg~ zxwW`FA2R%nHPId1>#9_g-muQ(^En%azJlsp2<#9K$EwP2YKss=OzdvDAMVunEnrfA z*mAZOLiVq1+rb0|Czf0H?zkN{8g7-fm!tlr$HLju*C$~=7wg#gjbT#zB)IS&-z=%= z39Psg#puFWJqE(`y*b~`VLK*$_YWlSEhAvi{(@=R55mY)yu6j*IWZHtS#LE$_>R58 z7z@Q>h!1~e;zU~f^mLqbdTNoSdygM~Bn{PWdc|3r*+)THGQI9;I32lptMa___bSgn zSc`rHHVb@3b~traH=-)T*vzs){g+bv_1=VaE!|cH42EFHGBi$(AXM zu45Hcj%%A>ul_@)ysMyy&h6gFD+&o5fX>Ghnu8C{WSI(wIjQniG=d@x>t+93F2i!) zqv>KVL=S{1PFw!T*?*i*VR|2)ThBd=?G z)PP&vT0JGCGAb#$+>4)b4aZ70-|{|hi#^veX^1o|`Il4@0;xKLjx=f) z`ia}P`s!P_X5lSH8TfmDLHz>Hj!J4kigI^vYWG3IZ)L85B|n`%1|WmEJDy7%G1pAF zjf;OU!u`mD3q;};Ow%KcHXcIPL>mMTw<5*PJZf`TbR6$tYgl#`wUds2nChUKHlckR zvDK~RfEX)02oadk7)p^l{OD64`jBfqk|lhs+RyE9vCBERP>!$-3rZtu&?R9E6cwq- zUgaU)vpw(OKSx#1J#s#*tJGjN;C6{|*@lw+SPxZ~^gWW7Q`DO~Gey`Jg}62t@DAa<@rL$u>BD95oybJiDd?1G5@K zDTIj|5wg6xQ@$qk)Xf-QjyiHC|nt&<%qVOIa~#UC>7!V<_^B zx}#VDIOwXnyMvAtJIL}{e4GcJllK2hZOtIckgtkYl;yxT>{Ui?A$mK^q(W7+LugjE!K!CzH-D6rpFzz5 z$EqrrLfcb|c-Y(BX6`wI+Xi7*UA2M@oB|t#F`$j4yQ~Ls6h|!*EUsD@j^JVbf*7!H z#{*T8ctP&b-3&HleOzzQXi>TerCYG7QLeM`abY} zFwC-(_YAA~{ns6_09*5+@c`=E<+6s-weRc|D1C4&sNhLiU+iUJM)sy zehca-5=EjN{~iiO*Qy@Y#mAa;yRj))bD>4A`gAHm`l zb6q|=m62r2*Pg@vx+<^bY;AQ=eVb6BL{;6Tlv?D)f%%Ru^N*QOZjT#pdbG90dQDcA z-AEZhX5Edz$2y%SP#b2~DYS;$Xw@7jg)E{nl}X!w0S4`3cuGJV^jo_+Qcy{YIr)nP z$Qk=1-+w7`*$>3o%~9^ZnB4h&dOOAz`kg2@+h0&$aFsoO1wyIp_*RF9(>K#I8P0&U z;2tO?L5i`pnBw&P2t}1v5y^i@<-_d{e}9>}FW2xp$A(Vh)lLTrTUENC_!5H_5)bGn zUDQv1ep%G0AnOI^9;8_UgZ5hax!&w-#cc-ymKd~Fu_AjCW-n2er69^btaWL$ufU)^8FyhnJAJX^1wDz}W0X~kZ$ABh zeC%~BN(e-BKalw6K}xL4ij$9x4^_rJ(}!vFm}P94ci1_3p9V~Jcb^L8sq$2P{>pV* z5UUX;T-x|E6RU~>K=Mu2J1P8kAB+73^R0M;?YqwAZJSIcozr@S`OY1Er3H~V2 z!8O#`mx;R`$%+*Gc@#!_Zj@hM_>=9l!lglnr^(ddZ6e6>ELdi|WwXO;(O|Zv!Uzo9Q5r&++cR_#>a}6^e=Oj66?&Ara#k zxzS6nb`Qs@3QDe}phX;4W1|@+-O;-|+4D(07vG|IgoljMPjt>|t%SrGEFpaW`j`luA%rG-3r9w9iATosv;h zIe1Urw3})BtS`1NMz#rA{_B`ry!LY*kvYF^Ru4(474_b_Eds<47YF8RiZE&Lp~5x< zFk9oS^39|7EDPgWC3hpR7sv2u^!+m1H{zWOZS@zgc@9ha)ub5SDgU{DZflqU5($es zx2bRVc5FfIwCcDrvHvHYTaFgXH@YF&vmo!+{l?%bHDEHeizQps3PfpCQnXb}_>e1~ zkTcJarR_D=h7XK?rs#aZ8@ajMePEX7;45vKP~|VEKZ8r^n}s`}f8-tJW^DY3^Xtcwt{;rH}=?n_y0?2LU&I(Or3X! z>mRwK)s9CdXAy08b#SbzOchzSKH?uH^xq8V@2z*rpP<;m-rH#!8SfW96p{Nf_4%;0 zf91lst(X{-ELk%cKeFw zR1vO>V^wu$m3ifV8sKMeg4ZO&j7be*2qXDOtnQ_ar`mS;Ltk*yR&0;Ml5al*-r#FD zF&QGJk;tj)SA>+z{19=`#r>7afFJ)#<$HJbSSced#7Jk~w17O43v~y#V7j*;G4~(v zn82AOh7e}!N#n`H*4yCQTPr&`0--Os3w`RXUw1_?qMC7k3#N&A(zfzBc%S_qA|Qze zEv%aO9 zSWAH!i|5-ex#OYoRZ&%SOCyhD|I1)Lck$7dZj=l&3WuR<{U|qQ#pkvZHs6tAvQ5ZH zch?P~Z~5Lt=Ry zG&T49%A5L{alFj2YuEg*J(Rhp33T%uSM$+FVUp^9$I%=7SRaugb+;PWjlV8Uap7=O z#Bet_3Bt%^42{*S2GPh(O;8PCi2j(AkWg}ykN(%z$NMFiHBzFB`{mQ0G~`Sln^-bFcs3Z{GWV&t2^&d#aJqZ6%^ zKfO?Y=L`)~R*#xay|Khz)2k&0`{-D1KA0JaIScZe(7ZX{dOzhmRJ(~uPZWhj8n>2o z#v6X-rWH3cb{V~Aj`iUxpn+3xHP>&dzoBZK-U(m>Yd2-7G4Wj|(XO+2JUC>twd$j6 zSxiT?{O3YJ9YmWbAbgmXD0o(Z7yID(4G&^}c?~o*cW2F;nqFY`bGe1j`1QtfyVY~; z<*En(Hz zyNh(N(wOL2LE=N>;bWnUJ3-=*Og3X^togW%!E+3vjKHiJ`TR_)hJg{A6v6DpmKRTd z%WRoZ$oCRd<;YBBI1!Fjl?;^WhdglLV{ek}X0sK7iRO>1rkU3x|DI(8qd)YW1a#Nv z^j*x4rON$3!5U!fedT=5eh;ya-*|`hikIY+yfb4;O;5H${6y#5d)DbafGmpQKn|Zb zAWGG=i>+?FR9gNlzwY1pvwN@KV(S5ab&zf19eAHT<>^yDnOpOC|FM(i)KdKYFAstW zmWL!2iqh-hTmaTm;g)_K{HxxSN5>88KBBc^zo9rl7Fls1hs|>kxu)^#v|!|7;LYj_ zmvy=q`@!W{VmKhob{a;+x5Gu3GE9U?5pXRWt13+nmW_|lAL9~&J3SE$2UKEzEm{>+ zbJ#vAIIpjw-sPf>1FoLCAaL|!G<9Kl7Lm3ZN}XmhRQ%3dn@`gRt$SXwBUlEn0Ui6D z-F)X>MFo|`{{k$3bVC%Kc`{*u(WZdj zX+Mm$%wJGHKA)lT_08+Ai)krzQ$8I-Pm8|@m-1Q(p^?1EBR=ICopKgJfPG(Kwjm4*pGbC4UO;h zd;Z;IU<2>wJSzMuLdZ_b(^MTDK$tAU(iXu5{(!avd zL+VO)KF7;7Pf-|&&Wy>A-$nv&Algk#k9nsb>rGAN`FsfqELc_@m8==zx-ItCHTV(( z&69}(jQp}!%PVgq(vpCGLHqfFklYtgYstF1hs_a!XE7%fxa(xk|5YOo*qlE zxCSoYctb3&gr?>$c>(!6f~kI>l6n}t_Z--^XXUkA@k4p$*5+ve(DKKdNhD@nyfc%-> zLCuE`2LLkkNUq}Kp6lNV&yOP4XC1MbBZCYZJx%HQAE{2C9|;5oPT-I6?Va4C`PT!D z0jVT+2h5stvrdjL)G{>yjX-k0pm#*Yfr{ChKq!3c$BPpJXg!6yb=MTw;P!*R+B=b~ z`f#9;&S7MDT$S=abi{>sf6edT-^4Z4KMhF>rMJQECcLPe1;XXC=%sd}&RPNO0Qp!1 zKQL(jJz61+2;?h%#E)5YUbph?f9ObYdX-}61SvJjb;IClDmYeEj)StA_iziTPPi~j zA~M_w4>A?_~x(>173XI(_T>abZ*tkuV!+fFUtlDWBuSS zs1FID&rHKqyCLEne{*eTGK<@3_5W3#4~x_fK5n^&`L_7`Up!@M{zGdj{E)x%VJv|Z zi!`zg3z`sV%ss!xr+4-El{;#~PC^)box#!SXzIeZT0|O3s4TBVbI-EtjaB=fO8HJ? z2C=G$1O9p7%XWAziS5h<581r-e_UO8IMiPk=i8_;dTJ2Lmu?{fJAX@SM9W)(6fGN_@g{41y^m>GeC~9C4AjVL2{HJQ`GPME`&J;Ojkras zP`2QoJozN2^!=Rs<9%5ovEpp6OZQXi6W|RL=+WEeuu%#c_XiF4;)l`I!oH5R1*imt zOp-j74$~-tJS6n@FM2nT!L*df9WWyLifUIVk`v^)I^T-nYkw7bD;fXcZ0Sei$VoP& z=qHN-;~)Pg#j|atV#HPV#Lq&yn6yfvpVB-;ag?Q-(Ggfqod9|e+`>^y0OjE2 zeSf0L7A1?gwOmw4_bgCz%b{vIqU_Hmi(LLcA^KjPoF&R$&U+h9Fapv6OT*@jn*xGP4+tO*i z@^&9o-jeiehzp_>j*vNF+v3x^oQ-;`I0L%PZwWEz_y!h8z$TnfEg)`iF>Lm|>kDtv z20AzOEA&BpnvsMxv<(1-1VcU+m)B6ygT! zrhkU1vlS*(N#1t}+x(WJ4Qu2w;_e*u*2Wyiu{aU4{X?~f3LzLOBp zw04>tu%XQh6fjZzPOEEK9VB|lRI~rizkf^-(u9@MiDH|2r|3^TqW?_G`xz-_dW(t^ zZ3nDA)oj`}4)@-3p<)Z`VP7G+4QPfB96^+Xz=m)a0ivm68FL=eQEO_Uq{=SZ61BUf zD1Y`Zhz6o}w;DDhs#kbGLLO0|k_5j+a2m$v?<&&1DRHst>9wDjwJ_Zc{fDXa$$zuK zMD;cdOL+#8q4FsWYhtoF#whs-IX^nLyT13}QG@WmOeGs3EQtFfr2H78j~b~T2`=MO zSl)YLy@e?CTtP1mQgU+=-!k&S|4uDY+v{9 z(4U8OVvuDf3Vm=$=fwY6day~*p?@qin^J=RmY@6GWlo|f+J?n${cGtzoF23hWj-sA zO!cq)9yHuLTr?=f{(tgY8bHLSL8>4O^QUfBl0=t)90_c?D!St+DK7@PO$b=u-h=tx zBijO-u4>~SVqVB|J-$eCVfcp_HPM2$K&k`U6UUJhfZ)@*)Ht6z-G<;rIe%=9l!A1+ z-EviQCrwvgOY z_{k~g7vp25lNfi$(x=W+_Hk(+Ym&j;dc%>p#atuQAEa^q<>4V{2yZ(J_rROV~cOL_gWY6X zF#M!F1|dkGP(HJ9O#|Y)9C;A}{zrs0(R84WMOxnK<8{ffpd2A2|;q(E1oy!Xpur<3$cLz6iH>G9mez>=@ zqs`CGPL?mK6Mv+8=okEm@^M2VpfHHozTKq}EpgoBPsNSc+BryA|HZhqtz*WcP#9$W zhuoROeg=>2mV_O#dsQsucRy+#r&k=1UCZX)f=W|P3yU4?(7$D=i!!S#R!a6QnDkwJ z=6gq4aTs*_k|o4oW(6$t8Vea0uHSwf?!6ar&*a8G#D98NOsR>)aC|2Mh!&}XWz0!* zrPjNNGT~WoBd+QXXySYtoOoP}p@^MJq9v{x>dXo0=Ucg`Wl!#a(T-C_yaV}OTlX@u z$cfIiD7V$m*oYGRbFQ0{XgM^ij9mOIC)J7P`cJBbtq{#=A`%N@8Rz(i*bhfv;gz+w zVw=iSgMX}rIuq)tT|f`wlTak?2BnP5Y!6zvx4t*>r_5DdFO}G1^G|gga)?eJL6^vj z`Kb^s@-ac(1w!vbc(uHA?)#J|Rqi{@?w|ihWdz_(l;Zx_OXUwwL&_;%8)F%Bx_(ic z@}lBmWnzgc>ot&J$du(G;R>*jrE%-k-KsAu5`X{46;ghr>8fFQ9zObCUGYqfyn0}I z+IQJ&cK_V}vGg_DOBRog;@jhy9HRS&%2GSpL?k@4S~$n&gW~_OblF$cWXXtKXZvhx zxs+90{jnd=!?k`6AgM)O>yX`~J1@DS z8vmmf$B-+H;jmAye+&Oia5`qJ)z4`R{p@UrTO{PFf9uL9wV>>S(|{3i;o`MQvBx#_ zNyl$#p40ZZdJ}ka*ygzw88k~nN%D+0Ab)exTX%bmuHe^|TbUt0`CeYsdP)f11}fgp zponCtbKd&(36=6=p{t$jI>%NRsF0Q48WNqGyEkcRplPs_{Er~phdSpa=0(+2vo?ey z`gs315L&~f(J-|DtEJFWVUiN&k@aujj6e_KLD#L<*Fi!o&X1OY*>$!>-84>joPY1& zI(AlXFs|-t*RSAf4Z^qX6P4CMpjC7g2<1hr_c>9doEP~d@7Zbb_X%4D?H4UX#-FUk zF^pVWF8imtaGC=#Fri8;9Qk>zt6pbRNcf{QKf?`cA~l6H3tFP@_)|rbkzAd`(JG{^ z5pdn#_9#ODb`4i~Pgda#Ru{s0Ie$eiMg=0pOc`BiY@jGx`auS7tNPdb_gqe%dT{yy zDMj$78r-Z7C+@MTd@b%UP77E<4Ej63g71m#KKSoZe0$RAXZ~@-v>2N)ZsM{7o0dgl zk(czw?ZVAe$D!G3oz1>aY@QdP1a(}>8$qpM}EZ8 z(}vt+;4sy$;}9F?KO7AkZVe2#1?4bb{{M=nIj-@Jh4{5KbDW#1uhCZQ-#q0q?4mbU z-wEWhxm_n3q6i@xm0Yt5sTQNn1MSqKl;=I~!^)bhF z$QTCv&#>9>GZhRN$CXbpPLz~?45Q1pB8#wy?X9RJ5qZQDP@gHw7e!(jMk#2R%Jj-g z`QJ8p9+e#FDa5+*lfaj^^Rn=_|Ep2=>dQDhspmrEueukS+&F&zT@UPNE;L+aF2(0M z96(F%PG}rgB)(CG4S(Vz{$qcI{h^Rm;~M;oB*44G4Do^FljR9V&i}84OO>UaXAz-n z?z@unSHT!=jaoM87l8x`{3AL^&&epl#$2e_GQ15`NbSNy8&b!a6(}UEe4=kH|vxd&*AK%f@6R=c#U=5Ce5CNjg6c<2^!j=$&ea7I+iC7=D zL8!N9{cGQmqJIJnwqY#tWlGmTSuLlOzxvZIGO z{>Kf5vnB^h|3~Mtuj*TJj#pT(*?rx=?nq$y#5&+r`hQY<0L%EHwk)uWIlE#scO_A^ zUiUA+4zD{AW*m1(3MNDK^Ca0YQkj)c;_}IS*cAavD#IFXQ<--LdX_u?sh@nI22?^b zGv%pPIF23Q)zS9^cFrdDGnCtY)I2sl4oKqkwV~pQ$P4c`ffGuJ1FLs5zndTD52>X< z(hv(nVSmcdPJDaJ2+O{djjyf+e zONIT@ohzsjAaun%Fkg5F^Il#`-2rA>ZUAF4thY;|tO^ZNauo}=Cv8SPEFAVup z6BkfQj(c$K$#Q-8;`ETpR32;;kauTGM{QGc8<^P(hUfyr^jGvg(EK7XrN zqy;6ELn*k6xKHdK%H+3%7<4x_3V5Jef_f8p@*#pl(!yKcj%#R8bIaD82BRr>@1oQf zQSWgwSQHW|W(p|MSg9Sg>^LUZbG29Qhrb!(aQM?9Ic&bCoyOi?yQl2^Zt6oa|2onX ztgDA*%*l+2F`xrIVjk&LiN1xK-hWca)N+@C{z>aac8b&#QbSK^UN~Q7W3737pMwM< zTT6xrYl3Kn&-C#eXNbCLxS1~_jaNaX_;`v<1N5nn3aObu4?-^+U7iUeKzv3%5z4N8 z#>M!YPQ8o@X7F*Y5s@hM`T_97Sshp5>KD>4ymB$>4N}b1ih}kLFY5DvQhz*uJ_Id= z5!8Kk3}3ab5L}8)5}BF2)8<-8A?nHBY>Bg&-}_k4f7z-gB}>cen63B3N6%>5)L9>O z`z|&HkMyGm#H^gUu_++@aPeMdJ=fCr^0M(KFVy~6hr4^vrT8E644Z8G9u}{RE7(96 z^hm@ML66S+p{hAvVO_`fvwt}X|1`XP#L{uLHC^2=>FfO%xO+YN2|*g4^)&{sgM6Uy{fYSY>J=23?SHG}cK9P%2nMg6y%otiXD7i&!!hgLSPoG+s>-~Rl zT?pmwqXuD@Fu!W2WwFn6JA6?Zg%s$~Of!q0+`@VP#eFKW*;oC%*@_YR+Xl5$H?G)L zyV*;194vj0h-%?@0NjEY)^Hn%U$3M7{adcnsW087JdATh#PWNItn83;!p$@iMSF1K z^fkw|mTNyOjG27oXMa8`ov8PRgUB5)V7=IT{eXPJRoHA(-}>7~v})PRd!9e|ztHcC zlz0|awlg<^$XXs!%=B9=ttSy9r>xt|ZGU-tK>tzp<1Nw&BX%0Ld@-W%ty(jPc|aBn zeF3wCFuZGgtY%{QJy71(=R(3(d@N>P& zXie*7E&bJFBSZ#E)R7$wD4soJ%Mi;bG&)8p8-Z;v%$;->I92uQ$Fk4g=Kh(=+iz{F zx~`XbI`6g!)`+wuCD=0`_4SX?gypO)X;S5Ub zRP4#wbJH{`=2%9dEt=aff9z=IsmJ9pLn1yqec<`yD`5Bxa8Kf(WiCMv_iaNiy-eei zx#u$Ni;I>JhU~Ewbv@jvdzH!SwR77H3to=GAoM7| zw#oxtbAQ~ZQSp7BD`opZw8A;w_l_~17C9=b&bNs`?DLiazm_K-^e;+D-BnH7R!@CK ziVE!gQY8LXm4apOvg65KW}rr*oQ~KYs}1xZV))ao`33Xr+R)64_lwnr#52E{{ppUS z04X_bXMGk6!X^YX@oV|~L(9GHzsh-^$K}ZZBY!K+{yRFCN-!kJUpeeps!!nD3k~uq zDk$Sr3aEbx|3u(UPoqKCBz1!wEj8R;?ey8FP_eM=4<7$WQR-DH>~&z_ABmRgsJb_^ z`6{OjNBN8{FObT_GdP`RY3|#p$K~&a^4IGF*Fr8?{b_CPJ{9}Mzy(~MKNox+!l4T2 z5q~1AvEnbCyQnK~11H@T%53_!B?JcPv`O%l>k=-sekFXivncXb>4HBGR3FPI^l+Lx zIT@Q)IzO zxGt5&&c97D{Pg^|b_2U?+xr@K&%SbvEq-sDY=~VE=suShn04RGMo*8B+q_-WW7*B= zHIOm*tD72Th8nrFWwUfe%wk)iw=&_;e~KC~3{uQ=>133z72xtzy>&D5jBoG!D}P~4 zbjLUDV{DGOyGv1B*X2FElf_EzEBVpTh};3w7^`m;bB+MpiCf$*N+R~87d<=fNe_n1 zNfvSA!xDt|Li^j~x;;4ldr$TD=*7(yVq@kAl{DULT)ZmoFYYqF!gsbM{Lf}=bsYTn zkvwLBs)0I#u+3U3!HOA5nF`#nw}0>)&P`Tir)WkjAdEzA8Zsz7-j6$BU%BSMmJvtb z4v7>?WQ9e&!QwADZkhL0FV4vCuG*Gr@aR7rrTO#rrF`73>Tb#zxztJ3g8-Isf&O#< zJby{5E1LAWTjsF8Fs(NOI)1~@LHDN82R(f?2tLml>5xL7^l0dqVlp=MKYxp+<<_T7 zp`m{NJSTdO?OY9dqu~N3pnd+LfJ88eCNGdm_u*%KC0wwF+b?(9vR^Y_Ml#jTsyrh( z$Q-zv<|a0JDqh0{EK`M_n(i^10D-$e=+Up_s5Ow1(8jg!ugyk^p+0=BOLPQ%$b`kqf4%) zU@Kp-T{QEoriEET(ocau^0cqsX^Z(#nYh@(vYV5lv1k7GlOAJ0Li0C+H*ZVa{`&ZS zg>g8H381Dxk8$$?vt zwY4V}`}hPQfd_$i<;fi+ zec&)Xl=A%%{kBkwB*Sgnyp`pnV-IqlN%fMbEPC zOUrtB{m~o8Hs;%fOJk&se&owroLK1Z?NLs?;WB0JB8{-OIDCwH0JDT_o@L%g!Hoff z$UXf9H;*NzI;RJkSv~JbXZ@qlW$zl3YUTF9>5*&8Wrq^lHN!G$@IX}zaV5{sPWr~3 zs#+d3D&`_SMt?k9M{^G2)vrffc5wISD@uCPdJxz<3@J8Pmx?z4X;Z(c^m$06C(OF> zbDTw4hwrQ8pSaw$uVFK?AxB&IIVh{K%A)9_3__Lsw(DO1jmVZknTyEP0%oj{U_3}7wlIu7u zd|tN|&B=wIP(hKQs;CTWra{01s`ARQ65>N$^SqH2``L6;_X_Q5}TrCO0|GbIEIqlY6o0{$H{mDe>6p? zWF%LE*30_?M#{$fCPf$w9+EcOMZAvj#-VxkcqWHpJWsqxAwwMqSwc2P#CH9FTaeQx z2THQJ8@SEN!kOn>SweQC=*a=(3VMm)u|}HP}|S4v*M<0*>R zhIHGqWbqXeVO6QkwRFcb^d6uVk{7OjsG|4AH7EIw6cu=XGVItBcK_=!a|bQPcaWlF zWZ{vi7sA7nn}Os(U=%2Bucw8f_&HD0Fi<|FVU5k|V=>fY2qBCQI=M+ymai>8 zj(^qD{ljCj5u)mWXfZa$pyJIDi|m$=O?mh(CyI+=_sYG6(X^-IbewIoa|QmZYIes{RP*yJ^){01i+7Ks!yWfj|m^1g-Jx=q%k& zln@eh3|isyvlKJ&?fxUuc57R*Z0jF~Pk)T@z;S+H!9XS$!>st$_r>^PY1mw*3g z;7UzBxJ-#*m27jVTQ*H)a$cQHWJ?~UE`b9E$^hsvGQTWTk`nSx|U*s zhku6fACD?}4^+yclS{sC#Cv*a&fWgH_U$4Z_lg2ND)+O_k2~rOR_tDtS(|`7zT$*Z z;;g77&8#~qy8oh;^qg$3t&wB$&O`I;neeO&Tj(j?M8dBCJ&0P#YtP}gK!3i)6LIV1 zD?`%0swTH?^PT=fwx*}*ZYElpke;d^QvEY%;g;pk$}QqD_eSjNnM?YlWep%txtS8@ z-REhIo*;2nW3&8BNDvw78wfoL`S1ja5&?HrzMg5kWAS+^dvVzHl)>wFudPUZQXhHq zo-CTKTFU~x;XB3WW`*tpAb(FjOGvLOZydFX60SIuHD{`J(cGddN-dY_D1qWl!3t09 zcgYw*YH`(%v;DHh;necoN|HbvUW7 z!ISv9s6S{nCO40R1D<-B+yV2Am*r-v4A3Ts$xZI9@^VT*-0{fdJ04v{0~DU+tMr^J zR(rV)E-znO=CZ$}0)QS<8P@ztbKyj-K$?eS3kfS70M*S_0VkB=@lcl(Y@(S?ShOod zaHKfZ`#BvoIiLtJtbd{VJS_-t6Vi2;=@%}u%z*#MK7LU8wzm55oUWHpcf@2%^{M)6 z#Ib~4o~5rc3SpGc`b(COxVNq0pxc+0zL%HHCZ6ygG2eMI8j!vbQ~JZ7lpnlSvfNyr z_Zip$vB7554xZOWzD`R9*x{*nfF4BnOIIOO52Sfe>Rqc8c7NW_eBH_+^!GH$_;o?% zMjIcezi6Opz3!)LKXRslMVVk3g(Q-gC|?`np7eeugn%ht=A^ zob}Xl)9``S(tlrC*G@&qyC z3B_l>F^KPtd1>u3A7%S3FSBQ$5NKYYz>WVd5d2WH|9?(E+tu~-gZjCFMq_hlQkT22 z@MY_5v2{(;YEArJhecs!6bB5R$_Mly)bDOUflD+Qdyl=A;*X|Yxq3T7 z#Uz*e^M4z&b!P3`H$sS$G!1LSRQp}PUsX~!1QyoMo~qV7e|c7Swecrbd_m%U%}@M24~sMB(@hV6pHBS36eJ4 zL)EpRoc4X2;wkgM;I{FK=zgfL2`MCC&>MZ&?JBLa|JV`B8se(Y#P?ACT zmVXjEr~ZV3(8EO+T-R{^IXz|&_^Kk7F^8|2^+swpP-x*6DKmC1W~Vuc*4XS;8>#m7 z)!cHd=dNOlL3CS*+Yi_5+)rRI)Gh}pX6jNQ8x9Wz*;g&FdVJ^O->lX-S(JffC1r-Z zq3||kSqaVG23_8CTg)jQ+Of&>r%)FmhJQ6;)B_*DUo~*J&pr%=DJ&k1eEgfAyrznB z!jeg;mt6&R&g@l40-7Ubb!aq2de|Ag{_7k$InY8lK{>_g)OJbOHrqYkl~f(wg-svC zy;=L;4S%$>`($SGaP`_Q`_ZOLkz%Hu4YE=2P|*GPwW-(?e(SCQgq>cf{U3v*r+*S0 zk*JD7HL~wVD2AH+9H;!Mf@RE6Tw+yCodybpzm`7kic^2f1q!J1fo`Po0UyLGnYHfx_BvkUL=L$GonhVkyfjwm-cO48~3E)(L-ie1BlXE=#(~Y_~*( z2kGzVVcuUHzB@be5K+RciG=^8K#w+>voBNIJ;S1OyoBxL%Q8GT@KS|s{SG(76G^3H z-hjiF!#TQ`eYYULoDIhZHW{DKgQ0fskYc7(%d!b@0SeZ)q8Q>7SD%5Mhu6x}VhYzD zk^=ZWkp8>{vv-HU<$pa}2D$b({8BMwsMjF$sCH(oA>}zTPRTcHg`FKV& z7vQE@mWhq#!{4b)e8**W=`@f{FskgTbXvQ3;^7Xfg5fXgT5bz$3fmi9`ok?5YO5@r zK~j)HerBT~P9pVY1Q#48OYVSKv%hEsC?57X$>>^cyQ%M7zklQEd^{BV7f>jlU*Xt+ z1cE-{l*0#h&6^zf$^M?t=>UpImU_~#+aTT!#+n6e?1w4alWoukhjT z#8n*BcABM!2t}`gp(@%~Mxlm$$^`fwpvruy0H<>YHGN>$f$UFVV$frpI<_qC_U_JK zovM&T8VmF7CV%~y4i`!&?^~pp=}&$RRzRK3(8ux?iZ<{=nj_m#*S5!b(#FYwd*Wxs zdg-{^i|5gf$`azKw+TGoB6q-WHC?m=C?NQ*$oKcr{ZhS=WvK;a1=tzM5R$m8QKDw) zewQa_DbA==N0!=di>c?N)=|T>?vp!UL=2Q4f)dy--+zB4KfkMs>Kv^PU%dL^VKV9S z19oB9_QG6xNk*y64L+}MzSlaGf3b@K(ywWnUK=x|)xHB5L~O4tN8F>JufId`cWIQ& zaz0pV!!AQZ=_#)dmHj`5{`?G(&YqG;(bmR^gU4Cv2Ae_$Kdc%>Tl{sR&yIh*db$CiSF#(|;s>$3UK* zrQ!aytvQ=&Ri&71$zU?n4A`(nFFjU-T`L{?J-a4^MJ`eNULEFI=-5-z`J)B>aC#tG zLVqW4*aISYOsQn@t* z+UM$>wVd1M;fj6X66wY)@LsYN22b?|dJuGinXkcJoCI7L!g4clgMh_9zwr8NGPrxs zrL;mT3Ul*q_wkuu)&NMGAumw1!heiMD-ZiaAuE*SW@1nAJo?wpB!ekW9SKm*(0{)v z_DZ;uZHTIz_j$@PqVHzI3`fFkDA1$)CdR?k^_K{Mvo?ZLqs(>8%}32?A@B+3kwt+~ z{k<+`@(X~A@fRSndEc2ce=TzwaD$GKoB$5opPk&`tqgPV;m@`T!@DVp07J?KreSN#>6Acgcb9$UpP?*+Tat92A!N49gLwEU; znAL5j%VUE+Jo4yb@dXmLv}WjY^`7OfX?yVf8SQQ}HPdjbIm8VLgWkb13R!jkQcH~k z>aIm}Jyog>%2fJz5c;!tGan>GO0>@LE)`tpm9Q$J^u0gt6qUGeO@Gfao>>ujd|6G+ z3&(Z;(xgbqVtl=yX!eSVHYVgt*WiSh0k#LC`ravUUmL*jQ5;ire~Dzv+O2C=d~%ODs+ zKseCEGHS3vVN05zr_2N1cfC?@C-gZxazE$De_cuWz0*drw^EAOMH51_QEC>gZYy{1 zv-MfmADW*g1HORJqgLG}MW7W*88JVVr3+ctr$^+rRu+;Mynhv)kH_^$94Wpx_3lOd z7hxffuM*q{2sr@S_ak?}9He|ZV29%l&h_~|d1dj!q5bt%v8&&%{LtRF)jwv0j#`1t4 z%6u&y$vF9K7;`rZ;eN6wl<4 z&4hgvA&r{66uLt)0yg2L)|oh_tEG|~Teb2B?oSS4$$!X!6kbcnX0XgYCpmDSjurkc z_GoNQes{Gj!fD5;Z(o=sKOxj5<(^*Ods)t%suQpF_)X2Sr|$z_DA1!;y%rlF5y-Cn za8k5#PT-`R^|qKS+q$*jizbqLWaHG@;oqp%IVt|+Nw7D5HFTGMumb1|iIrbc9g{h42Mf>Bs-912|x3V7-%#Cj-%q{O5*BPBzyu$;1!EXs+ zC|p^&7-fK4E^z~;R4~TvBdMnnW>&=0j+jOfHL5e8)yE|91th;!9Lm~b4+8%wtN25@ zI@|EN3C4LwR3|f}vmn>90#2 z7qudh7B3urlU=i_Ntyi|aTE_w^?;wz>Q3Mp{_3*_E$@Rk+~Ni)p&1rf#vES-9w?Yc zYp1b`YG4P%_Kh*lcit(wYhUOVCgeV z)W-n!75Sm?||>KehR^-jO#S#$XPf@XJVM0iiHzV+qR zzlu@LAo~$6t({dY?t`I1r=QEORpZ$TX}nSX*ys%u7MH+1~KFX zQVo-J@I+Z)GkV+auD#zV=w&ucsFGRWI)82r{wZA-XD9YV+{>YxDw^?j4hVepHkL8x zPJS!5mItaP{p=ds^7Ft5>FTppcXuh$OEvT>qq&YAjd$@O%Ey1}-K)Idjj*@dHVBhh zyg9Xet!aV)Ee>xK$$>43VdHgg1s>L*syux3?k{H^Qr7^kVQceE0waHW(Zc%qY=16Q z0K_O{3F$>xorP)LMfImZ&Mw|{{`c_#E8<=qeIDY&VT&FXMjwsqalj--CQF5&j> zPS>ff>(zB1mD2sj@l+12>kLhlATShPh7?QGfWcGEQD5F3^!z5T-%{wUG{H<-u%5PVLQSHQ>A%xN&5)l+~&x0 z-z?8e@TIVT#Ypc-UxciMKYx3vX28S_$5D|xVuX2jpOc{~shaz)RSq`62CD83w!Q5? zyIG+!e3TP@TLg8}01Es%2j?lo` zsZeGu1H!BxPfH9Gi+}tEo~iaNf(g1yrof>oU|bM+os0s%~=7hW#}Pdn(I(R>8IW zIT<-1OWhtg8~m~t3TxLvEv0-lh}ge-vWZh6Y+&h*X4aVNk$)T5r?BrSf3Wuog^dba z^_hnql!cxKe-}uFFgQ8hRDz`gA9}0esv!-~(VeQ%h09V&T;GnOlqYwd_u~8gLR-TF zYuIJirZ?s>KSC*?uyz4*M~u0%#}#sbhk+2tw#N4_2);b+T!TrGD3nMp=Q2Oa^Cpa7 zgXwb#U*wBc8h_w8iC4M5<@%GR8aSQ;AS;IUz|e{tW1LaSs4eL-DXn^5;B8!Ysp z9)rr?4@+vEyzN6n>jTpg#v9f!Ej=G&%uHU8>#_&{0gn6m$^~$s$yCe6X41VTxUblNq0I$vScCE(D&F!k=^sPJPfn?-BI!7wR zjo))v6^RW7?QeG06&Q(MuvvPux=}bMcjwCP(Z|;6-(p)Qvjb+ToRVIJ!!a|LooH{C zgTNEoaDOJDI2+olC{ysW^i!r%+oyh_6T?IvuEflnIhMRRPZ}t!!QbBDF;NtJ0*%P0 z#^j9d_O!;nqOYYQoQWBrACdmZjtT_!&cwtfWW4(v%_d}PxPKcn_;Q#zH=i^`N-%r zKr*rH1_euz)-pD3Lm@7 z5r1I}U~<-pS#qX~!lKzaem_e!`Pw7)-6%40z=ozhP=FTQLIYb8Mg?T=2=W$~Y7Jj` zU}<7ITLr;69T8^*B}gYc+Q<0CIt2Phx~{)j_4i;+3p`H=RZ)gB2_+dfK7%&{t_~x7 z_-n%BYbgnSe$A`bk1n;baiG%3r}Ec!Hh;nxPE)Ww`j!@Lk?HS8L;Mg#KjIgCkq-dc z=WG8t%3@L6Z z^651g)kpE|!->pHO#!^WaMN1Nt1I`NQqJ#ug|Z#_y0zaQTh@()Xu{}XZ#kS5lz&(U zLt#-BNO9ARNhK~VQ`D0Bt)@yrij!fxvE28aHznd}4<#-)u+yMeXlqk)<8qH`sBg-v zpX_P?NSn4jP&NDg3Olp_i|VO}i`-6*v4{nF!}gYkIm@h)>8uVj6Gi&IpXKWz+b#vB zOy?bz-mE6{pJnjqX-FbNK_GTDdVkQ7c2Ed!d)}x*XjK@+w*VazX_FAifupC0WAxw_ zSfo;myV<$Gx0SA@gR3{5fWRLGQz3DWU4JRTZlDkXgI?+8ul78%aGd*hTa$){%&1#W zu^)aj`WxigDMMMwdv?`vyg$K+xt~B z{P-76f<8rtt7=7ur~DBL;g#<%tdXyI@G^Sj^av2)W&R?94E3Gj>nM$I-WvEj-_oS* zLDJs0rWb5Z=wKJQ7l&o6bLy58{l(d8`3!i(`mEyH2P@ogm^is3rjMV46?hJ{n|)Z} zJSd!R;YH{D9YHa z?P}=WH^1b9zQgjA-M6XQ6&bT}okB}vM80joxDN3l6h*fq2eAnMda=PUH8X9b(I=Ej zr0(M_B)plxwt@0P5DkO-<6)l*x!BVTpp%hX|K&{12e(~197u`crGF@59d=jTE1~E5 zN%c&6Sy74;q=WhF|=56J{7UOP#HUPrGJIu3lygHgxnGHzKv{) z_Qmzor!8+OEI9Qq??viYQP(g-PaJk=>EY&o3F|JwEtcNZIiYX4nm2@!p%Ni>HNUc^-KSQL^F;0vtLud#}SwwLcg293?Y6z@YI)p*^rr=I;(ZJA%7o=+;zmf#P1fjE%FO7p27Kn zP`5Uhc)w4vSMLsvb~+JaapS|6r^ta@ly)`TdKwMT`ZDYf1&8h4WTR?DljC^0I_F5Uq>r7ezZ|SGs3VV2Ibn- zu5aI+ihtaSj&ZO_tGq+l1dI~Z5SMF-X9qKa{iVY_bn(aDh(-an&28khuVca zdEz=Kx7+~{8anMWjbPLvpNY+D8+<|0oLZNR+WUL`FZUnC*tV zI_ntpH~JjcN(&e7TX=F3B7_0ZkEj@1u>wFMG+<427V%&FSq+VlXQz6_3)xyTCIS!J zTz^XFz;RJQR1E@NUE>q8iqiA`fkm9DOkV|^N7ERyqS3a5FjS2brz`F~c zA3yL}h$??QG$d6NVi})1)KgUY&0yI=ZpOxNwERL#6XiSkpD}m-#Urop zSo$?33(T}-<79nPbRb=@b!^+o#I`2JBok+1CllLdXJXs7J+W=uw(VqYzL$Uf>)y9s z-RI$)?mE@`)ZSI4#y%|W4M`ARXFaXAfLuA8aGPpzVesA{FxKaQS!$%Heny6BZkLbv|8RU(LPX-fEL zHzNrmN<1S*5oClm$l`2ML0e5WK*QM`mdy3m+vGHNP$IT2iCi^aLtGZ5v%vguyW-&` zYOM~%uj%n^$p`{rABKBf>plC~8=9b}`mvq-h1CfAtAZ#jolqe<-OW#a24C<4eUZOi zu5(Hddvylu%au^=)dyc-0(i4L5^l*ip(Y{eO+2xE-c{TnzgYYh#c%fWdRKnAaaAQD z86l_*Qc=kbG|9HwQpcvV6++mAy`wBpBb~GUdE4mYo*DDcFC0a6b#=8E_DGD}XqG}Z z&h@iC5zr8yj4@9;!ts%3^AldcbPF+kwH#Dg7LGL9?lxa5?EqDy>ZW#->(p8I|PDa_|)$i)W~hoWxssj^lwBV zpB+FwHclAG)EH$I9m2p#?DD>4nD4Y@RMVmnLDlOR6xlE@@&JTMDcn>*;?xUS%HHlb z-XOi3wc3SgHTbNGz;ufDoL-#GzJ$@ z<)1vQnu?hSFMDtxzZ?IiC_+I~n>9YKQ#`a}{BOSkA`L?$OU=cg|s zay^Vpno$mm20l#2Vkh?iYQ#hCcT#g+*9idH# zSJZhYxOS53)rb-`%RmPlmz{HvwIqR>Z!9&O}=LZQcpzL;nB-Gz--WfQZ46FneB{p}2##H>#hdIXJ!?$rCp+dz8ZkgAU>*J|XNaU7e1X2@R}zhpG<~@|*_QXhI-Bh9e>*X#*Eh%koC+H1 z{#4n4^>nhWF@fCV5zpVf!%Q^xnqQ07{05U>NtJ|__NPBg5t7yIpOMo#=dl#cUp&cT zPf>igV{(QP#IX)6nBb*yo#_o$wP{y1Uz-Pro4|7~XA;9)jvh+d1DUGmpd5uO5i#Mba8MeogG3?dmka068Y5T5sK~c0K|%;a zRhnp8AbB$TZI{B{LS}+Q=z|U$O+oPa?opQQhRxa1aX~BwDvp=%1VfEWBx`?o24=Kx zz6`o)2gYa6_|DD4Zy19%`sRmnMv^@L=crzy>j+COn96Z~HKOU|ebAH#N^+XNu1nSm z0Y(4VvB@$NPMa_pJ2&~Y$cmTs{7%K=;qKpZ+pSwk>%S?!z0gv%ABv^xCCaQO$z~>C z#6ZAoRUUb)HEk)3G1a^7(`L`I$k^Za&Pze#%kM{jGaLnu95;{dz9-B0RaBagQ=V(C zo0_-0!H1pe!crQ@aCBKwH0~pgz#(|q)$imqjN3A!$9<(PMI~gnwo6MxttLAhElZbW zZ_<%*aj=FQleQqj=N0THKi7m)l~Y8Uy8$i@66%gKDYp-o-x419p7Vqhnd@~TqxlY8 zlpa^B=8Ddb1ZvUYkYMDu#YOlz7|`~NFohIAT;LS5EEVV1!I(8?Ls=Gx^G5T7I}Vt{2h-L}enjOsNZR#{D}^biyL*z8E0~ZUQ1O7k!k`>qa4Fc}oNZgGIsuLm zE%x{QhxqXRxg1+y%&T8OHoY?2O|86cJ2(EZ2enI{95U7<$6+Oz&?Hh+`l=yPM&i2l zdk0bDVH&K5t-ZAcR`Psn3nvEd#PKY zKU2B3MutHhc7%UmZ|B*i%?obJs(%H-jg(pT+T*n@Iex82OtraeD~mO z-}5?G#2*aiD*r>ElG|oMW_?v$rrjqDp@+KX&0HDD&5hb#I3{2_Lb?80-pUO1U8g(M z+(xZaU^6N1Mk936$^O-##(tpUKRy zu{&!pT$2)?P)qCeG7?uZLdGwBvKKmVG-%GaviyADM4j!*5W)XWK|sL<8-xETpyQZf zcPh-$gA!dmcV}Y`yStF9BmSTm=b+3}{o4kG1|p4fFS~Xr@Vtw;9C*3WLbT;qeLW(B z3zDGUh5I+IWYZWrCAfE#a}Tx{ckw}^O5{gK27-nXGHT3~A=s=TZgZNH@cZsg^T@Pp zYUR+0{`vm&uD`A}um)SaX^ff8&_ij1eIMgQmWIBe> zFk*L-)VlGd8JdxsIzZWMyhSOndUky?Ia!c?GY6#DoTx>lEcfjQ3ta6yyP97T&6`$k@Bqn5^^@VO!4@b4V9v_Auf}A_^yBVxVEXWP-sPR4F zaRrnkRkm>!M{D~vZwqOkj|93Dz;zO{%5JeDvWM9yE{eS^0tbY(i-CPzN=1@_9)bVv zuS;q0KdAW%?Yitqpeh^#1l@2#VYN&&tcZRXNa}QD)yPHfY6zU-Sv05X2rVout|nMQ za&}@bND3D?+*i)i*;MJ3gjanfB%X>E92b`T1{sStJ<}UZq-$<=()5>X zic?KMwN!cv01i_ORFwrLN_XLT=&G$SEm&znoKT^_FEddPp6>8*j~*yk4@bfe^xa3N zW5SV0TlwfVx#ZA{`A&^hcZ;K+<8~K#**9UMs3r;$7Uf~a2;r_K?|;Gd6Yia#;y6~} z>j%x83f7-LS(; z2f9}m0p7*f^|OPzeOW4SLBg?^Q|Lk4oaLpA`h39l&;anQlWCA9*ZMQgrT z$5{zPB9^8^`>QzQNlS$Ghq`d4VYskE+FI2&Fn!81iewKaPg@u2@gdS4s!Xjmpl zwmJolLI!jJ<*{hLb<>uJZR?@nf3PtienOHX!1J%tgTg%Js#^?IWoqwK1OnQG{pLJ+ z^+mIx{xDh05%qr#)w#w})9=**heH?%3OwupLG82l?f`=; zAmdFO7)8rl$4r$q>QAZOk?ULOpkXLyIXZWONxee#5PrnHF{Yalj}*FSZ$K96fM57; z-E-jW)iD&iX-h$v$+oofeRsr%p)h&m8f{#dpU5^d>Ps1O+|Z(1!uS0Iw{GlVJCYsBCmP)TUJsB>5dFz|LbLdcx+Ntvl@^E`$kdlQ)t ztShgzS{gHyH?sGQ1b@Se#UV~sD4Jd*!<8jC>b2!oVtI+%_|*6^cTLd9^vB?Kc=3`Q+;^!A|f9l zT-XUOGw4Q%CO1`-5#(D-uki{XzBHe8f3IWAYDi3#{k5mbC@-n)=w;(~57oV#}1HvT#c{y3&9WQkCJSBp2XO!7^g<}NY2ZzIqB zu>j1Y7nHO?xp{9gH&~4%d>cADYyN^?aPuHl6rr#_+euUj-d0i)9muI0dc`+4g7yL(-?_C4>uDjiLXO+DlP&wg~LKs2exq$&HB77Cc*`D)H~(Ybtg;C zfjLvMp2or5x5*r|uh~Z)$SZ<)s}NmGbpOU0PIX3md(9uv7XlVge|o9wqiYwrM|(h4 zGCAP(tm2fk9SH+jR=4`?QP*3N;b@uji; zmTsw~T$kKu*^ZP~KR%0~#!-;Q#-Oa!5KVtzZP{LGN<6e1JMH0?U>L_s_@M4d2SY-7 zY=R@2&%Hg@D{bxszf8Z%!5-08lXNutvc=ON8>1d~zPt94U#)Y=OB&`GHpmU3kD6n_ zz4|7QtOkhUj!77kSEmo2T4v^1QjTly{LzW%NhOHzm1T5&%3K?CbjhoW7WkRxOykpF znK9EB8aqq90y#S6;ONqXXC{=MvZh4FB9$=E#Na1!RuD8)_S>th!6wof(fm~B|umCcxayt#NP6c%$D$^;{!^!s)TB45)XbK1{%tYyuQjDa0XU3 z`v>wg2!Y?oMyP6^K-N=}iY#>@Gv>Jix`1Q(*kC;O5aBu1#lGAX@&e^m`JgH{!Z5^@7Qh6CshWk;D3=oaQP8Fv!sfY+e6D z=L0P8`j>-U(oN9t@K}HBq>-je-<@GnC>*<^ld;I*NSj?3aOVzn;_3dr-WfaVy6vew zzJgea_zX<+@O9=CsYKMP(wh^gr*`HIhJQ^#18-5VfWEp7r)9Gh*Uj`E{U zn0QnLsf+h^ubC!30~>nZM76Zt3y)vJI~wQ%HT!)G%kG*`Mo`7`ZVJLQQQWDyVisLf zgS7z{xj``elyZ>>$53qPbgPO%%-{AYGSEnaJJPV$C(cm~FO$x!gmy}~APwsyt0H>z zjKl@-c#ZV;qOMk`6y6V+V}+egTUwD*Rv`W55D~dnJY7t0J3#G67dE#nYC-KJKmweq zWHTHeZDt!QbIEh(D-R*R5X`2g?w#3ipLkJ$uCalUp8SUe8K{31YgTCvv>_T?2mVO@&7v zm6EN+O5U$?2(b~Ll045!G%n~cAwadD*JWBY(c77R`Pf@=Ox9^Mbh~)qm~m*;Wzhw~ zz(0#+7pv~|uwfV(eZoPeoeVR-g}HyU&mja)nhNa1<4SnR3Zx@Mh&gUY z^kr}Bs5>rX5g&N#kSaUlmEb19O<^M>O|9;0r{^#uye2XkH8u5?^<76?(xH)RgVZQ+6cXn0Rz4}Ilk&f!0ugBjBo z8J+au`4S>@b#ZpM)=I}KtAk@@ zI4!$oU9lwGY++veJvcGPV&S2ks*W>@ur%*7h`1sD*5TkOR^%N!pupoe`QvV;C^-74 zL^yo_@KF=^NT4xM4G+qUB%RWn4%f=hZ9Yxq1mq4x-Z3^$tqYPzLFvq7H6_9 z4K9(+XY=7BHJM}rup5&6Ie&h47ai45{#IaIcYHROz-w{x(-xwlKEt6`X1{O0Zo^5C zPH60(Q^wD^ui9FhKPAPaA(}_Vl2y38>jWwYJ1<;0&``o1h|;a`#v08g7Lcs7?pL6l zW%zrV7@4j@lZ8M@KuzKzxbGWJ;uXxIUMVbImtG3xRfl52fW!QREH$nU$$Nlh^Wb+c z`vfL6yRg2b*S0@gbT7++o~7LAXoFmDrum50I>w=#a=$u+GaTqQv83F|C3A}Rm0d+v z1j0N8jrtGu#3!)GB3vG{xRM~$um2;mj$ymaWJH=qCylz8z+?x#vOE(lgZEpB`Lt#Q zUa0*lFOzjN5RjvLiZ#>?lkI-Z)gu--6T|@UF<85&eFcrA2ssqcR4Paq#=f6vKIB0e zt~&7(8kR-vRZfI?3{eZTe}fv_0TVZdNVW(TT`M29P@ZGG64^b?Df>q4+|t}Ib(Yk| zk;R#{*Ws!o9aTnd@i5Igwa!H03g!-XhPgOtp-m4Bq$)cO#w`7u`wUooT2P$nt(^RX z#sq1ZD`@_?|7vkS=6G<=6z`=p`h|1H_B6_)jTr5Pq_3PIZcS8v9z$mS+rC?UeA*vL zyc*MOIc+}NlmNalKrb`I8};*R#lyc4-uXrpYcNc8aRyE$dv;L-att7Lt!^%?^hpnX zlr#_kB(5>{pY=!`opmnK>KAL{7)&Sq%}?_AqxqL@dM16>y5D#-m+QzDFa#3G7Wf&K z)@&79Kak@p<}0}p$1?HD4Hc2giDX(JW5UFxP=}Z-J)U1TV`9YdHI$ro^~9)mdY{AK z^~#I*S&T|WrMH=#>SKgR^K!+!%5B%IR33Lt3 z4~@5-5|F@Vm4!cF0V8PQE9wphW{XGQhhhOwnUmYR=Jj8{Ya5B~@^G%kLiO_I$iYvI zM_)}2tj# zKb@3Msf`6skGVviml?{5p3-bies=Y7U#3|%n8<$$QKK<>mcEl5Uv-wNQ+}}mpw@p; zh7Fa8tYR`1eiQIso;v15WcXl=3{kyB+g;>Czn{@py9aa)CV7hxJC|>z`r;n3L5s)P zT8bGYfVrxVBgUaXj9x1XAVxD>zj&+elPfn~qGA@w)YTkoZyRdo;L+TEXSe=%K|T-U zDwdtpXO_dr4M6`K=GkgJ&tISg02~%LWYSi*u9QkCIMPfpd3~`L9IZ{6F8(XK@FFl5 z#PVma@0&XrH;%UE^}e-|SK_^A22F&OB$bmh8hcVw)6S|MQ6v6X&r)O03b;My?@;v& z?6r?-+;?GHVJ3n|I@N=O%(8>! zG-(LA(3avH+nL55g>a)Uv zK*~$Q2h-|f;?vWQITmnbNOkA~H|MjoPagQ2qW?PFXZNhs65w1*-Wv|%H?zW@HoWVP zHWGT}uFLsvzI@LP!`ZfxBY26ZDzNz*oGkZEu;taH!!}dXwxRO%RN`crrmxowzmZy> z7{^`SHiKq4oD*ob;V#=X(^)oJ^ZKA#Z3NABGJ$KqY)Bw@W!N>U9|U&;Eb|gjD=I+{ z(_<3yE!ZNXEecc5JFN29S92Ry_A+UrvR$^7txtnl@q6oW&<+y2Pp_>E{lom~qvaX1 zRhzpCN&=Jkv$C#~4=vQflakWUBoqe^`O=#RSDD1`3;~&{s_Tw&0ebaH)-2^K-4893 zn!bS~wX4h9t9?no9RaX$lw$l5;)a0Wzf{jY1={KXXjN@ES;UuW%~zaW!+S+Up{0B1 zi^5>h_^mxa{2JP2T0AFu(-d@pj>%$Kv1JtgpAD4;E=%q0%~*?t#F zb4G>%6oA^>-Ts&7^K&sXIlE+9;ELnFGg@O(jvN>cm{#^Z3(_AM8m$NYMKMuGw&LGG zFXwop6wTV)>TPoT-xPROc}>K#gclm(8v}!Smo$|oDaJBGWoUZS8QZjDQ`Jo#JYol zK34?Pwms&2N?JrZa)sjbxV70jCs|HjSHlEF^DIg?gS6-=$Mlu7tK8}_c)TlpO(q{O z051N6Lo#xj(tMlOCO%c}AJqRq-EE``^8%5HJv#oJ@6wY*|8m=TaN4Tee&ff%&Sx_2 z9S{E_;5ys*QlPdml4gw^0Huy9XN#T+ zGo&1ZC&2I(0Jss(6B0o?;Ht~g&CTlQ0NfiA80=G=_bHYCs(IusB})`56p>LXYqtvT z$z9L%d79~zl_FH})v%1S=Tt1xjxR9Y?H2Jz&lM1!lLSBd-B9EgUGt{vD+8tEWS9E+ z4&3LP(fLPoiMB4y=7Q_mJ0GtY18HdJeMPII?-iqn>GOkHM_#=Xo2LZsjV-s)fZc^w z?P8@a6JtOiC!^Z;20^S-@rLrV+idKJs=uiQAw~|+s5(iE`sax;KPm^UxZgeE7t022 zkf`tyF(cDp7EBB8Ldun@kaUhPwD2dfGNK&5qvaynWa?%DV-3GmTnr}it3^{7>?=)) zOI2kW+0bi5xyE=l-B3|7Yr26mzz~PWCw$cSN-^yW9DKzs#7hi`4OANhv?{G;ft2T-x4AJGTAOj^zr$iB0~*D)+EtV8il6(^sn!Ty0moF? zs2L`}1?RrtIZ7j#1FvH6e7tkM{g}SC-tBJskm=Z8;kq z{p}82w*(sP4mLKCJ1c~+i;;`(V$ z*biKP5$R}cA;l=oZFo#K%iAyrE`&&o%}q`7;{ z@fLeP9^NQe4nL(~I+Q*wGSC?w*xmJVmOb(veq{=Q`Q z{V=+ucWbAyXVHc%G?`diFb3P)nIY%Q+D5u|)rk$+DGTj-150uQAwCRdJI9l!Ty1 z#(AmWd7=AbtLUNd{b` zwyKi?R6jx>R-VRb6DJy!%Q0aR5vdu@(~jd+92L^l=eCz&e$i@jcO(q>^K`q5?S(JM zO_62TszmZetUG?`Eyda%brYxj>RXG)wmld2T_8|(oa9C&MGXz`-q5;K{%E1z+E-&% zUCjDARocsEV-rXKjt>Z4w`^K*r~ub1AA!mJqRBuT4sP);|L}OJh!BaiDJS|hjt2db zsra8Sy%cuS!P;IZGY6Fk?+_(R^Q^iaYEd^UE}h1Ygljj7%xc9dJMWNz?K+D{WGoy~=yQDx@rldg*YSukv+}J%C0$;X}QTT%m zlG~?Dk+J;8NdHd7<2;w$0Q{&3;EkijWLU3s-{C~7d}aQPe^%qOUo>|(78{-j1D79) zh-?|eJ#p9{8Bpy(WG=246{p*-hp2cG5s~o@wKHT@$$}V7%>N?I4sHcP@YXUlbbg2r z3wvaXn3@hZRhNEj_H8isLzqY)TZ$XQvO=jrZ)bQIN{swRtn&SL0ifYgQ$u<42*HTo zIo7DZ!>9J0u)R{YwDbD#=@)qAgPLgySt*ewYoFNzG1`!++|j(HyjYcx*g>7VWUr_u z+ulp-Ykbm(^Ob)??+{0?eT=6yXntj{CDmNMJ30|N(X~(=_VSv4i2L&lgWXkB&-3j# zeijNYbgX~zXlYNM5kTjsFaJw;kd4FZvIEZT{UZ=fV8AHT_CYtz*6!*!A}Cb??V~ec zcra|buu{_T+S8IR^;%|PTZ(lziswx>$h}4zHN|D#aGtrcf<-?YMG~Yj)wwP%bSrc$ zTS7Xx4K4O})}Ul;ij^~|G-gYenYe!Mn`SvPxBwcR6W*BI7T`H2?GmIqQ5D=Ef!D7Q zVQTT*GR&jCWjeD|O||Z@>LhLcSC;K{hC1a8oVxfI_+q6}n;hP*L(CX+kuD5r>vRMz z?{<|ILIq~~mKkoVu(WV3TnEgjnPpH`&OzFc+V!80y_?12rHHpWB-nP+uW48DO#~`Y zMZXJ|QPEdq15Gv8Bi7tAa2?KYHr8Z^H4ZM%47dEI$&mhloxK3&I|1s6n`jNqKfN1maASBygg>yJ zP|eO?QYp9|bs~0#=97jxCPmJ{p%ce8T~&}fp^7|4fUtX=oj+r=da_GvK3^LOCLP|6 zB)s=mGQ~QF{o3Z1*Nl}_-G(b^Ma;xsiP7as2y1_RV8_-$enb)F_Gz_ot9_8X!y@#E$q*?tud(*$7uUiq8 zo-X8&2t1has48Xzk7hSk#^PO|AyW28m+M_NaKX#RVGj6M?p^SZYyGBTw~3}+SqPu( zMn>*J=`JUX&IDl#5zpo|J)5F|adS>Fv%?>;X^xD-8nw*W5zg;Zs;M?luD`rd)8ue0yFB zLsv&R_jZawr!A8g`DN&+u~t^J79AP%GN@n4ZOPQ=QLeE~{?3j!TMp!Jv^Uv|blIqx z2TFP39y|Q!_!hAFUsK8h&97po1te$yQD%A!@0-C~hh;+d#!xvHVSF$fX~Gpp^}EN@ zbo?z9-H>%Y>6rUiy+p(i#PD_os5nzkD-AlTIZ6HdVx1)muE~R%4{*R40mH*{T%y+7TE6 z^L<+i+3d2H(-u-LB$Fb%WeP8%&ujG)Xkgx@8eJ@U*{zduo~)9phFo>Cc+ul9jG4_` z2#?sRxr1#{#mClmQ-8e;A!tRCo>SM&`U+I0|aEP`+Z*hAH;esE;NoZh) z295O4ifFg2Iagy(S~2h@(IJ3f*)du3b^NY28REKbWGrnc2M<3!%db`%V;i092hZG$QFh}kt@l7Pm{&LGcYa&+ zkH0F~NS$#yR6>5MraAe6YUd%>b&oDPaF^+46!{{XZ7*$1O&Y+^7m@i3%3tt~OmoO~H*>(7R+e;)QeNcup8{xwO$91+*5}6P-`p$~-&Hxr zCyWjL{#Zsrv|&5aYsGnDdd!=tV+W~2`OL@l7v2BTPDA&*icqyaVET)lS(G^8oZ3S! zo(gE1i~W;52m};GN8eORXIQpckli+9GyVFR;I)p1G&DrlzOQ&i7-d#9md7V)>7M=< zx2`e_tlE>oR)u}tp{}}wYK13C2q6*DsH7-!`p-%hBTOjV%eEIXdTrIqIjTFrFnkls z>o~bTSLEMR%VUi`#R@l)cwo4%AWch*Om{oHm^N*RInrYFsU- z^*G3jpjfl5*CfAuTdc$JmbSMriI{u@_j!D~%ydNX@?U&s(7<%a z&n>;_JWqtCGhm-{H*c>DO`{I>nB>?2Q(jy88FA!BHQ*z;1aDqf?}0Yq`{QdxmTq%- z4*G-??n(iMxP?L(k_;~MB5>OD^m{SzsRgT%A+~w-Y(tmqN4nz{YKVgCde$Fa~)dqhfu!~{@{Iw zNF3v&^cKEE+i?Fzak^0)25)KkMWD~H=RBQKXG0n$ubUaY1Sj!Vbi7V0CAew+iNdO) z0ca*Ir004N>@5zD?EX4OV_cRR=w-lE5_qho2b>k$21RsH$;{`b+rmG~prj zgF6KbcZc>05;Vil7xs$w@1;#hOnO`UF|gu%sjxH(F$Uo(um$~I7fwnQch5VLa z2^CTRHv1l@L!5Dii?56!QATm4rDgF5jprZ8cbzY7Z<#%>DJ!w=es}*83d2%MNGcR2 z^8+?NGKyfuNN?iP(Y~e*X*p@)=0tOkv6^~?2u)8M z*%BAc{NJIn<#znE#Ae5!ZsU@%am~5K{?}jM+{HgL0_t0XFwOIb(AIcHL0!~A(_`8j zcjfu#ir`G0lgSDj@WYHKdxFsdr2(xhZ!0-Zb;CwdVP#iP+T=(*tElxdTyqF(UXkRb zz^G{xohR>fvb}sq1J0ZPG|dfv1UUlngLt*5Gle~{p9-8W+NEZ>WrvT_5{6L6S{6~) ze5oZ*vm-ZNw^i0}t{|S`5^WO*B!VjVr`AfzaU&Y|$!w4;miS+E$8vD|AwU{YjY@9= zC*6AUAlHkr;$BQ7Pw=OeelJEPbNe52xwB+n-{1q@UA(bgX_!+b)kui6b~_2G{`+?e zrORu`mjKrr`~@3hT;0Px+jQ{U6044CV|;5Wg7$Ge%Pn$kWqTHrDC*!YGJQ})XwIuH zt-dE(gllhmP|c#t1sficJ%G9Tc+}YjzG@$~v%aQ=gy-{OTnT5!Tbtc{YCazRh#qs} znI~arZ)$kSrX!}4U=>Mqvqj(v&;HG;TZegmjB@2D-$pEO>N3Mb$A^P$un~lMlE(Ybpqu%uU zeMy~Jhi+>7bY$>WWWuh$`@f{=NQ7K=6-~ zW)`#%!(v}gPX{hCA6R->R|}fFi`UW%^XQ+1S&cMlSr_v#!Z}U3Fy3nI=NT#(d@`

mJI4_ z6mqg&6I09}ypxNoRC6)tyJ!yx*L@wKNV~cIYZTq)Qg)jfYkR1U zlIFqR?r?#*Dqz4j)TT}M6SKA(RP(G%LgjWe1kum>Gm-;K1O>RJ>&ZGzN6;1{&A*xCOsS&C@Okc zTP$UEd_gp&wJ-?kEUi_>xj<3h%)nhxHY?AIBhdz|hXJ2|#~PckM{5=54qu0#$ak_C zSqZS#`N|rKqVKJE?#S#;n~B8a^tnIWTL;ZB>4;??Y$LNuFqfZi5xPj5oyx3a+*_MQ zmIqG3=q`A6a~tOJ0uIE>_*#CKhK557UUQ#G+c^ zka$PF41H#=m0Uw9Z7s^4i(WE5+P~{~9@LY5z3g=MJ^o$0D$|owj4BhrBx~(E;v{jE z_;-B`zoQ0@#V=5Bw5ZNN_r_iO92gOI-kf$V=mso()*r5NEESeTX4oZM5xA<&4aaGt zI6T%kaAps6Mcy@U_`qMkkmQXi3UYr(za6$B-HVnFXT();**~Gsx3E<Mzh)NHc@} z%`}HY?Tx#y0msvPEhB%hy+Na5E->F4UPllp-O8oA@4DdQk_po4w}EZykm983qLt=`0WS6+Y3-%5cf`P8K?rgZUC0!RTf^$mZ^rJpVbB-8`AV#AI$z51$3HiwlYParJxz`>SI*|Ac=4OK?@zs8oxI`A`|yhZuxcJi99&4WFx~X zDWWev2eBNp33nWPK0~SqB&g(|6m7NRC(Z}c?^neNwu_p^w3}S6LV6hS&hr4`tGwi& zn}MlSmMd=)w#7CVJ$5<6>97-yZ z!nJAy-OWlLy*?=#oiq!jlCTG6-*j45naRs zS)F3Af^8YhsC}G@bfG%qrfD-JDyXlf(Pa_ZUeh%-;WTIgd@DpHYY-b>Z>=)%)w?*R zY)i8ERf;$8c!IHDo4ptl&2Y3!_cNoRGCrx~HLmRIi5|w!c)uqYULYD8Td@X=WH%g7 z&H1V-UbT2|AiWV*^=w{YT~3={LBXZ%+lIz|RMCUj2)OlCwnV5S2U|>Mqqy_0ZQ(!A zkVF`6|KG(GN^@Z?H#=#~&0Iz|V^)`}LZ9A0?mJkY#K#t zs)niiDL@Gxao=Utdr*$PNAgA=rL*Hd{=yP_COAQ-Eotf;822XRmdi`242;rdrDpn? z59txYD=djEQ#vp$g z0n*Ze9v{-r`NZzC)k{G$v+PzwtZ4m)pkC~qF0%` znJs+%sbE5aP<$g8pMTiwbz@@@gK!D=K_kxaS$G|;LyJdl-N)@v3gCGqT%~2aMiX+;&uxc3@8nX>y)|j#g z`5qu$^9lR*8nn*wJrgtw`+~CO0>ZRHhG2Xl#IAUR5W@s0+p!%<P9M=E^ABulDXF z;6xud9Np+fib4f$N5G+%nG;Vx{uutgotZN2FoYMMFeM1<2;B*arv$I`2tq4^B1HeY z!G`0C6W$cjzS|r%$2T=r&n(ypTxGzliC7?+%M8o=y zX4)tuY^5OX6l3@h$Lw&!`+nN$3Iui>*@LJL1lapG{jWV41Ayr*2r`ny;U5CuBS{l5 zH!IJzVXZ2vaQR{p3vji&5hvdPRE0mS;X}KzCm``t>aY$ujORJ$vPCmrQzVg5m4Pd8 zw|@-+LG>4=W)yLQ#PQ;Z9xU?r)%YpqJCWxAN(8@s{nf4w)=ro+RrK%=NW2(iiygQX z)ONP>w(;{qznhuoiThW*LS^GVvjSeq3q+uyRQ6s2N2jiIif8{2`Q~_FT{%#ZX>S+ zj)!iy#W-$Kd%S4073dX%+>3c#Gjd)SMHM|XsCdjCGt$R8+^O!S{hNlK61||is0XKd zZL8Iwp~fo4|DfiX?;8JM1OsmP;BmH>Yv0J1k2P_e%uv|2gftw{VVDmKdhBlB*NApW zy{Wve5)dXz9ivo2@jl*#MW{_uQ|PFX!Gq7Ul`C@do7eDib&VlY%#7-+BC56Y#9~L1 z*wN?%|Dha})8`8X8$FN{<30?63fs3^ABhdMvIMF>gEDQKjC6lsKYUoz!Ui$_Ewje` z`kqyF0NsvT1>_}kK=?FF7gZS)F1+W^SDP_%0AN=&ZfPqABRtg-GW75zFjSFkf38Mi zhZ_F!NI_{q7gWu@1Gl?>TL#N6jd-w?Re~Y@+_%MzL!xft8tG|q4zph!6PfYs@y456#= z0+>zNw#G+?MkWW_oNF$z=?7@gV`7{p@ayy@&ZW?)nkooTMCLVFZ8#xShr;X=YbNe* z1lSrulPmrHh%m-)o&`Nj}N6bqJ+*Jb&+~tPbm8<~Nhk3oy0sQo_gEVP~8#0tkZ- z&VuPz*o%UPUoMM#=1$7!Rdxx|PMhl2I)Vh0!TU_?-H8Zd+VC1Z2my^((l#bDZ`f#(Ff@jc+k+ZoPy=jfAs}AH9$z0%R^9hRl3>_dA;zS^ z*;^xf_i5@2PwM{xVL+b0bxbs3`~CtMEkvE3#!^q^J3I}2Rm?vPS`0ov?dco;`%!=N zuW$Shk0W%&|8O|%LHzIUcz!Vkh2VevM*n^Y_ybrRfWh*He&VrU2&oI*L0IrdVZmPq z3jU3dp!UBO5+roT_V9f}g7_YgL_FcwLxM!z{zHQL14IM~KL!Z)yKXOlVDA9tHvvIB zp*NNE1qkZ=G(b?7phM8t?-LJ%TO5A~8lc-BI8gszj0WO=CK{;!L)-lC0ArA$^$&tE z_`e5?(f)~G%#U@_zz|!V?r4O5A3%tHkJ#iuG20%{AMHK}YySk$w*SMS2L=g!FxU;l zz<(EN+XFyE{2Nf)9)Ky`Z<5vRK|=`L@4^FrBK-m5fw}{Q1AC|a{|gT!{2YHgu-gDt zg(dhFBG?@e#Q!KDNF2liMGgF?@j#+Z7dWu(^rGj4A9f=51>c<7Xx~_KM~I( z{Ebji54c2MVQk&P`|#fb74@`3{x&kuLmVQqIUg8Uq}y-kaNt-`&#HeJC{~2m>mK2! z^F4(BDWvE-AZ5LO7*X#3sOYL_tnRlUWjt25tB!smsQhD=;{O4l_r0Wl0-i_g1I{z} zsc0VI*Q0qj9HTor*B7AI&G58gfIkB15e6YWQ3L;JNKc#41=7?17NRFsTCD>D{HGy_ z!RK#$`o{lYNamNu|KWe|I^E*`2!r_F-}3wlFiH%TLXg0AR8I^Dq;V0zkG2K`I3R_^ zV0455a`;Rpjp@;8-GFf?xE&ryW(;QewrTi(9{9r#0)K7^B@jc}A;szu6{uiIV@xLFw{;zNRPq+L1e>lP*{`Yr0zZjiD@V~+9{|14_;sBvN-T&mpeZANFw_e;g0H}xfpTD=St$Th5(*L(y z>GeIizPkVL#cO}~?+(rSuU@?N!^yt*Z{E-N-%j=I_h|U%QhmE)M&Czx5FQ*%^!-;P z`gYIS)#>BnzwYqh4`2L87`*tet%3hGI!Ms(0uO2vzKIWtl~)tHD)65MD+ZsR{`3R? z`{4k`m! zr~O@#fB&*Cd*Hw08o%#G2MIq04)$8TFKqBTp+Um8p+Pas04ZTE0@*;SIi1Yq+P9Z9 zAod$W)W+lVy3y?pArkZlgdpnn13>(DPm6*ZC;-?4 z=<>J32M&K=ObqmE5Wg-waG-=mpTHOp0{HWSUV_tC$u*xxsyzwW@F{$N7z|Kq0%{zqoBH6cfo0b&`{ zpGD)__#Y0hjqh^*A6`dSdl3KoTOKuF-fRx5bE<#sT$+a`V1^(uus;IK1?ddH+>^}V zVK9rCG;ff@CDVaLAe+Ud!BwouOtJ^a0l0iNo5g{VA~Ky0FvzP|9Dq%xc#%Dz-`rUo z2ARj50j%WH=+GL$qH|&R$=nLQ*AL`yu^5b+8bS-O0C{8@or{6tLJIs7jKfip&wIGD z=yZRU545~uFw+4GkWFX#brQsr=HW^A69bhfbUv2{a2kV6F= zID9S-uwwF9z)}{U11uslDV`t)SU_IM1+0JhbRJF9oX+A?0ec>Y%mY3AkZ4CS@m!~R z@_1~np_bMvcMi(~OJOmzR?=A>TAm<>s>y@e*Q7CdEKNTapQFh^+SjC$S8_FBpiGkj zwXew)wXX@auPJ5^v=9l*C_I`snFk_limTU($>oum6cE5zu$byRz?19^0^~L@&lG>K zql08F2yj6r719#OAk*lOU*O!v3(U7>8~8_R7sGWbRFuau?5p53s5uXi2he!f!PBYl zdAitt*n@z9G{5h^@1g7SZTqjSO~C1Nwf}m=!T9gLfYd{p7qxD*ZzHlc=qs<^d5XhNymX8~kzp`yuxY67V0T_H0lcg)y5Dl?9@SZ|k5NIdY zUZ;(+_`spU3}aW)m^=>I588j_km+n16ExJuwuQBHmez_%<010Fdv>Hqm!4^tyG!9N z%!v{Z%MZx>r?-vphg0iu2K@`ow?P=&m@p5j#Ge zZVys8AdlPA=!dI9WdNj5ALGAkameztog2fh?*bN?I*UvvGbxZI?9=)~4l-68`RcR^ z5W1UjoA!fVdyv9nQX#+F2J*6dH>kZ<>CH%qtYU|~?IIu0E}$x=vvKm^fLtyXIdGzi zi_&KIItydz%Vu#wfXshpi&l;WWIvDt=!sJSIe=zc%c?z?S&@+aYwBl6+<~99*Za1` zMwH^o;_|r8IM*)oz?a6x(t4bbb4BPBWK>Gzc9S*1vAF^VQRu6o(Ypbno zX!s&?sK=3tOyeH9v&VJQ5-x{S67Ar=)nQ2KHtJC6AL#+8SD}BNRP8bdjgjNd9>fw| zevgIt>on^+rZ6HvPxeVv85XWXNRY{A^u%2!Yb6p5a6ssGaNbGV#!%HMQ+ko6--<$Z z(4s-9YL4vLt?X2hzacAN$Kvore|8qUca71-%30ZU(p`6b*>PCjG%5(#^T<3J1+cP% z#&cUh5Qyx=Va0#+ZorUZbCLSQnFL_!-_~IF&Ndcr;zw27T}wPV7g-xb>ter@W4}PO zpa5-C{s&al(b_K_U)_bL@VPt|L(Ho|7_%m``>6>^TlpRofk+3d1EB+~5MN87f-Cw` z5!A9fiz8}F-2Fn{|6+|nJ3}#=_B<8`@+kWB6WEXw#pQp2ObUqQ($;hySGqVPp1pT( zw7ohH@Mh8Z4CJ!F{_Vl+I_f$ib?p%bx|z8)4fG(PYQH4wW{TZubWjrs2mCPsMV9&7 z;N4DV0I}Ihw-@PIuwj-a?lCXG?`qn*$qfKxDkzg0}l- zei6ejB8^?ir+D??4R#*mnjVyIbhe0@wgq7p+#(FTbXQ9k#u4i6kj~H1QP-7i;7XxU zK_-8%>u~6|0^0UaW)un>A#Y{Ts~+szI}oWt7FD59|4r(ka6nigWctrh$b7H|YtV;A zyuhDm9DiITY%2)+gNiwV~8Upq3F>%-zuyWsvkA^zfFzoJ^=*gjjlrQWf9u~s_K{-(&{z1+Qj zjFH@q-lgr1PKn7%z=;B3dzZFX^rrWtIB_w1L#TeDRLFFI)64qNlUD8kpGgJXX-tp` zus8sdPp8iS_*@Xl(`}0`uor6;+a7;Vz+=JXJBtq&q_mS4DZ!$LhG2NJ(_sHGHMECD zW80#lu@pAHixLR!*YNh*$uuO-3ZSt0ZSmFp?qN}m7GQ3-7!HyLxx8N?7ZSPMMKs-x z%Y^%s4Qb%J#X}Mee}RNZfO-%8hVMf#sI%b8{gwslq6JWmpU-}e-GiUgSLc6-I%QyD zh`M4xl5~nV5?R^qn080??vS=G59Bb(^!C~?r@+*XDl-6vAN&uCL#EI{$hI)J+|~4H z{XT@WY@^Y>4v66HzL&(_q;Ee0=?ai{78U*pX21O}M2e1=T=->=dgODu`-NSj3A$=; z@uCG-z{(wtTjPQ}*!J={^cjBu9VB~$@L@T8O2cMxcmT*?^Za^uvbyVS@uL2D5`Czx zM`4*rG$}{z_qo5cxF{@VOvoz!E@}2HF>kMRk5% zUv&6`1MCkmceI-`+Iz2bl=)$K`V6T>UQ%rl6V!L?k-aC&r@dC^8%lq;Vy9nlF|)Q} z=ADZ5H|VqL@n~CXB3@Pd*j9Afbs?!1{d3B6dvVG-9h{2iZVcE(>vWJRYRLv_sb`1n zJER)On%}2f198v#6s?=H)|Yf`HxXcc8C~}fc#i?e1GNM!VQ~AgP3l#Qd2MZo_DcQl zn_ivC9^;F96{4T6Wv_n%h&!4CX1>Q^r8B@`)qlsbS0TE%nFAO?zFnFBt|8?66NZp) zUqeU~3eNePg3>URKbG%kew12@3l_i%zvM866e34wyA&Xm>IZX>S4?b)GqZf zW<+KQqXt+pMV@Joo}(y~8su0p-C5#(qq>W~iz=JLqVg#`E2@jCA>g7aN-doW(iv`D zfO@NO zT>{j5kJIWV2QYutf(0;HJb=NX(%k)~4PGnyPd;771Ds^d)#}*NXu+A-KlJ(UKJ))| zw7cg2>k$dK!Tis^;~_JdEFQUi3r8XIKo9sLkhV=PhRmipBH2)efHwg{X0zM>#N)Ae zJQjzcf^3jU1(_5Y$Th^Y-J?TcF&Hf5jH@mG%MfTwSx0{c8g?a($0RdoNbWlFe+&S4 zw-dnnVtp~4j4*ODK-VpsBY9*dmCT`XH7P6xn@)rF!&rEDwJg&y&AWT%5Kk#p8gW7Lpp;{;Fe|VQ3UcxVC1*)k5ZSK^|9&%Og{~I?YTP z!$a&(O}Kz2fq?TRXzO6vOb?6~=;y=YP~k2SBh~Q-MziBS15E&VC(7%BREW`RyD$O6 zAk*4!7sY5Isr*n6xBW;G;}`>o2EZ&)hjx?)sT_YAg+v9pP;(5(_As&Toc0QxUSN>l z#29bC?MCxk`WF4Gi6j?lb`rd;nvai<*l8!0#qrR>bPPHiRvU}g|KC`a`f2~^EQ;56 z)9Azg(4}3<0hunV?HFq*6efwvK_mzBV4G2Wq>! z<8go5?mF&xJ*qa@U58A?gJf-ro`He3t}cEhoN zw*2v-g7nuE!1NiOvud7GU)$V%# zJ5CQjIRF2SM@vW70kFv&G6R3)ft>$i@87%P$dyEK^#0AK&?)ymhCWmQ ze(vF(p0hB}ZdL>4P}n_ld-{SZQ&pvLRw`Rkf~$>xpZ&KKk}{R=tfIisJGEwZn=C05 z3WY);DIQ|&*)tQ!XH%WpAbOwF(J~+wlL?5f<9g>CZz39cK@15RT}iW&3Yd$y*bWaA<3qOaf9o*|S4v5RJN z`)@E+O=>tGci}5SeW&uTWbSxWs^49690k_3e}PC#MqhGY^z{I3G=gW(5GUhQ5-Zim z#86ODxJA@uAS z8b-vU<2k}9dCpisy}AC`Sp7gK_UC)S4W5hVh>p{s35W{xJiw9&`Fshuy8MY=A_cd15OTg!d;g^~n}=Ahw=Gob;nO2xvIz>u-MmN%25} z>MnA-(mj1J@w|dL5_X6o!kptdV&eiY3=B2&UuYH!iAHb)i2;TOG4oAU0v)vif`kup z;}YcqlURHfTgmF_N6hahYWS8Ki5^@(;t;i~Z)bbUj`kUhH{o3Mp^kIya9}1RkBOSJ zIg8N^#P<*AXK;8Ggy{IHh=zYU${S@6{WD+_O=xr^k&JmL(7V0iFKTISF^*36PL7aI zM)3p!#2Knk6C?%@hF|TAs9FOtGxQfp*Cyvq;5!2`#A$rL50vX=_$&UWa@usZC7|k_>7v^ zr0Vz^PPDLOH=&M@q5d#-f7TRn#^O*$jD|36=W)0vJ_^Ej$KpL_aiqF00$)QW?7E-6 zKPOV7N^X=(4tod_QxXLFLR5*5B*#I6yjZ!!Sf$J`Y?+lC8b9095;9|Xsd4{uBN=f) zb~H&3z3?+!j*?JV`z(Kyq}uyx$nE53r!VKI@3nf18;viV}7=V-A8g@j8IENBignBJ7KK`@N6Lo5<1j0;hTsICIi${dfeyU zprDOat~%_`Xh?-5yl?K)oP}s}*7TEpw7T{z?O3fOy$hW&zqowvy!tI+;1l^Gq5l$U zC7Xk>4KkYv#MG1> zO;?FStP@)SD{_MUIU--EfXKQzAIO1yS~IH;?@Rou%z|n zPm$5gw%md)9t%AZ!3Bb9vZd&f%$xb9Xb_1AUK?Onb5*;2_#zNzCI!?mLoHS1+)Yb$ zHat`C_y~V{B>{2?%zznL^rLmW^7J}xhV=$=Z;9SEKI?}&Ui^V+jrksT=*6|}L zylj$P#KKL)#^X)I$&5*IiK8f(Cx6{=Dz)$mmf54N#edIXwLp{ak#4v10K9RDK+QcGt^x}3jQ#Kk&=B| zgE&uNA`>18DeBs9ijN02^s-_T7=~IQNro^7Ed-27)AOJM3PdlO%`csAW`QJUbP(?e z=b(S}SP)+)hr3Fr&zi|z+08Wh?P{a2vKD#O*ct_FWFMB!5BCmE4hJ*;nO@l8q>uad ziKh<=E(`l(%7yInI7I8}*cLKL{>R4JGv_YEj80f%*xme?6)3b0xq%LK5t&6|XvjUeZJ=iDAmxGd1rP&!1^f zBHR&99~~cv@#~0skYqo~5!FUuxd$Y(tazY9%j}}E>pO*o4#RHGkLt|e`{uHxY!ZLq z%Jyf*5&42=Q9yPz1L)j0@JE{K=I0L|^oKOR%?R_JCQ{la`4{^A55Oi-Pn-y4Mgh_s zXpmD#i7d2Fn2Y@rbE{$w$M)ukN`HhfpNM-Rx;ybl(AyrLh%7GH#%WXgGVBj(2T{A8 z!yJ<1P+&-ug90{rFm!*zfnt?BuV#Nd0o=hDJt3FOG`(ihOWdcPOpcp)MuL5~?pMbh z1?+22Ofk2a2Sv~L7ryI#1I9EbC3;PidNXIS+SySQOC15!QDGDo;A5)k30~q`X_TJ= z6{|ELPd^K62?)=aQ-(kh%2O}n15qF!F{zM>blekG^%=zyDJ=jhUczPQl)!&QVo9q8 zlKfas3H5Q{=LoV4M?Hg+df&$6=u6fgk$%9iPyGIvvsoWH>_cL~zMSF^b|Pa$=m1g} z%8)Z&?CfK2w7;852TqO3}Cfu52O5amM25Xv8@&gTZn!_YThXQ<&yfVRnkjI%2 zwnj#U1BW;pjWJVeN+(nMeguE!JOKGWS*!tvM880#0UM*qFC(1cm*mFVTy*Gjgh?u_ zO(ga8325@A_?e@}03^RA$(|T061nI>D+>FBiq< z&k9+iIkPatwP#t-2?o0j2vv!y2hHrO+K5iLT%ZI$WuaQ2Y-}r-MXJsRSRzoI z(1*`$PP6e{jfTlU#hQ{8u&m=chRkRaYfJm z$JU63TViTI5O2y*?|>n}W<*YDI2rWHXxd`1m2;iJF^_YO_$ESbn?BLH+DsI`rgzB# z2@(pb2=2bDZRGG%lW@cMXM_U=&u9)pi17*x^QfECK}H?QDL#M6u@3m!o;#FKgw%V+ z3?RpF<^$ZlC4Xg4GkdX5Wg10l>5Wf;fgJPC*5Kc}`o`dxO{|2p4#&xHKVTE(z*@BLB}AV z1(6%cTehxq%qD-vOV$nqOB}FC7E-a%zOJ^5AZ>HnJRsLZU!`a&CPUGGp3v}w2!SU= z>>|QBGmj`2_SsdnRNV(OBq-u!Ouy6)BVdzb8j>@pnH`Bz_5NZZajIUJPf!t<7xY!t zky3h4Kt~*N3MV7y;H7Jw=}O18&MxXj6Ck^Wb%MXpSv-F;IqTio%m6#dCeO??b-BnM zCTvSsQCU#-_GRBmnmwbk8K!+DEP_0M#a9aOV*d<%CM3cEy(R+DP!fKPgKYZ?FZwm9 zb7ZQNxAy~5*VYe6X*+wrTh&mfST%3)SZZr-sndq%rq%vzl8Wm_=VZpNGg=HVqtKE$ zlTJ=Qx%GbqQRgH@&j?Gk?SWWYPp>WYMV}Md+X23jo6^a2gf$93(?CD)uQ?CJ$WL_5 z5DCb5Aq<=NprdN>1FwW?Jxw_F2v{PtdWTBx<<%acxLs^TO#jc;GYgfnu+PSQNX80V zvGc=w)!!N6l=(UzhuB3g^@G{*!QNRxPg)Cn9F>3Hx$|HbJ%0}GaY~SyKO&{mntz%_ zuPepl^be)W9h}-fXy|ADNN($Q0XXK~^b$+SlkVWl7|3tGc~hdKKKvmA0XASc#o9iZ z6ozPiFgwf{6Kbm67AA@cNGa_dmEfZzk2y%Eo)Q-m+mI-SoA|871z*kV!v%YQxN+K9}_6U7#3L!cMbM7K0XfT z2>WVh23~i3PRt|p49`I$GEX}Lbg0G%YY#3ctU1jfxuSR6R@9uOMoM{#xI|EEh+2O% z7OKUwLZVp6aM13L((EmUI@t^qiDKd=jj?|&mG$Fq@#5@xM2NogXi@U=tkXZ5Q#0?6 zDJM5L2)3SaA|$7t>>Ds+#$il$NcLH?d}u=$!#NHo#F&@$(a!cj|DQT`SsBh{ayy{d zmJ{r+iw!05)PIy*WwF%0poUpkh{SYeyhK6py_+X-$+R*EppvIpUt2IlOb9v(=JtPz zA$g@XH%9{0Y3K=EZTaMSOH5~1id(MUygIqk&m{2pFQ;&6{k!Rm3K5eu52vH58r4*5 z9`oczcMDpGtyep5HUL!%&_THxXj;krrvdr$&Ffbin+lj-Qy$pojo^I;k&wlcsnWEv zy1X_y3jz|r@quuGrUYM8y|1h#b`^iS=?c3_jV+9D*OZbxCh#w?Jwq6Ut@C}SigTd{%`lw zznl8T2&vcal{M-0HqGoO@Bh}M2iCb7p*|g4yUn-CWCe`+HoiM`KS zjY?x0mf3Zv(_?BWr+xkW67qjTp5Xw~nXyW9h=2BJKe4&9N^}BoM8=F0%fxUKFd}Hg z;?TG3Ma-T|1tR5=dlLz^346AAmDx-T`QY%bt>YDO2Is~em2ouCIhPYTYoGC87=V!|dA7G3aDthLM;fo^&jF2`m3^OO(Uz9#*vRDNm4>*-C*^>XdDMhT!QO^6tJxd_m|?^TDt>- z+Hp7wz(7qHaDvFKXBsD)N7|gSvxx2{8t^#-Yub{_fDlA3s@iF5I~q><-55B`6)o%M0(_i-p`^2JCb zZ7Zqeg4jiZjpZhqV(urGF3jIEO~6oDhc&Aoq1(?B8fGYIeyFNq^EvZgI5(+>1O7q0%vcUr$}9;$STRsY?V;hj;VYO_T|a(*0j-bKQ~wTV99qQ zo8$EWt3hu$igGT$4>KE)-tJjo?x|OcP{lkdgTAML_IdTss>6ULTaeUTKUaV4eK)c_d zQ7q;o_9gwEBr5;?xzC<&qUTB5=YJ&UsFGftHJIMVl+4^G$Bjs20P0`BVoZZ;4Xq4L z76cO1Cmw(1$y-are20t~n>U(UWB84tHW`=f%rciP~xrPbcJq>quLA>8Ky;HBD2e27L)>^i;i(^Htn?a-&YIEjq&fUhoyhR?KH7}Nlh%n@84S&bHz`YLRR>_ zLMzMEdl=O$rQ_q#&hCoSDipN))X)Cb3K~qF*`>uIYTBYetF^UGU0Xn1Q>49%t_FSm zHYMlhjnS!FEd@M4AC&Aq(kb1M zIrCuYHr|DIl(jTM(_@(xHA#0EHqds_S|&qYIAT;?Lb)@D9&bJXrRfY z!K~+zMLrSIdYLOUHd2!Ur5D zhGd2=XAJClutb=XB#MJO!Ouk+)ggTYfhPKi!Mt5_Dha1pKOeD>7_dNX2%*H7ucu)X zo+>!Oo+iP;JM$d+E|%Ilmd=RSL^s4(wnH6boT?{`f}K0FMt_>f8j%E92=b&Kb3Jey zxzR6LHXMNN6E^dNW)Q(a{abY^NCtnH8)T}6Mo3KIfg1+`5VkWEfT;=b2hL7(nAwG@ z=d$5#hBNSI<6t`PXX+k)QAeXBjEZj1M_)nBSM4?t1G7%0q#cEusU~j0{qZf`a4Ye% z&p@fT)Sgo&hY>7%Au*S6w21?)K5C;8zg`Fy0fik z4iMY@nyGW9K9t9v(UIT}NPy?A)fsGOt|i*eYo%gpYro{9`ZmTih&j2Kaw4WI@ORP9 zHar>vce|h0*6b*X_?UO*_ULT4M(0fxHVG*gL+ADVU<0Apz{GK=Crxt^>~ZjY=+0%r zrMk(n<-=T?;|#%bjn0Y7u4#Xx^DJFVE3hX$9u{r%q*=gre^r&tj#=t;19csB%Lb;? zwu;Y%?uABE@OLKgdhQW{IMywuSc`ToFrULawXQb=2>Z}fq_zvtq4lOzEsehb2*AV# z06-Eh>6m(0f^P2qX}x;&`7(_y8|{#X3JO!s;j;_d@)~W=RiHC{k>#J$#~Qk z*O3)xhIdY`txxDNg`5-~4^kjm$vh*HQ%@*y&bZVD+2&h?$5&pFb_`6*3`n!b<~4nY zi8!1yNep6KcpR%{&lP{WJuj_d3~&E!=bvwNg`%0F!Q+I5)NGO^=p)C%Gjnpcfkj{| z+eI@C#im7gmKdBXS!x1kA&s}S-$pyzMvE}Q;Vc=!d8`$b5wXTRsdBrdNseyT$|k4M z=htJLFtL?Vx^H*?XIhNesn&rhGR`4UW^jvB+oARIB=p$@s9AqX_x$fzNIPJGcpNC5 zE7GIGK8~bbZ<1+;F0egME*?+tXM%*{ZtXHDB*)aKjsVJP_|_3LU6YoJ(uifMe&!An z2SoAWFY$yp5k8LbB&`J65#L483yU;qmx*iddW$Na zY&(klIST7Qile!LplI=fX6SFen=SZA=UoM`fzPjn6^EuJ^4nTiyy7u|To5d`TdP#S~SxiJo zf@GpD?L<9OAj3&NBsX@c^{*-JV;i+dX$$(o3pzYWH%EnbG`aMX*c|#3LVw0YF-LEB zczn2jf&77w;U*954T0>NXn${bh<^L!@KgaXUT=db774J+Bu>qG(tHy=-~VuWdboe_ zd;?wN8asc8TnhS^(`*AB9uE)EHaa{#P#CCRFGq7p1p4{>!$}1Y1TPC5VjBYPA(M)A z)}Px2zx{j@C4cOwKP+*dL(W`Hi&>Ul&IPCQMU_~{XFZW|M!;!0rT6}w% z4$?7Jb@P7j_wo4R^5pR1{Ahn@$z-Fi z*!0pFsOhs#X#l_#h?rtdRTm2zMp3M}AgR9>G2<@W1{4qA zHAjE&@-r&73nn+0y@f*4tFo3qPL5_f{5r9qwOWXIZ$-Q zK!BpZQyIVydk|MK7KEoijv1fz94Ys0GvAdBE3r^lNu%bD(udTt9vqVB>P51^cSscJ zeyPSXhiTEPOo7T&c5u&p=OpwAhb{u@J7m=;!M76{_IA-u*)RA@4>tFb-#&&^D!6|( z+b2+L&Hb;XUvkIQhI+}UlbEmPN%N$Vqgkq|H807fv)edTN$ZN~${}3`3x3nD%!Tju z3{W?(&2yV2W;U^Iv0{c1wyS;yZg{c%>Yo)AEK8g?EP+x+NNRgg{2giGq)xsgA-1b3 zSVGKlbXY6Et$C}iR;alJt?wFUYef`=; zbc_a{^l8|U@HSoq`u1%htl%zdany`eSr#)ALiZNSkV&*o{zU6K`CgXtHh^Cb4K~sr zdK(BJTre~-QFM~veq+X+iipRdnE)-@(AkIK#ryNa;pN`J$fRX92Hgr~4-@;oNO)Y3x{!Ejje4xHT5^Ekg=t*N^nwH=zO z*Lp1&E6IMJ&rrWFFOb~tZ?X~bt?ffc8OL7Y@l_u_R8yI>`OO{xajxwi}C`m)|ys7!9xK`Sr_&DW+G6( zk0SABfckxigWLKgx&INUYOpWf-as86kiTk))_!^Z3gs9w2*GOXaP`yb2%pne~S@k2t5N3_y4m%;BDR&!(c)v{ZXPH2Yb zNaD`~VKgQ;Xhy?W5>Xx|@#xH&x!c6TgXA3c8(7<$5cPjD)~kCLJczFKlXuo9rwC=jS*zc$HzJ6635r?z-It_jD1=;21+64}%@jlt!fEgaB|1mS# z`(_tmYYtzQ!BZkx9&d5pc>KJd7J#1TnUk`aX@`6iN;2?>=&w=xxB$Vq~SyixDL5>fhQ?H zX%#tX`-3I^Ck>yn@Q`!H1={_o0QfqoBL>%bswC4WdT8CJoL;)> z>7gGss)q&<#>F6xCLH@D?Q%e7k(?(TU*`tXL+gJ5RdSPD%|>U?eI%vLe}d0Idg@tEqT_UqFSxm5I-Zf^!o0n6(BgMwxoxhDLtAwY0}Xx zl01J7J@n=!{FBax5Dgsl`YA9aG5ZOMX^J`1htAgiXN&_nro=}$igbF&wcm(_4)vw# zLk&cr5%F*=2zW@MUlXG>b0tYh;0rLM2bW|W0}{??>mwbe+gx8l{=JBJ8}*d2k-}0b zXb1KKbh!IddvYZ$lQi^B>-C7!P>xaWAEJN%54Cf+ih=HIBLSOFSf7AyxC6D-a($%; z^~`vC?dDePsYRGBz(rW3$S&tZ#$4ZL>Gz;Q3{;r*+8H$WNxFl=R%HUIno4G4g1^og zllcv~HwoAX2kB@1H(W|Ah`oJ)YB>s1eMO_mK)ds((jlOAdz{PVTi4Hr{V07j)vbRv zY6o2m{=AyuSHQh9Ar5rZ@go3cP5Q0JASn3Foa#6>G>tQItGc62G^s52md}0zQ8t#N ziW_Cl&7_j1ZLO8M=AX`?qeQ}KJO(B0iWzd#=b!#^?K3j3^h8qHB;RM-9^AGZhyGp= zP4Q_wLp$5;i=ya0c7TT=BwsF}%5-G;L6X1pMkou-SCxvXIooy+hm zrF3P*d!w~|z^kQi`pUN;=Q`I73vq7Ju5#=(R~vU_xmF}`XKF$6I87DK3$q(EY9ve^ z!R6!{=4mx#w?X4@?G<5^slC8ZtrugGox5(>iF4SZ3&MZ7Hd|;x zB<-3-d8TUhaw$TrB-Z=9Nr1l7sz2JfkMgaElugp^639LKtjj2955!z!l@Tmgv)`t_ z2I!SAT3r3LKdtc?#&MIx08+I#=7{n36mCIIzGsw^6cRW%GYZC%+fdl{awu z@(bGdl+wR+KQ^85B0QQ+L|o3B<;jYhnX{r@3+_}c`(`++Uf2~xGuy<16wAx=cC;wj ztxHk0cZQ2hsA=O)r9)V2kiQg7v&iKHeBNm#>1XccPM-lY698 z@2g`5uq36lNx;{9WaPlS)$*Y$E1~vJXFC}LK8`Yb>@zbPkYBl2YVMsA5M4wD})C;+vFBzyv25EY&D3@ zkHC^treOYqj>bsM(jevmqQa!-n-cIGK|TwgONeErJa=ASvy-cGH+ea-OXf^I&76`ez-Aa$^H_r4)a`-DLQi$f*aa-hZ+fnY87C zNHk({imq(+E5P&0X>)~4@Li#Vq@*)r9cdheBAeA2#UcGOCg?^7=t)EI93SkR=_V%( z!X1y90@)O-(FBdt0UH4yh}L*#zBn76IfmQl{N3KZb1bl*C1Z;)04&yu$&N&1&fi(P zb3VeJ`JsO>duf|ZDe2>kZ?dYbK*E!9xT_?^_Y``$>Qx z^X-|MB*y7qG@R&fl!*4P?Kp}!i#P@2i->+ATqFsOm~T7NeU)wp`8p|(%&Z79yCz)i zM3@uQ``k`giaH69VudhmaqN{dZKoS_~ZVd3R+>w0HIB;KjB zR8U9)rHXa$NFd|AP(z&5?k4N#(27R?{?pFjReyUE{qLQ@+l6RVMxo5jW3H$F|H2)l zY1apz{|O9xZM#@fKwKOTQD29eSO0YVI|NH2{e8;6T`wXjU=yy86t1G05fznrsSAR` z0kMCHDw}}-C>bVfk1$M=S)u>|VS#Q)5a{d^5d71PJq$Ku0^-j@A8=Holc_|GF~*=h z~+niqBMff>MBba_U+n-MlJ{%>L_p%hRV;7TEuD zPq_Wo`ar|}zw`RdPHz8y{rb(zZvTIX;+#pV6aY2P1Apts>dpPou?om-;H7^C0~`0c zeV3aWbo+S2J`QFPjni+WZLR1}WU>ZX%PtyIX8ep=Y|?|Ly7NBH4Qes@&v8GXLN0g! zY>@xkJ8ug9pKo5j=;Z%Hlyspv65EDdSNz)V_sd*_N<>&zf@NK)AN3meS1t>z|EwWX zd-bnT|9kTyzy4ppe%-}?e2{Y* z!;A%5PAe?8)Vt?v9oNXO(*{em!8$##mJRgugLXKgA?EXgM6WbzT!iIx6aApGBc*!W z*RK$NQ2&m;eFNlvu-y}Bez--WH?K(OId)$a`c<<++lHUNEu`r7vzmWyhPw?M$^H}1 z0^p(=Fb}^!E+GGH4zGpZ0h;9h_RgD}{C~CcW~Yjc4V^VSrcnmjGDAY)YMK}xg7o8+}M?eE=$ONaqTU30nm8=`!;|7`*M4y z%m4HsB_|&9vcF2Y54C@@@m37w==9FxHemb zh=`{MqLYU^k8Am!Y+Ol{33g5XtZ$Hw(z;PuIh#`4?CjYz<8{cDHO~+eqVnoQh&J`+ zRLaOZeYFKLX!y(T zAKl@gR^ms@A38D&AxBj0R&IVxV(pDa#6*9#DaQALfZZS(j#wP}PHqxmB(fu((+|}w ztAZBXUY&frQ6# zL>l-r(GCEY!i1@`}<)6I(R|BCNFuU>ZVzYkM#OUQrmT+1E(vJTI6?pK3UUpRv_ z<51D)4Bdu*UmHHB*EAp#H!Z*R1>NX&&KGfRp`|NfKipNbR<8~~f-|EpK|_n()ldME!Mpe*tJlk&m2 z;)9B-!Wj#xWSoYRfyX#uAPcvW3&gVwkh^RPh39|Q3OqwsY8GT`PPtpvUeg9K?E6&h z4LHzxaoXB>G_Knwp3_OZ$qpy-M5@J~vw&2d1&r|UTo-CT|~GSuA~JSRFmrb)mSs7uVui+}+)+I20)EFu1$BySuv~nj1Xxv`$wC5N&c>C z{HD+thiv-$3)1=4!bO%o-AEl1#6 z?kb;%#xeP8IYkG@+6&6IfN^~4J9o|Y>E861;s@_!nH6v(#BeRE8rl7B{;#H^QW!Bt3HQIU;rW3 zVWIB%k7jcw?Mx-`p;LMu{ttF7I`=KBHi}G$A`nhDdvDyx2v$UxXx$@Wq`!2czlU$b zk{Y(h1ySZag`-o&T92vTIwZJRt239i-zbe^%F8xD5i;|JuVgT|)osb3o60nc8c?_N zUEjE@tfs5~l%X5tM1qL(maqLCEj@`XeE<4+dcIV1^FdT&;QH|oS!Fe=M6HTwJ~JnS zOQ1y|*y53DkC^~v8x>kw+cCD2fm>jW@g0wBt{xjQ1hPU_KBRc8_D;BbX*Js*Dlg^Y z(sg;m9s{vn3yYT{LKEf!+;Cl=2?!ZQVUl!t{mY5=teGm~A>uQFF8_XIk6TPnUx3A& z%f7aEY@}bQ;{Wao19p&ww>v?3#z5_=`Pd{xIZW26@DcpYYORs~1@5=>8z=GGJmCJMoSuEF z6;WS~)s?TDl1BKWYYRc)j}`&M3)(+BmAEuG{Gble5o0`ME>{bq?nZv(#PFmWc^1EY z>6PPO4Dkg43jN|%9KYh&&@BDXU0c8P@@~ z?jKKIIzI(F*uYFuk1flEoiI~X_Y>?Qj~K7o@JS}sdYdkSW zjgkq2R4-2NQUfE-cyvwm$wNI-apbihsbWkV?cd{WoakIOXqv26Bgs|0F>&otM}OOE`;z6-OOd)t}G6%wzJ?WJxKeMK}|{0SK; zl&Cu09k{9->+pb+UIy%I4kWKv7Dr|B<*!8GtvC&7NgVU9;?3I0$T}LlZl~`xwnfCK`4rZ(U=M2EtjG2M-6j?$a44R zX$PHlV7DPZfNDl@KaIci`?N{R*Gpi$@f@x4oumbku@g|Q%KzZy&1hvPMyLM zEi+MIIHnekozS5Qf30KLZuxlUu|=SF`(?j(+8pF*+(t1|iPiYKF_(TJ?M7;UO|biu z#)iL$&BfnCim`|)MR};4X`v{zaU{>C#~tq1A1W(jfI6^8OOd@n+gUzIonocSB}GwG zl(*c*%4hmVrQyPxRvq!T3UM_I_o-6pAR`_GD~SB_jNOdxjH+g+7*UU8a0hEvo&E}R zr27E9Bah;eMzHM149lQ2L(fdzwoBG4WO%3{tvma#JNwr< zpPeDt0is|XLhp@?kAA5iU1zSPTG#4pJDEDO4nixMZVr{pPBI$5Z-9zprPRtEZ+=O#oZ4k_UXPJ}E{^lcx!Si-6HH83mzbE07E z%W340&&Q{mxscr$s*n_DiNpQ(2kkS2u44Hq02J8L&GzASch#Je5$WvK&uX-7GN%ab z5?Jn7t{`^=XYJehBI70Kj;Th=k;wavVH$ZlI_BY#A(}r^Kii9wvywOn=8C9WvB`MWieUE&*0$Gw`9OFgvr`^`@`C9*xNHOPt%OAPL$Zb|LEdB%{AR!K}> z`i|zmK&8u1OoEnVT{Xxz!t40&k!|OBK;AQ5-Bn|?8^)1et_1<>RdXj7FD+jGF(w8{fssKWTAon>DP*AQF~sKC z0J>EmZyOdBT;UICgzeM#=JU4S&i*d4Cv?h)#O2iERE)M$R(Sh1hT~2SV2{RhMl^>y zlBvEM+v6$Oo4LhUy>21?ZgMGrg{F|Cw-MH%Qfhu+KyzfwT~LoWKmk2w!U=i~mBa#c z*F#s0g&lN3jQ`b8$b-F`TQx^{2SQcnB_`roe}oUk|B$*nrCVs4T(uGJ4dVvL$kPwe zG5p_<7-Qrak*5FKbz)?yyve>a)%3Y-D>IRVX6IJOAk<*PxWZ45Q^evWqm^LkT<+lH zRoYRt@gU-7=(h>FxG)xf&?0EYm9&+95b)yFGohpKu9jYwD<<=jH#+#GbyHS%*0?z9Rs_FZ08)zKv;@vN=cgErqpsn-t~0SO5Nh%wEE zT*1^)=0RpEcT)c2A3mms;S}d_Y8f0~l?qK}G)*R~E6atdg7w7id!u%nJDdu|Ol2du zU!krE*H$wV`{j8#NSO-ba&J+2Q6oua0S)=YisUa8fSOZvYsbS!i{io1A@rI??z9D@_;S{T(Rhu1T#P_8&J$1D#*nccF zB68E;st^XxPG``%R3Q_q&24%2ikJRS|AaCR^y|6b{W9_XLmCM+ z#Guf~6aaF9XzW98?f(_;SoO&?>lqwgmZ!C{c#2>})Az&6S`7W!II8tHD{7)lnM18E zmLHA-?PlGK!=!xfnesAX5pUFE=-jN7`0ZcLhO$jEG)IufjG}#|UiI{G*fZAJ_5ZC) z?`yTKi=e9Lmz2wY&4f)&G_xh&Tm?I?9k2+F3b3x+OCM=9ST?RP-O0ypr2b8Lq|iT< zdD?=dfAo04RQHHKW0L9h7=WtT+Ht0O*;o>K`rGGIJw#NgRHXegBK~Lj_G3@w=iCduC5~ExogKVlZwgPVi)UTSRv=i7u^P zH6R=#(>^w1E$)Rk?J^6S#>_t*pYS2Jm1T^5-dRHbydDLvn}4~#17R+AJzky?MO%T- zAk|;~F1feXxIQAPc9oCt-G0wlDmdO)ijs0G5^3*(x_CvJyE_cb;!<)nr_@#63E@Lu zZy?Y=6A}!OiYRZ40dALAQ=}-P!V^=Y7^rW_;@!A)PN#k77l&`G`*G`6tY{zHb5Ow0 z_6;*1IF5(6PX_n*syqsrHt7!Y@s%Sw|4{8@48c2E`;m&FQX^lD$=|x2fzodWBk30Ce;TFi!JiK#@fRlz?y=@V0s6jT zcz;L07HLnx?kU0Ww~61CJ`vw^nu1wzk_(5iX<>_1R%I$sBn`4=UJP;!85;I?fNGY{ zr8Nyk{jRZ*&rSE0eE^8P$({W{OQgz~^^?Cw7EYzTSp&su?oJ2G|8G79T}u4pXvkLM zF5o}=!r|H*(j=fuq4fs>;bIn6K(l-x=#4?S6* z#<_k@u-J8vRqS-T@$crzdPZ?)zI6$U>Aeg4 zmC|hbFBo=D84!1G{D&+34W`(`b7>7?18&v){RaVqaFaDV5cCu*Z?oCTZ}?DvyOW2L z{ndrT<=Z=H_Od)QEpS7%gaQoof$iJGeb`*K#;3DeWXN9xazaXq|FlVW54y1Xd^h}yD6Te3?mdgS+axtq7OmE(eTPS-fdlF)UPT?ByYHwR%mW*pWAzTNBNY? zE@FneM*ry9nJHRXa8jSG7iHHk2HZGgnI-GF|1rNkc?Wyg{+QIO+!MR<931yas*8sY z)N~_i`|K)!2mW})fTf-4zn|=IU>-SKRma<;`~8z@3)ZO~xN2`)jen4Zok$j<)@H0_ z+q(acxN*xa#vJOjwQJEAyOc&b3G;nIw()e>22Kz@)NBK*p4+%F0DmEq{QLFh=YH+b zL;3YXaiJH_B)S5W&CVPcc#_|QCyz|oGwjN05d2~wP=Sc9E7cw&&~hO(xJ%*T*7Ae5 zlb6$GDJUKZx}-`7Btd0p+F;9|mF*dh1_B$6Sk()7jg0BVR8J};?YCD`| zU4A;Wx!TWadl_EHG1etknT8&VjQHx7rZ9{8Sg%cw+#ZBhe&IU^%B`s?TQn6sVj*_I zMQKL>VDz8@p$Iw<{yV1Y|KE|}t8fZf-negU3M1$&!`FT|7GhQ1PM?0=vmA_x#_%P) zcQzxv<05g7B2-AVu0(Q4x5zZSz(L(%B{_`WE#fI9dE;|4`<74H?szPx_wx4ptg*>a z-*dnmLQ-#VIbFl4bNm{ud7tyX76RgUo5#o1g(a8==0_}7PVrp{X9`mFuDEVa$1GQk z30Hbh*$iJ5Qv41-Sg%we79Z0d)2{eoDRLwtgX?R&MTwU`G?+Iq0H~8s=!BkbF8fF4 zqP!7Haxpxup1Z?xPb|5wM>UL23+qPXoZaeV?Soy4P<=*Um=7_GxqBK z5dVE$L4%Wk(ii#6R5(~W6Im7F!H;PrxPK745ARvl5wGm$RO?#j%Jp`2?e$r^Sw_3V zmS{Ym!9oH^UkZ^9?<;&>Dbc}v9utA5<)s7tO_3jm<}CjesWk!Aor(1fYwO0VTWLvc zZT7C~GT)@O1DdP`ZV9{;GotAjJgH>GUyno|ivok6QkL`41jp%;!CmtMHZn=m-!@k^ z?Vj|ql5hSbZeL4APGetdeK#%Q?rBmc-+*6uDO2G1aY)hLI2vz$sr=;X$g6!^F{CcC$n?J!HLU*Jr?Qx;giC96!m|9^^ zHR4C@IC|9or+bL_5eb{~m?U~+lb_vIGJc1EJLUnfA-4d-aFxpC7}mWX{{dhtAdT8N zl3_O0t=CV&yO|_%NG8dJPU2d3UpTs<>2-az%RsfKfv3X!vB_L(>0YMq*5f$k&RyH z3GcK!0W)d;x)n(*IsF=^iGeGUh?A-6oPN6@A1oOlB?484qdb^Ie#ICn@C`qvNjQXfz2*CNC<;^1Bp_le z4Nep#*=su!>c$DRH5lYA5+Hakg^GvjJijGsQx^Xu$%K`!M5h*k!25kBv|$IU4 zm}xSD@LR@tPcPKpWUne#7B_PJ^-Fl4jgSV&Af*FJ7WoQKiMFKG{TQGr*&j2tn3!+z(G?-DRT_GQ@Gd@s zh(ysZpUn0LR(HDNrlDg~;1nmI^wa?1pk zUij-KphW#iwfE%$reJm5r+&ocT1jXSfn{GL=b;K2hUB$ELg)0ceDzfMn!^o+PqtHr z3t<<)t~#nTx=`+Tu625cM}M&UojC`kj8P2!YQ6H1JwKOa=($23SJPd~?o$H+Xr9^p z{IuNsH0btzC2jfaal3XYS^Ff)$Jn%u0K1Q3`3R8PJGGAJ5Fm-!_JxTt$p&nA&xA-{ zvcyNfNsj)0*EPq!4Q;%HL<>CZ8yMkTHx7PxRW}Q*R5b~7x?JAiGR3skTGZ(pt zX;(Q;tE0HULeMs_h|s8yN19Qbu&f)_`=0f$|ot&S7htkuObo2=D`7PYmH zrbZ4jt;_S(2BlAYSt%x~#Qla<}si^xm&3Q?TY9A2vWXl9eqYXz%nJI*PL5?fQmN}k02Pzd<@?E;`K=AFi zkdIYXjQB90I_;$u^U#_qH4sVvi#JRFmk~*$Ds^6{9mY&7!Xf|#JuseUl3B?o@>&}^ zQ}Rx7LxcS*05(bIst51Asqcuf8}jp)fGm~H32>IP!@VvI7FGMm6^)|lRsGJ1@?&;2 zCII!L^I=zTD!+;7GpEV?2>l>&2>jbOg77Ax!4&{qp&GGN;VQX$WCaiyY6%;@2Ygyx z?Ho8$pT{4SI)D#@E{|7-LphiC%gzn=j*Y6%5bEhO*8QtbLXfI<_Q&-|yZ2RBTbq4W zGj5Kx4YAv*xOL&8kO8AR)(){VT+TL%0&zDhnj^_5LKVO%;O5G*J_An}5;~DjgQZH0 zMOw>^?Iim3`(dtEEs7SR-W?xD1bF#fdf)2mbYy|S1HhpK0Y`xrnEP+LE-N9l$c+bi zVNq?kwq-BS`Z%+lLZ9uOW>Ztg6V%`Yp8)dI(qeUWH7^z%R%{bd>?&d&QJ^^s5V{qCtpB<5p;Zc|`bTIf0ofIL-I|%o@yQkwFva zk3T6WhL1FOx75Pu$JZ_5^=#5u6?9w+_6%;x;x zY>a^Z%+Uyu>ntq=XpNDOF1_MDvowz(*j(-hw zI^(uKe1?v}k`5ly3`mTy=_{!$Jk}l{|{)!98<7dwIk|$LjL9!aAlT++Z1J zMS2m?VHuLQ`?qD6il{-%LYI7+Yg}`wa-sLK+={jT7y6YIkCH%{BmfOS`If-j?4WRF zoE`XvTsYhC-;&ad5(czi znhMjyObpy0^rb2-l__wPmF~MHblaJ6Ia#Q29?{VONwyNBcfGQQvj(BPR@mJv z*uDE)P~Q3Mtam%lK#891Y!U|pj$$(cy6G~Nk-zj}uOP+Q*B=6U?*98&dYFh%SX*Qv z-sIVhmYV(iXs({~b9607C#OT3o|5&~Hn7*bwF>EoW=h9jwbcs&^iijMnj{@3XEuJ* zn@Dt_{(cHM$5*=7`Rq397?A|I!_v|`*L_RO3T{TvJBQ^Fs)E*`hopMsZ)6t6)*-Q} z^*F-fBtpsT#K&U+$vRH#!+y8K-4>oh{L&x_8p9hN*hYRH#IE?LVqjY#C(Oa0P3(MS zrh>Gk0sWsmG0JQUnwz(DK=W) z3nbD62SaHwAeq$HB^JUxON>}1>u80eb5`b}w}7IQ=r0@DTQ~Tpgy4<-(87Cy^QIT# z)lAwcwrjBT;Z^{$edqr)oN9W{9;~cCm^zB54cEGV0&k8~byy6vE4|@oDvoJx5z+Nt z1v-zcm47#=`J?LND+a6{Xxe10r};Ocb_y7$7V?}Ozh3S&SE`Ql7o~)quatBsdEJ4U z{obY7Q-)Tc=}g5VZ8_V!9e+r|z;<>)-!9;=sm0s*e0+r}NAGQfwqyhu1%i8@NC!7f zk&)6DXbcnBA)|X?Q_9LRL%mj)2(6}50o}J`N=O&~aK1dk^|4NRZ{Xzg#RV^%%t4~o zITVa#n6OnySk!fh=l^Rnq3%)_^M?;ilXSrTi2GaZe2@Yf(5KE+rO>o3M^>*$>jf)R zDb+QEoAfV3qQeTdO(ZQ;p}2u0$#74AEc#i1lDAt_HS;AQJE5`GXdmB|y{hX%!s+b# z>wow{3L%8{8}f0um6BBfswHE1^KXV#^KvD$F^!dbi@3{F2j{)(R+~?5K9S-k!UKxX zPre)06Hl@MuX=BF9Zl?}!XMoggL6bWWOSiKA0L3vh_VBBIK}hsPyxFI8wbDi;E!4#jziF2ZPx29Ftyl|6!y`q}DW4TQvVLLH#4D=i)z$j;DoWv_ zx6dbhHN%u01=HdeP0+36nL5%R>sFiPyw9A1DNXcS+Kk?*RL4X)L5S7fRE=;*Xh8me zx2m4|Ax@~HVkFVq1#Pj7lMo<9^YGdnit^Al4a&eC+_9nXR!(64bylRJ<-bOAB>Zv^ zd!2^($HflLb(ZZeMZAf&f{}K;bLYDMETACTGuugPe-z&Fw?|p@0^&ok=fhr=Cb)0} z8E+pO2Fr-p0cQ;fW0aA`MO|eka0e-i*sBwY{L4*vshJx^^4qstl~3TKM{sLPQ(lVN z#v-ViHyiYRxIcxEEbz{r4o{Cx$Trl1eNEgusrF=LSGbU`DC)Qzd!(mzcW_;y z!a`&;pdcA;zfp}ydjrOYwQ8(#%yWj%D;R|JG_p18&gO(IX@2LJ6a9DxXliwwtg>ZB zVux34jY!`mK-b%Xs7iSnryb)`LpBo|Vuy@!Ce0ej$4+7;_f)?!ntq>+d^YiY0KuM6 z{&5CeMzXq#F&Hn?twKIH^T5(%n0X}$T+q%e_;Lp&98-9-A zQS4CD21YJ}DVTskz_>=yNna47AqNK{e(rO~6~Po0A6>#fOnc##4L zs;(9gV_LTT-}nx9CK}?0ZhXM&=;a3)(I~Ag*BTs!YEXN{C%$V~=#}2asdv>0qHg=c zNeRaw^s>Gqj30}8+{F_R1uxOd9X$4P`BR1lE+sagI7}EA%RAp3{-^c_p^JEAodjM*9@g2rH=+_SoTZ5@y5nHnx;-&Qmz+_oA38Ky^Uk zbQN9pU->i>BI>Txvf1?h>_z*PXYxYr^j-?8Es2|K3`(240GU|A_%RGJh6r7hutvAR z>{-B~T&(lE*VfdDxX7Qj$~#TAc2t{{NC2Df1H1kPF^En=qM z{|&ej?8n5AXv?Xc+Gy{}uQ8Czxbp%x^(PV$vl2pXh_{W#IqL(S8ic>Jm|u0>W@`dP zIdhjp34-FUei7`g9R8;nByUAxRbFMtrsuxpP;<7MGUUNfA4BBCc%c9^u2a39HMEke zSowMLs-0Kw9*w!u(3<7s4aQGMQZpV!*0!E;x<$_tHSF|i_>GnDx%CTTE}G@_{9&#zBMo`Fblz!D9L zFfQoeukMwM(gx1ZD*=V+3{lb=gx!^~-qFYGuwf{OZz}!#ewHiO(<-#ICOMA&-m4P= z6lViA^&B(}YLCI9refnI5#EwYT05a<>G?Vbv6l`J9x#aE z=x2VcA5%!{I6jLuWKxJvK=1kQ1G5gjr}ClLFZOAoQ~}AMu#~WTaJAD z`v`BjjEqk$zB`>3p&pMtQiEDG=A2X%d-qi`82E#|BUD^WBlPv!{EKJo6DyAF#|h3U zY6@n(Ld1+>`^e2a)_*&*Dm!F&41ePEp7l-dGnSOg9c`g$%g0vU>*fN8q_p^6*@iT_ z#M*-ovIzbOdYR)hs>LcQO4VSxM&agIep{_g4jCZlr4}qVF&gH%=%}ejdq52|P>Dg< z19+``-dn|bhROOxNW%n0HqgqFWp-zhF4aL^F6^AQQ?rv9#yCIf?&MTC?t)g6Cen2^ zZ!l=N@INgl%j<-nIkC@sm0>~BMKLyQba;Bt{H8@2*oEo6_XqqaYfNRyF(ki<>7(Q| z2%AB+tma?!j7QMJGR`LH06%D`@&E)|GZicFzm=Nt@^=G&2}0(B>wV)%`rM;=-7IJBuJ6O%p;_|#ObWR&HRK)Smfu`U=*1ws^OQ2-N0Eml6q!?YD zM_($W!{4@vHi!F$YR^63g@lY_`_kuJ=QovF^D&n+q6BJ>z3aam74952#jFQQtmuJ% zL^b;-N&KOX&evMh=_n!_<*7(^2Q|3=CLJ`g_M5B16nU0-QzuESZMf*(Z<$h@?G9)E z&PiFbG)2gs=09hQkkIG`WI%sjs>$zHu;K=m+LoiphF>S>fdg#p>kDZ?Bu&I~=Rbr< zoof(cnkp$(g|!YMtQwf_X(2X)VCZ{^wBh?V?zhot)ykB#Tc#UgLM5ChzABVl|0&6I zi?AXLKqsaD1*qK7C1biI9R+y;4dFZDN* z@ScRIJAuy&ANt|m54m{C_uL2W?Vx$@-ABIm6Tc+h3x==WFu6GYE)Q6s-O)OBl>dkf zi~R=AHwo$xAJ5s<$}enuIaoRJea0m`4FW?(+43pB4PyDpzZA7n{vDoCowZab{4q(e zJ%`TwSHi84p+ps6%iipe8Myp!C=q5%YPK#7Taz(*lZ%k~*Zz(_+9DR@4+H0*;@=VN zeXS5Y%?#w<{x-tfT#t8LKvV{Wdiyy1A2Ly3S2R(F-@FQG@>YG&D^N}aLud_*+d-e+ z8oL>dS6#4*@75amuhdySZQro64!45+)aP#W;Y7co2q1L|t;@Hp`1j*I`f2f_*1s=! zf@&o$S(7>iNxf-8fgb0m(xtH?b0xmdhw_%->ZA|KO%(htZDMW%q-(Wi?Aa5rkl3wl zSlcefve~S%=2Gh_m63sK9WHDWl1%uFp4Q+C*)Kd3HkH=V?jXU_-amnq;oLW8f(QS@ z@R4^@4M0+_?+vysM{I~!_k8Nx91^D)AGWz`)cJEiF$`ng#D4b5ft4Ps8E;QO9oLzy zzow(?w7RlOL%T3{XZ8ColKssXM4jVSXsgtn{>@9<94kO<#dF~fXS(p_xK8bVvabNT zSW%e_aGGY0aq+IHr~Ueu&#E%Xdnp}klt**|z&sS&AzX4Eg(WWVUgLd`7?6)hkR-jX zc68GvL_DD6p`=nXK{ZRA%j57hIgIE8qJ7LNkWtYgjT`HlK8puPkp3yyAN9f9kbAEYVF4)O$K%c2WI- zIE4}8ektk(pT+7F?f)jxvXAxevXY3O~HXU0X+L_vcaHm`Nu>cMW>BJVY5oPD?Sf%$Y=RC*>w?c}1ucxJ^ zB_*B<{`p^ISSel7OFH&Ns?HyzzY$Uzk!)@OqwN$d!F}MCx$m_+j|-s*sKXexQmqr4s*Qt~O}`p=H#t-l$dKk9NIf zD{jJQ`!+wK=VIB`Mgf**H>IV0~sCEW0>Pd7x7P4j{ z*P2T5^FgTpywo$vjn|ao00);r+RM9~l_Jx7otuPp_%O^EWoPwX%^K24yhw0@GFPKw zEQk^6=m#EzMPz_sVApi`ZFM7xb4RhUv#Ami}N!scvbrZUXLUCnw zMEaRZ3bWj~=8=7h=XO4zO}hYzsLBK70lrVzTH2@X{F8MdI)>0&>)rHc!qACcq#94K zN2VzSrGOYid7X~lrb*Lo-iY=^Qp74Azw6uW;P^>f>1c2htHJwglIK=Fl+2=7q^4f4 zE3T==MN6fAhi$#N&9AXl`@hzEitXh3@3OEXw~9t zzeydJc5wX<*Bdwz`AFco7il;4MslrrgxzQ@$y@CMl9-4^G5ECzg(QRyX+{7oWUljB zIvyUV`2Ol$J;D+5tmlrlk98cjE(Stp^l;^AWLUXu*PQU`f8ad=SwNo1Iy(Qt~6dO2oX^WO))h4FFv$n?LYMirY<-Tl$-H@U2 z*P@Po!gA5ZihmkDreOr5WXi{f&zQ8=j!a2)`-loJS!mRpiIBVa$(RZaZ5szdSm)2T zTU_{34I&_BAc?=kwxS62XzY=WHjZEGp--sS7O6+FUqrV*739AJO;fD1s>sJ;E22s7 zDpt&s!~~ICH}Xhm5V~rGon$8P8|3?XsFw3di!PIq?hbiIJj~QwhhD`>lA=7hw1!<- z-x@|c!SP{G`p%>_;I^kJ{|>j{+!lo)=OTWg5X%ZVIf=otQ~19ABYlGXFD~Z)pS07^5-I|MZ6(H+ zHgbu7`6+8M(M3jrN*fUzcTeygLe_LrrHhWDPpQ{w-CKHnCL8%#ORiQ1II)EwQh*j0 zKw5hblLb}^Rk5~eJDWAE!jj8eEHp7Xl!(r3D)f_iBOe{_uNJS0P7|>{-7&jRv0D1* zA_A7JlA2h#ibT1`poAM8tb~de;z-Q$EzEUO%_IG)7V|im8wnOctmOhPsfs-T^or7P z9MZh+1q&e`aYwCASexjWsrCkJ7~K;laQ3nS#va<{ne6bNZH(um80SaK7~{L7`Csv! z1XR><8$z1exyU~|PD(nG(R#2{Ouf)DI2jX3*10>dJ&!n>%gx@baPjzIn$;(ZdMzcG6HTUFiRW~@%(eYS$f{XJ?-T3(+8B}!pJKIUN0*`8PS z3_+AYEYfvt3A9phU(q;2w`ZaBf;ldGuw{W0lEFZx#y#8UY;Np-;2LIS_x;?ch_PWzt8JjGL^_0u&bn-fA>4KbSAJOe_lpFuo&C@+`+}ESP{;jSPbKFm!*-0&&Y{096Npzl;Q--ztG2I}j|9P^ z4meuFR$=!OCs14-yDlU_dmPRg*vQ)FdPi7g9_oFw_N%(K+*C^wh4#F~JD;YP8y#!I zanQ5Ru6H!G4raz3a@zH`R_AUm-_|yE=iJ?FTs;m_F7SoO$@An;t-%uuq#UN-@g7e% z6daJ@ko_^rfDn2f`5HHQR}-`t;XK9C?-=EaW6J?P>caeFq{?`7rJaB{Hh2m6&rwTp zW$1BEQlg^G?(W>zDn44Jb;Re12-ONtCx%kpRxqoj=^u|?;u{58uos7muGNQA@<}<5 zZX~t2e&`B`MMsDcYQDQ9eLqDxf4I6Vt-gr(sJFZ00xbOvb4FZ#uN(84@or8s&t}ch zX?M9f)1|MYsKQ=jF7B~Afli7lg}9a%iQQwC=eY-u=h)L32JH)b=*$G&gQ(E~V^70F z)1ePa(!yi(=NQ7(D$(sVnQ$#LXiL*$IUQU4HCnQeGQY@=r;orV#xe3|tTI{*xu-(o zf}QZc1E;nOMh$_5n%xEh$UANDvn#O*+316E(;Ca2vf})l6}`+SsEPJyq*G%~5Y0J+ zLL~cO_ygOXzju@uU!LKnrENj1+L*3+gLZ^>j@dzDcw)R$+Rr9yi+A3^LxvxWc<}Mj z(BVZL%zIW;fq6wjqJJ*w3e8=Vqz z{HrC-xF@q}i-Wg{*-7yV)dgARN*h60`A2jV=H?^cn|qhyZ@&WS-?>x%9J=H?ro}JT z-+uM_U%5oyX^P_DltijTD|!;8KZH^}IgGH~hj8&$>p6S})!q!#ac|EmOAmm0E(GFn zzF)X^g&_CXAO%UfnY*@Fq#$VZW@&VwVg*KQ_zrn<|50XAy4(pZ^dAmDo|(T$wlC9A zZ4U4!fvujwkx1JF>uW%biMKfKs2ek z+Z44MEN@WVm|h3Fvb`V(EA6aL52uJ|xD5zDp0+2qPZKgiXE65?Oq2@q=NKlvP1F)A z$xHy&Y4dr$^PZnObQGC`&MCjl=4&X4oYhKhikHlt;$nRts2D~|J-L7FzXCd*kt=qr zCZeWOy+1>b?grt4h2ur7g@qGqV^7cUAa7t<7?zKkUMlz(ON<|t*effBU!I4v7hbpl z3>yBhkxRP`OciG-Ei4go!nwpDGBkL$VVa??&@V~SFKYG+OBd6~@3UqDaxBA2P{~{q zsN(*S@i6c#KLQkvCw}>v)B>lx9zeeN5E4E-c|er{_^C%lbj8n;hWO>+g*_GY9lLL9R|Jb0C)d(N&MvJ=r&D;r5-Vi+*$P3j+4IIDT#~eLc zZNcAsXbz_XM(f|6{$;f9k{kJoI#_iP-pp7@}l!yGzJ<%bS` zWpA5=jM)bKywI|rPNFBkllTkBoD1$EgO2($+jFX}r|bHE+1gQH3~> zwnt>}LL87+Wk-o{A!$O2j?Q*uZ4H*_y3$YG8-2R_8_;gR7zd2)O!Wf2kmfKHP)^B8 zLo_d4(ONHRkJ7_Q{s_>7!5kEBX4ufv0UL)8Q{@2S?z6ldlPIkGb*N+<$1b<DK=rY18@nYB?*Drd0nIpOSbln>cl)PQM{N~ z9keLQ?7T(;e3-J2n}~Yz)Z1Ul!O&y&JhQ;X9z}FrFWm8zs=4r-s9XBdqGu*aKliQP;sNoc~_GF)wV{eNXOL(Rj+W8Xz1@h z5ar`T%WGF-+91;G7=FS?(NRY~MbGO6JD>vQnT2-DxOMZOcAyQeyxJ z@p@ur`wgJwipupkw&6MnHjuZ%?iw2XD>%)w7FMa#Vqi+dpY2{+@_t3<4Y#6sB(m^) zji+2&`*!y`8B7sMf--;7vn1;uN0vY{UQ`sK)1Lk_ROK&=`G{B;Su%zQ+uTQOYVk{k znPZDY*egs-x2<(nWUXFr#A>42*=lD1Y_CJa)d7F!(1use^ z_cwzw7IHqUbeL`id2;I_Y^ntq1UanWlte1zm-b!Z%L19UaLI{2a<-poGWmb>k!CTX zS^LB_X9TO(eSEwPw!j77?w(*&uI zt%WAjI&HPY-dR>+r=E*3)DfZs12n!SG>Bp2XpJMC-(1{FGiiL3S8B`%D=%ZC@kf$G zlya*(eWL^>XBon^B&RgLx5glmO;vvFDP)DcZz7L8VP@T6hlpf9KP%M+;&qMllX0lZ zA=fY^gRlsqp!*c#Gm((nA;@k%K{^F@D>UL^Nh zx8ECKmNJ(QByn%5&pOv-tQFsl&qIYTT2@)TnnVkng!OIaxfW&BsfMIPuue{|Fa<|; zh~}K|=qA5>9ZzcTZIc~juXpJ6YFnOVkcJ`(=BxaO_oPTM3NV7Gu_vXV9$U~acKy9l zHB|+}W`tF#EwUt1eB;Nd6JxD@G5xdjsiB*v#KkN)edgR2wy`)9z@}zc&<^X2Eha~y zW2ePE$;g!^qiLcU8Ujb2?b6k7Zh9)MZ8H3zAY=ZLA?08pMgg9g%!rV;#U$#UOWgv( zghU5!qloaIB*cI}2)5bqB<88s#X|K<+JF(p9l=vbOoUHw2_B z=u|B+W*Cq|)AZ5-IJKSxrK9ojdgq&1VHyAJL8<=nmbbMt^PKziu)4f;V6#2e ztEVtnn?Ddb6}p|ZjMT&{2SvikU|I518p>aY3FK#}cZKCT(2QsZwzyu* za>VN6s!1IYS;NG*rEsE(Jfy^yZwIR5&;AU;*ej<1MK zd4u~DF+J$rR&kXUN&)O4c<`~+@lB*d5Oa972-AX@gPHx>CH6T*WO~y09J&LdvyIF& zmg7Tlsj}72OpS4p%5<=p8GEtAB4bT@ImjJ6H#q|N40ifY$H*UZ3lTC|XOfl2opV;r zj0SoD8(vBcgEgL&oXW7=oaDV=9^d#l{fpS(do?X9H7x{Ax@tOmmFIW&&S~PX{k4-aS@ zDOPZiro3B_GwP~U5@u?v^E1pFR5IinRC~4on6oT#WBhkP6$Tes9IYa-0k_I5K4SMB z14HpFC>+Lb4RLR`-%sNNMT;pm#(W3Ki-f?ivqM`;dOWk&uXtB3{Ca3*o`tlZwUNs2 z@W$(*u((pkNy1#u(8}|xt(KF{FCz=d#(rYr)^nj)7Kd{-s(NwBQ9)0p&vL*gP3)EZ zKLDCQWxs#oawx^`&iv{kS7g%6hbw>lLvb@n({h!+E03e&3T686jpveAUJx;tbt(B{ z({imMZE*;^$b~W+`RG_hBE~Udu{U56;qNKu8L8ZjuWar!_a~I+yHB5gzqh}IQZm3P zoEYXs3ed{I$|;sp&H5lwD~au*_FAxFv9RrG2GW0>ns!JC$zoVmnp1%RFJZ7zJJYlY>Jg6JcFaX(mZFFa z1`;TvBX8w}}RM^R$~Yyl-LRGU;9`rl3iAp@2C?ZJ6N2m1Fw2J_?#AZ_^5{gl5wv+=e%=rFp* z6As@%x9`AD)3AJHTg+iUgDgnxz5OTEU~A(dZ@BiK2M9dy0ZEBE29Od8)b7j@d(;C$ zp3Yb~mEo(;QuIELyjl~WbxUp7wsstX6pDW~Ve9?A{o?tSIsK6>b18l*qXo^EO>TfR z?MPuIU{Rz#gYM%9!dEZ2F*0iTgab(Mi;if7K>}6Ekrc#wxrp*!Z*p#=Y8^|zpyO2X zC?^oD^RpMR-tGuXaHKpACyOdDt?tV$?d6=ypNyg{EwEX%Yh5Fc;9d&N1h{ZGfFys* zKQfY1DN9@sg`guj(~mjoI;SYzQsi5h2ha&3VKAeuYp5`aN=#g*EF(N7ku`LEFx5Ad zZtTV6+S5>bV~RcODFnkdy`|zTFtFFa$&KcnKP%2Xh*%Ftc|;*lB%pY}B=jE<4@itt z%J>etCTN5wXo$z<4PK-~S+7YVmC=7Vpt32sJStC?zw-*uch#jnmye?>tAB@(ng`|S z_g!VXpJ%mO*+-#}Z7}b0PK_BaA9{^(RgH?52t*^S<%@h zY{iSL=LLoaK9^qY>54b&u}rFHntTgmw4`Sp3B*t?4uFND9*NksUM5oJ(}#b^M4j5D z!jQ6${>iST2(*KE*3*^Sz)SXE5t>7pfWxqNr#L0r8}&J=4}z%&yB@ zanV13A*uAMtqnMfIy43Qve6p#3B6g9R*$Js2PB>xi&}+ehag%{Z(?>Ngr^xg(8ILeWu#=}1XuZu{cg&b==0r(_8h9`!;M!@+b_IVPoF;9GKNpfq?IIfg>i+99h4|v637h$ zlrsVx{1GVyU<3++a>6RQ;GsT^DIaQ=BPIhPe*tI$SV$Nm0t8l8W($3SLYq&4Bfp#c z6aw=rzH6MiNa|_jWH%&1gj3>a06YcihPu7%O<3mj$biOMih3nS>&9-^`6YUr6jht* z9AL+7|0(+K@}FmpEdwm-B1>brn-|AZvW;t7=P`*VZq^T*0a{tcJC0SH#C?_q#Krsv ze;h?0ARw(#v}{wIk|&ul2Nn=Tz{MTkj{=u2@ z2K%+y`L*ec>(}O&FHOasf03I|5g!`KJJ#lH7q#(^>?Yo4Y~8RBT7e-uB3K`WYol~nmMMO5-o$j?+OUioVCQH7lR zOi6?%xdzNKkz@j_)$XM*ymizH#*e8r9q=!JLB!r}MEgM(vKKXCqP2LCjJTe=2hZ zOh|QPTito?1zLt%<0K{M?Cr(nkLM>BAAY_#Ip4|uJbvl?advod@ypxuW9QZBo72nV zmmdz#f4rD}`^(|0~CyI$u? zNU`2=meI~*K7QjR;Z%xkf2EVnm|UC6d9E3C41os*0wwHd|CnkQJ`fl~P9LY^Mf2Lxhbt&Vh=lWpC zP1g0nFjZXVgn#|(U%q({XU_yg|4qK-qaUc$7Ub%nai8hKc-&)|D8XRO#?FCLjdip_ zFbr56kVNouzB10~Aoda#dQunI-7vj*I1W7=3+kCSTYjT)$l=r{*Mo~*0h%`^DUnzy zDQ!|VgQFzf-j4dqf9*mEpAwLK)VYePIpuq!Zb)^d#wKiwfD*eaQbLSbyja_emr5Z( zUp=_Y?Lbo%+a9^<9pq^wF_BC@JSMWtrR=hm1+`Ycz^v zkrwD;$gb6GGaM0v%J_gu_ioqI0RMh|^gtM=m8dn3C2?^jmJ z`>jx^3gUzJ=O<^cPLB>RPv5@D>zP|LN)>bUZl3kHpu%{QfjjIFe8f2VPzl2awc2Jyk>(7EHdt~z9)vnOH%eb3B;C`@kjV~mRi|> zaxE;w!I!2gd;eHpQBj`g3c>O_K&dRpdehVb1&sriCM-2hGWoTGKEVPm@!&92%9k4I zzLE~|fAAd2I%bg$rSu386`VwU$M3f>b52$Wwe~&QM7FcXd7^#-ZeaQ2zIYDi$Pse z_AjS(g{JNf!lq)xf~#%iFip8@7f`adAq{XHQR_1^23C8EMNf7SN@!Rsdk*o+adRb8 zf5g^>&K-n;MM{x9LiAw{2@#HxA?^`-B`ro64cUlEh-K&3cw#M|uKt{o7C=c*_g?`a}6N6E%hA=mN2i@>QJGQ#7>xe3B7MI28g zN#$T@S|(u;_of|K?Rn)8z~-~yc53Wff8(k(6N8AxjP?S>YNXVvg)`p!Fy8+#q600T zZrGn*#)%hTE(JBUMD(Y4pvc~gK`=DlmoxV>C;co!5sk07nwVO#Mr4Ae6i0kFC7eZL z0>aE5{C^(|*LM{rSvD9N4x}Ywh?JpjJHr`+ zf6>Z(1t3yNUwRtt{PDalo+vv)__9@0peqEhK(`htZe z^4yiz%Jj;}Vr2y@Kd58p&Eheve|1pd9By7)bB&S3AT=xHt}NKy>g3na&!CufUd5<~ zgR3l&yPLXEYi_mcFrtPJ<9MQWK*kBefw?>L7UZ9)<2>VQs4t}VZ-BBOOM%_$ft4-g z%A*EV$Z!XbHjNp5Km@W*v(u(@M_%<9`kk{lks5gOlP@80PBJ|sfqrSCf6qvw=h+kF zc_9f{NVck>d3RI-BpC$vcCaB++ji2e{fo?&^2ncj7JsJVM;r;7o$zV>1(mlyCVhizsS}!`Sr=9km z|MYuw`sRnX2pt^!Lt9Tvv!t9ZG$n+|vKWl!wWaxXPq@Bh^sl##Jz*3XJiI(0S zh7KZtI&&(T&Uav5-k+VL{nlQ45tC7pMbWM-3~r@Zpb^3P(u8E;*EkKq{|^fa@d74B zVjE;Q#jzlyR>`*le^o&d($+Oto;YP$96Dap73A;I_+}y6Op&#qeuM{#c8qC6H5YD~ zO~>xX)!{d^nOa@5!AMzBB$)k(UBfjNZ7jzzlG}`#vCS9$zx;n~&5GVJkJFf@Uij^n z-`3v59(wEa0-+_;ReiO0R`nP0#+$>}C(2{(ukz=`+2PU2e_zi}-kn~YzJ2r8pU;jD zFHerE{QBJIuNRkxmp@-1^w*<*9-dzoza5^Pp?4?evOQ;o{MBrK=&vTu;$Qb#do8c^ z!fQQ2?fuUF_noIt{O2$BpS)=8y?BPcYqeS}^z-G>UrpqizdF1}qvEgaw*Nw|lbmH3 z9^nkN{G6X0e;)rEA!LRj-&|ZCo?pt}hd-V)YWN*OsJ*MeKi3ipLQcrz=g+vAn@eY_ z(ds~igO+)wSPvaA7Kzj*rM#gjSf`+L9b@0r!DQT7V~_IpL`MQCFv zzoFnWe@EV&CHcs2)idq2^0|H(Y^nXdW=lp5i|xf)x%91_ZEDX1BcchSvgu+~Vmo2s z7OX#u-yXO;u(7^VQmAgdUrerSJdiq^wX$|yV(*%8YE~S2p~RuHl=SIG zW~kJ9nP35n)Rheex2NFqDHjy{bjDI)RGOp-f0$5ov(DQ!u?jd5S+avh_=+HP*1|Mr zvyOBr=||uIq>o5r2_=jO=9aez*y*fTTE1nR#bzsQK{H%_Cq+}E^CRJw> zSWE{ElIkH0fC`QV;DoR#+0oWcE{KfV+OG|G{pPXt=iJhvfRr;Q=FkXuGHAQ&PgKfb ze=J2mzWd2n5pj&9_2avrkaFoTajkJlBJ8CEUy)RqNpcsB$NCVQ_0gD;Yw#J@lAheM znwk`vTKjk6OPXa4UB@1nczkq%(}?p>yU;j+?|tNLZdNYsXBw#5vGQiBTnOh zC~i`Prk9Np6B~^1YASx_KlPta=_ES^ zkMbyj1B$Z3V=V)4%S_*ax4EQs&?h%)64W}&_dN5l-P%EIbswRuB;3Lo3sHu9oUOB{@} z+aUTA97;lPKeV>DeH)Jt4n~9t;TBpCK^!obR^_XYr zU>6L?yD_=uyX_a>KiSPS!UYO%eQ>@a)x|G#2uJ#Bx^^FH+19IX#NR^qh5ix!R;4D@|wG`Z)fAD|enRcVo zsD{&4!UbF@xRGbOYO`@6chO9TN$e96_Hb~8@^A|z<^Rh$aA-7gTgmpeR5;SIO$#<& zw7uQ11>Z?U1M7eeIxr87T`TA|BJmiFamsz)>A{AnDRp6t&winFIg%Nit|_yDP*=;* zkLu7*#bPYgE=4_Cyyh}Cf1|wCkrQ9cb+pZ$Eu6xym@>r_!^jjHgcuyEwULw-wR^MN zSe;TAf+a~2)?zc;+tZV2dB_L?~R=K}|f03@;_V=|l&+H8W z2;Po`R3CWdw`}a8HH$*mLPm_X;xHT>=b`${{c54ZMiwquEB7XSvt}mmRqk=>_+!_a z>-?b@MH|YhaQfy)@7?L4clP7)&#%u8U%lFLU^XY6g+tDQd!$vq?EHmN&;6E{K6_zq z2bfP1My_|ALX@G14QQa6iCIYe-<4A*=0n{=MTAxbxOLGkgh`rmOYa(7z!4)i7dUt1 zYkPsyM&K!4r0P0sNd;*0A@9Dv#9lrW=S2YJLc`&h>a#Rsf0v-65eX?4B$`OE`1RS_ z^UK3GmmOq-(ZPb5as#mKI;QQ|(XeD)8)M0ti7D*a%Wdeb7?Sjwnw18mFd$kbgY8@S z(n>Z^bxKp^r4L~dMv0h6^#^9J}`s}Q<5gZ%;7gq^_3^3uj5$B9p)rHXFjUB-_N25A|#<9 zi4utwZTSPFvmSvx(Uf|t!+`lS`~tcFwU`wA0aVy@f2mdJeshQ9{NO%+sp2^01D@Sh zp`g>8`yN_!u{*oTVo9gX!iSt8?pc+@G6S>XEVJ&m{D1lX>Y`qXW2w|K)NR9?!Up9W zD5>*1E=Z!3CFlIzgvqD`Z$IQW2p<^x0BvLzBc zG%80+K9T@=R3NZbf*-Cqa+2z2#0CQpFWgOCf9~ZV=~^zGVHoh_DBVp-)^k%eH%Z1pDL>+M!5e{dQwb=c8HFl@vVGt|e z(xVf{Dq;b4&qa51?93c>`BbJ_>&M@xDHks51g7c8>*wyDx$9pgxHvyKJbr!RkHVYuF?avp+b^yE*4~r#`oEXwh$RyQf9del?Xl7U zIF7?zmR98RGC386%44EKn2&I>-s-=pXTkNa^Elm%4a{5r&!3d#|Mru;{q_34k7vQ; zVYkf~78Kb`b>1+)aS3^eimAY8{JV-jUt%=MnF)uXP5(t^=p$b*`PXX`I886kzNRKfa;>Bb0TyJyDbh&?oyPqX+ZZ;D zVwj)?P7?cP+kfKkHPmUR4sLmfUeR8P(}^2-sLz)=Jp(0wWFyj<<;6TV8eW425^~do z8zCiR*Rd1<_-@1oj9Z>F!s(Tt#Dm5anSjSur{U>=H9YOn)bOlNQ^Q03ECx50hG)jw z7-4F>q-Aw7!ZhmCxlSXUdr12=Hq>9bOMR21<3wAjMT9P+y+Yl=HpC<$9TchgYmAGt z{I$t-{jB(ZS(5+X=m==8{b&E_)cNoJTK>D2XJZ4E_~6C{Iu$4n9}SLjN2j|-$4D@y zBkm+A3kc^@XVak)-buYa0 zz5egz`SfXb8;$9x0|9@fQYZKSgONl_FeDwcz5C^VOQRu+HO>iSvcQP5zH$~fp?y_w zbd_GZ@#&Mf;)$AyYmc^%-0SKKYoWL?>^xDbYN1MJ65e=@Wu9xL>|F3G0+sCrhP3?YvgQ>=ZKF z$x)>^9uVZ~kgtW7WIwWt@>^Mr#G!d@{BPO~^TC^*K!}Q8Gl2`upKRc6=TG$@tC)Rg z@#%Bj4AIO)Tnm+Z&;p<{t z!gm@Z5huk~6`d^8s;W_FRpWaG?t$ewVbFI=keTjioCNog$ls5u=W&Q|K6zwxGvyQ%IR zZj17?Nd;yi7r6%BKi7dc-`J>-pV1!~6C`g$u!KcyF!@RHpdwsD#`848i!=Atk!pd} zuZ~o6{=N*UF25Ie)g-w(f_&i;$imcrczaqbQQ|ZmE=h%p(BKTJTN%OK&sL>+TER}` z@ZHsIRL%;Sw@=+t{=d2Y7vKa#keRs};2iz$S$nU1{{K||v)2Fa;kkkSCx!$GoDPU6 zn$yIWHr6$B7>`S#;Vx-TqIBcruLw;j>`?3%w7lPwMG$1T+#0HN! zq|6^>an)>WZ!ai*s0g#%fwe%(4rZF4HplN<-uJ(4ZNLA&zWlcR<;$Zc+AN?4eMW*^ z2=L_7h6~vakk2e?``Y@<`dRL|x&E&rW6nGK{mXp)f4}{teE$1?N^DtnuaEkcad(;~`ViN3SFRtnZYTB7k!xBL#V8M{aB?B99_HD$q4tWf8-aU7HP9 z_N$>p5Kc?~%KJOR5CG2@%WHSsc___owPjRsNi4rJ8pEl7#xxdOOEiwdiuzNg{8Rq3 zj`HT(pB@2>8mFBD)ciFzk$NuB$@%%)^A3bqgY{@``V{h@xhaUJ()gIPa?Scq545~m zc-j0lM&;*?O-Vq;Bt}>T;UaDx+Z`1o)Jga@!V^gVF(IKz4M`^E?G;HN{F6<(B}@YM zAi{LSR|58b4_OM=f86Y&<=}EoOy%1plHT3O2k$BJ^B^;{XXiziH^ClnFvP!=D(R!C zLa}Lr{0!-9?)H3Q{oL(ybNLT$@~lGs+k4tBpZ`30`fM%#-OICt{O1^6RH$KfnG5NY z;VJP$6A1j%M4L!S8}R2jW1?wIwnqLDL!wHfraHZUF(O6XZd~la%4sPXP%hGml$qoX z=-WPh^T{o2Zh}=7Hy`r~0uM^1H2U+@TO0{4hGDrKYAE8_)*U2mI$mP|7i5QH7`h03uCUJNsc zF3F;QNEPKJ(zD`iE%mi`>c8!6<+NEmXGY~j{+E>ANjjN5*%ofZ?87-X>q=k;5 z7f;`?a=kPQo;Kyvk#AhgxyAmk58CDn0CV?$|L0Tw|E<aI%lLoj1STr1uq1p4 z2cQ%<%BQkp;3#q(L=MkRZH@ug^fS%EHDT#qterv!^VXIS{Z;>^zn!sEykFC9X8VettnQU@slcgxmMm>_+*yp+$B(5@l zQ7%M^V;-68UwKIW2_8jG>}PB4z}g;ySPEhGV?hRF%G7Zz5$D=DE_Dt9`Pm$B*qHld zjH68FqpRJ?%9CT|BIf|Eb1>(GtjZH0_pNkf7nY(;@<*ZZsx#xQ=~DFvys86d<`uVh zNg@9(C$jJzX0|K`>2Do-LARno1Stl8JFXxom)a>uO*NIxsXmNfXC(jyPbQ}^8jG5i zfC^`~HNCM-i)v@;FjAx$X_})%xwxgUbU8_g%I>O?Z^4li2^U!H=J@JNx6)Mm?>su3 zuI5nBX2tpKi>1$Rrw(u-I^OJ)T7{f%;Gpd0`@i;&zP5PM7iFvp! z+)ubIdY47j17v9HXQ}7r{9h4&&jRd!uKw40G8O;#$vXb;{X9$X|C5i2&9|-}@f|}noQS(E8^X7xX7IFP7 ziYDlf3`ew2Nr-Tgz+nBxFGRHt<%R4+Le8yw8zdBRc5*-w2<$4UW<*C+E1?h)ep93B z_|1hZ3z~33f-S#s+BavxI=z;0;B#Vs)$cOI_P|w@^>YW$&G&!hmvnpk zZ+mZVZ_5Ag`SZQ?{(m3O68pb3|EihSEPRG($54pk;o6F845}B}zpd)1tyl&%HUE`t zO|h>gYK|uM=PUznsVNVg6khCF-?O)g@;FyEQVESoOXrw?)j^Sej#%o%LPG;OCb1DK zG7d?ok#<#sozHPbcLN5qnE2>W1s#S9RYF%{%AjX_<2HZKbh;G>`CCw>hl8tYoQAmp zo<>wme1PCP8u!`l0wZpi@vEKzt5Xx=dhz9$RB^;${17Rc_R%#_*$FurlN3i~oN}yE z9ojpJcWuuu(&*HG&Oc=+EK4RutF;wUDiBm?`k=gbYbjy6-jdRyr>|R-={^@s;J|ds z@|+tvRsGl%Qw+?0wU{t1Gu0M#0nIUBhF>lHmif*VnJmP1AY#BRxQ>cAa7Dn6p}A%) z_rqGQ$fVjO_>H4;%0f05v8+0Ofx~QCDwPd%4pgkC!osadSU1I}9#bo)SYxZ;y)fOP z?C~{D65}Z3xJF1=4iJq)@^MzJM;7RMABnlk%``E8wOJ=_mZFr1l#;Q^4@>(9M=8PK zL?;&w7nhJq10sL-np>zDk$516P1J6|95OkFaG-;lK(D%+!ta>}$a?WlQ7rNbB>Py+ z*guM`mD!T<^o<9K6IHOK z9Yp*=M~Y$mkH})U>7!qyzMs(GN(XdG0f~;vkWO+MvPr$32KfdyE3xLqZu)q^xWFUXy3Ny z?o?_M(O>)!3+#k7EYAPI{K8Yhp6s<6hm{@Fly!exWu+-_fd`WwT}JS+Uo%0DVmZM$>_)f-qc1&@w1+ z(c(t8%%(@>P0!7{iYrR$>Q^-&jx@BYt7i4ERIVWffkO_O=a;7cLZo&qn-RMvDcY2L z{V;z@h8VTCw$z_*vJpvXfZAJVGfR@`QlIsWtq+C3T`p}yc^*(Y#rf(gkOBF4u8sr_ zqv#bCpa(a9{q+|I8>soen&`9K9=J%+(?uK4Wjv7bG$!&Ag(b&_S-&5V%Eeb5Bx!2k z5>aom(G++ynymIPDhQ{EOR{yY;&3?)HgtcCl9Y@o%eb?P>lJAvR1l~6BJ!y!IZrD6 zY9ir^MFcZi@4hytbpU~f_1wb#FIb8P&^Z&K||DK-Z?|->>bS@MPprZ)$ z%Ii3WNCH_Pzlme7=LV$O7UvXL^fFkft6bI59{@%$`Z$gIg^v|Cx60NWecxuPnj3$W zwb`F6Dq`*O^YZ>=e@&}lK3q`g{W+k(;x@DBp^RLZco9;CvcekHcSBV$ZkkyW6 z&Eg;4b94SLl1OVF^LBta{J-_ARnGtRbpOdZ|J%JhOY#3WBq>K&8wKIsk9Bh~l;O{i zv2&71p{;yFfY;Sqfif19CGNUiV7h;c5(l5M-;Z;{Mb7y|5}7YnPp^p{>sHy+b)=s4 zZ#;^&s%t->>w`C6|H?MD0{_n^t*Q0@-B#h&l2lj-TR@jip57+494?;)Uu7v zt8M!A96%9`HZ=~2(CdD-vTcGM>98!{%V8}TzjGzOwX--;lV2Tvtd^j-G zs!V0pSUQ&Tm!HO|D$pXDVK-IhvId881XU-qh^4xuwpPLtfc};}C6H%S6*S z9X62@&}&PF4k}0Q`m9c9f1q)QnqKiW0k3gBHmp4HuGqCLl9EYCn#gn~wPRWL2yI5}?f0F0M z{NM3F+5He;&T$;3xN%3wrz!=) zREY0Ie3)`NvJKW5hfLrn>ttn|c#FEiVvZR_?{ZyEIb(n1gVn*z;6T77h^^u3N6Z|xqrC~_U`v*h|-q08hg=q9JG zRTSFOu6YYJq{^0B2zx(slAficPd_fy%oUmVs#2*Xvlwd-#0oGc zlzsjo`jmeeuL}NCya+JmP{+$wsb!oIr$$rjiC96K&3S<32CnIE)oz8gDJ?6gaFj)Y zCR5??O}iDIi>@nR>AKat^v#FaM;cL_PEbFKm6)VW))2~^4u-F&0PsL zUv51&`U+fOF4zUjnV*B`CRi+a;O1?rrBl8_W6XcqB}ao z)sw#XWSDjqm<87cSU)3XU^8%EFeXaoR^wq^Wy-!S-p%b5HQ!6&+~xE}K(L~K4!`!` zSD!nGIdfiKWmVHz{IZyDr5l$%%do`w@Ir9JWr&Ioa&-d2(fA8nHiTwXs&i3)k zl}msBhKe4H>~98IEBV9ix7$hmrjNUk`72Pml*Di9>*jDKhBp@aOKnw){5TDUR1nDZ zw+KK^@p4O<7}l!}rFJAImKAE$hI7V5jp~p(pPGeUE83C#*|-@vZDjiO-1_s?m)Z5t zNfOZjNThB!(a9c@k>XqC&xX)kuGnfG1~g#oAE;g5qcZNS6+7a_4Z0o~ksY zqTibvC%*v0*0lffs+CZK>1iadR1Gb=Q@g`g@u6Mj(sW3@IRgnbYo?z1D#|ZFgn6wy zKvNY=voZF6iXy+r2DdU@euaDeB5>b8nK#W=w09Fle!*r|tj3!`EHUplRN?Ddxut&s zZ<>AJ>buKMmsw*4ne7gh_d8r}g(2K#ow+;GG7GDw-ii$~a{Vqbv$+)gP0nf#{+tTl>@JzkBQZpZD|J$o?Z|`}pPN`PS-9K$?&qjtM9q zYrPdn0ewq5P~OoUnS!QKyPPRV*I$2$DX7?1jVWlh0jJnRjR9w_IjJxcUFeVLLji1F>8HX^BSb6Yyh#PB4i6{j6b7c~Ybczse&X3LmTTqx$Ksmt5F zl=Z>w;XxY2G#~pvz#yh7xNGP(z1nu>o8e4qcW1~YSnl2$SK6)~lr@eMv4DRuF6TP) z%y7Eo0z|LMdz=W*#tL1b?M(x+wz@4UORUc729i~8B?{vLaNoolpqu@+t!{b{OU(OC zt!_1~+}7%*n|m+^H#amcH?g7|mu4;Wo_g z?oFXz+t~5|pVip^^72(Cz&U^RzxLDT&x-cH{Z{MgI{weSJU6lbovGQr_}{NqZvS%# z>A{!)bC~K)fO(nQSpl8C?#2pOjo_sWfld>*yarOyQl%x(Dz~=0s|(L>RZ0%#Ezd1< zbNXF^^HeqJ>dgq##p_k*3gTbUC6j3=ilfsga%O*ODKc}XDJO@b zm7=1H@`TJl_Oi}HGpTQ(8Ms?VqS+&RNXCtu$@d`%Xh>{mX`MleARP@-A`_4GJ@akW##NgY2Z9Fa#6AYv5CXc;SVL|0s1ld1-8E*9peW&&WbvAy zsg4~nQ?4JL$|b#xs&y6n8>DNz9pxi zMsB=AJI!k4|Aj|%C)^`1`m;UMp3gx*9-dyBGw2q%Yb==(8H;~GTdOKfmyBykdukV| z?(q&di7Tw$jFl9{-EWwRE61}s?&czTNlsU8bxu<&=67yy$<0|_rSkd>lS}QG=8#Mc zNhGCZ?$X1oau3oVy&C&(N}iy?bmaz!#t0n;E34+qk8+rg8od%}{D@QlaCGa;8SVFs8vuqqn#_)Vo$Dd(>~x z_0z2CxO4V!m83uMvl{)+-Q%XUz^gX&Uctv zg}S<5Cvo%c;sLgF{-1gMt73X=8ki6ZT-`DpZ>A4J$5Y3kZniqP9Q0OJC^8`8C`(fk3wxH^oJxj?K2>M$!en3TKP&E%py{6cjP0)eE z5Iy!hDHi>W|BW9!lEpO_kWk<_^#8_P(#U^j-+5;cIE9IaaaCbS`QIOsXha7wOUdGW z%#r_FPxngx|9gASTI=(ldwDj{85WXLK{8J@vvS*sQ7@xWD7koogDX5B+;424%OT~6 zXGy|R!4V&lC<2!VG{Pbn(s;0gQW9Z7$9mh$-{UxJY@nD7loRcyG7)HJMfBgceDr@d zjwXo3P*Z}05|W~b#>8*<#}^+iI_`d?b;rITN?!y1g zi{W5b{?Gi$$MJ67P!9)JSpvEbZ*2SgI%#bCJ$%*J_Qfb^Z2#Yl4fGDDlw};99-r`r zpQP+}5{QORLxOizxs?6h@W(u0A=!WZhD;VquK)9s!{gT{{wQ3gkJ;=0Y5Uppa{Qn6 z^C#=|e=pAlda3e4nbq)$_EIUe9LafaG!D`Gf0AfaeEr*|$t)$e1D_8e!_=-|2@Uve zq>6sfl(QkrY=J3skg_b1EJaZhir9b#s7J&#kqk!zqU!mL#>NJ^eDyz$&l`V@ZnrBX z>qbZt5{D!XDACfp+*>=kJ=o{RB;}OF9n|ta`X7x`hEB%Su_>{1CvH+K{abbhJ@zmk zHXb1fKC&H8P?ktJ)s_Oda6;die#h;`6^+9Vk{Uc6yv9jmLsSi6Vc7eqm`8HWd&X8|X9^HW65(0Zdv6B1y`|G$b5hgL7lS zljBNA%F*?Z2169!Sc*Vk2?js-F^O1$VsfqLL#H4EYM7e;Ewf3W5svYIq<*9EvM`;6 z4uIpo|0(McoFqJN?MlCa=};sSk|bi2krWQ4u&SDeKUp6EWge;aX^ek@DC2^p+*jKa zd{t-|Vvc%}#suL~#{j#1BAa+`z?9IWF%g8LvplKVc@_&gB1I6Bl!ZQJyIW}UdGqP@hE+yH@GrdXdWK%0Zen zlz_*WM(|B5etIQq5&{2*fF%SJ!;tp-1cY`@f*jHfblC6HmNQ zh6PCEi~EKoVWCFJ6iyNr8bEgC?^w_(z$_#I8zn3zv9R#u2BL0}PU;|0D4D{^-9ZA2 z=?EvdN23Lo)6{=N+-P+z{#32Q`AhA#OK91rssneT0|&>xa%Me9GmS=nhl&1c2h+G!R zw1>hN(pCK8jxjxT?)z|4Xc1$7|Nsb;~OAyX}Z+*3n?(Upc*JS5@|-{ zs+Hh^#0s+2IA6E>{{DBXf)W`0Nt&{BDHea{+s^@M1br%8w zI`gw+km7%k>t!05+ylP3k!aWk*=N@y9 zyMa6N5sXtRgK?;AC=TCtRA^HGsS4Gjnl0t)uHej3q4zc%woX)s0<-4rR*bMXb86~l z&D^c{!o0atXA<)N-5fZ%!AfMtjzf=i8_zgFU9*kI5^u*OO=(EFb7!x303ypDr9^-6 z2V+Q)A1COK3`Y{*p;RRSjA@;5vCaT&O_8cB3@VAT+@!P6oYfMG-sxvA^IPtm-{6k9 z9H$Em3owq&UnSs$*9 zG)EKr(^btt0nrLB_3}O`)c#fjd z_Rxq3_Cn1)pJ0 z$D1i)2sQPAc=)b(9%Ybh`ffL;-|aQGP%|R&Kn$Cx-9k++QWg*L%jc5+>uw6ab0Xe< zL8|@^QguODRb>xH+Ur)?SD1Cnt)f1dQQj@sEKSThDNU0xcq>^4VS`$OK2_gGbJ16Q zIQ1<(W*-(T#RIasBk8ZR>8|b|`|Ip_t2_R-l$%I7jSHz;RWnVeK!q*mEdTo3=7v+Y z#-0PzbeX8&RI8Hf93KpFK%zbz?}uj7%`1`?oZ_! zq_Y}QRG#0(9l>7bu-8ZsAF?b8kpe+o%{ATZSOue>l0PyMi)dmh2L%PB`=~2-P^p<{ zs{L8e`38r(Jy}{Ap)YX!bB83ivZh_ytGH01cKDYWjY34?F-=)KQuicM3XWQTAgrsi z7_7vHWn?)^vQ<~Bmf7&9hf%tkA=lAaN@Ia&tk@}K%Hf`k}<{4=q>YZdCDvQ(GVx*-V8Ad*KYX0c~VyTh0ku&>CZ zT^t;U)m6jOT>Wa@j&L0Q~qiH;%h{H`~#-Xr+#CZw3~1`_mW&n1kJIlDk#xI9}O*$_rwUAC(Q+ zwb?eEt<*;sQki+@MiBUIbHm)Kg>i17IrCS%&fcw>KU1VW1_U}4DAjulMtq2+0IQrj zAW;_hdf5BY%go=WeNcqCnkx%)|$+r zmO|4V@uNBOSCyNmyY&1y*_l={h12urWE=UqQ|JT^zL!~?Gk>LcoA!KQx%q=wcYo(u z@{h~cf8Uk=-fkYJ=TC)5{JK-8VvpV9+FM}$0?av%!xR_haM}5PJ2I`Th=WegpM~=) z&!L6mzUFb>{--lZ-g5s_IZXe1N(TSqE;m7)cls-Df(nZJ-2_3c{{^QpjR*5}`UUj& zTdCM{mC^+iz}q?DI8=SDvErvJifBBz!~-b-Xk;PWW0}x5adinK@Bo;+bxQ3n@1)w; z*gzKv2`G*b1q||kU`R%oJMPf3sr<%ss=cN<4TQubAsyKujRy^c!hE_q#?{IccOn`o z=UU29!~!fx*g%MU#G@o49TY+>pRz{7xx786t8-ft2swBEbz9b#ym#XPjXyRT0uSaj ztJ)EG;5O6t+t2*A7m^;uvDa>S>9hStBgvxZj72n<3o9UhyFWo#HGgI++L)VQ9DRHk zUE>LVjA%cHL*nc)1Ys19cU1IDP6QM`?Z08-EG3-8;<189J0Rr%;WWjQ20~O26#{EE zq$Yw>G(p?|9jitV>*wI>e*8uwB)!bRYEMNVox*?u+1#`Nt^`ahqE|$Ikwi>BiWDOn z_gOkp4w@=|Y5;fVLd7PPBzzcyPK@J#=*D`a)7Y@o=MvUNAuK?VEH)&XYbJREIkSvh zgf}*j8oGu^U(Vk^&Jkn2fOOp1xp*?cT2*=E98mf$5+oiQ4X#ePk0Q+ZJQDnI$hZpX zl>;cyI~HXlVvfrZw6udx`-a4tUULVz-MoQ#2F<2_z9b$}F5%=ToJfQQDgptgO!BV+ z#7(c+Xy70qoWEuvnFsD6ltd#I<~dJl;VyJ^PH^~3N(Fff6TssxKn`L{2-rY?0RVaf4kw&$EzK64 zh;p)jh42+~M(IX+GrmX0mCPONXrf!cB9qrRNoWjgqtKRqZ-a!WHuYwIMJDP5tjZ-- zexz|75DI>EUNaNfDqe>LbpyG;ZXjfZM_I^(YyXK%EGi`~VZaiwOmeDU^sOm~+J`ua zIfZ~puogj(bi-cI*q)E=AkIbv2|6NNHgJu9V_1{}Sz9pKda90s6UI4(3y%}kEl3JO zLQ`JGhGf}hb~jKS;8)`c-g}-`9pgk}<>moSkaqW08xc;D#jC0*e4F4uGGYUzG<@?X5_v{IY0~=iZ%a=xB&|wngBldk?hq5E_xMTCDnxHdhhZh&Wygff||^Y2*+5Os)J^8r-aReW)o=sajEEn@gB<^JTgoDgKVM{1F}AjWy7vJ@-bnl zKu$9Uk2bHe9tlJQl}%h&a9Q994v4+;kW&Nl82X*FSb}%Z{NziX=R0)xr70PI9OmTN z6Xbaz30O$B8dZpB-v|+H7ZL5%AfkN-h-gd0q?MA~xXU3ITzvc>m9VWV$8ZX>A zDvBpvw5b^gprJQGJtl^#(jE+N-{9V9NY1PZ?*_v!wz)Umri!?QSR75ZeDwaGBqg&$ z1ug}r|pB5dZN*jTEa8>3{1 zdqmIx78HoPLpEXq5)(P|*LYH}u9|>tPVhHLVn>otLz1e^PemrkLlVFup_Yskah+Tde)x%W;MF=LAonALP(4O+%j2{csm+TA26GS-#&j??3UxWMxYpdEsWl_P=Cj}~B17*dDe05cu&MW~-=|<_gkm8JGO6Xjtj%6Kz^Zz0Ie8L*0AqL*tWwae>pnb?@9(d2oM{ z2gflJSWp)8ehVRIISfd8K?Cw5NjYV4A3gPZ-EF_O)j}x10!M7@2Uv)R_>^@5A}dl7 z_ECaU5tFpGSV(yi;h7iXDe0qszDn5`?d46P@Aqn}jR+Q5DuK5*+qEUmvmx;=OjlRG zdyaa3?;F4CbysVD%cmqFm=oQR;wESzG$jIuSYUVXy=Q)}g%BHZl3w5;ji{K}?>&F3 z=l6OooKXAjVzY&lq=dhnR!9;Oha?Ut;r*6}0v3lI4uNp0wuaM4G9e1bQ3cKh4i?SOQYvK@B2-|XP-H=}T8t2HJuNwHAJ zKzDP~>u!17XJ_4K{hjUpPS1bV-RW)ae%;;aZ*|+BXuJH!J*EABfuoG@du9OV?*Glr z?e5NhZh8N2J>7iV{}1u3te}@HTUvtFCArmYh?wUO(;i{BaD9Dd-v8;9DpDp zoZ3+01-Zm2L6;K}qhNw#;1o2_2}y~Mer6fs6P86GI*-{Ux}0EvW-LRpUdU)X{<{RU z7X*ZJBqqdEzocS@Q?^)Ik1vo}Sg4hK~ zX&90iWn2zjb<5Xuk^2r(5lih@oYy||$QO95S~_Ba^wDt|k`%EKN>VZ+DTxCjC!)81 zUTy(xuFr>xw$>}XS1rNp0s}%g!Vzb%4CEAEDKv4kW~0w5J!eVD5s1`A|zcVIh|cJ`2f!M9=|P!YeCiAX2%B z1%nGM#Zfea9iGyVlp{?v)!lgKFOl!ghe!%_0i$zh>4Swa1smPFzsbYHSv2!xX{1kZF~yNwRgJj zXj{JwlB|!~z3x=Ki0G8o)abn~S7^8FEl-w)t5*vliAQ;+_0?HN^1I-FVLW1z-qKi* zSngj~3IUr=Ni0_`%LJ?_Imby#E-1@5Af3blO)y78LSi&!7bHYkEJ^tXd1UgAZNa1Q zi21*97Jq=&Sw8a;sDVY}c{MlC53%kP)cQ~uzz67}+`=%s7dRFu!~(ZgiUaMV)sNS! za_zig1u1}>J-GQxx|XDW^g^z3y<{lit-8~6{#gnqy|XL%j0-aT8BZfSe3$P4wj{j3 zaUk)?Ng!9KWHwSDyD3MPI2N$ilayU(&|G8%Q#ibOtL!~x2PG7RWSPWkld<7 zW5x->vRj^=GJW`e4QGfaB%q_2LZRDu3zc5<4W~t5=e;2_!wV19J_nM{M)0?8Ko&%j z%MDT@Z@zvDnaV(@PFY0I3oN+~%`{6Cr7Y4*IbX=<*^s0$5rl&rmIb_n!zqnBI1>|= z(*Fb2q>~PD&}qs4%I>OG^Yb=kkv=RW_$*RKt19KALxDzrEQ;8rV%=q7jUFS_0^%;K z89MDDoY2=P%M$xayI5;P9SmGDu zz*TR5;EGArNWn2WR6tQm0+zxCn=r|HpkIEqRYnn$Ctq2YqICu^v5tBzQU}c~e zyTon4VopPnk`Q5eX+9-ma)sW>l_h6o1EvV0la!3;6`JZ5mtZkD17UDIWY~k5An6Gf zlRoMcH8%QXL9&kEmR0jbPe(_7mc@bya}K;SYPahr8x@zgh`5IXs2~yCh9dfMsF3Ox zDBvHU5w*!>`sN93GVm>%xaWpdoAku&&=KjO$kj;UuZ3U*$KV`2}?m{df(3SS})eyW-xRnd~RK1d34*8%a(DRxX=P zvlt{!N-&*k%g`Df)oAez^R@1b)lsqCc&Meir4dQuYASejfE$4~;ZkDgB^G#pC~tb^ z@~rk&OVKk}ke8SWZ^TkB9D=+z7d`oCKmfHsY2j!%r%6jzc*Rl!T9eh46?u!v+i(>V ziet3sw%SX$yQeNI?&#WwRK$2nwbHUPjM%WF#K-ni4zqK5u=n!afj+MSzw3o$NOA0c^?F{~+m+PZ7X5)s+ELy#Ziy4j`6Ww3O}_IFIl7yw z9$X2D)=*AEUyIkcAn{%p%7rF(diyISSDWIi{rs5iqjqnn3sf;7DThh{sXsdrQbcsK z+kH*7FxT9e_ajWFvYO^n6$E+i^wG}t)~1A?(kWKjg&F}atmM&1uELpreIZyxQgb8# zwM_{QPYFoo`CTEITdFE!q}=j8POd~f3he$EEK?d(CI!*xN18ksY;i zt~Zwd(JgYf$#5vU6p~m_9C2t&!78<=t6C1p^gu2*MZ?-@$UTP|we{C?BG+d)^kfzF zve5120hns)gTeU?I*>-N9~KJ*VdlhAo~~hh{gyg6S=>h%_Xy^~>*?cP z3y%$9M4B>Ij`cMO|Cyo80GrL?gLJd`cD$}0eoTY4GjNlGthM8+gs3_CBo z3}m31C#K2)4{)S-xrOaC)m*0404K^YmlE!WDNE2>$^~L0VNrNp5o9d0#&5-MO?c^GV1zR};eW62LCiw{MMtRLS}!?NK60dE!Yr$ibQi?n!zFs;d;(1@R=JM#Rg{n4{2f zj@_05*tZfH_502Yx3amlz%;A<)bDM7<98S7s5K{lYE6rb8pNmsOn=at(!{Kzv$q3u zK~k&!fICkjZ-XP0n|I6W8&Doc;BO=YC&2JN>pt5AZBork5%GgEwS`kdq!^L-f~G8n zYwZP2sVv7O3nU8mDiZ5iOw2S2CK-Vggm_%56!Pn_JjLWx!QqZDhhi`gBHKL3oBYwV z*w^BJ2{o7Retv&&^yB*<_fGW@3y}0BrOZVa8Qvn(+SSGYRc6;^b?X@271tWT3OP_j zMy^oaAQ!%8S`0@G51~0{3YRvYz@ooBq`X`Uz73@Z3^Ll#oOO#D+7( z5)z{XSe=jFABIuW2(37YD0hA*yBxetj-ER?(2uaX? zrYszj_OEs*D{wU(NY=mayeyA+r9AG=kj5Q%@X&+rNfa?9fi}_v0F5R%4kMDbf6bSK zzN1_ylPYCBWet?dCRM5rW}T}to^rUz?_9F97PhKST>tCyi7mymp(^8kGFUxH*|70S zt!S?4P1BkvDpHH8PA@3@REvZo?>t|BDpPy~tHZU(Ok}UPuNTdL1S}3Yy1tfWXdFaY zNKm_E$HapPnUXg0(e-s~U8`iH-QWtT z4YU;7IGkC7s!O6|Ah{X5U}#K#gyPX9Yu(XokY=%zg_w6^(>hqRU%w)umbk8{H~9bB!_c&8?R)G+wk_9 zhi1D&N5z`PWG`lbNTZPxg`WPybt?W&a_69&3M+lAHh)i(uMnT1uK081jdWWy*lL!b;9s5q^*Uso3X5$S+;}P3HmpF}SJl>ErlB6jEhD5h3f%Q>a7BucKD=X+AlfxA?e-E0x$I8^; zyZ*E8v(0wijx~E|=P#3@r9)|>>`U&!><2UuEX8AeV#u|=8n7tTZ_V0XmE&HObGxcG zS9wc8|KmV&#nywBa5`4H3A8FX{=2l1{2#c*Y^gGiR-4c0(3q){3vA zW$s>iF=3V;hcdNoi$GaMCdm6Yk|o&xvNgv2E)TJ5N^ z0oo09`2!CTbtahW<^;dQ0>7lzvBl3V^yOU>T4JNZa*;KhzDvUAe|~;NBO>RE*wbgq zLdEpsAYiHF_ajx!6yOsKhM-fXuL3a(iQ(Q4#j3JColX^k1Tz*0w)5KhH{7tkYldHW zL1UcGpg;dIgEz(uc~9+7G0zn}V4CQj8O|-$k4M}ORqJ3AYr4`%n-h7Ng_19DaGoX0 zlwDa-eN==i0U>*ZTn&@xcX2XPRLG zBUdK0P6XE5Fvq5UHH|j3DJ+gI@r)ZT_S&(7Cs$3`jmdWJO>?Wbxj6RoPImi<(%rKCbNb@YeE8Y0DHM9-ZM zAxVcb_}wxL%or~C`C_n|y?o|RZ=&q0>iQO_`l{-|9a&|m)p`aO8MFp*!)T1x&6+hY z-d2;J7#DwMMB6($)<-Ef{DP#Ak~j*6p88jkuun~)Mq*u-cy8_H*Jq`Bsby&b>j zZ}7JUWv$(+^|)N*5+vr#zY*-LWl8)y_mrjxQ*5#$_4V}<;iWky>3)4 z7WRLMBUp2U_{DlUZb~kMbHUUa4J);FtvQhSxYz{9YR4<~J;wGwxAR$X6g5W&XYWt< ze#)(bU0siHF<9l3)#3{;D7_FY3knf@nz%%(#z5EC9pk>@PG}DJ!qvYQnsap_H*B+A zK!I9Ns-Z;-`UVRgj|53?zTW37b-1m_%gRCHs{evky&>c`UiTvCxED}Etp6dYwU?#Q zcb$C3znl%hD_oT-;=$!uN972OxJO>uIl@I78?;skVzfRN0H3f+lXMy(47icLh>gT2 zHRe*EbCaPOECJP%&Ke&A{FsyP8XFbi!lJLQ@Bp@ib5~yDs&ZXXCybq|lOG!-e`nQZ z+GU-@f~JmhwVk393q(zp@=-K*@Hh`lXh#7*m3-+P3yBk7vhArmHh4g)zm$Z2-#XnJ z!{kDAblCAUg>y5D>F*iQaS+itnfd6TEYyryNR%Hr_;rEjnA}f!rN6fdv5rhg7{p@7 z{=(YSwpl`A&Lfn{JGnO@S7>Wfe^Y@I%sHZk$>^@t{L~ z4o=^{Ir#ZnYiLUmt!B%)Tj?N4N~NS4@Z_7Kn^jH7NKL5TogAN@?H!%<-4Lb9?@?jR zupAbI3S=dDk}y;8twNGSY&Ipa_HsUx2o3#?NMq1S4c7qn&&?a_W*=ZSw7;(+R)_}4mYfD z`7Ad<;;ffx;e!fIr@n?*;6D1UWtng&_+Ax!uWfT%Ie!MuY($W>*H?S5SNCyKf81>D z-DYF=HhtA>p@)CiWtAo#xS%%%^|`v@a21nCsWOexfVDL<`cG9Mo=~f)NZ>wfo(kY*>~{)kkpdlkXIZNfThlpZZ-Q8JiS{8+ZGQ;1&*OqnQ|B*2|<~ftIRV9$BMauQfvM;M-vK~@QC41 zLIG!5&{X&pEZ#>H$MRfgOGtaI&{Wy&EqwBo+R?w7M%ouof8F`Z?`#7=mM3WSnTB%oHbO2EeWFTwjX!3ZGB<=nv1b@8FEp&N(AlT4~|+MWtN^ zL*j5LAVlKDf>>FxUclzWDVy_vU1$~e^T6uBhJ04%(5j}OP0F&HE5shv zVV_zZHs8Q`f-9u!1bMISkFIa&a*aS6^-U;HP6MsmJ1LhOXg{T=^5Ed~ z$Ai=N|9bcKy?d0%D~iU1ab14aeb#F)Q}^B8zuupHe}8(g_i|7Iv8kda)kE0dKNt+= zRNk3W*J=IWUuUO#@Ar?7ULC$JL0HuGZK~QjM+dU~xz%32cz<$y{1(Qzw|{o{<3Xu- zuZ$nJ#^KAi)$+yS?|yziIM_cuIIHtMe+3cK%<5LB#2Yd@B_o%wR)D56&xxhtd1$K9oK7LU!0yKQOSJl5}jmZ7K*WMMxS^aBHd{)Qxk5f1{M(aF%z(1qYqlDE2Ck6~4OR=BJ^? z+BFuEF5z>adI1R`j5&lQt@O7zzhLn>%cs`h2*wIjj$P_VcqWU$9CUq9My$Gbs(h(P zNgz`w+B9aMsdWP>FA^Ia+6}wjoI>Gd=@aH{6(#0WI{>`nqR67sFy+o1gQtwVttvBE ze=6#+BDv<;MxF5)0f!^QIvg2rr9=Y-$5Z3Yb8H1&U|AKhOB1iG*WKKf2bg>IrCH43 zP-C$N%1#LN4M9)QkSZQf!r^5=e{TvUGB@am)3p8Gb1F4`w;?N7{5r(}IVt+UZgsWn zn1$8wNH_3DTRPa20;=Qv6tsZQt2wcpf9y>Q1#bVA162v*l(2AN0H>S6|3Thj;6H~i zonV>aO#ux+MuF6SZx3q37r<%hsHaPXK5S56+ky8{ue;UF-$AR+%TeXcig~vWk%*1z zy}bvf+2-=e$y*v{SI0>y?0qo;Qgi4dIEp||8wWE(f=r+a#iMH5aqaB==Z*AHe+d)Q zpm0~$GQZA4&`-1{{^H;=y6=xcJ|34z-79*)NW+~AcCVfb&e@s+xVVlaUT9(v8Q@tp<3;Q2`%rKU3HEjfLfRy`vq_6p6ZS;ANQve*D{ywfelDF6s3y0b57+E;Hh z&ojkWuV@5S-_j|yhJ^f_CNCjt+7A$=4z4^($>!WlK--ZU%OGVfV;pbMe|{d_050R& z1bU-t0fYYGzWUCoqhm$3y>?x-c6$R|PG~SOPL3Rfvlvflpyo$zNuzvH@Z`Nx8Dg(F zn!t6$QqxqNMbQR|S*1C+u_J0ngk+5k6igViA+wEU(Y8)fAEC8zvWZxX_I?`3QQ$bl zX^8an0i@S&4mRXx^xx<>ePK69lh7K(=sr+&V1vW8V~@~cQy)6l4u5{ zAvJ*PdudaYls?F+fL#w_5&~r4gzYwwmuGFGo@cu=ALEfl-k7nmENOk0Yu9`tEqnK`V5$v#0xn0U@gggxm7pvxE=v7gZQZVg>puJ@j$lpqAWw;x8gy`%=)?}`5&$BF& z&g}$NpIL^cc&0KvZA2Ac9Kmk8$i#E{G#$0L=Ze?)c#;UHz4BNNo9aMW3+ z`^vyfl7spwR|?utrI4AhOEiV}uOl5ezX2J7DJIBAYbIs;bJSaRo7YwZCqM3M$+2a+ z-pLj;%L4(ol&OMtoVXxLyy3z^sL5E$%|WaUqrk^Fxd^;}KxaJ&T7aYPZVgaPv;^sb zFwyYWRM7jTlP)C~83f^VXDrh>&@P#r4CTBH>;Syr8~J)V`O%YKB`^ZL8k3PFH6)$v z5*WYW078Hqp2&^m^vbnMo`;lp#C@7PfAaC@)!_Z%$+eT}B_9(jLL1-&2avQTzhUXy zo0Vq%^6QfvCKw03e}aZta88puCToAl2BXv8N&&uk*RK zH!3BQl>J5m@t%gV{6F%a-_;g|oZ|1#$xK)HANkBLDT{gXd2#Ui@Ccop9{#v@c7Wa- z{0wjZ9siGhoh<{CI)v|R?Is%S7cp&UR#(Wb5#X~z4j zo$fd91ComOSsJ-OFE2045OvosdL3DTH)G=_KvOnkqI1#n<+BLH5jO=6t`eHgifZ5Gjvad~->84RkeA=OH*S2% z2U|aG8N>*}MIN)V*wr#-t7z4EifWcXA(+r5FHD0gdbU$gUa+PH%hMZVoO~}t;snGj zMBCgk+-siU_DsopO%2Xu2TL!{r+ffB(13>IAP&+Q@Bweg>@al7faQ}r+Vd&jmu1;I zZQ?U;nOIRW6gf#DCLVu{$3=vzKzUh8Dl4Pwl$f)25DFreg|8%I{Swlay60K`?G2fo zV4CIw%s-u|bHo~+FS)E$A$dC0J1MU2`aew>OY}BXOj^s(0J%Ump@j zlvJ)qPUh>&lhG*{FY~tyhc9p>DQIfZW#f>8qm%KxI6Oi7hc8c2isNy9WwsfzBL~s| z!UUW`!9MzBlNc&C16My5lTj*GH=!~S0-8@bI$|M#^c2RA6WpoMh+YwuM^x2=@hZ!^ ztxaXRrzgQAyDw$8f25X=)bf#9K2pm^lin&B5=NE0s(D?7EHRR#1c%jx7vzGI2`e*2 zpT%6Hm_j@n8|8G0uLkGjQmHIgP+kc_EEI{$gmK}x$XrfH{6oyKpnL@0R(#D>1ae!u+10}aY;yAnI*8wfQ4U(^Suw!Tx#r0Xqrcff@;6v3zOa}Vi^Y&NywYd zOxmA%+kq$8uNG>eRF0f)y1iUc4R)~h7w1t$d!>|VI2Sb&6BK1bD`8*Jh}if5my;zeGBGTV zLNMc?Bh)q}+K`ECnuwX^6T-b%&^=Q>-{e2yh=#_e3(R;q8;Q0g2ki+?!}hn6h%GNM z73KXRsjM3Jjfrgc7Syy%kQ*tidsP32QrI##@b~tD)>W{Iq+A5Fe(UPaWUm-OqKgAoM;e zlkB-!HfqvrEXuR-x|4e@B!5m~9Yamq(Mh&|K-5W1hqRy2I|ZwcR=2vV^F!5G@PCy! zHJ{4W7epe6ClM7|R?N>>9_rh;p6D(1Ih}&<-G$Grp-KksFVfey+2!)~Zk$bypPjX#)(xRV|)ArcP9Sa#;? zv$un<-L$kT=F8dJlTj}u8sAgdXgM9L@k)#p^7I08Fr3+p=SE;EbbBY0k1rtz?Cn6p zQK;XylejM?e;*_h7l_EjKhhs%xqmpps=h;>Co%gxz1zxRgBczzvnmqAKwU~yOqd+rRw^joJx-4}GOfHL3F6rcw~o>E z6G0izz@ylvG6oThVAi|RIMx@{o;KUD(ttybDHij9vP^d`m@pa;E3buE-^P`cGel!~ zj&j0*e{BoYzo`I8DC7>#MGM-^GNMA5xb?O(8MHw8YDi(~`g5QJz-#>!Dl{$I{!2VA z$pulqx#mWv4v0kuyY(%A#NzQh`|F)&%S`;2c$nGjv-yE$UoCN{ZQaH8 z&^GjV2)Tz)j+Vd5LG6Pt~^ zB{1j&%BieLcDs^I0rJR3@Ij8lk~p*m7;rKtu4{)uWIJP%xTgfhKtc_Br;BhHQWZ4E zG~+LMN=Qomnh4i_PE7h}{y}W~0v)PuR%Dr|-}#`dCHuW5%em&`;QkXpe>I?P{wem^ zQP*Sx_f0eEdYf}`ce@;Ge@^V(@47QihB?FGgs53`h2QKhuMqqMHd>~qU)aI?C72{x z)I6TfU;Guh>HITuc;kc6RBWI}2=QP-oH=%Y3T7Pf2{ZrWF zf5G_MdQe$68*-9fC>f4(e^wS=FC+85i^Wr+u}8C~FX$>so>x}TyTifY@c8Kc{_)Y->G9jv6wp|4Hd%b*gGr^Kb|yAnymciv zKZoP*$_hFf)A*_dfqnZm2lqLZ^zkK0A~u_<<4m24P@`3fxh5yte}q0N#xIjgxEPO2 z4k3XF0S9$S*vOS=TH0wA@9`hFyes#*+xe^4Da#W1?kT(*6<^pR=q9ZkvG|lR;k-^# zdO;&HE;`D}xj2ranJoN@Mno-Gw*+VmPE6$k9$=Lux!`W=5FRttVagJDDDAy{tHWY* z5(I22cmK$VrKMvff1PHrT*W%aV!JkCuOR7^#_;NOiUV>|+zqgSboSwslwHkUWTO#D z3u#bRRuIp_o*$lE?CMzTXcXbGNnt$2F&+~YK>^lQF`leEu@v65(n6k@EJhNXib5t^ z*KFM3$dZg=gQhpYr;=OEe~j)TIAqGv$qv;IzJMPc z#~6dM-8g$*5~Y++5_6UahQ>rF?ol#xoeTA$$Wh*!X#`w(b6Ll^{Ay@-yDC~6|M?`P zDj)`=a#jHlowTJicEHHPSLfymRTy8WnkRv7xgn*Y`?n1y{g(;~ZDKpG*2H#p3tCmD zE?U@Au_-^Ff47HdBz9(6Hf+95GP+?SnBy=+7=6&(@&^E+_JlmFIKpUf`1=3*;qVON zngB$IvuC3HQN`72dPUG!lB-b`MYGRxk3ip{QU*)tb7x98$76E0Yla%W$I0$)7ddBDPU1p zJlLUU60YPoW$@pLrkU+ zYIOANDgvreNK2+^_*92`*wA5cRelnan_>g*yqAywKr%9JVv|X-1C<7YlbA9El*=0Ljle;i1PnQ(Wx!KH!lnA~XT*^r6x%Uh?XxI!Zy1&GYQh$`dZpXYx-nR(F)sdS%9OqHbv6$P|g%3 zGJ8c=RqYo;>9434-nqOXsXsvvV)}J&X^j>zVseK8FBZyWsg6W5W4B_)Og1mee~Q&H zV~QP1TrNys9C11(;-vZ^Nts{)i~8tn|HQs6vuzDm>r)~Nnu~BjJo>D=vAw+|G4ZVX zth@0{|1gXXOGwNobR_XRvH5tba;|bf97Pt&Q3<*l3SSP)_V!jC9QAr-1-(2tIX&3l zJ3DyUFX>EjYdXk655Y6v_PV<}f8N_(_vtR=u1BLxWDt}duDQU;x$Q&xVeN8X=z{s6 zKb7ln)A4F8u6ysM(z;3Btb5fB<@SkM_}6V#o`3)n%Z?D&vtPg7A~NB zXo_PM{8A}^LUdx2xH>-#I~I~YIwd&#DW!rO$CCs*AbU%#8+WrJrEcWj z4PAjYcYkhf|5Q^)WwmP6<}9iv|0!hLkvD7_ks-mNDz_JBfnxrftX*Ba&ro~!AhibkzQ@pIQ%yp4% zt*j&w=7I)(z&f%5@0hBJo@mu)A3gPZyZ)w@;sncH|B#a=JR^U5C*vt-Z%BNBh7zeB zaSFJWGPxJtj=2-o7`L_>4>8S6)bkj1=Tt4H_#nf!>lE^3u}mbHc#r{qTFb|#I<0)f zKTjjWdPQtJrt#R<3MCqkl(s#=V&X$kK$m+e_CKm&qzjm z4k@Qw`P4Y}%5n+UKw2i=N8P8plhHgFe+e7)(UXt+Z;uBDeV`VWL&jpl9q!Y+6%M}g z^InW7i9!dY(PW_ZZ==*E3xnx+uPtMocGP#ZLJbT{Tk>ui3#PW40LEa+p-kxd8l<(& zR>WpyE@4P4S)sF61IJ>bm5Py*w?+P{jdpww)*^*9MM7dVWeaSY1s?ZN&)@cY4$oRh z!BP~vU2FVh1ShAHc0C?0?~$6`Fr^pZPQ}u(pMUgU!h2OFvz^b>1dN^e<}u~5Ib z36GrPPJzmQpTLvCJum^)lk+`PfAB=_n9_npXq+a2eYI;i*^+{(Ne6)Tl$d{w@O5>c zgnY75#4by!PRZ_la1|~eOjC0-Ljv=2t}`}xkWF9Z3-SUrs*dIUJWywOn&(Wt5lzV@ zj-t+r9CAtn;b|}@Z1H)4`w1re1uJ)KSB@B}52Af^{N$yB<#yG;<>X+6^sz`SQr z-&xU3(s=BNiJU~)B~Nw9qe6qN#db~1U}_- zJYcn2E0>sGV{Ryezo2(z^~hZ8n^0mJZs=lEb^a-M9_gJ~bUo59N2NFSBF0TVM~)b9@9o=L$+;iOls0Dt8$~e99^@x4kAPbQ-;t{OxWg2#tSoR8Ujb~@ ziFnj5aNWh{2#bFCf3>x;g7&ll6H{Ikc_gWv=X5OaS60vuoFLEh6yfGXB1Eth4T-oU zBu3LL5;TcOvC=D+A{^(Q8(_MLJbP&wQ!&Ygkdjx4HX=6maEzmwpaGW`#wigKlJU+k zV#Cf9!?k5XqG_k-x1wysIM{Eu^3gaB14{U{7lQnP#3BXJe*;4pov?6~qYe=P_~3Am zRW8%}n_5faF!XfGo?u?WLXU{RgGN1hV!@vtjwl4@lRx&<-)h#7hiC$x3R>#lZmnoR zqFfcc-&)aIsy$-N2Nifbe>cQw{?35v`aOTs-^_`^|Qa_+9T8ok>!0R*owb?VFGgvG`;9=1LaB;_sjMsCKcs^D*r&wtocq%a+G zpXZ&U%i*x_?96 z`xxM&CzIE$zjg22R(WuLl4qaA;}nZ5G6J5TjlLV$e8nG<(4=;EH09s#{k_%t_|Zdj zRI7+m=hz!ElUFlcPEyD2C?)bFVWe;1eua#o%ijR_6EJU21$wtPI6F9f|K{N5=TFwateZzDmCMnakSnycxqkDW zKS6Nudh#&`etioh)C2!yj|6^#xi;&!_Fi@=e+s5p7Z5J2Dp!vB)m0ey>cjMWF9O+< zpcf>XAe5HuVtCUTZ zc->e{qF(o@|7_d8+CU$w{rZ3=n4=*fF-o;dnPBKcRU-Of12BzH0+vH&Pr_bwL^#H{ zS_=u#hH@U4uMXo8Lq--OnC+Ja6|wOrf1gW*rJC~uczBjp|Bs6QDZFOsvMj$XH;&j4 zNAMX5Vq z^5J{yXWpg3G5R#yN|t)LceeLpZ*b6WoiU|`36#p%n3Y<~&kc}k7q!WnpM3e^{mI^7 z@YC_>%jZwlOy;vO5y*oqXFS1ya+GspajCc0*Qi)U6PcxIdQ90+{(;6Re@Re2#&!AW zH_qY&i^=o$N1#j&4m>le>o)oW$#L#(BhL#-z(TU#(yXjAt|A*WI5_*^q~GfK=(V;2 zbFVUoCvdd>aQYUUsPsf=B>+cl69k~$5X29H1t=>Bjo_o>mj~}pj!(~SgWeJ*ctQg3 zDdfL&fAvkEf$KK1DvY@Sf7hU=qb!Q@&}-}Eo*tf*`l({m-KMuxkSTPO3oJ73>rfB` z-svCLZPf!gX*#;<6Wx#g6N|czoec0@EzF2(!?(n&937t>^wFU}Q#?ZgpA&@9h+Lv6 zjWbFAj7>-(CPfn&|`B%S_%)TQAJ^>PIuluHmFlW4UEvzG-s3TAk{=+w-Q_ z+Ac4@>rReef@G+K4G6%v+**!M+lCl?-V|W4-MHp$9&=ezuX589*+Xx{(o39%OOjbL z9*FtSSHUe@Ou9+Zf1Y)7Txz1X>4PI;fz;7hU517!yX4ApR@+lZW*{W7pg1bK=7BXu z28JW@0oJiq@G&rdx%6`}n+v_%@{3-8s>B*!mz;}Lf`D0o6a6ITQYc4LA|?!iXr&|~ z7dY1O7nS*&8@`jp(d_TCkHDfBe^1?}5#$UB#3n=+6c@Vof5RaJgE| zX3^HJV|Lha$L!d)t&VNm&KKLZ)v=9^ZQHh;@6XvRalz@(PS)EHf+{o! z>)vLLrh=kIeh|94FCd2vmmI6VEpq(*WuK-r1&%8NM{xKWN4-&Zfs7#Q#D{}yScOGL zPv5jJ_pe01fxzSr6=MdLQl6OSJS(T`%)95gX}rxhdjIA;aZ(%~*>1j~Z5fTT{%vk~ zxeCzzp7<_K382+yG$S|stJ|3cv!J`Mb#Dm#`g-nZxobt1)lT4?L6m>HFOqU%^!2e( zpGlnWck?Rc?*TTNrJYXT$=4>>R~Z~QrN+#L;B|UA*uRB~`yiRQp5lUvQ-=O!6inE3 z3#CY4IdqkC(jz>gd~$aS_Uk@R3eDp^%C(~S--JL)W3OL$QM|yU#`Pt8lv4$}1B>O<1-p57~UK@YqUJ`0H zqyn;Q0O#$>qvm~K`*o;Cb6Ql5v5jQ|b1jl%ogo9Nf??zl!aC>&1OnO`z--}%hxSAk ze@5Kz)1tFralDj~{RF%_Aq?Y$#9%kP!{@T3JHS>@3`I_N5!Lt`y#nG=(b8|-#<3q6 zd^z4G{O_XH#P)WJ4hS~5I*qe4htOLx+Rz$HRll~640F5lif`IvZ~4aO&4I7FsGtds zdZe>>>uGktw)yqd%j64wH#asnf=hmaz1Nqzd-V3adA^NRF&1Kb)=a5Jh@W%fdM^af8e&J=2FoT!eCaXLQxUC;~ZR8*K4BrO6kFgz)ITDDp6-R>TY zf7R5|72eqY$GD-ja>*FZtKol~m%9U_3YN-^SkG0-*?)UzpOSS}&I9QBF@B8Mo4vED z3$6a-CbRe1MVtoGGP`sYqm)o2l!`awAk*gq=2%O{<-epTLjo;|T5GKdhKceFjyDN` za|?PyVBXpxy9WX|CDzBai|iz75DGs#KqTCP)y#y6cNU0iMsyX7lQ)v5oK}yJBa%Si z^5SL?%7}?!#HAw#=Q?U>c+_DnWP(=#p6u9YXOg@V?;Ub*67NB4$|!Fl+AM@H(i9c9 z?=V?kQSQ>T6OOnil<`nRLRCpGqjnZZnjGp|y;xgwA9(=Uk_0EI8wSF}xkzrYxhZbz z!ReJPr?3Ci`M-9J;*qDGhtcxeAv)$EG$_zA*x_gNPSQ6$oH_k)wrfPZ_mr-bD2;!$ zYAD%3t#C$sIh5)Ue_=9yOo9J8YPBuXjl4VZsipD7Pniqemy(Rrb=E##*#Is!l9BOrGRIL-eBEED{TG|CHb`U=d zwRSS%xRh1?+Ld3{h~fbErW+ayP7zc2`7lU^Ng@v5?!Dl?Qh*ylkgINEz_B}uR+IO- z)V8u3$*CWFR4&PQYWGsKLuQweu&);JNRP&eS{Whj0KI3=UQqBr|C>ZF>nj%nrYjS6 z=P_y%0KSS7Jq$8qV^AoXoFvf$(Lx&baxj$&2J6r+5^?X%vqlI}=`LstHaD0i$d+3- z7F!Ak%$|3bI|lb~(W4O~>TMImc>5s|8~g*CAyDJkty4zwW6 zO0^+H_Lkf=@P{Fz##i>|Ou z@&=tDBdBG5@e;fG))G=R{vVTQ`X+!n!i+q3wDev*a$h@W{vgA$+ps0*R#!nY$Scw9 zIift?9GUe9tUWwyh(;CYp%rAw?7xNSqPG-zVOS?=KOKe(&O%D?qCqWZ8$hIq?c((x z=I3RgaukjyZ4X-N8`DejPRjKrj{@DcvQSz(18qMP4RN{4wo2b>NURCf-UHwQ%G`07 z?HG;D$eQy&ua+tSQ+U)Me< zBL)Wit7{giX?q3DCCOny0I0Mnd2Zj{FCu`n={wt5LN{!HmyQ>~j`B`m&5Z0kGb)O6)LyrfoM|V? zTogQNbB~Sev~UJ7eH(w?cC#1_q?4V9(StGV-pF}=Od2^}Eyt<1NkO4I<_JGDH_W}# zl--x~SH~AET>3_P520PqnmnJ>zh#?;^A;&vbOFiFH+*P+F|>`+ZW};)^EHC2_^+rH zMj848tSf@APr)Cx5WnN^Y&O~QERZP^Sv0y^byK&HE!jcJ_Gi-}ATkRK%qFbvQnW;{ z+c(ak{(^GadHu^YviFq_5c!hS+u(?!Qe4*td~rokXZye{rl3{2awxNcF*qhY@)?)`UYigPO|ykhkn zI5+t7w|XBjTX!xbRf72~9Kw~E4OAq%zDx-X>Fno4mxboG{$FzduUQ$dZ8>?Cif3sc zpNcGFB*s;}r-44Ytiq_ZW3>mFULK>P_^i8oMa=26Q+qXdWVxeMUQC=m|Gq_It8tY@ z*g7waY3{n8C(@$iaEWElHCo0y~VU_mbRSCvqEt~v5pO0*N_LP?4G8vJ8R9!HoC2_ zBl}4aVHN=_xwiIXZ`?($s~GCyU`J`6+W62);jZ0;#f1iCxIF;i_gzz9-Y{xjL#I8t z*Nm}LZt*gNrE1$vL&`pQg&DOc^^CFKqIt+R!aFytKavX2s#`Op5YiB_z>kPV2pvnsLgkTxri(w#S7#= zFp+}%+w#*9tg`4k;+T-I;fug#eO@>5+D5vO<`xPz(I(C-3dF zGXyda@(2Pj0Czd%r81kjYjIFaiYR$Dt|e*&+(wC?(?=9%SAqP|Q_|i~!9ixw6CC%Y zow~MYz!u3pfo^sFc3+ndPwPzotpZt=G+sre&&X_48@i$o6FdULn+^K`i_ucH zhvPhdc*c>(<8G-RdDXWHBKHd%tIq{?L}U~o*C?TE6)m^Y`Y2m zl*$Uv7XNMLLJEPJcSLt{|E$-G^C+UStXm}A_DNF~YgxTG{#uWrx+9yXOtfHf=xASN zi%*5RG}qY<*RLL$EfrKBt6~-_6tDgCC(QG596jxvT(Kj&rhu-!TMTG-3HXXn2=X}w zbbSHrwp+s{*c;1^$&Z{DX>aoIx_nl`9Wo%u|E&fN=caWyJD2K~N-F&1Gt}sKUo!`# zJNX5z+zM;B*;=Fb!_cLa57IC*<5gMW3s+Eys#SI{3Jn}C^`cm$7Mc%mT_)o1CmV9ed_gkLfNS7{|DHF z(ZU7U2e|#O?(o+=CcH=Ge1lqG2h6knZ}#}h$qI$ovJUB|EWs^pg{ubxSWXY4Qx79A z4$8Lq6CNUurj^dCZ2=KFu}+QnB7vz{5>A^bH4;|ztU}QYk}l}?iFHD^n2YZG3xFXD zeaZ&l$}hLLl=I7~YvP#AW+E22c4=#yy4Pdt>gJUhd#gvVm+sW#IuK)u5Lu)vc7^tM zE+=!@9-i}3V=mGP%z#?#f%=ZW*PQMY$QA;%%13x_={xcbt$eZZ*!*8-S%OPa#pT zbbqqk1*Q75Q2ij^ds$ngrpA#(XRk0D)v0B>cO3 zs}qpo=CPn6<()dj9^)dmwaPWLxr`KFGTu}g{UO`Xy?%wf8%;W#w{76wG!c~LKB-Ao z5u}Df6O3$1+QH+RM8+UL|Fh`}Jm2KQcOga84R5mZ&5_wZ;;-vd+w?EHCpNFx2Ov=n zmyiwurI!|*&bK@+z=r}3pralS5PPFBg*`3YhXCfpV?YlNrQ%@Y06kmC)FFNX*rLD1 zFjf!>Y-$x#>Vo$@n=)ppYe3=uO+sL!t$9*f1U{8av z3_k03*+=sa-Ni;gLtFUydCIXz?!n&6fC6Y@Oj*cEBPMe&s?0hWtJAr8^UU9Y64*$| zN@~8pE}Vbxtkp*66XAT`z&~>s6{Smak}kWfM>$*M!}FY&gqN4!`d}S(Qgt%TB<|W$ z@AsYh%_!gK)&3znIgbC-NBP{|x=c9*UL6&F9Sh=zeqoLRI?|o0o_CASefnClN`rv5 z;G7$8U%)z4`iD#oIeM0OcrdY11&T~JrfpNEBz_Qa(;%NG? z;9V&%QpCjfP_AH}h3`EM;RJCk^knq9ts+Tm4wR?Y$6MHd=?d>rjr2xo? zl1jrXuPzd}+O-aRZf>D|0%~P`|CIp2oQztnE8|qj?k|b`I>1-ddy>lqk$n+gwm_E` z^W5+1u28d;)R*_mk;d~ep zO&`AG!J(O904#S^507K8rvbSVY$b8@j>ee+H!9)F)vf?A4t|N; z|DJfR=}`mqIp6sAbRAJP<~{-6-|Dwj=0nf>Lp%_WCVowP_b#*k~iWp!>_$-tgav%$XZ|-%Ua!|Nfx>M&54yr?Xf@T*BK(c3A@OT#1Zg1ipkG z-yxamjKkl#;*D>o^OPQrg&%;V`C6dJ!3>tQ;}?;hL0P>J_-T@$HR>v311Zhf)@78> z)yd;5W&ffi1<4r$PAuOtXUI(^7<8(9OXlM&1yNF`?MBk&$RSDJ_&Lh7nIE1$3K1Dz zzo%WY1@SE{7xw#YwVsZOi$6SDS%Z4n*QV5C@^pxGrNUi^sdi(wDGrGKWw;AB3vbWg zmqh@&w&uuXotD{s_3s*cR|wdCUVoU4w2Y`xMU}bVasO#uRxuukKjPCx5HCW z2F(xYp+@`33e(BGB#sIs5ZKfE7v#$+vPD-b&IBwaxfk8DzYh9R^n8Dz@dBC=-6q(- zSnL76k&r9(EwFt(7V!MN7qM6|Vmv;z#eGnbNs54XB9&$wfDLe+6^Nd4=A9)Cd10oB zxnrRl7CA9>5uWm8l5>!iea1%S^sL@@=(a?E_+*uRbSBvYW!XsISe!pyH<|y0Gjn5h z5uvoI!AL1+O%!{-;hOGBkInzU%Er{-=&r~O!+q~3XpONl0QB#ovyWEUnQ>Rj?*)f$ zO>((bB*uusn@SWrbj-qr$8~sTzUyk7M9)_8Kik%P=eYoMwS`MvD6H=Cn*qOP{T(9{Pz!o5gFU9*Z@d{3RwwInyWQUD2S zw(>2@`H~VsGVwG5oJ%DheDAyv0;nLM-QliTG)>0{!AAZ;q`V925!^v^gfv&Vu ztH#}AoPT5Z6#FJX{K$(MsR(>4grp~ooRLJfq}C5awy}9@4s8OS&^2h^EtB}Nt^dB| z1lN7xrPM{zRDPCDk68Z2)04PYu`?IW==~GezyvlSUOlxU)D#&YD2-zzEyip~(GL#i zfu`F9fIS?zIGUC%(70tv7F5EGNu(ku!5?Fa;wr;wQ$ukU-KYSGHPOC0`soFloeW>+ zT`8gWYnr;PAz@y$mpm4P@s1I0dEsa^kUcDDBr`X1yCh9A+NrJrL^VR6$`lK>b`ov@ zoe(S4xI#}_9$y6mJ)KyA$AH<%q zpD==u_H;}iPZYxoj^dnP*%1(#rsj@uK#c$9fBkmVf9WSqM@)3$A0va6ji-1(L4(f^sDld-x*C=X)QxLotxmvurZj$Jny?K>nLavY z{JV>Wyxb>Uqo{LpGe;a5x`(Nw^>P1xunj^}gBv8s4no#Ifi@%FcsLBBbbBk*x=K2o zzS`nrVwccN$sA4%@~=r@KrV~*5uBscZkH@aG;yh%xSubo?A6Ma^KWLqKBBV$047#1 z+lb$fLnJP$Q__6b9^ITHyy=Q7b(7En2w4{wLdq(VP9*&XsT**0(Z2TO^R^J0zv)Kj zb?V65DLrSE^}K=4`~| zJNdB8Kaqf9CIIiYAYAiAe%nC>{9(^^saZbnME10m<3#TWHvg-@Bka2;ge9^P%2%ts z3W$J1>wa%EC=ZT7D*QNrXr9)5O8|Zuhc%enQ%Nv*q4H z9LLe~?5xk9Kk7<+;OFnu2-V69G#=(z1x^7U@Z2|%F7tBT-1gx~(x~16A?SYWL<2d8 zIqzw2K3yO;P{Ei%VshOZU;IpB=1{&sJZpGa0n9I0*IoiZC&(_Cr#GumX8`@nS9WBk z2;j@>7&0v%)7vVi6QmC-=33BY)Fj6I;bQ7vtbAK&GXZHcYs!bkV1N`P<6MrLo8#6a zef)Bb{Rt!0W#6BzSnOl~(VPi={$Q0mrOA3^@wJ~BG;|Xh3M>^Fa6-`S0NRQWEje1Q z5l2|EG`DO-4RQf3i|^j;La&$gG}K*G=){~<_6J+l2zPr37728T8=UHhJeTjKA64k5 zJ@!m51O#iGdolmbsZv!sOotK;mh!|vm5rx;dN^ssAImhqFw|dwLX=s!FJiMRA?BvC zv6BAsoBAl$5NROS9O2gcNFik(vsG;`ItkzJcg6=yEvT`h!D)CLFKeh!FAbx+Yp3+h$Of9-m}qwAdXC<7c9e& z$#(peFAgkud0nKKlEPa%OgrerQ+w~*`I{E`o%c!g$g02z?U@dYCWw;e(_u`7t{4UP z=+DFaqLup4j@%v3A7*#-l<5mn%&H=~$tT9*O)xNWlH>>gWpFVET@W$Y6h!?>G$Q#g z+YJ8y9f0?%;O_i3+k*5Nqs@Ft~`RXn(B;Qi1tsIo&V zNB&3p6~c8*3$^YxfAm7Cc*f2!5^0BTBt|ACh@)8`D#`LD8>I~7xdSXUDm8}kl`e!; zQ?dI-7Ny_;$x^h20j6bmIxjjk9OTd!Z+T)7irUhSbl8SvvY*Ve zx;lWR;-%D-imQw(vLpB1j%wPE zTeYDyB3=RVaWcNuMS#NlKYcZCE+w7Q4ob}eSdA5}E2LF;+sk5_W-U;llqbJxdC8xpkMDV9uh;5 z-G{ifK-I0!p~tMlAnk-DQcU?Coq=-_Gt%ZfCsx_-+o-vCWv|uKcfl0^fB%gI)=B{3iB7|cvZ)*cQPLlbRJXdHpQZ9UUN@hG$bDQ+r}TLpGEN!K z+JJ8Gryk(3uH?3?EQqncBlXH1WDm)xW6^J8vItMhO0L9QxhZ;Iyet`d-Pj?_et>M~ zenao+;4SrI@D8#w@o1$Y1{sY@GXMSwvrpZ0qi0dnYHSTXIX~dXQ2&19ey{V5B?GqZ z2Typd7kA~mXMR?QC&VNY+@3?p<@laFlRWH(tsYz-y0+DY37x;@fC~&eN@$r}r>&$4 zcE$T^R-aW$20~H>eZ+5GO05iw_*b&)>ZI`>$AO~<%d;;p&1r&k-w2*)?< zC@sz|y^zUiKpK$Var3HNS*boHs}w5yRsos{W=fkPy*9Ss&}95HnkcnDuk}-c36<*b zQ0nJ}?eCacEfpM-I-A$3c7{G%$h#%Qqtz34_uGDbcQ$tyu8EOQk@#_h`Ve-a=8!Gc zzV4PF-IvH<#ewAnf8r%aH**AAMt#LVvu-5+YF&ko(G>tgup#$e6N4{|48YbfO@;{n zKF)GJBt$;)=>RdCW&B6xah~ELNo&KROwl3jpoXuEWuA3n@mB>T-5fK-&T(0OX zI737`gE~KUl2=`Lm2}o>IK=?J^W5KCQKZhlxnLGa|1$OeH720~ZBo;_;RFSa-HTd% z`tfBFD3DkW{Q()oE|zxCo>g5Op>pnMR8qgyTTufnN^+MV=3Iq2Z~xrx(0d>S>1loV zj0;+UdvoGGfo)4xf3?BWIK`oAR6#rMzLDgxj~C5D-X-+@%ZwN4Qy=S<;j#V}L>S&+ zvQrReN0a_`H*REVwx_$I7hLC~_(UkFOt7^D$oG@RolzFx9{yWv6s2eZC#IFmR&t)hUOYYOp%Rz z`gxC_J4UP4*=6^~e29)(up4w*qB9OTAHF|P@p&vGKmv@Xus0GO*Js7&UUC{?@#(ZY%17W*@r(jvb?T?x_)n*{xqpyFGe zZE)Aj!iAa7Q>&1AdAnOFI+QQ>a-7#s_NqhcR|j=km#m!~*#B9)>|J@;pK>!$2xip2 zOYSd)?ohXN40D&inNV=cVu%8kUy4rEJfc&FaI+D%V`4%}F-s{DPj9U4y?Ioj`5>}4 z@jr8iDrilbRf)0LKN_Tqj8n@ci;_&(;w3zPXG)U#3$rIkd{2j{r4G;m`)6O*O#u_F z)TJ#_v$_6`IzHK%TdA}Irb8&UBMhXQsm(mignI6(PQpk_`O$*qtO2mwVGcD=5?c_J z&*qIX31*=#R`l2~HWJ?GLQUO`su6E(K|}wND~d`&7F?ra2}3g{g}CqQ<2o8|tHgR5 z|FkXya~SR<1o z5j4-W+9=1Sx7A^KZVdR(#YDbY%+e^-_e~G4ZLZY~B#O)j+dEESZ&Vto;Fp0aEib|Q zr-1*wNcg#q3GyW{-lWMW$i5&p?_3r^OPC%68*C^J*^Xa2s9`l#(gy{#S-iqmvyF9*dWMA*w#oq!wjzJFC%wZb^4K0$6|wA? zYYK4n5hMvTXBoF_)ZDrznc+_FB~c=l0B|JZ zM|k?#*dEj)!ZiNu`O&j8PXXe0dxp^iX?Jo_8meT}OvYv+4E=*PDIyJ{P*>mEVw3c0 zuBrxvYcCdVcV69JVK-UH}LQeU|?e|95((NXa{2u1bU# zN`kqsSagT6FOCu?lpZw1$^9P31Aut)(0%Ggifc^den|MET~Guc4r>*&4^iM5ZTdGh zBQXBNkJ1PQc~bkc%!?@+Qzgou_<{QtWfZ$s4a#HHnJx#k8@yt|0QRqBXo?FNXyfdU zRTpwG1o1ZW;Vs&N{Rltz>gR|ev5jc>$RUNS=M5jGHmnb>HV$4+oE%vuIRHU~u+$pu z88d!2Cw8_;M_A}tsKk#clF`iD!i|YqJffTPo5jJ=+Z$_7rq4@59&cWJIp5Z_7+;(m zolZW^McI;(fz4xJ7tAO133drD7oP5qq4e-npFrc>N&y;nz*ByW>WHSU{&uj3rgjdL zAQ)!w$Cg~lmm-aiglm_-IsmJuEYD6(O_zrs8sf2fp&#pui6?XE{LPgE4;QH<(6dV~ zR@`iUchzBWtMdNFodaJ+Ud-$fil8e3!{+AffTiG0lhD`OhlPv#7rrdJ4lr!>>`Cs< zEai%}(|Fl=juqu@=fs>NUAZ5^GiHm|fQySDJ7(*{m64O5H(eJu8ZcE7nAkAqop9W; z(N5f49cJ?s%=RvH9;7}GTW1pUpHtrzQ@z&V57njH8JTnz#K%y<`1W+G?3YSxT+(@~ za8kr3e>nD#4N??`cP3YM%T`Z29j!t_(yr(6UtQYtq2?Is`u~_41Fzl>Wo3OtP59MS|Myxf#fDc~3u$?&zll`xzmLv`v}Zh9 zRqw8(pAi@{{97YC)Aej-3-Nuh{a#;Y8>t6HpXWE5e~ZRj5>iR1CfU8Nj)X5ml;u#^ z9fhx-#Mgu4+w47cC^;O7fC*W6L%2TLsTrKxFyfsGgi9s0OQ`^71 z={zXIQ|NCn|1sFp{tB29g?4VoyUoOZFQL@ix0w;dhg0IBb!C^copT&EOx?dU^@)M+ z-4vpm?ISHf8U=d@k5)uZ@HHoD`3A@M8Z*I(+NL^yspj|j($LqZgL-VDmZqbzR)AB~ z1nwT4umX}qXqTMdsqYdTXw_k`)4x{3xptneRXAEqkEOq3T9DOSCAPHETV5&3SWG`b z6vDCJiSGZsUmr>aqo3WF;x|mi!PDofRF@ggtsra6&o-GH#2D=S95BK|oV=_~^edO6 zbHZ*1;MK8Wd8SPjo^Dx*O56{$ zsU-oT_PKmQ5BpD}{GR8?odj{R4F;>EqL590zlGqOX|6>^&g&vI%S`U3G;1$kJ~RvQQs8@gaFxRS+=ggp z(U%t0eyajmr)i9kz+r4OZID=0kG#AGFI>O}8Q8`G3+LY~CjC0beEMDI4+zpX1lre7q?Y^@%YpTRx< zn`^tqc;0rXnK~0~A%utOSB$qtAX=IH}Ie#+*$*tr^=z|VOEk&+Cjntfnb-Gi2DqkqWzN!t1?#q0lmHo zxnvQ(kx65n$w{TQsv5yTLgW*>UxAc9fya7oGh)9y0=j9QKWKP1!D-%Y>K18~*@E!@ z#P5TO3!y+`74y()0RMT2Vrsc`BMRamGxa{Y+7w0ghs;=%#^9LpB3a=GQQ=aKvS(Hoq~ zK_ZQgVssYS0qlQ6M)i+RbeET1@ilIF@Gr>ED)3t$bn$8c}(`e@cxaM=+ue zMP)7#IfBqo|8TP^EjuAGQJM3^Z>F;#^#tC}+|gSX075qnC&y#1{} zlRbqjc+}Z-5X%vG%bVtMrhbI6LsYfY10M!fu4nig)k8(deidplWL3ka;l)B^|LnsOSGj64~{7JEwWFy>%??*-&0#r<< z#fZIcpHQd$AZFMOy;&p$TvKq{Fo;&yc{3Dy7fxNNz)?rkK2MRIor!{nhD;zlTyff7 zM~mpyk6K&0!AFT+x)$6mQq4(kphHPpO$HVs0K2)=5<;i`F-BU7qO-r1%UxC2W&Oeh z*yXX}5{zxo*b8SPYVC5ZE9931M%$b_lOIMLW+#V5Kq%hT9jA3TEv%q2L)`Pt+njN{ zKc=rr<+T7-{Lcp@k;lF?E#X*?i-%H@?DlkC@i>1RqBg&e@672#Pe(_`8Q>W)=kg2H z=6dI~x1kieL%z`U-D^4r_am{_Z35tPSHugv-s_*f^DuYs+sE}MYI4GVrKT@3J+z0u z0HZ>{_xnkIn_*NsH8JeShYA&}0=VII`+Tl~-Z2Bivv0$o7Dh&X^IKCGEvR(~)BCnVNQKUjRsc}8rX0WK zpX^b38`xj-C`=uyhw*|WmKEBxU45H|{6P&rP2iIZ`EKk>-S@Eb5Y~;B3ZT{VWjv6o^2-1fqDukG0wY#pPQ#FiY_4fp zD6uXr2`@^QXD-rocMNaSGZAB!V;f1ARY28AkzBI&NK$!S({wS>NCm*rCFW25tTJo+ zBUy{-V@q~Q{iQq)6s8VpNS4-DKSYeH0ABO+uJ|<9oB-t!5uda^fpmNYXV#FQr=@Sq z+ZU21!egnW!g|Bfar=n|kb=0P^id6MPqcj9!#&w?xq+O`Sr6g=w0nu!myahVX&LyPCOsdLnCg>L(r#CV=?<$q9#9F`jct|9)+@lKXtB8~0UwuJ@Fx zT9oi4iM6|-Cie?v3-P7J?I`pHS%$=B0}iabQIYkdAIww#5>Vq8Or#z!QQV{LA=e0V z+U_U5%37fKj&hKwv6fq{1Ys2NNmh&HGDr%7|B1A+?z83frE_fx9RyDe0Urs|e-i|g z&l+o6vi)f57u&l<2fXG3UMFr%8r3#d6B1I(T;oE75NZqP*D%DSsKGNnSo}hb7kh9M zL2Lgkz6S$70mSw#o!-ApxY~wyJ|lwAYC4JLpm}ttZwDpY9@8tw_+VW`Nebzh;oI_* z$}x!_Pz6;5iCiP^sFy)g8RXRVlgh5s`mTC^nLqEHCB9K6yLvbA#nE}pjmlkb zZ?(ncuuhFjaq}8yD3eCiOs(geXi;IAUR|`jP$Xu@a%X!L{8HHgk3zGkX26=wBi1^jRTJ~fURvuqx|VsmhWkQMV4wky-K$vNUn zK8gSRoQkn!9iCrKbpP9G>N)jK?(3OFu^{YsO`%m7dVw@%{o+GE-4`5t_ zn7-x%-0EKi)Wr!qt7RXYv1%IKB`GORSo?B%zUC#7sIAgvSULR7)gooy^$whTF<~Uk7L@+2(KfdN^>_D*0{&KgjOlP{VD!~$#bDcT%)%;7G%2f zye){S$~Stln}NYrpJEGu{=4<+FAHbjaZ1g_d7?@J7y|th#PlnsX75@(U$Um=L&9{KWJHM zg}i39mQ5w6KoP1v#j+=9S`EN{-PC{kfVUEMhu-1tunM%*K~P!q6c#kjs5S!xUf>r87+bY zt0=aqBK7-^@X$dow$MLz?rfnqqQD)YSrWT;|K4@Qc1lz!;gc`cuP=;s{+dKi*OFKUUnhXxKOH^qopomUy4)KE%#N-O%J*;c`Cn(^wG+^4 zt?o}XUN?}4iGKHKITQYIKyKoy6tX&_IKq4QmvfIeig0@?U)@kik05$#Dnxuf^7N#1 zch%G@lYJE7DMd8KvX$#SusJim!9`YPAr4Vh>CrAFz2f$2z1Nrvcll5^Tw|3Bt)99n z(no&!VnwbDz`Yq%Tof-y zdwvm;$;fQ-07Sd@ktn%sle+cmqFz{9*#0&zgSY#q_&-37U#}Gb`2Bv`cjsG;!Hai8cX``? zWF_Vyi36>AP(V|dwz+u`IUi)aMb?jrO0w!nT}>vWg^RZ0mnKnHl$kE7kD1`*KX;Wh-)&tuX-4Y9Qv7-Rw9ltguMkWvER6uDQKMsh9us8bjXUmlM{*0 z0N#|cZmN(^BQ5iny7Im;Ui;qpp8&vlS#TeIc^kq#Wp4Vu)KjhuZeM zQJlX|tXin^fqfY_?gr=KQ>*Z@HayI8DG~AmGTdCQj!L9UqR<`=qc#ABDf5Cbz<1CWMw9HN4OSF!~|}>v6KZ^_|o`f;I9qyh1h(0 zP4BnQyhDIx%~?$%B7O4TvX&sqleN5iejjMvXJPIWD^v)V@A!0C#UEo|3W|r_`xw%X z{dXr}K6>@Y_$82pv7RWgw-6N@i9^DL4`R5Zb>JkLHN3In5d^ z{%(f>GmY&Ajq;<|{P#bFR0$0p;1KonPw$Tfe1~$Q)$9!{Q(Jt^7;^R%Ky=uDa$*vd zJr@t3ga@a6qTIRY5VM-6*<{U-Fd;YL5QFY4I5@1j9;ftpiAKMyK)sBKqDj4Tw|~BF zA=i;AcXaG)-pVE+%M$INr!%aqUk_q_8i zP88&FG^Z!vwkqr2@#PJGz5oE_1#4jusRocDdfD!yYekY6qQWN! zUEZ^M1_+>HdMQc&LG^(DUsnH~mYR>Y z6|{omxeW8Zh3dIWk0FMlCoLB7qT3GMoNNui;kox|`tuI9d_L$EXz40j!?&h3{BTSj zqIfOFDO@i53x}_5;Q;A>Q9TSmjkgLe)W{Vekq-h2mzHdQ`o1CoHlQW#j}D$Ix{uYMp%=_le3b7;$VTo$6>lEmAQ|8_jbvyv)*w`~ch|9uRly+fDSq z4C`C?j7t3uZD`HlI;r{c(OnN0#oAXK5b{`AILM zbmbiO8K}N~T&?OC*=nRNaA(9 ziAWZdfUPB`k+^BH>avMbKszGgu34nTo10G;J$A%k9d%S6lPtB`=4Eoa*j2w*{Z?=_ z30TXJ$Y_FJt`U$a@hO+7{Ko5#7ZDN^5;9|4=_q1Gdc+|i5~|^Vw5>s(jQ>20E#3c+ z_D<22yiv4oY};nXwrv|7+w5@1b~?6g+fK)}Z96yrbIv&D;_<%JsCuhi_0=BhTfe#H zY!7KGm4cT|9aCf%u?Z2DNT}!2HnRz6~t!_%Q&MtT>@4-8TbO3_PVC~)#1fEOHMDhYe@@_n8P=MLR{tr zOYO}lI?^k7cfvS(mk3I?)c%Hi!fh zoJBaYJ&+}ixc_dH2-(gQ7hCeb8;yG*(0xOgl!Bv*6P;^)Tx>02PbmKiyNxNgyBU** z&FjT}jbnZLb%{8aTF|h&K6`ruc-VU|VaCsfkBJ>Q>kZ9qSTFdVe}ONyS&C5J4*|Ft z`}_zfOq9lHGe${%xVA}rZyxR#320_W+&X7KFIbslk9cXMLoQIGd2{n&Mci&KbAMJ;TGF{aX43=F zwe}?R-{F;#*5b~I-`2u_D(5lzW3A%^@!x5@@lYj?2v%Kz-JOuDOFX4N=V>C-cvbF5 z7F~fqkL(elop4L&bo0O&LWx}SFHC-fPRmok(IxnQFBG%TJx#6>{6~#|4I2b)`@(M- zuz=)?yT%OXknYCXPKNYbCuLO3kjpD%qrkEt1gwkAdPCbF8PFN|nBPE#)n1u3P6P|y z#vQMHm%5S6;G;!jCNum%!}1SpvYG998EG4yB}E@MZr6JiVdzfxm#0(Nd7D2^3id*X zoys_LeVVZbLTv~dkhT~b1@L-E5Shi?$7Sqa!rO6N4`GbAvYy5&q!03j-YNO&t6sw< z2I7`tW~v`j5BR^K`oc!i|AFeC|3mdKDCa+@-oI5c!?0GZDLgjyIbtwlqdotw&L(`V zS-48D>$|B&{&{iX*(2KLa$V*9sSrtIg2a}&=Lx)A?#TVRt@?>a)w`rK!-@6mlgL<` zJC+W&QyP;Fyv&$(0GN+!$o#spp0o9C8IvCBmhHNOg2)9p;o!^3(WmAU}ZFr zKiz*@Xc;&mDtEX)GR(7=a3|+`p;59B>SZ4s3UelLGWlZc`)6Z0ni1GYS2BYAlrjt~ zvdx%qfD7b@?{`I=t(O7x2ygI4l8WuAG#({!>uU{OUarZiMne1#pak)WmS!JOS83*` ziySt+xrpZ>Yfa>F0@0WUJa$svkMq#Ov_B?=R6;_h5$?!fN*V6Z4!nHng)mHgq~Rdt;N} zSf{iBn6p#LxxM)}c0#)@_IHwyM9+$#%pO}~>0dT7379WFpu3%uiy&K0p}0pcDzs)~ zU^9-?!l@G-XbTr#D{q4OBmD#YH>8Dspnqk5+=XX@^6viZ^!)BieyR8$`QRe(?X# z`Ne86ZrgwO|KI!%{`Y?U-}s+ehV0!ZypsHX;{QsjAN+r`ykhsb)!r;FBn)J`xOJDNpE{y{H8aR~JH*6e&S*Qv6x?%~>QP_z$W<|(4#k?ryIbi}W)AozuNxesPGuDGFH zE)JMe^4^z`@6C4GL>IEE4-_^|5sCyb4Y3ASdj4)sTmFQSpAv6AtPvpEK;UfLW3v!& zEi=#kM&2l?LH=y@xr^QMq~?|tYrh$FUJfNnZ;5$t#J4}brGv+3D>2+ZgOrS;AS^i44GSbFmlehJ~xHUxR`K~_q|cR;-Ag^kCtH5cKAOnLEA)2qh1>zBdJ3z!$!5uHX*Iy zh6>6D)5t0svs$-51syR+6PqY>bs3Ja(@@@dLq^lnY`fgRjW1wUW3*W~H92l(9Nl&z zs@+;g4|gvvjGHJVuhompqoiPhFjNN}(W(RhW$#0NTzs8rEHv%aFTCQmYr#H5gA!3t zI=wPhK7;Tx1^^EzpjS(=AjOL?S09$B&J5LkP5X=8Fqf_R$Vhd^P})ST7Ejf#f2TM^ z%XMsre5sl-Tn?ud1kj%CSwlE390DvLaOrN&2o!_A z6kb=yzo*69 zUk+tsyXLc`>6ajzVA-TFClgofyT7vlY!=*>LRLdZhHH5nl{C!Kb!Mn%tITq3uokKDc~!EO#*21^^c zWaxhMgj%cuN5C;sBur!O4+@!IGj&b1RGXpE-e?oln6?dxEAp4rrc(t7%8UH}kTdiR z|Hv6!8ZTI#oCT$SGmZn!dE)Q_wq>GI+``2{01g1jfE;z%TCA_O0J6WC(45WaO$yP~ zmA|G;uejRbXen?uc`;?A6PlDZqQq(XyM5}b__aXEkLPaH=SWA)1qe}r@!~S8+h}?+ zv3LUIL^>54b<-zSx7VgM9^%2h1d?AwqX;h{uwJo(&#UooATZ=7)p&wt5TTAG7nIaDKZrdp2xh0+v*j4la*_M*O zhDW^Geq z4zhF~nKI^X9o3#jwy`c}YC)64fB4jiy)?#ELsj$Bk{0 zWEx4e&(1sj3GMD(f*Ip4KIS1E`;u~UL1jyWJN{eIl!T1}{^6qcH2h!XCx8}{Z>~Sx zEh%;1yta=$Jg=h>S%>XT@jz~@fnkY~#@v7{pW2F#=TbMhQdhYO7x+?V_zEZZQpbPg z4owR!R^>XjO|~LQmu`zqHF9bbItoqd=D=5tK71c?u6%ONlGfhR6}nE2@N8N%l?}kc zR|&8V&EuI%Mr`V7Pth4D2a^<^mjwyW+7gGz5POq*J%_66Lwx8(oc01*N?Hv}uQGr( zRqrIsi1fGL=%3qr#4+&i-&dEHR~1j&fn9;>-#wABBzj>eljV0vcADNLg9J+E7eZs3pei6+|>Iy7F}Y0(bD=0Ej>>iu^2R0 zC5F8wl1(WrYbEZ3HlDmT>EA|CyfWet)fmDmLLO}rhXrqJWf0cIoyl_lw6s!L!+n0= z%J095S04&0^c%xJt6cT*d&TRiv*~+#%sg2+X}SYP`iFjSoWnifAg*bs?WaP6`pdM zj=%N1of*!vvPyI~hCSG9t2e!E@PD{qa*rKpS4Hd9FH2K?xE+OQIC+Oj zd^US8!O}&W`yP?6{C)UU4G9qHIRjU>VDLN_m6Z(PV4mR%peO}Qc zmt{)+OuvUodHC@xE>A_vq$N-RM2dRC@lPoN*hzGVA%2~YHg5xkt7C&MM0aERjZ$iv zUT9{ry3cG6iz3Ti?YydIs8Rk`k=b()D0R@Xi*yuh??^B*v0!JPp&UNmI6{%vFuiQF zUd4h`dCsbSfOkq!_9YR)U58!Oe22Fn`m!+MsMKHeCP0B4{udVq|_TG&5NfLhVt{m-NBAY!J`SYzY zx5ZGE>jqI8@Ux;DO02$GHqC9nQaWC}Y3ZA1F5MoNKMPvB`vKzJ+vy;%|5j|hBxVJS ztt~k|k5UezYl4W`kCW{>3rA##m$WgjmeYn}zHc*5n?1bzNyNX7<8xh&eTNi)zXdio zy?)()Z`}u)U%r25c}ov}i~nnGi$yAW8c6Xh2%z@X02jtrMEs4>p-G9)Wz|*?d2%iu zYvySJzC`Y%6b2wVg`ZM*u@v+a&;)bg#qzzmP5L`iUx35w8cp^+j}xfdKl6(N#g-v0bB{Svhnf>20S2J2A?CkJ@ed|G@&0zI`57&; zZ|PW9l6)&!BtIZq_6ijKQt)ls?FEm89e}&6Obi?Q6ulUpAMUQdpgG~Ps>+9d#RJ0T zCH3;PGQDe&F(;Am8%ikDYSqf(DQi3Vv5T(IwG!u>z?Jh$6$sjrA(xl1)V&B+P^P&I zp`mGKv;|1`i9s7+HNxf#tSneyiV^Ds87gnn)b{_lgLTUE#DS6wDv>N6ZNOlj4i5$J3qYHbE~UsBM6n@Pt`K%Y;e%Rz z>hYr+*BQ|@Q(9Xx!Vw}~UVSS>-EdSCMM&n6cLub>i0k<}T&FN@hZ%^ZFnFI>1@0|0 z7q_-lTgaU@AN~CvR+#;?AE+SwMBDhzz9yvl0(kwD;qTje-VY-I2R`B$^5^Yo@bx)j|@d)_$$UxlI6_0tP!9X58GXO0@8$QSc!km5Zb&Y+FUwxI z*ALyRS0`P+XXn!A3laE*W-*Np*Fi9#%>f4!D`TSAbR8M#f9cn<)@P{hv8U^Jm`2cu zQ@qGnV-5L@?aX+}?Kzms8OY_t4=2SyypI?s9-mjV1ZP?gww)U#O&zr>7Vv$do(Pw7 zritx(-%DD*MjDQ-zEUGIakz2?5*VR73~SeY+wUo(=ZQlYpZ6{gM|&?OA5LBjulF`LZZA$=IbS}$P9F(u z-ax)hijpdB?O%ADP=PbC>Y&=PJukI_^k6-KJ%QDr%>qunIlY8GY}*>J7)leHfN8HO+Wk&boP63gW-RF@6t#w|AuhrMDRZ0wA@~qnz6%rs zl6gIVlEK+SM@zl|=F}E^|HXq2G!@dL|2I_;Y~O?eIE-^XL*$qV3Ny@)ypcB{H|Ud5 zI9%U?7YaYZ%VIaKAUh5{3{ZUU)%eMTk;A=n%}~G~x_~7Y1bafxy@l?iH}i>L1K<_l z`XaOQm?KNmgjiFbI|5EUxgB38Gb~skWHC9I8TQGEzT3_qy%v`ZmsIoD))rLy3hkmy z`w)Os(E0u;cv6MCPoA6~_5R>U1--`1DKmy`6=URUtjY9)|S3| z5*5B)3EM^Cbms|Q?^+@m;Ux1ochX2S*#j#U$p;DGh<&=C^#(*7*szHeuTp3T_?o|6= z9O4u_!xdFNdTyvBVqAJCTU4>-JIffB-p3w9PZ#}MYXk!dNbxsH%UcN?mw9}F3mgq+RY57l`aj8pIG?( zf-N9!Ss5Z&fc5t&OTBgkJ<2#|`E2P~s%Jr>qjw+I5ll5<;N`gm@X$aA?y#zMRL8t8 z>#OF2{gRGj+AODb8;aoqakO@*xJQ6tj&i6haUQ#ipLfPCCy)`xZqz*tDDuk`*xC=` ze2l*izM)X*4MxTukmiCbUzy36t*uxa7Yix&tGMKgY&Wz#&FaXl=rZ~tthbIej z6rSJVdV}wI?7;zT){qZwer|zHrEdEhHDDnXxrwZWtce-KRtN)$rL*B2_rI%7|8nod zM@m9@=8`f9NjNddohYe@C|`~Es3jqY&(-e71WPET4UB@(eKW4D|09O`g_@jvvcCe3 z*ycVaa{J@%@b%iYa|8%W$&EB$#@RwqR+uXn+!(08ek1z;n0<{q>q9vt|Br^fDhMkj z1DF)qqP%2D=B@VMX4X?PO;(_4OZ4ED+0le)>ww5BgW0`IE?vRB^9dI$cGdiyGTQZj z>cX>;*K(`D!gSN*aL~he{viyq5^@C}@rVt)DF+@S=kQs70l|&BVq*&2Y{s;fpq`vC z=ElT0om-{400~iwcDUm+bt4wFK4l3npqS9({oPpuPiAgV^McbK4K^myr1$cp0FnLA zh(#V^ay(~!9OUS)+(#;Neh5`!3Zh=5i^uGTC%;23kORa~*FJKvW>`8zZUc0n17KKD zPox-{s{@8_00~@RKVJmS=}B2ey+$!>>5Pg-m#WEnsS@(018hZY=DM%oXDh^Dx=%gVr7K<8N z4HV3=6o`H4-8K`H_9Z7K(UGI7><>1(#Xuqi^cHyUk#>G z;=WUNxP7TRZS10MdBvnpEb*Y$y?3_NKUYDmS?SETnEnL6^auuH%3VI1{h+|XXUIN9 zO{XQ-)3}scX4M>GK4nT5<$|^m9~B%>!ff&%J>Mi;2t^6V2E)=e`u#FMim5ODo1TwP z#KCd^B>Jn0M|YDKie@ogrCA6Vld9HA7hswY9Gtc=!Rbzf zCPZGG>VtO5wcSlm{wsSeJ^Z(lICdM|2U7k85E*PWp6ENDmkyqnJx2kWEksyn))0mO zZWY z<+EU50xnO-k*%D_apsp6JgNne_3RmpK6brzGKW?Ct~3s-;ShBucOGD~AbBmQVXDe% z*tI%~Nzu^(m7zguBo;7V>rGc-k+bW5mxA%XdyW4}?G@W#(d~}zGi6K@Vk>1K$zJuJ zg9@%oN~pl+D5`6R#jLxYzhMQyzkd5Ww|PMHl6-IflpYHofN8|F2FuEASU@&mBL0qi5H4y^KeR}FP#q1l^9>CtfH@T+NA)6X?#n~&Kr{fldX~K zp_3z-_hc*~HQtZq&)%QMut3=gA-6wk;A1m)Oo_G?d>z+&iGVMTgs--fk8MD4_P5t` z&Q`MGJ=UQW{1i-_i)TB>N&dhg?qdxhf$~EmA%{w(Gn8rFK9J6C1;uB$@ zl5On4SLogI;gp$3$63N~fjB4iQ z_9BgGE|#2ol1L&G@Kr#u$jAa?;-pxNNS;nfECMsWVP0qhA)V_3s9U3bG*RI?xRU%< zI{0b7Z<42b@rV42RwDX#&*4|P6S%_X^_W}wZcm&Bb+8LYZka(Nu{rJw1%K#0glR*# zJ0hyRpozrD@&qb|72O+L2a5xD(PMP~oFMZb+z$h;MA8#M(%cn(*}BWDg6s`+{^~|D z;1uDQF$B51=HX)m+-DnI~B70!k@C1taIGlU#WspGKA(CzO zbVhqR{bqS+@l5&d^LhKe#fQInc_?mi!NDa>`F_q8Se;k^aII|GpZ9Ex9Rt7IvOOIe5X}N}Ml771 ze0OoVe7-LAy6$u9%yJ=%j{vDPC4#-j*w-Y_z-n1iulXgXt$W@8eRQ|Hceb>6&3L^* zo&*rmAzlyycp=_9-W6K9fk8+75pH%M8MC{yfvROC1!O;a-9KNo-wUq$imnAY?h7d3 z{WO^kLVOs4vhT6NyP&{1le|1LsNUt#_S|0B^qKI^zEs8EUIx)U%&MRIgr-O~1170j21V zOB|yPYxw$R%*s|sHG=j20;uEtyNH@IkhO|UfZ>ky|3kV0T-_AX3Mt=-^gcBng78N} zmuClmf}^i_ckWrw!sDTT#d!YR?pbT~)Tia0Hhn7&2d~#p=>d}Pw~(x0;n1`PJ$re4 z7-D~=l2N%JSkRxOyDy%ABLWxS;j0@8!9RTd&DUJB#WT_Bb45~5asW@vJM*2*jpt+f zi#zR}Yl4bxmzw8or6%!vk!2yQwOyWOl5PIa=8FjL_lNZ?6AY%JVBf|mV(2<_zXR_* zNW5CZ!pPw68=0^Icz2+I{t@fpyv(XZ?6XXa!6JkC^jfV)S(yl4hj3olnu61TEjgD` z13+3r$aJ$ZXTB(gHb9&b;orbB{Tx=wIgoPdhpgP&ENH!77Lw! zok1>m`pF&41wq;62?50gONb9^3yj}iwsltSk(4c)nHGk0_<;9UuUA6X#*pjW;!$>IkU+Y(Cko9?IQX|kutT#GrJ}AQy`QgcoAr$egHS{< zO^H{JAJCTO1fVzAZ)vWu@C0y^-@s(&@Bzb#r8g2p;BzS$YD9Dnbvq_oBZ*wdv43AM zC`g>!M43xILxmajeWrX^h1&t``dbUk4KPf<4%H4x(?4Ut-PaKqNcm~+zRk2A$v9K( zOVmArkr8#-(JkSTI7b)aEGmp=%U+MUgCcSs0R@ts2-tK#9J}iH#FuK>pZk#{#&t$U zQkC?>@4;Fz8;}=BZ*`vg&&8`iodWBv6)*xPi1(WP>{2# zjf+wZdluyS61;NuQ*r|m8zS&0XTv&G(N*HT8TfUZyMed8o$sE!S+fzQinqN{rF^h7 zIrH_a0cW!+Y6f6PZ!+uod%!iFP#7@KHv)e^7V9WF#7_3vUL^ z0LY5F?*8O8JLyxZsYOI)-9FV>yQyZrt`BPwgo4*}a7^{9uer932k`lquCp7U$>$XE z>u8^Y;hB2YP=5yHH6dwfFI;Q|NMJ&m!fsUP`XxI1?>fl$&a6EHL}{d*>-DSmS=u1= z-?4blH$?^buQ&Y)*NuIn-Kw~5h+Ilj0Xq8pD>5kV7a*IAU|>03h|QYgjIk3v)j&LDYgkjodrnfZ0kjn9=W>#jTG^_^E+ zzL)~&u83z`h;i9NK(6-y3hJx?#FbdGdXz~z{3We&1Ruswg2M7ZCv=$4pgK`865pa@ zob?uRR(5W*Q;BGIR;s}oQ!LMTpvSJ%&3)o*RqQ<}R?*7Cqs^)nEtE@W)62;|V%ax* zo*C2)V_RbF&6DEj&bYKH?*BGxq?oH=@=|7}Di532*_YqIBKI8msv5E; zSZ@Z95t?oKVE_QTu^&Aowjg-FD^)tf4lEiT?LPiFZ3_vw8>?|tw zS@IZWpd17bJf>0W1LZGHF`2>2?E@I_5gJ+RRI!vVu(PpO2FTCE``_9A`$>lhGxarC zS>eB;ERv*tLoZN9x=$9fh8tvN{ubB|(GhQneNCXJo6f&xjC`S|y%srfPK0$RBWBRH z+y+JF<#qx1eP*!T9hEJ9p}cF%$Xw!BZUIJwkYy*pH7aDn_^^Z%w$43~*@WSIe+$An zyA3`b>rFIlxQ5xBsdfkLf>cWiaI3!2V)XR*RqH-j8@i&;p;_dtKM?WXn)w31QriBf zFzR{^Lb0aDE!1tRIFv4iw&G_Hg~@aBIs4y?yL91(9A zHfnoSZy4|t?@pdL4U}>}^g%|U+>ZpGPaB_up!Ox6{us4==X7yw+U>Vuh)>(|i3LCL zkpR$h!~MY^C*Cl`lrT`k_ax??#>W3qqP4>cN<`BaR%DRvy;Q#AJU?C~Zm4-J*Lnd# zkJg8v?uF8UY<3juc@b1Q$e4L*W*-eVJ3{F+Bs4CO&S|$~J-%t{^57R-q0{(e?u9sc zq}2t}VktB(wE`ugDd<)HZF#jpI4=^bTLp|e$W*uqLm#X7+>s>+9=`mkY%wQ}q*VA) zOp_dscqQ9MX0}ZgF;kL71+_lFMYk+OT!m^#`F?l3*WE#D(FT$_PZ7M}qUzhj>BmP1 zSiiKB_%12=o=3DJq^Zx+Z?SrHADv!E$*rt4d_I=Yoe16%O@-<6HiqU*H+Ss!>;gn= zvixcbDQEr5tvoh{%c2vmOhvkzx?S2bsDDG=<ovwf?-m)Z+HvWzWif}C83Eg(h~g1+z;$Ym+69TMLt3fvi)J2R%v zAc1W}n*q%?l7!_(Z6ZBtb0(+ywgb?KM120VYxBNkc@0;jaVtC8f1{7xjoJ2THpRlf z-=)r{vqWSdZ&ULOKT#1oU zz?-eqeVRJ@#No}afMM%hr3bM(Wy+Hi!Je>R6lH)>(pw?7z`p+HiSHa@GZ2tFe`SFW z@%b9Y;9Hk9Je1!)W0taInqOCY-~kie1RFJ~Yl=rUK z=1Vl|`5sPCN!yzWe^S!`{0V@7WP~#PGc6m|T8EjFhD)H;)!tKo?b9Q01Ijjop$M0f zq&JTmfV;@4)@jXb>O`;17Cqtt`|?&hh63?xtKL6k;l)T!2&xA~y`2|p6ZzVfioNQw;HiZV^n`5KVO0FHl(?{S-n zPq@l*c2(_vCg|4n zy=TVzZpXoKodgIlRRTc#g2`eZz${2Gz~)&Q|5^9Qc$TqGj-l4X0S7T*U~Q%E6+gOZ z%4~k50%I2#hv?$2LGUzi{WpXmT7FNT77-1u{~-XEDP8(i9~fh>jKxK~(dT%RLa7KP zEG>Kl3pcm8UNWDeqqKNuiS>-)xpmTga*D$-XN0N@Do)kuloNo-OlGYyrkZ>Bp=uo# z5p=C|@WYnAa|$&%bLL@+#Faa^FKvuf7SysvrN(^Ek3}zUdTmWwuIbW zNt)beiW-+?R+p?!rONaxjy>J7`Gw)O{mQ7>BL`&HOccVTQYjs;_I2s_^n{vk9$W-Z z%V2AyR$2HvSMPZTCKDu_?k#O4lCv1xP&In2sx1jg| z19W${=?=nsPN*E7^7&48# zdD;Malb*xztJ+G*ASQGN6Cc8-5Mm8>buMSb z*)^!UGXI(E@YT^#mM0ph7up=bi5GO4UEL6!fuqz7f5(*Pe z+R}D$qxoDhl3v*q64&PQO5TvAXR6-bCM^JO+7a!v(Z5hfZZZqiK(6moEVBTU9Pw?! ziNO&F7E~NL+gBnGI@d{TaeQRYZdVR3>beg0>3&OZx)5vU2UV3+W)1t9%3>1K0T0Hm@Rhwwj+WkTGMSFC$B9M3rpO(y?|8s4n+XR z;d7u}iOt0I)yyAKE@eMD+CYZ2a8(an?w??ncYa-w!sW%}teP14shI2@eh!noO5LMdM-vUo1%R$#5|WUJN?0hAy=-hgq`m2*5UT zQC*%9-b5i*H_5jOuSN)MX0YE%&3_U(d?@Ihxt42`Gy6{%S&!3d<=JOZ`dcNj;&Bu~ zGygr-CCx0Rg3IhdqypRAH4nc=P(ZSV+Jq^&5aCzd>#&>jG!nl9AGG7obX{+7E$Drf z{ruzhonFO(Idz6wJZx-ilUuV3JGz_0=e2gsBQ1iON%BkFl46Ww*?8ZuYW)S+LiY+r z2MRuOveiYCD5}8OKl&?`O@cEk7;t#5yFv6-Y5A|BE*cFePGQ>5CtAnT(a)w|3xg>W z_x>Sn_*GXY45DE7B3!39#kSlT!&M;)E6jK#YZj1IY`j_@Kwx8FADvp%rJrMg&I3sR z+zuKF#IDR5pUAne?mS>DmrxIAJ~Yk_z_OokBdcz?caXqxzNKpyTX#4ePu!!*7RZt%QW0zt@tSk}+I4ttw888a=8V*ht<4629&?+}yFm$$ z%~ONM9BrB90!0T^d}3{)Rm8ACZGhOC&9i~~c{kt8iu|+Rk=A7^pM~4++2GfRC5t3d+!LOhBbLKm-Pumoyq( z5*Qh0Nitk3EvI?dELYMdG;8a>-WJ`Q_v#z0# z5Ah~7fMyHNr_@2pXD0bA)jqb;r@fsWNX^%Imm~~bodpP&!iy0ASNqb2Fhee4evI(G z>}6l3i^Ef)o4DsdWw+bjI3^-`Z9|)TUmC~S_9(8KxIuA)cuK?Y043qxCeGIOod^<% zIqxVEhhNanJhQ=ge0}(~Di*d7l}T%XU7b;0D-|l6X+Nz3`Z;p?-JhD+dES-IJrI)TQEOz|Ksqu$(K z&caXRxTTdwis;6zdXk&`p(o)kV|d*-*c>SbZ}SUJPN%Ha^?XaHBgE(4SZU&OGi$d? z*No$2q5s7)MvxO-DLxEtzfjI1Em|HJ)So5YQd`AytFRTY4_s;dOfVDm6sFhJ{gCEM zu`Pd%MPDkrHahl*qc8m5f8karc=<|GK5_?7F*nOxK9}sDCkB$2vgr=dx zy4TqzDxeiM@mmfYJumquiP#+{>e5wnz>9xnmF;I#xJ|#1u~`t*+11e*a!3yDZ6A7& z=%7DD!0-d`#>vhcx};{2-tEX$egqWDIggrXEW6!OSMc( zhKAmdS)V?4Yll-%{4nl)_}OiA%M#(H&lwI%2?IGM~PPIKV zrOikiZFpG|7r+;5;540Pbuzht7qtwG`i#=cCxO_yAyn{Tf;eXgYN!~!^2|=kup6Bn ze_aSfC{FQHw1AlB1ZRJi#>4EtsxcsCtbOOvAwR3IIJ1w|iDJQI4b*y>IFO2s_Sv%_ zSt$iDG{~5jfaO$(m4iRaX3C@)yrc~Ev!SFzZ0hp?O_;vN(K+`8AC~qTifHa~mz5Y3 zP>NAh7pEzzq~(@&!Y<>Hpp|_@>R!iKppCR@K)+TWbXtJ13T;0-#(nup?Vl&=9!^c+ zt8O2e&-y|PNIPQWw^$YXT&qI#q42HF7~%ouuH0gnionVnPCVBmiLVgK=>lB1mP_1a z?}n1)@IQ%pBdnyWFz5^&{mMEZX`J&n1BFPlw^Z0*gx_Ua>JE@=nM0UYcz)lRpOWF;HlSS~TPko1)0cApHaA zhfgl*>%-AQHwU9Q6wNE*y$5j6buOm3 ziDUMkJo_@URYhUpk&YsuS+)wQmo~yN7qHthPf%iE^0V}K%+Y!lfXyPmX!mvvW4Zr74FL5QCSmsyX?Ql&we-68nrx8pF{AW zQVz+A_<>s`({FEOC|UGpPES(m2xU@(*+sX<8wU5XL-~v3U#A7J{B{@{ zixlsey{jztC;7EpDMfn1Uv&cb2qn)SJ-&T%T{ela(+M9Ewcfrh?5GsM**UPG30<6I zs%SRi{+p57R$A?w&HQ-3pgTU8v;i{BENv9yrLj%rp%~&Njs%&z|z->nJ#PiQ|N?(?woYjQY#UV@Yati9m`hj?-z0JdpE_aT0(d=$w!Y z|L{Rn-d&!kXWXG+Fx(2>A8Hbz%(Q~Tw|&R6#AC6+q;t^_gZ2z2p_1TjMQc71jv?Q> zf>v_1KG6mR&vaQ$590=a+|seeE2f9Qb8f6xK6;K`T6O%pg;V$4(FH2qScX~9=VQ2m zF=Z%Z-M5;_9=N8Si-3ZCH)!-GFnMKlJEq!`AElM3W`e7m)bCysJ$NoZ8ChKYVu@aX zdwco)4*2>Vnw_02(oczgcU(7IN-M$j?EAcx6?G~fv$BrZ%i##1c6y?0q0#|E_5Kz2 z+vK-Jti~o}_43Llkg$rHbSC26^Lsr=^k1$o zkZvil!jWTyj$*?Q$N8*;!0-BHM=E9Vs3e+(X6a+EHYK5e*xdK=76Zy3#CQC84jQWZ zkEzdquZ|=swy*I@)S0Iyt2%O4D}+571-sjRs{GzAOHKu#UJ(MN+GaB%ufjnt+cEi5f|>og!%ed+gx&B1oN6Y^dHBxDBF>I_^k_&+k*NMs6_7-X^yP!Qper1ST{+Q ziN3nai^U(H(~mG|%7lQ6!Vc0b^t(uXM?lW9z*IA!`)qjqw8Gv$-7Ix4G&fNq8eh4z z`52uYx4^ctgQA`GSAXUL&LQfMtV{QtlRH6TXScGXTH;1woLzj|!VrfTPgkt~Wf zI^PihJ7Z+mYbc_PNvS)k4(?NxjODn<@vVYd+rvDXoEcra=Z|6=llvT@kriHXG4Mhh zw||*LZ#mCY^<}qXQ=OEg7)3rw^q=(Y6ll>2W||v~cb8G(E5C#gvcpU>?tM)|Hsx*CJCOq+|8>;|2N`ZJBP>EV+n ztTB6+aA+FM1V!TE^7T5MA7ZEjx)M+Cm3jK^ZnHE{+nHgv6ZC`b{; z&SWlBqeL`{^OVnGD--3J5VmBO{mD<@n_RZL9SnaA{;F#zedO9nzh~K`y54u?+w;T< z&BIV)?79!x6g-d7I-)7n-8T-EUCWew6L6-_9ZJZZ_+&b*KwXv;Y&PUYE@%3mS z7ZuxALHd0r=2FF#0$z9R-tL#Md%GSHdWh6-cxE%JSH**!FJUD+bR}K4lFnKyvGq-c zCNjgxh{k*Xelnxvv~B)v)>MYlSF8+TxgCGWP;KX2y;s|=rbv4(BX1WY-&+N)?YtCi zBfhn9=mD}m-?#&K) za~+~N2>KSr0d{eND1d{Cg#GIB>e5yiae*xmL*ZWDu`eIggu_vs<{4kGA1_|}%szit z>WVnEG@O2=^6zTv*!>c2$}YJn2mZ>Fh16TwpteO~NZZB@3~Dr%0gII_1QL1hT^py+ zJ*cXMcbJ=etb&H&VjT#!t+LnsFJZ6y#!y3RjGEd21@42&GoFjdqE@JvYD#7^_Q{5N z5`AKP5*uY(@CHb38%-AB4QFjV`e%QU3HCgZBbQEIX+Pq}t_Gc~b`ZT_|MMS2FW9ek zvTF#8Hj=mxJ0zuDwXSt}6X)Sn>sb;ajf^Y9Hexb94g4`M^aLaZ=t+UIQ*HCRk8xT_ zeDOD8FF3FV(J!g}_1sig=&K_ZVkKv0ydoabzDo?=ZKUM-{i#&>Q4;I9`xk%rD$zrB z4#q@MN*crPVF;TTyG#?XDWww=C}uN$`~ZW70aih_FF+>k1%oZW5Z86Ivsd9)bd!-h z@We&2)mwKp<`$8>8T008HGO8Y)=GlRZpY28O8+NuRJ9;g$8h)A$Uv)o`0ut!}Q-7zN9ZQQrLS%I2%wt6jgFUALS5&{qM`_aJ=K)Bai@ ze0=VG4VfJN+d&6@-rXv)I+8R>NDg1sflzAS(PV+tgZPzoDl5Cw#@2recFQ)l-mb5- zFkG!grj1`SH64eBrkbbtJXRWQkQ;^2eLUhhU-A?=5VYk$9HMbWh#8OFns<@J={4^x zzg?9!T8cDspy|;KEg1YbJ8o~?IH$9DCa(n(Q1fmkl)~PCd6A{U)J5TWE@pGMbYO_G zHaHtt@8I_4TZEL|5%t&4-?Y%J(jT51E^|6=8n?tRE{n6-o;PaRl~d zt3Gh|QmK2Nt!$!&F;cNMPmBa+3X!_D#-_)mK4;p`7^@z;o6&XgR|o6i6b)Z79T1V& z1~JeF@Nv2BX{HDBOJD!BoIc?vK17646I}nU= z48Gjxnx`RVQiOjXLf?@b(sMD1QxD9cU}p{1bPz1{@as*qvOFBIN$$r0;LG_HIV>j*7&ufATFf?8fZ-DV-N&p!^!T^6g^x+i@MF!k4sFQf4oVgmY+e3`oj=v306EP7)|$ zXS-hbv0dMaUY)UHK&O9pui;sJ2T7^JyY^|Y`whS$LSzQT0Ty$qfnc*Do6e4*_j72Gj@fC{IGwm$6?tn`M!u^GsTQ0NXU>88p-1DphF@{0RR36DxmD z1HW<|$X(-L(?HhryfwL0d1mT*C$Y+x!7{c!3|Y!d9t)ae!_qL;N{7}Y-*p?7U2@ml z5i4xiCP4sd^jZ>Lf45byU$*M)HOJAbV$={kcc8_XrHwYYynJ0P)trfO0!^W(g7Gjfc*6d2^yW1!neT_~yJ4#<^Ic3T z4VitV1{G%UJXaK6&%z@frWdB0Lg~Okud>AyD1@$qP^I8AetYa16RP#MxKn?FY|KmB zB^p>Lk)0>SBu)*zMq!>#e$PWaa6n7K0L$l)8(Sv|#xfN^_HBe^fQBlZ3azrRN)P?^ zln3TFKjgj}vcLYBl|^l`J$nx7o!%_1GalQ7A0Cl}qm_T#-21!s{dMTe0O-r7r6+^H_h)&t&|K1C#NT=5N^=jP zRy!@4>!dxuXh$pj4S6H41ygcX;=?}u9IagWR4hn8hFVt4G9sD;XBHl>3rLzUo_e5&~;#Rf+`2J0N=@;b(VsK+4cSA&03oA%X_o=!>i zXox{TM8>4DT4f#L{jf1${eTqpt116?%1#}K(=DYE?ynRpvtmwT7jqgPqK{E zTK;B&&)7^xMIzWpgj|1P4YmVFw_!y+~)I+DdmD-gV6}Aq$iiBZyPXOpj&iLF_mXYxq=lgS}6V3cJCc zpLO5PnlONz=W)mr%r(JM(UoeSAcN(S9b>%R>3QHCzN+>#=)r#@p#j;l67yn|#9>lu zmGoNj=s8b#8j1`@kST-ST(pU!n|ZH3b5p3x1e~^=xu%kujPjn$c$kQ2{KEQ10gF?HWFj>M+vs!OIJ)etzLhzQLa(rNAA0kcgjm&77%8d zyavs68;68eJC%ti*a605xZaDvdnE+!HM^U7)(5R8-}O>0mh5K6i95p<)vhzoQa!C_ zUB?x0OOl-@;k=Rw2;b6RIS;qv;I3i+-3huDLMeZ)rj6N)0;H9sL24aGc@QKYjm8Zs z(NHWCgZqChH8k02#=uAIfWw9pts5ElgT0^+he$n0*2cL$M)bPNFrsH{9D1*-CJx#@ z(HDWR#g4sWY^U4DP(MYWcIr^EzE{m+V+!+N?~kGBN`e`CRwAnCp=IPeE&J=L6&u}y zK~A zD?qBlxSIWM+@edV{8oms{V_|$(6vBoTG1;jQrhTQcmvd8EQnz$tZ!R@F7Vkea<5^L z#@@rjsc0vBfs+cS91B`O@oNms`vLO`Fsaz4wzz;FBps%d3siuVY}lTPTh{NDdcfe9 z-2s0&!9gWUlCT54z8k)%RX-b=8-ECOMf6rFsg(d|rim`BWPzF(XP2ixT%BCJ(Np?6 zzvh16-G+f}*m_i;HZIC$G~?hIT8c}XX_nN4o==S{LB}RNcf+(zEgHePOu1e;wgT0o zL{3cVgF0j?k3~v?K(GY8A4;!mawWoYosi}j-MA7zRv~rM+gx2?CHDl0Xgt7U`p|I8PsZVWug*L4xR;l&nH-NH7cI7)5~FQyQZ;gm z0qqRfX_`ZwBB;Luk-+BhK&ixl8k&E0G*~WJ%0%!K^w7Z1%%e@e!h@ZV4%Pv^-?ZQ$ zlEGN9aiR5U+_3ncP(RZFuXbl$NkZ!fJqw`|^c~Hv#2s3k{o(i=($tKg9Q<9$l<^{; z>Mz2QMWYk+ckh7)K~avE=UF^s5o+6BBc>wn7{2#!#ESKMOf#O%!46z~9%_FDZHvso zk?SS#fqD*SFE5>p6AQ(LQ~sQX?~D11I5T-oQ~rYIT>njA_bd6`ol=n*L@U}oQ9)rD z0>B|^x2iEk5L9Zy4gOJRy&HTsvKaX%bL(pmkO zn$rSR7*kh_;iS873b6&ZY}26%L4e+Y14=C^XeE9jLuJf8Cf_K>sOv7B~nFK%55H88fOwNYZa^2i}gMjy4mNIY_q_cj?O9kmOI*>$p^krq|9xyz=DOB62Z&Lo z3k>!79PTw)L|ifi17L)HKTO|%s0fY8$j7TGKegTFsnIR6lnR2F zo$JKcY^$Rf4sm@sIOJl8mkd!~DgcHMtK*q|&sS0cUkg9Mo||BgT;*{LC6Z;N zNuS9XU?WHxK>a{#TE73R9+=)dXs_gNn@j&csBmBBbw&im8q2OL5Bc4d3-eGr4N&i) z0)wEt=gC0dS4=4La;>x7^4Z+fIB>{}l~ZhDmxHobDGGnkgq&0uW<#)*x)$1U48q;{ zPXy+`<>CWQb`NYx2A2#%dVJ|C35KAA7b(=VKnta2#pN)F`MTLHsfpALa#IrZdg>uv+HW%@DEBHhCZB{@h%P}~xquiY)GltOaV`==Hp(eFO~CTS zTzpS$PD4LAN2dl$i3?8`Ce~rx*j>?8)%`4bLJ{QTWLdQ|UsB3`ykP*&KF)gJ5?Eb2yVGuV5^bMBeCqdGf?h z?8y@hmo=G@rnvxPPuP|9!Bpt(lq;Kw^apk+1p6y7Z~twR7Fu$&L1W8%u~2_tas=p= zImF6flZY4xm!NU7UWy!^hk?j`PTiz^y2!K`1^W9yO>IVy0zrW!0d2Xito)kC30600 zsJPLA+Nkbod4fdzo>j*=5x;!%X9CWbDCjPwq>UWLDD45p+cz2f8eh{?ewBC74Pqbk z^L07mH70%+3G7>00$@1mR26^A?gr6uAO<8m)t|y!Ut98hJO@K;dn~hdG^%D8!wq@d zZYz8<_sj(cgwJ%#R4Q+vy`Fb92^lb8bZ>8R^y zV?FD10vIl{^k6LzT>_$O6R>(^{S?TEQzk|B4s6=U-s5Y5z79BSV|srGrc&jKK=yrj z)?1**#a)^owqKf_RWC26JQLAz!s8k3m}#O#q00*zO(@VE2XtqRnRSB!1=4pwx}}-f zu1uLMuyloKj1By`HkF=*;swSR$c1O7z&!Ypw?!UqI~PP?I;9pV7|_6PZG&DkF*jBc zXUzoEgn~hvrhJVR987<$CU`63X++u2@|GK% z$5zYMU%?oae5$vnLP-=RxoFak-u_4mg;T;93c8ODjlIxp4Vt7CnPEMT7-Os(uw$8C z3zKhUJreq-UVvFYzV#ywHq%e^182Zq7VCiX>eT1;LZ**%+uMKEUo&S+RJ3eXbHOZt zec%wVgny_Vz88yarziUEbfmr)1ZrW89piEICS4bRPlnqs=lG#E9na=TJYG0Tkr#7J zOPk6p7kH#`*>eZIuRU0w9JgD$i#8X3B#WF)(R0Qj3a4b}!H5(J)aSnSs)B^Qo=4}W z#&hTeJjBFIgj#>ZCM7d%gc%uOw_$`;NJyW+aLHz6#lML;VSnm35Y1ZZUQ}`_kU+U| z;VBrdzht-){kExPXLpc(Ku_z|^j)m@>F&$qfzt(1?gtT$wC#TZ%)Uh``{2vTc8bUR$?SYaMQvfbjWA>quhV zpaavs5U7EkQ%5)KdxhpAWz;&tNQjipY~E|RFJgPj-PCq`zDz~xYBq)Pl%1Y?s{`=jcGezvzX7;43|6arlGl0-ubCT*s7RaORdsnwf6rx>6PPZmq#_W~$Pbj;W;{t+ zY$l?(m|=fNAkQYE$?XS#{n-*hT?uwj-$A zV21!XC?|T|ciP_YXm5B{B!sy3eQsKV^km{)Q7%OO8#U&;X+}{Mhx$G#ZLrpI`=y@5 zCK{}b(O^|N*!S6L^+6g#dNrr`@!~Zc9jLx8@P~f@-7RG>A)gnCFdRM_1*TwNY!I(% z9XBP02t;>F*Rh9nhzS ziF1D`6KH=+!Mfe^Qi6#{DN@j&Tph__x#l`VM~#X!Nl9j;{Yz-p}$-${nMNO zVl%9-MhzrA6RUGH&w2;+&{eyGeJJyLXZ2Sj%yPNROt;xlJFW1NhXhHEd-EgtC!bp~Qc* zCTMoG7zPsE7yO1WJ538Wf=s0^t;Xz0CJE8^xjW@4fy$%z$UD`4IyQw7wfK)dY0J8i zorB!CML_R+(4M21GA)h8S;)KYdhAp*2bYa)lr*27Tg&?8MK0Uc-r&S%Jkck{q0^CyB9M*rTOca%tNZnbpgr}3DjMDD9bjo%zG&FtF+wHT> zLNy!_WS?p(HG;rsTTO=^O}_y)PW=o~<{UAmk`YmAyWv_KQ@}mHDa%dZWH+h?44SPm zxI=mj<$S@o%k@XeI+yI|;_CF}(ec&Wi@&^k_4dsP6j`rGIy59uzm2H=TofRYN9HQPQx0&3vACD!nKA1Kt+R;qw+|pi4m%p zni2sCE=Qc3Kt>9^(mW3%0<7t-Nu32%#`yNp02Ai~;6VdC5T5c{>m7gVg;sGIntDn% zA``AIIM7*o()$gtDM8-Z(_FD+QMO@;m^i;hfVq3Vjz?hMmh%7*?m~C_Wz?yz)H58B z(Y!-|;;vxDNLN2w$7pOnY>hIip~qWU^6UCE%yk@3`^5P{a@OiL+dCla5D4Y;hDN>= z@|-7e%C(B=(*h~Fy6}JNH59*nVuJ1Zp#2KlF!pRJ2l6EXQnkd2;d7$;G?>dh`0- z$$wp49KAb!dv!8g`I9f5?9aK7nAlCQ>?F@b|=+ zM`~&zyx&)h&tnhMMg9*;w5KV!8v6Ya%lwcOmHZ*&p*R;=EF;?o){n7c$5?KX_|0SV z>th)E1g0)=wD_YRz#1-5R`fs|daiXsJrBTz;`jEJZs+nglJim<$&T&k3GmjMk;A%u zYk74E2&;=isuP`yTisreUo=Ktl$**|4j*yT$0P=0PQ(ID=fR~A-Kc^ z<8WCKg1gXrMw5fwhcza#8+7{whRc63mbm>p(6z~&g>Dbp0+s-G888R_YW;l4F8dHY zGSo5wHs62nITlt{AW&S^%b*Hn7(O>k}xTva%B`2r&uA_C&^)soQJyK0M$3e^HpyB5}^!J*F$hg3+vqJ-C*BC@F@%X zl$TWdmbrp>M(r_N^bQj|%F!hg|DMlQFbdv^^Ch?6r4$%Gv+s;_a~Uz7=5gB=-S(9M za@l`)L>{V37$79YMHZDpQp>TgdT+8Kh3FmIrO)W$BF(b}`pUu9ru=9wwP3F{n9usm z5^r*6n=hWf`|;xS7Qt>8RqJub7`RRLpN&n~@9cEgCWdh>uo4kORtxO2>zZdK3Cpqm zps8ETWXkqC`(2<*;&#dlm5YeX!N=h5S5AMkUW$x_e1qg}qJF?)qIa#JwN?<3hPGmm z9dUs75Jv2mNWb@CH1+0l4sTNV!^7PFTd9Q_!6-1vmePAI^s7uGS!fKxdW_eSM8&SijE}4Y7`FKo7RaVAnlA+Td^HNb41E7lE+*w^B1Qdb@wz z4$m{uc2*Cw%SMof3P?V|%)ZOBQJiO3P0T0o$#Rh~8bSpr!cW*qI+j@|py&uo;+abm zu|4WSea=R@Mduh~m4au}4n9_%?=KzBpSy2DSG~!1i)9{y?=`nq z(n*fydiJarbjnTX^*fbLZ}1L?{Fi+f)KqRcw0Xl7)5jRf$Ob+SRo~=x@*8Yvyyb`R z!TjAaLObQn2_eG~58sP48XD4M~&2TBl*O6}Hg{$h&?U{r!LY--XP* z-Q0x-T7qyBCsD|=h}PQb*z&+Y3`*xQoZ2$+Akad6T~?_viA8r~2|Gb+$aid!;4<85 z#e7)Sj>nE&(o$&ezPH?F?2r_QL1_(Pyqyb`w`;X0JGM}T?_TC!YHD#fF4u!lEn3Pg zmuwcNM=oDRj#<|a;}a29Kk0wIC$&2yF2A=#@G^yExnikIp+DRzgOJGme&Zk~2Cpxk zA01n{qfzKPuT&CYn^%%W@+O74V>X?H{prQ?W7`%%W?Q8aQbY`x@!NN#c|x-x2cxYq zLd1pftrSQUbRPZ3!{X3LA#n*9EXjmDe_+bEuTakq^C^j_7 z5bz8y0US#W)v(6J2Gq`|V%j_tW07STlQT1gJ)pWQCUKyesO$lw8A<g?Xk-D=Do?b_;^R2U_<2S3)@m`FIO`nCesK=>osYgnu&fD!52Z{o#Ees*LlJ+aUH`^wy0I7#YDnKGP8fl%pNnnO@9WM=5j)bG;d*u@y%2wa4DF~ z;zm;%F9qSFNUa%C-vYYn!hdg+-ltso%L4naT6eM{N4w}4G9`0j zGZTfE#41-U%Cej&gym}$CE*y>r$r6mk>&|Je$Dw%T5+-#-SieABPA>#yA6fLViguj z*`$5UU$bK5&p`1!YZAA16Uu9~_!!Dm&Ev3;g-RA|#FvO zBF)iXDYLmmcC7_oa{Z7H^#b;T7OV8I$8PynvSOD7GS^%#S7yjHqf}Y&aLULAF-<~7 z3zXtOF8GTq7}pZsT;v5$Ec)HZEQxMnEq`mIGHt`jtN0rJY=={xO|;@97d*)q?QteV zi^W+cu4M?}#Z_)@qXD3yFlt-E*F&gLI#14B>o(JdtmVI%iws$QL!F}z%Far zWu|5#fbm(fxX}WE(A{-(GZmpwif1w0&T$r}6RXjP*z!Jl@i)~L;|bJDGYa5rWP4;I zuaC3p3wA-adKMrcG|$ySUU_n6h<_V>6qeTo>~yTp-|0dsk8_RF?ojf0Vxn&*T>lJ2 z&M5Aio?$uJI+IGZVZ)#}i7d4Ign!2=<1FDfs)%#F)I>~Nd1*U&FB4R#;#~v|cmhsb z8CBcE3H{+L?6T~6%s^7j!C9UzDwt?RCaa8^n_?9Wf5!~Vvr-ju2OB7Aaesv?E3kn# z-5{Ua-59f%BP0bo0lN^?G8DkjGrsVYtxAO;K1`Jr{rjXmI1(*3LV|wFc9DetOUIGR zYBMvfwHhf|%d0}LAs)46Lgbb5ZJu@=K5}~17Ou2VIh*MD>gl1rk%=&#$Iy?}?-o}l)q$nd3#=^Cb~FXziL zmPZcB$eGA_oVKjoOjLN#4$?(!ab#dOpht)n#D6&M*fQAN(qu6bT5f6)VFFMz_t(v= z4NVXY^Qn^5vgC%;)53tsnG%R|kzq!lG&c^SZ%Zqwv+DAuMO#=n(SMx3QT+5#Z=Aio zIz2wwV2}=iZK#wTLyO#G9D2J5323+}wVj3YBA~45$)QSvsl;cIPBd<-4O6DuZ-^RD z23!a%p|#4s5-`m>+_U);7Y4g)Jkt&@wXKcnAM@3Cbx6+d+m3qgjMR!IebTn zc?rqry)GM|SUmQ0Mt`%+iRXZI_%dtNcbQvRk65{kZqTqx;_;$nn|Ex3 zN0I(_ru7|)kpzmJy4j&sZbA!pU&T=gbwHoukT@;UsF=ChM}HJ!EMYrnux7{16+Xdn&cULe{;ORXg-w?TsU zro9H2kqKJytC!=3*|hw%v89-sRS{~Pb5{xA>7j`=&rhJ{ttxS0Cv}H%hN85_qmo(1 zX(|;>pmZR+pnvSxsuQ5AdMQu^>_;rkrw`4R8&4JpkvK@4ePdCTB8f4Jn6Z|cuDqnL zN30rhP}Cby>+?FQnGv&Kngn4G1d6Va^*-YJXEN6>IqwbdmytxJOkdjxsCSx;z|>SR z7nu@~Ku3_i2INT0Kqy_f9v@C6nq&eIe_?J2Xk_A6gnxv@1L1WW;+sm>bPwYT7zFIf z3LwhFkXt$0)gc6tn^qq&G0HG$=niB^7M}@4BpTIn4F=4gzTJ!|Q(%zR&bZ~RPDV|2 zxhD__EVz=X3u(m|X`W#yA2cpiVHS_fQ8=X|p2T(gti4V4+zdBpU;(&OdjWe9D^Q(8 zrl0zmXMcKM7VZ+bsg4$?z=GzjRV+^i;1nZ_m$p{0mOn6a_m!XOCe-%i;k2rv(x>BG zl@E7|K@BdpadgQ}FE`lpqs!AvySYD~UcGwz;}!e)=;Gq&?CSL7lD)m4Zuz$_+0ofw z*q=|&UbL8q(F1%thwwPJ5-5o%B4Q@>Hwf&c+<(%k1-rqm0);56lUO-sSEpC6Pg?Bk z?OFTu?B&Jj*$*dgPR_1c?9Iu=@vEb=tE1uS) zA739`u=5`;&fi|1Ah$(tVImS}j60X9f(nQbwJcC8ETapb&oepCVlAG-g2yJ*6Y$Sd zTz_IOMQfu{#SC;6ORi%DlwHX%c4{&bb>n9RYbXAtY5ppSho@&v(d|j)~!aLnx($Q!hAu}@m>^9(Y>XJ zpns(}+_kWfd%Q06< zK&wz=L~YgW#-oK1HvEDXdI$WTI${2XU?UM5-CPiXPtIOwzS=vWVImb0 z{ZYol_aawp>o?IYL3H#|Z@NXMqjslQNAF=`-QacmqVZJfXVlZ558oZ%-McMOdf?uHL9apjQ$A6ohvwl}+p7BNw zo`uu++EPmIO#EfBSS)^Jzt}FV6))?r@VG&ei0DjZ^l8z6P`0Tba50x#-)Rt5A2F?g zk>kPE88IFzA!~6FNTb6jC*lyTUyi_9#!DtUi^x2;=zd?wsfmAXL##eyD@o|fWDgT_ z_J~?3OZ#P~7pu|(%YP*B-za`t!5g;iQi#$NERwsvo3_Fmo5*W{MbN3hX{;q)URU*X z1rKrmU;d{O|L;27eatcLj{ooMcDj4j`2U?j=OO<8Q+&Q*e|nk8ayiOZ@np(OdKJo+ z(30tR%Cr0t?dJ7|Cr{YhA|pSuNQTO|{GqnB7J!Qkiker-K!2z>7Xf=N5_toh0P>&5 zaf)8H5m(S^fi${8;~tc^1Oi*6^e^PEiO4I(H8E~XtAWyJuuh0*F$gi%bNuV616A6J zHm>c}5j!Qd&V7p~%||dPFO;+GP^ROg(5mpZaZ7Cf>E*@SAGSU8KN9HQ_^-*gZ9U?v zBRbwzptt=@=9m8r0i^+Zm!%B>CVy8pofX?#XiS0f3;xW_gT8f|Y5^jpMw;TLuHRqD za~`0-gq7sjEvL93^`eY8fJt$ycGFJNclHgDN7Rb1okKMKL#U_Sky z#e!|p6E?!4@=yBA`z@@;t+j%fgn^l|x>1p#p5qTLc+?NrnY?MS0_!)JYJVtZ6N097 z;gc|VI1_VP=9sReyWY8Lspn*CQ&}B#7FtAUcvv3E_9ASzEwr*Ifjhfh`Lf*x^ZlHM zqWXNhjT`Kr@GHOy&zD%pty1OJY@%D7S7*u6DBi0^Fo%y`+D;espFYOQ$7bNt4=^4U z9Q&ZHVLuWYS}s%Ne$n^d*q6x;0m^?rB2&8%JX##GJS)T_f*Oa9nD457$X@=&&m%@l z%^!ko&eUuaEl-p|QaBfpW82Q-qd$v<{pEAttgqu!r~jtV&c`DD z_tXDgr&F!}G3f90AL#$5_`R@r!$RVEqkXzyA6mYhQ2a)s?TlYJ*)6PXFJV|LbWc=JHwa$F2W6 zxPxzvizLx+Y_LFY^U6<>No3G)(sM0rhmAeT{PwsFG8%zm8-WHzpMcA_vBCZYnf7VU ze>!?jwY8A({Wi2~8`Jii7mwNIw|aNq-M$;k?1pENh>#Ak@7d$WTkbyTZOqxSXW6$Z zoQj#SaP5#LZ@?AucB!p$qWmKmZ1ygZ6SjTLv+YDqw&CDQu^aeQpr6X)S)5M3^AJRq z$?QG=@Q{ArzL<%dEY1b{KlHKf|Me}~e}?iCnFw>bQS4ht?fAp@`Y7nmcsQHa-G5#8 zwzfBeCtIupmCxgCY)`ojV79;QZhzZjqfGGk)m;mxMfzSu?`+lGcOnfX)DW?Bk(rd5 zcQbzbZX~0{J7@#h`OYR;y9U_XWS;X(-Y(u{f=BQ2cqU|#Gj`DFd{=p3&XsyMVii0R z8Kf!e+f#iel=6Kn-pw@!VC=u2{GaXM3EOUhRKnq9cL=cuZ_wfP_R6>IaEVxKv#AWN zAQNk(MyAqLpj0Bq<3#d^TqInI61m?K_FrwthibpQ7FiZYqWzpJ(f%=)2NnS{e@d#H zl|BfjypQ)y;HA`GeT$FrC@RfjED2`o9}SGlJd4A;eWfp;-h%d}(Iwc%jNi8TM10@x z?)C?rPUky|s+Yy+g`8;$zQK5M!xzfkMtUD9Q6P8IlNb<}-xXQR{<}h%G*$VwM0pyo z+Gn_DBt6DnIXdxgyWf#1Q@-|vf6$40=I>|!Yl&1t84k_kKyraP9jJ0>oWVAzx7fJ> zQ+CgOI6eC>HkVPrUP^4VYRcDL+gge=Ar^AdNC^~YGer1-(`fXZK}%};XY_Z6ApgQt zQOVKwr}v22(td|ls=jvtwriT6?y2dv>bi$z7T$*~%hnlmi>fV4FKk|3e-C3h&n6;2 zuYPTns6%#jd~Uv@i~rowKJ`yM{wvW-`Wtl#O>!}&my zI+jJ6AF>_u-Rco@4Z&~se@D!9JN38r?~3u;uf+IuJChBPSoG01s@v&2%4CrX__eYh z)!lH*>UBEad}#KfV-1hx&G1|CL*J`f9*WP|9_g#gZ%gL z<-hwSwpB^;PL;g&?xe

f>wVk3V9}+e~nMn=1D8>RHkEvsoG2Khw2+v1ggE^eyF~IqGIiN^YxOa z^Nfpe{2so3#8}94f1boCe@zby1=hCx&4DoAgF|^L&5))0U#I`rMC{Y$e`)={Q_uez zJkbA7@p+*C{}%dxXDzk1cc1>>Ut9nGpp3cw`b&em)c-+6{oh|#`(JOHb{~}g)pzwl z`F~LUA3k5)r$PR+^-tPS3|*3=-zp2Hl^>_|EpMCHqQZZ0dv=G!D%2l|+1RJPgnC{DN4)cn;B%|HHSz<nLZD!0W6%e_@X!E@se0Z~Wck2chu8KXv&p z%hf!I^Y+K91Ao8#H>m0V-JJ*d?^AqMum4x~0IXA&=HFA0`Rt;}%HIEvU44B`0mc1% za+^b!9!O-iE`^Fap|^@ilZ|)?5)E|DF|#r*_MlF5g(72O*=RASQ^c@P(JPT8l8rMt!}k1SR0o<(c^V}m zgStieY`#4cO7V#;F*MJ_W$p_lecA~;2)_S=1mC;v158we`6s*#Zf`!%RakHMuT5*X zf9tGqR-f>s&48cfnAaHlb81?5otK^0Cprk)Nh2=Sj88#)Aj( zcbc%uc`n99qJ%*Ko~APA$nnh!6tkG7H>-HfHmpFtv8LZ_quYVy+;`-^o8#=0_|29$ z&VS60-+Tkg-AM4Bq-F2QKZ1S_RY=+8HQ*e+BC_Ct|gvk_NQ))wS}u*eeDZjX7K zux@{EFX#lFpnJI684Mnz#gG1}$bT9Els+4tEmSTu5#0XX^`CaT{Xws4|LgBP#D9H~ zk7-H4(}-<~f80yDG{s>X=~!)SvCXE3r~C!a`HMKSsYcLN?dc!dZOwyDp=29R^FQdn zNa1^SCL_Vz%WRXv)KZNHyoKqUXlxV_i=ZR!2xJ6{Ue*Y7Ezy zt-)YtD8^?poiLsxAV6W-C^SvbzlEX9p#MoOVSvYOCXdm?89ZvYpFMhtQ)1V8w`BVL zMsGuZIpuNsjOq2;oVf2d^d)QKJU8^Kn&>?>hRlq`QTYkrQ{}I=pFMiIjiB{EVBmje zj~yP@b(K3(-;k#o{y{ z?66;deY#x&Ms_!xY{2CxP#_Ic}Y00H+$VVH~Jgxrt?3Z8GhG%xe zY(^PeX|k2BI4jOyy^rTFiY!hiKbMyu0givibJoZmcg!h0C4_4oio@z3n7XSZ!Qk15 zxg%tE6Iv|_Xf|($a(}Ndlzo;th}E%JsV(2P%5VNzF&l}j#l98n@OxIId7RwOGVeLh z6kxs`pP1j^TlKFv&9^G8{p@uwM(z4;{PIh~Oxdr$x-H6iF53KtXM*y_J4jR0Rd0X# z&hfJcF7&{KJ`WdyFSfVYCA5uPnBV~(0cFFMiz?4}E+z~3DicwWMm!A{SW3b4odvRh z`n01C4M@G5`uN?@qdyl@ejUr~Stg4#x{#wdeY#!x!9Nd^bl=ZK7K$|I6Y(+=;&RSI z@pQZV2p!5U=2=g}cYif+)0airwzq#@%8UsfPFabrZGzoxt7STY;*omxV7ufkJDqi? z;W7!tjkXNfeR4(xX}#D%^^T<~*@rUQ71(AwObV5Ytct+y`#OIpBXpQarOrftBeVCH z=3*^F?IkGQ3}Ok6H{tpURGeIMeOlG4QG%R^G!|)&w6gbfyYzSc@mZW+&Ut?(kVuK_ z$ z_Zv`)zSaEpgJ|#|8hkCH0jL0)HARZ?2(-=q5B#D{R6W;KRWvk>PtsyYj3M-sIM# z{Z~w|WoxX=)-c9Sq?~A6LM?n_>w{lyU-y37+imPdzTqtS><4&+DQkZrSZ4kvm;H0D zy=;nokbcUu_`Rf`-%Ff<_|1YR)jh9$UkBDit@3Q)iIx7N`L+71bxbp0>OV9HNo2xKFxkhAiB zECB>GZrLDpMs*rJGba@$vWVr zqB!5H5fXSGt`rg=>*Ueff#?!O~JbpHkO&q3*`f##cVFF1Ox!{odPR$%NY% zO({x`_=I~sFdK0tA|_KyPQoM>X>Ka^0W3Bzvbj`3IlX_;D$jTBww=lH?OrnTh8=W2 ze#(QWhd}-o8u~Fw*@xTyev8fTE4lB{C^)#Xt6vNe6#CpDy53tp&$V(sW zHf|dp>^2`Us&-wncsB=sFjzhy{#S(f&@=A7S@0Wm+5f4(L<+cHV4=1?p>m&>42V|# z3h=1%RPBEhVlZIki_-SmF99fd;_0^gWt9^Soq4PT-G2@6OHV!BCcoZkQp?1|E*t-8 zq>4#tnN=&$T85ovwwjVb>>eAJ#|-ETNLQf001!Ba{_DP7MM#Abukw6ewOQ)#JUsiw zY9Pxw?p0bre)0oUzF%#e(7kbmw&^lvRDboO)qj6lZ9paU2{#Q^`o#}a{(7}R-p|yf z$gV|p8AswI4YLJwocyy`oR*RHt_S@T?tE(H8U0x-F6_l9&A|Oo8qt5d@(9OzV)BiQ zM0E)NOKA-9^(yq^e~9tFP~tojDxRcqI)VKtePeGcd8TYx<#~~bx@EQbCubyWcxxqt z?NWbp?`pPJbIlW3L@zU$<}c)o$EhK>1ezVAps!=5K{N?rl?!R=e8t;V|^C#`5i$G>7DRMDOat#EO+g9asd6_-k*=-`dLOeYj|b3L^Il~ zMbOCvITjjRHDC&WY1|ITi$Lxupc;6q_N)sX^(hCuq#vynq2?jq7oFyM{j9$wrB|)} ziU7M)M_GB4it4k9YO`EBS#Q*;0l4cx0nef<_Gj^q%un{uT4r5tH? zr)1}0ZC7t}Mf@oXM-Rf#gD~`Q9b5OY5)$j({Nn>dS%IN^G-mRQJ#dmw#Yq@rjm+e8 zSKR!vK8^KXV=S32vUZ$~W$zdP$&URfAXGXm1miUysOy-PGg*t6J&MYpVDF_ zAe=|4N;|G|IG z{eKdUQa{JlZ2Tl+EZqOUf3y4JYqS3253hdwPyL^7@^9lisKjvLXX8?7106*EC@UQt zHr@|D)xA59{&`&YV)|!q@QHjX(-w&SfA^R->+}bWlas^te&gL?tL_bs8w0OY+CS}f zTgUyu$5yx3?i|<4yQR{v-NwmDt2^lJciSiZLI2Z9YtTJ8YPR0hJ^EkI*{0dq|E1L( z?01e%I=xoiqo3JFuT<)_j(hEX`(tbHOY76%W8?6Y;4#Q>oP~LKjR#lwZZHmme*njW z0YPp9(e#2m!R{5l%SydZJ?P*2(CD_BgP#w&o%g5RL+Z-MLG`~c(`0m-MxNQS*V;er zw)>w3KX=;4zqCGy9vLf+RQ>NHjDNv*#XXN2y?(3f>??{Sk%{Wvk2}rQpxqRGK;MUf zHO$YAkBtwVqn4bCf9-!rCfEkqe{A#{?;5=p5MH#`>?RAm)`yaRaMJ1Z-*;QRx+jgJ z;*QO3`(vwX4;Q52HBO8Bsmmie%^XW4d-Ph}Kc@_1>$t(&G^WQ+iPzW;46Eus%oL~Ye--zZ6BaCJl4$#FN3gavsjdLj8 zgHzI+W{l-mL;jE`BUWt!f6mx6oAgZ>Md*Shn!UI~+T2SUtJ027S7E|#>OCrN~hgqVtgxNc&_lh;RxdKVU_MvJzlOh92}j_4=)&!KcO% z5e8Yf!&BN2O*#N|NK|L_ifBLiE7g|tcd8!E7VYC+zj1ij>at;ke{X}0RN6rAqvXPm z$SP;KALkie#xO<~vkXcgp(q)J!xBsvG+VFVIBqr$JI5_Z(-#MRl*HImS}^Vd64gCI z2=!O4Na`L}9DqpcHYcJRZG{;*GHiN~K1(-#%#U_dDHB{MUwBwCd-B zqkaCv5iQ__$ayeLBCphJ_xj!TyVHKVbIcnx!z@q3iy1kvd8NO18v^d%Q~yq#%zo#% z-)J9`J%#T-=5&-MxL`_3lT=Kr+iJG80a6@<8Cl6j0C}H%e+0$U5zFg>F7RcNV&qf# zruDTm6y_+*&@>?yN)ltDZqgJF^N8pXnn-$>VjP!9uK|Nq->LpUSf(?jF91>;K?43f z0j5Fpekw`tWM1QwZs+Kv54<;Mw!4GF&VGZ?wC-ug-zM+rm59tcnoAKPLk)s3Eigzv zG+M{R6g2FTf3eSw%O1z6(QFR-9WFG4IiR99Irjn`WB7}p=hGTJWS)MEc#3GD!I^^n z3&q_8D-j?2Ug=}wu-&ApvS&3d3v1Uam5y4yUgNzKJ+4&hUVn^{fQp8G%s(L?m34s< z!u%2?Da?*EXYVA;`3#fE)X&3<2p59+9B(PDgr?X-e~?^duU5OcxuKS7b(l=R5gyHO zJjAsi%%+ilR|C7YMzd}Ip^JZ;g(_DE8MtwH>vEvpZ``w}F@%%aDAMf&!fTVU(4+Cr5*3>zxEbY~w+*b;O5QDnnyy&2~r)nYIduyBe z!DtFyQIWPAwQl{%G{SZGbx0t3<&$owdAi?+f6d)PVXTEpmaUCu+loMS!1w+;xESs! zB}i+vKetbaPUyCJy|;URKIwG(Z);YaMgH%npL8tbcDCB^OGjo!EeAuoC;lbNqDd0q zdO!_@#n{;U=Tj0TPVv_86J)kREd!#*r(k?4{e}>1kxlk5BeQ_guqW^AnE*IB|xS)pQUt!%doU?kXag4 z5yNc{ojEW*_e%3pxAngD_kVd2tG-Yrs`}z9%2f4*DMHJJdpe=1zR+Z3*}#vGis}m{ z1PjIxY%h519}X`1TqbPP>UKNbfm`3Vf8%RE3hnKNh=H&hW%Kd^zl~SgIPUaYd#DYD zaL8*!f-Or;71&lH{{lx<)C=Pw-Df5^%lr{W6aS7JnyFil$n$CUkU+YMlbhJyaD?~7 zk}lym(I+4~Eb}FOjrL(r zH{_gTTwv5WT%1l2LP@wfEOVQZ!@YAjDWS}Tx{~9y2n9tpTqx*5S=ee)SN$9&N-8NvfU+^8eOp^&}1d}jEZ_#OnQ*`9V{s>Oz=q>8uoM^;Mp3o)M z90nzv{JxM}>?+G3meP@vh+3WUhku;;mH%l}{%fc5r}O*WH!tVJs?co;*_hiC61~y} z;vPi7vfO_j#)L-Ht;Jz2fADZ~9``#E%qPo&8OD{xfa`74Cv$c!kpn*>#f)Z!erw`()Xa!s&tuLH8w>5UPl>`&xeJf1#!>MpR-!%!pa# zM^SQB;TBKh>T!O_Vv>1em zu=v3gVg8E{P0{in;3NDCoEi4+cV5oVKuC99e(w@e(M<@c!~ky48DkTAvA}>NMziTC z^#e@Q#_7rXZleioe@z1g=D>Pz<#mChgv>vT5joXa6V3G*~a7=r>QWl1y2jcIXXS;w@(gR zgOm4z-u{Oc=#B^z^E1QwY-*i$;B=o2$9Uo+KSKe|hG}>~e=m>Lbi*D`Zz-~bP zAZ|cPgAvY;U>==WKAq*A^rN4K{zZf#)@y5@hpnatGCa0(U&h`)bd|E;ix%7UYUOHp?V#8J03bW zT{J3s2Vjvf79be9FeCpgn$^AXmfCjPTja30_9F*~&*gg+#9aEDzM~!|tBdV$vIkS= z*9?PrGe?)9oMn=tYsMVT8P7pxyR8Gkp_4EhRxhJue-viPWe#k5;b-Go9!>|tBudh3 z;K#v$ZU;nLm4^Ef_S3re8K3P;ywdO;y!ZT!&tCuWryqWL^C$9M7YEH*6v5ZKKfT^1 z-+jVF=kl*!vu5woa5TnW2S!A)y< z*ORWSe=_-wJFwcv2Oa5B;lanWHFJ z^V(!y3yBpey%tPP>-N;-%>dMe>jKxXPa1_RV#PzaQ zX5KwsaWKvD{js0c%UfXRc;$Pe%ihl3?%YFPkbiT9Hd)|3%9Gi2iqoy~&NiBFZtLnE z=bcMApapQ31rM_U1rBAst4FCp%&u&Thsckz1ZDmmTy^Ed0Lo~9%>_mgzRW9m8crrS ze*hyOXXVx7B$rz?*;tcV3OrgxzhV?5ME|8w?H4?2;Uvtf3Q>ExKfLOv{!r3Y%Js9# z>z#~>H(A%+z49x%s&iFh`r{P)fulR=H}S*R?7)KB`*&0Kpg+hlvoVe$G3Ev!irP&+ zaeoRS+eDY=2@6ZgRMbfOcC!FC3N%Vaf2y{mYvyUqx#;uXXfL9GH5=OObq_jvUfz`w zVuGQoANV=uRj_Z8^eRI^czKCa9Ou!UOksXA#`%~WJ-`Hfe|%bd*K3x-Y(V-Cve|T+ zq&W`iJ0$>Esj%0(PV>R;wo7c$_s6GPQp#47ZEe}Z2|2q@rh;^^b$jJ|3T7@%e~^Mp zqVg8SbB6x#?4bXwUw!ua_`j&6;V8q)+wbh`u=bZBrKW0C0`IU;HM(7AwQL&3F-~ix z0r_idyF@W(U)R0bm(QOo@IQ2^ZpLAR(H{IABy^}GMIjNie`feMw1a;9r}`_>?x*e< z;JtDvl!9!5W8{6_+1-)fXA#Czf3(X0##sI_FO{-!a?_*m1j#p0FZa_NWSjj)k%jr8 z=d96@e}$1xL-tL=Mbvjg!Smxi zB;|`w zYr#p11soAw9p`B470TE>M3^DwHxBa*N0&5Efh-G}O}S@-n%~*Bl!&r2D5{Kdv};L( zMI!Y4t(z*m$BiH6thwG=e-Q_AENU6&7X7AE8uPoJY4DWqUsXI}+ITE^hr9{i?;Q7A zfA8Cp&3>qtw}#-u7s5$-(mnzhfDb$G2k%-R8Xw!8F2o!iwfYTv7zZG)yk%Ly)Jogd zeqk3$W!8@!TQqe;Y0ztRKeqQpcsHmK&uG){Huh;;x%JD3ZmZF(e|u#6lfM~_7_|n6 z?cL5k?3qt8X* zPrs<5UuhKbFoB2#e-y@-VI1ZdMM*NPqSFjh^`0jvz!$R-Y?=M!AdH;nit_!g5HtBx z?x!ORVcd0xRCHU-c9*PH=a{Ro_5rh`BaFg~OlIn584g||{~}3qL(U}l)lSp^UD}%$ znCSa-MkbH0ae9$t7)_FZMsUC%VMb?9&f8IPgHsC;uYCWpf7N~0>9q#zyzpHe33oX< zN6()Zwt`C2i<`jc_Uzcuq#?CW;J8I#efeVi(rX_cezGALG*alq_1p&9Pchw2_==D{ z7X=B1l>wKy=Ij7#Q7+1S;i}Lf@?RvsagzLd-u2;o!^5Yw6cFdR>k0KNHs zXEmU#*I_c^f2WnqFtIS;DT&AX{ zDFN56h`jP&7jA$n&WsKq+>^5FCoQ^tkp=s}Xwp{7sQE<{rDRPn?VlfAg*8)JoGtva%aj4Jx=@JPQ;i za9X!vjvfmPCPe`461X>h8m|TN*GBi)Mh}h^>wr1#^jkKV3!fPJaGnvs@-UAu_rw!n zmIvqxCa0&@ug`WT<$Gv1hmSiGdCFG6(yOCY0l!%C5Ah+ug#t%CoOf}63=1iYr?b4S`(G*;eTId8O%@(n%s;c0FU<*{_bJBl zdZ1nvfTAAx^4MFvb@t_OFocbRtBnR4SiiPcEFWQQd1t(Yc^E0aO;$ zZ7fdqlPH;`>_<&9j3p#6<{K;iL+zuJPPgAUf9|7IyOi%aGA5s}u{jqlZMf=)5BTRC zTP{W`mR`<{ey7<18yop_O~CdY`q6L}5!)}q@hBf7me1LbqC1o&)WMK}%Z4<^aX^j@ zSICdTE9_XDrBbxkKi8z(jKxg4difQ6R8(`Jyq8%Y#jgqP0^th#290qv&Co1EDNpIo zf1TVncr!q8l1_j~*tfhW+P5 zazhY%34PQsksFNudzR&7ifH2BUBH9bf6G|}E=A^KB?m}yxT50)@Srxw%<|`$K7aF1 zv=zo#j{N{7m+Fyq0q>|85J#74N7t~ z7c$!tjNXuuV6xzo!nb&c-n>=3RD6iTWRw|)W7THg5Z5@AH`$lshWP%H9hWpGf0@>m z7~Wx8FK-1QeP!U4NhfccH`5Mbm-g{%1FXL@R0&7}3XTssxeCG*Ri;S%K)(H~^xI9Ow%N$?D7x_m z#mNnVx=$%b|%+zO0bpD`8y8$GDRD6I{u|iH0N` zLEoacTRFz4;>#7=W;cstJiH<+>Z4J3jUm#IJx|Z5+nT4kKv|x`7;|3IA?c3YD}1Nh2x8v9;Jd8u@mSk0G$QlM6~6nD zCs&v`D-CxML(%P%VAmB6e-|qFeTIHU##F9fDKK*4N1JDRaLc-PzDfRu4&?7wQd3A@ zB}BK}t3b(_?*F0ky*9ZyItRy)kO`?7cKKOtUMh`nenJlPB1))p`3t@?9s;R!H>fMD zKS`!5d}kAh#c_oh@`w2hwm5JavRBNEFW}N!_!vP6Ge6{rFezL#e++%HWzAxIJEgjr zZ=mevfikG>`l!UnD~ilfCd4w5mtV0dt;(ZiM?x8!V?EBYs>Kkavf2plE2uu)r&{hX z5xx?I6MsG!@OZ=zouk%bPZ>LvJ6x(39C*tbC8HYCvDGLUQFMihU(n0bd~I?=(VTh~ zrVn%Bt?8!&wMfI_f9Rgi?#zk4-h|W*8S+z%rs0%t_lmE(oueU9sl>|F-rvd~D)4jX zIGuzsI657%3*_hnuuB`lEJN6 zi&4KT^-}85c1F90MB9B=5N!u877w<35s3!3sW9Fre-eGbf6)}DRn)r*rx3MC$iXQA zkCF|2yQ2xPfjiG6Fcd;W{VjuDtFL2z|EY0wNJWo&)#YbR|*PLaU>SUQeErf~+4_o9-bD2(w> zYD58ZJ#RkCe?G^XunUGUvHae?)s%o@1EUSpggY(%IE&2GkMD8_My;R;B;ZkxN-T>8 zQX&pEHc*p2%fs*Xz2aU5UspoV`C;#y{rG)Jt>+#y}9_H?O$Y#$}oE91qB_sCr zD~}&B*%(5eX7~QF~fl&Wze2_!|PU{}~7}y#F_bD zP03P+NnGWYqfj^o;+ zfAqrt!ABP!@?QO*4wHrdgFBpC)e(*a>A5(t%u`V^0=U>PYUzUj#^dK?+dM0CNjMk$ z-UtGtA2EZtJ4MRRK6j#SF@<{AdEf2y8~xUP=lGz+$6+#C7OX{&9buM*@hG{1PYm0# zK~dV#Tu=BmPV(>)Po_BqmqY&oREG@d)@fCrU1f5uv~MnYu7h<=Lmo zvq|L{&CLPj?#lO)`18`dq|b00DGt5zy+RXWyCC`vJsYXwMs!@ll}9^!ch~bL_%ySE z0IB6eelWEZjkklJ+Rb`-D-2L&w(V|k>`yRn5^pQpW?6$m1gb1Y~dMckY@I{j5WRg-2ctADRq|lORm8~!t zFgJ1w&QEA_m?m-VUuqk2pw5jim7eCQ$#ZSJ8Bh-JS>G8T6Pf5M8&>WVve z@Ow5T5JkOtkYGAH@CsC^Of1+Nw7LJpvcfY4>*7grjrHfw#h`~vpA+VTo7eVqtJ=q zk>+r(N1DnfEz>l-4kJ8b`x=Yw(XprIPMp|+vc;4Yszf%+DCeo4_%5YV(A!2|kN{xz zuGoHWb+q+>E1G^|197V!D=SZI6QAov(&)esBhqA;#5DP1Moz|Le_eQ|5S(oMw&{XD z(}nBCWCH$%EQv{{6F>DQIL9f4QQqBy3taw8KlUeZiZ8#?zaJ;``zD^^ILJ^EqY-3_ z-9s@sw`^>n($3N>iq*7wSdEctbPWFgz(CD?wC#MyZyyjPH0;0U7!mh#q& z&~BSX;ri)K7%%WW9x4c#X8PFYVaYfav%oxnhgev?>=v^g~4pI`~O*lxqo=F|cU zq)Ivo6$3#(bgxf{fjCPuGI@GiLS1Lz-ff0t-_!;n`#hy2`HPXzQ;n4Jy-Jw5)8Hrs zPv-CqhM<>Sf8S)7n(&`I$#{=nLCz)~`UV8h*wLd$0!66S8jVeza58<4Ag|_5ifRkIx!I+9=}2bM{bv7uR)Pz zBa^fK)SqRzb&H2H%@SG=*Iw}4McGFoQZ&W>)kzY@e@gT!GLmk{Htx4CW`2Wrq&^AUX{rn(pp?fGQap zj+1a`JSO&3&&tNbk7!oM_1rOQ8bS=TPX{~@NIV|4DED^NxOOz**p`X*(5PDHO!e&&c&(0AwR^SC9 zn{}tkO9)vKn+Xl-;BTk%1RBB(atSQ-K8&gae;KSNOoGMO#rk@e^Y*-pa!RgsO@pZ0by5TWKHn`juCI+9i{{3~zCuF8-p|x9jm( z5x}DsltSQ%B0&u>_Xzq#gPNo^2s8HZHiMLnNEFX5g;|%{Zf*FjAu5I%*CwDwcI)LW zs+O|f&?Ze*`1#A#>;g}dAlpQ>X_^dcf4j9I7*EWBRsPGi3FnmtM<6305LvHHk{Q{i zFB1a}+y5v+M1@1JCjI*dQ#ur`LV>C?(XdDusS!Q>rvNudKSU*xvJ9RH8ISJL4%o~3Y`6H;KWg3z98mPJYR@?jqo~+VA zJ~`B!Hd5tUzoDiK^c~tlWl91ve+s*PL)%5scs<(Gj{`;|B2?0Q2pWRX+cKzj9pkId zx91M_gxmQEHB*o$DDSaA%mXk5zAr^q);$6h zLQpA~Ig%)DYie4zVZJdcn(ZUlJd;QBh^6x#h1WP{jIKPDfaudK4`XTye~BNs!NauX zO&C$kE@nB6IXmw3kyr|-c_*RppftL>1#~AgFG#s0X2(f~!!e{X9qJ-UFx3T869zJU zvZK7-s|bOZdm5*KY-Q_78@iS z=I6N&X?aY3FaWUn4QS8&f&L>4R>QY>>JO-e?Q8|BXw*JZDs_;9jI$rSVbZ|Y=zprW zlgQb_BKMN^2Jsi;STwjbD1Bm6qia>0YmJQ&88epeO(64<)=l+&e<|;>bZFkT?l|BA zr##crvSz?I9ytaM6dh~sI7G-4FM$ZJy9~+yQaywa^%L%)U)#sc&aXZ67xL}CIDbw2 zTa-+3%#;-*&m|w(btb04(d-csjYlhiRdae6PKYWoOtMKBANjYPDUNBNRQY~)uk!lU z&d$!<+3JLkQ!n4Yf7+|;?!5Y5ZJ6PlzZH7DS0RdC{grHjVLUp@Mh8jC$NRppg*w&` z^8NsBWq=}(`%5Q=qyr=z%yc(AjhN9VyfuTCs1ob>0`_TRlj30}B5zbU$}y^Z@A!QV z0S~hn#=?Q3|6IUOCCbUptuIbtPMLd7c83*1{)riqwg%9-f2Ta(6yXchTsiV@Q9PSm z(A<~`5nM80(!pde<)=ro*i2_J0r>Y| zGj;G{R#RF%e<`~OxQ}AFd8s6}tjy5e{&d>(b06Lq>n|?B-$laGySwFg4zs z{H0=U-FAQ-%-Xu;NvI7n2b#qlklI7Cqt-!vEGQuBN2LQljHq{uQN{s^aUOq%Q_69c zcd;M*N^F`FoU&?dmK_m<=^#%AU}_lo>j?sNc&jB?irC+3k2#f31=mfZ!KQErO77D3 zc7o`De?HdNd)CM=m8nEs1ZP6!ZxKBmUb5_YILjeKSU{YkT{FbbdTL97WwYTB;{XR$ z)WIz@*ida5qONLf+cC#5&j4r%O`aE|JAkc%}Q zUz=AyG#v+_r_=~zKLeW7XyJ8bU1($q+a_lje@=n z?uBGf(rE7Kb}VNTNgxxsB?N=3^YT3%NIA2AhYCg47{PRDF5nG*g-o4iPVNwQcKLuP z+!=-DZY_}N3x-g_pxYARAn!$;)Z@ho5_ zfBBo8Ru5b@5Fk2DlPOM@E`kkI5XAB8Q8I(;RLKJqNY>(C<8@a4tB^$zisnKVz3_vT zFcde!6v-2#iwW9KF&ZUFz%D0F^DqkYJMLVQTbWwX44gBn8xJ0Z4#&w&j4rXC!?jRW zDvV<#)6EFO&!lhB8l~h6UF{}`s_ejje|Q6xaG>@SL5yYWU>-gm+j-_&_b8!n#tDzFAv1+iZyb{?>=6D~*F4OpNf!Ab*{Sc+iX3K*KpQ|Zh9Bo=KzVDL5?;-Xan=16_ny^;)n z72(u;_p}oizjX!Z^|uuuc?LAof5fDEWH}GC31gm+x*jK7;j+?1&M*KJ#@ERe4ydj? zD>KL}gq9!2*th&Brug~!82q(kp5w_BEF1N>A^Jme^~fS27hdmBAc3?Y&SbZ9&k$V* zpVq>NWbE>5GbkCJE}XWTwf8hwnkTTPTLy&r%2$i(Wh0ODV;&dwt%&-we>3v5{4@$_ zhPE(+mpbSMn1^llgq}D+yDS9a5>9MYbe!CfkC4{v#!us{iWH#E_?p6zh%Ix0X=N6A z!z3ptf-NA5hK#HXLyIDZ>=w(9ZfL!j2^P6qU=*L{8G)!2{;-V)cS5X0oWvEPm0+b_ zYC#47Tg(%MmkI(IEy<^we;IxlWoRo)2xJ!7<3nsXM1F`zQI}D2lS$K&KIw*ds%#ui zkCRwz8pz|!UmVM6Mwo)n9fGrxOGS9-GhPZ}PXw=PcF=~%w8Se-=LxF=#P0x!kceva zKwf~Puy&M;xU|#lNmT%{xEaf0HIf0Kb@2$V==DR7oM^L*X!tu7e7yF5QwsWbt#WF5lPFVEu%HPvpbPO~V zWbe#UJ9%Pia);v|RMHl0b#z$dqb#{3)=Ye5&|>NQ*?sJxp^vQ;PjEX$AlA!UM5xJF zEMP!%v(HlSpil(Pf89->m%7R{pC41~XZ#k7j5AlN_EDdOMO1O!4)an(sY4Tof9b6X@>TrH?!t!dXIVKH zD||;9KhDK)F|0B0CA$(XDd~zUsM$H*?4w4ri4HsO-?xw78!68y%M)mBp1%~44H~

AqA8f zx=A2O#3|6lSrW0g(LA}*nv=%Ye#GnIn$xA}fz9om=Q-!8exQ!4SH7pM=U)AD`QGEn z&RKjQw1J7xA9>q3+l#>g!Tp%7AJ^eL+>)n67~v~ps~>Bq2`Tb8G-4Jhqh)JOV`Q^o`*?{W@)sI z;Dv8CO^5{{=9`Ct1GUdaJ|LfAzR(MSb*OVwy$7SmMM_A&md5tTa5= zR^p8%FB(e-TsO^aiVVrZ3rvmkm7x6j5d%Jtp;%4a3TG*nU@`M7NvAA-@w02GY zlk%32Cb@*XMskQ|NDr#C9yQ>33H7l!ZmJW9P>_7tKB6uk8uDXH4zo<#Q(OzV)mD zH#+ZvEiU)dC)wcyoCOcZNC9>Cp<2{1K<>|5bX`wcA_PiMf8nlTY)6 zH0|YnKFbJ;T+(1&gyS8t3uf@EQ74inf36fD*nk`q8_|cH4F%78Rjl13hcV8TSB>Q3 z8?#!ahQ^{mE;15opXhmNQflo6b}$x>+(bMKbQ>H+ILC_h3yNoKBq88S}N925i%sM?xM`CB+ze<(dj z@^z1WE*)c3A0qfE1j@Dx(7PlAQ?bj~%Q` z97S*=s#;>I!=S+Cdbyf^C`<+yB1hwTHkIu`vZ|AC55uD8pgbRn>~Jp0vgk!9nOi@E zZ3zk@|H0!qA1lv3RGuAGp7oeyf5^CdhOcx+Rp~g@@;wK~W_O1(^aXvUuYq)j&%F*$ z94V+j^nj*`kVBlqTyQ`ZIg<`h(fwRJqclsHK=qR38mE_0a${64`F`is>p#BUsg0AH zN}g1P$z6Vnl`yUZNnQ~_0KCR}h33d4zhC&-n1K3W=gkirf9$`dFdNWt zRlyHKKf}l?ziae93_iBHy>{o=L!n&I*VWzXi)~G9o;3RXR`+vVk=LPA4Mp_J|zByYthsX;W!C>vj>=)X*e;=z-wR0 zLCX`0h*2e`XgKy$e@HeQXiEFtU;F6>{m-*!XWyOeLEF9a^A~e(Zom}SuLATLgT3)W zg(`r`J@r~x$2p!%f0Gnal<_he{5fRGZ>7Qck zo0b*#fG_*_HXlsF5zSpO7$=E!*_PrFzP0@Z^d|wtywkX(iA7#J{k4iiUzUto=&ZH( z#&xo_WH=x;=H@1p#>;Budu38{_$VeauX)OoHgT^lbia)xY2h?`E}s)D$98y4IGE5va57I(~(r=xT+@fJrxH z5OYa*RXJl#(o9|o=qbi9IiHK)UhBWXfh$Q_T9TTUj${Uha-~k+It!zAmcAWUg9Uv7 zQhHhWUZ5~1v=FnH>%XXz(0*d)W^I+e?a~M!peD};Mz{&4r8!8U?rAejUBwi|kE>Pqv+o&s_K`F2O+%>ip9%;-Be!;Q`Y#YcqUpy zjiPgYQ4B8jW=IUQ3q3FCVf*;>?}KK$*YCF9f1N^NG*O|+zrqMo!137QBt`&Fa9Lbm}N6uRW3)KV2~fpL0pp=;y6#T6^Gi#ao*{Ad&Rz@{ z)nVjHb7JNa$CR_3x%wzY14vi+kE&?rDm?@E+?l&Sq0$CE);ddP>n&e?YT1 z)v<8^EO?U+j~By0`IWvqH0x%X?L<*p_*EOgVdcqt?sk0bM_~XwH5A1Qc%9`VTJ6oM zVd6O^MW0$~sEaUe^=tKj1YZoqgH3jbiWAQ+2*Fc2sqcFd?za)Z&*jtNGi&5?&g;Bb zg!ZFZg($D94=)Hy1f7k8LPT6yH4c+-RavZ;0-Dl|8sJOen5^Uae`mmgc zgJYTaue;}S-3@Wix-)qYpXI0!M^2dSOuTYY+gqfi9SQ|X2HQ`<41#s4{8CkdIJXqo znFF&u*XZX3*)o@Ar*La;0CGT$zsT9Esc(9pUt=1vf{r`K@~QUIt8=PvMVfQ=%73lG zrjVgsLzScDx}3j5`Kp?{wBTKx(CbU|_BtxtaY1V)gS2%o(YFp&tE*QD;9KfeMW4VAp8MdrjkR@SFo-Aw+Q2Z1n`>( zV5Pf`3@&ZGni%qA`e7O%>K0^MmGJ5q6~IoCEFY!C;=))TvX4=k%16IRiu^1KN3ruU zwkZvqdpUo@?=0>4-wp@OM!zxWb~^osv%Kr=dIqNoAPb)=WKUS9C<1qXxqq;=UPl^W zPasiH4mOOl|2f06iXc%S4xnNJK}uk`#2J@)2a z)9}S}qHltAkbCAA=Pa**_k{d>JPPC6--nrLivF+9$1ueQGqHi?I{a&PU6pmMAqyGS zMoxSw8C5BTuriz4s8bGAV1MuFkiQ0Vwjw{v!(k6%4SpXcZ5=jx{r3JhU{h_f4`x>j z-*p()?z}3?+C7)3S{I(=YgNOpt6N>@Q?^x9>ep1JT^xkJlVw0lntXjOg(*ImI}I$? z;Z3vas+?&JS;&$$a^g$LliKIi*wV(FGNl4)Py6&WSo0`}N6GKQntxDUr}^$1Fegm% z!OUslxej~UomXX0yJsy*MwugJ?n9)|$6-aldQ!{A-2(wa=^Zzl$_f0u*3- z+NZCgoc)W7FhBa+@1&o3QK@gBqS-_ruB9zp*HYAW@0E46W8h+S?ZQ(1UQyb{S1amm z*F>1=)&TCAU+C0^Tpd=*6YaQ$#)c|ms;TbUam#e{G6ZSM1;!6h%8Glyb{R66>3dHB1vlr!i zL9BW8McG5534^JnCx^>%9zXLJREaU#K}yCUjJ(gWF^D>X{D~Knc>C5K5e87h%D*f} z{L31nei{Abm?vfO9?m6SCvkMA*5Jx;&b+FelW7UAGz^S{Tu;Q(|6y92Y4=vD=pYFz93QejmT-d@ch4NzLvNqI zQ7=3}iTgBDC#|I`3$BtqI^N9n4Vmcg!!X8%$|e8?c{1>Wz*YQ_Rbt@G&2rtRcP!J4 z9|RPI@-F!ZS#_SjkqbBUb8!U#phO0q$^r7q%HSTV+<*M0cjl}9T^;QpSCj`JL*`^u z4Th&5{K=Ug1UN9z5?rHV0KB1~YV67~Nhn({ZCY$;kW5ukoG8d=Np-g9Tl^`v)V7&b zLU_uLk)Nji9ol*o2TGID2HI8oAdkYz6G))pl{S#p0eQrBqoAP3GrW=sV^P?4>Sr19 z`I{NIN`J%tkmvoeGnJDOSPi^AkzlSxD~TiT&O_cE`h;S1?3K)4&HQM93;WS5d_#U} z5UlH4seeSKvMUksMqxneD1SJ_)BL4l zsWQ_0b!ztxGn(HTU;49%14CPRLdN7qJp|@t;ba=olFb>;P%9=psIUOq9O3*l!|6VS z;WbiPV*e6jcw!pOhF5ogK_|2L>O0_#7=1#=xQM6+VK$BYJDuYgLG^8%5oo~RG0T(?Cgb1H z{cRTKP#x5ehB9sBiN7*W%g;_{&^xk=BW-;0S{`K+6GX$F9-_ zPkWu>-)3P-PFQ|E&d4+x(<#lEOtEK?^v!m+E^Awsced3ZKXi^-b+5cN4DHslSM-UO@`X5-`pAbbBD+VTBAO>csK0=oazKA~xey#EQOUWq?bpkED> z$u!BZSNhO8JYwICaWwHt-4p&fold+`v-OUBq`|*lsYDZ9(o*-X)TnA&RPjE6Erwa% zht*zIgJxOkJ+jxa8qKT+u4=Q#7f^~19xlVO=D-_!<=M{$V)dy7r;Twm#c5Uw<1qg~|F*Vcs4@D< zpG34l-7DWSUYXa-AFJ6|Q?27L4Nm+tzk{M2yfUxoUac;B?_@t_(qPJWO@D{&cYi-R zd{xve3NLOa(W}};7}stmQ5423B_6Mw-y9sa-*p?^Ps<=gA#+Y@3`>j)gBI}YjVG8D zX$epmUnc0zpHQxrRiEwb*hjoiJHAW^T)H%h#X|X2kW&ou0Y?+ksY=Fiyh}W4zwb66 zTEF+H*KZvSJ~fUG2kqm7PJev`cmhoOxYutS9=5uqmk@dJW^^%*{}oQ35=9N18$+(T zRz$EneNq}~;M@puCAlJkO?>f`2x{Qm2y(T(B7*yLJ9tVYEs$9#_!<)#{YZ~+x(+4q^sLwVGiL3rvPhV$y?;`ksPzpr56nG> zE|Y`H+40}3+L>g3q-Qy(VO72_UJ0J}XoPb)Lw#Itaepl@HJ|i7H2By!JmpKIR-)%G zl`W1DG44G5GkBMNr4?Tbk_b^ttu>kEcYM-NicHLat?q(3C=uu~dy$Sq?<$-YAfPzT zEMBy1i;1W)!GG4v#eb5$p%q^vJ>FB`Bm{w>r7AufyA5VwwBqY9O=37Q81G;S?_@Yf z7x*$s6`zuL=%w?Q=(eV(StH4o!@t8HbF)>-=Af9 zGGWzfA^%a~@SVe^Lf+L@0ABx|A@;KlVd(-%HyJYmPr98Wa+qNtAVVw>z4>Y@p@~od z6L&iuIlxjbRwrb0vHC0JVhy^=#!rIHx-wOW&A-o*K2E^a5HjWc`3UDsUM%B!nJR^w z4o4H+_9$w#P=A)Winlp^9VurAd2X_JwQ808KRe5>PcxQVkJ>uugw}DSsanB?DBe8@ znR$D$YuQ$lC&Zx2sziciq1p*FkBp~p=Ce4!58KWeCpoPV{+rC6!oGq0DS3)E&-P~1 zDNgs!H_6{oazp=C(*JJj{3HQ+s*~ z{;}@8sekVNvAUx+n#Dc-c3Fp({aD}feyqN#?jZ8NyWX~uo64PVR3DVu@)oAxF0A0+ z&<<65PXcSVxGJ64B!CY^d{h-l4j@d*FEZ_sr6>?7*xfaZt99@>-ii(j$hJn|9`aGZ5{V{I%4vR)4ZVd$7=axS_38a zQ=##}a{4L^!Nq>dn$Na8%(I98%88#C6&8M8@mcM{k7JznazD+H*Tgv<<~UICu!et$ z!Z^%BAH4jN)l6D0366PM@WsqSZI0}9rDH%U6w1CX_vZrD=TdIF%aog@{bGEhR5;W0 zUVjn=%1_@LDiMMm+Ho@(UV-=d2iNa)ul%N1mDW{%Hm!W1>qfC5xsA9Y;iQf)1^ptc z*IrI~V8pflE>8hCQVE{VxlEYM~ucz<>3=ft2n(}y{i_dVQ`#xsmFL97~-C*rna zi+dsWEwqOI!+I;Ro-v{|+5(l2RPU;_HPREE^|cz~#yLt++Qw*#FA6OCA{No}zCXDv zJzR#?6h>DxTw3FGx7~Y^DrFy0o1>&n^NPow1 zA`BNgEtZJcqJ}at2Xx@fH9%`btr|v=p6bbUCS2XLFF5_s8zaj61#$Al*@oqJ*W9#$ z?{3CqcI|^+eY3vFLVHqlg}IA_=3M~nukam2H$Xon>genYeJ6jf|3CD3qxymnl?PkU zACxcT9gP5Tg$eRotdxQ1W%(oJIDd6R12{$UTB>b6==0~)O;*p-877}DQtV$9D+JmY z?x9Q}2$C41Kg$pe-C4o&A5mV5veoi8i;TPKvTyL`K!?dlsW3~wJWNJfdGrMuOy0v5 zdLiXqvh%9oG{b2l4&JB9YK2Hn8>ZfNo?}<1XxVRQ8ulgx@ zjE=r=I3Ly&&1qV2mAx4sO|F74MU|=Xo1xpke1Ea#x0Z5#c*KC~ zF8<+n_e=oA>%ez@hJ#MrjDMUkAi<>WJncr^3Y@c7h_e#UX+eK#hH98D^M6OrE_$qxxVPVJHTv!2 z_o&wgX>WcTY1V+r!t9ZpE~*BwR?@%080$8K*)V6IkNRi_{{s(t{WLC- z|7l;+FCBK3EBIOo%66QkN|s-Ak&D|7Fb-oFfFBPZ7Jq4M9(%O2hdd#<{7&p(L{>3M zM*GS1j@D_np7$`1x=x!Y86Am$bB#J=rt+uP+TyyMzSfVBvx;VD%5nONX)(33nYqF&%GL%xq00|u|VX-YJa3yv9F6Nmm+pjqego9AAwmITh4 zl*+xIpod^ZgTA_f1J%>qn+Eymk(-9KK}@dMow;*{D|7Jbm#i8ilNqUeyo~Es+L$GW z1Ai@7gHCJn-c6z~zGAeKZ=g%;hsP41Lg~#eXd%egi#+DKS48V72z)_nMp`!oF{)$> zG}Cf-w$95II1LzD4ox0t>DbD)#z)}|z99eR3RMogx`#IJr)e1HsJuJhWFz;WT<@yK@_(lo z`xT76f%-HuNu_LwoPoPIOQP!qmsTz=2cRxY-q4ID2t8Ow3v!XWICmqtgCuSH!xr5EK;P-iC#)OCfXk7~5oA^Chcu20Oa!;zXiJxJ zDJ0tkG3r}}a9TZ#K)k}BD7u%5bhcqeQ$%tf-5G~_&eMwUv*~J%r=oiFj)VhF#MHC{ z6tPPh(J1D0zLq1*RhOHP_6pN{i&{&R4KNELftsEDUs_#rYd{tV z4I7&8kyjr&O(R+#fAAqmu78k~AEOvABT(1)=vXzd!EW>FEOn(+;s2N>$8 zM?T3Vrz?*0i5nLgJg$U73w?Obqm4fJEl5Zfz{7I6t+G^vq!kmw6A?85zDw7w%VC)1 zb=L;$+I&^#l0Q{kCd=N5!wdn3DtH||k|a!L4P&FVzCwJl7Q<1aX0?8gl`rYJUne4bO5u_A8)Ul??u2 z21#6ToSPcd&;%MuwYF=o^~5Jz1^r)Zg~>l6|3wR|E%L;l7Oy3jFmZWZp7>M!J+UHV zZVnKa+p3|yY=QYd^NgaLp>+n;SknUKd_9DOsZGp%Iz`>+Uopo+7>g9D^j80+@fn3x zEYCcAPD`yAv43qjr?5Zt0Nr4}1eL zces{pOzh9>k^{2RMSe~M8M475;fn^Bne?a|zI;6hS-qNA=0IKO7}e)%MSa@dJ);A2 zQR=;nOn+2tP04B=itr%g#&?5CyC4(Pv^9!Q2ky`!oennIyb$>LDRJVr3n3+a{1&eH{-cr}t&$d<7at^%RtTA$g?Md={GG+1@X~oD-an!7aYrnY z?1@Fdx>fed_uun;$Bz~beoN#M4|()+i-?x~;(wQzIQA_*+lTC3>xE8>BQ}UB8T)txFve#)K(Qli%Ax$EMt@xi#3?E;T7Jo4zGbC+wKT!cL1@- zp;i=}%L32NiV3l9(5^M4D+t!6(IarNLuEA_iULkE+X8$960QjMZ;S>Div?zS2M%+_ zPu6y!Gn6a>bws~^wLYU6cL4jHlTWC8&wpXgRiFRLoaBOe)adU+fn5doicGN#MdgJk z+V33qTgQDj#;&D)65xCR!}vP6!h~xMW-&lqX$6H5@XBcf@MykumesbsR|`#Ed5ssk z&dc{?`~z^p&Z|;$EcTtdESf?`dZB@}be>ko+e%ERJ8K?9Oy^sg$AOgr^~p4Zl7C_j z4J8$r9|v4PDd{|t=^fKj{L!|_v~o4A+?kr=z{Ct zz|JqYQB(ZfPjG`KJqyd?<@5=y5Py=#{|Vkxe1tMcoe4dA%4x)~t$xYo6<$n=;e~oq zhiB^L>kaSPV;#D^;FMuG?7!hnBwJ{TpY!0ORn6qre{{k}$u%xCD%N@{0BsAe0N(i- zjzv(*qx}ecoCi7DN>V%oT3TU9aVTZeU>Vq{qg!r!rlrnpa>HOZZ)tUVeSfJVKpbyZ z^93~R$3_w_`xcqKQF@^F%sn+u)CV}x?CcpPNYR_WMY9Q2jG0UEuLCE?ld1NsMCt5q zxfB=v>h4In$5~=okwF(&Rq(TJcsWDKmYGq@_jUsjva?&?NE68TZK(-lw0}_S*-__X z%TD#P&ZO2iS^i@W{O_>`^ndN~-`5IoS^yiUpN11eGjjcc@96z;hDJEXv_AR_;wi`Y z7QKFjN_iSijznWq>+m1Qwp@_O?AlMYTscbjBnkxRdU@;5<$D$2TuB?YUC?WAh~rT{ z=4YSs{f7GMT)7!!CQJG9LbKl0h9`cCW7%9Wt?9Yj zX;vFYdo`qs9_@>xRFo(3V~n!dg_aah2#}FVc7YM*a2l>{@UFCB>#wpGoKF^GYd&nI ziij!1XGt$DiJKr*gY z&R0KR8B<=uSjF)>%WkkA7HX!X6|i0zs1=kIf6u}Qw8!JGMx_Z<&k7-*KgA4IQo$?Y zZw0C^aMGA}^?!N7qq*6P95L($A3I!A%TEr>%37kQmq$ONRg;j&oHZ<_R4g%F+yXRe z=MSET7QS~O2pisT}0vV1Nrh~+h`_w>W9xKt&PBq>@J>0{t%)r{xs2$MldC(4*vPb46q(T@ys)ql`OdLRqMQE>GV1UWswHGZl%EkRK% z^f$+m3+6Hef&G4$6*g7Czuam=3=}e4=(Jv(l68s5+BzARC>jT@>UA{e2-$mq^4%3z zVr!&aVg=~d$+N^V>$o!+UEzPD>`G)Nk4>yJ!ntA{D~WaFVv^7FP*p-|x~~F@-YysD z%zqcg6Y5x2Lt!eNA_^7`q?U(-`8nvOO!M5~VtG_<84HnB6U-1URPnSj;ZVODdjwC` zPp{b{bFE|#NywtevFqr#@Ki-`)Dp8~R#ukf$HB`79|g4}EM$zr1S~MdH_E*NMEQm( zSB&xg1v0H@Tf>UERSFK%u4i{tP5nN}SbtVsiT^8kP*kfy&w-+@mDTlMD({JQDJ-b^ zL@7_guaWU&1JUg?6B~#h2eLScvV*YGI$_seSf0a`th?21xOI&>e2~V>(%$7?{53|FAtbdTx zlV+peVkK;)8G?Ro_dlRtTAxtkxQPIRRUFkON)LT#pl=>a=k!gS+zwqNyBBNM-+fOo z(oNBjBDhU3GATyMs24`j9rBKFK28EuzCSoU-al>}wa#|V={cMBE-Vf#ezp>3!&e0n zF2`=A0hUG8)sf7bxu{N@;32C2HB5}JU`VYxoWX{o?63m0 zreq9W2OYJd?s`bAHvmt&_0Y-F%vbx`g?-(5goVbkp zquv8bz)lpbuXwn9xG-`D{%6T!7`DH--on`W%y z=U5C=P;p)=4I}Kwr_+uo>3>l8eAjHaAc}&D!wPn*1=K^H>pSIXt%b(Y$F*jU2U)QD zhpomjIz1s`i->5g8C+puvA)r|+}#23e_nZu{1^S<*{5fdXTh@%&yJYXs_M&GD3$%E z0_8clPl6JnJ((tH?#DUuUcf)pi2|tgK~T61M>9In4EZT$(dM%$Gk-p%0IE_>;i#x7 z_Tu8rbh#<+Q09f2pvZFlDt4#hSp5D!_UQk9d-OlH=>Hj8l)Vkra@#650SjlYKMyes z(zUe_1<%yX+Qojpg|Vt3={8!8CPl`py#A=WZ$t{#W5Jrs{tvTdYx+e>7~x`*w#b4N ziD(S%;2@lF;xR6a=zsH$MU44X&0FqIE}+h1tlX7AyNz9^M6sWj#RxyZy5*t3_BSre zcC`>;qy6KpTIFJRooW5AFl1?}x(AuAg|;X{ilQ)-7WWO;7dneYf0vTtJr=7d^lhEP z`rach*iARFb3a-stlPcCtrFj@UD#`v^Gv-EZ33^@zE1437=Pc?;3^XGwDJ`(G3<(! z_83PLf))9U;O$%Pr@0Ia5h~VvqR?-2`&yMC@ciRASl(C0w2(u|VXNP2qTcELeyi6z zI6XZ4@`TZZ$-luQ#o4W|Aq!>wC9oKd*qXQpi9F#mv~DNZwYd!+$W z;UJeB|8{(t5Pt>g?(A+$;f!#8k|x1yn7jMR-$i@oRVZxFeJKzo<%bG!X&5m(AgEEq z%42>#Zj#-+H{|c)XCiRIodbtS{P)zi#uOo(_%_VZ4$XPc zinCdYGc>`uPrVgkM(vfLbl7=6c-Q*S_}K1r2aRTPaDUY5H|k#b;IQ$2@X0HQcrvSO zpJ6x9n9HINe%;EHRqUX8-Sg*2FDUxL3ofeTWP&}%d4BcdxpN-~_yp?Sf}9P6O4^su zO^^OCi#W={dKnIomwmZsvzUJ=i&4KQ;kVWWrh=QfrGFEI#c$D`aokiwQJ@C8^DBIMtiZGJS{@TyzwxS0&Ea9a0> z@o>=C?{~VN1|M799@r0dhq}g#40}&HIEqAZ6^$yg%c!BLjgu3qw5ruw701`6;hIE& z+FW;e;C!g+Ii*hBGS_F3=k?o-{$K5r^(dw5cw_K|h&^IM$_(ij3V!qpQ`YovMREWAS(YagW>p#?J`b!Uf8dAA{#6&! z@*sd+_a5g&$n#{FMDnQsdr_FA1jD~iqJ94Pgf}%5RQT8$=^TfTOfi=a+wcB&xUBl01e`a_m%$ck&r*X;7t^fqyNG`&rL zPfhPtm3Yy_6gBQ_qA7B^t_AJPb$|Wa45xQ%F09h$E3K>?;i;BZLj0ZA)}ETZxJH}e z)wLSZedlx<&^%DeTMzmmM39GW=A{hh3-|4XJ_ypmTv!73llIhT)i*bbU+ahgi=XQ# z<_W))c!`Fh^fB|1(G+0D3tjj48z3n_NPrDw1ipjfBjVVA!uT?QUyDu{+JDSd5*e40 z8ugalv8s(%BdGo6$bexGdabud8Yt)cBY^6BgR~mUO2b3rTVXV<%DlN^2U(R}7_2Af zVTf^1Et*w&D;zlSZxOc*pNJ8y$y!(BCNY*jS2B7$lrLR?ECQ~@o;F02M^)gD;8N3| z(s*^5DO$v`ZVS^ad|@>DDt|m&U@xx8&6XAaL@ZrI0)w*)DYcBji#k4(&lkX3KOKykJ zEWk~C>Cd8^`H8g`rD5GG|4^_q*HN)HQ@9tF&>V+Ftli83=OIKV0wB&ay>qd4YdHHGEAdr=X$R$qku=`kG! z`j+P$Esd~P7U{A6j2s~DmvYoXcdcusEY~Pn8r-lf$YTAeIzZenl?84exqW1xJEo8pNgpG*BJdqX}QO@{wh^H);?xhq?^wPc) zd1?8E$?16!LEWe5;yB6G$moW;FldmyZQ0CfQ!xHERo%7e)oPXlSSjv$aVk z=;IbWv#UwZy7zgrh?6%zyE{v|YrRdzVBNo641Z^l@66pxS6mC?KIwA{VmJrX$flh8 z$DQwYU>bki`Qt8qek)EE_KGX z=YNwIMY+9;4s?NbS}o`-j<{<7df^ez@o=r%AF!6B)u7jJ^iO;BjHbbm=Opv3V`G1n zZpu^nfS+no8KT)39oR)6+&%(+iSV#2*k2T`ffz62=bj7!x)u z#LL4oRP!B3E>h+en=%WSXZH&94Ds>^4GIh%7UB`=rAa!(%im*+mnZgY=zlPe5Q@f$ z5+g=>g^X1%qBbBLZVLv4VlMyv5z$Iib4W-`;txEAQVog6Q0+tFG4vaU#A9evL!z1C z);hV>rbs_Xb9z(FBDIM|F%`dgp8cnX^~X&6FEf4rLF>fwLdpg$fH z5>pOLE0u~`V*+h8dy)eiJ_@0*v>zlwlH_&`3Q%22R75v8A^EvLxWp+>999n#o9tc_ z&ZCL0eG9Ts;3zUG@<7o9A&jdMDa_-eP)JxmHA#sODJCt=K;}mT@_zvr{imVo{{%83 zd$%DR6y^nq0uhnN1b;E`Tk6n9qoHUb(dgKV5UGcV=fTyw ztNQx_b>g5`h5p-WnHRS5>|-n}1vg!C!AwG8uu>q;5B*54D}R&glsg*9@-(-!R1FJqFl@HBlbBc!~u{A=qBk{H7Xd<6AIu+;)#_X z6kl@3G=QVF6!%q1L5{2-t<#mlsB3ipYv(Z-f0Y*hiCwf>oiM*;Ymxs)5zzM#&3_jX zk^iW6P*QVBxqp$GG#?b(h?|)2_Ed{3@|cMnC}@ukv}TOHazZu3Y^;=;*=8K~cX!%N ziqn>gLzMVj0(=sovi_}hHFi@fKs}E&woWuj<6G3|-xshP^=L&7u~^pu*%!8#Iz5s2R=>|bQq&20iTsHVBO{Ml?-+5SDICTH}KwAlLsPZ>NlJS2N z<*0sR{GUcT?;GihJ{_vH}+OW9ty8q~m(co0Rc}OhLvd_4Q|6PHWQ8#ogWRs8}Y!^n^kpz0FE-`siDluYoB z{ypshGSTo1N||^JZC)lMol**BpdE!^$U9X23j}|oswt3aPE59R*JDR~SxigF2wq!iO}bcV4Hz}9?BkL*NvZUZ zBErDBN(rz2{XWZ^{?@JrC{FiO#04tH*lIbidW=xu%@=5VN1cp6M%}2oNhK1}GZaaX zaAALMl{XX)(v5*>K11a-0c@~W0|^nU!wEOiJ>qgMnRuti2n9^s>ob-1h8lRZjEZs( zv4WOXEYdQH>IWz)=u!comXRc#=&gvjzDi=`Tjv#GqekLiK}ubAO(AqQix!jBxUyGH zTr0T$3gQ~~)2b1thzq`+I_Zj3Ir(oHd=h_QO$`Vd8Rix8RaziH5~Q$%qyUtsX*WXz zFv8@LIB7bG)*^Cpv#n60Ci5t646n_sDitdudnTU8<`Dp$;z|omt{4!5^k-;1 zUyQS(u#?T*{va>dvZx==;fKOpV7VE=Awihg^bPcZ0(^Z!Ji>f~0-+#pXiR`VqP*Bo1ShG#S4n)QXt||9$v^3Xd4*c4 zx2o7trruo3ZVF0KIV6>W_*bu3q)=W^hs1zMAeSY$k(&6M;)*)0YJknJIF2Y51_Mq_ zjJRW5q^b*)dO$iYAp{l+_*{Pu#TxFnjz4L99f(oa}VQmF-bjg74B^3?fnOBc?m%>b;YH38-{Uh(wiDP)(gl@}XiXj*e{klr$8JVk(rI z+E9p(tzrzxzi0`}iC1~5aioTlf>Jva9i-Spr@}d?s7M$JP%2#1i~_0j5#PsvLJSrI zVnAwJFjcOs)37iUSJZ!zZ>UrBUu}+1VO;r7K0P!Aqj3vg%SNhcD;c375Up3esT{4P z&K%_s%kM2y=k-@NsE_7A$WM}Po?&&0P|N#}mZrTAB+XMlwT${mFm2lRx0QxuT7$$= z>bMsAX8{8t0ixHqQl^t*5j>kuo{aJs1$)&D#2D@|%7YygjD>&Dp)JH1>2$jM=x~CJ zJlU$|O<|E#qTxzaT%L*(m2xDpu#|X1?LMhobyIG-DHq*@f7D>glOyGL@+EF`DyBdX z;?0+!QZKB-V5VVz$fFB2enD~kC|v6DWb>lX4GQH>;z;mJ0X~#`6oQ3f><FZXTx~LUrOkP6C80IlG^!;z}lORH2DMTVj zN)|vW3M|Jlsv2N!2`6#{qc{>i*vQFHFThY80V{e-T2*Rsx~jn<4J9^5$rF!4hDszV zUkp&GKo$c9_*CnddI|N85injcxD?1v)tCfRn=h5PwF!R{0uB*S#VwSeLQAeid4+{X zNSLp;$I!5#kg@EMp6OAjdHWmN)N!x#!!s^Mu!f}q%@4v~kp$u9I! zRhvGl9Uuob{~q(9VICo2Z2zF49{%hQuV8=Qp&nsD&5Q(f9r<`@hORB_O^WK3Cn|w3 zv9E<{bq{|L@JMgf9gPT1YT_*-;886Eir^$~ipN5ZnEX$kl5TS=hUzX-`zj-Kc{inF zYcgp}Vu=AURR5*S^OG5GE>BD<`(3mBgkALZ_4jH)GMvN(6A|#he|f6I$^ag~Q{$mZ zdYnR6s08rUypUELh(}cG52RO3$em$siMe3k7%zX|cJb+=#x*u!zD_z;ct%c(P1c4M zD0%TFB~V)^malES#REXhR0?I#ocQX)L17yHmNLkBAt{3hPSUm*MYb_tqYRo{Yaa(~ z()nJ>Ka4fQjS0XOH>h}Z(wMchrhp9 zh$2}w&NrAHHa6Ic%DwgL6%v_5o_e5Rfj!*Bi6_+G#ONp zV4ZqeM@d56u&Aq)f|^Da63+<;Ibxz0s@aKVk^u5GQE(}oL;`a$m6HfL(tc|HhWLL> zSeclShYZ?2LZgF2G=;E83W*RN%;fXb&w3=j|CSend5}L}1Vfx?BoPJ*qop2EJ`mx- zzC5k_Ce@y)2Mc_jADrUWf?YZCe&V}5;y75d@-fu1#7$J>&3M8;tz~RDSaI(~m(X%(%S}R_#6+_65Ly&j~+)%Edjhh2f@fIwz zgCG@e62d>smd_|IM+8N~5GO&32su(dmm?6QKs;CqON4w8%p)KIg4=Cwf<%9UP2)HO zm5Mk*7(ygiWfYb|31AZyRw#6sM~IgvJ21%8i|y+P!JQHtr0sgXq8KCq zMo~^Ik+EnF1`Q1g2o4JMl0$zX{9;GVV#B=r1GK^=4v*+UPhdxZ&rIT=P%JEhF=xQT zzoOzrGfBtEa6~*Pj$;jmj`Wzgdp-ut@}|13;w@Ur0r80dM!nznWhaIYt|moc=`fBL zzBv-t_hvW1f144}VhyX=4{;^15J`Uo;6UqVw$U7J ze1aIjXwB~ilxspwi84lxUz?B-R}5K;W0a+_zZ6a5vjfK@-WXJ`#l`Zd5OPBuE00UHyk`q$)2A^VH$qU_F71e^t5CC`0;OOS5rLuOZFx z7ZUsx>|yP)!-CjDhj|V4OJ_h$aOo2gG%}b}Ru$4=Iu?q=Nd15LqIeGxZz#|(BKx77 zBk~~}que2Go~puBy6Pj)y2_`I-`W(Rj9=Fx^f#MSD(^S6J=ED zkrGf%)+LowsXvy}f`;XV@R|u?9!Cl*wMTn(s*=Pw3t*0Dq&P^xBl4BajJUSq>eQMT z1hqnPeIsR4v}qfu2wsailA^9oU6ydwB3?5yoLmAJFXCbxzYin!k*uOvcudS`E`hV^1Y;ASy`aAV^9MIo(09MY< zX@HZh4rKeyEq=u>0kf4lwtu@V_0Ii|{1ij&LI)dwcnMso3we(V9bbROXO|0PlgN?S zAY!S_gcu1DOZMS(4O8nP&p*2m%P@h66oyVi4w{HNB$a?a*205j+CSJ5_?3vO+qB`YHy`NIavW1 zE^Zt@5$36X6%rt^C}k<-=(-VQFy{=+*+Mflcp)Xm(E9>7TsAt;(# zT2hs=v9pD&tmr+V(HuTlWQ9D3fTL5epcbN|0vHxU4z~0Jk(4ih!Xd_ZZh}MrS)-6O z0x6GwF11dA7`;;Cq*5`Pi(f;H{q167V`uNgv}M{d?OX=h4z#zyk6p0gi1{{&b~bp9 z*(MI=2&8f2@zj^Stt|tJbftrZZ?F`GamE+L0_Mo+0tJ`W*47YUR9?!?RxT~NJXdI* zN{BWcoCa>5suWE+6d6f}NH?y4R+U*^&G;|nxfg&s%#(kO6q6tjq%fIGz6kOa@ukpEL?q?#!Eq3H-B2lle{@Yg z-Cv_LlgVVz%~MgXgfEt&_$q|Tu_AF0Dn-NuO|N8J!W1;XI*F2s8-p5;+Hk~TOt%?- zbfu2DncLGbRfp90Ai`OU2Xi}O8n~Ie)8zw2eE37$?a{k8WE}%x(8>muNDv7*9g1_W zJU>Bxk3R0QVIIU}GO7E9MSjF!$}_d94cltA)2tp+j2Q&k08cMQ_#&yb+6eTfLlDUd zK<24R;ic1w6$JG@VjUF0n5u9jDb4qP&z2s;|4*B}A3x$p>HkHsd{Hu4HLSUaDCV1! z08RUUJ6k6QdsY8$Z#%%z{)hknH-4$9)|fkDf>m9V2}T}2tVe!E50suxM^OP=eoY7p zh53gj+Ts7tl>gVB_^*R2D9nX1<>7NVQW%0#Q`P8;VF?OOtKh;+A(9}Hg4is7J>3RH z1vXLv%H&F<8g$t4aLTvPiicBhS}2U7d_=_Na=2LV36`8)LPPys?1ZjF58)VC!p4uT zVRQN7I9P&05QK6n~g5fDaC`N_|!XNu5?hpBW*nes(aSR&#Gf)R;y7$#qg6lF=2 zFNzhwp;8Vv-ZwbWai|~xmBJE#tT=we2Ndq&66vBL2&x7k6crG>3s4xcR?_&|>Uh^x zD78#=zGoM4;$%+0u8+;tCv}qY&t?bppB_^vJ^dSpQ(5zCM)IE=NcC~}iZRquwW;AF zCN!^DuU2|+I~#TR@>B{qP7 zjk%qTxjlX=1||z`T!JVb=CP#`jtIq^4J_g!JPa&jPKGPs!y+kvTgXXfMp*A!l1#SH&wa2SwR&Foy?AAPB;bsZze>B1k+R zW`mq61ZDJzvSIdtY*cGQieD32kLwAp^DZ_vEuJ4_gP?YbB3XF=OVnluKb@9|q5>o) zMu2d5>FF&m>y1c%xG?Z>pcdX~6qYI_292>E?kz!Lt%DL_iG*m|Ty0Fnr( zi;WGK39eeJd&}phHMlwmuO{ygFmm6}ww8(i_1tJ7q~H&?nIvZUF%TkwEa8cmO_Mh3 zR;{3cwpL9SCy%ui)W5%j)qhAJn65$Qgnz&++xHXWKQqjKE=nW(pYEVsPpGI3Lr^KC z^24dMbYQ#@?2$QMjKkxpun~huv>FEZ-czW_ zuKw%2BW2{MIx6oQ&Oe3g{g?T{xJg&hIWb=h3-}^`7?o?B_6bBWpGS&gB^(}1O#1}< zUs}o%hl~=NgFs1!mZHF}sG1VZsem7)EES+$s`G&?Ww|H+CixOAXaph(%~aTa%|`#R zHs!M+ot{olZ(07QiTodCjQ(EYkN7pS{@35$PGkMg&hf|opMT}o6AIw)MNl9%;%c`Q zV7fqmPeLT|7;M1LhK5lH>hDUY&IMrc921rDU9+wIvC3Jo1b1YOWj)fAyr z0&|2!G)-g+Da==MxfQVaqN)4}#!}O!$y$|v%vVwnQ5n>~?Wces)$<3qH6yi3hZA9u z6a|taw3Dmw9w-Fa+1mHVLTx%`YC$PESH$qbQZA7s5b}jEQ<@@%0oEcGvDw%I2;wMH z7B&c13QMi=!E>e4A;q_QC_9dW#({tx#Oiq48ta zA(OGQABYtK%&QTwx9zX~PLlzO6oP$!TU#IqA`OB2Tdl7_hC<_|Ji`D6MDf~b07{1Z zB8o=I5L?m3c=b0Z)ZbR)1*&*URZ$8H#ca%$u|fKVkkJ5Jp=*;70lAl&TmhIA%O-Y= zL71zAAPaK|EJUO*7OhAiYe@dj1QeEkK;h{D4-d>6n zMlm@_AqI|gz{&(HAxaYuF}iF{EG&{T!|H%J}~d3z&0Nbi(m5v;0VNC835fN6Vr<5yZix6=F8mD+l zhoE>E7IOsrL|B=NbQ}QQ^o*T<#1|{d$*nNS{sM5xv*`owD{-aM)9L?dIQ0MBj}rfr zKD7NFZ8Wp~-`}pkgBt!HFu=~?2mb#zet1mjLf{QP7Y>1A`KVNqf^Puki%^)GAc0*V z%{Wx80#jZVEVtpS>rKICE+XKCN)ZVs7FNw#ft_4Km2X{$4{`)NUlA&Q<%qa25!Aat z;3!Y+i?rnCaHy!-QVh(ICP?5gBsNw66MLuea#W<7Ske>1QVE}{T+YLNZY*CED`#GW zA_CYSiIwlGhUHz*f`yeeaB}2RuTd9hFd$>?Nv;wr;c(%Y1OXF`OOW!ABoR}{NoEob zjmaZo5T=kX5b#mA)Ko}+m>{5R8$a&?l=i`B2E!6Q!XtKPLUy*cwsQ2Z$^hY6aO4CU zCjoOea!2uk#MMxW%S=cYmVLuus&j*vL75yL4-qkm4R~(q!-~5;aL@o%Lt+VE$dRNl zClHdCHzntdi%8&L1QCQ{(2!avXo`rdQVvLhs-gy4SPRKQMWfb#V}vMHSMf+og=A8N zWV}Lh6BQ;1lQkvDMTAT=0aGCnCl(fB13E#NjDx}!6alxGfsSI-#dt8+l6n#$|C{Tg zs6bH-MFpC@1h7;=3ma3=9&ulz{2&)MVyY{vn5(UZwTuKT6brynR$7B$^JYeclOTA1N{_1YR`PMfnC#9Wz5<0gSbO9LN!3aB(db`p5QUgJPJ!N9e05k%{4WWC`vSy znyR85xM&zuVh4E|Ie&7NC`;lm6%8l`oHQ{NPz8}tI)XS3@r9LQ?5Il(ksmCeI>sV| z2b8J_pQdboL5zoMxZF94PcO9~1*&?KQ=%DuRa;d&Z=zkQy41U`)Mu8ElN=<5Maoql zRBJPeLDZ~+Q^rw*oGxD^g+&-fR9sspM_icdYi)&qB2@KNJP=o%suHp^M_U`r!Re@9 zs@igD>NS-#NtcqgoE)hVMkz*uU=rcs5dzpii+3G=3-$x}q68_d+H-jYCQ+J6WCe(_ zP#QEb0m0oF?qV=+y9uhtqFX-H6#FLZp!8 zH}Phr70|0qR8%bBONo29(J(~uAq5E!j&bqDKl=~y2ndEHTv#OK#KLa&wu<)woMhE^ zPPSBk_CXZ@sArFq%+J z6~~9egeFQSNCZuKN%it7&QhBv*JuPKRgq)9rmM(HX}aaF4E%_QovspAH+D= zT&%Wg-LEtsLT>Y>gU=(*6O?Ov^E63STI2wKTRNSD-0v`zsEB<1G@_!SHibyzDE|cA z<*NsXsMy>v5sJbQDG}a;7=kl}&OnyH{(}QI12|G{9K?uX_OV1zG>t13TXW&G30#R4 zvyVB0Qj7UQPAtrnz+wdDV-Ku=Pf#?Ysf^^9iMkjb87bbe3BXTLhMek0M6eLy!2*?k zVkDu--zz$<^ko=dl;%xQha*M=0%R;lNQ6Vmf4hKe8vd%OYH5&&FXF)>Ddec)MyQ8L zW&hhhGD27jO%IMn2@RR6NlS`|5djjLLN-V8XWB-Es?Jx=1_g;`jg|&%R#a8n9`N6d zX%t+4KU6~=_iq_8?MeZ5I53mo=r{y_i3gm5Cm3=0LqJ_^3aM37n>|f6$LE2?LK1WG zXHBa+Whr%)|4%P*{P;ETQ(ONNAhC$bw=>uSrdSmFciL!j{m;I?t&^kr`k#|s{{cVN z|Nf2NjNm{YdKbEmjt<>-m}iKN&QHH#|1+TJ=;+MVOTMh5qtiw_Y%Hpy!|aKF{ZBV} zt$U)5PL__Zr$<<_?u$FqmXEx8!}irZcE@eKmPN1jjSBTN_VCQL96o(c+!eh66OMS! zIr3q6|07+vP8_GoCUdHEXzS5C}o)XWes`H3;O8k2VLzd<{ zR_DNB0k@DO!dkx^VG{8Ty)y zLj^__ttndeWEL2iI&ag_Y+Nt5;t`cRPUz=WFf2?cM3QB{q8mla#(T4W>?0l>p;3q= zID0`Wik2Cs!P&D`jM1SG$tkhq$6)*zj30yXV=#UU#*e}HF&IAvxhX!GQ8< z7Rz$X*4-=lc;wv3X(st!kouyDp-H2rG#(SwAGdgZkKTA-PyNEtiwD)zWR^8fsCu}g zHM^?pV24aeeOYSnh8IJBZcVwKpZ96wmaazbX`d*Gw-ZTPbe8` z@qAg(BXsWUWpbViv+N^Q+>CCAbM(|CP83h~+L++8$mXt-Ywpft!iN4~#djkc76-qa zlyUIzDm_O*z4fY)Ynd;SM8CY7bEUy){OylJD$SN<#Q$=_(9o=Z&1Cw>L$>7`g!$7B zGH*0q&0e$dP<8mtahKd?O$s7l5EDp?1-!jj!`+FJHd8Z^UUIy>&BgH4aF6edX#j zlW8uIq4C_ePe$c`$c4MsG&s9&L$@kjc}H2RE|?7WS~b37DWm@Av81~ZUyjFCx>eub znNhK0e7jDYC4apr-|)I|(xk@9Cyn(;->BN_e||i4ef;$vQHcemF6U;L%p!y~ufHx_ z{KwhpUx=o>IvAJ5d+iy?a z8~w#OZQsk$p_6KuW&K7xwph7$dU?R((YKvy{;Yh`HZ}I@i4B|ct?#(+*(Vx(y!X9P zay7nUV0n0dZOjH~F3$WwYvUfz_r9rmCU)4qXY`!3m{;jTd*8W$p6O+3^`>^@aD7p~ z=XTP!b5^aZfAwr};j4c4q|$()eg_W7HFsW=E?oTn+{(NTfP93(l-1$Mtk~KQ51y{R zRq)2$pFhHP&n$**@`IZ5=StkuPA8w5yFGY`>y40q#k1~|Lv3)b{0%G*!_i&nzX7T| zuY%1Nb{~j&_Ra;LL_+MH zI|gT;zW+y;_JFZrzq3N)xwZbG#ohm6FLwV}JzF=uPth6i!4nsvjjO`nZ1#yUG75^L zv%~LyN(7N;c<9W;){%q;ZnrKlTKuwZfD7KkfwJmemlw7+U5I?CwwYy?IsVyMx6_l3 z1TSmH*h4#TikU7RS2lX_ppknYKioBKab5fP2XhTvJOQP*<^@KJ3vW1%0+fR3vg%(h z3kP&PhJ0e=4tcfmlIxxts8!H!tmI|KTV1YyFWvUy#!1&>0{7DO9bKm^Av7UFKeyto z>qqZEKyh`4f!C6gGir9Wy|({D?TdryeYXrB(%@xgu%fTn@9|a43`~o^H>Mbg5rzgx zQ>QFyLx{(N)j6<>TtkiHtapkA?c103&Yc}mTXlbiyYrsA6`g1&O@Fa}nq3|F^ptgf zzQApFsdz*1lwOF`)L&i|E$n8G~1H;ZiaJG z>IQz{DHq4UEv$9+)5g84?E0njNp(nnPL$j0-w)0r1mdHYTj8>r*A*X~cv<$f1%4mT zH;7+mx;w@PzkYlAa=8CRly=9|;A*A#_~D#u4GE7APF>Y!<@2GF4|c#Mu(D%t_H*+k zXMuEBgY^#0+2+_ivO}r3OP`;e7P2okJeX=?zzc$MA06t@3zBBny<2_!r`eyPKFsXx?FqTaZfz_|PkHk&G-*^f{=g;M z4*ym`$p2{j;OxGO{z%08GfqEn_Z91Pd2g=Gteh73s&nM;Lr&|x?J2%@W%=Ex0g{tn zwsZ;adTCO`1%z-6G+nsZAb5a(FHnd}(AJHK&lh*S*KlW(YwBY5qWt>lzqg+r3ZXC^H&@-*k)jC zknfnDRC9Xc&(0WZo-0eOR5D&gd!&oQ>zSsY7l(8#?Q7z`YE+3ZIjk z?5jHI(z>@Z(0?E7-S+7FBD0_O<2)J<+mK}+5fbZNhWEa;-k}3`7n?0p+?V?98>!JJhPPg`}O$MBb{?!RicF}8b~2E64z0$H7z388-;1`5WORj*pIu(j!d z()UllaLX?5dY8Cu!XpXV1sYE+!^dly45&bdx>X7nxtw zcxHm7GZ$Q*5De;xWNYZt`s_}7 zzr6Dvczx9PetHI;7S$zVljh$0aP-Ze+^2&-Jaq%|Ik7K)%Rb^->|eD&soiJ+o9FCE z%*lMVah21en(413k*DfrO|Qpdl#yWU!O_NnvRr&f4v3^mN{eJdD~F0_rd zd~Q*jq^OVgr*1OwnLUejhSq9hY2$|ti+5ia_`mQ7I*yOvV9c00zxEEmBsIf$9e+^B z?z+R`q{1bCHW#P%WI-0RwgF|kCOnU|Se9e)U|u0^`k;@rQ{ufrx&SU3m$2ejB~+9y z%^X)9T>I15zzMq9zFDj``t@NEb(dD(W4hXI367i9kYxekcCy+`7cOobQ#%8ne%4z{ z5^tq$WbfsEPUy8CGF_%4yG_6CTv7IAZ{n3N^=>17%%1NgpwWuatj@3Y_lq*etwu+K zJ%0HIQXf>`n2e^rLGELkT~N8iFE8)Y#=5JQZ>9|_TH-TF2*8`{gMMzsO{eYpfQPE> z<+A!`ZLjT5Ouf460hnVDrn1MYCb8##Gt4!SL zPp?mZF>bD}zvRJg5!D?a7IYFgzKny1Pq#hu{KCbv-b7U=z1)g@vdYc4aqlMM&Y4#B zSM9mT4qJlWj@(n)4r1Mpkg)?xe;rh^clY`yD_Si#C49>R1Ixpmj*sXIYL2g2b<~EL zwlk^jab?u)NmF%nY5aBuIV02IlMA}$6eWg#S>T>}CbPh3v^0d?9&5W)@6bcjKVNP7 z#c?xxT+y}~Y$kPYm&`j>?ws0tm&v$y3I0ywaP+q}%RVA^-_70tdl+8n-=mJ#5ZYsnsXfD>)gAT#jv(Aq*2g*0QeD^Z?7VGr-Ki~F$ z4Ve_V`4%SR-14)X?xmr1W=YpYr_XS1vv8UC>g84pKg6^I^Ew0?)F}0+nQigp_MP>o zM|Z`9=|Ia|lGJ#q0S!&jyUxdbijFQ^tmpq56Hs`d-(}phzI)OJ@h;Jq?p@?)j3L6Y z_wQOAun>IOzJ8b8o7PBoTuDy056<>~yOvf(2Zk>Ix~=o-@Gj)G%ZHN4(x@75FkQ!w zzxvVrUiHTgXOAyPynW3KZ*hz+Tzn*O&Rk4=STpoLTz{PsfAk#&njY2c@Ms6I3M^?2 zeYRx8UOmy1-r6tigbBVR@`nejGn2mKj~pP`E#)7U&FN{{_Vvg_{)nOx1BPUO>B!C) zzGs$wu33Bjh4VJIyK8pE;gbrcof2Cux4na*F4-{sQD)=Xi&%MehB2+oSy`-(G`G`} z29@2f2=KY?IjP{@S~*bT2eef>PU+W+S1mwh*AEH%gcaCP-s*DwxjU}C(yD479Osqc z&@sh0IQ#VBeq8}V`fMX>49&XboLKcJFQwGhF%k26R=|YbbQo**Ds$z3oX?X1O0+02 zT3qJr6iw4Jcr*s;c>m9rn?65&)b+vs+KwQ|2sFIyzU%x7w*?&^O452bO0ja0tj^5W zoyUL1n3;iDq-W=5{<@&!{nAz4FnM00W1+x}5(^W$(AinHb8pbE+HtJTuj1+MK&u?} zhvzas<08*TdCb^3IW-!LCtzaBVX z@vkzUn7gHK@2|eHGETY#uQH0&xoAi9Zfsi1{xIC+w*N)aj#vACFC5Lg4$S*f8U}2i zaN`$b%)RK2+a8;+3sgb+?Ot1Jjp8ypZOCj)|ABW>Gk6MYFFIz z52T$EADwsw%#GYp1^YymCypLYT~t$bVnCh{=p=5}(w|_;gLcN zb+U44bn6q-`v~8^^udHGGVJGW z`&zc%DXCI&E)_^|4y|nI#PDR3#OvqH?&9cixOIWi=x3dc^Ra)p^uwT}1Nu7P;o3EW z0ngj?^4QhOpY4n6J~-j8c{rLH#_G)USg@)uF__Dat*LM}s<@GIbl=R&KLd*}x*)0U z@#{@pQdZZ0)lNOvB?`CJCp!jb`#sr@fh|3Q&pE7O>yMRP@BX}}D)9B=)gXRkb)>aA zmcAwWw2!sWI&dj&Cah_v#QddJSg%<<^q;&~+EH}6`_ZGz9YLSE(#lq(9e$9$<6ZLH z{s4~;TZO?ci-5&#jG=k0Wa6&H7Ef+3nB(WU2KbqOb^3WLKW243_IP~4_~}^j16lSF z&k8T-;7GoH(Y`&S=e&r_7<=Wq;3m+=er;}tWgKEQ0q0OH||W_4zkpz%Dc*@fj# zxbc{O;aahH0?4Y%gX`j`r_ru1nLK-!J%*23mVLzCnA^#i03g|rRhuW=s>BfIm(vdI zfY92~D!f})B(`qj^6n{^43ENDotgLEA@4DNEm~QAZ5bWYlpajloZo?#^tDa<5Lptx zXW^^a7WTL$G1G+yt_R~f(Xju{ytJem_N0Z8<8E%WzX;lJryV$L(-?P$z5Ld)2ZJkT z;A`vWjDxdXTOG!I#ewqG={tT3+CSLcG{bv1P?2`Ej~{g%)g$7UhP{D$VD5=Cbm8KE zcO}USaeptaeI% z&AwBA(t6?O%6F5_uLIoiX|0Y$I;8lFO$tKp;%Ljos=(;FukCW6h!*;TX8y`I&95Jd zy(`oov~SgdLMi?(Nk6w@U*D<*LjV7Nyyl$~E#3?U%-3XKLsj;o-HQxYp5Bk6@tKwd zMx#Cb1AsBj)VtO#%7u4{?pyl)k`vy)areKhPj~Dd`7R$_l8+;X{5eD~o8eX<+gA>LdAoe>`68 z=Z=RTOKD}xF2y(e-f6GP#IF571ZGuWWLmg;45l*MS?PXv*1t`|`Gx0yQt1!9i2RW(kITf6Mn!hv`oRIu2LT&1oYk2*;_@mi z>>RcfsL7m0&Lo>{?^ggD6cGX4u9iMN=w;>V_M8c7jAV6Yu6J0&#%kPiHnIfwr+gx}*PmW_zF!&*%0li@kJz-d+sD2DrbN zO#2vcfd713jjwCZ=WT&$^J8^pM!s9S2Lz-nzwp!U*Y@|wV_ZKt%VaqYyw4cCXO_K~ zHRtutPB(|A+2bfFq;G-I;+yL)PsHTT-1@F|5$7^;^32s-8IFFL27?^Y3#I$+Y|Edb z5A1tC1IxoO$7GI7N0&B#!mwjtr&CUue-%DB#f&IQHpD^764t#_8+(fyM_;jEzXUq) zK`*yryHlaJXO@nPVc5-O@9P=PA9*k6r^Ez2$BbY3wqu9A20xtuP_4anfzjfpPX`Rd zym0vVV?`4ij%O4uH|=v5S6_Q8+pW(&z1vur@QJq(Z+2FeeMD4$%*}yqjG+r-Wecnm zY-~~(3q}Y0>mj=LNaKMaZoKJEl&k$<+hGY_j#irKws{`*!!RSaxj9`7;N$RE_T4#e80@%;RC^z~l!(J(drsdUInk zJL+@oM!&pC+#5UcH)TG5pSd7u_R@Vj7@zmV-P<&Bnn`8@JK;`ItD02TntOLUxRzz4 z)^a>*W?#0RR_UD4{Z-A{^HYA_zq2Z7l|#;%{ch41A2!5)zZ>LwEU=)8X45b2kD|TT zX8xug!LfSiFEU%=9``xHs|>mb$u`laG(7&YK7EMW^Q*neGGnivIPbK-`>80u59izT z+InZ#ts(lG_inbbo;Ls3wd@NOk-Nf&R+_$C-uWB5k_E$S>ey2B+i5a8dWi}meGVWRp0JhYsLvXf#-;F6xnZRTl52ke}T|Vl4Ut@av zVZXD=PHmhPP}VDLVZSSDjw7EKY25^=XODF_dwf=D30!>eVZia-J;KdO+qjCJ7rx${ z@wiUEt-I}JbY%0;B8Q-Cp-%WwD;=KY6wC zX6B23J+m?@R(a57bSh4Gkz|%*lBU`g~2>5GeZ-MBYuzwzLI)tz2VG8w#W;fi$I^KNa{o)B`defzL?|OW$ zygB0Chd{$5Xa5(0h1^Kvzfz+sZyyLfbf-RVWm0Bs7}vMGe=zN6r(*O_rf}f)?S>_j z_W*MegN0TO3x65{@(uJtdOlM7X-?jMbeAVxj~>{5X`F!e(Z7Cd^1MT3jtBPe8oTB9 z-K@W{(J!NMqt$_#QFa$0nWbKKVClr; zZ_bXr=Q<|`KpT_bY}fE3WoFT=L-<~~1wsfg`{a8}ey*1NxoZ;rZcYNuXCr#-PoPGM%?5;MtH0SmMrINkeeV|3Ae&uw4!klQ-Rab20!?qouB19yO2yuNIp_8tUNB+b zZo|~kp0vZUZHxGWmSr7(@HAChkY)MmUF#8*c)a#GW8e4-{bYe{ri4QWc0H(@`YFb7 z=at30B;(xjv9yX%3HmXx^R6_{@G zJBW4v$`m2HzJ8?V=;6y=7L;dAy#6`mB6mU3Z09j-VZQl1o-93oq2#dLyE^@{r|uta zb@xY>x0^nsAn52qhr~I4Z_lkpfQF^(!o{z;PQctpoAz=1_!RDq9U~%o#4TX?=pE`_ zJUG(bWzbS5kJPC}##KvLt1j&Ra$;uAwT6Vh-iN!)f4TctUa!&=7SBa<$6rUg*|UKxLYU3otnFyJ7=0r?usajc}$rY zIosw|Sz6-VhKg3hO?@-U7{*h}Uzc?mcPnf`QKUE028SZ2#NDTC?~ExhbL*R`XKer4 z5go6$x@j(sk{#@j+5T0nNgjIh_O;yicZN0^NJm10{CF3COK+@MG^ZFnlyknMXY%i? zj<&z!_T^K@xa`pn0{Z>ckCYN5cj!l&&c=jgQn3|ZS6YvW`{oez0QxJw?8qX zTvmU7ARnnM`E>kob#3RGd9U+oL!BOnFqUnt&Vyg@7|WyYGX$Ao=!HK+_y9Gu5_Bp z8mvFcY}}v;H>P9$Xxf^YcHY*QAD%oC@r-OI$S(GO zWykg1*$di|01%psb%D`!zCD7Qg$c{&PK_PqePH|bjNSS@mP|tHp0vGFSz=zYwLmY> zup58i`^U$UrUjPT-SX+WX4bg-OZR?UDOkTF9QfjAdbt%LPOytVhO0I_Pi&C9rH|P1 zbXWdJS@`jck7qk&(sOD~JUqueqc^{Q&(>Eb-Zn;kn3l0{bZpHDZo~+~DP^0w4Nig9 zw<%()2bm|^8C+c;Zo6gO=yx~I=dsS)Egn>J^}^T^i~hSDdt2n!Owo}!=ywV4`sd3{ z?>Ut(y2~DR9+CXh^y7tjdxzF7#R!-NXZwBW_Via>+Fp|}`;o+ZGm)b^mYMc{ascZ! zcdpt@Ydhk}q)NMF+WPheIemH@czg5-R^fZ?A9`uv>$dg4ourb(`Wgk&g zc<+82<6*_+f4po=ba;pUF;w7#%olh2JOZFl_s+1n#aMH3#*2X=`Y@_c^?)x)yVBgHo3v^`u^nN#; zTnA0;b=AjuWscANqf>MC*?9DBOZ&--3`JNbdK0?j6!!`qWZLKHoJ)J&ZYbNF%y~Uy z<=7L+T!>ZRK&x1~WX+;~In@DI-}fkg__VJ2#^l45maYrN?gojoTD{zg2Rlq==;+c+ zP1hCOa^_t+|8VS@S@XSR2Rm#r+ws(lS;QBL{6nM}$~^80TfyU(Guyd{w*P zVC21d2GS7)Yd6DBiu#xp1m1ZwX!p<4%5K-*mYRNKB0WL!@RWGOvkA*}bZOl?j7j3v zZRVDBy>%&~V5h;9uH|k{nPZ0K%zga(W&`6BYsybeo|TvPY2(gr*WNn>%5H5ex-)La zuQ{nx?K(g#=pgNXl($c*Oq@%+p1H=74ue;nP5U651Zpo9fo_QP15!-0~g#;A!{@T1AIzJCcI>#mwh}r1`!+1xD9LI={xG_fhZ5 zfu{}P$}IzbM^{Am8U@`hEfl<)HfJ;a&S|UHy+LB;S@^TkziI>5y|(ypp^!U~KE?f0 zz+WF8XTCig1Z*oq7cOpp(9kc7RjPlevg3n@v{?(s$f}cXzdhS1m>@j!@n_C^Jp<2P z7cPV}K0cO&gwF2zZqAWBg9k6h49i{@5>NsFhn+5eTs+tL1_l+p+FN$K>1}P+u5wxU zCLZ0WOJ?NJML8Ys&)mu7XY0sjwOPSDM&DGQVV^T?Qm4Z5)Q#-DV~T3KgEho{1xBWJ zTQOH8&Sr(Ldb!rCY!=2yonm_ZpfiYw(WBG-jHZ(Mwk+R-8Vzu5EME6w({bGYe zn}GJvg%L7w*Hd=O2mdmrX0m7Z9tpi;WY-rB?mjs0-o-z*0k%2@u{sweFB->SWtC6W zA9r(E{_@7>OH6MZ>g5C7?&TKov7Y{HYErv@vR_%yC|UK%;`5HPKlH!)XhrV_uTP$y zW!Bd0QqF*vdI0f;7Uov)bitlDgQJVx&y=`->9l*guW?m)%2l7|-d6|YPakw%56{$1 zSU%w{yJ159%)Sf6JFiTu)&H`;YTLCT@fJIdJpn?u)`g2jZ&Dm|X?iz184M^cEbY>N zrSaytBl8V!hh-eCT4-~ve-ELPuK*Y%dN=;SffH^_zx#Oc!p~dRw|ZkZsO)})`10)b zf979M&8|)#38g)+oZ*~wyljKXww*MmMK#F@Cqr95+sHlZco3{n$PQQ}mhPejoRItmBl))-(}phOsD7PYOh~rEE;t` z$gs!FktMqxrbPRJg_iO0XR~9U+zr3EW?j`A!$A%o2PfGCoD;3H&@Xryj+IR^*=CL*mxj9RJ?V>o3y-9(tkyH|>}mX}sQTi*vbzy)&d%>PUVjdIeC>;p zwBF2RD}6VT^Ubno`jtIb-0ZpIKR=IY_t3OzWa86xk9$t&lGD*aw$lrX&D(SvoO1ta zud>%;ul4-WbMy2!hJ)-Xdt`)u0YmX2(oK1f9D{H5{Ds3W!ddG!<4#TFjhi_Y-MVioD-R!9ci`N=PfHHB8;*X?j* z{_HyM&!Y|Pe7e~`tu*|2cDC(;{sCD!GCj;FK0Vi_vC})*=;B&^ETr}eM}Kn|flax2 zqjcfoo#$3$bb#hr%BpLB=2%o3&B$EXFM0*7;?=Nx;V&;+(PrGNk!I`2YV{B0uN)ll z=~%$y(MMABO!{WXDxWm&+jXH!=5I5Gsk-HXdP5?gEZzI@SlM6`yFi(#$zaLWQkS`D z?I-K#()h;fif+}s*x&lWpr2=TDq{`&xU196OY?H-hpFrjl=0|)J9q9X{&_~@A?V!n zkAY7QyuE*j_h)`oJBU@VlQ!$a*&g;!vj^s!j6T}WR`N!?u=vs|cy$M89%kca2dt|w zhKx6|YPTQDHyPCN-EU)x|I(|^X-K^Bq-}aHi)$-~+tTzd^)`M5eW=SW`?$Gwl%RF2 zEZW52{7LIt|A?D^iT(|}SkN}wDe;VzUAp&VK~HHFIfreSY5kw9-74PJX39yoOJd8X zW7lQs85j@CX4T&OGCig3vBc>nmN7C6>m6D@#9k6$1Gc2-!o||_`FA@&!F^;~e@TZ= zF0ixtZR#wa`>$rWM{dsyTp!{W0oJX?zq-4=Y)SQ+g zxQ{Me9CC7&UlwbeexE&Q-QLX~UA#`e zKBpn@>hAM*GF>)*`UBIYVKQ;+tJS&7OBaszN;kTmv4ZAyJivA65 z%n22sleTdzsuuP3jdHT2o?bCS-PxZPb$FkjIzID3}y=*xNrJa4F9 z|HBf8b5}Qyx!A_2OXK0{gU8O87s{~M&5O1pDX80+nue;m)#K)djxR5cPrND$7*YSU z4;EcR1xAafjJ?pBrq|xuc+rwQb4q%jOTfr~?BD(V>Aoj7JuOz8YX`BQ%e3Rm=QgBV zos`X`MS5d|XtD9?E$badBp+-^(LA zY+-M2+&KGjVFkv{TH3o0fhF9}3GKR959nH0KF`FM$!-Z4-%E!HS5 z&TZ-B6$3m$nv2!B$YA<1hy^X61#F&kIQCwr%08nuS?V1MnEqsR(CPoj)m27CxqW?k z?jSRRONK6mk?s^}7!eR@1RNTaQo6eiMidmJ1f)Y6K^mkP1xc6D-2oVXOoFILFzSW# zI3hJKiYMRB92Ry8;U>p<8d`o7_y=-n!#6qzN-m41>%{PId6d-0_1CY%nyP$A*`X-& zMRB|QZ96t~)ohIWQllO)A4m$D%aNGlSU0n79rtECMwVWezr2-ZX>=a%5{1B8i_nwE zbK$P&JS`b=%(mXNe$j4!7eqyc1As~xRE0D#UY`=g9_%C1W0VNc7JBk4ym-NZ;X?{R z$pzK4CW43Cpm-C`2^Zrv^V9JET%as>N!4Kj_8jyry^S{B$MUBNl5jrkft=N|(leVSwW5B=1AT2ZEvc zpLuJ&bjehANwX2LHQ!In%(?kP-uzE1XX{H0?zUlTpz9j=q$NW_!M7aH*)nK$hw$34mMMl?cJ|#QI>Aat0I5J$zeWQDpH^K=1%yK|n0K5| zHDEO~`G5!>ejBwFTOrDPDpWC_i;y8%Lb~sjB}M;glcB$Z*+egxd3;96lSfsX_{|cP zUWerj-K9D69D=muD7}^+o1LXQG4hsW+s91du9Usmz?Mms|KvbC%6(~IFb6e{>z=9sfvv>j|G#5 zcJ@C-a9Vf%Wo8%h>Ty@jJbjSEMvvSNfS#N{ax%&z1fw)k)qsx8F=}BPARAYTm3e_N z*KVAgLTk^P;8`g?f2Nv20*(jD_V_~^DTrCy>Bv3Xc{VlZhs)YcHK3+4Y?25bZjXYD z*1z)=XL}}y>m#_@MGwW}PmT|`yi8pL-^wZUaclOoNtUh^H$!bL?`hXCC-TP`U?7k( zZq&4c$aa8|9|ET3W8_m5ccVAOemf8jXpvYqI%jiXN8!*zFVX5Ah-CRwiHt)QPAIXDb~!C@HN;@|*P#NbJD zh#+~e<2dURL0kjFV<$I7gAKj`ze^WL1E8FH+?>bOf-1ZiX80X9E!oTTot~V%zlH-) zlB))E9D=B6aDYW$Sx@JesO{Nb))Wl`hK1qfTox z#4BI0e_Z?wco5b})juB@D%i~0Q*&A}5J;w=4}idP>Ih1%lwF&C&<;z{V$=RsPNxtu z?wPap)Ve19xF}PYXD+5_PNfDotvS;_ge>jkwouQKU}_+Ln#7S1tAi&1sFywUM$AN2 zpCbSgxdTi7v6shMH=}15G$4So#6)Z_W9p5Vf}>tt08~x4)m@%Gqo2Cti~H?~L5c2BeXGVvNu;fI>eX^DrLU(BP8)XQm+Fy3VAt(#V z&eMqDswSwc!RDuZ$KPvBNDBM`!DvHX%Y#EYm8ylS9s*`urcDasRg z?qywfO+1yS_ky*j#s_@gir|!Cw!+5{md0p#13dr~#LeSu?*5}gdRm0VZt)fErciy= zp?bkp=SYtx1|`2LM7V58f18yG;eO-fz!-nv?Vbe2))=tzvoGBd1a{Ih^6YGuAVoG; z$&%#x0|zSWj!Sdrp(>f2S6(9qoUFJIB#o8&XY(g~XYKJ_`;xcn(j0j`4dchkIHr|C z<=^QLa5mKOhiXIR`a4|%AGL0ixOweQRWA^$Db>1MedhoaDtOz|e`I0(wpi{j4rLTx z_8$Jh>H5TP4?!FNM8uqWBc_t|=N$l44c|I_891v)9yD+t6+?Dbk@>j_pLm7ys^RS( zs(CPAae-iUD!0?j9*TjT!@USN00KABr`{kBD`f$JrCC%fjv9rKubw%p!p97&>^{M! zn=G%M@sT`A{oHfUf8yxP&EzR7vTXF+ZBv_t8%5 zxL-U%3U+;Rv-~Glcdp=7zs!5ESIPNjmu~xeZ?xfKN3Ob^0q^JhQ~w8k!6MOb7iL|R zY9$utQ|-vfD~t16NPH_pUl7194-;h%NG9k zM2#0TM#Qz?Y*#aF!`AR@VJ6lqIwuhv7KT2wHf*XoC(hGH)kh;aC3z&1f04hw>bGYuO7)OEM!Y1sKYFs_62nC=jX{(4ps4Af*&I>;G(+;-!n)RWMX8wc1Z06U>N#9>p_wEy zzxn2>GbW8}*vYBWdbZ%j0mF0uVGvCmZ&BuF#ufJ=e+f+WLaG`N9EF?(fu-qqERNm` zlX(H<>^vsD-Dl1s@1=(>`^TenjF9VtqRgk22FC(q;dqjDS!KC&U;|&?T%m03!(ogNK-k&u9<7b+AW0 zG@CFO@=ANv2EY5KffjK{aai=?jLYZ4?@>39M~q?pXR`;7dJ(Ds2<-F_L0KT`F`?jx ze^A7rqm9s8-Dwr$EDcF}!I7NKyh^n^R~mi_lq(5L(@(D_b6Lau5r=lq9Cg*d5lOpZ zvR0@cpPnefN68OCbeSJ-1Pk98A;sj9fWgQ|auDx7?^TI%EDO9%n$a#Q@%P@`$K*#= zO{zBvm>LSg(&*gTSp$Z>Q8AjXkK^T-e|_~FIn^foAYO-hHo-08N+XYPzu`5~Cb>VX z$yTPmyu)ev^dLAgp6OTygSo*hjY)Xl6)xY9WNo*uYYxfQ1@!sU0FCC81H&WXiA_Dk zSMINavP;mIRJL|KgEe0FXEre0bfL@~r<7*K0JL_yq@N|6I6yJJnBc__FUQoYf67X< zF+bkx(cSM7N5EAwk;Z=&7;xd?aS@#I;OyRY6!L>u+>-Q9VE_b9ypwvv^?Cp;1SS`Y z$yB@?j8TkEoY3f|%H-i%u&)BY` zMw|5=%cfO(9c3;s_d^%lWBt_HDy@^~0I z5!km^a?nkviZ#vr%FEmVywyBBmD9G@U7roY?x)&*|FS=@u54hjM2G``&goNc9MIxR z62ikls6naKM*izfMXJOze^P)yvw`o@Ts;GWzrl&ur$JAVy2e-1m_A2ePij)GN7 zT|HZ4DcWe=*;;SKPqMC~DMvK4=MnTHvw7^D;;y0ez$}gP&*Gu)5p1AueQLCE?w(SH6-G^~RDA z4xmk@8ql$`Mn#PxfxObC3RE%vUc^K^qlZd16*pT?4o|cCdG)F_9Ey50dNJ??hxFxiQSmW#Wugg?5}70r$sX^F)mYbm1bXVqM9%Pg$9o+;JsFc|@Ec z>5W$^kO4M7`^?v78*w+odAt{gNiu^9h~VLPIHr|iKT3Fs4I(cP*P%J&tSzgJG?h^yRY9D+kU{gL5dR zB=R!^$i%`Hq3>c3jC4P8hP+7czT!b2;I!^k`BAkv=2(n;20QF~8Q2@m>7n3 z=Z(CHf1J_cHs_bnvkmQRvx|54F-0tY)WZNNKSU62)bwL9_iAPM0KiVbwI;mqp5lqV zR3dB7ml@rJ(1J(K3rk{GN-amPJWx2+&~sn-^{bl~Jf=0+NW?NA8rntN`p%C}&n&AK z0nT`oTJ`zG(p)kxN7XB#%ahjNgHC1jv?cZ{f0d-66U8GvKI{qY-dbOz0Qrd5H3X`g z+WYb`{o8VhvI2XRZ4~lyRJ;;Wzy#v2R@(HdJ>>=Y;ZW8=mx$7d`3+z`K~m9kVM!A6 zvuc3C$&D3B)NjaI!MKb15h-te*()LSsZI8a#CpA-R}TTh^-)7H65b1OBi+2<-=Aw& ze~i4HT^!q6|NGF@FL<%Q%X6S2XF+u4rsSqP7)Po4wpxfp$Ac62&-OxHzgjFlO(Tf8(P> z{QSfg=!oOKV!HtyCE*qK$>_P;#t!v1Z`}{;+PTIJN_josnn;7d42B3wt|P~cKu`%B zmQ287rPB~gt|d%xuzdVeTkf{;mHCcfZnk^u!iLpNVyBax)%>(^rcod;g93t*OMCaD zAgF{*wS2EMHs*;i!NJV8ho$iff6X#~dbm|t%Eb8(>Jzz*p3$8D(ASLn!RSwifVTnd zc8`*8d((##qDHceH^gr(mhg#Dm4Dnbku7QAxxx`Ppp|$_U*V$wp`jbXVFJ%j38-~e z93u^{%ljedKvB~~yik$*@KH<>X+5Ij?wSrX|G7~(8M*$B@6P}QO_YAQf9{E0T@h^sB? z6!N1m*=(I;bc9tb-KG2O`cVfTJrg3;1ZcNoOec>;(14)X(6Fvr`ij?42-5_~9}f&D zuf`O#R-ju}C(1s(Rhn9^e`;uV5uv<|1H2_t4N&NJTDpPChbWF~6OIzer#5i-h*?5R z#I7<&3@}X)*WGzhUan*XOcTGUQoQTWgh&Np2qMVeBa}fax+^w?)%Pm))Vux>zk4>A zHQ1b(@!{ze;`xD}Xq8*zD!-Y?ZTpP+e4N)&sH?Cd@&uJNLzD>eZ^NYcW!vPm<$6p*0Ed!MO5MDsL-L`hH zG#m*`3mevTa0gq@M=c_zi*K;s)Nb^CeLah-4* zdm{rP^%X{nCh~a1e+S&;I8R%vj;utyW2?p`4)gcLR~W|&zqa9cAd%bo8TGkBuusCK z9=`_wnt`bX1V7Ne0k{)uxfmH(;b$e{d6;c@Pjhv-EAY%-!TBS?=bU9XQ@oK~x7dB9(SeRe@J%owpLgA5ZN~T=QXf; zcIe$()yAjJ!iM`z{HHBuH{aW1$`cI)CD&tv5aQN!bkq7pka<$nE{kBaVe$6TikMj} zFYzC5$rmXT8iU?j3{G(ikTmbkIGv9nB!KX={OJ(y%jdgb=lU zL@yXydR9Ab#o9{OncZ$!558p5I1T%=uIvwAWRxtlFqRr5WX*|FDa6}Y&!gB3<)l1Lia34;Bi0Tc%WQ&tsw?e zL6hQ`Ru<&A6JV5a_lv-5ZUx!8YwhkQVcj%(EM?wT`nXJru;(uFtI@Bu$c^poQ zf6`7T(C&o%_daM&Bh_nHGTq>8uJ#O5XdKR=60>5S{!unLX->hYv%>sdxDxf7H^oU40!?M1H`TVzu!g$q=!5ysH zSye}!ta=VPwQ=@G^f92{VgP{_%_HzkPOv7Rc} z>5w+xeO+wBfbI_mdWfk`Qr{pa`}e!ejb9MovTt%5ZJJ{IMgu`vkp8%W9xv>qNi& zuAxeC_Y;RF^45A23mem@&z0tpYeMx$R!$d8f7mEvF4|tQ2rgS9dof)DpQgUEuJm$} z7><~F2DICe_ic*;pf2{U-n2>CFZDlnVwEn0xNFF<19{e=7@YP*{U_v|e~v`jIBO9O z4glh!OTFPrc&mX9F(n4nSbW*%SS1{vVOr!QND;48eJ&bS6N8;-bsP4avrIzF7|}(p z@e|tMdNhx>nkULbaPNN$Q7#4y12SJq+T1(5+3U*-Z4O?~)hYj(-?a1w-8HNGO`OZ2 zK0nCj&{zLl@1fb(dzVl7fBg8y+_h`vFduUnvZ?v`aJt!xKJB&s_YYxRn;V)~TbhF~ z#YftFklBN`yFG2*Npa9oA~<475@@%(DBdE*Ncv7sY;1&`4mH_z{JJo`A^~;p&&V?o zx}M%aKC5F+LQb8#CksK6&L(755B#p795Dh2Y(sH?MRG8K+@4zHf1AOi>94w;%43-Kx1<#jU|b#b7;Si#8Wq^r<(PNx`t^ z4^yjcvN!ppi<{Q82aRWc4y-So2>eMwsiWAUhh>mo*p}Z5z9HB6)uub_`hTahI4Mnq zn07CCp-6vje~qhTSVETd|LC3^4{P=O@PQ&YM&hjmICVZ+47y@C?rnJI`M8T7RPY>d2f`|m3OR4BAx zAO-9@8T`EN{i0b)lB@5-MYIcc5*8hVM42?8nAbl>()EE&i7_uSZk#p zpI$Tb@D|wV;Z$(QrgWKBn`5ard%bh2kFD#%cTcSE>Jty^*L0rArfI!-VtrC;$v>kH z0?#QSe<-AJYLYGw>w=cb*`#2*_cb)f7e7NkO?jOcPJw018r=~BBQpnG3~w2 zh9>-3PXSN~ed>*vq^i3_fDB1&o#!)Y{3tQOla=?A$mm4*9 z)+B(+8f>m%KEL~=qx8-7^V64s^s($pe?;)`+c>6`YdvWuHsD?TVle>|!4uWC-o&=Z?=gO;C9 z*7owp68YzYlEXZp+>!ragZVYS(}B~4-OTszT~c3FYFwMkU&pkeKwu37nyLVhi2_gn z=)-0Lt(OMdy|a32^Uq@qe>r~NgkJs$=N=LiE^QZ!%PohI=0?l-$07uG5O78u%gU%v zj8A|NVmGI*b=gb+mnLC1vYE7_4I6;6;IWIZA-JIrLOsmBo`tYP@e zf)}7o9=3n#Nt^yy4LA$%HXGWu{@&lrid}66v63k1Qq<~4Xo)V)e>_bQck=Kp{j?|y z0%zPYg2u=uNk2;c2o!R7mY`9MYQ9?gCJ$EU?Xa%k5ArEpx>Kr$0&EL?a_>hwaNq!M zp<0cMIzms0Srn% zvo(sL%4foH*HCky{OR}XaefdIj;-0Y7*Zi~kmSlp@#ON_21}(>D7I|4t2X5{lzTtD zn?RzUH1@oXzrgz0o>q^vDr$TZt z|E0~!<31|af2Xeo#57zKnpZ0emU<=2_#s~4=1+4g%(3|CvDxn ziuwJA^5)^B$aalcZ5oKl>V@r-WwF3(sK*$ItHoZ@_Xweq!#r$m`94+if9?2TJz?@v zrGHj?p{i=K`ym)kas*ge-ImR}&m z`X&=T$E2X-VFuFZxIz23YGlWvJqR47il!=fB|}Jr3c$Z5R9-k)q(UyFDJ}7-qQ~mL z($b;uf6OOtx%aa39Go{w`qs{B1-CC1gTPTTXsQB^Xc!*K3|d>WFb_NoYJIq8y;-`x z)ND4`Rf?xlgtU>s!}+Xl|*DRav&;p)f0yR%VwV% zv^(97n#zxwn&JTm5p0$l00_FP8Fy-tMjPeae<{|^yy7X>P-OU8jpdcsXjD><0EPW7 zR=e0YUQvdxEqx9==>95tgu6+G<|wGMF5uTG6!ZH$VNn3P3a7MG>LWmVtEVGYosxxqc5KWkqDmIPb`5+|h5=kuEvt8oQ=oE(`CiQzpuIF^-z$DSf6GyHeI z?v~|H(j5xd!^?lwt-Ak-VFg^8#G}TkSwppDl~IYT%;?{C07!?`2s$M1-ObeFg-TJb zD#^j2+Yv4|d_C%6@?f`P@h#TEPayfif0Z0Nhe)H117ADiyr88j5V%YaO;s?@2)l+_ zfLMuE7o&0LcGP@G3*7ZrAN?Wv0z{MO?l=c2${DltO|3a-D(KbFgoD6$HPKWBxnnf4 zspUW+m+z;XPH(*WtNq#KAFDt88x9;rPMc$`jz*{|?oq*pw(?ye0MrgQ zf+7Rh-k=ctAey+dSzs}s=;65Ne{8jxMh8FEA5BRq#7vEb)r!zfzI9XPrk{%{!LaA4 zegb;`*xy!46$1j5H#Y^>`f$6TPs4O-&7Zipvk_qv?Jlm_Mk36Ggo9@r6AWp)ZdX<) zdxEAaC_hhDPJIM44mM~{^}zOXXjSU-AK~s&U>9rSdU#aZ-tv7qj4DDme=%FV;I@qT zF5`zt2jx#wF|O(XnM7Nzcu>k%vo#9jrxIuYHUx=K+qxrA%7T})4wHC-Wf@*H@_q<> z-27>sH=92}@eD<~!-G@w%6FCxB{yDfByTVc{4mCf%Sg7gwn1_C*z)x|tq6juqPlLB z`iZ=r`A0&yYOSAu-gcHUe}n2h)E8s}iF-XO+W~Jv;D^s8GgyRGCZB3OZYiUr9nqcZ z?WCB;cIjBsXsQCnH5&QUTtF~%liIzKmEquidbebsb9JuiE)Q1Vx46nKG!3U`zMLjK zL0)p}>BjPUCjUd24dsl7luot^YWH3mK`LlI`HD5L4%b$5`y`2gf2E8>_C5|DCwJyG zFzk7}pMYLpj`$mdCCET~-(;>hD}3xE?C{%mX!_^el-5IfE0p_e=$IXyYkDqHv1u@ zoFJT4<-UxRA0iz$e}9^abIl9*Orllds=QU4b^iOL;^3FPl>&R-(l2ZrmO%3*%Sz7e zJ0Rs@5v-Q4G3NaW4BFxPi-aO_LCLy@e#KeJs6g}a$DiW=8d#ML<(XxuzgRiHKhn|~ z^(pJ+9Ym@dc2C!*_B@saiYpL)yLMC97fL0}RlBPfz0(;pnAWVF!r)+}BG*Cx*G(XVzk8mw`0LDinsg||5$5m1jF$tZ>D>Rq?%%@Spe|xHb!hsB_@z*YpHIe#qTh9~` zyrQWu4V800OQJQ!KwuIsBPdcR_a8`^L27BuY{@|b#pNej7EUw%BQpFp>O``#xC@8l zaNS=vW%J~5-?D22Q7fwvG={j#8r06gV|(y>>Ve|f@=3`jKG#a@**g*RP&MlKVNdi4 zd2~^Ue-s@e6@g<}3Gm*QN#y{#xx7-(@4$B;f}xwEyJ{-h?W{Mk)`0^0;`+#tBiT91 zlJhY`?R{xzCK){raDREwS$cqBDcE%#NfA0KaX1`WuJ-*Y#bn}}rc{yp=n9qP0 zUCbp1k93EMJsM0o8S(E>XDO$E!2XIW&%Sj!lQML19Om_nAAf`0+8$RHJAl3lZR~jc zVKT#N_nAsZ3ak6u*AM*=;=rKY-cnTzVi{y%Sn#_}&G7TZ9_`U90lb*#f&u`0j=(@S ze`RadFD!>iW76`RiU4Q_tkpQL=173*g>p;^Hgu8uZjIU|c)fTL%>Fma9N}8fTDvqJ z;=c@wa?Wa4-iqHL*Lej3&k+{|bSy4#0gR+>?#r{z^?Ux45@x$S?>{`z!uo|YXk@UC z#w#PA|Ln^X@f5k-*N^-VW;m9WKTK@kf2w9E%NC#Pt}i}wqnISq)-`KdP&kZL@;tea z*RfH<)0DSjnuBpC){)nv8rta?5bzW~0X+#pS3;I_^dLR;iq|||!&w~eK}>PMGpwW; zOjE&BD{*-z6-nira~u5@Tm}HhgV6{&#Lh%cC?{pKG=f}ppR92`s>gjqq7#ngfA>B9 zk5TbXEA24!l9Dgym2xF;EGxZiHt1AkQ8ig-smU?kTb`DN@|q{o(|m)PirA(7n0Utv zk&rxe(^fggK&tZi;FxPD1Bh1RUQnA1sGZyH_m7YGqbL2lB?La3hJ&Z|rfVXhaDa*v zjBaS6W58;Q5rcid2LABq_4WDL-N*LjIRv&8;wPYI8>ROkbqz=wPl~C#f8gG$UGSe2 z^*$Lc8Pf9lSMFwOAMV3&ZIxq5ie2Xvy+oak;25+dc~QX0qHFzX|a^p!Zw(N;O8zWG@`ZzhcqF_i+A^Q`3otTIVjV z)0|GMww!tX!sn2{>bV3M7ayOb_4e69@w*5FLHG7#9S#7|(1`Q)$=LrX4bO1Lk!>I1qSVCfBk0+G0Cc>m~*eTgMQLe?c~?P zu3PeH?Ju#8tRZXE{Z`+5v@1yL^+H$Og3DHaeY?|3X|Oa|Q9!VscU3kgkHf5JmEqi1 z+gjIV=NCf;zp*B|i+f##lEMqtnRGs9P2ZPal>>nt;^A0U`c7>TfQX3PO!mVZ8@~Hb z3R%q7e?Un8wQW22hW?4g*8RJ##|;KsrR`;?f9WxE^z`+K+s(x|G<>I@)H(?&_{S$x za(V(QZg>&8U{;r&AZ>5Xr*qhrQP1roF?`Dq7__@!oc4tuSIv1p>hpBXq2=080gCLN!dXX@PN14%)(e;QwN)MWILQxs3Hdl*bdY~HRo@BF>W z{SVfnpMcGLAK@Ji9hHs9icq=ol^G_)R0Ak~`ds1L1(BTmRE(pqPB**QT3tDJ+=%Bh znw3M#|3iMLbxpTpt!k;75>y_Q5LxcUPrim@DI|`7e~Y7-7shXUowvrEYZ})_7!?0YDiMKH8A3-G zwhR8mZCHK%JxrtEHiI<$gP(w2zDGv|6(C8myEnD_u>Q9a=fIM$_8$X~!rUCr#gCY( zr(DOyJ{sbF;>HCcaPz0>kcJzNplc%a0*6}>qG#?k+05Dw_pvoB8?)+3M|4$Se|4+i zzP0G;*0O)JB_4zj%wPm1&l!IFIRJggxgNnBHdf{9dbrr-lvE%~(2516;nnEkPklD+osD(t$IBDCu-jFR7f1QDjM}#Ul4Y~&{%z?H<`QA+<-W|# zK0??_2a`fmaY@H9YBQo%o6mITe~Rf{H;nHQe11&b`uZVlIx}b)%f%=diDXipL%qFVGk-olf1R?rBoS#b@Ev=VkyC))4mB=U5$O<|m8rMvS=!ATCE=r2 zwa2ln3?kR^&?Fl6a-~K`i-EvpBPhCWa$;sGk4^ zEZlWR6(?Mfx%amwd7c~#zAvl;f&UfKb5EhFrM6YDYnZnn?e-l`e}EJNvfWUbNJi8m znFI{8?BoOeYF__!2Q0wWcw{ty`hK~rzGSV9tsJEXZXzrS2v)a@W8&Uwd`te2Mqp=N z;`#5P_uRFAsSS`Wtt?lsopCQD{HB|9UhKa=U=58U%qj5`(2LGv|H208muRT4^-O6^ zm#rW3t(!8}wD_kAe_K$0Vpctw==O>#p ziqf0OBgo8q;rLjm^8ji>Z94_ma2qU}0wj@zlqS-tJHVh_e>8V7h@Eb0S6dP)VLm5! zu>d(^d+hTsMNYecSlc;@{g;zFzfbQ(+d$h0bF%yd^aNJf@>U=eN)GR|xjB3?Jd)t_ zSPSlflH(;AT8hX|Ka7x9Y8Ddzhg2Ti?(p~5sRy$4zq74r)nD&)ps-b?Gm1AMa3SG< zZqixpRz+dLg*7DAIs((U$-#_E8@rj3hoYX^~ zc5_8RW@*41kAHYU38ry51+X;Qrg}as#y)a%?f^-o1y(n6j>| z?-92ZZ^~Yq&ARTLaaKNf3^)8toe}Xh+Ib(9cF!O|9O}k59jptJ>z})|M3ynqbbFqWuHcg+wP&A5htdb zzQy~+9uXtb1)yHCq5y>&pR~eSbXKFKL+v~NNxmjp$dhxt2QUA~Cv$~jqByxUgHa5Wvmle)o_ifgZDAwJgKp zh~)IqR9t(|poSU1HviQ6a@oRKyxw+2I1Sc%X+Y$cdfH2Bo~!2?KV8DfP*A8=qh?Xg z<4^C=>5ewt+e|loIzINDe-67_S#GJ_dwATGoO?v}uUl0^5~_v0x9b$7X z4SvklIIDE)=mYb@xMuOaaO}k~JPQ4w)aI>N=R#}U#T)L!l73Z5`u9qIuG{Koe}Dvn z!p?1~n?4;|P+QGf&J67TiRYA|Me_`AO7twq`F6k6ze)|5OzmvJ8o2^d9F-7h5fwV* z%p>5)HDGRigSFv9qo2vzU-3q6Eq5Q7=Gyy6nZ#H63Fyt>lK5oePUszZg}U0!>2g_Z zVk+Cr1StosA%gI4NqF<@AQHF_e=3{{FIh=t!(@lt46#ovTf>Q8j|>{0ZdSWXHL%@# znTX8}#h?PJ-Oi$atm~V+wJq{fV860BjG!?Ndrbz;DC!o&*iC_3`vutx1i2pStzp<~ z-7}n#jB}9L8pg88%Ssak=B-cohw=Tl{QGW7VMrl!rVXRO{KpmrSJ0 zQ!r70E8$pH-d$x{xd!;^f1ltrN;6?ngDApKE&{82DWj>@UA~Z)Tr}m||)cPYpKI-Z#l7i{M1v#m%4Y%}>br z2Rz1qW`QAu*?LmBGqCkG_|DeKPBwqYORfU%I;%Hb;S8uI-27=Gf9}++Ja(SvzlUxR z$AK2slb?*cgi~T2@dLWwIvvAYy}ML{7AKu9@B*sUn5iwOhSZ`p3 zg%;LQV1}ak)=TcVDSebxR9sWZBG~>in8#Igw51a%&4j|C?^-{~$zJikBZe>>c~9T>D@MXIa~kj9ofzUQTjM5|=!sr{GBG_(>iSNmO9wcGMU z6(O}u7wA1vQGmiHy_Zn>t%+($N_swsSn1R`&-fiREG00iW#N>e53w}En-CbVbmI|` zoHm+@YkuWzUG+F##@MxMe%BsJ-`4=TxsR)O=^`;n_0#B0e?F{_NRzl(4(!HVmmTeIS8HD>CG z7bB5V@x_yTvL-}Z?qvgKFR;SFG>mp5oH0u#MRI+63?lBKoIv^0y}8kHjbJCIl;zQh z7K)#qsB`-Ie<{nyji+8%VsGeF6N0?8EjAy{j6|OW`c7!vns0fK+y>QZWYiTwA(2Kc z#hq~mU$|(*OpTmJ@0($LxDu%65LnIeo$9ZzT&HscSixG2nW~Ju*NL@i&7TYoS#Pa+ zD_IoL5-$I_P*4NWB=8FzrX~oSmE*-cd~wsANKPG1f5p{V{kFOnnEg^_?md3J;oNrh zTx&Tr{1(<|Ip_p-Z|#+AzK~;nS7q=BdoNS?8$SU(y4OTz45%;2hNxxz)fsJ3W*G}u z7545T4XijOGM1n4$Y}UjF#T?z7$k$$2pVHHF0KCpgDAr>Yev32*Q};zz$Qg7Tam@Z zvr-!-e-!eAIAs|!LkUiZV_7K;W&9xr9C+IqXSrH$1!JQ5)2d0v^@zV`8A0feeJB3i z)!Ka*^J6Kp|4*=b7+YT%@AKb7Y~wfIW4+=P83oVGm}2A8tzch~`SzZ5I(HzGyeNR( z`z?qcV-Q_T_$18I~9h2(z7r67ueF(k2fRVp0TL6UVYrgPnQf6ZFTpxWGoXtQQH zf8`vuj|$G?qo8}asN;aM=NTVJKq$M$f0kgjV%MV>2No$rw;BUCe zuY1}LV=46$(2L8XuXuBHgJIJeb&if$f0S7x62{hw-@w1U`W?56y3MEv{S8lN-al+~ z3Y3OqFdIQ*3_7LttWhbQl@fyRaXQnoaAT1Fe`L~S zGPoi~Uuug#!qSUv#eGFc!FLv~NdIgrcr)=Hi=w4m6v6`-v|AofY#Jb|bm&LEf9!_F z_4>YOGalH$`wOtZVs%p!m#YeCT~Wz*5UFLrpj{?s2$~M+bl`Mgy-9pYt*5+D){5k> zaCDH`;+-#XvQ1Ouh9Wa#a^rW9z*~q`BjXdE=_k5VQ@P$>0|WAxRYoPMM>y|@{&fxB zgaET7B7Z~QtktrLJBZXoV9;(pe?K_qCDcly_TFJrxWHNT2|4aM>5G5Wh)GtfQ52`g z;><1q%QxQ=$tj|#xQbswzKme1AE*Sci4q1?4A?;a70XJZgzIuqIbMt2C;L|_>1xn>!lD3$EDaz8zV+kf$qi^7xtmqj6j=Yx!@t@) zk*NH5pq|EVXmDJa{6BQWgm%pyJb&24HPAZ^P7R^6#_lFOsO$xT<+G@zcEipZel35w z7z7_MXxA1cpGpYw5j*0;EIO}U`Tjq2Bsn}wFmwVH8)Um-a8+d-%Swkq8IAk61(YY8 zm?g5-#|k~N|0*sP-BVt;?<4Ot|CzXfI{$u#0-O?qW#k!qz(73?Ti=hnj(>|y|3l=h zZlEa@iNB%OK&}+P%`=@fw>80otRNm)wYLp zGpH9<6rhlG4{FEGk@vD?bN#eD$ko)@&_-MZ2f#|+=H(k($)W=H5GQq*ZC;s zh9t8TvK0%O5UET(zs9F`b@`M!YC=zf>3y8QQEF(af_IvP>WZjL&qXtj((4VC`=3jA zPoxL2s)z;tdFaD>crB6j%oz{av_`B=%u?kipx1`aQ2T#eU3oavUzcGa0z`ic2SnX8 z>euc=e3v!TOsO-ZKHet94`D>-vrzxD*!T{Ma@(i)SaNu37|?^TL5IAtf`pB9#7?&` z?v9+0u{3k&}OHNYPIg1I9o8 zPl{*TO2vq)?unm;bTMmlll&$_#@?kS+zCY5nuFgDwn`f^DDMZPnCXQqjO4-!G}ZV=qoO}TGc zLV4_jQeu|#UnlwnkbX^b!o4K0!Uk6_{C7;YqB8CBecDGZ=`hAnv>7}kn9rl7P40ks zNv~x1AIRQ9GHQRlg>h@Uzt`yIEOhIbmg%*z!Fo|d&!BW^+i!xax@ZY8C<=MOlYvd9 zEz7Ue=d|#v!BhE*{{b^73i}i{dXJN>310J^Yk)*(7v*bREMv~c=hXUFQI5(I_kFUJ zD)*INo&1-Q^oDe_Ee>76CRu1eaJ}N>4w!tsn=;oadf0!Ah zxIf{+|6{6gFOrw<*L8)=dplXDdvo zlDzK{w)uZ8M;q42WyIY*oDjDj61-H_3wM8r;E=S$tb^Ffx@L2k^uJ7v8WrD6Mioq& z@8GAgEgY@@HvvLExciJw-EukE$jBlqI@iy0Kgy1U!{RuoDBm9;3VkObplR(iIbcJZ z7bsw&_?=eQvN}lgkf~<>oqw4kqzNmh6U8?5PSJm#dPM)3miIGK%=8u&C)y5JeX7~C zZ5-~s=R(C6*2BI+avRVLA2@<234smaE&@bT$1>(Tq@&i7JE8~P7Z>62%JiRx__mhucF zL*;){8rH;QbBs~)6LNlZZg+j}!J`J@f0;@)LRb*@M@acGMjtg&KN4KVrLesB#Ci)+ z>bZhm9L7QQr1o4mA+IM2UCwXwiL3$={u6{AZPce;2GPAKceFm-p4q%<_- zOceUykj{z!v-Dt-phH<`Hl+mrEkF0W%bb5iQM3(<-TK$ke>gp8Bg%YMAeri4`8{a3 zcerR!iv9oOw={r=PlHrJ80JsitR#sp0XY)bbX9c6QBqzEbej;czP$(Yy+^hMHeJ=m zKg7I{=X!jR0a(ZGlt=v?q=uDFDHzb*XVace)M1i*nc;DFx|tyXC6rPMUwN zyvSdFiw$EL7pc$*u-Gl*t_thpetaA*=-uyE`&8HA)TV`Z5%=eOqh(Pd5W||7FZ@;z z-peji-_;hoa12!#JOlaLn~kL1;|`OH)2*-fUskyION6aak{W=uZxYSSGyP;0eoIk4 z@?Tt#9oXRA?Xo=9d}s- z%bm2n?N_`1yqZaA`)|$&sEbG}o?=t^ACD>{Zi`sDBB`^Tbw)5^NI0M8*zuE7&@aZv zOeZn!j-^kXrR?L1PDZw;*T1K|CeIS z4ucJmu~DO9rGFS36y2M_-9x0UNw66)lv!A7{$&$rxje2;X)$~)0U%huQXw^pLrpE0 zUZaSNIZ2mZ`9H=od=Lsm#uk6yZ124=;~+i8gg->FX_QOi&nNQjnbj5lSYY@`dkjL5 zK%snQOH;222SnMRETXXlLWl=8)Tl{+YTgb)sq0XV=dGv6Vet?BX z!;;J2@u`~PTA8$e8#ca!?ef?l4#MdJ{5qExC}3-LlkN^~>~2cS+Wl~EXGfc#ot-RS zR3}LH&@cEA<>Q7#Kw*Cnv3Om2Yg@;RN1-st`VYA?iTw;7 z+bsz@V)v?8%I|*EJWj7TAiI{$y#4+M$2TQWs@bSFDumTQKRn`pox^wBj)6 z_9aV*!ORL+=rtBHE?mF;INW|mqbfkHPo3C($BYYQOlm(0izwKjCcp~y|(UUWRVk{Yf)~i zpRo}o_~%?VC(&|fRvEeYSx%}G&-I^F3tJ(Y(?lc|#xlD>1zQL5Z`n%zJDkID$ZohZfqv6sppo`#fDzBa}(=5+m{HswXd#mdAI zRn}`D!;mSzZOyUzC6)^aJUxcXy1 zpoeSy96(&PZ&`=WNaAn;KGEj|3b=ZJ7;almwo+ExK3AJQux_M#*RPQO$Kgw;V|Y6; z=Xb|yz3zXXaymav%bSiAGnJa<$b12)ZnRR$30U7gNcb`m@z)`{Nq1gyMK%6MEsh~q z8pC0qUjG*Unc#HHSgW7Y82Z`S5VuIkRsYtNQEEZi2d4oe;=;vim12);>XVM&(mbc_ zbM+?h=CI9kEi!19hLYqNZ$Rdxx9;{BUBRy_w=#c2e)7G%sP&W(ybV;mok0=FQs=z& z>k}&F$3j;-*>#SsFi;^YzcnN}H+OH+(m>N-Dfu5kwhwjAOU#R^t7dHoNA&UjaUisY zOQT_G0ai<)r@|y9%p>dHz!`xa#DlI|udjoISezd%1+(jHi@Ir??l|AUb?mI(U|ikP zu3vw_*BXRx-6txogFvh3DiF$xSnqS9NI5U^N#3*5;_nl-4B9VRh>Sm3i(?qMwp{j4 zb>TDzVqij*SUB?YT35Z!sF3hSYkr0s)}vb^>T__j0!}GnKHW4*g$_#w)BGx-d6Rm_wTu!JoVu815%3MPc^t% z9ZuY1Rry-nVVoAQgc$U9fCb+Z+kNogqxklu)6e|lh-oo4W8B1L2R1E>#3C>0joXEr zsg6Ul)jWY}(-vZrO#iYL7a=LpnR>I1PyhZ6x;TZRJG4 z{&=cb&RNm$7eeMP2qU6>{Lxw7^b(_j!bL*3R{W<9DTqfXrBVM^>!mRl)&+aa9rY3^ zW_r7u#^D#mndE+3yLzt6jyt~_-JXAg{&?RX4_Ol)+HryH*ZVSp`zWo0cPjg)39SiYmYvwpNRbQj6*uQzoW!Ob;uD%ne>SK=UkTHJ@_@803 z;b$rsFpevqVw@-`{}@J>Z$%bi5!+i)Nh0!yC!ju4mM@CLGK^BtFqP?*mGZxB@H{Fx z(o=|a<0pYHZ|7y(Bp{Kx(Z`$HkC#x;NV8A*V5i5cPp$tTMbj-3Br3zsTOJI^9Q+1z&}=dXe> z+#0oP(k}uD63V$G#3>OrNcq|n%a}7kL1Qk73J>ZfEWu~*Amq7dE*=-AE5}OIYTkv) z%Y5O~4){lOlAe=MgpIjSv1NE0sF2!)q58Px5;tqcGXWNZ#TA;iZpwdskD?_}D+E1N zDRG?USsEHmp^}rezI~89-TTaen(|L^dQg0;gLtiSDqK#USag30^dN49%|E`QqbFdg_`n(*10e!LmnklQ8ig$(2K$V`mlLr*Y=cm5&-&NC zBSi%oZb^_{Zkl5h29U#-Wna~|gP$aVWcuEpTy;p`LHVjlvIW_+@><`4D>8_{!>5sLJg>dW@gG$t#BMW zz^kM03GAFr>}M#q{iu0tdK{3%>1#v96_FR-ZvrQj5(ifAXnr?8&L2`sfutc8hQgGg zo%r^c5te-^9cO=6KbW;XHMs*OUUMin#TR<=!t(R z?LJ=6By5kh;DH_S(v+XW5@Ha2T0o%ZLX z$6W&8&5Z_gLLSPM_neQug^l~9v@1mtpq3e`zxU$?)5bJmm5+lFQFtum4w#uP?TdOe zlHIQPP6K~N7lYLRFCQcO7~hkm4#DsAeV*0|X?NOd8P4uJ)YNpF%ZZjnfk5a{8s3-C zdyvzNdtx;=FQPok((4}59Tz?`c?iB+?L%s)gI`dwrz4CL=%&pJ%raNE(WOR}rJLEj zspnc+NQe{A_Bw7u`$o0vyp<~&?l0u)-jh9Ac9MVWFG5|F+ntxAZ{fa31>7qNL6cll zH!Wr{fJua~#^xt&x5J4G)EUW0G1GN>{tqGGU7Hqxz+g3?H)2mi(OwwxrzS3-lpOcq z+>_<{@Wp3~jAS4h0$4~@xe>;9`CgqQfusI7W9CIk#sZV$if6`4_`ThoptKz8%-lpyrmXISocr@ZLqKFQVS#WUweC zQp^-kq_I*vYT0p2uIFm6+z)><#NqI#Lvq-BPdkmhy>?I8``y%sWd3!eDOgtz%b1fH z6JtOJdc-`^s}g++H@&5hspT#O{gc*<>=b{gDWry;(!6lK%*I;t_&x^-M7EX;5!M9J z3ZLoYInEGu)o?RkMjEezO7Za&n+E7p9~DwFfgXfjHo80$Mu7N?d?J)x`;3e6Ih}eL z70lq{Tq7b;>h%NQiL*Mc!qqRNUwGwW)ElIjsTBq7BVN?!0i}5Udnh@i13?Au6 z5r|nibz@UN_~GKc%zCb+@8xCVPhP0~u?~0lo=fpRE_B||K8CS4@F6fbnDS{rI z_d`{4yu!MU?`Lxq{%Lsoh^6CfYr22BU((n6F>v>K^b>+KKI>}?UI+PJ8HoGj%Rg)9 zieE#)=GoOr3abS@Wf@6u-Ei3xrCP``WKs!&Kc_&C@|&7|*1L`ikEyz1XifK~z~T1a z{fROtz5%8CNqeRT#jbu~y?i1UqcV|VrkOFcZcuWI*o1pIo<6lM*ZcqAx)6WL-A4_= zE@6JvPRnAS>2~;{GzuxuqnTzFKe>hT{)_umWV5gOd9xKG^tTOar*2%at#-4Q>Nr^X z9ud{T@c_65F|6S>62D$Y{rk6Er&C|LOL-XQh=}F)5?R?H=Y*SSB#QRn#OZ5}Yc1D) zSQs<;$j^LMI#KTr2a!8qz9tZZj) z1d+8oq?qZqT3SycMow9`ncM#I_JIDQ?8jTA6GrSbZ24kD;ajz45c7a682SQc31N8G z_*l)v@_V4XtZ5{9f`T5>-=bB~!!mygbvFh}M_@zt zs0u2>%=}vVoQN%bq&_;B)()~jKq=WaqJ=+iYpEZiYXJd`femYFKNqU$&`JLED0lKo zK`-9xU6lPI(ET#>xVo)r*%ZBgu@4Qzot96}N*6FMsDA_h2J|2(88m-86AbElk3s${ zkCP9vtM55k%Ub%Y z$3}<@mZ&2;7*ITW$d)0NQD}6GQZ@qHUYI-SE^w;q*NzKmABv8R&`x3^K@kY zT3pwxkT38b2tE2<&$RLugy6Cwit|m*B=*NyS5T0=8u((~cpra#fx{V;*s0i)v*)I1 zRLrrALR&PqVgA_B&Qp)eV}?Y0cKX2c$5+7c8Q`A8LCai%9`4(QTzZ+tCv(qb+7}ls zAq?4LE9!cd^-f?7Mcuzk+Ts6|(##gQ#YLZwFJJj`vlsG;m!ii=BU) zV)*I#aqR|n*|zsJ?w)<+8e9C{IN1=pBG7#IK(`z7O@K-lA z%nUVhY0GBmikQW=LT_clqyH2&U>KyB>C(w4Un{`nse0>X<{97K`B%c4=#FpP$JiWm zcb9*nx~|K6dMAsO+*k6Wp%J+QrZHCED&`ykwiCCwU6e%ZNiTYK+>;&*nUgHy#)l;c z?}hfa$#r{h{P&*f?a_;yE5ydk5h`iC*|>OB++W;fe1-39OZcD7*y=d=?<0B40#yTb z24S1ERDu;Vlrj~#VQ=9%oSUr3PSK25Kp20C+%#lRdb}TZ!oG6Nfh{ABz#S4PmdFZ= zdV|GZa@;cSt6rRu-(9sW)!@;8I7;*9?MwN%UDe%`Gjgeuss{lq;{yHX{(1hAR97_V zb+^o6e_>j026X&}p@Z&Cr4M@gY7l&$Gtwc2KIzfWF~wwT>VFnZ%dJnFLPP!jc}{=y z9^1JZ^hU!4OhEhmMFELm5KUenmF~mO`bxN954T_Lwq?I&zKmq5omF{8a*#Q2H_c6K z^i;ft3s|NKKQ-NBHUR>6fzYF0$x&+{CC6>m2)7~=d*JPv+*`TB9LLZ_)$-TAqEe?f zpi>;4sV`g~2$v*xz#zEe5EP&y)}Mb-i-q$!Rp>1r3Pw2O&zUnfSw@#!O~F>aV!LSO zSxpPGgruJWf8=Rjz0(%+p)zr?g=IGbfX6*a`2WK(uYKNt;W`D|dZ3j!O~Op^n*AZu$+EcW-S zCVihPS1y0skPFgS)XbmpCrN*jODJy#zfm7xCtG46Hu*M~!2%Bg@5+-qNczBGdMM@l zBl>NjGAk7yB=*F*GmqVDR6Ze_Jm&$)=GjbV7<~KqSFHvT>jyEcc|ZYthLl$=&wH9r zL@!n>1~6%7mmYgeKC0a(jWN;b?VgWQ%GdW^3kW|2K>IpaMhyX|ik^RE-Itd2^7^AU zj&01h3zx=78~wYuT-`k^{e8XkR+(jB;Z*lk-^#EoG**wdg9iN+$7g=SopkdE1HuF zKcRvmLsd~3)=Yzd2UO*iVWv*-dV8oad6)KyTHZ{zga`iQEO^P!sPtG|wI+NMA3Fmg~lmt0;mi zZ^rM}$Xm2|$*zA?6l+$>%&&wdlkCSI8$Q0Hlq@ydu-ACUVqtn(EmjcZQw9VsgC{$$v(C+z;$W9AN8jPD>t$;iSZQ!j*v zCpQDhgTN?I++I^}#9gTHu<>)AreUCbO2ZnP)yHC}#}GmoA9Qk)s4QPwejKZ(`-jJ5 zBSh5$(PDpWib2JjBNo{$A)E5>T}~7i#qO1R3!`aI$LToRX6F`E@|TWJ^lL+$?o{wT zXQftKBK_`gf3eAHO!*B?I4lw=X38qI3FUnYw{@GcS@gStf1|Cr%{F)5q9`FG=oqxZ z=VvKq;@ka4r0v$WWZBj~4xbp~f#dwZhBbRF4T5EDx1ojZc2$!EG2fs(;aiBE?`v&F|N~B44)& znxv|Hh#(%JloVjJG@$J0U5qXy@a#%ySkr%9J9QuUMAPSOZMNj`sdX*I1P}iV;XfW# z^d6{`MJJbh-H7+}(ww{fb?w_lIPMh%dQ|Rboga798?4y9Dzi2Ld3?nQrNmiLNt#)A zQgr`CE9p7eURxu_fnUEkd)He`%6!PH-6eR-gs(d}uc*o-NRQBSq>nVfR?_OJx`lLSc<~><7UA2}4 zdc${$&&>+m2SA>DmXKam-Z*L%C0u`TC~MAC?V`CwSCm>V)lmY)n}QXd+V7Gvio|9$ zr3f7|co*nFJil}81^gC>-dD09nW4(7N_y9&PC6p?W5PEQJuWT;uB+0wM$R!At!&wX z`b4Q`ngIe^)8z#=@lSdJHVnV#7MLYhRM*RQhNQh~Ol*V;@Fc+X>u^$EgC~FSby0uN zY)oz*2M0X$GPwih8!yYvR2iU65R;qSTjk}HfVkt4$#*=uiUue=%U9_+SFHAO9b8_% zw#;RJNd*8srZTMgmFB{UT7fhV$rch;IsmGhtpZLc#p9taDcD3aov>(Eh~P+Zs`qm` zYH~mkVpv1>d0G(QCZy{w(=UHqW|;y1k$wE2^lfeR<2hX~q3(#umg-aW*N9^Yy*x`_ zWfa0Fq4k$6A#rb8!$G$%EqyO9n@v37KVrV~WHcasBc}9+KPf+Wtz@~mJnu8G17d^C zsvSJ9jeMP!46wsf?*KiB@RzPas2)i3pwzooDeSzT`MQ-u= zXdTPtWFv0gG$j(-2!;IqLfW-9)kB%`w0-9$ zN{6#T!mjZY%1F2~;j|lF3x;oj?5hUNcj(++sV4!#!an8Rg>=-U9j^oX3yMiD_vbfe z>&)7>Z-fvhX&Qglh^h9wfWNAwZU`)_pFLHrdH(X);5bX2u`WE4gqvRL;@YS87|!lI zT)O^ce{IBg{l+aSK|uh-2(yIrlIbeb@Vtu|8a>#MotSkGO> z7K7-v61N|&*}0#9&|tJhWqz=})09LJVufs0TiPziQxcpM8HA3R74-8u|D)KY2|R<%A`ZQZKs- z?3~%FkOVYG%IeT)iuABEdi~cqa&n-BaDsA*)2Z!}ux++`yep|Xx(k~=hB2g8EYGmJ! zPz--H`8iJcRRznKqqxMXnmP>>3V$tq+!d!TvrZ)=w;7RU&~`j}_7l-vt!wINVD8Tq zJFtB*2nm7slc6RF{PqrXg1_qGVr(=SJ!cqx4-DH5{1<*H`{VIIQ)5`(0xo1*nUAN7 zSS+WSnTjTO5-ej5ND&Gg&4?Y;d4Z)}U3h<_|DOyA*=W%dN5a+f((Oj|r%W$MeaRA3 zq&xMuoC>ixz7qj$vd=#*GK?7y)h8cKF}`Y&x{-zO8EECVehu-hZ@X_gGB@VIN)CLY z&I=S!=L6kH; zfY77H?-t@g#ykl0cs+Mb8>QU#xtIIT=Y5LUhPp~`|1nDsVD@bGS{CAYb5vZ#fv|0< zhD7e;$wDZGS2~;(a?<`O z6G(>Ah8WhwcN~m< z4{g%Yx&no@-ynCu(2sdtMa5E39j-%a>(%aNwm1+xi`Dh9{Cr$-DuFEr)Y- zG5c;oemNVC4{S0%p9e$j-XXL@x;R&Rt3Xf*0tOg*c7%my7Y%zGSpUCI)kJjh5XD$ zL!3nF%?K_yOqSdMvu1zM3Q#=kbCS`u+;&snxqiph`FJS!FQ8C9zrug90|^9u!YPLj z?3y<@@RR*LpVI*pku3G3Vadfm@+L)^ywm1d&$$jA(kWD=QX7yaM z4-tx91w&P|v5Z0u`IHIpJ3y8BQUOlq4r=0uATvP>V*y@Y=gs#JX83M4SB4mB*djit^p zL_vb|#oi%UuOs2cKo8G-?fU{)|>fOH-pbnf?lIW<45C6*5q zR3{MtsDmyqP__6e2ai@c_FdU~7D-53M5A-1D1T$ZQyEqBBFofl1;sybWe}3Wh*JN<_o=a(kRutyu z+wS8tzpMd}HbY*ZYK8w8k5(S`heB2;%gw}|;(7G1ok<2$o;nhsoS}bH?3HjQ+YnVb z@AH3@Wklc2h8d28+fblK`Av+2sp~Hh0B3Ckr$(9Un46E9(?Z}A&LfKgqxySY%;XmU z7vnELWb?i=XUH!#0L0H}2{DM*zWoe-7g%-E6n@I=Y^-kiJ+PQ6D=L6w6s}aeHZ6;g z2hXX{{Z*KSMoAePRSWI{^n%}eQvvspZ78tpu_s`uTDWE)l# z8%cvhe)y??NZaS>ew$yjLN2}P1Vc%8_?!R*Sna2H{!+qDkp>mRQ9O``2m;U3zqY5ME%)AgDl_8i=(&~TL z*p7--e@&Zkm8uORY+;p-wr+T$0uruAfga5?Hu9j(FtD8X;l_9+6(qm9(Ga(j6XI4lGyX8QVe(<`_>!8_$Lum4hN=B;jHt{lxq z7b0Xyj*l1R)?3c(ecs{bc5m3;(|LcVSLgINr=T#cyW|cS2!nw=Xol|cCo!wrOqa(7 zeR$;2#o`MjY-!EV=juJnUDNj9`!m|zW@@J4R&$6O6b8M6WfZdN{-u^02h?4Q=z6MD z9h9l`@gVeP@n$|qh?HoZ<6SDa&?{k8MCp5f-YF_^;hLUhJhLM5__CUs7mk1H{-sHg zlEwIXKhf+J6>lUbN!u0l89wet0Vm($>M9Gif0;8>KL>$tGUNq@4wJ9&EHwZ-nhVns zbE4JCSxO)My5Be@&&Vt{;P(aoF#f^zjD^&UK=>Pb|CFD8-x=)v0zPJlNClCh8VP1o z`JIMKD;MiR#Rir$6XV@8h?Rf6Exu0J$C zO$K}cp+~K{O^QG(lrmy|DoYo#u1}B1ZLKUMFL*0DACK#iI8uCX>fL{f_%Fgj9$zK6 z5fE|!wC_jmfH_F{cEAqD9h~d)ee%lUg+u%6tzuWdUHPHC;~W1Wz$wSO^7=isrF#eC z2BS}V&Dc&sVNg{pqmX`ujVi2|09Mb)JrLvFQw>bf*>R{UnH^I)T8-raKa}}eI+CX; zVHZZ}I~N-2w@kURPfLFefaLVCj0^XSc2xn;emb`31Jlm-Gfa`DnAKppOMfb>pV+$J z(?q|ce0hfM_uN9cV+T@6O}KSVVouacb1t*^#sUu;fwaice{IlLT_b1CYT%FP?%fZH?A`}vv`LG`hwpQ!ce%faxuyP zw_M@|N~vIs+ecDQCCsddryVhkB5G7;KC6#O;tNQAt2mUk#~uX!Q&#bZbjjI%Cvd%8 zz8Ju?+ufBaZ+!IpNfF$&e{F_Er)mUa#Eow_Sk6L7hw^{E76n7W1kzuZIxcEOA}wAx z{3g3*Rg*INIpQcDpy~lXqt%_jGyK(O4_e*_ak#||QbIEvI0(!K zkfKO7Lim3zNul2nt-W=jHL=i{iPSZMQ|q06%d_V2`vuMJ(unY$UVZD!tA7=voI&;@ zTv|J;SlkCgg-$=0U#rgjx6+Q~UC4b$A?Ot@sJHU=?9z0=dRzk~2n=G#3#1w*>)?s9 zz-IKe-(7pZQP9h5m{29Nz;)aj{8PFv&Q9!!xR-xJH&ry_?HmyJ>TN7z&Yk>LZY>W~ zP5Rk2w&mx65z^IXtM2Ynq?c;wS4MLkJsR)gLzIvI*1K1E!5d+3w`~w6vv_lA`C8Ki z0a_g1D3SwP6vM{r-U>XdK~;J9=-pq=JfyAxT*KDpn*>Jw_M(OL^VwXg0Ekh@64HyX zItzc(x{K;hft+FXFjojl#szIUN;~W?Ow&DLCyfqsB{mM?%e#KBuzyIUGZ;ddmcL$_zbn9_R9Dy@Bx(pwO9-GAj)up?i|C^2+*fm!i zP&NjEzY=mdrr~!kgnxnqFJ?QyOUcaT#TWRc+MDnh>s<`l&Dltwm zW8A^L#ma-(jGWrL2g=o7xjsgjzBKIsojm>H+=-J`#=KX$*(U)?=xwAIUmO(nj{AS= ztymiq@r4R2Q^aBggHe9z?odg&urs#rrFUzhtXFbdoqS)1R6(z2PqL_2>{PSb$TgvC zBTgmnf%F&G8TC&K|?)DIjKk;}iyn1LHuwD9`TxTi|<=92ai!nw_n=e}8uIpxp&SE~yxJ2KSr zhgN|I0Yz4J- z2_;_#)$#3eO}gbHtMH*UbhE5gEVL#5!6(J4MH5sx0mtyrw+Bjpi5#JUwNs(YS_Xt! zJ)V{rC>Hq*JX7tzX5w|{yfA+^sVr=_V7J|kw=kxPF~Q}Rx|}ImP_=4Q@h3z527MiU zFA$6bPZ;BJo00`KztwL9U<;^No7ZKiWsVTyDOBC$pbh(L6!uh>`K*F#`ExRIK$f~a za5ng5FBI0UgIY@YY7nu1_hb{NLfF949nGvU*CRKuPhsCv{$TGF3LAeFxau#GKW0k$09 zJ+9iNqc%=hG2rC0;ZLC{4n(%G#11^*Kmee}oT-qwx7w7i;gx?Nab{zmyDif{(eV(u z+X(Yg+v}BSL3T&(KNAY_DngCv#=j~dJnVZ{H$LU*l$^*&Bfpm^kh#SA>uqqN8 z4BFr9tSc}QzhJZUW_6=*PVUZ?-J_4K)xX8IPG$$pR5>NR3WsB6E<4fQEC+!nwBbxb zaW=G9QKsN$>8F28rM6G~L??!cJY0#HH*+j`bDlI%ScAX4!(*Z-_yih}PmReL-R)_O zeMMhOMK}{PKtCe=ksTEX?46CpK-g>w+(m9f-F-)2@ofl!3prDLJV%Gz2$)8BmsdcD4$F zb2=i<3QCYpc(jl4i**R}k91vsv+D1`nihDT5~`vMXA(*>ZhQuB23#FR`0&?+$JbI4 z{QR0%uOD4%W8*-jkx%8X?QDcGoTgxV^ervgBGZ50kB0amh4V>?fv_Ow)d-M`0+2C1bu&s z3|G~P4o~?b6v8XtUsxkw^WbIl$mtOv!prRNZ%r@Q zoY288axV_cSm)F&C;E%C)$$qei1k^;w+~jh;V^M>M@%0-2P^O#YB&3^!g)|Q-@=Q| z`#XYq?7dk5)s-5q!+6F)|E9pFgF=674^k=EAh$Pg@eJ4k6ya_T4ktt10Nd5jy>EWW z1$~F*DZ6h|wJS1a<2r?w#)y2|f^i+n`_@2_%rOsGNM8mG1cQ;dSF zg)h4|d#KL`g4$Sv z0--4?F8U3JYWvQ$H0M8}H)CkAL47br~Y3ArQYeH(w-7VV4csZU$p zQdn^6U*3z}q~}MSQy$^%{=1 zpBU1~5yFdn(VjNYOWF8BXRp2U%9^-o4peF3qV5dTX^>jfDa4K+ObEmWJgE>{4k!%z z92@&%ogq?Y!1D_Sz|eoS_O`_F#<^8E^pIh8RPfuGO#5xU3EZRhrkU2CL*=sXesa+P zAR6lSK-G^?9k3`QA;1?{qhDhc3vDm;i%Fx5xF`#Nx(>FHeyJwlxsg1(McYW!%Ugl2?cM-0lft6kr|I~BPV z9phk=R(Xf82^fDRswI3jCquqB#JG2hL5XhkPdcwj&&TVzFaT*vL_Yvqv@NlmH z04Sf{(9KfupkI_9gA`rMrWKOwdJ3EU#uRykNh~dz7MOqP_B#0A`vY-dyOTXNOsg`% z-!+i%ZJ-}9-D?;KTH#%ajHyi64u|Ae)wGW$eE(4t;E^a}b%>09QZd^Nd3Dw?=x_8n zu9X%p-na1NBt!@UpdV2&wqgZMY{F__G=sA8cc`bR^qax5h1`snSL9q{{=yFqI1)Yr`Z~HjIcWw0TeDw&x_2tZ@x}#N z@G}#Z;wP*P?}vXJ1u0rPd#7@jj$ibr=@{OW+B|<8o{Vs(gz{z}#Z9kM2|EHF)c9PZ zVtwzsJjhdNkO%V*8=4ZS4^y;yrPPuS5BeqqvT6B+mL|$~@;_tl{EJ6k-?8*-N*0)D z%f_#0kd68ZI3{J=puehoT~l-)Z?sLLhK&6+h2Gi%Ow&iVGY&)$Su@ze(_3#)_A*1mD>#)9?(di}>CKP3Yi1)lV~jdw#1 zOcV;RJakxZJgLW|a81q7)DiOWFYPYoq80@fuTn6yCGQ5&>0Q zR<y7651#E1>m!-e`Rf>28X9Yjwc)!->1b z#pB{cv(EVONB-M#rZp1!_Jm?du;qrJqqi)MOHJ^m?GEg^B!@9F_|2xP8?TE#8izsP z7iTWSFBWka_btIou|a6mJ(aJ$jG$hPJ4_c*dhwV9#^-KsF814+cL;9p`L>WEZcs;* zC7@nHvRfN75uQBn+@b+AB4F?9U?OgP8x3p&yN|;<%5rqqd)G8T| z(OQ{dt2Jq6x=`~M19woeF+zfG(O1!4%HL0%WjA-$GNz`c#?-rbIu2xu{<~)uMeo>1 zFmJjDtt^SWWYeLr;GbKN5V7<_VPKMd?2aI1Q!uYtyWKRxuRk+UyoIeN&NR~QV2y~RM8}O1J3q8VH&Yv;sz|dhpO)?9 z^|{vrnc$qp{>Zo~iFuCWH^w~=2(SD(qpeB+ZT{c!qtH1Pd~^vUB<8#{WcV&8aOn%m z&a?vDC)aFs*(m#db;910mY$${ z2yHj5mBk*8r$7-$u;wPBtW~{WsOWid1S9Ffv57b+j6rE%kp(LrcAr-oKgx(J2G@q$ z6tMX?L`9z zuRL;(#~J~4I^*&57x^Y~4VkIntedE1gHKC%M)D`fVfGRGE@38^JaA&0L#-^^&(Z4w zx;`X7QSm}UhLB~Hk9Gfb6y=rUUa@bSfl#3$;snyBnEcQsrp3{3dis@JPVa|?^+%&U ztlaY%$z|WUa|}E8KdQi2#(^mD66YFS2*K@)zA|L!9D_JG)HSdK79Eai_7Mj;p5rqoLGCGp{dz`H zO93~3W$FzCo`^2Y)6Aj#RKBgpzX&=L4Z=Yb#sbjC6$Kwk^(+9I%#pbeTC5F z?4Ru)mQLamc-(Iks07lSZ!Zrj0yhjcPTp$*5#Uj*R97ep%)IHl6H8DdBlEQoojZ^o z12!*?E?z@KWcjG#{`9EBA)uuz2`-#=fG#la)A(v^FYojNIQ%Xz(?yaXbs$!h zUOCu?Lpm}tRJ=5iNQ@)Gj^>y@;j#1si1r+YHOkXM$&*?Qg;i_d+GAbvS} zFQ6I^cE}erB5Kr)Mie-6(mp-hbRMcq)tgNO;J?AkSx5cyvNGcw>g|iAgFoM)>`@`5 z?RYl)OTJrR#V?{F5=FPd3Z=&kmSg~>===EEK>^9$W94bEm)YQiUJ?8+G(1lx3~ss+ zjAVOwiOZyLhO>8St?>BKL%Dy1njTgfJdbS);m0y5Rcl-kE}-94zFil17(d%1PYjI= zm=`!{ES(?9iAdwsev6H~YyG#sjGKDFQx3lL9jkubGrAfm9VPKb{3nGqEnm~`!nmnk z)1HCVqHHX66X0*?Q}0noMAa|`AG}FflF@SW{_ZN-@rG!=fwG5@-8!`9pzAh@<6+eP zbBe{SUjDE4sk%zz!N5Hhe@TwXIzxOC09_~y0VB6=Sx_{nkUL>r{qJDM{E~b!4#&2K zuCjWdN|rroSVC41{_>`n;+sDJn)c*bSEo(?(KUUX5#&+pt|7Z()ncc!`c@e+9 z`9=i{;ez#^xy;Wza;wZRIFzEt3OevGY?Y6R(<{B&k ziMVd&%zj9)lA1kLUXc&`X_jW{K&nv4U{a~S>i(zBy z=XwTlrDDwvRa%+6&e&v4Aos|hi_K0yLc911^5NCl^QYz$y_TGJb0MUOk>)8 zKoisP%t0Hy{8pLQ>5qAS!qf$EBNX+2W|^*aF~G}r4#J|nmR}}k(#;Ngz!d=^@)tnm zTgA;>ylui9OEcxybUmdWR&mo0xzNO4M-1g%i#%*>EMBbVVw+@Mspo6^S)7mVBW~mh zTqt&Vq6u^U(NWlZW;tRpLD)2I6FX$LQuf}VBLA#+dlj*!F%OH|J8MckbUHOLyNf;F zxa$mev|~jLmqU(l^ayp%0Uv!`d2B=cH9^5@B@wuk>`&+Xp!Z;hnM4|oUf<2~&r@kU+mC(+(D^+)J0(o>5MbIyUV_x>9ty+#W0*~0Z zY+2ZXHX`D11Rb7*`Q)3E@I5n14=Q#1^q;}L^^%H%GNEIP#}l2mO{JCtV7nOD2p$gU z0%ODGGEu{+*QMq_jau+NwV*Hqv;X#e{`0m7Q_{}zQrb-p|E^Tz(uErRPL5QjFoX4P zyaX2T&8(AL6W9*Q)xYycTg-o=3fX-u_)M_9AuYEElKZs`^J-nOKf9hQB*&K&?;d4MYniClcZeeA!3dRjw%-j}pV;+J*|Vj%)AC#KD-dgZeP zx95wsZ?@a}CUX#slEaB)MJ@CY?2Q`@2uJJXaU`~Ud!Hv3E(Btqsvjhj7VP$vUMzag z$3~(hXf_v$8SgQ%)e{6 zlD=wwtq(BdPq`J)B&gsG048&?g3IZxv)=N=%;@&{rAxkE^0J-E`@?L%+}?(Wk5ANK z7CE37vycW@(vt5e|P^E?*0vN0U#RUTj$3&(l15687 zc2P(`K&YiIZ={pvNET(FlHOvRlfgq<5oqDq-l5w{T?+v94rTqjZ%w9j;cGhyFd#r|gyff&1W+V2aaB z?2?ENhhd9fW9lAg`|p^THTdZ(a;BV4rdjMy{Z!zcxBi*5+GSO>LD=1`XTu{p?oix=iKgX3IbG^pkfdzP_$}{_vmg)^)6I`DkK?!l#gDaXXq?tg{qECcUZ|`Ny zQr-63q^_E@>XY@V7ggy1ps7ZDUd(+vy|}@Mk2|1MJJWc)d)I6YtFlHl8G4D#GW!Lx zWPmyOf$IKYb{s8j8sZU?fovNPCpghR_cf3!#{)0}D_#)O(vUd=vQ5;Z%__Kt?}Y(rzz) zw=ooxH0DIupVe`U{WiI_6ucxYFkCESLYEwGk-^@b?DHOe4q+j*ey0xBd-9qVxR(o6 z_e)iqUHQVM4uN~Ovu-J?!MnErCrA`jV61=W49X|kH#XO%vxN|LMRreHzz6^~9k&>b zLxMbnk&gG1pohqMZtJ<$78o+)MdkTra+6@)ws>BjxlK@fw&xRHAyO&0y5ej#vQ89z zAPJj(7+`F3p zT*blg3g8g3-UXVxHKm_(0Pnh){~?1(P?5QUelUZ!6wKK0eZek|hhH%KOL5+c#bQ!FFEd@&HuFl7MNk_4tKFM;f0P2h-xBsxw5O7@a?nbKRiLDa>I23n z+SBcq;Q_IvXIGIjX#T&8pMc{j^YKnhl?`31FGfNoOt1?nQwq}I?fwEzjQ&@Ka72n; zyT$#e*ML~C$YbvkBT@{ia9)O)KD{q?p_0{@tzFO$mEG%d$>O!JG1XQT{y^FiB%c<4tw5@1M1lBrpKpvDi2Pw`_= zgZTMplTI??_dv!{yv1HxA6VEEsNx-SIX1Nk7tYjN^j$jq`R8V~%H4sFe!51S5><`JLRRU<2pu{yAxg%T4_$=G3yDY#C> zPosshr&{1=9^kAHDZUE5NxGJ3k0VT)l>4xN!$(uz2W;Fa-`2#apUWo*E@+d>Olx~f ziLwtuJVq8NaM1}EJ!pj0LG3K@lh2!m#u8`s@`JHX0WIuX_f!TY10#M3E1UxUBgj3@ zFK)l2ZDGc3>x=@Qj~zkTbS#n1ShyyiNU2~Z9=v(-FE#U@Y%U+=R|m1*91HsjFOl)3 zg|N0|v`!_dKRyNoJK!)*`j>pI9wF8K@g?QxyBHl78#jrnsbjH?gy+q`mjoH({WzT2 zmUI)82S)H!bDws`GkR`&VUHtzOuxm_mxX)0)WkK-CF*7$KfIlih88cJehq8SXt8Oc zE6y4W608|2{92rlZLfzX*!YuhQW2(0;Bar?L>WKz<-kORw%d<@OV+e!!_dOu_f}Vywd3bd zv(3GH7OyzMDMe9*Bmd+A>7jQlvoF8ZOH$u#`b3jyV@a7ANJrh;hLfU@pn=o|`?Kje ztL2Hd52ge{X=&P}7vMU)(!dhe)XnVaWa&9s{2huYFW1)lN1`k3 z23WAdMrfC6FY&j#FQZ}=Q{}#SKg!o-aH@1Y9R#bm@i|DDiE!TcGCM}~Vwry4$U?n=Cq?~ZxN}PxBs3Hk{-~6a1ELJtN`POYb z91g{OfDK_l;Ymz72?tWZayR~Gx@n;TcSkxdsFfzrb!Y5A(1DpaXkeuvQ=u}0YO+CM zP{T3I-B`p?L?Kr6vP0U>9t2g#ZW$iPusktoJ3Co&XBso#wgV+YrN8Ld%{(oDRZT@= z+Lb15I8(8|+HB`|_k(!N_a%BqqnnL=L_K|i%UW8)1>(k_@2tcU((D;f$bt&?F3Nvoi zd&e+hKf9Y%dYBedp$cbzX$?mMeA*%E=Z+tlwJz9RWjexhSDw!7e4Kjact4XKA8pq? zdn1k@JU>rM@lvLPA=(q>;OQc1RJ9w-B5vjfNO@h}b66KjOd6Ip9hiSgFKd2*MqA%H z5V6LRb>T=50A?jFMi+ol`Aa@N!5twjuEV^}AS`Rb5mU zx8ZrHo>6dbcC^v9mc(igECD||od-ihlu&`bewuTdWD@6oMQA5jRB#wMj7YPvycrud zM4DmymjSLt!G)Cleez&>(AHR@|SF< z)o{ojw!?Y(3>e?vcqx&o`IK#7N`^&vv*eNAI!N-IdmWWimqCbGAeZ?9oum3PTIUX8na8-_|amS#%iJ@ zd(yv^De;b`wY3y34(G=CN)QiKIE`YQ9fxCu9>W;7*d+$s%T>o6s8mOoR`X=nt$(9; z{6jF3p^a9I=5P|YgnPD?SghK`IPJRVG$kqFO-_usT!~&V+^LZR@q!Qk>;5RMim``1 zlp(>dhcAt51FB_eabJuXCqWcksxQmsJJ`imz zz+jDv*H-%7_NBWs|Lx+&3LK8lI>kj~J6wBPzX&jNCFHW?$!L&^8oG?~_!QB`($ca% z2kqyNQmWGle?;{N8{Op%KPAoc2Fmo|D`XJ(_?&{1y=Iq_{ngA)r8C)wLl?fPUssG<=7<;gp|I%Q#1wZnalPSD1xt- zZUg4w`{u5(wL+#(TGCUwHRF;&WPH9=TVA&kjZaH$GJ701VxS((8P4v#*o*Ieh}Tp? zMLX^O57&Iu@0qC-ut_v(tA408MJj=n-%V^EH;QcH*_R9*eq=_Q=tiw@ z+kSESm&rj{qbU&#d$mA{K)#B+e*?=DB|u{!U%3v=#YV&2e$vvZ*Q1PhAbB=+!`8eW zYXKk2_s~1>Xjv3=4>D6IGQcQ4DChK^vg+1jWSJ@@|8X$CIP5ik>_8GdJo8LwT?6*g zwgMG0i)P$u#q`BtnA9OK%& zP~O9)hVVK54%fRgBzvj$;uPBiT2}r;mjKD?-4exFD7~I(#GHt+IsWRAI2lxQ-Fu*X zr$z<=fR)wO-z3%Uy-1s{Ke?X=1;xGqGhCsmRQtJ5VVwCb4ZN>5r#E0pN66r za@aC|$-uimQ}Iq}@Mk1BW6Z6NqS@Db0%1zB1hc#{A1QCP1tEKquv zxL?mwZlsuq?$G6(`k~Ec*p4LdX<03<)+xUu9V?AhrL2y$#Joo9XO8wHHx%z1d{q3? z_XT=&CDS`NM+{Q%*q6)+g|J@+P(H_CrFW$v{b z>{$fnR)B-NiqyltwcX`We%F$mMSjj^Us9hH9i-DZ*BlP*UWwy8`Kisct2HxLjq}Pj zCNUDP*Ae8?Ly-KYICOSH`XOkR;lchSwu)Dgka?0@|0%7wX^XOo%P010RgpLV&x2O> z3bVO|Gg|T$up0Z>PeJt(bc@%Ic3LL(wfg&LY=gD6BQ4Y7b`b%;cIs{3I-CGYgv8W= zHeQB#sk&y|>&;4&b3IZjR+CZ##q2HqSeEVS4C);Gc{tqiITpOT(7!vp73+3kH_galmY=iea4VY+6Hhr3og^Azis7p_tu~)y@9l*F^Zo*CDDU z6;U%AfybMePb{RC$zH*ToUq(>RuzjW97-%WfjWjP;gJ z^@ni}>ayeg{^C#jl;XM@3eV=M79m7|)F{lOKE(vI;D(%3o{G^7K8*MWG&fOJ3F zoor^y=PrX%Z#NXI#LPHopjdvMO*IfCP>C}(859Zm*Jf{lJOzWSQ&w_V z4=)@L{zD+eOAoUw#@S=lQ-uRE)Tp!h&=Fk=Zlj}L7~zK&v}KpX?VLc3u^JsvLWoTf zq7}O0b3Uo|&@^szA;&>I@||_hnn7Y8Ws!UfyKa`aogryZ0BgsER|ajJse%d-2hGB&qg=$PR}vi>$AinPQBH}&3= z%x9s1N-?BdOWL5oi`s^_@ZbVa{*<=sJVjldWjvqcU|(4dN1LhsU0{^mbUYg*wr%?B zENX!zRzD*s0T->|BYb+)SgsB>mas4V<`-+CsEDxLdHKS(1=q^M@!x1XL-^#Uc>t1~ z&YT0&xUu4Ilg2{Ql4IyICF?dUwYDi{-beJNW(=PS<1J|ZdW`36R~RdRZPs~1ER~Be zdp!X~<1#)Ah3~`;51}|3t6*3Ga|#c!4N+~UgrO;uNxof)tnIy!3~Gjxo|7`!O*oA87VtQFI16rD3%pgKSC?TlVL|o_OT(t zTz{;pV4GBg5LCof)-nKh;!ne^ut6xfp&g92uMcdF8h&lh_y@8Pp|DpV2TzwfIR)wb zfCdUK-`^8yi_Kco&WYQQ!nJntVlHttK=C*zzB!<<>e*SYCZg1?lO%rrBgx{=M4bBACX zihIVflpKS2``DhUrM+l1Anlv=K{@1AF>s*$RKVUw28eE1b2gtiHJn)Y62B(Vt9Gtx zbI|Ugb#FQ+ergeGpx|qyusnHz@DAZ4(&ND$DXL!Xb-9|xth1;C(;aPCTF@qyai28` z1hBC&*ECfBWB;2}RpY9Y^H*?)2%1IDW1-3@C&EU!Qe$5 zUa+alrjuON5lVPQCjVaFMuYT6AVRgRR>A2mkOysP$}kzrr&8qGiYT&;%h|;J+uLfu z@X&};y%$!(^v*cKVuCzvQUmGkVip5jS@@{w`kd`9*DNP7GEQ;@HcOA zqH0UUeSqolxc7s#(2t`+^>9Xuw9Hj`I832D5&zKw?{=flJ<=a>dT%N-;z13A5D96J z7L;8dQpmAKsPKr2A*Bw^CY&7CAWH=H1cW{b{tjGI&~bA;KKWiVHW$o89F2Te`{{QC zpf{Fa@-1FC&Z5ztN_cpOn#q^ZtRCD-UcDloh#FyDKd;5apwo#cv*itXnm!k`)~A?$ z5bF3G8RlGwXv54i*6|B;Dn8OM^)ot6h001^8T_t*PVVO}aGuAztv8coiF#Awxbo@r zLwun}1?xMUR&GdLfp3pJ@L_sp7elKFShpg8BCepL?DYZOEg(R*NKtNVY zx0CXblV=HE8?jRDw~}DvpWno)15;Z0M(uC8)G63PWm)7}%>sg$^yD_*-Hhovt|t!_ z$)$JDRHK5t$LbAVyor8_jC7l;(ArfLXjF=o+K81IFNtTD>G`jYWx@`N`R~R90h*>V z41d4GRAlH?IeUCR^eFM#Wg?q?L6xMOZ2!8T7pZ)fQxkMoE_wBhh|@AFKE;1%KxR=@ zFN3ax`FQUOeDq`C7t2$$oE|#P%*V$e&*y#fY|wGsIyvXWan{0V0+nQ_K^LvEG$PCh zTaKniinG)n3}~3*7HWJa7wKdf01KGsaZDRksG%-1hs95Ae&qV9dd zGP!$%&YH}?CilC|cN8D&sj)7e+&F3)C zyAg{Ki(adaEMv0sTt;&;q2x*00iVvY+1HZuB8KXg#@4-UzA~y!sZt;VSk}sg!)bKS z{j`7`He}a%@@S&0ZBHw@m&5)d8nWlR?i1YtxaB|%tI}(TsQl5>`{YC}CvMZsqw78l z+|AOuxiL)Hi}yxkV;6OgF>7sQ&5HDTJatf5#%U#`2F0VVRq7SVYKO&ANc_`ih1gW0sA0b04i}2B;qNd9zwhli;|@YC zII9L@7r$8(*}$M~JByDH9PhYY0Vx!=_u|*@&ptGl7L9po55y~b#yAIY$f8EGN6Sg= z83!nyIrH%kel#w3*^1n~)JNR@~xI1kQc4<~S39FIJy_(d>-H%gtkuUVH`+4snQ8~j!M|<(d7O8CI zw8@)riFk>K!C+naCu7J`|7*8@w=3;sO#dR!?OLVQjQmg^phGCe1$oAFmAT<9rca71 z8N#&Z1lAjFC9#F*zQJq&@%fH^1U@3e4SbS# zjUfbj?RU>_KCZXVgagoT2_eDKa5)>nj9Pi_GE2)dL0rXg7+#_Ge^A2Xa3aSHtA6Lz z!eZLDyX@WqOyL#hBv0CZa)QW;!@pYLb5NwRk;#F_vy)LZ^fM8+Vt<+F#FDa|Q!Z}r zG1%JdyB$gsj~n!5#qqY3v+V1oRqQNnkNC}z7UpXJVp4pyKmKEBV3krMw}yM#Q%~cb zGF2^Ibtk5+8v>zeBF;&FR2jSS^6^-KDO{ktscaAo*knkn{JH!i{U`NsiB^(jXn|5( zPLXM@%q_?~-FSACl-m)T@=Q@&J&nZC|C0J}eE823NkU73w1uJ8I^wvKO3a^}Kim4f z`zVnACiZlMx1?b@gIWj&j+vND$7+`d*R+dAUZ+}8(aBJrhbH?TTsCl?5 zUZX7i1&oXleq2%yE-m)e&G-PLw@pyS^60hCM=qT^zx%P6uXKHmJY%IKd6TvlU0Mj* z=xe{?v=op z1Y));ho|y|#H(IBl+W)Sd#5r%hwe&=DT5xayG1Ur~OKFMxFAGt-^T0U^T zZDaA}_m~&%o>8)`L&eHQq`(;5hY15ATOXe&L$P5Q9Fu>T@X^4*M919QHpL3CRd!lL zX}XPz0y?Ex^yvcbH3u8m(A<^c4mw={5bejdp0%&!qbl=7{cZkRwKw{s*DL{cWwP-o zD)SP>c$a65)t8(H&+u8}x3h}BJ71bnXS}>W89$q~e=XQY(;wt2zWi(^ZXo6p+zHT- znAG!Tw`ooS1wcI^&h}NQd=|B@3qIGle!mP$zT}SZamQcV{^#~xXTZ3V%R3TCezhr2 zI^{PhV#7-$&|p6hggIxd6qR+#7Fk?5Pd9&G1WO8}yMaG(d=0nO&(vl9Vm6ps3reE@p{4ey0||Do+ZMO1sQITJveyRq2kc`)K|_X09bZK+(7uqwAME zf3GdJ-SL|G?JC!GyT(LW_OSfS4i_zOw$J4;*TyTiyw4PYmkxXP5raWLy`k$oHF(8* zOT$qLlYiSkGu!>9TQfpV+^LBD7DUEcIhN>k#Rc!I?9#4Jzk5_WSX4XX-YzK0^P^RIaphJr9Ug>In(T#r~A;NNfT)!XA+3rS1CS7;xdc<(M1 znsO4hf4%gWMjsKg@d284GH{)nQ2znwMdxU|Io)bLwT3%3;CO{ZzTjtg>Q0)T38uz- z*e_{(h^XFDUT)n4zJMZ}bNl#a$r@>jAng;AMZt5E*Zqsn(Q?RropQWYiU^d=-xym5 z3wYetF$SLkC8ZzXhD==UZ?5(h5iz@0IvI;eH{yl^nH5s~81qLY(&NVqIO}=j< zD->0vsw00h0cBI=`|YC(=9dI}<=bB64@6h}{UQ=tHx6~iBY;Fr7A3jginj*<>9-fX zpRRx;3adCT)g9LzqqE`|oy90ZJ}9;u0>tHXrgG>Jog~x>Li0dJ{Sm?Q>is%vRd$H^ z&;pj_7)y4VBe}qbAF>6{$m~A^LBpM zr*`8iU@s{Zhl?m1{dCY~H&N?|FpN>RC^pu|^Y_jk4zpmjhu?^Ei-qY`I$chop>421 zf}1QMQbuNPO>J--cT`fl|9pHDs!zfyz5vq*Y!=VAbXP+Ag|MHPP?68Yj%7cb?Mo%b zi`OY`H?Plmi}C~f)`FNvY~vk2s>%~a<95#iP`7pJQLT5aUQNpS7fm{voz?IWt-hJR zRoK!JGMGc5KNOS(Lk1Wn7-soW6G^4`RrNL%yd{*f%i+4zg*@rAYkBj+PjGcUS}%u; z-FF7(rCbUPd@UW#{;}atID}&Au~SO_^Vs>YT1=*%8Ov*^Xk+47Ah+*oImxRPeG1M2 z%&gM!V@93k%}Ej|w4K~OqVwqwdr28_#5;ICH>n_0==b!!96CR4a54VDrTV_uc|SH& z79=^yb8$X#ec3VKHVLZW!}?bT|3;CjV!FA7N6}@VIvc5-i8iI`c<5Non~en;Mb*@z zI?+}6X1#jF@qjG(G9X&yEx^hD<8K8WfUGRX-I_PCkHiWM@3~E>W?|!@X3oUrH+|up zT1+$`;uZ$R#7jUP#>(mEQ(=pEHm$1qsBJ}7B4?h~GEiJ5-`U*mqOKsaks2*j^AOw? zjRcLHd9J@MekqI*8?W#}wT(j%yKbcoJRKinDchJ`YX;APs7WoIXLs4EyvFu`i?8hQ zNCkbT4v9;D?A9vH+Mo1X3sq(k7Qbnm?s=FJF4rO38^m7lx%0Od$Fhg$3guuvvU=Af zXq#FeOnyrc1jaoynH)nSH#~mIjwLA0-x|S@ftW@V%(8iwEff`Y|@eA#G3GtD3iOzMP*cu#1?&o7-ry84@|OHnxO8 z5Lrp$FwaKCt8dts+2K>v^up5_JNvgh z4Zk3MWhZRcAHSozzw>kbu2oF%*OrgYvZeO;m0qqw?1V)})6h`J*umVlR>Cy9&b8&K z^@~i`Bi8R1hT<384*MPU!g=)&eF=>x8moU8mD8!*k#VNueM3%olNQIrRx_8OY@d3I z#H6wyUIvJ{Fpa)H7Z4m>Nkn51DZsxO&AJP@pFFusQ|)BQt=E&-Om(bZi7ROi$LSy{E{qcBEQ(e|HhrTe@p)3}Hc~J^o6(l*Rg1+7>6^d3MI1 zcSJ%;+;sO$e;s~0^#iu%2s`zuZ0V^cEt)wg6()R|gYM%P*(moy9W(Khm4nS`>g;hn zK@^Xvy_!P*ck=}t(@=;bui zkNdkbDW#9o1jkdPG%8WJCyX-gHyT+OQxy{#CfeJ}8d?w3Wio~ZzHzg1?NQb5r%#Aj zgh?@0W(z5*-t>>TlXaF0#<^?rw7!_J=#Z-2T$GuPkVyw68vzYAy<^MHMMIVAlaUP7 zw&_XIZ|6X;R9s?Qxm8(L2h~Iyja`lSPB|50?`CcT>(ZI@>K$3Qh%ampX|MSv(>+AunU9Q ziphD4zRSn+UvbXazt2b~+>BY$drqA0mQ$KH>L$(AUls|f<$OGMoN=JK&vYM%tt+fP z@Nax0PqVRmyoch(83@`Gej|8%Q6%oOLF!fc%{fH#HbI?}vi6m&;GKe5Y4x%c(!To> zeHGB6Q|p4UA(ULO?cm$|J6JZ<^=Ldd4_@F(P00cU7mGyDkhK(F;fJ9}oPTJO^dody zSMas;5>(!V?Vss=y;O#a%EY8jEq!iiB|Xc+oALk$`wz>}I?FP7MFN%=$Z4j-?(|<= zWkkn)Ou=*nsqX6i7k1*9+tQ#G0)zkh0FW6WZGemAV`Hgzv3a>UQir0RC6=5^WMrif zm;06Zs~K-n+2zRSd?D*j9@~k-gn1ex=8nPT0aZ7IKLsb;S4XLLeZGK3=Rr)NT1eqV?{y{EO;9!A3>48-7^Ac~3%i7Y{u_86vY0!a*T0h$uKDtRfa+ zGst&0{uB+d9rvBBmKbiZaHqpqST&A#K$7&23}w{R{KjM*rKaRe3d9;x z8>8eisjT@jcf_=`9`1QkSY<;js8I+SAA7XV^VyIP)cgfrjSh6OV?PW`)J&Oia@3{$ zw6}`Dn0^Sy)3Xzt0ex838f#+pYI6v#lXAg{s|1>ed@le}4!C;t9Sz<}0O9E*;T+ zB&zcJc6Xpx>X2wgGn~rhoMI+}4xh4$gJj$>jg$F&d*3+31#p!U9_hq3oYS1AW+|~v z{3{fa0M+AvU0flzHkEO5PV}72`+VAE_oym%)d5xc3|raQ$Frzb3&wl-Oi&VaZ?xX& zCb3mRQgt^dO?t0J~|?mjr1`5j@we>M0f5k30yaqvN)M^>|zay z0AM&ZfoF?8#bYGl;kxly&SyD}NH_oimYHni|6JS>q8E;Qc5c6I_x`cWCuP89+JuhLyfqW*MKOf?|RFIdKCp0q` z@VPKEbNt9CCmfgy@FA2G6^PC(&dr33?XX=#MjQGMJ;md$_wPAKo*Uu_$W(MVe8!8v zr1E2%{+Ysu3=)PB6vKKWO@?@f0$2GaXzCyY4OIwMEyKPITki{2$eMT|W~8u`*s4Mi z7zjnz3YIniw&)L*EMyi)_D$kTXQ__6zet_}s29XFnJqN|P`?%+aB}~qYpSnJzd~4M zJ|X(!0@Zp+BxuI0Q)b7@zD^|g_4`Z@5mYWS7{fp;Z89`C89R)FBmogbE;FYJ9E^hx zr%v3rSidOd?QhH@L`t33&Uz|1h`Z4zu=Oh{a8M>-dY42Xck@Cv)-b-pEDSR4NgQf$ zBfq*!E;^iKz#6`uugoOQc$gJrAWudEVd8xMg(2gskqAW_KQx$z4NX?i8Cl%C$QkGG~Z1e1iw{MvA4#Eo5Fj?KsdFLyc>+|Gqw8T;*vQEvHx+U zWCFu$F0kFFAI=&rP$X*lb>=~a^T!0fOmJh+)Jc-nALuQp`Ld#b<)-vVrf3OzM`Q|G z5~#UODqmlJ|6U^WRFY0`7lLSM(^(|Sdkg*X zTEAc>8ue`}$?E8qA<(o4OY0C~mLgHLB`%|rN5%1mjv6Nl$$6tlND_sv-Ee@#Y4Z9C zN=ldQ0bjW#Lb<>Ev7RV_0}2&SRA#xy`m{Wv^~xl~Gsl3nvcR+5>FzP8(gCTwylW zSU~hqA?77i0-`=A4|;A^iB=izv;k4*Fa>Oi4&Tlh$xSzy$X9>6P?ubeR9WWW$t?a{ z@ROjy;F8ol)NeI;d5}Z`Oe+$)JG7msf@X7?HgWxV%-=(#WYpEkbCrD~%Mdu?Y)cD6 z(B2nfq`s!{8uly9*Snjg<4mf*V8-4dRY-`3)@VJ?fguB1e^+Y0ZkuS(J2mQFpYkb79yP*hXxlgyDprFH{3VW4d1MEj-vM|c z%iTR{ZZZuAr{q=WTC~8m5*!#NZjYJuS)cij?zVFjROK1I(D$uw&~6j8U-at(e>U!0 zZoZzN^n;`}DWD1wRTw=w*}FP2+qWpz1C=}3RlY#r27Q@dm^l_|A^i1k1{u1}ldEgs^U42H%}pcFS0YI>Ck)cOj`ITm535(_G@nF9dflVt=F{vH*4{l|KMeo%T*%}T;p0~&iq=t6gEPC^w_nS2j&A0TONws zfuQYbZQ3UPNP?_sD{R))7aZQI%P}RAi4q!L=?*^Y953@U)7m((_n z`hNk7Pcdc7rZ_Z~!nBT0_~2z3lm1s9LUFFaeDA-YMlJw*7+{S&p0EB;1*uEdzfX!}3w2SB>ZHRTCF@}F&w8~X z>c10V?HiQIxVlq>!bi`2geo10kh+{R#?Ahm0cplPsCCcJmj&F2oz+|6fy-1HFs z4*+~XgTF=p`p5rp8u+gGA5KR{hcJZy{Th#>yQ0Koy* z?E?_(8^HV~Ac({FrIP*tL9L$#2x{ZC@VdJF;(>6BgFyqd2LcD`{)^E-+|NVR0f-2H18Um~Fs1!Xvf9092%-C3c;HW@KWIEqd$4d|-?aaK z;eq&{g9r8)ph~a=-$Dd?0)n_71q2C0c%ZO>|1=&*(CP*Uwx3?~K3PPHcYmxT_#rUx zzy0)&|ItATl}G;(0I=WqKfGr5_&*$B2><(Ao?iknA*dfRaQcA#*77)9055{wAz&Pb zPNLD^LRi2aWOJ!x5>40wR0Mu0gsz}g7)&leb|*31K+69%zBh#G;s3R$9;dTEwF!d*^fU(o z=n?+KfS&eG#PjffBUIE2F412YTaWNQ-1k65z3q^{jSTb>hlp&>2L~2u4;VTeJXX}Z zY6goH;dFXN_-TC);eQG#`VL50=O0Ft2R*Zdr#!w{R|Kig>{`bS_|N6)Ow10c#|HJ8M58;1*$McKP zDFpu;O8++m4F3JVpcdvA;d;GY(;Wb?*V{E+!oTa9E{-rrXixh;nYgd-djHnMeS?5{ z2>izB@GQznXaMhcEl$zL}r#zkStrz@y=xyXxB$ zGx|QlL-63xMStIa#YNwqw|2GqN&MFn9{l0NfB2!qf9(zYx6whoZZ~*P6aP(oP^7%F zNUFep8mt(4e)=;2{O^YY0Q<%Nw0gw<;c>Vj{O|90elZBu4gh{50+3E+Q0d4$;Q>Vg z4gq{Z-Tu!5eE+G)Kh5uo{QH-E*#q|-Y5cw$9mM|_IDgn@_5QHI?}P^N--ZT7FaxB7 zsSsoXDW)_Mhhy7OQjaiT3{exOq0@tIPY4mOJ17KEdjJ69zZ*aNw*&}&7x?#2V}JjH zk$QuJ|9)B&++YE~UO<<>B|dNvV`8vhgZOpffrBM1`~=3J5Wt@oB==na;LjufpAHY~ zD~h^%B7e^RN_e1lFVTV8{R9X0Obm$E{^8(2?IH9J`0t~C-Lb!KLVrDhKi#1V!T*n+ zZulRG#ZrSDQ96jFQ+^hWZ{vR&I89u){C_wtZOtM4?{9gOfrazf%&u2$7f{{Y0TTp? zf&CF+0Z5|*rtTy*7lT>Gpn8IA4v7XV1zAiE6@RW`Nn()PKsLbPu~s+&8_M+8(N(|8;%$i@P=_Eim8 zk$)f-@Q@8$1F{id2;12rNpxvzca}w7GXN{d9S{mIgUNyxAQEjREXXnr=*pu3G%CY` zgPBWXy6FRs3qUpnuw(N$T)=|CWdbXhJT|bD#2~waY+x~I4F|B~(YRDKQyP;;0c^Q! z5*KvyL82W+#B-kE&gHT=`s(UyUD-@GEPt6vS6@S8x~aQ^Y>FBeYF~}Y;4;;Gm^`)` z8);vSMq0yBgMl(NGSt2rN7%j^)V`XCJy1s^Fd=iPo+K`auqmou3kHWvVvs=qW5#5t zZ~=FcCkT+*!8~KYh6a*2Aix0`6i7=TokXQUet}~gU6Je>rY(M2HSwNgM=5|75!2bAXh;G+b$#v!w*unE-% zltir!LKAYuvA{g|M1ss?LyHp|B!6+349;x83j{b^Hk08-^XWWD0(_V}zzt-8Fz64N zLV)ST5NQqIao|rzA!j~xI*CEi2UM6Wkip^505-HVsJVmQfF@oAVh}kM;BcYs1_nU3 z7WzQ%jA8)5jm_k-^Z_N?c5d5stAxQQ1082JfCZi826k1rP_ghEQ9TQ{l7C$_wTuI{ zmjKL|WDk%HP@#%SojgKC%!EbS8%3m9!(`Gx6108cxHG+6IJ`CO!@`B?st>^6tB5S! zxrS(n)PeUDqJls>xsE#Rltl*)1!fq#hRWcwNj}gnheTsh8KAx<+i4UpC=|sLN?Ni_PqfVbSq1P`_seL@_Q`AUzb_eIfW4cdb3Z$%CK;qLV^q)y?;0Ex>zfrXn-9;x0CZO z+BSr$PM_X~Gy_%?vV#^5N+nZd&u(F(g!~Oz0UIWpEBv#o;C*Y1CQ{DAri<=+>dS`B z^rTWiz?MtmQptdY4K$wH1A;(gCk`v7Zv%!Ln+w$^$|L|&|F#BucDA8t6F;iro?7D4 zILO){To(tV9Dm!z!UY9rpYlJTqR!TS@%ZW~JekMgGU*~-4Z@fui8Vk?klV}mq6kDf zSRDu*V72I43Kd-4pNgQCU72iQTcYk4^8OcV4B8or(6r?;*^o!kub;qzoG1<#WRO8D zhq}J&xYE`@;@SK5Mmwr=0Z%54M@Nzc4r~u*(^=OZsefyWFwn!ywQHak36%yUSr1d} zN~M8nNI2k+2`IG8-xjaEH-whChkPQ&6t~E6qT(#!e3fE^qXzaTzhx2TOYdwH0E1k3FTfJ-u z>uI2(xPOz(NL-R-5C2%5LgJFX;rPz81)z!m62^sWntHMiH3CrDi}c$sze>cpB(evO z)r*j8;1}N(6RF&fph!dixTui6&8Y0ILVA+e>P!~57Z||(8$G3_CV z80Gn}@dkv(yFF-oVCEMw{6f;$H9WFMFWz9+F|OuD{zhjDnQ31T=E5z)z)MfHbYmQ$ z-T~?S936FE*#@r^Dg|V4yAOu}E1-Q3WkM#y5%Lyhed@usqXUsDBw-aQ<=>y zLVu$D9EB_bd$9)nXv72jiN^8ARl*{1-M=wm)FJN+YW^E;Y&U^zNL+Wof+3tf{ptr| z0H892Gw9c;Mj0S^acnie&(y$G2WVnQUf)0oO&n|iTg`8q7GarRVp7_@;(-gz2Hg-` zc_8zpt9VP{s{ILw5cnrW9Hf;LvTx#G>wjWmYHDt4>$1pvg^Pt*Uvl;+_)p3@XcH(R zgsr*hQgb^IS^DhSUQ7RzV*dm)Clswe^Cm3ztIS%v=on?#CtpM2^s#B}jGG-SwA>jy z)Elte7wp=jvWUn%I92NBh~QgLzldO+|Ft1;I9^OPr5oOCQCZ!XAYkZ2vXVNQV=oqttk19Ttw zA10ebrh$-cp>sIvXfp?V2x;C_jlWOD(K&f@y? z?PT@T+p?tt^CbFFTd&eWtbYw!-1fu&!3eRSGhpD?NCN40(2}r(htdO;!UiGoYb4-t zK=z;|fGQ2PFO~`G{JOsA^alsoA0qB(4`;ORUg<3J!}9bSQj5H#SR*E=|JWm2ccxcI zt*#kLI3lNCa50niVy0b+4K(Pp`|)UdYeHU?`q@@=*>xdTEe7V4X@B?Olyx~c6}`JL zXcw)^L8`DNE2yR39k%a~YA|blzj6)6J?mGr9?n{S(zRzIzz>P@8YwN<@I zHDFT(3-&{HN>r5ZG*hAy4Ae?>>yhs_QKI~RhlLX5eIN#^cfP;ZI*Bs>ea18E!Ej}Y`hSfoPQFe`EH;zEBXcb% zPD=WKlalai=>m{Ocj*Sy>tJy@SZybz*?^OhD@fw<*dPb4QgbMlu6*Jua9Hkbf8ebIn?i%vEE9$ORKoB!CWQ zC!m82t}sm}1^{MQFEyKMX**N+5g`Tu(pl~#4wVBi835?b1sNQwF#7?CL4h+za!Cvd ziA~|Ck(qQBjSB6Du^4wIBx}1^Zd9&2Z;hxp?Nf@&20?Y?YG}u+&S{3Bk|E*Rn-NtD ziNgW89Dj8VmqhmHGBc@kH<3Tp-~wuRyoNVkQwz&txM4g%A1@}G0(XfBsm?zzYMuEE z)Bxn2@Lm_BLX28_!UPPRMD55ficv$Z@``@ z(IMNzz`C+KDs*{)L4Ffqyd&F<+PCyA{8tURTz{z6Mez1&US3`zr=3_P+f5zQIp{R7 znpm9f|HiU3K>JT)l0CkgMnCpnL$jy-*VfS)vj2a_^9xP478Z}8P~AWdS0CWGlknOE zeF_=W(A3h?)z!pl=zyB8t~d=%S1nhZ4n>pXszsvUK$0d|M^8^vTN}3qN5<>w60~&* zI)4;RP+OCtsYAxJU*xC2$G3Q#nueyDriPt{o<2@fAFqqmBxq>j@wzy@l|ydjfS!Km zKa#-ghaA9f&wp(lytZcd{O=kBt)cnke0M9`fsF*|8z%+u>q!wA@K7URoR7kEhw}M0cvwvr6 z8cH@E;x78~b?q5KSrEHuHn;xBGh*(|4QbLN2U7RHOEn4UHcb^v}E)p z_eEb1&_*M8_6%_{P9?EYeM}4mC56ir%Pol~VoQw~K_9QJp%`~1z$8bZ&WpuaSK?h>% zS;R>{ii3cLlfM22kQ5IjsO}=SE8Ww36VEG{BVmUaBFs6SBQ`GZ!oW~N|9^#Mv5;s4 zN01m`cn~w+WF^p1Dqr6cD(LVz=(S$}v63Li{ z0=?ZE{-T!V7USr2@8k&iWPcP-AV8d<3N=Au0AcvmzKE(dFoZiM)oY}-FCc3ohP3K3 z0J;vwaS&*iTr!IkZ=rP%TJ|^topGY$l&OjvYml^7{nMs#*v<8+V7Bg0gR`GAAQe;y zO_QFYTuG*W)^>$wgwLpnO{$K+;Y15db`$Cd8R`#X_h(HJXDkk7#D8cA({>(*d*Xv2 ze0MC~aTZ6a`y%i)WWuid>HBjcHLB!Bx#X~iFfk=Tpf5y~_(*abG{}pUON>>@48xXL zxuNm1JuM+KmX{j$FE^4A7i341^w0}G!{sOmg|*K@Nj@7fd&(r))p=Z|>?X8)4StYg z7Witn7szL!5jPr!0e>;zmcunLweN>a+fI#0z;235Y0v=Tw~0kk{!h3&-!w5{OiVJdi>|1T z`tj8+{P!KYMP4jX-|wLw>W^PsY492$g)cFf26F{<90zb~_J2Mi;c!aF65ULxH$_t{ zknlWx4d&0)s`UU1>I<~42)V6*DQe;%U^m3yFk97su^7$p9Nl0oWwa7U#Uix+$)X#o zagJzcv+aO?!Lw%&N;=;J19oSmmn2{)~oHNW%N(KFwK(HfK#g=|`(;&(e<7O47T~ z8S{(F=gzC&5(Ykz&l37Cp;odv7~3GTnLw=l9UZo{dXe7`mdVeKoAZGj*rzqK`amw3F!b7V zU#+njM6$`dPr|-JSqMv7U;Y#s&1}mp=;E=^BN1F6s3u#AF3G%^Z;A$yh~TvWb~RVE z+lMa#ab{9L4KvhIRnFbCRA<981&@!gR|3$v%PysJ49uWvT^f5yYawX9ItGJk4$d_^ zp(FhpwSQR5LvPAi$YLEolETX-*+neeL~K0XM4Zf+B$qgff_d`S4X08IuYh^rK9;9% z$t5)q`QHYww|E>%IwO6}YW*7=45o4xJbU+HzyI6basT-6M-EJ z+mljr{yjt8HKgDVQy3}Pw>60K6ecp^p^&1k{igVMU_&n}Hi2QN6_R8KbI?M-m^3{P zI-o%GqS^e?`DPYKaz+R7o^TFYj|K5{a=5E>`mCAkmEBB}->x!3Tt5#jKs(i~|(CPXML-P#hX@!s=Tjqh<^PD!6LCi`|SGJ^%VQ<#tRfhj-4 zWbJ=bj5D)RH5&=>n>tUXinZt?t?1|`BB;q=k*ff&Dzs0T^*qa0Cf1eSY1GRukwI<(9#D!aZ@ zSm-e9_WY>M48CtJTgoN@u55p19Ffm>76oKiGl0&01AnBsZhn6MUVljQ+l(;pX@4T6 zZIXYX-~Rw?67|H1P-YY$&4C6vg_Oub`-r*NKQXr|=5TCpj;QoU2=j@!C!)I(e+0el z@rlUdf^D2OwJ*c|pmq?o>p9FJISvJeL^&v6lLtfhHykKd$@6N)6Tlse(GzmXOw(&7 zy~KU$$>g|+XC&B%>wb0IQNX_R#D5fXn|V<5jDO+V-dA8ub5f$$M5#A(7OR~dMX}To zKphoEVF5m-nx5b#zLiG#DNwOW1M>8@^V9%rEr|TQ6Rs zng7aRV6}(AG}Z}LeR{blK7Uro8qJx7A+9~kf=)2lZ9u3>R3$&Cra5S4U)4r*!sP-b z_$dq30%c=c!7NgBKEM)z;)F(w$u_fYLF8xLh$s?DK8I(CzD8=`XQbVlMRus+=!ezW z{8D|r)W8Q~x{Geji+?M6_CK~pG~5zX`+;~C3Jm0!f3^ny-qkk- z$82IHq;)t>j{5f^M8bfCqxK5Az~L1&Y5{cxvg919@m{T|zIR`IY>r7WVwsm$hKuX)$``xOBI>oAai^o!1b4#5zJU6ZO zXOmQ1H##RXcAe2;fEk6B%$am@`pK;?h&m@JdPZ2PZ4boKdU|cCFZ!Iw-VX4M+>}nH zBdk&QnSTcQfq%_;C`NvwYlcWb#tUKC#0MQ!iywF;RO@NNu}8oXq18K7axbs;2*vGU zD`NV8ww_t2l!bjZ?n5$G*ovJW-l_i12&c@~`8dQb`awUK9UttS74)RFz{gSfojVV9 z(evl<9;XDU`6E&~t@)=}^tw_!PXAE4+`*~+gMWs8=8xpIeiwja?oBVTlsxGUzKntV z_M0~)O6tQOG7w+`mQ$?llSyHS<_ELGoH3!M+HGN?sDPBx-cd;|1JLI^``0cy)dEdZ z;nm9@UaVz}s^HSyBt9@NJa*A%ato+k*(ONH;2~Pt7bTox8jF5Nq~aPHPVBd>X9{9p z;eTTSWf;REi{Y-p-p0qr;T&OK?aaXIj?amCgr4C!Xhh~|XMhgX7-8+f1%)-I86;Qq zj@ycwv(!i_PZ5_0Y7J5AkH$i^cveUh3mFdD{ZX2|#ZV`kfg({%+@vwqrLunfEnb{G zj|kCs9xX~c6x(uw{dKXSB%b<@lB+D1+85L?3k#8$&Wx8R2)?)TBrcg& z1_4y^6zgjXhKLD4N5R})F(j|l=H^I%It@Lct1X{gZ;9#bN^#58>z5~2`k4eC|9|Ba zF0FqzolzlTlIG!bR8^yzYRzMw+~{sW3$gWb=k*4lY5_VZR|8Eex&JgEe|Y`s<;JE0 zrq`4Q_IV?C-$5i~@notrt*kDuP0oUV1aN#HT%akz*HrH-Yl&UOZo0y*Qez7v+%=^n zj|uz>Y|juzA-O?v7LBbz2&4puEq_o0gZqJ^zWv=F+%F~du2^}y-hRw$@{-G>49~wMyO9mD1Q^}Z`}#- zw}BwJViMAC6NRkM6<9$bD)i%lAaWCVQ^rgt#WYx8(ktNugw`j~3pGo7zYRANcRHjm zRuFpk>)|GZ1^u7eNJ(PvlUAeBn1*F`9qRO$TFPl(Kfi?hkY_l+bY`s59O9pS+)r%o ztP-6-9FZ~O#4<751dIq8v41%9Eqf8OCsTn)x#ZqNf^EW{ZC+(I6GJ{Yyld-tMV!I8 zu}5Vb4Rp@sM9$i0JQ#-EWmWeOA5{U&VF_zd;R5&j@E#5?)A|^gV`bg#AA>vVTpJPq<($%jegJcOVR1N&veZ>-~0UrwqI{OGTOMjm2?FO7+CgPFC z>-lp)BWGpb>#LKa-p5XuPm(Zi=LGw|aVp9C5H>PF{~|W~eW`LGNC3lv*|N&N8WWbD z_8+yct|{kf#>=)hk`(EN$9O~nk$eN&gIzS6tF0S!R@2DprE%nANs^S%SvOdHFdD~! z5|`lmAO&oz!u_TAwtv>{z@T;<&H^w{69$|ha_gDK$>xzZr|c}EyNL#T&cK@X1N>~w zpxv;jMkB~Lpx7((-2$H`)tQg*c&vo~Tpb_;k&CK!+S-nWlRmlD*P>fk2s#PDx=X3H zM#Y1_ZD)NP`h6TqntU-5N!v@-On(zFRMuh5>PP7I^Mr;O zN}3<4s#rZ(os|9l2de&e;Ss4ux#3tV?9&Y1=KR+T)-H}-F9QfdhCqs9D`)J_hl5FC z`TdE^cTq1(3i5*V@n8KkC91LC)^*Ez(RkH%WKg$%Dk-Y_*(rW{;r43B{QDnf#x3>o z@+(StT_8PKvwviFYCZFrgL-k!n^;;KqTAqAg;lzl`KiF!o8~D}S1GbevNKyH6t-h3 zpM!mQa=bNdwA|0lRX$kq-N@#6J-}+vTaKcf%kRU?Mx?iU7MOeL)gn|ek4mAJFlRF9 zI6*P}l(3m5mD#_GJ9@xe}C??=bPwx()Rfu$vLW|S7!~T_c0|i z_t9}95*dK{7qA%9;95f~gOde;1oerBdGgj0G2bC$#->RtRi=J{nsXL& z)8BJHoqv`2^q2|}gD((cqR*?#mS8M?!r7}|O9!^=c%wTPz^^4@i%ExmNqkM)|S zsZ)c#gfx1p-biwnaoM}Z5~YiSXOG8VmeTR@Xn$vS#c34^+I{M0e`^H|CeQ5BVi7fM zQJ~e@TBoippsp#>-bGh~zJ8k$c(_V!Pb()c_wcjRdXF{BGY=LMWIfya4wvZFQ$7WFsp6mv{ zEq|@cCSl}I2GJs#c_bCfyKmQ$X}eT-?}!36Cw@u{?VUQCu`n;U*39Fv;aek<^t@Vs zOvJ|M)UB2R9-#M1b|2}K?nrXABYB7lq)i))XJp83iZ5!$7YEtvdINjLd=kKLq9~XT zwC}rl0)i%+jxLbc%Xo});+aju7}sePCV%w=G($Bv@Tr{O8FwRi2UOgdh*lOFEEIcg zx^=ZVxTkiYtPK=rGcYvJWYS>P^T;Bf2x+~{6&f3>qlSV#<5pf-e1V$9dmunA8UoM2Cr;NY!!4t*O-Z5>NzL~NoPVl3OCjxkQv6Gp+# zomrzlO=OKof-D4i(vP_wxQ*QC7cCnOK=%ooc|tRY;Gq7kIu#@X%ndSCLn9=n@W71& z0SMa}3c%Ea_ycDrI?U`s)pObKHh;qz__J{^o%b_!4?nA;Q4&T)H|V1;pysP~n}~r~ zr&7|6!p&3@x8VNxnr^t2_}OQmR9tG$DU-tp7QT>}%Q)IZ0lg-nT6I?UrSMn8*@(1y z1ZwN$ZaeBHo%9V7ecjpCGY5$6e$CW5Qy&*(_-2PD9A*Xj(mGuIMr=YN$_F}1Z{ z@=<*oV;aPqTueC;Qx^EUXlEN94S~De&ueRT6h(Z@J9B$VB|+ zP;6l0IMkD-xd`?+_&#*!GT~C)xMh(H|c7E`Q6yB3(w;hkF78v=xV zXev_M1?bRvQ>vE6UjPJP;sXF6372$CJuE>tcmK3rz4~$*K<=kMgA0aHcU7yO&7YO^ zeWk~hiZjDIC)d^|^q4|U3XcaVkgQ~$5y`11lsIQxYJ+U^ zt-|9guSh!vrey}C*<uV|J=_V2X@$NR%1e;?#C%{X7YM zb^&UZ(mnqf3uy-|5RU_;b47Y|*vFC7>rFE4&;_>V$;IOd{(nS}P~5FuCWYjf8r2a% zSqAV5GTUNF`lHAKs(~QD4JY4?v1m4@f*p#l2(wQp8q?+^)t-(`#DJ!LUp7aN1z2;v#o z*JSS%QiK)7CJ%kpwLV^%FUYY&5~`!M|lgk-q$)5SK3(&r@IBbkX^o=zIqt zH(mRDTBNiEec=Tio}`_>L@ovW%W1ZO4v&Y2Xd4}#9w-ddua~2_Bm(_> z{{Ex_2!Dc?1rD(d0r!we#X9TH?SkKazKN1QcGMr1xX&SHuBOE-OE2ew)A^!GEZ`Eg zcf9xZ@VJ-zF`MDY)kH16y-Ww`7^}K@xA)=QVSP74`d6VFNbj%U_N+Em6Z8b)isbzE zO9TbjU6!ZksAF8m9<`rFRVlsHMwz%K=99f=K7V_6dHA1a@6Rs|&o2*-hI?<14=)c6 zf8P6Wd~tblcyWHTKeS}B(N}DG=?v8LS*J7r;0i=cF}NP837S}g; z64Bd5UqD3kiqZCx-yA49V<14$->D4XhkreYs~8Ky(;vr-&w7rO`?{I$%7&F#sH>z= zb4TezYFQ5sNp$rhS>QV)igdqJW0}LW=vAgbWhy(kXTEb1`h-Il0refSYLwvH2@QL@ zXs7HK{J964d&zGfLMjzpo9z=Qw&woV(l5E=YD2wb)Je?O^Q3uF$rS~#hb??{O4stT46vm71P%KlxoXp*a#Hp`}ryPc(!Uh5nXiD@93#g$Pn ztCqlsv4G&PLS&hz7pLP&ah1|x(|=unso7o?1~impl9y-+24Jz0fM_Kvr_}dJSX{lJ z4)x5*C&$VWmQ&qbGSV$exdmps;F5fojb@pdtD;GMMj@|5YP*&Nk{8P>$y?I2yVx7u z2PRl5PAXr2TCjX}L~H8*zux1Ij;lAh8L6=+0E4mWM)_Wk#3Yi^iC?GvqyhKP@@Db_|_nO6+w zfmZ!!-Y;}+6es%9!KuE>)z(HgR8DEAAES(6B$!2_)-NQ3FJF=eyg_1Aqka(A-oVBi z)v+eEWB3+$hCAkEYhS+f5q}+{!AE@>b|k!w7lFQhT?i|<%UT>YV^x;LjD*m=#WG|P zt&=~|x=y~ArMwN`*F%Gi^oQOC0tgojO-vM>B)H$0ai=2UacCw$%QkfOet7Zj{BU@= zcW`oadU>`t9RBwH{NShW)<4A~;>iF&nvmlCermy0HTX)d5y{hq;eVYzL+YfeHr}6l zUj{yw*f9f00s|)D)xY-8Eku!e{Sx*2KJl1OHZmlvBtR8T4n5&1teQNJi7>VFP(&~s zmb?QexAZ*DuUBj8u19T$rs}m`3&u*a-{&*b?@KvHeX9Ng%Vn zN?O6MmP~yTUjNiPdw-YCO<}rv$Sf-y`e@xsfQ((Dl>r-QU9G+HIvM-Y4I?i4ef^@m zz^k>U)lcwHfKt{){l1w9)bFE6{28ErAL8J)eo5|s0IC}7i?=sW$45C?SPZ3aIJLF{ zARg$twt_pDsKwTy1m3+&jCMO3($FJ0D{Lz4ReQlCTAMyEH-C-R^9Wme+jRATVQnVP zvx$$LlUkJvR@>~xQdrY|8=u;Z*jiZ4VmH}N5-YTxjV#woC~1v4AiCPuuNlF2`u^bX z^5`rl?n34h(Q+kcg&37&CVt=kV<04!u^3?A=StmxZ|0A$y^R72XYbE1a!4%Gy@-eh z%m@8hkBzUrB!4DN>$%^siUJ*%@6lE~tLm^ZI|8a#E};x7xaf?Mb9&P_O;iNhi+PP#q-SK86KX0JlZc=KdrlNFMsy?X}vFB)JDYNtiDb|pL|Ak zxw&?M18Tfawl`pg2kL*!jP}0TMcA6dmu2vjNS4Q2oHrgn?%1>HFPTGEFiT_cRTt z_o*jQPajTt&a78)+lKlH>`Z#-yN&9hL4Nypc@!Sv92K$YC6 z8f{7c-}-*$zRLplf0t7dM1+fhjDm&wsK5Vv@qhBo%U8MkzZWlF>~!~k4^h5++4>$` z)7dU~E{)5hj!ei}eLrWe@UrE2i2DJursAcGbc?txbLc3Ma2k(6NxNc(-1PaUzg+u_ z%qu;Sls3ut*|rC_Eytn17erHh8qd(qc6+&5mMyoI>`PO7St>6;-Ii2+5Nc+!Q@5e4 zyBRM?WvA(4WG-u1Mdvd7N-14g@qgZEZ6EMz>6^atEy%gfb;ClOo3yJOd(G9xU0JRb zN!*!QkUUOPh4aGf28|jClSgnlxyHC`*h;u;Ic#%@2f2A#4cTqbI9z*07-ecNFjVWs zm}KX!8+PIxw&;RzuFV!&5J|gcQJ$$8}BLC5#qVf9+3eJce=HBr$;0aox$lFl;e7u^@+;>X|uW zygh|mkP|RoczoEJhG^48JJ>WuN$mi2oszMII?-sUWl)|ZW?B{;hg~h%&~a)0Rek?b zi+mrV;eU#DWvraL%E+`_6;oScl_&OHh-z*M;3n#orVDN+UU{{r>m(#h||bma}4zWjnVKBe?8-H%OYyay z?wlAN+If{hlA$j1Eq@!(3f}ldpgvZ0B?GZflGk}5f=^`LQ1@3d*VVryFV#KNpSq9k ztzNpnq|fE6AnTo|q~_!vDb@Spm;o$FDQyz)C2x#p1LWl15C&-w9ZlcgQGblKSR_j_ zw{6K;v^7X16!Fm?==Rn$DXE^V+8_Y;*({;~ff%{g7y;2xGJmDn(r^+efdfgyb$E79 zRUBg))C-)v2}JVhWq^Ur0^ClQ{(>V2>Xm*gUH#ck27!;G%pQ9J;p8$>>+ZcoB3dy- z8Hj3#Hp6QAu~(#~s`yVvL)824u;*0mJN^bq-TVgd-{Hr-;}3^J^l|U_=wR>S=>6&L ze~0jZXPex@jDNS-PK~VwvH1~LlFAg!f6&nwsaYDtJU~>K^n6nSo+HR-;d2SG%(Mp@ z1ZxyTO5jNd3gY8v0k*5=2uGiBB@*CfMG_>XUDs|Jvq;XfwPGG@Y*hcOLs4#Qz^;@c zxSI@r6FK!j)%!0NBa^mV5Q#=iPSKUEeg$}5Ic=_x34gvTl#rBkW~?KPqflhCI-@wG zf5rse=m0%wD4yeky))h9gh9CDF;gI$f;F0;aXMfl-~-Vb@5~ox!!yTl8=b%1+jouy z_OoPc5e9(8S~1y?h|KvrYj@5^*fT#AW-o2CiJW>s#R`mRVQ4f&jQfP^ln+C&a=l^v zQ_W=5C4YE`!03G|Vtzjf5M;hRQ^#3m0L7H}b@aacj*lXLxk^Hs)V%tq>)#<*66x<_{_T1Z zNdcR1g`{v5)r_d9%u8Jm91e(0RM`v!K*=y+dxT+{%n}6%2n%#Wf|wAO z6MqnY9{PZz8l6lfa*Qzs?HONZGGj zjtt3x;WklisuXHfU2OeBR2it%jr5a=yWDEDaKxw|up7sD@j*KwpYLzn`+JK_@?LhD z+v8Mo23!o?^W&DNo*$Q9Z2ugrGErc*&?g4|6IWSH@Q z+Xe`6gw|2w>JXD&O$Ux+1KKD@&|EZSB8XRc5Upv_+6&ZHYy(26UERT+xxYuZ$RPRx zHNN|2dF-oB8<&B+Yc74YgWGqX$b8d=v35+Qfuya#Co`+K??@!!s?yll*6T_2g>I1u z@h9RLx1yiWb2p6k^8{deIa<@!ZGW1!OfL(||5-I#ndMtEQ*OP5W~um0r6(u_s3)hc zMbgd7!pQ8uzO_7kYGr}_Klg;&Z>$K7wXcoK zKq>elrkmo=K>hz<^4C{KJ%7wtpyjl}a!b8?zSeP#{5oy0R2!_*18dnpPd{jfBN}2p zKS=aSqsB#8PB+naIy+LT$9?$%@dx$q=<8QN?mOE(k>-b6Gd1~v);w!s4U18e)`*(gX)Bkb-X?x1#FWV^|!D9e&<8P?i)nMEbtJUPMs zS}A_b%B#zu5oa?Zrz93gcpOKhfj<*X;hSI5-D6o`|1Ub-tmyu)`2O?qhwlCNVM=ZZ zIi72|qhHqHxz7D+km?I(kY*ez8l9or@b7EG=k%HeWPjqO<=4JE$;s%sXYXX6+b=r8 zQ1WMz-B@amr~LraS@J75qaIM6R_E-W#FNBVU#3h*qaUUisEOI{%LcDNDTnqc7;4w}Z$il7U0`V*Z`I4zymJwsszk>wmV1r?jc*?W!$ll%O%_PaMhKZ+J)4 z-0@v{pa3|!eiWc}OV!K$$jkqoS36z)j|V9^ z+2KT%tFEy1TynR{gb9D-JDth*RPcN7QJ>=yxYdL+=l*!xF(_ z?tc;ZHGj6F#8$f|d<0cuL2@kttyBqKU|#>#hacV)-v3{A z`u~HJw(|e2p7?GXc!b*k3&=ScE2232^%BIjyTmlTb6{l6^F176W82zzW82<1+1R!@ zn`~^`wr$&XHnyE?GQase-}n7zdiu^>On2WqRdr6CssTyDQ1G9@z4PwOWQ397a>$F2 zm_>;^^T!V7>o(qC&3PpFSFn81Y>b6AaDl-B?7xCqG^VyC7it(tflqq*TL0kYD1p0} z{{RMEp7ZNKLFqRY3v_15j)!t6UB=UA;- z=#ezllbTL)_p8xCRp-#a`&&6TYqN2W zQdP{>W~ZczWehfmIq$hE>9kEN3Ahe4Fc7TC-cUMOIXmwsu7Rz)UEkM$J>J{nKv>$E zc8lQmWGLdPw%g=WOE&^>NikQhh|bB+;MR=ZUCH{ck2>9U!xQ7i|{Mp!akJ zh@z6>31stiG=4Q~f9W-Xk#0X<^ECx9=*(bQt_T4cm)wVMg6yPzekrbv#OI-lLNh7d zo3Ydfk>#V%M(}#wu+QN zD8A*W8jI<6T`=z^HYj3NvI}2dduV84uLG%4ObKBF#{_BCxTK1Y5%S+Zfy;pB%2Y34 ztY$4Q@FtY@YG$!w#lw1Lb~-C}lSZuR1LGbSIqWtJlB$|VS|2An_bSytI^JqMGH@_Z zow`&^)lAEqY}v+cwsvGr?&XE=@|rsWW}N|nI8%ZF$^-m|J#*TiDI6|kr=JyJxG%#L zRX17h9(<|)Ya8NXN{VtM?i?V)?%tJ!d4;y$UpNTtK{49N9K#(aiLdHon@nzt=F(AK zb7o?!Yqd#0tP1ci<UDlr=AWn)a@N9&u=H`~d36}!ABuDTUWvJ~>BD|(KFyG>}nf(`aw zZg$JKd3uZ=vW)Zof70Ewz)eu8mK&M#TQG~V1VYTMc~pJUT~OB%T)|%qS)Ey5ywzn zVENpEIPBt@OH!Y&);M1u$lK)1DRH(qPd@?w_9wEHaJ;1J{Yy+lQu1<_&l~i3Q3X0d zp?r$hcehpbJeQ}alUzmSF3f_rH%+tW@zSlLFT23@V!#Sk1=}p`tR#v#Z#D0&7I)1E z7B-i6WA`U!9MR&O10>9oh4r+gbAEe>ciwU63z1N@?n#Lk~hQwq|S`Ft38+Vr-=Cf%K7wd;hk0gTxVBHZMv zSC#={06Se?e_DK@6Xkd#P$?f)!uNY>f6Zyk1fJ6iVe z?3K`0HjI{XZY91dZ=7*A0NG3>+UV>&{RO$R@nW@lI(au*@+&9HO^2KT{QK|?+;4jh z*lN>N8riDF>N4)N+fmMN2{vryE z1B#8eRoLokW#UTpa}`v*2doc{PqL{Zz>r#t&@de3du@UBa7aSw;L+RO`rZ83&hY%l z;$-3rY$#R{DtHg|6Xo>p_a9XS)(Bisqv?hAp2+1UA~R7geY5PAruB#w7CwV}4mYzX zOaMXN8hrod9drJn7W^#c2wRns-qwKz#Qt11BNDs$wolpP5p`CBbBc)5l~OZSz)p&i zY0u`NdjqD@H3+WUN(3dJSG8P(b^L+qxhUxYp{dDY#p>^+-c~> z6)jr2fFl!`^?u}tgHsMsXSS;G9=ps`6?m|cP+9SNmqK49n59*KojsQdJ7)!J_Lzv~ z4t{EzNc=Boq=<8_y9EThy10n}oEQ2o9!~sS{Cqnf4#(8GrXCJST zS^3F}IggB|`P+vd-_4(qg(VjPZDR`;Cyg!g>6(~Nqy7yKv@~^d^YZ)y?Bp`_vB|*F z_i<%hmIH|!We{9vcdh__+}s^MEnA0HzyYm)%v)Y2Kf5El&Fa=h(P5Xzk{&w%zOJ6$ zAS4t7=Qwi{UU&1^P6B!RKH-s+!caX$v9(3NF-^ zkV?}qfKiFRjeuz}+{aD$q5rnUAdaB`?njbr=QKXR_BhXqOTf9}RyHUa43rfiS;R}W z!)4<6Nj=!kFUZSNA$Zz+<0tWl57!Shh*_`+WpL1?S$W&c^2o2&(hx`gk^cXC@o zeG>tCm$`ah-kzQ<9=?xvj-Fnw-cFuhPB)$bM#(R}%!ButvkFvVyk+xV8;@-T`M-DP zqJkR!;%NhT68467hWEnJORX1ufJSKc^sXKxYz?#fb<@Jmstv%e!839b+A|mR0ee=W zJr`D!)k6#Xv8hdsBg>hc&wKZq`+v8GpQB>MDh5m0gTJ2I$1I)4#dQgbah?|aoxf8# z;9Epejnd}lW`xGUIgPBB?YnWRQbjVpW$~62jU@wcnG0kgB~7Dn5lAi=hI|?B;1G-{ z6tKYQrhc-w7X@Nm&ME`NmOl;Ol6ltBUMZdim9UVAD4WcF^?x7h#w`=bCntk=s;{V= zlF?EB5$h@oqA0eS+I2x*FTP=TA+9c+Rj_+w9Q9JHI8G zqrl$B>_rJ@gTgpDL{N!^<)p%y>=b}1@=C)6E$lHe0v+s`B0U|f%{rA^4!G)MFuj&q z`_6Sk#ku@ziWiZ!_qC-NskuRD%FnFcZkZibcK0eg>;p?bu<{I;8wgI(?)rBwZVJSI z)i1u;@QN805pnvSL3tu{06%8?N4Y0h-f8$?F6Sj<#s}hN1v^$!p2b zWfSIVj`pk=M-DgE7|gSqL<7mTe>BVoUiDySDaC6Evw}zrfLO^QEBAUmN-y~oT;chh zhe8UHNqijN18ZY+qfhtphA1nucmatPpT|LgUo(&ENEJMg(()7sKrp)FFyw3>hOp zeqvwFj_0x*4M}wiJS28Y74AXl5u(H+5GcpDw52DYTK^0{uiX2m9%NT;Qpi3fJp99U zWlHa{7-{d6 zO@x6)x2>-BwxbNX#+4NLZpo1#bwwbK+0Sqa5;@i+LOE6za0^#b4=I*ujfFb}L}4E( z*)Q>KmjaX9mvek-%tHn^OYS!?b$4Z4*nWJvZQbq4HrC|stHZOL+C|-Z9L`^P(cS4N z?7= z-b1;hGvWYUlHYoFx_s~M%>=(*W+It@AAgcyqkFX9@&?WjAH2*|(iWP#1OH~0>^7h# zVHX>=Cv_4OSzjnnKGUUE%hay0?b{)&(zr0d*{gL1dK8!@ z)&CMe1~TpJVW0pIGvH!;BH(}h29^y3bW|y0m@KOKyc*`=tyITCcHqX)BS2fT*y2Dp zmAG4h&1JlMM1Gz@^vu@f7JqIDXp}(v^!5u*dY|q4eq9W|*-9=Uxmcx@MBc3rzg`;q zy0ZvoOARoMSg6A4Ma_cRUmdu)|Mw2(pfU2U-5LP7S8Dn4&dv}4RR80T>O<`jJ1O~O3!e9TaF;Ugq?KnDJBP9JN6t(ZBmRiX6B;K8rG}+H7L6rs{9f#H z(*Ev`*U7@g!pJ|ZsXiw+*mpzjyjt->?IEuO$jILvA|D-mMw6GSL^fTWX@+QpS-;sV zPJ!}|LqATWEN})Xi6tpkmIW9B^Eq4$P$xUe+^DoPo)!||iH%;@?~$C95UG$qTOV4$ zPk%vQRb3AGz6OVn{6vcky0SgLiMpd26gN%yjkSoio1W3k@;f!FVPmd;xm0JNRMz|V!wn}#C0+yD=l;PY@9otWW8!~;N(yk9ykc(-3A{0`#k$V z8Jzrlp`nq&;plInhakZDurCj%?N9FSo3dy$-*+b&X*7xuNmzc1*&DrKTXN~Nx;Ca_ z4g{GU&y`Whx}-w`A7h_4M0&!wb0e_E4m7ZLv{PH=2F6NRi6FQ)*S zEMyH^5Jl&`1B$_GV^N-GGHPifM2a9uq!2>7X4tJHe;Sz==yBPrg8dR^zi5eD#w#S+ zDm$iB4uAP#4rOf7jBe$kI@+|#@np5c$VEmiLp0sl)RvuA8e3t~t)tepOZzLk;P=|@ zhC)uvJU_VEy|;JNZ`BE^=f}-$hx86OeasWE#DABV)4;Zlw!$9ws$VX~sv(FbXZf>^ zvBtTCYx5Gbl3;S<3rwBtj*MK{hjel94llN46q6_6g*g=Mjv~7^+4L98;*v6jK4oEs z^0QNDW`Yz=1<#-SJ!d9-%1X-qckRD+>2c$~))f!60})OSCaBBz48TeX>T1M+=kM=7 zQ5+isiwsNDyH-w1(Jo|}ITq-nzn7gCQ;H0jOf8X89<#<+7kGAZbnqkT<%BRP4Yp1# z#%b4jM9}93G})@XA;$3yCC&D=tBSuN7MUH4qY#mDEZiz8c~A*d{}2*O4Jb{#%r*tc zCUj5s70Q9S*+GCC)>~IR&kjWXm)w9-^17bcE~TIsneT7>#_UOcR}>Ka&%I%1C9iBh zfkJ8jo|eNqYw3{$6e(yI#@>sCG`AZq@r40?`IX1mIwN<@`14fP!K`rDe-^m%)>n^- zCyjI#TILlF4A?zp0;#KZd2N;wm2@AjvX_AN*FYsQB6$FTzF*s=5}w67^aHhes~(eC zLU3z?tqk;UI}EBL)JzcBQZo}}M9oQZr! zhZC4uYd?!xt+{I@MVRbDRF-Ru7)myHr%Tg3o=9csuv&j~w7XN!m>;rzRjD6?0}e5b zB{R=I#s~oi4^Ld)kp>F=X+d!2Q=w#3A;IRh0!t6&KOyP3LKzI!Xr=jtg*!>`Z>ruX=qyZt_t02lkyj-k>KNkkKa3i)M?tOTYY9olJhFU$&y;*U-+xJYTGk!tawh z(3^QMFKfV9q9S>7|F(e|(NvNQ{HAnLA=BG-z_kl1LQ-|R(n5IH(5i4WckOtlhJ35& z0Z=+3)zKB%epo(jH7rus*V5?gqNlIEhG>M?mrb*}LzwRMQMsl8bQ_my?0(NlV-xvo zHd+5Q6_e*UQ`3+65WXhS`|^Iw>u_r!|JqecDe8dnG$o){Vlnn}<)hH6jYGpQS*6$z z^4Wn;sHYq|>}*4e+*7CCsgnMAK&!F=3m_C+nUmlX$n3_*3;|P>9W;&IAeeQq?BHFkw#{0$6-PTZLG6ZA}4JU8(bTX(;LF!3Y~1B zcf(Qvt6_?kVk~8+2YmR&f{2CxhkS6+9@K(hs&TI0sqDr?tX0RUUSA&Tn~NFA4}i(} zfz=2On4jkTmmwoH{z6JCuBiD@TVCd=W;W|KQC>Uc6{sY|decpY!Y0wdqEg9cwF@OM zdy@RE7epW0yB3A-yLbRN^m^WTm&O4HTWeXAZMl`}B04X)Il8 z^^KytuLU|kce1N%u8HF4Ikra;04imv8n-kVKKbPb<`*Mgf@)wLjR|4icVcKYd8KrI zP@4G7n;?xSZuKV~zAE~wr8tE9AIYIX7BCv7O9Ff-Yo&;}u(CoJ8f&@aA*sN6)M(@K zU#5SR10=Kj$bY99vIW*~P{4s0`>T{s_cc}=$*ky|IyxA1rFYWvmh{uJfXlDMZ)h0x zPv@hnwFXuB?3ssPu=AKF3A~wVc||0le>dl7@=<8)>TL>cnA4X;$Lt6PsB}JuKIn!)Wy=c>v7F#*wD_Ycp$=K)8n6nxdIDvV> z%x7kJWY+&_z_KRl0|YL20fD#2(~(>Gv+sY#dIaoBe4s8(M|GQ znfpKI2R)CP!3(mkfYq&SSw8h=0_$3s{)XiqIBUGAiQnqFa7p=1ZSOBfavFhc6odH& zR4^;!x$Eu%t)jEK)uuRJC5?n#vgdS!_@6$#}B$zs%X`l~ea%0Ey71I5RNAI?cn6y}{~2 z-xc0>FElrKJ{?X%Q)~G?Z^$OdGxYXhoDF34dj2GzyLkOYDVtb!`$YYv+XGCdcYH(c zDZgGRx69rDy#REYuMFgD*b<(0Y6J+Ldi#^0*m&XbXeOWM^MH1}AlAnsu%*?&*5iFw zEXm>&QBDTn`9025dbY7ef?$~a){0vM?OAXS9_>%F#i_9@G`bU%9CkP@NNXKrx`GQW zIyQuJ!`Bt9LJ@Li-Ecpy=H$o8KSnNh%m|A4+Ew2Ral)MX;ZC6;ncDKAm-|x#y88L zZY8InzI~UgkASxDl^&9)+tTJ6SZC~NKOnGLK#YW?lmYwn^zY9qB=VUr8UA+8Ji&gQ z4q^+SZ-fIz^ab$W|0gPtdQ<5B+3Wju9Gbnl{?z+me)5E}{SFAbpAu9>1|E3YUA+Jv zV}(|({@hGYM_)8ezna=W_Ahc8Q#2#LdyhAw!j`MPB8GZG+-1k7A;_3pety1zq!IQ) z^l!PvO|cc~^C0R`1D4zKDDZ#sz#jbx9)zR-0Foy_hG5U6uK@p&KvYZp-LL$e=fNawq^AXD0H;Hk zVx%aJPzu6Gjn{^%kPCQ4Q2E@{i*%Uy-OweC5t}aV?4uW^y|X#lt8KT=n>Ydxyg_-G zl(!2Y>t`4ij`koeA#jIeVd#gov2j4!X77#*6=Ns=j_uC%``QUJ9CL%_0a~&tU?i$j znm)vdJ0?1Q02B{>Wp7%G0Cz6q9)^g9gO8^aJ->zFiUKTfXZ7&$ek!?Q(xHbd{MfqA zM6)e$LQVYnK6iunABYJf2}ogRFbC`H{d~IQ=L-yD0|>9LjDQ`#L}B~@!%;)8Z&~q} zVw#&VJQ)W5y0{4V_hSvuw)Sa$T?*65U12#t-LVrx=OS1u8!50o0|h^Z2RmUjCyIw< z3aZM&0>QG;y&pYAjf6wb@ZY)8WC7~VU%I39%IyZTdN2orvL4qe9spbP0Ghb)D6Lbu zQTue%66o0vi*DBCzO;q@_yMZME4gF}tp8$={aO_WjSVoS2ly2zxeMrxj47Wpr!*fMU5+MND?y7e!{sPov1S7<67SYhYLJCQIpF^QO1j zw4P3g+XjMZpO}gUA3juChxoxR&x4nxo=P{1Zn5k5ler!dBKy6aRvB=vn%U0p>jX(m>G#Gkq9Ber!W`FU6l7( zV)8;|=RF{7Qnn}-xokF*3DGV#=6Z1(Pw>h)vZl$Y|968~+V??0Gz_%{7#KPulD4 zEwxF0r??^nCVW9dNyDhD-{2dnz-2Uvn?T25LC%7`lh~wxR<5}5aoJmiJH_J#Jggsr%3=?GgHy-G_VEgudvv<(?xMN_Y8?49U`)h2KoO@R*F}h^hT=*faK)W zC2|QcKM%fU^*v^csDFhFW(?QoFAO}|Hr7p7tTcDlLcMrYVcPq5WTD_o>Me2E&Xsfn zZ|;<;)$BatD$tBv@j1qt=jwL!czd><;$YwjwJ(Qk<&c`AhG^0KWmBj_k$l?Y=osnp zS@MiBqk??_2{UY~E7eH3+_?Ax>O4}QSWZE8>gY{#t$|s(v5Z-6znfLKvTOJk8WMCY z40F?3AzdoH4hG*?@Z;f;#EAYvx;L^MupwQ0+>KtZtbn|*j~a9(fNgXgssHN-@Qp}r z{Oo(mVeBq&_GZ8Y?VpJ}q|7S`;NRV--t&G9gNDYaVBoDyF+SIer>i-j5uBEho4rB0 zK6YmoY|hXsspHUl(n9 z^IX1tyo>@2D4?qDg$awqm;TT+alR%6b5%pE`n)cqbpj#^N}t|&;c%T>C1cs^qeiwS zKguYKRMn>{n!($b<{<#iGQ~zLI7v7AX}2U6=M3@wU+%?3B!+L(86N&f0{X%cc23^)oFGVXhuB+nMie{Jk27;V;d`YR zdAur8S5mn++i@cJ1_Fe;nC}5%M`VqbXLET+8jB2*6DG9F$qj)bl`;T!YB1oA#_Yh! z;^X1R(R0iaQ=Jm-YzVDQQdnUXDyuOpe=^x~Kc+z<0MVtrZ=N>M6z57z!-}2UasWPM zW09u{EoA%8*Jo0))>LO>$`|kcsAylM*h?Mf1`~^9QOAo<7#~}J^T-v$ zYrN${Kik6^{yiuoOi)mvP5)pQM@87XSHRHm5m62Zd&g1CGPZq8?64MEo$=Ct4TFFpTviR&=F%(e)h8hBCq?*jn+@y>z7k>T*sYG8}T;QLl^?r z{zOxSm2gK{1gXvjt+X>Z@AkKO^<)X#_$d2!W0gUVs&B_K}UDl;CV$&e<1Nzm+|G7vTghgA`pKv?Rt@ z0MR_lwh|E?iaj+gtK9kdf#(PH8rLL zLvyL%{r2f+%8~?IRFFujZIpiaRSFJ*=+87pnF6U&ofiWR+8Tp`AeaTv7W|h*K=hFJ zGYV6Isg#2MCt^MOH@!D^iAI!PTq2-MjsU(&0wl7Nh6M}m;jCASEGWc}QP&}s()N!_ zog(^t=~dBy>W~!y&dj|YQnX`7wQpr{*`8iQ(5A34p9R{Qlh4}EJpH*ZZgE%>19XLh z|LFqZCCKmh!I%Z~bpif&!{z92sS@*+@I(&sKG!4jV;frh1ddHskT6P;K<#l%Eynmc zqul6uRhbQ6y6j2xqNDHq*2i$dlpUybinGX#{A7EiEe|d$ZwZ`tJqnoYZiqF&zGxp4 z^q=c)6PkC^B^2G0M`BmD_CF z!GV6d*)mP-xNFetc$8jZE+`$~?$$r@Sw#zjRnV*Oz zv6wdehi849EoTxaA)fcZR?WfAGBKCB7FD!WJl?v4olei|wL$cmr(~6qQk4Bx3H}4B z#B5YZsk$l-;5P&RY{dplszYgIS7(*yq$Sy4j zs2d3c&vfmWUZkame@LuTTJ*u0XjJN>_QNN~M*CFRt)E|{t2E1nr0b$armI7VEI!3O zwMxNiP-0(K1qzr`StYRv&^?bgL>eb+t!e#*K_$-xP{B*!3|yn7Vx0^A%FCL&4T1}x zQMa#b9s7qYj}d2s{v8=zbqc;C-#G(j`f|dAxl%nl)=GK?-&uF70O5enWJ@#A!`+Yu zAH8VNlp$JGlenrX#gFMf}au%1Ru!{z26gU2TG1cOjLV}gcb zp&Kx9w>=I9d8D1^Mx;Kaj~kAEf=skuV(HsG&x5k_zkx*^?JWrRnOGkcwftKc15KCoIg7cp|;Z5~*8 zLO9+{+fC1e?3xs+zk&d3+(X&h(*gD;ek>eHI3)yf$rQhx% zU52XRdI?wyk!kit^n$dqa_zXU0~zFgZ{EQx^i889x7c{k@VL*r`(UB^)B2u~4a=xR zG`f&v$K!V@9sNolp#;80|ESAO&=4ICAD1fngCQ z$ZF#}z4lmR^2#0McTd&*QSiMZ8P|J(jj@Wju|uhVgk#I>@p6S))63J&Tfx}&D#>?w z3leSAS!owRT^b6ebO~pFVV;hVmOL1{w?l6^d5c@AArOkk!*AGj2D=IvhT%2oc~{aT zmI4h(!l>M4)$#gR=1iKwtUM|?h7mkhC>(wsm&1-$ebSEw-t3?#41+Ui&5XqvxLjqj zr0eYGd^Ku2k4>lLKdH%eu>?Lne){&M$t<3NA8ox1#CmVkpt&yZGMfJoXZvq2YGQxSRhALI5 z6-!!e3(g9X6ECx%@Mn)uq*jr0I#d1sjZjaQE-Mp$GKYq^4ddJ%6bxHkq zX;5_2XqR%nA0YDE7aiJG(RV2P_lsu03J<*B0AGxktr^FHl#mJ%`SDHkD0`8!|48`v zR^ORlL>VX5VQ+AmCEo*EAYBi;eyuUtQh8SW{^fJLPF$3@CZQP^UEJcDv!4YVC7MkS z?hi>=L22`@%P;!;AiAsmG=lzvl&;i3!C3#3iKxmtJs0rn$DH<+r6x}!)t^uCW1hdu ze~@m&piVK;OFL~k<6B0b{b4I<{hIp>-6Bo9>`Gg%3~v%Rx!Be)gEx>F1@38BEx-|i zg7Yx4**x5iV%%MW(}_4Q0!zo)vF-b=y}Bw1t4srsw$%vCsj8oEK`2VJN=o$Rsa0#- zMS3*aj5WY!?Zu9Povfbnfcq!8mq2$*Ytd;_*!cWj9ZSgc6-jQ zr-m&VKzPZ0>j873;_akO8ESbl7xbZqHY3n+f;-v8v!$AKwMW9DB*SYb8F5%tXbJ67 zVGno5X%2(7(rcgNpO~OrOspu~OS6ZcHZ{%_89RK7T!~W!?+Q7&q(?j!O@xVK6m;S7T zM*ntdiQGxB_kR4V^FH%D%n7qWg800%p`sxnN*MZ!g~Z>efIa>-iS#Ma82Z2+MHz>2 zb`G`a6fxFy>W+KzbByEx+%>)6Y!$jl8Ss|~_z!79_B9maGS@~DHF_igFOwebvwz^P zjJ7Oxh>iu5HrH0E5q&zIePX}quw!mqv+1HE8+D@FpdbEog2Lc5t^y~@OTCV~dB~e5Y3E3T=*}MPbd3)J7Yjd-*HBCs4ytV)i$9gG~NybL~+yT?efJC!K1p(`U;)MXdtL?j!Fp7$5}mp%!kl&VPF`i|c>tP?d`4%*%B+orP{D@n}q-{pNXd8TLU)rplL5*6=|}6OWLMeaIvRgLPIr4lMpZb^GhU=e*03_xM_=se zDJgvRE=bXE8Dy%1l(#*uM+C>0@9Tz{%(-fd=8bjI7OOVLdc3riAOC%OrWNYVoURN3 zbli(i$a2=oK7*>0(Fno~u-U7e|LOE7_FYP*(a>n{O1C)?m^E=)1LW~^Ry6v54s_uC z5;9A;EXaSe&C3S?TN{~X;;1oHnMN`KgitPrP7pgZuDX3>P;6Xueb@$ZOrM`1@9cFb zRZ-6^w$xJ+m7sJy@IGoOxl~2N*$x-oYw)#{4f|)UAaN+YpW?QL9K~ER$mS;ZYq+PHSFX*XB#V?ek1}Z_U!z>?e{Q~&M@$X>bp!e`4~?Io6!=q_ znom+#os{@UFt#x#@_mIKj9gs_jh@)e2`V@%2vFCIqx_SjwaZk#YKu ziRJ^-BXNs?57Oy_f_}^him0W)#of}P1#^~(>5&k!W#&nV0GDuM-k3XJzJ#f-r_BE~ zi?(MnV(}j60iEa;>8`(B?q?*NFasB9b`;jPLg5ONhhJrH(<$MBuQdL9Bn^gz21iwK zCM02o?l=gAjAto^ zR(p0@EiHx_VE+bdISQAkKZMB-I}w^n6-)8{gzT8~eEfYmU{7_7PMd1wMnl=~SF`TI z0(Ob?_*#3y?TBnr_Bn~+gWZ{@+@SQw+q-t-Y&&c|Sz=Ol1|kdOS_>djS_Ifu@)^x1JE&eSL z1)rp9uMeNN=;(R8#)a7hS@;Ap5?6=se$=y}I$^Tx*cpIag+nugdZnT9v|F;G(v8yj zCU!fHiBY&P==uKm{B0L-{v#2WBC>=z3J9kv9r=1EHSmjylWeMGE~ZL&WYn+#skS1M zb0e9dIM1#)C+e&DUvK+!9FOV%1xx^CKb6}f7|u1($a=C5Eq(oc^W_5@l5}@)8!~d7 zGZcO%_5ZEj>oi`PNx|L(FE&`S^%IPA4~9qAN!fJ^KyC29c8L$4VhGFMF(c<)ZVG<; z4jr^UedF+>&a$HAo4SN3ts#RZg^=*<8JmBpt!a`}S;f}2Upgp00iQ|BcKZC5%^vwW zMd#YkQlnNb?PpoKY>6XxX%W{yp35d>*DNF{fxva2m+Kb0Bjv{zhbLOc!%K`!4y*B4 z%BMH4+=DgyR?Uao`fb-6gAD=^O3M5axD>D>OPclz|LBjWYnpb1Kd>SZOM@vyrBb?; z(enE&xQH-pfBF%T0LN-OLWObxssVL}>|*7A%n0LSRU8cT<~~<)ioain_?k;pEDP}B zs4;DWHCLWw`Un=z+%-YHuwC%2x|Ehq%=&a;YR&b9(@dy5h78m7-TnUigFGvfuan;H zlSN2wy9*I-@64(`tMAj^nn8xYqu7^CXIS2QY1U%t?GTPk5MZ{+FYP3X{8P0E&&ocz zXTnNAc$#E`Iftv)wPKvcnApG9BCZ|~F zrQc7#G3{H*iu6M6JXKmMt$6-2r$fJM78(W88K>IHw(gKQyiC1suQ&0q3rRsESuQ_K zSY}RbomYC4FThbFz+{Q)`vIkRR`MB~t&m=z=maEZ;NZ*kT5;9#16EG))^!aTiBEa2 zE8e?ZLHH=PF#C$;m(BXzxmVPzpS?aiHYHK=V4|;NDyc5n176iM@4sbi!bDzvDoTMY z35YvmB3g9t%wGZqPwh(g%Budwx|)1mu^GNiN*Clyg@DScu#6Qgb$P)m6t^~Ip>$`n7lEq=mERc(4A_4;35Df=`_Zi)*sL9u}_lPm~DzKQ`u z!1am0=A`i+YglZ5itc!9e3`fV3-exvibZYf!5f9d-+%-z{`Sw+Re>I>DY%Eeos>X>L$TRvA*&;_BR;HHc1LXGjCX^SxJ8Rg5;YK*4$## zSN21(&^D!iNsqKRXKgFm%Xf!79HAH%4RoyP4k)wdUUMgG=Rpi@)a6R+)v@xEhlxL! z)N8FFG9(4*a|azR-=cW+=#2S`HqCqQr@R11x>nQF<5GXW9x-0L@6pgRVL?Jc^Iw=dU&#IDc9IjZ*2cP25l6fFQ$qEuN=yAWvpx3j&D-Vd)G}-_# z$7sgd3uT^TPY8TcE-wBl7rn9*cMrO0$}dxyX(PsaimPIy$S};o zm125OK&a83X%4F!vAdeX&wKN!i8s*CubO&LKG}!tK~`Puem?{49=nA zvz>}ZY!QU7x~T5(?g_UTzcy}MJXHWp7q*h;Ib3SX5(|h4x=5rNNF)Oh1mwc$3={-8 z$dEPbk$|GJD#ipFiAoA#gX*?}y>pF8Yaz>rsu=r@Sev)Zj|@~TMjUTTLEO5-od5o} ztDWVTMa}7b?mQBAK(uxUxwir;(`c$DWueWkooD5Ve{L~UX(d^%^|DQ|7XWl^#S{OX z*h(LeZ&9AHsylzAnXzhc+OBl1TJ2rUUJE*-+O!Smi1gDJpwme_OeCNpIMb>yNcYZ2 z2;SV`e2-~k>UC!R=bk%T_8=2QmNg313z2Jgf zAm?)K-$S17aHl;12>00-?%#Se89xb>fZF2@B4M^7oDi@SpaPg<77?ZtJWRT@`)$`f zdY7EcpTB*ZRT+crLR9KYb|b#$kyYiFtP0H|Hr^JJ{@XEFKtKmW3M`@|PfPT6Xi2X7 z=a$>aSIHT5!q?vqM#ViWMlP`tbpf|scHor-=c+Ig>Ui@2_)PhH^MT!K$_*H;Ff3yu zokyKdLm-qOBKaIsap7^ToIiEtRS7Xiv*H)AmtiOL30d&BAuW2JWS+<|nQ_p~^0h9S}c*G7F3VZ1#DaKzDQSnvB)x@_1rxF|AVyvSulz4Nbp-Ve{`k6_)=kOkyF zp&+wF+0hS*dZ-ABCW-}&vKH-&_Eixbw=~_JY zBDoJJgCoboirwXXNBFU{L{f@YYBDfO?<=oZfyAQu_JJyV)&}4L&eB6xRKli z0zpz~l5GTNz4P1=L4;KdsL`#cl0aVX&u{zdmA8n5DPUCA@7a^nd5{@Y{R+6S7$3yj zh^82TjEHIHfc&k9=kA>AO_Bp6HMw?xRA#0o`}!8YFwhte%*@f0e51=_I?L>m^|s+H_>JuW6T9& zQ(yFR^YC5EE;YEH^ZZj;#+Zo&3OjRw;#64tF9~W(--acf%j>l4ryE|#N}TlV5u7#v zv1Gpfwt2^OqJc>eTb4-@EHX~1l4{b{AxUCA8KWj`DWX8e45$}L?{X_H%R+codQ_-iX zWe|ufBVEC~G6#S}ERo7ePzhCRoCpG_;#V#`9fFDR78p@m=%{{+A$NxiA`g#_md;p+ zYhw`cnc6f;4V_5er%C>_KJNEMK5KK*<-vqLpFmi9T_m(CObb5DDh~WO{k}iNdn?DA z_;Xi!pp2MpQBSN-YjGx}f@++D+B)2+;8&eqfSP6hyeBFm6)oO47cR6jk6Z&F*|Mn& zf`4p$K2gd9hjo{niE+lmiw>MSpw>(QeT+!TpD^C_TpTw+lYVo3<_W@vy#^P*;b(+E zG14xB$XXVdWhX`~N8`~i!+}2Y^7dcUjzTA4f2uAn5MC2VN;VUxe05msu8=h6ob6>d z^-9|kxy_J)XTV8dZ4B8CrA#^?>F@729=6S5Y&6_0)PN3M9)z?>aa{^}*s0V=BD=yO zpwZm$Idi+FGcD(L$yLtxlCmFna%1S?sHewD_A{2urU_9T@|6^B{R zV*^%n$hvgOPz^QmKAE=x)NjaQNw5*lHrVxlrE!s24hsc8zZ;??ZMKNv$zmZ`kwz_H z|0N5LVWH6pd-Wsnv%UvclzC-ML`dU8`RUTT?ETsBCgB_hF%<~jIU10`K)YVt&aWJ# zc|C~i32h}B(O^+e1WE%1(1eMo{k%4W9SerT5`p<0-egK{A#K;_{De|b7IIOZvd)_$&-m$@&#C zX%}V|Y$Eus?y{KMR_rt0ztiG|m4eL=r{FSX?#qkGNWEkR8Dd6K020uY$&Xh*wc>e= zu+S9r%L;$b*PUD_^*jw;SzXjPaTsQuW<=I>{U~w*=oEZO%CdTYyRc+FNjc};42>%x zLi%P2R`*cW?Q4a>ZWhlhJTkG{%w#RY@25IDRCxCtM=Jp7d;nPHTDmOq{E$Daf>V$m7g5 zFZUlrTSLK*R(PaPXkTMBGEIg-Jg9en{(Tq@2*4v^2lRQKr9~g+u4<=3k+U+MX}nWX z(;|IqyA>Z2_}qRt3^^HhNBOkVoac;wYk)*rKQh#E(sSkom?3_>% zsUTO5#ZBi+v#Af|7w=EX@bcKMM73y_nNllZrHaw|dmL-xv{N6L3+lcd+(cx`WTaI7 z)AJ&P1^hn%s6bc0u27~A-*_&0*ozwqq_TvlKA4) z6TGCuBpPeWmlkvE)o2_9Orc*3#7@4tVnhZXtjA+Kj2dfT3n*!!+N9FZ{~k0DGEm9i z9-KEEK>r?p$Y7p)0i+Fox}Wm5=QiHf0Xm9q@R-9l(CrW4r)gNevMuJYpF-_9Sth+tL5*#Uy!^xrwOso5H zOM5xz^2ftyLknyc?ONB!Be<7BGXX9f4j{?$&y1v0$`Y4EA?R4n^iz&H&M8W#6!{kB z0d#_YNEpm$>l!MIq7oA~Da#0tNn{OOA58T%r5k%Ox$!jA-iTrkdkVp@O>d|;3k>Wv zaB`!0=P!zL_aoNDQ65nU6bUFEFbVxf!~+uJlrp}BZU`FUF&f}ed4m@zQPyjcNM$q* zsBB6ukIIwf@4dqFeRZkN<>Tne>fa-z=0SOX`h8#7?&oRkR`yXSWE;%8oKa)S%g0`0 zR8^zm<*4y}1zNtJ#MQ*BM%4_IVftM0N>+5X30v_p>w1BqfzPE^JG$cSdMuMFnk3)C z7%k~pM*=aBivwWcs7oStqnC-4`Sc+&QKxpPFr@6Gf3O=V0&O9lb#>)7@RA)^gyv9x zCSY+)06 zq}5|;)B%Yn$D&r@*&zrQ^1p_GyzMVoVQ1b7mBp+BN!V@Af}yf(P4|VeKrUzMY&Xt^ zU6Q)|RLEKL^t91fZdsi0txER-h4Bf0&xC*tiK$BA1U;m^9u2Zc_~IRRuCZIDWX6xkvC)QD9j?V1@fUOXn z8y}Q=vukp}QZnH_6k>smaFEMG9BC1)Q*kWVK?xQEGY%_}`i;hU?ntAQP;?xBVLDV2 z9-LRn^-V~kq&4U|NEzpj+k<10KOLWLp`%|fw*cZHjj5Ec{DzT)-k)1~ z`+a>aC%z5DNnnhU)}EwL@$OjaQ*egNVVaVBCVZ>Y;Ycb0TIvA6X$5>=W54in|{Lp^BAGY>;&vE#}&a+nV!|wJE{k$PELOGXxy`87T!|2nvF7!YaB4;GrIkDIaK; zBqjqQe?DjeSV$Nm0t8l8W($3SLYq&4Bfp#c6aw>WzHOYkNa|_jWIH55gj3>a06Yci zn!3I0jalY(NuS0Wih3nS>%?x?`6YUr6jht*9AHOne;@sK`Oh=QmH`%Zk)^TR&5PqH z*~Yc4^Mu4>H|vMZ0Ie+J2aZ*o#66Y<#Krsve;h?0ARw(#v}{ucB~LPA5Y#=msYc9E zRx>8T?-GIiBDRZoJpA-qlg5%b`EShw`3Gmp8|=5{!Ea4xT)#EHd}%87{HxrAiulk- z-m*4t!>A)Vq(V{m9}=fPvip0xJ9-j8A4yUYP;QX1RW*yC)1B&LjYDNl);vv}GQ`nX ze<^+ngH|*FE2;8jim2qFke{hmyz zKm2leda;%NdGgZv_T)w(F`-wkrfO?Z20kn2e=IQ5{Dqe?`TQ3sz_)St!G-J`Rl4S=h0WHab2!f+LPDiAj$NRf+P_*)`>k zzZ(mUWSB=1?Gm}vQyd8J_k-Pv%VjS0q0rcCS?u!QkaCgIZl)w9fNy})un?YGGZPgmti^ce0s6;?N7z|lh{HlyU>N<$= zJOyEX3R^f+?BmCj8E-D*2)F0A{Fd=NcfHP)kYc^#ETf&peEh~s!l@M7e@Z8tF}X37 z^IS9P7y|bV1WMS^{xQ`qd>}wt*A!?#6Z=p(@G}|r%#1&-KBOo2=`DVXC;!3IF`(KYjBa&YlT~{_A|h zM?X@jEy&eD;~vw8@wm$}QG&smjhzFh8tZ6LACAc^4Rd}W-|e(WVI^rSAZy=Hpz za2$F#7SuCuHvC58h{LH*t_K&r0yJ+-QX;WZQre_!21iM{y)E^Zf7^u;J|!UesB;xn zbISKd-H_@^jZN4V0VQ@@q=Xo=c(Jw_FO@=ozIt$#+kv!V4-=TM@JIs%nKeXbEB_D+ zI`NUE>bo3I>7!$NP*ToS$}+h#4j7Z<*Ju>UA}!FxfZeFuW;jxOLyZNIG-avW@*=Ed zMZIVKfB(<_%i&H6f3o%w^j@WDE%uB08FiJsiJJ*Z42;aR1h={;RVQVD@zh!Ah8o*1 zNk7FQjOt80 z1~gW##wm_NHjKuOIBWaz(FGY2Fe}x;rJb`inRg~FHQJNKe-#Jq<))&~2{Gd+7^akh z(#3pW?zx!3I`>>AjUM{0R_(>F_eOO4->F+mGTO01{S6rF(jgpB8cRSWyOA@c zdCeLZSY+H|Jx>gXm!#|u5{L~g;}7v4EVZ%$3K|D2O;~E2Wb$hVJ%R;X;=y64lrJ^ZT_qjlf8jZlb<83iO6d_GDmaOHj^BeV zG1@_=Z(sS1#^&a);9;Zzzkw?)v4HDE&UJtS68`7rrc}GmjWe5m&8^7nj29fIaYEmz zG6!hX?x1xu;}Q+svAVeem3Clwy9W18Lvm&fe-NzH=FViBP<0n{u?-)+{|8AO9w{f^ z=L2nje_;ugyRF)H)+7nwgz7^a0M$IX>Ye-T?3I(HBX7AZw`3DJi+Bt$q$2DnS? zm9!XPG+;v}A(oxr;IXxQy835MCqUB2I&O`YV#=JGDdN&ItcY0~0E`>DvtPMoovWf~ zw4;gC93>l1gQXKK^lyDY}2naJf@c&&fWP3Rv+7ZlYZ=R7<6z@i? zzpY9TOO#j^7hTUroy-W!Pf3vaXuEtg+NIFCvCEIrLMW8RE7z>AXZqnij zkMM|e^e5MUsDs2HWm$h9|eh$T~^D0JN99(CK+}+fTT63#ihY>Y=7{_C^12Rq! z4$R$|w;=ya9OoHdLwzB=cMFsSSqkh{53Fn{R~|K}LWVnhvTn@ieIk%`nw>PIJMyZ> z&>x(|iPXTGpL_|4bCT&93G_=7e|<(0JwnA~PH^WyrnH-hWhimA}Jbn#5Pr$($lF%bp^`3;pQnuUCR zlAbIDZrWv{H+P-qrh4D^e;rF3YP~pU?H{yv{QV!$*_$8VB6N88cWpf_&60Au(3B7Y z`;m>w|E&4#ilHBrl6Dpsr4Gk=14~T?Ct7-U7&?dm>ddKVI^TkMd4GO^c3V5`c}zx0 z7Dd~#Fu0XsfrbR@OB0fX-{3R^|354!#0wZ3iLIaE6vu*)S|#5Ke^doUNL$xndE%61 zap-tWSCGF;ddJ*m`+A*dP)m*q?HXXYkSBKxwW@>fK1|wxjkzn>Bb_3T~ zw6Pq=NNzJ`#@1i>|MdU4F)ez>EKXyZdf~TQep`DJd+4px3xt+XSM}B2S=C>}8*h$Y zpDK^F@8r+R^P}U_fA20%-<@5ay?yiDFXtymSEnacetquq-R0HM)i0L_eRuqiql>HJ zx1;lO^zQURw&$#n@67gxzB6$azuRf;w7k{}ueFETy9c{J9PID;&tL5By=d*cc!s`j zwOTFo%hmCBCUVVp4)4*Z_^#ddU&wWmvkb!{oS~MVi_@c%e}5r_%rNAe%d4Y{EBX8A zr_)9aze5PMw-xvoT0%j{33>ed88>rtpuWZ6u5E^)9BXQQR6gC zS$cqeIsfV6=;Rdrcy#va^yI*tJtSBJ1JtY>R#S1LYpI1_>eX~f#DV*V+HLFVLzH(| z4+mf{Jdo?Ae@nxV#0U8SA}g#_$Py{_POaEFS7@Iar~ao~=&6Yj_Eee3o)#l)K83~H zGrbw)JJN{L=c2+ziG@^ef(=*3nTjRNZVZf-^2qJy|G`%H?Df4{y}tK$4q7k#)=q2p z#r}&Ido$Me4}RO{kNp_nO*^(8f@HOTlM`f4n(O@{!-FXWDD!bNx8jQu_zZ zmW&z}+l#ew>03M7#GVO8L=!}1-NmZJcEZ99SbrA3U2u6|BYmf&P~CdJm|WSoFLgL; zW$n1c-ZA0StT^;Si9_cp>CunIA3IiE-3ivjHJS- zG)WUMf1&7RowsXZ6>uW5WD5=PH9_jEg=x-a9qCfii@*U$ACblo&Pjv++;2t;sSsndI$tYq>s?H{`m<}2w)k7En6&&@!31MBbqm8Xx5E-?# zUmNiH^%LvQxuHV=DQ8a1p%L(8(013Ksg%Q5e~Ny3_p`4e;uuNmr*}Ui<ijy*8(_~;a;5hZEC zbgnJdAq`cyJ14z_Mq|KIbq22^ObswcoW=oB1|&&rAYKn)2ZbF)-KIN>(ext_B|EpD zP4B#DPnxlfgR!%uQo>o529lU3?D7fU9<@7Q_03|EFB+WCr{I{I5(rMPrB6{HJXl;c z4=Tvm)#NEmHyb7fFh@@U|vB1541hPADjc(R+etJQ}18op~^aN!!EnA%em80KGRZN1U^!kj7=!RktI5br=PJ*GSOaF}jglNcMOe_jB3$5d5Eb zrrqc?s^PSiZ~<2eZspmo+H73PT{P2S5_^P%T^wAaJlq0F`Tueb92$+>RYszeY zAk@`z^piUDQ?VFJwM$XY=C8Sk%_y&R?8Fyy9c^=G3#afarc5!#FfzpkAqIzPZ78Kh z?cOXmR;SdZU`bMhwb;z&=Hz4=AA&KTQ>I4nnj^&AtOdxaTpGc^H6=}eznkHBMTR-m3x!ESu>UQD)%^b z{IPA#b^bsMqcvq!ID7Mx_wMY-JOAnAm)GY69Fq@Ok!XanDJ<=*)cK$+tDRLMe zcr)lNBozo9bQ11EfzM{_Vj`DF_S6o1<$9262_*M{uJfyQA|x2Pg8`Xo?6h0{bHC-K z&t90@0p^p0k?UQj5M?N0eHy4{Vipqr59QQ}`9QZ&5usH9Ze6qsVUi}?(mMthaKy;X z1=wQK2xB=L99n*H~XjrnYjj`m+#02*2$I3`lxI%}N7O=o77y z!S=0uX(bz|I;E-d(uc4J!$gdw`UAcQMEK}ZyF^yjIC}N!?XMqBU!Pxp{VP8o94i|b zwpRL_`jqAjG-#yNZiM4&*D253w{wFT!=(syw{}D#mPjZHX9&B_>ada%V3-zTe;YTy z+}}hJ?Fv82;x;X}?4cdSZcnSohxmRWaN{y+VHc2GCPu~cdq>a^ia zVS{oGl+^hh7bH>2l5_rULgs=8zWBo;2pBBr%4gDIwhJVzzry&NH{nOm7Jb(YjGq9DKk)^MRpG z*%ApJ8kM6ZA4!0JJSq^_D!~ue963q#Gh+Qdh!^grF86YfbS;_L?Zj^QN)eX3kSyNW z(nc&S&S+sYNiw@9|0 zfThF^&eBlP`-gD!3choe`1C1ZPK&%a3bo_aE(v{KP;TCTIzIyR2cfG$2NiT^ydIU} zY2`;iFsJ{PEK$#sgxH2)(H=K)igMl7k+5_?dNW$9`BbJ;hU>@QqbV0I>jb9h$mD=Ze+DY8q5p6Vg(*vNND4UqA8t9l66Y_Oagw56 zE>ABeOTf(*l(LBA1x&CAjsB-E&#vAay*`7hl$L^@7Mkg&63cMFozfAFNS{FXx@s6D z`lf+XQ;Xeb5z476DeXU2&w`IsfqEFUVsC)06+1V7@&x9((2>20uAHjp@1xafwVv(m z!N09mtNd@Pz5DDx+I!FUp6&0o_GP)9ooD+y|AAWfIdJo2QUw2x)}8w*5AGXzCg%2_ zfsk?19WZu%fSSKGlazQ`WZ9DYny1B|-=x>OW9ItbZsfoX{vYC5L$8RE7ESUCW%qC|7-E5r&!ljya%Y8H9piIl4XF;c zPh&SBmA~QykMx;m{qw<4-GcXYD5h{RRxoS*w|4hR>wj-&XSM%7$YaAn$bDbOf;d3R zh5l>9wtDXWnYsQ|f{TmOqm$RC{xG~vA2auV|DD~^`j;GFwf-OCIcCWiK{`Bjd#rQ- zj^l8fr4{+SOio3i@|frl=0lvUw)$`CnRET?JWjV`1GCou^S!eC-`;CKTdn_xc;-wV zcGrwyL6OZ==MD24SCE&emf2jELB}Sv1nQ$1|^j~C(KJxXFf4w$A4r~ykT8}D! zq}JE%0*$T}2CTxn&t}GRuK)T3S99=$S?hnVwNqOE`+M!()%t&k=U>$eRC|dPGgYxP zPgJFNfXQu!Q(}^-g(%E3UaFIkE@L*ti^+Jrz^b_Aa-fdqpNAn2g1IZY;Y5k^zxE7# z-DkG`uihv-@pc}1WPv_rtp9dv|9ROt{0T!gs((wU0i+d@yF>D&e zFhLERB=*m?zvu5X)M=*)Qv(`!G8`;BWd29K?ShNlPC@U%x$!?Qk34G;CQ7~EJIo*8Rn zh^g_Cmet7+)99eibsFj1L)x#gq5jfc>YF47PPCO;MCdZwE7ToqLyQx0fFd=2jZtxy zzc#t9o+W=j3-bS49Rba>|LpEhod52u}7oWLmoZW7s*s^Fk}7iKX0`s^uN8; z`hSq;)2HoCG@`=;2>2_NI=TNJ4kcQG0XaaM+h2daG#av481(ysWjg(g}LX&_MZnv9#M`QzKSP1IByOcSj~lnc~+d34c~ z|NpP%#s>1fd}#nUpFVje9Q%wOWR(Qs^Q9y_0mbw(7?3cFXxu+j$p+NxQ&3-}r~}C( zRV9BC2joDfK7-4^ryrA)=;W<7C7Oq>$@l<$`h*}2?w2o4!aC*E$x ze7s+RUBbz#LAQwL46hoh!Mzo2Y-OR>!@}oSHN>CfY;fPvpx^O`m$?@O3^e z;X4hIh?8QgicS`3Rn;i8s_{Jq_rUU;FzDN*$mjFV2V9gX@V|f!6Bd(L*trN)>V_tI zGB@s>X3bEZ*oM);VV>2eiTwP-?HOc_3%SJ1GJptVX6@x`0~X#Z`Hdd{%Gb*nf{K6K zcM1ZWfQJqA8O2m(x@)(Ji${}L%mi9ju1oo_H_Am(lG0f8P;)XuoUL?#{>Gaw?k2i( zxGl=lCKZ^8T;v*f|3U}id}E_Renx+0Opv@0!4ej+{`hCfgNkqs7|+uT&(GYKN2&!@ zzdTaS`THWIy7*q;Rg>iM2=awXAaj3H56od8Y{B3`>9RJvb z^XI&_Z(1=O)VAy{Qr*jPdYDU8RS}|+lqD&JTblOZ#>vP$B(d=4n<}S5-c(`II2n#e zdd!9iP6=xMXWMV@d9CK;j#^Iw{)TN3c16^*;iCBVsNE$3x0^+*mdfjJS2 zAEt^yAs-G^dgxyRNjmT6oCtq1rE8F5$X*wl^2uqzmYSo8*^|Ex!B%(t!<{?M)9U)y zFF;(Iix#S?6$xX7wcB9rF3aiS<hU4Qp`zi|X9 zf*@!f39f5O-(cmE;pDl>VnOq;jl2G?-%@wTi&Bql=A8+gs6uRMj|Y`xF$_Ul#1U$K z`tqfT@?=WB3Hv0$f*91cZ}1OINuPXt4RJf2Xp2(o?A617zI;Jl65xyz)iOk#(Xm#q ziSlAGWoeB5bJyS1K{tQ7O0Lv|ID|c^R!fZZSQdv(6@AEWY;Il^!sJ45e24~w1&&z% zDTkE#!z`|vjm^zD#Sax>mOHQ(XxYI`^V9n1earjd_l?c>|JRq_H@|#&(nRY8^q|j3 zuuB1+eA;j!+X3>KMr~hPpIJSNJ-65YRbAW&pd^xJ_7^Sdf6n>Igz29-)Q{8ai1J03-CyX_+&ApHE6Za z!Qq6BEHA|M0h=#7j))IUTH7If`x#7z2^IriFq_)5)oP-qO4Ve4yum}#L`_Ib098~` zuhnYi+xG;7?fZX%u)P3;Z42Q9D0+qJSPgz2SZ)FmcUac0S}`M&DA*{T07!Y`!uSo@ zxG``egez-&xi{n?z0G*Y)b!CS2>|OkrKJeqT**j5p4pNcn~KPzNRJA116NtZAZ0gZ z1D5@2C=rCy(!cWl&M^eQGsg1T9d{N=b6ag0Ra_FwAB=y-aH=th1=kXd1*!yd}8(7?{jsY1DsIr#D8VsN0Q;Jy3(_fMY0)+NdFka(o<217Y^HE02K?%}A z$Iy$XZ&uP_H zxXMJi5Gjs%WU_zdA^FF67&)<@t+@khdkA7FgxQY;>5~al$B9IoYv;JqISAxubHHI^ z?voLYGM$gEb|))Oj+Kj?1Gt0387E{_o&dRTr6aqr6s?m#3yoKu8E;IMsz2aW9XKpGMD znK&?t7rLJD)#Zmc#(ffc-EpzTrIraQ*`&HNU;^c_Si4^OkV=&6>j>`k0+mc>6ckI$ z!foMx!d=n3D5@SILt8xyJ-2`7|B86#VE;4qzt-MF{NKG*{NIOp7U2J<9}}BzT`Nd7 zpIg1c;PM!6!WACs0yi<%G&j)~`iw-H#Q}P@3qR@bGVAr|N7VEtg)0T*vC4CzLIwet z5@zF3g}HKL>yDjNbihbw4M1-wlSWVPZ@gI?i27|5kl1;w>D7OM)1pJQQrtQ%tcAA=16ZcQLTjquMTqT@t17GK9-iCp|H?1v z?)KmI&d$!H{rB1aYX5(TXMz3Snt#>IYZgAmv|}hl@o;U$H3rp7?cY{))K)BmnwtMg zwx-xu6E%lp`*WIsx73t}P75!#t?${}M0uPm8>xiGq@{CA!0LaXNJlJnVxgfv9g*0G z6&Z&l)JVIk!OrJ6qq_lvSxkI%q=F8^g({&dF=fy*zH#e+WIEl7gZvGs(#65`4Nk+{ z08b+-#y&vsJ&k+pZh;Zk%=lH$fYpf!alQC*OsY6yFn)*>O?&8usO*HCj7W;3GEO;G zsSfQO#rw8r7ioWVV&|VQ6qY5EqSe|8DHRARG<{g!yS0=sS#LpU(bLy0%5oN2uCTw z;aDdZ4d<7YN&_N)cbXfh8Iiaz22Ip%!5lIG$U`(14!@Kzt1o(_ zeNCGoN^u;rp+%f(MolO3&`ZW5g5zRSzYd5>+Q1MFL&V3!E>rgTIhwZQP$lS;=0n*( zfHi~vJjXQ5V^}NU#@Ir5*46g2S$7nWH}@rl`lV)>!4pez2ZyNHGz{a3fv5C3AAUJH zll@?dnuhg%%sJ)TE#&K&wuLo~p6g0KE4Ezb9hsmJ_xnWrOvXQ^Y$z$&jXubm$S;w* zvuJY>t*%?BGqqzVA-n$B5h{Q+RgPh5@0w*u=`v#MI!jPW zz(tE&-7=dTl{Yyz?<%e+sjFYrfH>07vaXud!&1416a)@AXr5o1{!5YCv8+ezhNNg+ z^7W&CC>dbX-q=uozR89pr2%Shp!F+Git3dkXwMp38V3IM7uPG&NT?uA^LgY`RdSY8 z`qf0jC5s4VwBAE)POAU{kL$UE{a>&Y_sQM;zuWC+6X*Xc`~L$yi{Jlp@911A8bHSp z=9SlR43Pw~KzRF!|9c#nn;0zPS!H+t>jNI0~d;Hl*~$IXLZXcr{~|Azct-!NbYVwtF96+sv)Z# z&5Ff8zUTJ*UnG&%JZ9|xGx&e&S*x7?ZGU%fmH+KQo`v{-9FmkHtc`+j@5j2i7|QUc z$k;i_q|jErA;9bEtw0$I$`W_oE-=}DMTvt?*zZTV;UedJB8kiwtEbmQk9Di8>pD`; z`WGHX8`ZTR(e=UGuYYA5TY~@RUTb3g@9jNnt=9iTJPWLUb?=A9Di$AQF&NMLQp+|v zueRyea{xs&+SJ%5La+Pj%C-r5q~Agv&%B(IFVuAG#CA%}nSV9R(BBn1jYsc)aB9M` zlaC2Y1^VKP+n#<3K5A%XoOScsHqN_vGN3+Ie#TwsL3-E zG8}vMIB52al$vskl<)-{A(DuHf<=PM9}pQzO1*m6P7N^O9b-;@oTv(xz=`srSVzj3=%bCgyX(1Kv9^_((^-*kz>tqzZ<%TaXU^QzqYQgss{UGNWlc1k zTa@Hz^udlZgMKqVeb*~cAHp=9%COgnx7|PFhbJZDzb&R`)AlrRYVWjv<4uM+Y9`8! zIVB@XZj@t2ENH3^MOhC${TqL(ZHS1*$mE|;NAa~`kn%ua89|3=-JG=Kz!WLO`EY2e zRhi1Hv2-NoFF%b_RiH&Q#crz3WepDH2&ztI5leMRZLNeQ1c&|+idpRG(({m9{jpu? z^!}QR+eJErGy6p;vCvNtz39;6kUv+?*L`j;|KH#=rg47`6=0_Qw^g?P?zdO@KOg2< zK>q(#O*q0`mI)p3HDyr*ks)z^n%Hk?MVG(A{VCzUE*KNj_o_KZ0-&7 zs-E=uC&RQe$1J!u!1@_61Dk^Tf-zAtw;B)YDpU4d@osLfsQF$9=Psu=0)iCOa7|9zO}HuC>#Iol^M zmoEK(8!CDh24-|i;$n?CMG=C45MLK45Jubab}7~ERuFSS)I^5ZlZP(dKq z-#h?0#mg;aVoYjiwXtnRU=J*0-l_~C2L0o2#TWtAYD4R&7H#udaBZp zihgfyocsa|8{9!i!7{~dP_FU$o0Fx%;r+`H#w_0_%mkI z<&sr1=DvUAS6r85|6y^T-O~QkZtYH<|L&~re?H7}EBlX}?UR@57aPkr0ck>dJSL!g zto2qP1@s;5KzT>^WD1%@?P8`NU4JQmrl4Y5HKw5H2ApCOH3poS=A_b~>di@y%@lNk z1@2;At{>{x4`oWaB*wRY(ukzK&1~r?6NA&7R-AS$UDOz$;Pq)enJr>UaiN%@rY>&x zQq~8zhev4;(|qjz0E3vS;I5&&^lICgZH6q>ZS>_pMIo-lMbFZe*Y5K-DVlCu<~bC~K)fO(m_Spl8C?#BvPjo^h0fld>5yarOyQl%x(Dz~=0s|(L=RZ0%#Ezd1< zGx~6xCZ^b!s(Y(+qw>F^^HeqJ>dgp~#p_k*3gTbVC6h@gilfsga%O5wAu@BPDJO@b zm7=1H@`Ox5_M*;1Q>kyR8Mt3ZqUj@hOva7d$@d`%Xh>{mX`MleARP@-CS#BFJo9bZmu*%98h@sbpeW&&WbvAysgxtPUcc6-iFrVv$|(_#SvEq5~eT%=m%Gck(R%X8|$Qf;r=C=O?eT3Fl1 zq75(EEanVxL5jJZacoLMceIbWll5(w$R=dI1*f1!ZoEf3&2r`cxkq#_+^7;*vOYN9ukW39pB&B8U(!;cJkJ2E$9Q$udLRudP zZpQuJ{hhttlK-eM!ujk~q3o`puP$(Z{Il&$m7l*Oyv8zBH{sl#U3N;cWpFPtpU zUY3_`eg%tfRs{Ager*$juQ#^YA~ za(n-l?3@5Ox;IPLR4%bJ7p{E6Spuh=3i2%+7*uk+@uyb zEB@=V-B#KEr@g=he zW}UKU&$_ip0f9a<2wD zp^0E-Qv#^tzHW-f&SvG0@h~dHxytW`)hN{Y4pXa8SNH2AZhzjMKfspG|1+z9RZNdf z0~2C_tGlQ_7N0|o&v!eOE5x_vk%E%6XfF2&8usl(*QcOY!=92veY&J$smvrBn!4I& zkEwPn&2oscnM<;eV9FJYoS&;j^RSDiBy~=-UdnuKi$VefXMBz&QI0SHVYFAD$9(46 zDVua|o1!OQaesAJ{Gbmzu!BP+NE%C3q1i<1&ZX97E(dRzh+NK_$-~gm#4)Iwtxhfn zy_FS;^ocmm(v-x)p5-;7h0@|V^~+%7)-!aKYfgbGqDcGTxA?c% zIII1Q{}wmV`kZ+L{f!zwprSIUnunxb6Ku^U=)hr!o_~6t6pQ}G|HcoW$l{s{NGNa| z`hVjtY2>r-yfX-#z{KOYs<5E^?+-{cr2UwsWd1&8$p5YVos$3m&d&bx)%nkZJZtD2 z3(2V&;y3)0%MX`w zlWVM@V<1KJ?)VagH02GyPsKL;UxDB7yZ=tN;s55vpua8uXa3})csp;Xi-YSd0o{i; zHhq4RG&cP%zHV&#Vwf~G|L?{cdWTcWGLFtpPJemBPg3>=2}HxEA;H_KT+04v_#+;$ zkZgZLCW{5v|HbLi$?H>p7%tMs^!2~re)hZ^|EK+YceVZ>LK0pE^P(GQw()?}FtFopJ0mL-ywnV#b&0qklHq7TR6W1ZSX)C^ul~o$MWfN_bfje62uVWXki-EcT6&jz>w#_$_W2P> zIc4zyYWW}ikH#rOC*wM>DY0}XZc;4$TXqILb}=6`o*)T6vK^06mPk3(mIAnNLf@Hw zNA1Qnjl%;ZHF(;8jg!WZ2rQ*%39IXSMyUA@5=9LC z%F-xoDj?R@&{-^OBCtjSn6wf^l9Y{TNI1d<=f;93$CZ$jqniN@1}MO>6oJ4J41Vw< z60rou(-;L&#sx{aueK@ps?adN9Cam)3Bsk00e1UDHu2to zDWOSYA_zz4c~Z5DEEaS~iXbK_3w_GAH_-aapU*Egd~^a(BKeoiiJb{H1cm16)g=mu zqVs3!Ffu+mcXeXywUJnaNB-+=lh1I z#=Gmc{g$dCbzCCxAt{2O9*ZJ&qteH9BbCpUgEVU>0go_^;G0(b^h(ww0{#yHO9&{2 zA?@`D2<@B%IizdosMn)06;#6cSpp?@aT=0XB7mgGeLkZT!h@88mWbwlK7XUrkBQ2* zcNQm^m|daq*_-~%`o64cpBtZ1N3VEnG3CcBBtB<7(LtY)O4N%mk}r__q;Wb{>MyOr z)@Rgloo|19`?jggEP0yUmq!;(`TzfFZgkKzNCr3!3y{bc4-HAeLXDCMoFptXfNaa( zv7l9eSx5plOjt}}Vd2RQM1P$kozy|1P%?p&`-21)(=kqPmqv3gr-_NU)#{r6sal7# zm)c#I(4tRO2kt}%4vu}v-}P4BDGpW7yX1=kr;^1xJXlK|XkG1+K}02IGDIqLC}|9rA&Q7B&-fH5P5s3XxhRxr7Y7p{E&%1l%cEnI63((TAd3LI z5R^e0RslITl*bn*w?O2=bgAtZQebjHHBfRS(u~MeE5QYc6=bVXzHWE@-S3wLB{2Ha zG-c^REdJiP`?8*erGK^gT3ukDx%Vw*SMjHVbmnJCKgA)*orBeRiR8^^0^QIk zLL}xHxIkBWc=zdu#L7^3L*R{S64V-{b@}M5hdTKQjUw@m+4j`Q2i3iaLCS6rju8L| zni0I`Qcr_rs31ldlnp%6l6>tL+J9U1-*z_g5f<;-cXB=CObIztSHzMwq=#D`OM9lSvn8#TZ)Ok6p91k~ zDY=V-YZ8NT;V13BfUu!_O=U~&-19#>l7^hSQ<51a99KP+S(53)V z6{<%yUCP&8!I`5%?_D@-ov024rp?=(7-4bd)YMIzxjXTNS#zh(B;@})IdF1=mB@@8 zhaT%To_}$II%XS@CEkumn$nPTX3k#m07RBQPKn|V#*iXEj?tePjwHTAsY(JElRD#k zodMXIB2`%!R1#&mNoTG(t0fk_(@$UKcicI@!5wqKXFBV;mNQSq0hz<1F`38;%M3k9rWe)26d9#sX(7~0A(pk ziAX6K5pWBlJ%po_;Bbrr*cn3KmH!Gp!=8>e0X_=B^;5(UYU%^=@Llmd${^YF-EL04 z+i7l~W<-DDz8Ex7yM>xuq%7{|m(L~t*WDC;=R~}PRQ)Za>VmSW${r21*R8UzFzc3E zMSU=%yi>4QnwWJ`nkFOgRRWouJ}g*@`($}X(qCuOUEV?V z*V*-!cl>QBH<5B07gD#XW|~fc3R}*3{`L3uHK%`UjXejb=_*mdsg@%u)%_1AwQf>`A+ekNl%h*y-m4pkiWXv&2%1PL+t zXJUQVD%3+|sV=K^LlB%nB#%(cV$YOzhcPK&Uz2gWI5-fitA?k!*1P z(MlcP-V7}2_Gd8)FbBKaICrbqa=fyY7eqflDjTpHvu!$CsgEwDGV{)jAn^P8nz>aA z?q=C632y;C)RrbvAZ2y`Y;s`nO*_y9`*RylP*qAc+Bu=k}GnZM-(QRvKvsz>?E zn!nObdah44;5LLyPIaz5FheF)STTQ&FQHDmPDO;rVm2Gc9Eb zC+E+}Hu80+&+W(=eGR!Zu2-fe=2`O;@6!z z6?^Of*WMiS7hukD9HzK1hl|eNv1w&V9CUL2ESz6?4lNuHHIK9QKb=YPj{Bd=Vfx=w z(*Ga#xe4mL(_eWLR8TzZCJ1W%uQ-iq+@Gz}&!NBHNyVP2l+K|5-pvWeq3Ror6+dNB zMC1My?n?cDaHV`5o@i2+V0Scj( zPg$ekT;871)rBnygq*wox-IKV-rI4X#vdCEf%~(XRqY7ecbjSZ?Pq^}+Y3pT;@E4q zy!6>_qmg7$bj~6g%!Cz?-5VpUnm@M{ZOlzDjy^q#Zt$2tMYNa0A#wH;f-s7wTPk`c zCjyF}_1-XXo)S)C@l?U19guQ>aGK(A10gDi3V}5pQWL=`8Y6Cij#VRw^>XlaKYpVT zl5XZ;wW}hKPGCTRY;IcG09OJg7SU@Wzepk`A4Q50je9H|DhEv!HGsQwp<8NYbJROIkSvhgg4fZ8oGu^U(R1c&Jkn2fOOp1 znU}z30~CKF%=s)5{As|r3hI>uD9}3=WkX_)%MrA+h0c10#F}1n3%T9Afp`YZroJQ| zQZC`-C>%?K1}Xvpr%dv%0>n+P*=XP(Ae_HuA(;j45tKwj7UnrmYT+()bU|?VYf1%q z3lqTUzh`!KN&ih2=;6grw9!bg7|d$-Tt|}Y<`aJz7Fx1FD5jCKAssd8YlZ1hcwIvd zVoL~ELx2GQdJPUIoNg`67M+N4vW4&!Ge+q~dNaO9#+A$+>~O4Gzb50?I7w&>Y@^VY zes6<>s5bRxe@({f1gy#>Req##9S{nBbzU63E=ujTvCsQZ6xkHmouuKwjqqcG?&iSiNqzOO^sk$7}q z^QW4iGv`N_m%qNfIBDdvzoA3j)A54m&Gox z$#`my*G}}qc{?;`mfA`Vy-NHw*4)sTfY#EADlYz6s|gkCwt9iRd3$ww>5GqwPX&K0 z<}4z22}0azJ!}}_R{Iu#i06z%JTuwEokJ4C+?@3!N9wUOkUJ;i_J}~|riI&{l4rrK zPC^tb!x2dZFHD<`xCG2tD%6AvG#u;5q7aU;G*ySq=2i)ths`F?{L@m=IpaN+J9uK2 z`UlxWDF$SH9Lt7XcjRNjQh}Ui4xfLlUuRtshzKg1xUk@|z!Mx0d*>mi2IMjH2WPPa z@38sFmpspR= z;J8nh3Tguze|iLqER{`#p$h7xhPtcdDQHEmN-Y3`SBULOj{s4@Nz{`n7EVJgWmuG* zzJ2948k?KHg3Fu+{D!0iQ5~_2=qSTwB>d0K%|^pR=f;&;zvc=ZCc2jzFWfmQiYFbk zt{DiRp*u!hCI+g~4h(PC;NEFS&a4XW2E#A5xii_Oe~P$;SR9QveDwYwBqh^BtPVhHLV#ktDLz1e^PemrkLlVFup_Yskah++GO=|-f z6kE`q^4^S}3e=PA3&&$bInM~6zn6Jy10jD{&SMTnJ_>a?vbfgVp{X?^!RFK8E+Rwk zCn@QX)Uc`dtkgmF0G z<$$Pp-gerXXCxKH;ij=FK|DDI=+7JNc!KGlyWdin+10apR?j1R{{H{~0RR6zhvX~( GR1yHRy+F?Z diff --git a/assets/jfrog/artifactory-ha-107.104.6.tgz b/assets/jfrog/artifactory-ha-107.104.6.tgz new file mode 100644 index 0000000000000000000000000000000000000000..f15d27f9a7a0f18c16ed8820e2259b8750d45e2f GIT binary patch literal 224367 zcmV(Dc zVQyr3R8em|NM&qo0PMZ{ciT3yIKDsYuR!J8Yr8cm$&Vyeo8Id7#$XOxYOi=1rm>cWbMS2o_l?fwwo? zwI$B7A@R;lS66>{hI)SQTfggdS8L0sBqEp--I3xZXdyHu0*6>&cksQZey@cP8*-AK z;~|ZxnAz_=f2-&BdM%t#`|fl8 zlNb*p61EUhUCckV5K2kHIF;S)qlpj+?{_+Z+_~KUW0bP79AOI~i;rH{-|~A;TOr{= zN)y%CPcfARaD+}QIP@0BcuZ2nvm{}upz#>tC_+>G2TM_cgEKsq??x=0V!=0B2n{nD zg-9?KafIU#?HwSAAd+&wHDR*rriT|77rJ`^n|2(WcUm-%JsQ!7^gA8QIT5@g-|h%b7Z} zZa&ifucQAF3(oGajRo|-yS3G;(Er}n1O2~`r%a9RlG@NQ;i8ZD1aIybT>D>?v~emdfI*3-`Vc(^!%sYo!;i-Z@N4Et#11xZI}PJr?mgiag-5$ z#|+@y{lB@n-Q9Uy-v3)qo;>XT`*>DX&hsx^+-5J!@IT|sn;$K-^J zDHoDnX+Dp8Aq&n(Y6(_e_Be~80SQtfxPpL?ho&82}wL<}p z(U2f^PEs0%Bt{vRLs#AMHC^PsgH*&)I~M1)4?Xe)9;=oPnIL_1l!hclY=n}Oj7Uo2 zfXIpHt(RLso9pwTqOJ8x?^R1MyTE`Dj&Q^oECV@(mkLcBtr^hpHV3+%(|+DZAFcq2 zPV;(RVk-7n&U49ksTk?M{$MnIO?1&I=7Oa5r~a1DLaCJd!9|!;ed8@ zL8C~HJYWe`UmyMR<;l^jcRwDz-7hft=Q!;U5p*~SvXqKh=ZwsFN2D2-R3xM+QEWWY z-P&{7mQ#+9z7zG)2uGa2t3nq`OJoJ@>IE&ByC7jc)Y48^$R&f%LNXu`bO4s{$_g5Y zRBmFy;6h7r6wP3Vr!*vG`Z&s>NHR`HkZBTOLC_lD#oRK0lxb1~9M*bk1^zwK0Q;?C zlM>)Hnrp2f^Uj5cL!F;tgxFdLo|!rU^b-RcCsP$rZlEg96%ID5~zVi<9RhV&`+`M6x4cO7{GhzqTIqTyXQC-D8vG{R*D1dqty>r zt8(qUWCbaJoISYtOS+b%^jxlTy<{lit-8~6{#gnqy|XL%j0-aT6;C5Oe3$P4wj?~q zaUk)?Ng!9KWHwSDyD3K(I2N$ila!rnN6wx!uer1v18~Ine`z2W=BJk0%qH4gJ z)HNUv3OMzKBw`n88e>E*@iftV<03Anw%42M&S;OyI91C`vO5~Ls2Pn_F#7b6+^R%l z#tFi*Tb`XVefSM$h$keVqnSdX+jt9=Ui1y8MPTQ>CNske57j;glFml(w{AcdM3T!5 zQX+4@ehZn(K&VbwM9_0Axem=VOBAIn(n~pC$YL--t41ZVB`38!mUVAEtSWL(y>6|nwDczpvJUNf)wt_pP^ctlA>+hXWe-LuW&&}d z&Lss+?j@0CWCLLZh;n2FDw+mJz*XKt%RgHPxw-<)=&zvtOUc+$5zWvPh6Z5J?(qQ< z?2N>)i0+zxCn=r|Hpx=JCRYn<5jX>?K2o4)Kcn%~HlSeLKWuOY&xQ7F%AQ9Y#BKmTukm?sJBq_U` zc|#V?JWl^l*6Yej5gw8#Z$zYcG@^m0gyQDpsre)sGW|(J&V*_H15Gn7ByFAII8!{E zBBDq$X1o}-`BPD9cnjJ>K!cC zkX~z&2DX45)1QEt=0mW;7I{)8B&DztBBT{z8)|8*Ju7)5^;$6)us}d-qtS)LBxTun z0)sw*`sN93GVm>%xaWpdosJWjB&n!h?gYbict_7Nlpb;E}KrX7$i9`pXz>m6weF17QL$ZnsHM845lP}|DtL8(8-X|BQex-@7I-Lcdgk)1_Et;LGgy!p zmvNMd>u%pDs_EQeCbF#nt;_bda4JC7)zb_mZn*85RdRA>am!I`^ z{KtOR3(1h;*z5JYwD(w2b6fN$E@?-3)3_y$G3OU74K?}BKji3cs=9wEBw9l`4Sg+M z(NzIV})HWqJJRu;N=eLDq zZmFt_k#fuXIJp${D6souuuN%CnG{5$D+S?bZ_`LeR~-4M5sl=Yn{wR>|Q1d!x=F$(ev<%vzQ1J%jDOz99k4SccyIG&nU96T?%6hOUG}U>Ye^ zA!2DkHVBNZ><1S(6)jW8h*TI#v$#}2NUms>gJ)s_%ps25ApogAWbtuMQ@Em366x|_ zt(M67MI$^8Q+lq%$qHj~tN><0P?km;C?fcrz}X82pIpd@OcNouU6w}0nin7x0{NSR z-kimBDYo{Ui9BS0oU(bkKpW)DxRn*Hux0eTCs;LhK=hx^! z8o_>8EEI&LcSdF$MKmBWC-0OTL{2=#({~^jD@qP^L3QdmBJ!LIMt!uWFBnQ}1B^Db zr?%#M$*Kk-GK)liG-bb6zro(|2jqE@NAMylNQ$Fpg?>JJ^x^dA_5R^ixs>Vqvqv9J zj^6CQ+dVnFdf&nqKv6V^20dNF`1&n%ZnC(KGVT$~h1b)^zZM=F!iY3wtQ_+-5;uYQ z8SfZ2g?I@IJxgh=`Vn4{OVL^3M0jFCyz&=dWpG|qw*9~ILOX3F+?L_n*Z=0qx7FIQ zEP|J2@h(4P@d;xBcqm(Pl~({FxAZd5la!v*h>S_N7k}h?k!-N1@{!yDbH~S-~Re;|M2H`KkuIC zBNia(OG=rGE;77DrnRe$0jkWd%j(uKx+|_VfE99}h>l1w3nIy=u`_kw)Hun{0F)QA zOW)RP>>^e_hGfL# zo+9a###nALwOUg$5c%#Tmn6s)TXMp19QM&~Z9Zvlptcvt|6WXJM9^=)p+{>$mPYcB z$5j5qX(Z>@^R(2|lZ1g~0&T)s+wXKD7T`$ou>Ggqr@ewQ0VlL`-s>n;YA2%SB!(^U z?Ej&o*XZ}(ze6EIB$%)Q0w_mZNX{N4yWb%m5t5)ySvV%`-|bLV;A%RMtbgBmSsw99 zdEA{LjXUn(p$9*bC}K(iZKMeR8clE$s}RmytG8Yq=bs#G7$I#*>p z<#3VTxnyZAY*nAQ{@3RdTZ(5xRmS~fuzH-bVdIrr(OlD;rZrJiq!v}3UQqa{770h* zS-w=J_!3r!Ymu4AUU6S9ngIz|9CCDZCCkt_h_aBNcFB&32NN46()$fbA=`VvlT~p#cOUdaZ zC49o7u#a~17oNdk<9z99u?BruEA!ThMbSrJEZ=_KYXu}KS@N(_ZnaYE#8uJ%ZMS}| zcWyP+74fQbvb4e0mL;O&a=h)5!Ck9lqut;NsSUIg+c=zAgQ^RnWFWa2ykKZdgyPX9 zYu(XokY=%zg_w73(>hqR-@GKDmbk8{H~9;1p9?&UD4)=HEGA@+ra?s5=rql^&~3}> zbB!_c^{tmNG+wk_9h@>KG}KXGF;&o8J5CI!`yWVUIXY2}(6Ba1?GfoJj}Zv>wy zfu6|zHg?lh(-#UIr=T}FQ5VNUJXP0uWlJH4X1ha2#hS)sFJ^#9qmhN4e(yRJ{~)<@ zP)>!FK31E*BaM>U?(T|6Ql_~|dDmTZ$6Z>u2G(nm{G?tGWuQsRIeiFmIA_)HANAT_t3J4|}pJ3TI`DJbP;`RD@nwTU4_VV&yml#szxh z#tNh`jv@+53bEsIpTKVmu8vCZFVBiZ5*)(8BMZ?O?Vg+-yxiS8Jv#YS5j07_3Pr)p zMM8P;{Mf!ciU*1(u&dJ5w}8s;C?Rn{?e|oUU$AL_g((E~@;DBNF33{DAtYLY@omp= z7sc;Wd@0XQEKkGDt~owAY#Gd1d^|}(eVNaOmOkuhK4n!>=|t?wBk@^#yW4HA{zv$; z43zB+Y>z1sDGk6%Oj#kQF# zgGR*tUgGAxTp;h=GvftGQs{h$-m`?nZ&j`L2y<|xksI-e|5Wx!_8}#5PXM0Z>jpHq zlbf*%a%Fy_8&!cE;g?2aNN_H$1inwd zw8EHbTL?vLoO8*wC7?%d*jW3B$u1elK00QcQ`rNhS?i;a472eDqVb4rpbMPFG#+nA z8cEWW0YjqOmB9L_EejfVn3WZ@A7L(NzzI%+iPgWlZR+D#Zcj5Vw@yBoES2z!040yF zjM`M74}(bXrBOa7A()hDd!r2_X!@Qe@31m8_@V!_`*gFNw`0v7+WE_*Xz5VeD0`B7 zF#7=w1WWN)pBQqjuLdj%^;@&HSLL`@<=n2S%~jq~(Em8lT(R|FC7h0xd`>QRNtmH= zQ@Va(=ZktmqNJ0m7oKrQ^2}MQnca{DnYH5UXqmg0C7v9IRbhJEj?)=m!!{@(?1H6d zB;^i@)SEi&2un8#4t8NE?*kGy@~W6gYOA3l78i<=bE0Hw>U(n!!6epFRqK!y0{^YJ z0^q_9Uk((|3`a#-oeAc;Il(Wmz%QtEZ1Hmo zeR~fP;a8s17^gGn&%eyzjWI*sQ#(}5b43rBCc0;a zb4&H(5%)vYI@rXTt~Ao-L|$g07AQFK;c|kNwNyWrlA6{G)jPoTM|&FoBUP6Iv$%>us20)4!ZX8`=~WM;Ca;4VQ6F zamhg%_H7xw@oF7%7G;9KppEG#s7;C{{_lp22}w5+_pPrPc3&&y4N;1~i>wx3%61i} zV?N zCaC(s>g^jUYR#Sd!MP!+LJc2*kTiUwQ%NyBaw-35C{xpC=WDfNqZE8S!O^q{A8fZW#t<3>W--F<8xBKJzEnQTA1JeG625 zRrTPGtg_TjZ}7J zUWv$(+^|)N*5+vr#zY**LI?4PJ)gl9xQ*5#$_4V}<;iWky>3)47WT0tSaXE<#d2O8ZF< z!IR71BO-X%NT0<<;*%P4sZY7^>szSyu?|SRWf*F*`%<4vQ84tZR=k0b%gk>T9D-1h zqt9QL{elWGdYez{fmmb9I!ih0Qc{QTX0@_*lSBecg_S}Ef>GpwQdU2F$fInv8^Kmp ztjZw7)1^EGebp~n^DS-2r(|AlabeNdSGWgT!nrH2aaFmls1wG{)Rk*Kd|lQQu5YMX zsN7;omTu53+R$97NCoG1iwkqi=ujmd+O=vk?Xpf{K~u-M+D_521)?TP`6!w@c$^0& zw4;EZO1|`#g~W+3+4j^O8$2M@UrIv1XPxeiVR9ilI_!9w!nv8n^v{gwIEd(s%zU(8 z7HY;UB+8E*{JOw%Ozx+=(pRlQtRoW=2C>+&zpys7ZI+Oj^9ZH#PVP;}CED85RNxqM zjwq;%CM24w+N+)iacEpUq6ysi?9qp}yMxpHlXtK8f4$Ng+EPTT*>dhyI!KaIDX9iL z`KIV*RTDB&6RNkzM<=Jdho^lvM5*$7R9G`ChXtVmSxKHG%v5}bZurG!tArh!T|dWqI{lf;Ob*VU4;5i!xrTRug2)!3Q;WHd%{e7WXN{;9kt zP0S^b5<62`8L!rcAFP+^-0)xP!=4ECHFzFrC1Y@wyD9|pW_@nBTo7)q5XhY^wx zl&QJOJcDqom>Vdy=5KQ}p`Zzm7!D;AaHa)KgujcEc*`5SnZrMlBJavUSCw&WiTWTmjXg0UMz@}73&3TPMoqi57>n!Q8uQrv7tDM zi4MdB$CCQEs%$HvjI47EZ%bqzr@@4t6VElr;rbgS%khGU;8>X&AP-%Tp&Xt5RXm}l zGY_l|Y{+MI4y|em+N3PIzC!Fl9rm%+Ve|b=U6ZJKXH#?0EVx3tPLOx%{^e-KV|wGIihX{_EZ8 zk0<-PF9szLn<{EjJ%qiz{lQ>P<()Zoo!0mNb$YV9K3i_Enh7D_SbiV{k@a@(>m|-mk=?{tZsEm zye6{~GIIH91!y|+oLDN(XW)|auV-Xtj7>mQ18Gwbi6LA%irEE938x{^G2vBUcSq^t z7X>p;OmiDl*#t(jMyMB92e1o6$#~gN>q%9Eb zPZc@K`H2t>0Ut%{*Ha~810-05&Jz6t1KTM{$Hv>Hg0NDAq!9(TrV2vcI7c{22@Yp@ zM_h2wsf}W<@>t=k8*Y9YYOGyjA?Xr61F9F05W<*4Skg*=i}MQ>pR;^w4US-}K;_tl zj)Z5j2+Tp(du7C`d#B2mij)L0g`!Pk2AWzokn$q2(V^Y2>&+sOS4uQca6C2MJV#d01(sD2 zyD;&}dfm-!d4RcRUz)`n4mB2gpzMTD-w^Z^4XNS*B^+J`^i@+Rk-0%foTlyfo>Qsm zyA4^v;#VmS$Z^pJcB`vp$1JRdN4kbT+S0+E6i^-Sr=SIdUd@T+WN%t1aQn9$s7e^8 zgoO(OI9(V1Px2N6|2cT!1j`Js3upi`3Z(vfb5J9`08UFsJzXmFVS@tO4!n=)*yRVdlSsdb69*tY@W=^1yQUF!t7(evU3BlnnDHY^MT?T97KWnFW zqc+m=R~4=?m+!0VP|2~%06084-FMS%(Q(XDqBTtVkXD(f;KDYQSG6pug{FE@bcY)h z)c^qwCd3UA&ZBtikh>I!aAt&RcT&G_86@Q0x_&Q?rCG_hhjF;CQE7 zj8gy*j&)~W(6q1KXr5<^FJICKs=lF9Y7Ghb8BJb5*0i4>N*!Ezl#?x-c6$R|OlUAMPL3Rfvlvflpyo$z zNuzvH@Z`Nx8Dg(Fn!t6$QqxqNMbQR|S*1C+u_J0ngk+5k6igViA+wEU(Y8)fAEC8z zvWZxXc7GYjQQ$blX^8an0i;*2_c!Ec^xx()n6a@e zX?>S#-g@VojUPO%BwjmloL}X&D9P(Bp zWH~*9t@Zj!S`}oQ_&<3=9Y$u?4GkBo=49w)QIk?I?S-JdWfaKYN^E7g8+nB2 z>_ygOu5iz@ERxRc2Vzj0uRwpS5A6_V(;-QZM*D7-1FqOK+xoz2lQ9Y=G;%_TNUUAc zh}lBcp4ZnmgD!*5=677Y3U0E0+l7`oxgT9mgY;qC|ED;UHz4 zBNNo9aMW3+`^vyfl7spwR|?utrI4Ah3p9oJuOl5ezX2J7DJIBAYbIs;Gt^smo7YwZ z$3O3B$+2a+-pUp<%L4(ol&OMtoH!>+yy3z^sL5E$%|WaUqrk^FIS;(=p|c(YEx^$a zHwLICT7q;zm}vNGD(HRFhT2>&wmY2}Pcqxj?!pqirV{mCQ{iuZf$+LBmgyX57feou za^41Z0ABEod_5iiY_o@BAtV!WF)0F z;Iax~0Y>|h0=mS}#H_F%i$pM|#&hWA#6r6fp$%|?14vqv->~%U%}O(W`+e!v39}9tK@<1$VwY}OqM#C&PBZ8N%c}N8vS<9{UVHPEuktQkSxk(y}qnX+L z;~*JSlB>==p*2gS4cOf1Y{o=2B?&fxPERE=g&ztCY?QXa(-={NeeUEG7-I7plTYm%TnSM_%@F_D)f z9W@Ea*8!wX5-PIOp3S5rkIaxHDG738Q28i+IP8Q$6m`fYA@vFx9*J_ zU+}@!&szpDf^dW)cMSKMXSh98@?KMeGugq?%d;sT01q^vA=!_EbOwCDYce|soibqgKw6#=SwbYRY=~B2Vxcx6^*)B1ep6{oC-&Ls^2C!75gd=??5~MEx8e_ zBxs{qY*hQH$cI6J=Mfv4Zs`-oMW23Ez)W$mS`!PmT4~sMaNKzau(Ig|+q94gvM%$b z5p(USi^RdPL9I4dF!8Kt@)A#JG}Hd`do~5LP32Q6vBnZ5+}co!#~Nv^7X)GY5~q2` z0R-;`k?jWLWG3m03`g)na*QX+k<-32pcdJ?1S}2+IQnW|JWnUwrSZ5EW;pV=1lL(H z-(7ieabPxvW+RR$;dAgKzupKpzqJpJ&$rvZZ>YZ>+rPHk8%V#AIMQF$yY2Sx_lYA) zD%T??^Yz7q3ZmR1;!2=uovqE)4FoTG_Jtjxyv0E1?UYTG z1F!KWh-geIO+pFdWZ?TgQWt8KK06N`SKqH^s~-y8+9>o%-?ZlpN_D!L;aguQX)sY@ z1asvwvW47JM}M&4?`30Xs9Qq`V-Z@@sW5d3linPH;29CkG@m!C{(#EPC2wT~P04hq zqM<0EexxMXvSh#f@j#gf0nMiz9kP%>dJ5ym3GUQrL@$ZTBdY4bc$MYd)}}Ju)01G5 z-Iuc4KTyjDYWYAdAE@O6wbay7U?JBZH`X0hd~rT$3~5<3p6+dJeXB}d*1WDlmKaG= zg2QUU3vx~%y1&vwDR(EBEV;$l)aJEj35(cR$5GG;dngC3zDaq?bTkj0IbFx!SIN&I zdxHX@da}o2E>cV(9*vE1I>ncRGjgF+mMbW)1R)lR#AU*`a9m_ACM5nT=2%cZ0&lB6 zdch8v80fShx>$sVB(e$Et$Ph9t=`CQ+;z#pNz!k2>h~ttcbz8ldMT6b-=v}n382-e zIzWIAh9Fm0#>wwgu14$0Q8We0qlKqLxvYkCG$JY3W(?!4}MbBA{OQnayyO}M9YMcM!bO=)b^9dg6L>nsVeAOn$N zLB{rWu9Nw)C<5E8P{j_=CTC_vSo3>ll63RMfWoL0QW(`HQALFi!Ffcnax^hpZ?jsj z*UtGKSGD&~xo{P)q)h6SzrR^#YF(!+AUqHMSD>8E5UncFi72CEKuq)S`UZ5qf#BpA zGA&D#O&%p8*EFKbDVHM{x1Beaa+uDWfTiS^u}BFzHn;VMKc<%pHBl-@&bQrOuBZk( zSo@3fsG_}6$~2sdnu!UDvZ0l*FKI+dTy2Ig&>qm~qe%YMT;m$V4_x#7y%E;chJGuBo4I z@}F@;L*vs0X1tt@L|c-B_5`P4`#Y6~7fw{=YGk!;D4(u8)L^Jb}$0a_h_H zbd($c_09I9Mx#)7EJ(K3BuzIo(B|Bc(41pIzj4> zw1}C2!^i(yoKGg-NZ+Q0HE&wg)ll{we$u@~h!4}w$Bysu_Sd>t5PBb#N%q_<8#QS* z7UkJ^Rjy$&mk|ywL&jMJ1iA1kk3A*#8sx)>A+we`ZGPa+E3`Mg4IW>Tiw<9p=vDnze}8&kLBtMA`!%shzcz$=BF$V^=({F^cMS+PQiEX z!e`b{B?I?o>Fe9W%-Gye%G9b^5|1hBTnB8 z&~S!=3696cA527CM~Ycf&MrDupo#^d(+XO9QJtVnhySx-OZ=Mn7)u7He2Zf&JM+!y zo5443TG|!!<@C+Kec#G0b#1&sIS5)HQX4wYr?QCAUS)x>sW5YZU=62|9k1=}s%*5J zj@5W2#tM0QfjJn?Y{qjVFcrGJW1T6pAR7fm8i{$98dd}Dl`I6J4gbn5k;R66G{R8` z)^qx1AmJ#~@7V~ed5Q&lS9C4ooNzwP(RPcmbgQX>%dx4A%R@g;mMu}Qp((@Z_mYVV zL}cP0>5sD9_fD{?ACTus%svaSAEW|#-Wi$6AKIeUKO-~9zB{*DCeRHmhm>$4)P(Qt zz9uuCUx(afkP;hM9G1eaJHs&j*6C391)Zs&(A5@leBU4~_1s+3JGV|X-P5V2zx>1c zX?MHZQS1Lx9m?1AnZNHdd2alTe7$_3v%J*tyVE!sTMegg?{>5F#q&Y;j_}*zd&T6h z$S-@Vd2&j7C03D>;ikJ>)UJ$^)Ej3sB%OdwlS~lLUbuCPu3rescm^KDHkC1mU<9+? zmBz8YsP?qkj+F)+a!j$92b5*Hd%=X!fLM7g#QHX_q?{od%X5?y4s2VX{!Il)LLql> zE?UrTmJt=g#I3iT*^q=|B0KPw##Ca#H_-<}W@9y)u{hN-E8{45yeaUJTqGL^haf~# zGFFaaB4-Jwvkk4*pR#ikf<299Xqe)_iV9Y9;f9I(XhM1^UekW})uh4|I7hO632|#n ztAo!6XBUhD2tP>ZfNq9aE0ZZoS3r`|>vp@-lDK6P+~2AqoVgWRMVYiKX1#@QOAqeT ziMGf&4UGy%6*g~LHRo4Zu(#8z2_Lw#c?*P?);}|8UuCT{$onb+ztWnl75U{dKX}n3 zX|t$#khDEW+HNRqF>B~S()Rb0v@JRJpQEJBXbXJD>DCQprY@ zy3k1rdN4X<;y5Lo#6lYuK$fUk-xwxxFJ!?PNwpY|GF>cToC-LHs$m0?lxeF0fkDjm zNpxRJ3UlTtrtHi;9G4Hrh82yOr|U(QGTSFH+9yFXg85m0iCc+ zkQABpZRVuR2?H3+jdYmHX~JSqiL()W0Ptw70Baq;qj`l#_bx0tOce6Dpqa_Aq@3x`a(mB;cuQLBps(XndC=E1a5A9WV3DepLU;o zTj%G{y9KXdX5fLSY-el|_msdGNT^}&bP*0is)FX2X8a{j2}!A65#jpJiAf*LKZuQA zphMNoiYycLTOX9QWWU#BIoEs~+~mSgS9#NOSm zJL6=SGaOEcnnhRm&F=CF!H;00WqSIV9n7DDNs>j)!|D9lUy+;6KQo8dJ_t?426}`L z4<>p20kC!^*KK=FcPAPm7YL}q(cZS<9!Y2PS#^2Vx%DUN*lk{B4aGbNU@Ol}U z_iZem3XMIOJ$*)3;lji`oVcI;iTk?hwzxG4pWxMLuvQT8yyy#lOSMIx%)>>EG-=?=_HHgD%Lp`+qDsU z1xcqghF7mr9FXJUZh#G>vkxDq>~i)z8;wX>NQ1Jnf_NVG{NVWfv5v)#MiCyH6vk5= z<1tYY6ku%?m;KaHi9`0 zLxj0HA+8BPggAR9+8(gg$qsgmXM5x4UMj;d>nYnNjhbq@WQ&XEcg%6d|vx(DNM%8R8Kk3F>_ZF<q&Y z(8t^5Tj=J_f=lS;({hy^d2h8HX1G|xd=&`y5}qxAWBK0@lPQE69euZofNB)dl4%+~)!`mCbQoNfpTy***nm6l z1tb8FjEtMuq?NOwmDij{Y&41(E^y7&Y&3bfmn;n+k04i(Ni~D61tFEw!!}?|k7b(%*fRNKVl-7@@r^ka0U_DgBgTWi5Ta! zpVef9DM#E;xf9}2su74Mof6ot5T;8f35GBvz?%9cJm&bBkI{!5NDn!X?mP#QVkX>O zZg6QJJR~<-I=K;Cpx{CTiF{~)Xd*f1)Cjs<2nWage5pxN0;1&$hOo^p&P;;zw!W6O z(V9LPRJ6kO8y4WGtxb`1Jd{&KiOgQnRaN`NQ2HzCg?A=zNa|0}gP4BZSz4n7jF{YE zz>9@)S*jz^%-D^XF_X>9vSM}2m}18gmkZMuN1Tp{IIez3QYKiyqCPs^JGO7jY+J+C z`h>`W<|14Wk3Q{gY;SK#Og!yA?QT5PKMdo;5)$(X9ZCF7Y(CzqoU0rVN0EhcRD!OC z!j}WHy}eZjN4;KIK`-`?PxkkAPxoK+OFEO>nhvtiL-5Quz3$^3?@h1!Fq zR1JLifM^^+V|lmG3focm9x?far<{_c!nc5(tPFM!6eZGwe8u1uWgoI6ff2q%e%T<0|vjnUJR zQcpx$e5%snA*G;uixXf-6f)%8I`RTtpg*UctNSR_-YtqdETBquq$$f{aSV1%?K+WX zySNSu7tmca#jy&0sT4pVIyUeHQj!oj#vsj+sikj--0h2BUFeFx49SSbB;0_+OK^7{ z676;v=B*FOh@}LnEKGK$hAgw0qlyWaG#dtc@GT2TADs{!{*qEbj$(ba;VSJr#AJlt zD8>vz_f$tYP+9DiUZk%7I?a8q{XpNluYPdqXz51VYu8n4w~f+GYwkD-XEC1AKxtbf zAyZ*E4ZJMYy+CUanB3eDfDwkK;w*|bP|PaL!L=7rJ0ecR1_~yOnQV?$-(}k-sgKaw zIN6lE`tC0SIR+euIF-!1f%EG1{)YUB{u>=7BnC;rx_et)sT;X>O;@1Jo$K2_)znd0 zty;A?i>k?g3K@6g4Vy+}NU*4i?OU4C7$q5qL!oFWvDVO`n(xgNFRLtbU1VD;D@la8pn)H-j;z2t zrmCVRTJ_mSPyF6ve^X2GWv_oqqdsbzU;Ul#_IA5bldaF-I*!;m7AuEh;YchTh@L%H zVG(}S$#@Fd8xo(Rp+u@joC2<;OzwrZWA21C#;vW!LrilM^*l!1IaSLk-pjDD>qiU;BA4MwCRM1JYC1s*G0{rJ z$jRFxf7M1iz5{EK!kQu>v6`|4Hq8Q$`>5w{`@N?vq+ltE-L5tMGJ=y6!mYq;a|e8# zsjucl6kcwsv}c6UN0jCH&7wO>daeb8x3(>DbRd`Y+(UDwEkxA~5=iH7}*N ztjbuZUtEVr&T*$e<-d>NkOc!TE92AJh`K_Wv3Crnh6Ld-%(Gpp0~}3pvSHE}N+xWO zq!8J|tzHb5u5JV`YZ_H;qJh$FX!|WN4PhgMjT|~Z#RYw+T2@*PesHXJOliR) zG)|MizItpp*^+{(Ne6&-m6(5x@O5>cgnY75#4bvzPRZ`QcNH%0O;d9;LjvccTak+fmF`Ro8Q;UXl*OB9BZzKUWv}Ow_oi0f_RM zeJj_=WksgTJ5Jt@K)ngyO9?6KFbnnW&L#Cu^XJr~b?fe3Q|@9FFN5qmTgIE855B9n z-;bAj=wqfH`nZ{gK1$-Dh6Fz4bUa|SS}T{BUt?}4gTJA7W%bBh?3++x8m{SLRCWF- zcpmAUS#&+pFGr;}cjSDuj1$p3_n@M8kRrxSK1YriaQDrd8_Buv%ak@}1sg>$0K-5$ zzs(-x$1e_nTLj;cs{6RZ6t1i+a1>twY}JW))Glz{#pei%e*3+(vVwNC0TWYR6nP}6 zoab~b@K;vQPn;mn^AzFcL?T466b*^EAS6c9ED|({NU_pOmLeSIo*Q7gi9CC08B;OI zhLDn1i8dlO_Hc}&nV=(nP5#5mY*xAM_A4g*T~ zwHt!`g2W;P(E~#m9kXziqYe=P_~3AmRW8%}>sm|VF!XfGo?u?WLXU{RgGN1hV!@vt zjwl4@lRtLV-)h#7hiC$x3R>#lZmnoRqFfcc-&)aIsy$-N2Nifbe>cQw{?35v`aOTs z-C%duZCIS{)%3)4YV6^7=!%<;!?yk2Qz1uYb1g|i4>dWJV#l|-t zwmuOgxfGLu&`T~1QSHF=SmTOqggSx0N+ z&jrxiFK_v@*JTe|t*@7T&@a0uhX;qR(9$)&Zhb8gTQoILLohB_T*w2$1R-&a7l<*m zZ+Il|TGTwdEoL#o%U=WdBQS4I1$w(XINd*a z_j>==XOGsvteZzDmCMnakV~|+xqkhgKSFTvdh{U&esu#R)C2!$j|6^wz!q`A2+!xN37+=g)bx`42|pB4utMv!-Bsf5FrKG&EH9 z@Aee5N<;OypDh~p(hK*aJ@-dL|9Nz9cy|=EL_-bmyP=?;ISn+rQjE@2mZKk0zL-At5nJwM&^` z=zUcp`hEj2jZgxXLuOCHUUWn_#<*Gw3DAae9+$5U;t@ke79*JLmj)HF@kgIag{7MF z1bBFsR{xKR|0%p?>9Q=pEjNzX5J&a50#in5u71VS=t$Y^5Z^EWs`z?i)7AVq##FxC zgXWU!c~9^K_ahpRm=k3iQ`g-lJ3ZCHa~k7x#sy2szowDtzpbmHi_A;wb1l5o^+^xF z=X1(roTSH5Hm0$H#MjYUQ_v_JPHC*6%_$IKfnSr^`W#3uw#JNsqdZu#`{N+d0ufZs-x#Ob< zLzIUgOH&eyJPw8NwonJCI!rYf&As~oy2R4!3={#21&vh@S}mzJ`Leh#d-YQiVnK4d zH%)ZmOcr%uwVD7ln0u-|W;GNpzIl*-tc zm0HWs4UlUWwaJ>FeDVC<@$O*o%hAb;XOGrQ=Cd&o$b&3rJi&o-lyhToskc{Gs8~f4 znWbuaOxaNWg~lmKP(H?W`RNbN;slGyv-Ss|Ob!k_GpegL`U}Z%KHf&27m|R5WWA+X zS!Y~DHfXSa`qOd0)$`FSZ3X6DWe$$vX#MHr4LDKhiO@;_j@l*&K)WG`9|Q|fRuCG& zhet2=-yI*FoZbYzB~0*y1mIK1f9wA4n?M6sZDds#a|5nHPe)l4<)PQs%RN0fF7;Ez zrn^aRsUTD6C>K~{+}EKX2)xrjuG*>xa?*5k)knG?{YMsc9XlD|yIPnL*M@J2Svfp9 z-S49Vfu?wd1U@4OqY=44QyOQI{u!H)LQIe(8%8vci$fbOn-~>eLB~v*!V4?{Mb^}a zjeW2&eI3r^K7{CytA%ZI9w6`H+H<$+%-vxBIXB)uHmFl zW4UEvzG-r`TAk{=+w-Q_+Ac4@>yD3JfMlqI4G6%v+**!M+lCl?))Zi{-MHp$9&=ez zuX589*+Xx{(hHo1OOjbL9*FtSSHUe@Ou9+Zo_2FwYNEI4gCk;r)X`X7hK4D-;L37V z+fztpASAJ%I4Zm5fi*=2h9mL;*0ELaF))9*^m8$r3%%U(i(Y`L#2R0hoQqY0fLVYO z{Uqm7C`VHwCJcgTr6eNfIM(qOmHC?+zLUk#>?_$vU{Q>}r*6{-a)tzA6QXm93tju^ z0D?j74^GkU@qxALGDckxxD9-U4P0Cum(Df{1VXMR)%B7%wcr4q%#PyybCS*mI;J{} zU9QS6ZXtuwFhoD@nno3a6$pAR_jys1gv2Ce*?3Yp6n{F%Dd#>8CWVjke8?5lTyzza3&VY(-H5XdqiL`TgIrI* zM#wpy}huSN5}?#U=vxRvp*S#?eI^4PCzH&BS$(W!<{*Z7%ldGg=Ct z+7$1TJdO6B?<5f*DfdMZ-Lj4O_Mbbwot<9E{`2w9*5-r#=Y2dMK6JiD=XBbKJKKmx z1g>UNiI!kO`snKpFdm(+Tl<#@xVV)=5XeKtZ|QQL4$Re%bHmFEfw;%tgW3g^nJj74 zmgp}e(ku?p<1P4;P6yd&L@!a>%Yn)5>nT#+`MRY7Kfyt*Bm|IeWKs8uOr=+43Jbk5 z-;hrH1cu|c zejy4vlozrMNhvrQk^oEI01^&4!c^#{3Q7cb0B{X8L0TvWpBIU&7l#8`7BsgB3D*7A z!N~9~3W$|}DSj8;(NdgA5ar6w>)tLxcYcejS;*#NWidAvxcTZ`nsPe*vpnsy1=qxd%aAB2YN1Hul58mUkrrl7i2er4vdkeF*(6qmMf!5I zaISg59OzVxfXa^|IuCwz#{B9yG5Rl#xxW2 zLV#dZ3S83{?;0rFZd?=Yf>nQ;u+@K=82YIFO&hh}wQq1_zS5T05cfE64EGjxdrV?a zR^U14M>v9&z~zpEtPX3=aC|wOC8xS7&tEUY^7(miD|oio0haw8lX!2p2qwU7wDow$ zDM?bH%MR!`CgC0dIoJ}NK{G;sEI)U>t9Y zye6|kiR$DIAl?aDn+TC~K#;Z$c0rI&V^=B9Sc*;{NDVrDGcZD$j*c-LE+zvy=C`x; zT{WXJ3swK<;B8!+Bl{xa@mRNW43)P^xEq@}vxGHmV%;Ve2Q$as>dJSU3= ztxMMuyrM~EEd0e4+>tiyg5_JiUagxU`4;%SE^4oX)!QQU+PJ(n8g;0wYvE7VS&TRXd@jby zg_cHD6ZFL;7b8bI!R$HiPzuO3POiBy8gJ%}S5JHGTx)B{p0dUDRHmBtx_eP?5I0On zaHd3gnT;BZ*vKTi0rNMV)KGa9sgy5Geol@8UQCGcdC6^p1KApl#{kf6VWUNrlt{k> zwTw%ce_e?HXTxi9R~V5$ZofYa)r7*FnCButHx3Ya$Zyp7tXs?(J`xyOy* znaU1CfyWX|yRe+Vp`QF%1?8q&Sx0LV%wLmPp>?;2_Fh)etWfR&V^w652D!EUYGv2B z)fjlyA^%xz%P^=yH96i~GX!lb0sF2KQ@#qxh~L+)fp3Aw>eP3sa-lP&>Acl!BG=vJ z8pBSKI~`kPSl-qTt{zfljW4xW z4bYD}jZ5OP5W>0vp~W!Qx5sJ$-kqYh0Qo-g>kdyH(j{!j32+NFhFPrv}#FfGFdEF!9P-&MldhL2?`;`HnqXmZCk=M*kuY&i_V4nNTxS{ZfuO{?=?yf5!t z3n7$w0T|!HbG@da0>il&>b#@+#?WuWz2hV?78VQncAO+;x~nYh8qmZylnd1Ex6xYT z^}3e(UjtJHzqr=X`ue&g=Mm%qyd%<#3lg@!YfaBWnj$Z`JD}gSMl1z$Z$xAC zXf5K%>!FUACLORi>3nUXqj=}YKLa}m^Ha`m{!9M5{v8UL+`7LZZ-m;9K1je4nYQl?c1IhG*fC7c`n&U9>k17q&;vi4zC!HjR<<#V8%6EEXgV@1(&| zgP7cD?~hTSEI00?!NBEa8u3X(*lTx#(!~=fSi&MUzMBOql4$V?4en-b28%afOr|U( z(cSF5XYJ$!v12c_m+*)IczCOh z>Cbbzt^S# z%u%s66<%UI_o(wMw7#6$b8d~fqq~{*Q4P@z0+q0^=;F(DPQ9fD?Bw86<11w4Yf$pK zWi)jx5y!fMe}RrE7HG4{Xs<3@&EmEe)~adv+89=DzAPly#qMW};!5`x?z2K>jGW89{&8tH;qgw;+6Fu@zbp#OqIpze!3hmB2RneQ_Y2>9O4oT|ETSa64-x871 zU=Bw&RRs*cW|ZpsbzMqVhsiANELWVZ>(9r6F0|0CfF&e01M#k|(2`|KJZNspUKz8$ zAoiFGbVMUEBv{;_ifh!dxIYr}re@!6ilw{fE^WK%AJ5zLwTh7@cY}O7=3!xa*E2D_ z-Yk@hf2mgdn__{BQxR3ejos5*HRisUkvLbPjNuE1O;iQ4Ua6?M_o z75aZ`|MPuH683}t&HBH6;~FyGz@naunA26az`b_#=HVvBX%d*gX7?UoqClf zK~30*W$o>2qXf91uN_F?I*4`Sy?!=`)t&knh;3@-V4Yc^daW4nry^ zi?Q7OoMmaCbNyVujYa#vw^iQ%z0Gd-VgKL9qw*HnJ#8ob#LPL$RU`9CRTKfAdSDOF zQqP?IKc%rZWK3|8;=~J565fyiEZG0O&E8IB|3BV&*#GzOd~h;{-BB86M>#SdqRH2X z)(RHCO`?7`UYM?>|0Uj!ixM7>9d$6q>qjg{AWg592^^8Xk=*o>)n=M z5lsBqH0qJ;;CV z<#G0Z;~sat&6LpddA=b2HPvw=*FQftF7M@+NFs_fq9^ z*usBOO~-Qk9}a!b#6i6-4Oqng^?Far_rI+t5BVSOu9#nsl=uUi%G02KB{#&QXOnp$efkUi znK4mIryiBayER9reC6kLD<@%h$5#(Io=K_|KXd!cw z-W_OnB>;Hy;(AT|Jwy^q(f@IvG@&FG6i58JGT_DX-_5f8_sN6&_kNxaH6gbegn?tm z#t|6^mf|t-$3ZeEWgc}HdDjuoh?j2*|F-AMN0T#;gXD`n4~oqHI8b&1dZYV)aETv~ zG%qDDUbsY*HgPHG@2B1we~)J=`cKtXBB@8?5xZ;oPgm0XvixWJLH~a*Pg#(AmvphX zY`#S5Xog)&Fz2s>V8c#c1JyU5SMYTU~km?`sf1emp6# zZsukr>CyE`(xY0ER2Akf7UDKt;Y-NWc{}Saxqpv)?ZdO&vlRWG(s2qq-s3?^lj{nA z7wZ4IW&Ph)_wfV$zn5oT6eBb1Zup{)X$MeQW?wSPs0KrPJ~4W<3KN$XX_qd~hPA~l!bBemq*{KIxP-{~{XDvwiRXoM`u_v< zvrg|OOOrz3{hG41aP<#0Q1fM(L2lLs*DH5~IKas*V0)hTH;F;89Q_}0FF6lx=>ETm z{y*+^%k;nd0>hhk&-WoDLi2rms8jXGXZtzizv1 zx#jRAtSJ`3#Qz77_~$U8 zpAV6@3+#c+e{p2KNF45*&_76TAD(6J|12b45)MC3{J-AL&f~KGZ?D&Txc}eBqgjiw zsJG9BAA|os;P~N%z<^!6`xQ@6UVw zX3y_>-8S;~aH8__Qo{Y$*^ubd(DmDO&qyWC?40+8MBrW_C_!y8m-6Xzn1wGWPcvY2 zo@e3swtgaV?Dv1*IHbMJ}td@N>N}o=)RDI9FSpN>o*hLoB{?lhQ=SUy&yuZ`!G+*!%#qF|FpfEf80g==c_ z?7Ix8yOS9FlsV9#riwezJOH@WAE-uz~ zvh5|I7ec&59wp2-*s|d{#K?~heBa~Ax-CbanJKp?*xOa8MaZs!mew4euUt3Ixuld) z%lsajZ4B$Jw(n$$&l>sFL>6=+E4oL%7s4COaY^I`O#Abf$PmY#fe1QD)m_0w%qu(# zauE;xz<2%mdJgF(*16>%x<5%a{4KxDW;r_Ms0f*Y!UD+EOp zbCO!Wqz+PI;|~kuLhyI6O@Ds@9G}hSJi$5S3lI4A^m@G)62C_%_^S}?6A*1V=-Qz3 zKYa&Y_d`4A=iS}-!U(3yzF`I6O$f1Px#vEneqS#Dyg}gwp^=j>xBrif5t@PDe+Sz_ z6VQc!f?e>(A1^?-fF56s5U=11zJKT9Cefe&-gyCL=mp=JCoh07hU0rsU2>Tt8a=x+ z@Z(eNq3s8WZH*;=TCt!~L5#HL-JP6w{Y&KaD;#=^O1rR>_hUw7h;-RYXmKlEO4;^e z={w-r!9guWM1o4mKXcF>`N0|pMP;KCt;SH&=_e}kRRJ{xr_cNy`&V#H`XOGC5IP!3 z6N61F@{X<{#>j!`oq`qela60IpvqxCTn2P70YMEUUg-~f`c!Ks!tN9c1{E`LYnvWi zW+I8Alo}==qQu5%M6`mx$eFv)Of9Oi>98uiEMtw~(!Y*0i1$A7Xo~R68fevLGSO<`_PPm|?T72ev;B#?zD6gQMwa{M*Ib!DKodU;H%u?GyNZ zGuC43ATt;Au0<_@scri41yrvi6kcP0c_=Bi?BVVwxE{lq{7XtEwbG0gkyj-;*-V-71J!_0oELymf~5l(D@DkYKgTeDp2OV~(y^2W(oS}4Re(jGE4V)7EYQ7z>pW(@ z6I-Ij{zBPlb1M&r_Q3D~lSGp-wt1jA*y>PhEj27&o79(KE040e#bnDdJQ6Z9vq&Qi z0c#0pGp$nC(~h887HgJq=oI^q)n$e-a<$SzrBaKSpc!gM7k<|(j>)%13KZ%lnp-ta zgeE33*K*X6ndqH!a}P*UyN5X%t#(h9HibvXQAWiov5#e*S4EH++n@Bls%@FEyimgn zuiGW+cCFQ=d8^Cq$j@3f>zwV3C?X|a*-NABQ;b1&*O%TBM<=vvQIaL55g5DECLQB$ zYm z)IKoS6`#&jSNd*>mS{p2_LloY_JUh`DU0n^z`v4S$o9-HWDOoM`K|=j9qr2a*wuBf zE9F^NH9@eArsthB7qm2z@O^$yHTAO&irS_SVv_mU04@2w5xcnSOX7!0oPu%lP7Nyv zde9(?~Ogs{$B`U~hT)12l#*Priz{qO&|SJHP=698GD z+zPgQ!S6`294QJ}iK3nwtIp)7lkp@L$v6_-t@`ar{bsAvgq`NHS}b zMF~q?<V7__@S3G&1EuDRB1%un zmS$RHe#yHlm$i{+BGGId-nnSJu4()je&1d@z|N_n}`1iKrGBkWd{Mpw=b(DEFIv!s9Fc_W=a)YelO^B_bca5;`Euk0wVqp~VwPc`(wcH(A zgIf$()Zm%#L!he{6n`={OrhA0crA<{0@I(H7$#GQ$2_Fkw4veCqCL4oC(Sa$<~e9o z^$6~4H4|xhOL3MTlNu=7ByD%LT3$l@7;Hmu_!6wV5V^%QtP6(rD9q7p$bX~XlD}w1 zB@KJZhZT$Y{Pv4`8y<(Afm3VjSsxEL>d#;Ni2(#AP#ia&!N%^=1u z6FjU&66YFee-REQy@^(8QQAN&_G0-9GEv>xr%t1{f|$cwSS;YpNWRxXRc4K=LX;rj z`X`DvBMBXf4nj3as?2aI*@#L&?bR22PQbtNe9>AzpwH$9)Cilg6hLuC=~5h5v{f~- z3f(U46juBf_EmM#j;VvEJ0jip#P{wOJqf@sE`2{FA-014+zxs|ZY5TJTSr#9h6-&J z#kwzi5)NEs5hz4B2w&<<$6}xCTwmu<9;%phXDC8SUroR00nAw@Q7xq_SY~NI$ zH-5>Q_F~JD)Za!1vN665c=?2oGXxx#G95KJ-Go4t(T=UA~aQT_JND zOgZA2XrF~DnG$fWR2q`s$D*X8RVm$hJIvih2N9Uu{(VO2cPDe+B(~I%&e}6t1 z5059q@h>Mw!|8A5!%6m9n?r?sE*So~LO41cDf!c?dHfhLP5-X%!6kj^Id+9^^rmU$ z>b1Qx)5v}AO4hs3zd~Tvm?l}c`8oD4Gbw&3p9;Sxd6x2Euvldid79lLl1W$&@*p8b zjN}$3oD?{vvC3O37hS_#)T9O`%w#B=AvVL&ndmuYHxhx0lg3TUmDZ2sjwFogauF^N zcDjLu!*$>D9Y{x^c@AioHnL;cMMc~VBrEp?d}VHhOZbT!aQvd#?XIS%YB=++d`m?Q#-ZIu=4fpYptV8d?R^`E_F3Z4%=%^PLvW8T?#V7yySOLaHoCa$ zp=@?>7p^rMUEB?D8os#u9$fkk%t??Y?0(X?^&$95?(Xr9s(#tYPLoB^H9l$jRbJzz zF-K>^x1;0X>BZ^EWI8+>93PL>fe%4vw@3e{@oGz%t(8c|4gc&CDcPlJ5-DYwO(c>Y z%4QNt;LwdEk^xRb$ZhQ3Zi3Xf*B#Ua#c5scqL!_!{7Pgc-OkkMF2b(R<1QkAuS_l) zX4#6gdo0q}7FB&3jrwf(E}8+c>7yuPs1094vp^b_5o!IbGIAnq-O7ruL{=nQ8p{j* zXOYB6N#Sdk8Ul;7lEb)PpIvgK+f+?@r2RIMAO^ zlcaGgOTH3W67Q&Lqf2%=FMC4L=qr;a65+H?Hm#G*m-nvOI@z>NHZ61LnWJ^G0j-lw z-rl!PHuuBHCcT?{&Jdpji&7yzaqHGz(7e4M*@Jv(vhp;;8zuN>xKGlJ^X@`iQ|t%zMJ%O>SMje{Abpwoe{yp0hU3S^MzO<~eKg zoVCv%TI#$1&mS$<-F2R`_)d8@H9FM$LB=9;9vd-ul_FZMPRCe=8)6QW%yqVmQ6&$a zSkiIJyipbAeC|8VOj`!j$jlXxy2+QB{fFo_WJ8a@BWfVYFNI}&Aj_Z|VBcBUVV8H* zPovYnws0S>ygomX`bxJ>9-6mP=99yzTq&)n9-*+X8x;^OAkR&Th{mAXLZY`&NVI^6 zKYKAzEq=lmb@`&OP-h*+_-`rJ2^1}+?k2SLI&ZJOVpH`x>+Wrp5}g%MEeR5kN^%morbxhuk|_bE4oTrxB-jle?&AszRPbOB`#_12Q|G$0JFbjs5jl`l%z z!|uNuh5i+CBYy-PjQkgV?b4zdAaHpN@sYm_EDS;Cf3Ej>`@6l}?rsP4j;w$=6Cg-> zKdmm|FOkghy&nHB`1AO!I#*2?tpSUO5PZZV-`&0!H?QumjLN#WPAq%zq?0 zV9HnoL^D@E>YhyFMHOS92>nicL~;h~l|f!Mor`CH@4zZ^SVC&jp=Di30BtlwcAbe) z!%;5Uv3HB;xFR5)>%AhW5qIOlqA?WbJ$Ii>E(X6&E>2I5hG&zE(}&`al6H&wjE8Sd zMrYYB;-UH>5`*(d@@D)fH#2NU2>d#Hb#Zb$Je!_Of4dkDUyp~AA1LjMYShG~yZhZlo!X5wYvAlWA?5X;Srez zT(vjrJUkwb2h)?$S-rtWucAd8ygE6JsJs@4A73Ah&d!EM(@obuVz#=yll+;bdkZhw zHJx-#ggiJp8crtFFoB+&QDLK7e}MB>EPt7G@s=8Ew`?Stt(=i zeWA_1&^jU3bV6*Iqs_k1x*xXL7w$2?m32HcQznf={b5j~ZsuAiK5GUC$@E$xi9>Cm z!i^y}NkrVfjNOeIuHIYM)+h)`@BQ*dFW1W8goQmuz;>*2aF z7qlL(mAw1XeM5|9Anqb>=2u(vs7GH0U_O2{?MiXc{dBi2N>QX5hzgPwa^f`s zs^`g@dEz#Dr0jr4o4Eb%lw6$6J%7!>Hg*3kIBz!d0ycuGm;D6 zlgnI&?q5f2jfLkDQFpqM^J}L&l>S_VVGv{gQudXme*Bpi`gGH4KhLunlzn_nh$$X9 z*Gke~5!|Pb5dFA)@{itnDSG!r%J9f@*M}gQw~qU?9dGB&Ee4`dishSEf|JzJqzmir z1_pR?Q!~JvTcH4}%1Kk^emp@Av@I+I1ZXeG*=D70%9*a}b@`d$9+Zzhy&XsYH-Rn< z*isRfek;H>3#}rOMhvalEK)VrV*C8SD76Ow@i&IRp>K0gi|t2-=PwqCQA-uz_l`N`MA8)&aWg0z`VPM}a@W*59l81bww79Ua zQbD~Fcis)BoCW( zx8k^};z8~758-jN(9Dj)TQbYZG=Pd z%*uGhmGg-!Ka(n*N=?}wmxF{?hD-g0xYfIF<|eQgswPy zXivVX>W{HRb0${J!YFCNjd(;bS#oC%altAFhM3@IxTD||yBTb>z^gm76uPtIV_RXQ zk4o%wftw0{2&nZ~kYmtoX7L&98mD72yasD=NY-v?1x*ui2C(s%Y`wipdwXx>>mBF< zKEyq?X}<~^y&Z?Kb%SfWjI+7%1j~07z9r1rC=u>kMg%vfTG`RSgDJRa}J4hTHsI&GZz~%)zdQZo-;+OqK9$%XMobJ5^oU%;tFo)q?n6 zk)4g}t-STXWe~29kz^Jl=s)ljEs;4wQ5-31ouX&ZfdMcFC#xE7!G**O=n?!gXTcZH zzB*n7F0~N+Ec&^!U7(x5Q_}!_{mCZ0X7leTO~*=SEWx#6$8|TFlNlh$qp=F?iiyNd zGuN5}M1X@xM2En9t!eV!X>`5bnJTmgEU{%?(kqBSBy~Hyh0klmyA59XFoh3)EMM(B`k7iUb zb-JC(fCTbYe>wymT}Yv^aT!6LoknhcGU*GJIqt3RKynCvFEw7;B^n9*!66B588NkD z_~#0eP|pP2VE2~hEPYla zwD8|{Hy%r!+!yl6(@3}~x& zw=p8yLvZdp$B5un5M38vt(-Xww?z3_+0w(Ozs22s`1x4XfyZ80JTa58 z2W=vD@t1+`K`$rmlpt>x5Th_Tt7Eqyeg%yi<+={V+5nLpnlx@q)ex)W>{RS+l)WD% zk}cOeN+e>lil?J^*&X|H^J~+eO6PygC+&C1~p*acJ?JOC$N;x)%kotcm2d?XACtN!47?)vXr55Ug^I^c3G zR)!!T^Z~W2rq21mpUM3%;mpU71wJEh4pxCABChwiK;TDUMIoR)U%qky0E+xD<3(ZX z5WhxbTrLkZm!MK`Ezk2q(Zy5v!reYmxkE zPVcDiSk@L1cSpf%Yl+;o80RH_SBQZQgz3TQ5q&8t0}es5BVvOfVG(0Fi5IdUgfOuK z4Q5IH(=Pp|ajNhpn@5uuCaRhzHNbx8+rE1Urbp*nK+b83{Z&YPUrOR*$dy_FH3NiP zECo0PM5bmiEtnQdLY%6T;TeI{QckF7+xdz0UZ4>ID0cZ9lhx-9q=ep0LWp#KS$wWb=kB1W&iyQ z`}02C3(~)I{mcH+id51*2_u~Q%4s9Q+X4Uf&ioJ_f@!3UTR}jTHmZhySU?Y~{S~k< z1S=A$^p`8oi54MU7w{;%Ml@)q^t zaAAdDVG&^%o)96l=F!dcyWS1(G1%MX|J~>RebT#m43^dv1Z0KjorAy-gbN7l6~@u> zY9WR`Z9^i`i2ja-@i;J_ZYlik&xn*H$?h?r)wp?I4QS2lU3O# zp{{6T)MaKN7j#PXLWEu-$SR0*Cg{+mA`5@zI^Yt<>1v!3^&L~#J$M7{UR-@rKc&)+ zuhs|BB~Lop>HXU~7t*uFd0A>gWUm3~ei(TBZ4NINj?f4-L~W_#~R$nh;GL zYPheNyQMitbqn$4=p4LS*;g!Z5F-(xU?&&Xvp_)?U zFA(~Z5F>A{@z)da1;6<#;6dob3?1h&p>-G{P!?nIz;}QPuc6yBTuw7M(ESCj@691j zcew|~Jns?;b1oykqkyZn>no)9`_*~Mq0|f-6y*pu(MOpZ*J_T+XB3(K2BZq?CK^eOUIH={s`(=OaN9eC61lp*flo>rNRrn@{p0|&>j zq||3Lw_5I+YnoR*aJ0$RFq|V2;&oB0BuACF9@@5{H8)IMHMHVzmWIqTJ@1hRGujFl z$Emv2NzNn5{wTHI+0m`$c=~!0FBR8J&l%Xs|DGmF6cOchbPcgWbm>C2ntr%|IBnVk zg7U^SLwC(pTnjj8HiI};#-kpO69?!BnVxQ`8nNP+g(+GD8nohb>us?+srIVLAFD{= zJFoPrMZ2y7#|q&j#8wFB>q0AY3`p)KTADTHIL*uYeR?U60diy&7erS{Y*HtoNsa6L zhEuNYyHN6GU+QhGsrR*SRe-Xip~!7%n@!96(dSsQTK1EIeLOdcWGs0UVC02hyBE7< z_g+~9(hP1=0`aa2h1wB2ELe#wto^6Y$ZDw_UvL$#H?-)?&PFdkcdXpgv;Xj*e;tCX0gpl1!0DvG5WW_2xLYgRTIi937Y@OSK4- zhG#iTe=taC33Ey#3lfz6x;3@-@E?Oerwhs+7 zk`3}Wk@~%YbL8oR)pZR^$E|BRQ#LLpsXC#5O(kC`Id;|5D{=H?haHSvRe$a}2rF5< z>!#oDRZqX4Yrgq9@`UFma#rSDSlmaK$p6yHP38Z+5Q??Dau5dHKrIMgli1>lm60rZ zkql!>E?!(ySf909jYFd!O}dC8shh)K4s>A%k6)c*KY%zykc_+ut8t{^B-Xm?Ty}$` zeak{$F$+D!OVFKNS0md`pJ=I0=dzblNpWe6&%h-7Ij*U@r@2XB5%R&uI^o341OA<2%^>0^H8o@(o+VpLT5G`F*UF~tJc^1QO04SHc_`Qi z=olSa9VZ>zw$&XQosMnWwr$(Copfy5W=-|~?>)2k%pA-$XLVSvuiocg&oVPny}+13 z0n{c*>y;~?`G@=`(AG|yh5z{CIq4s#z~R$g=oep_zw{OOas};&eApv>-^pEyqZ9H1 zHI__-mJKF&?MpXF$gdJSS;mn@&B%b6D&84{Ud7N(;FnuO%EHn}LkXygWyH6o;_rZx z%KH5Hdwy!5@-M{EN*uak(QGiW%IG*l*YO za^OFawiosQr)NqNgakNpla(>Xg7DEeEV(e!XHu6bqGQhVdw( z0nV;Ip`=2<4esnGq&)qX@siG+-n+iY+n2te+FO^t8FqqKzQ*+&yei$#aad(e;{%0n zO~nz#M@buPsbPY=lj7O~G2rDVw-Xu*mIXK@4sfUL`tSStynJqaoaxcSJvtwp+*}&)sOx{P%{B$^DGX{)nQ?{^L^&!UsKEuY+GJDsj?ya z?He>qG+H6T&P7gj*QaUt>#$BG8MTS5iYIJONoS3dp>Jr~F}oK(O#-US?z<6IAqKVk ze(;z;1s8jljD_L_*tE9`8edeVefI^1?S;%O9+1m9I?kqL()_yDICe>>p@)*AAZHW# zh3cM8WrJ^Ekjc>y3k3l0UwUYJZRl3!xt_oNjNNeH+kJFE2P4%0U{=r=T`vvwy}z>v zOHo&(dg;Mmk0G=UqEFezV?R&qY{L_)xu=hoA>|je2j`?U4K}UH$Q=2l^R=M&G>_7Q zwFCFErKIK!!85hEZn3NS+5KcTE!3KBm)_5dbhAK)!=Dw z=Tdxh8=$sRYIIh4vB4YY@wXuTP|g^wz8gk@W9lyx_Oh^0GzvBqrk0 z{Yl`)0=*O-ERW#1K3-cGOl5{9hff*cih_e^upU&fie4j`%BLaMDeB?$sgdITt4a28 zds;cNKv|RIIlF_^QG3w5F+!jK-~LsexCROHo8J3NY6<=rF#SiFqEZbiO@YyMIohvw zSPgF9Aek{+A+rO=>^@)XC-i}39n8M*ZbE(}%6L_uM8|tW@q|(JE0r}!e@Z;^LC;y@ zr;UZ{+wNok{Didig!%vvpc`=tG==?Cfq8-rWrWnhbNni~?mhQ5h4zy3&jsp%lXmLa z-`Zoo$HCW~AU9A!SY(a;7;bH!K7SxmukV{@Aslye^f?|4hozjCu{@LZGI@J@&VDZc z5!8kOuch#J_C(qm4of8j)8rG@si~v3G9NBV`6e}k@-D+_!mf4?de3OKkc47RA1Gw1 z{Z)!ma?6&*(w10BhP2DIe?{b@g*)n=p`9r`7bh!JkNzrmJDF8Ke)HKQ0$LMqH#|n1kWN2_ zwlFU6`rdBJ?yhp$F<8KG+M)-i68>+{UwGu=A42{)M8-XkC=}`Xf+rd=HFu z+T{NKh7LNYZ2yNjpn_rVGdL{BqwLHVz5;nYu3T#^Xb6|{=H}{oak6FZa^=I-g9otT zN6$c&V2#uSJ{Dg$gyf>Z9&bpm)=SDNrVMjEszR817j2s}zTZ9$9fb6`x_a92rXuPh z{1}MHp+IrA38A(&+Kx`Tmx;-Jl~d#OZS>N(E1tBV_u;04-2GO~)@+?3NVmrwm{EIE zfySVb!8(?23X|2D!mtK(Wt!sm`~Lr-2X|8sq^AVt*T0UTwgXo{JH2W1KNN&L0(DRdomHPXy)l|0VX9bT-2#;=D&$B zgyLKwT|nDR*Q0_ZzEUN)#XZi8hmXYIjSW8oRU;pQ^BPNOPk7Iq*q?!{C31~xu&pJ` z@G;a+xo0sZiLx!@(%T$=sSse&U88EQx8vUBYV&id`gBp^{VersW03J|lhQ=8$xLK` zA|?GJFTps?;Qsq=d5Oxd?c@~_6*`e1Xag#}7a^XMud4+Wvf=E?-4U{7LgVGCxf|@Q zVJ$-6u1xKn@Byy0S_4+DuH#n7)MBiA1M<`LvtjOC6@_YWb6TF8>O!s(r5*ADWpn#fFPuDpHU4J+~9 z$&a;RPkXz|FgI@5)2&SPDju9JW=Mm#e3g)m9$tR%E}PjabF-mM7{7;F6Ld{AoWSTA zd(6YybJ`(gxVQ^K*UMr~(cbz|)*`b79||$GcrfKD%kxquNJWP*( z=_8w4zZj!^r~K)hch0}tp0Oi$9hnWBqyGy&usg#>`~Qazel$DtueWOQBbdxw;lt9+ z)M;-AIEn;w%T;9584Yfh5tF_K;4$y@U}!r+K89P8{g@4p676utVM?BCW6Nv|PGHCV zNl+98WhwW=igm~9PxO*Hn5Ll=FjSxO%^}B~t<-CtMr5OfpVCo#Xby)EH4_O6lgDce zGEJde7L1oINcR)f?tOzo1tJM}vi>SdQt&V!l7K?p4v^XQ;|c?XjF-f1>BfEjE3UXm z$h7rq5rKczj2NAhlrUagujo?<*TIq9lZTriTQ@UXws@eS@Ag(5{{`96+2g?nx2G?0 zO7oZb#?6d%rGj%=I<0h?5t>F}NPQYDDyJi<#vk7WWP3abb)%t(N*dnm7!zDN}lemmD!vQu3f09dj7kd1=IbZ!hPuIBO-g)3~Q~Nq_8K z%O7H*Kh`DVQ$g5h<%9)pbbPw$$z_3Th4xkYk5p$txfA{BDet-V|0E1sLRBuaDbGaf z?$AwJLjNHQkBDGZEU@>Glmg;R(oaVpUeDsC8*I{rpZvoDn$*`WMo-HG$K<~uI zVSCIRur_NY%_YR{a4`qe?DDlG7r(v0EX^9OTf zb!-uzv+{}jU`ZJYa@+MD)tP3ZIxYIJv??vp86r3rZt<;q)ofEv==Z035j8TF84G-K zIr}Zjy>6Uqf|i;xKd@MSU9}XW^ttD0@w7YrjlZU@#>>NeI~)DCsYapP(Q>z7)7Zxq z-}0h&NceT4i&C_B7vUdSnd3U60JYQnA|j_qqgLW0!7*)<33bi8oiH(tmPtGngX!b$ zg~>)E!Kg`X(6S8Av{j!_YZ3Mb7~XuS_zy+fCFpwicF?D+Bz$K#iBDGUPYbx`+wt>z zw6YqiI-P`A(lj5~qzox?hEV#D7inJEMc!8B z&upl`z9f0Kv!pvQ*nzoE7vN~hvekoaO+Xv~y;?_;6&!-ThM4~@#V?5Xbhi+{DYi(!>eWl0LSkI27-Ofd0TKA93AG)$!4teTZ#Qac~-bA z)Qss2QZ;-jXNO(~8P9E2g5`$igj+Bk<*&Lc$}glB@Q?ePbj&bxP@hhaT`>3f)p)*F zLZG^KbBJv|eBd1Tn&;F%!4r@71PA$#IcTsz%k2i0)q`LWVUSL{rQEWq5>&y6D3&HG zqsY!F+(6j+Vo{-CBo5BQ4jdyFy`e76?RNZlk92jb3Z_+ zA=Xt${W*39ww@Ps9J{)SsOJwt%8=W?jJ2w?yX zc5uDNbwfOP=stBJ`~FAed|U|IG2jGQv3InZ>ULf{1jFGtY)~BsJj&GRLSi$)44uC7 z1DmM7N2LVc{ALY;tFf`1c&q~iRS<6~){94dq+1lYaLL!Dx+bGOc9=HjSlgDl z4f}(;jgyZHH(QRGo<00sVU6yLg`k@YC(EcKH2zhjP-cqsk!~MYQqCeA*jqE8hD9+l z&~Q5T&;m4mkFK1ryT7^L%v_ys-wu>H((<8$_yN~qCwf9NjF)q#H@_LDWjik-7~cOh zmD}H&5Wb0rRvtn=>7=?~j4Fvp0j~?Rq(=V=gsWf!9fT^i=YK6B`XbECDK}2E4;L5i zk#BByr91Y3Ua-l6yUsRZNx*)ew`_W{2g*(zC`a z!S}`ta?e$0rWS5!UYaC3=WQ#j|^^>f?Zrl z@+~iDqxyWth_YR_x>~!vqNYHybvD|{u4J&@w)~M zbR#?VH0XY~8CIG@s4A;w-XX~hw~9tZFW1)Js>4x_nYeEP#$XQAx4#Ac$VUOXXv=Da zot7q_eX@zMbcHLl4b}?li1(@rEG92lfVaHzo*o{19w%7a`F{s=&tYkO$i2g@EZ=39&3uf(fGeVu;mlBD16On zF^GkfNn#PWUA-ZT-Y?nZH1A*Xb`J@%a@To2OWVe4rYjq4F7|>bSerwoIxwK?t8kf( zZ^TlJ`ZWgyVZ&XrajjQA=x{BlbTJCBXb0TQ#axeMU-!Z~nk8n0cRXl;_ABm(Qy%S_ zOc}>j*I{;`52u%9frR!j4H|l71n66GFn0wF-CA|C+z7MofZw_>?alN@BSxj#CRy*% z5%tFDu zWx)(X61FdBV&q_gPt7dgG#jPZtBtR;OMqO|p>WwEK0@6%! zmdu*ctaQ~^$~vb0NntjZ*W_jzmj?S5^Moks7CB}IOajQfYhl@{+x{e(m-;|Kf?YgmMBXu`kFb_9ALjv1J*8@>KHU z4Z8d+^9A)J;)ojsnm4r!;rW^?+Hyo~Y+yTYS$=|tBLb5+qAXtpeBe-fWfeE8ib1O| zD)sG=#t~C1ra&sxB%JzUUtK2o-5tS_M!=*;Wk0IFi68pTFAHl_`6d(9k?W(U4Wqj( zBX)k&bJFDNRnSy;P#GFm_>};LJep}w>}SZ`xoNO|Nb{Q^kcP4Mzr02Sf- zH&QQUdld8+wp+DAO$Irx8qg_P{s5hT$b?-s^$3xAXBisP^iURGxs?`T@FEc?_HWoQ zj&^E$nCp#tL0((Y1=1aTO*%h*_qqBWzGrNs9$6;BJkyc-o@GO`^2&F<+C}IpXX)NdMo!+FfZfBUnKf$?eax3{P>nm zcn^LnCeL2obSIp8GMHZ-{spcuhk6*u0!J!VrSt%=1_m;z0rnS8uWLyTpzUV zq7DB{hJz@m*XrhvkBa*mC^-r`$*PqPzXDZM=uOD$KTt4trYK;}yW+n~(k!MxNqU9I z@<<@Xg{LN5SHWqZ^cH;c>`XZ5BP|iBf38#GDYN4aD-q%*hw7n$|2cm$ z{WU-*BTm{;Da_i8!hQ3jbK<**%N>bg`uIHPgHnRnyHh!w{42}@TkAoU>bzXLKCB4M zUZX1k4quU}%07j)9n7sXu7W?rEc@Xi8x@DF?DsZIVvPv7Li&DzGA(NrL9p#I0et^x z`jwTH*2w5&pyEK3JcSc~wefliWcT(WX8|2)&VMSK zOHvtXo8*&7@f#8?$T)2|`L(V7u8w+I=cku9n2)3}hTR_}^y% zS65f%fK9J`UzNe%`q-ABu2)QBR*bCBm< zm+5Ks!a%)=p=llX*f(UPXI==hTh0p|FB$jIYrShL9pV`-h~wYSbicsd%S%${&PYzu zf(ubmqw7rn{{7DQlxI~SKZ)rw`IGz4Sbxj+(XG~#KRk*{h=`Csvrj^+0XZHD6`sXY3BUr6-u>4K%>HT*YJVxh(5ReW5p$J@U(j8 zRBN$g87M+#3jZ$=GGpn6nRE;}NGY3Guws&$ala=H={=;Pht_;EzBrOLdsq}Ho&my@ zezNq`!wS$NnF))2#T^j@1zcZVmVNX*dp>JS09^xGml?G;X- zT0E~fdFZkvPACKsB;JQy!$ARDnjQ~O?-fKQEa$REa4KGF3aj@5^3ZxpkhGkD=Nw+I z;%q?2jLZ5xfSw<6_;$l()01HUI3eimZ?U*6^r?Bq%=26RO9|*)-St!=0+B6tiUla` zY2xH9QQtC5R|~GDjaHB5skEVQkR!p)XD~LxDYAQ<4ly;{HJDzz$oN=6b*X133%K5k z@KVYdHDFOe@XfipJe@)KwAk}7*PhN%>{eBFE~hMF&3e^{-nwnSI`5$x82TcMv_lX0 z%eQ@SAw+4Yj%K9%mA%a0e7vs~p1!=K$9>#49FI9`Ehs@D?*L;Bn-t}rKni3=1GwHR z_zp6fVJJD8VOp^7@^n?ApoO&e4x9Rl-HDS!I43GWgS2|_q>tLxs05jYr)N$Hm812t z^(j_Q#JG8nzhW4H>=9;9qqz6smh09#$#pn%*vvbFG-T_t8y(JZYAf6>^BP<3KSb@#&fh-7E9I}&_T#y@Y`VQq>w zo_30VyC!yqb52*dervcYO!K^zVAX}-w;1h{`y}@(oocHJpa`{gA9mJjPc#r`&$`^! z9Zv11I4#tun67d9kGrD2Np)5H(=J>)a?QU{YgqJ}=v93`XIs3Uk!541TYR+#zP(q( z4y(qI2}s~>-om)KS4C%YV=HbSllmM6@eoOQ270yB!)>dEB~tCJL3dyKPovT^m_ZfH zlPYySI+tsLktIR>xJFZOq#ENpGt_R+SfRJL%!+>u{j9@ti1USJJr94=`bC&ya;nb6eFjYo7q-v(k*F=K{wV5^lzo+&3PdW8Fo&dzc^Z}??2RBzXY}?UI4rvYuNyoyD=)2gdE3U zXtxt@)u5myW@Q1h$sfm`PLat{yNc&lo|q|FE3x^3-&G?xXkpm@LgFqVxYHq0RG~;~ zl0^SS7NH)AS&G4@L*X>|Je2_fAhKE z^VnJgTpu(D9mR07S>ZiS(aIv;C2hl#&B&wvKA4Jm-K%rTopgu!T4Uy1do&(x*pRAU zoSd3w*=XeFC~F43%M-Z)hmHDj>pt0+0&0(dPYQ+X#$$kvr+s6m_BO!0#C5^#lvSd` zF7&~2TeazJga5-3i+k)yvnoobep#C0!}%yw&E7Lq;gO=kOs=V zCJs*O8UbEo$#`Ck@!EHTZGl$r($cbp_~RZ^N7gMBf*wmpxhU}^&e=h1pNg}e)g`-C zbF=@jJ?bC|k^s{wUUvR<`ZCwV5PJ$igFdh5k;^P4f41N4PkGq!93D?a%cL1d0aS`= z{Bay*yU$L7Z8Y)gLX=4xID8!&Y$1j-n;vSZS$d)IpVfV48#q*1ZeY@-W1v=^_>FWz)p!E2ZPr zla{`D_R{%r`Lm$4yI;I}I~@#eYQ@S!Vot!&!i?kdDCHokCXkr@IN7?ha72c9NfYa8 zIc+E!aGP=3?B?M|BK~z8m+NHcJ){5%5ZK)GpuPue-3J_Bz5}v6rH29HQ_XEL$VE>B zDeeXSRGw;(!uUUt^e{WrDe$?>+X^C1&c$Pl-Ty!?k=y?YB|1fzR(LTJbQe&EaOB1I zzPU|GoUJdw<#mc811#VMX!p-jbD&yLY2*zO%_+Xo*$oy9lcv0C15P_=mX8O1*Dq?HzrsEv`SQk&_K|<2d81wL zu}139a)KrPm(wIqfPGENvz1K?aJ!=98}JzEfNa?#K=@0+yJ@!o2o5i)hqt-WU5ktfiG=S^e4$3GMix(5+X=8Vy+YeuoNoe8 z&No#ca7%_1-N#iNaHSf|57g2i^e$<2BjU>`|;7_TyE!LjJ`MzEd#b6~R>CnS@B=Yu{k zUHT(u5Y>`gu|n7$l@Dh1smGUYTx&$z_}ALfZ(Jeb<<+-Bv<c7(7qR1NQzl7q_-lo64OwA0+~Y73Mx|1}X?Y(Ki6u*MyW`J{~jK1dU%l zE_ZW;EKOJ5@Duy23e7g{0x#h@7v7CK3ZA{iWGv(pxL+W|^g@$t;MB=7;}{Gn(2N={tj!hM zON3I6HD+Ov_#m({tzecvDU6yulj+S;Ovf?DMV8Py`4bU!c8=8O$?Z^Af z%#kDwnN=yeJTR^KX#4Pow1Qse?7b1rWLLcEIpo=gqhj=dZ{>E0c$ z?p)p+KJkCPe;mA!TfBgLnCHb7UpRhp*&;*b5mrGprh4BR_-VsP{sVFtiNL4uPTzC0+zKM~+T?>wRH5puk} z?Eg)AXMT4;kA)#kW5qKzC&qGfsDq4PiAcr(Zo(V@u;is)_KfJudkKUtA?k`qGe9Wr z=R)$n_*EZ5M}Q>XjiDs74$@H4?tRQ-fq8_;gV+<-rV($$}x<6?2448zR#q zgUXn?kqN=R8w8?u&AK9Uqd(8~6HD+B(;&+oKbyWA((*g?ZtIEbg_bg0Vn555r^J_+4j{O5Pj$CDswX0*A?bUc0O7R9(d}jke8;uetrksYI^~; zw>`cZs{lR}IUn}|j$zoX#R7MSHo&>vSYf+f7O`4OD76ZiP(EzoH+Qu5;E)}2X5rio z1~p#KkJNn=#t?!ma)W57dX3u3d|=a@lN0}~QX$}ye`*kTd0=)a;BrS*0N6w-x|UIU zcnLo$bCrQ}du`X5|4mv%@2@D5VL^ARw+*~oF8Vuf=j4@fk9?m8Ie>SM4h81h9);|t z+aBQ8LbgcG=DSkj4^`w?ZxY487O`N92Pa2%l?2Ah>tlN1MOh6huQe%l5rv$=(9hB; z_9BZo8oWX*%OyEZHfgLJYHAt`4^*MeFPCV#)`u=w__hjY23lcO8Iq;%pyqUbje$~) z^)fV#SS4U`$|d2b?`qc2Ld;|%a=9+ysjby@8mqd3|B8?N*%=Ox^v7I!oo&Vq{#i>! zKv=Xp_z5GO-~V8iRPB`Pdz`qH1m{N&G5PxMfmbD;NTP9=b)99a`;t-+;kku6nXlBZABjCt-Gv&}`|7 z$dupumR-OzXunRQJJ!F>?=;J!*JhpRr68r6_{z8C7SOAe;)foL8~0x=^*Qnbd80aF`}5XMqj zb-OfC<7fX2QeA)gY#j?%8A(2=3NSmQiSF}+8$jAC&5Rpyuf~6- zIe)^=W_BWz#VPX;XW0*1{92nY%rKY(X)RVk-x4R4;je+EZx0ZQa5%CB4Xa^TFj)B+ z=3i28$)N=+#?Z}Sg!Qe77q~JE+W`W%n-QNa>P~`x@=iPc7{7+YQ4w?A9)n!q^lxNc zA;QTnWoA^6>5Y4V{U<(3+6i-Jg;v;V12ocDyF1|M^Oh8oOyHt?*iv2Sv)fYshcG+Wo9X$CMCRTuG88QWVg}#yZ#8(9* z7Md3MREV>>HKFGtf)W1PGo^W9K?$%CHf=svSV8AeG0v($T+DHRuCm`AF@|P`IR7Sq z*@#M!$XY!u`t)3@P4zJ)K2cM~ek4LFGW4&8JXJ}Orf~~xcyWFkNw8VohW1}pRZOg@ z+^%LFDQz-6+(??B<9I32@cJl$p+Q0+_a_6>1{qHQuWRJ=_(gJy(pMD%k^TJwoEjzF zq1<4Il5M6)iZKhL#5Zmsl_x`Nl)dol`l_EAUa#=6CpY!5Tq(&70}i-o9GqjjIw*`&`e zwp8d@wK!ZiyFcnU$R&Ox(($HDe}-%>&p$HZvO74PFD$+RMDSzY zv4mdg#TALAZd51+to*=TQ)Rwa@b;LVW-EOEBU69Kjv-q?x6mQIa%;D`4`kO4FemUn4M=S)0>&4uX=TaYoru~8Q zLebQceEmITK&6`>B5OL?b84P-EJqDva4Vg!LZfkFmn_dtHr7b6nP zCd^+=H?B3+E4t2~uIPOhjCZY42%WeT2rL;R=39zy$*JTMAPW5sc4jW6L^`CO zCbGa*f6}s%Krxo~0HPlF4sz?|mOC8?w$~%}PNdnKU=$l=HWob6^9Q~eslIrAdL#z_ z=2VGmFMQ4C?e82)8cgOoA?dC&jC0P_m3c`YVVU%dn4?Q;v+Xug|JOUt)A7cw-}5O= z0Dc&f%`GMB>kaUm^x;@QlEHFQ(>EBR z2nCOY_Cx~n5l4b*ubmB>27~?`|KL<0a*X?%RcpbypDT&zyZ=?r2VT0j#XG>4{sZm8 zUfVa*>>M-%6ge!K^nlkmAT?UVAXh+$!+OMLFRk9#^!&?IS#POC5@0xQ&w?lD_w{_S zLzDp6)yM!GTJr}z>505yN@MCBsJvhKTg&mAW|o8(9496h4^9?GIBj$}!dn|$`(x{X z^mA%;5U4&hG%~YZ!+fyRxE+t`#3An`+()PTkXf6I&|zO3%zT$kq<7Osux|W0jGXQZuToNKoXI%;j-j!zHI5Dm8^

i%EV(JcF(IQdXZxM1-q0&@1G4n=jMDU=L zipg;F;=*t<2I_2<gzF@KU8Gef5m*ABFD z@AZcoFttS(h8LBETk66@ja@5tSD!5>A}{Amon#fKvWF&fM%u8XGqEC3ud3E~S&HD& zG&FF5hRaI_{XB>zZdgC&%QLsf`y*#Q$5s|)vugTdAHsB^JS3UwXe`hh7w|Bb8CrDL zlv{`7E5IaOhJo@p188w1#wtzeg(vqp8?OoMX=Ho6peQ8lY&KttuXq!6o2D`g@EVOykL zFEsYvN`H7jcBMyv4H9Z~E494hDJ6M{h8d2Gf(*d+a?*S$TJkbM7Nj_5>82sfl z9AqUuq$)8wMrb`9e2=M-#4@tsL7{j3g=vCXM726ddxOO+QVQtQB(Z*hA7&Z6z?^7m z((Dx+TuFv7d%9dmdh1(MbhTn!=lN(x1i5QF%gK%FZ)E-dOsH%i+3QO#fEl7Ju8eOfd4p+skuNb z2seqNsonQDaVZf;BGZJ5=sfZ_vm3l~!~2hxfq_47{jLz zNV?*@GM{7*pC78@`+Z7#vNP$$oG_t^E$#ATO}{w!UDDr_hJ2O#TO}E>ipHENsxA2( zdSMbulDs_WK)o@85>C7v&I#|Ks-Z>kdC$^=!SwErZ_*M{ZGSuIamV5nL{~-APiN=8 z<914j?yRkgz&3sGXEvncSr-i&1$(DeX1^CjbDij%W9^MBV##>@4atcfPnWf6qbKLY!dW#QUOXou+NC zk9QAb*#nUbGYEVzUHh7ZNr@}JaDZGU&(rQ}5@MBLmf?V9xs$_gbCUVRoKDGPx{l3V zE(_Y`GUeDAZ6=8G=>QLY0+b|a=A7Xu8W__=3fEHX(`^^x5!%rlta_NYGXEJ@l5Z9} zO6jH8{VsA>Qh`O^M(f0%D(j6OMU!dps6pN53EmuTU^%S`TX=SnBoLQ8glkymng`cX zoC=+|sI14{P6dI+Zx->rQ@Y-#u5%D~KB~Kth;F3Bg@m#}lFA~BVYhbOH+9e&pUSMi z^Kj=VkZcK?L7FKnT5iycmJU_;`{r>H*6;<=nzis2I~s_RG$;PLT(E>dj6!jbPA5K) zSl%iOY^Uq<&!%FOzp^2h(H;9&`xVx)`gsU14T(-2EdbjcnTzW^alNle6-4^Zmec8v zvL@Im6*>f><)^RMfImYXajEvD?BK@{#jB?5Zs-**k$xP+&B0r2{oO5rx-StyzY4Xa zl2c#OT%j#1eqhq+o<=lWC8hBcBzb75A`pwY?ZPn+m>8JeWh}dfmDs{H)LrIkvSsgOl!;zb#32tiLXSzs&iPcK+&txA7f|w5fuF6E_+`+58acT0*QkhL z%F~NRmz-l3O1K}kxzLLShEn+?$QA!(6t2UwE(nbA^=SY9D}P29UYmZ$@miroJ{RaF zh}pun_QSol=AOu@vj9F2wp&#+Eab?TZ4F_V^+QQ2uhNh;fEi`MR!)a#3t&FEP&-%jMNnQ(M_6$_&58bVm=y2U7=p zHBFqOUSv~&M_-~PH>wR6)2jax#`@ODv|xl_Dqt=Pwe;4As@K$Pw+Y$)hxk)kTK)X( zujWeCW|_-gQZa?uMD+O9qhI79t#1GG5#OQ4u*IZ_p|~3+0q;WF-V%kd{Y6ql z<|?SwT{A2)k%5zAZ?T%9h+-RN?j?2FR;gQN;&Mo@zG4}5BZo*E!c_(wa{Lk1A zDOTs|*!X2va@x4~<;*aRm}gQ#nYM-qRqvA0M;wLJ)zw`ZolFc3|9pjTTG+Rkbmf6b z%GfcXH2y@>>_B)bN{5`ddK^l>ry=u(zX@`Ou^ptJ5^;boNXHb@t5V1&W(4%s*U)M@o`I&)BZr~cpb28m zI`wTlG9*Bt#*jkQ3OgbQ=?B5>dQ3Pp6M!I1zrG9m?!s>hhQK!VTtD;zOKch`<$8aD zfdZ2mf(xt1XbP-^*%8}wP|mv)nQic%?{dBYjH_o;zg9{BGqc-gI$zMwr+^VX+M~}C zz@ETZ)3O4nj^@)MwSF2ybN6W+Qr{9sm(02Od4_H)d~^3}53pf@0aN@d+&5vLc=Zf& z#Ruuqwj$)a>7xeEMb9?wr#t(1h2~~qN#S|GhL+Y@!3|&zDWHL40NA3qHE(7asr>~! z9Q-4o1US@x9<%-z^1Fd}dq#b7VM{uKM3b;_zxmi80$nzn?Plw=s-t}19Fw5RC0Sqh z{(1%ZgRrV*ID4+qQ8NKANYC{pKadL$JY;`@w(m$xfWL3^LA`gpE3|Zjf{*wi-t0g# z0uTH_s%0ewWdBp1t@&PX-B)xi$Z=or1Ho6FSwGkdSlfJ$tt-Od311Tj&WFeE{oe`4 z7tVtL{wD^~mCE5)%~7E^_@GX%;J}|OxHPI5W@vM}RMFUDFW55QAh!ZxVc@NN+5&YS zZ2Z5_9@%)VL}%4^m(VjH6fI5iHib~52o3#tZ{spCl=jg!-=I1l@!w3PD!k?p4A#F- z(Y{ezIiW_HRmbieuq+qd` zHXpta?2(Rbvsm7+c8$A;`sy#PSvS;t;Cnb{nFNDH`U~l`8jrFv;k>qCyl^!IrvqDZ zj+6#IY4O1`&5E3RqL`ZE6qr-{&-C-0CFdZDsUNcPZ+f*uGshXqY~5x8J$*1*2x}2V14bppg%zbVlnh<`nBr1gJoV zi`k?J>pzI|4!M%?sK!~xNp%rG8%p3C`poGGLcl}L?qvq&H^W98PQb6OiHQmDda*J1 z*BRu3W}aLi91#^ApAbw?U#4Pbp6rg zT;!j^SQ#UNLt+inQR5LjyV2EdMa{k_RtgprAv@J8vgZbX-5VkZs1w6a*;<-_g_e zXMW=dWhfmB!grX#>WVOs?w0&gWwo=qr@w>#teH?wM!$L1<8BXL%l z3M~)&Jj?&h{a_y^=j20fn%bFBg7i*NO?K$6>%|uMw)ecB`k&1u-uH53j|Td?q3&(v zk_sw*D1s*pRuSRQop&Valw`et9a!a&bW6}1gcr8><+`KmDYV*K1dtlunB>#>KB>jO zFz9Tgv)&Ga7>zHE1!i)jUj1?de<`OV+%d6w0)L=Nu>4s_NX!?qvXDp~xgsHeNU=ax zzbJ$oV*VXtHsMmK7GGI@90C`*E!9K5KcSbQ()`Cz@0T0YbRFR(y?l~~O0efU{(eTw z5-#s5#%eIh6m9>Q+aUD~{VH35ha2;fxOSL+oNqB?j=iAe|W8vq+Uu836cpSUJ z@=QTSiEa*$5mwBn^?6}}_xQGu%GUNrN^V`#BnNYq-Jw5XTHti3a&v_@gT^R7cU}C* zYj)D7l~ap|jJv(6vvyOBqn#es!U+Yh>EM~_S6_3j8V?ZiFP-K#3Z7$Eax(IBIP)4T zP(Wi=V9$Mng0iYFB}DsbF;TqB#a=?yOubt~wY}sNVok-&{hcu69gh++^5V*iMV~~IAV68&2r7=57@NIF6@{fceRhgB5hNdl-%G& z*?Un~i|Lk9uS1uKrHkF_kaT|EdAoOuH)9f)tAOd;w-Z}NCf)NeuNLS2ZU5<3B6onT zdG8X&+raA!qaoxRly}@mcDo8WAqo1o9y6y)ISMXVT9PKCr%=&^8nP4ohbzrNBIxXY z`$*>EOng~uz)pdcB%lJg-_~Ya4HsHJT!tY@q!I&Y9$9MM{uPpt{*aUQQ)@3=4iD|v z(ulL=y6?Itn_K8e6_Dz0tmB6X^888Ec(jw=Rjb7Ml>LbC1Nt5(s_NfYG{7yhn1^&U8=&m;vsySWhcUTSa^n=lMs52B>Jqf(BI( zA!fcXax^H9_n~;IEq!kyDJ|M>ouB9zSAJkmSpkw{jw8y*U78Z@WF6FC5g@K;f|2=h z4cd$Ws;&Juc8#{3SW0FKQMq+NzxnU^7w|}Sl(S$~Gq_-|R`jN@CO^ji<>ayWFhpNcLk^D`?N&*rwpf|m)hiWsj7}Juc_NB7M*$a!UU{yD+!fRM=?`+Qx&E_ zQ2)Y_sP|xn3y!;3x#&+q$jWP>pFuj68`v)y5pwfb^V3(5iSn5|5v>cOw@U>d4mxPvm#pp~_ zVMMD;`pTd_dAwsbrAY+iH{3G1eax41X?YfX$63U8VR;`ypPO8OOAUF^O8Xv& z;L)K2?BA@BH&3npm)O68UTW7!>jpRuieOqUxLRF8?7rQ z?^>Sau0v!~r}QNZ7jQ-T(V^03vHbl7bmgL93#+S;ra=4LrU&tfH}ea~KWW=V-pud4 zCzM!o*&yZ0T`gBKJ-`9u;o$h~u(zb6(Pe|cN_~{M_2pf+%YN%7zr2f1p}@jngh4d* zct+{a&%Y~mAaKet2CMNykI@bz3=-Qe6~VFana4nMpv68o;1T7g9o~kdHxJ%py=E5rHTM z1xR8#eb#-A`+E0D?y6nWE&!xRx7)*s_@mn*fnC$CJr6ZEQz|zKt8-57ve=qGJ|ui> ztP6?-_peXiy}wplGL^&9G}pF`BiNdiq_qx`*4oXi)0N`d`AF$rv5?2f?l70<8JY8f z&_rsDb1+HK)W%vlo6pvuTAEZfYZ+`y)s6{feX`GJyjN?vlA8!qL71;C0mri}PDrOyvU^6JYp6^^ zu_G3pyf(9WltO3;NB@SsCFX)J=q;w(4qc#Ye4w*9h^N4NNT+*tVNG4Q}A!Df& zkwL?eyI<8?2sm|bVKJ44b2-Okt3uEflYtAVJpipWr0!k|8Dqg*q#RBss^F3_#~Lq` z`c{d|z*h}x(so04y4vq@%0kla!r6A6)886Ouj47>h336HykWWdW=1nQrMXll)cGC% z-0yd>_=&6uS4=rJHN!!UEYP?x!mb=aYtSx)pWzPPU5UW9EN*>QJ-?U6* z=Lwz7l6h0T*7QL(bKcA+tf|QHLPju+Q{dG)>YHr7_<^*8_F>R!wxkZD;sF%CxW%?= z7pv5TCh0quiNr$B^Au`p7Z|5iDoV~x2(7}p&I;0+#k$VHHX8Xny`@PUNu-)m%~tM2 zzxz{{45mer$CotAK}Ku9pOT}VB}~$3DZSM>ClPcklo|IKitkXe58j8;^#h64*-zwP zz5t^)pu5fnbZZ>IAe5~qocSN!vh(CFu&lA4JVx62*83kwT8|J$DA!Ui3*WG%uGB|u>oSjizKSE zi%JS^Orv&kPkp|lcfOAMJXMkk14$+4mUAhFWb7)L2&9~!N)1t<@ITC)u9c%#Dnhed zp}4Lrrg%}Kj#a1l zX~LXCSef=bwqE;OfH=czsluBU=Hx8Pc!uLI@WuBG;roZ})rr*pVH?w4CuJL}r6Z+s zt&Z!NdAbNO^#)8$kZBxd+$4)aOu{UQa~CIT=;;cwg`=lEOiyiiO-lBb;FKm{aH9$V z;fCHNlFx{)GbdE;lHSzb3IUdOQ+xY(rfuZVZc&1>G0Le#0IZ5=!VkMNrAg8tQx?U=6gD)W*_ipUa9Bi=u%0fQ$WynNy~EnY z7$?ezWe^U-M`Vz*Y#OI9){hwt*(J+jkN_cY5U9Y*jL{p=pFod5W}67xG=zlbvG}dJ z*hO9P$a_$(z2;ddG0=jz3|*Bha`#9oEI6g$2D}AAzrUM zNr*5~CjPLzO1AVYf8uABRJXDf!9e}o#v40dy9t+ zsigc4MxD(PFyQipC39_cSbQ@uOESI>bHfx@)>b)v50$kMKqgtzmO??uqsY$$4l2Sjqz6Wq}{G!BY}4H7uyQT4Ix+S;D|fmn!OP)>(Q? zS>K~T1+Gow@gygC7E3;?rh|e;C78>fPGBaA?BnSB6P~!(V4_2#u`M4&poNY(&8Q

_*}h4vzoAs4d)F{_8ieT(N`*`epD&4?-D&p6k>_XL)-woO=-wjQj*1TA|X`L8>b zWmf}46dwoi(L_3MGAM@e;Z8A(o6|Urr!+Y_4B9~}Xzw3(kqol8hrCJcPd`|%HE>bS z)DrrP^>aRxuVS21(P7G*r^7nQSV{<^A|Xg>P#WNLCXdZSS8W#b#0@Y5nB;GX^Ce9V zXb##Ct>{2HTkE%M$bq*Z2La^D9pb%jEgfo^f2tcCmTyIPIYV}3&cc)x4OWnl;=z_PhdB4 z+je`wyXcwPxbX+&c)2*0-<2$_YLTrKTtv!%yx(fog;pr<;*L>C zA===B7IHoei_wT>DtkpoBDn89@X<)kqIa;e8M}AT+y0%d?XG4^@4}pP_TkhzXedp@ z@O9k}_S!)UgV=XgW*w8;Sw7nZlj}7PciV${KYJ-n6Prd&vWs9j3OgyMX!Lq3SfurK z_x83Q+5?I0cn@%%)vn!xdiNDxn5&4bOn#bOpakBAbw8EDKSd6-LAxp!hlblB+&clg zXJMe-nS)P*TD|6BtK(pKrZ*I}1H6#jv7z#J5~CV;GFLofNu078@y$Z;b3_!I&~X>X zm**s;NuqRr@ReFpBFUkXCynr^1G5%c22>OQ3eKq{11<{A8K~%-(&K|wBh+f7WlK+Y06-+@*=J12UR;&lASe8T?tO74x^lPBnxe8TMaO_if!qBge|&bXAu zTA4YdZ}2Q+OT_syjGRMqo(Zz8Y#-zRLMGH~Ucm>*?TmABf_d90zISnfcp^HB+QbUR zDG3usGon3n72&@2n&T!zh~*L7xs=zblcd} zz@)Dr$MKw>x-{%j^ZMN*F)R5eO$NDiW5dIB6YPW};KTKwyn# zlGb?7>lAl&0PEPjdpM&#BG+&FF4Irv+sPeM3-U=DI=N2m$r+$t2DCs?-%>yX>DiC# zdvGT^cqftbEzgP+Tx44>NUsZ`xY))K=k+E2(L!wgYRa$(wIF05SZXjf*I^Csd2e@5 zt1+78I*~%#0yWIl#m!wMZmOU^nm`Of&P@1|ieDeaTIP_t3Qp74E=N%x;1OqXVtl01 z_f71m`ug4IT7G$gfT(RBnDck}8@*K&6}=o^O=&qdjaE}SK3};x5ag0ar?JQikoaE~ z(OAlsvzW{vIc4XzJ!Cm;>#4NY@WJ=m5c+azY-FI&*NoPvh_zVjEeGud8LLx^--a?c%$k;DPUnyeX z4S#>`iZK{}A)H-Fc9-)k-E>WkR?esHwN!cu2!(nuiBn*6FU4^w*xeOu1R8dCciW@B z0;m2~xWy>5K{F}~e~~=tu(69AO$Zz1Wwz<;nBY?}Po?0Vu}jVq75-(gaE*kfUb|Bb zz_QssXv=JHp&wN^s0k}vC-rnhP2t_RaDz3LA8pSg1RYJZ? zIWH0cb3WxdaGpG4^E{QEYOoR9ack{-Og1^ zDS~P(y3Y2ZiMxeriYWDG^7KwnzSyFvD}M-$qKZ;0MN3#5VCvrC%A9ELuvd$x4^*9k z(0=bWdL98IV`%fWD5lD=vt<>-ZH0B7Lt5U+I#0v`$Ad!@Yym%5f+*_jE}?3n4PEg{ zQN1k2Qio`gpCM&ZnU)}$y%d=%!TFh7+FEaj3Z^OYT{ofH0ywLd6q1@_zuWw&`yd8; zf^8ufTMJq!F#|W|mSsKn2D-=?O=P=b8Xj6i7R$gzAepfrN^gb&-ZemXy^jMLxVJMONRjbI%^$@B&)xpVh8$ zih8YXN8DS%j@WJaT&3gk2DF#3jX+d1OEs#mTJAMFt=&PT)ZXBrb=ZcKEKj0P#Z#b4 zM$S^Wf{MiPERb6~(9sLPNdPPTBsIfhI9vi6GN@GiBg@S%s)QO9aj05O|Iyg;aTyOI z1U5kk93Xv9C!D#0OIBXg+KrTFB@JYeU$Z8SpnJ8z^B;Ibk0rjHv)IbK#|UKjPW6?CI=Qvpd>W2Z_^Al`BFUsv;%zPMU~Xv%`uAD;m6I z5W}7OHt2#9Kz)*y3H1CZs=lg|U1GaSU{-Mph!62pNyT7mbbQP0Sm&^I$4s%%DpEWU z9F0lxxwf30BvLp5V^f^kZ~HSAYGT@6T@-BhoVQjxOl=If%F)Wa%FG-?}xI!Jg(6NBmh(7P+eCtdxjR9IBA4Jy3w-CHg3 z+7ol4sb8D4KF`k`=KuHq{J$1G9W951Pb}omVu?{%uH@W@-Fr(J(^8JuIS9Zv(PugN zlUceOnFWi)EkUS7p+2cBeFHfhBOQmlhm9`KXn|2yhwBVTTNLeW#>#76_Q)W zw{gP8$m!q?&^g6jZ;Xiul~wrn7#Jy4*1dPG6Idb zFZaKRNYoVS2f&3I&}0^;Y6~j1_~jmpc(8>JjC>axL5u z@9pe6|9a0NReek_SWk>dJ(vbkxj?2&6MSLJd;Qh+#HA?=29d*M?Na4 z3%>ZF9dtT+s}EML!MuC0zx_~p?QUIqt(E`O9jnNGUHKjk3m6t+KIHdRAyI0J?ZIyl zDBYdISzl$z=3RZAbh70%jAgkBj=w*+U!A4t$Q@Mwwq4cqGNtwMk(PBJaXwDrA9wLh zY{T=lEmV>c6n(h1Z{C6VBLaiy2{!+NlN0xf*QL{&Ya#u9(Af>#!3dkZMYBj%bTK-= z(XsR-tQFbfJQzNLd&Ca(Wzh~B6gC33L06@gsekIyMvJgS`KoJgr>njNYMN$>AA?Q~ zHFi;<+KyA$OpLa+?&|2Ws0edZYm|-!(b4%r%H4U4^7_1xsyewzD7uB_(nWJQuv2kz zi#AC}RrG{rWEO`vf)q1tqI?yrGV~LcOs$v3>aV(J<^}mK(&^1a|ICEAb=rbGn%ocGRQTpxjAp%g00S%0n{7XG3xDf zjZ-G2Q|8KVf!u7eU{O`B1(?`AP+dagrtFsNDG?cz!s#!s&fgwi{bc~5_Q;e0sTK(@ zB4RU*;ATx{S}t@k!HRyx<5VYx&t~Qqt$bG_UA4iPr}afj_JUST{h3K;1Fz|UTY0A?I?ro0G1<#qN zm57FMp3-S-WTHG{%#`dhKe-7!$$7KgQh~wWbPc6XTs!IaESpr-`>tJkpI9jKFq9a( z?LsyM&0}R9k(6rrjZ@05VM?xvIFaWLCFIUrGM!YQ`ksPK2DHfeRQ}Wd;aZYMP&%K= zH9TE~S9OCuEy(W5KRWJ)w)ZMBBF;AP5l;E3Hrs< z>6G6$(f4W++h{Fqx0W*VUcQvx*RT{6fWP$kcJc8c0=tLkYi(`2vQLswVK1s`e+B9H z8JlqtmkM|-+r7Q7VfXeNB6Ji|zonVUtX>rlcE5&|?BbQQ?Mhl}t;Ezf8R*CiD~oN>{Nmi1|*$L$Q-naU*tYO_An|N6s#WzBdY7(|ReIT6}A&p?97j zAn*-dyGv%=U2E-~jc4TDERU!0Kg(*R6LWWib{mz`J-|XPmfP{`_RSW0a~-1D3%Ulz zVX$YT01itM_Urz2-&7c}fh`b2VPD=gFCSKf!(p7}8J&~&S8rTqpDlHToLUl2w^aFe zwRP-$4L4;E-IPOj<D@3sVRra^Tx0PN98RRtuMyn_R4d zgkfVH5Vozd*WIsSue;h%gKLcH+5m;x2a#tqXXAOLP%qY$^ky8O4Rs{?O#37@eOvG* zNN$^T7U4~6Z9V>HkumZz;X|8FUTQz$#x4h)tacEc;NZ(2L?<{Xce1MqjMkF43p+%m zU8Szozl-y5BK0f|kw)5;VHz=MpN9G|(DVc(2IxtlW+$5ZcNgQdlKA3o#C~vS4x;O+ z{ngx5Sm^6x5~@nhM0-UXqyw86yjM%f<@*yZ^5Z0yb9XQ9m!gNv9JGnVOBz$*!w@zx zvY94eQ%c7=P|RffxB+@K1FV8~`(!%JhF6M`a6AnH=paK6uJPBQdt@;+DOxajaUE)=Bk7!O8JcSNK*>WHbQM)48l*V?=dy2%#HSaFIU8Oc!0yT2L>CrVU z7~D9!c5m%C=hIonZy8}w^KQz7P`v^3B1@UBi$e39O=ocFzz}6@a3-+c!ta)%u2#d! z_Sc}vwGYHCt4{59t{Hi1tuH+Ij$0$9JQ=u`+P5X2GKmyP;B?Mq(wK2zC53S+2Z zZJuZeOcx@xZH;x0OL@+?pRuZXY;Q)}#$O$-hf_FwMR!0{#5Rb5K7fzQc2Cnim|wa2 zuYUT3n~)0#+h1!!EBPg{{;Au}!%&VYTv8#taKPJ`ItPMQj=`53-O@BvnG_+2&`Xko zTpb&`XGWX>^R_(xSsa1~sF>j@an@yFbQe4OJu~}t4zBezh|w)1M(--x4^$2FZtbJL zr1_+u&l9E*$fa1QlI=~=tt;1Q+{SK{ZgrGZcIzu(04-$7-BmmQD#y5moJ{y#N`^W< z0IIDKD9nSSutG>NBq2OY6BX?)NJy0`m+&!3;N{TZ!JRA`Wl#DE9lr0>?(XOEu?H?)tq3K#T@jcgbHzC zl6fmxY8G_Yg5I;BbzG@q7>m-Mb$S&|1Seyi-(%`Pa?jPTQNv{>C|v{+m{lJ_Q})le zMIo|Cimv6XCpl}2((TF>1;=c!U^ zKTYW+8^@^wW>K)U25UMD7JB&QCK_2Dj#wx6s{ml{7gcPcUNz~siMeCf?b9zSf(kG+ zS`u%7@nwPm8Bl})dg#L|Dij%TN2|ux?(Zrvts__;2CXlCDV?9R6|_6HmeyWbwbOz5 zNtv9U9AADodHwF^3!MLuah^k6juI6E6u#wgq^iLRW*j7xJF62;R7wn&^MqaFYMq})01?|@2<=eP1KXUfaCOb(0hxYy564}x5 zN{Svd6-BVQgLgE}U-9fzOE^b5#{i`aXj`Yq<0OG1cBbov8{77+=u{cI3g~pt?$4-lRRvfYvVrP(T2z-+U zkK9<2y9Cn+U4UI%M{R$Z{X{T`2H$#rzHP;UICYurP#xB52qA%YYk)(9$P|hL%x7Ez zQO$}>I=c$JpFxXsm7PXRW2zx^R=AT&4y5au8vR=LM^~g%st&gjZQB0|oErPV0j5r7 z83(1aSrl11%ee6ekS$%FK{EYquS$F1MsW8ZS$S&smF+-o8wcwKvbyK3&ZWvTUDrE_ zMZO4@w)LryrA+6sD3fgH4P&fy%9`Z5Zo{%Ycg>PmVa+xX0$`)pg7Es~R=uuo)!VO+ zqZh@nCV1{pih%=(XNSK-tlXiBldDuse~g=Jw-$!XEf0p%m!)eY9+W|_B31eFK5NsC zqAO|2o?S(&L{%15fPj>4tF8Hk{H!7#pdog3z%=$C8KG*z48b=Inz@NK==a~0OEqU~ zlt5GH2_rPj3!0F>9KU^oOXj;_yLQ;}%3K$dQbT4}sX>HUJj(@!*D>&rhv`&zQ}7NP z^eR(K0Yhk82xSUBrS~VcF`-z0i(3`Q+Pt*m(ZE8m>@q3FajNOH66W#b_Z`$j3)B+^ zNIrwy*eX%bmZ<=;ZzEL(XduD~lPU`-_0VrlXrO;{Lmt>6yX&8sFKVOh*|$)adb6a? zcw!QMXr$|dsZ0;0W9r^`s*$F$Qri;v!@sl8Lztc&)#0CsPSDoClVio_aOF1p{+@Y% z9s1G(`to_{NiT5yS>Dbim$Vr1cbeJK+yki9j*I46Y0oX%(h7G&-tt>U1fP0**rlH< zD_1^YbJUNa(p5whLlocDHPWa*QlI%3S=UnxlbET7SoVS%sB~&lI;hZ830}!3l7C`s zu+*cs&S5UDV+@FT0-}C7IJItHE$L}_sz*%>fY*d|jo7a>sbV<(YTZFvIqO_7@;e zZN#`FUN7WaW_5dp5vAA?0*xjTPHiW;3*GWJV{}TUJSq}KhAgBKYg9Xcl;43DFJt<5 zH^ROxgn8iEN(32lo{K!AGp%&Lr8C!m0hN<%=DP24#chnv4&4&FWCR=sIV98yIFV5tPumqX(QMo3nRCKA@C&*wqCnqZ2 z?))-v4qs7u8uZ{HlYmTFiCHmB;xO@ACB5M^dPx(ShAdMf@RUGrF5JY?&b(8dxh~YD z15TUPTvJL-R`MRtXqd2Q=peTJ=6MJgl}YRJ^rc3@2h8{#X~o zk@9e@!qRH!>A-Bvt`^fFo3m_Q(+xPM^!{3j4&*;^H%19EA* zp*c7Q7EakzTQbCDY)q9XloSbaukYzpAH1y(V%)9?R_hqoa|wbDDXDV@5uWJ`gse!(kd2f-ijhrM zx?)0c^@>fuMvWV}Ye(Mom%b<gzTR5UsW<6HQbH7@gtzAOi1u2;8Z6H+75; zT28+0q*_(7n`kHQRJEwKop~1OX&vJ_E`eK+>^u%_InRB6UAbbTeK06%vu?JBX0olSH0B)Sa%5BOn~Jhr)=>ny1m!Fh zMaEnUNcq0%VIq{fUiY0+bdSTyonWt&C5hO9T;Cm?SE`>4^o>7)x*~F`1eZzx zG}BZrtYoeI|1fw zmdwlj)V%Uf(7Uavg7%t{Fbx`Dc3K)}G*Gp(2ennFniD!G)zneNM3wDFYvmvvF{$sz zVk(g>s;x6=$SOR*62X-1%F91o`@De|=pM7o^oOar?~a((92Yphb=z=V*tAmD8imn9 zX?WB$C!up*+u)44>J>X?p5jsD;%^-7?kbK z0gPoYdmEweuE&;-|n2gY^6)6u}Id#p(yvdWaYQDH*k0G{B72HS2j7VkS%-XX{B z_umjc8bK~vY&<1e+uXuxL zH#3Je-4YMBLONIn{8sJ z!Py^AE+I`#3(CRY1y2br@`?N+^eh^!pu6_~Gzf~aygbk1DT$P}?KEO6@{Ztp_eLy8 zw?ic3+3M}W)u*9U(6-SWEV*6~A1LQ=@v3iSoR|qRn9!FryeVd4as6%fn zE|NQ_$q*(qQ?)t!U2_Qq85SyXy3lnyl@p&_@H>rr$^;{S4$vCfHEU2pgOnkmzkm(@ zCq~b}4LTesm-XKB&gy-tPYYCGmAax0C+!1Wh%LA$TNYIi0(1^7P;5z2R^n403T^H| zZyeOUp&N2&-9p))h|X0-@9vv-J;`0N5}UbrN8=nfR9Et$N!O#1wl7f=vy(HS6HN1b z26AM9Hmzfk&{y}sVI-+G&T0E#`NE(sT*$}JY^(I zZD%Q%oJH{ZSX2l)v3)28Ax{NQ*c(39%}-t8z(D0|ILJ1^+jj%wFxOee!H+b6OY$n? z(}A&E*Z1B);9VEy9yVQPNL_#pz*0dgXdl+R_8P9FgkT})SOgYTU4d1F6{lNvaf|i2Nw)Qzlz3(nO^nU+!iER+S`Lu&) zw-hP-kj1TphSQgz58Uxg5-p&3h6lBcg-*V`nEDU$Sz>E34=PTjnO% zu@mf|t2~OKL^6*g>C-s_WC%$EN2#)R99U#ll~YV&mxZ!lDhg1CoLCqp z1F)6a7TSCS!rkRh2xiab;sZ{$4^2r1n+$?_e90>bhMg(fn%xjKo#k^fr86S}sxGg;{EA+-RR`1= zz{|%e&nGN{+$OkVd_0C#rdSICq(OUT3j-+Uq_=0QL1_E=-fAwTlUxl_%gb&CKo8?) z&*5eV<;Wc@oQpC6*k-qvICscFa(Qt33n49d)ukV|O6%~Jk?=8hFS-0uf95_t)kaIZ zfwU@hOP#t(^F&^ZMkI-EnDrt?JXDq9>6HGHr(if|H)03M$mTnex{ixDVmms^%G8=| z>Oq?sPgpR?r^&WkMyqBS51-+lJHxh?lU!!2MahBkBm~oFU<$x*X#+_vuj@8~(XN4^ z&%p3y?qx)2OC^kvrN%-(w7?xr=`-lC03{unzeSp42uGvueD9QOY33 z$AN7_W#5bxK-=2h1Sg&>HYH)NrySCz{nk?gzgMv~`6S3f)CY0p3SyL$c5yd}bCzhb z;iu@-0n6tz_5-##4cz1`o$4(lE;OC%Scg$=f`h}q$p^%_7c1M@w1Bx8C0u1 z4H`<4^W8u>&BjdUn_*)R)Ifj^B$07aOOQrMR+bk#8P||#t&3y{Tgxp6GkiB&-xw~p zgx$xci;q;nwZcBjn5u>-wSuvhX51(?$I&q^7vM*l;K`| zv**L?#m2K|r|*8gxITY-M&6$P`1+c>JR?_U|NH&<)!8X|_3nxsUy%2gKVBW5p8et9 zCr)sxIzg-RF`%Wol@&VHHBQN2^}c*ifnn3=Z(HSWw&g_8pf2AFxVTw94@%dD;V)4;dgRh zo;`CDd-hC)%j(QX-CTf>XXM)WU`lj%LWRjh`UB}RM*fP-+ke}_g_bOBkl1p=<^oKP z0KGJaSZHiw5uxA`)K1nu%i(z#2<_*@PTHl5Op0M3zYoO3WCRHi6i^b-w(ZJFZ)u#U z>LxW6H(F2|)m|+}kdWWA>^Mi_muvovz_}6y?S+)ImcwYJJy7xXbq2rM*Cdr+Va*uqC{!?dMLfMyWVjx%(%zUZE9*~u@+{bFLDxNfG!<% z9c`>*oK674W|khV1)_~Wv`qq5$JbARj96uoWgoz%t=M~f%apGJ4qKZZf(aM7K#*M@ zp7j>!aB&akhaGs+GwNl3LNgYfBs8Alj+r`I6uP`9qX`DOYk}^rF|&5i!$7(gNZXs4 z>B^MxLY1!2jj@40SEkZ2P@KScs<`k}7nlcM@(#tr>I5q5$F+XM!DjM_ZeR`Ai((zryjsT=&YWkJGR&*RH; z?KyM;p2Eb8g;K;uB{NNg85&`)W`tEpNEgAd$!5OdU&owOf9kgo&FXb8@|+4NP|hzr z1;ce04Cm2rlUjDMg!BV?8n>qFVkKXluwnFYTZRP zIxqsulXS*TeM=R&!J!`#5mgme!i(IL;*cl8RB(ZBTfx`XZq-_c+eRQL~#luS+DtKS!~IiYrHyDnd*Bz4uBLTO6QFP+r^_(xL( zOu2T}4tTc)xG@Ztt9+u@IyJB98>>(eH^D3G@`nCi@+?O%ZB|K1AjFX$N^YCdBx#T- zi{fIcLIP|J#^a6@Mvy$RwRhHc3o~-jr64BU6ov@_-|C3?T7>0sAot5pZ74e6Df;{DYdI66>$ZQu_Ay60suDL&5x9@(Ic57^AO!)on_@&OD6s zOCa#tbOwMZGALf2HfI@|#)6qj^JpBK*0c_#Z6Q6QV`G8lON_3yx+4|yGz>zXu}jVq zXn%{r+TC+ff{sWjQqZ7m9m#=Ta~-0ihD91BEYKbKOZBGJ05;#DyI3v#)7$?dQ&nFL z8%R1jR_Az@bq?{%rOGuEMkCNOOnF=cp>2~5e1~AU)*n z8*VUb@Lc}Eq5hu06OebjfEYQxda*OCA6-EW#U>pGmz~3{;fUf}A7;*XEodaqx=G5*ji&rz{y50&P6xcVm_hNK`Px zgHv{=tISPHz`J(Rt;OzL#dD11xJIN`rpcK}AH)N=)UP#cWrv8ep%~H5vBOAeA0$>D|QZY<2C|) z;6OW$qRX_@7H2{4+Uv1f(j06ywpP+ydTu4_mlip18he9F7q#{VG+eK4stV=(U~lx! zUhO-k%R|O;l@ef=N@lQDp`)mzL~75PBs3itK1$o`((>(O%Fy(rv)3hCg{V0q$Uc=+ zY6yYRrkV~unr;njHT4UHGM5TtN*NJe+YQ^|7z6IOO<8OLN4rrrVBlvwO@pvZbj(!t3YYlwY^h<~>=4*?iH13x*3DBw~} zqmVVMcq^k2u$X zj2L>Ud7g?0Fs8dYbrw_^?b}xdm^eoO4{P9o@RV0t?-(z%h|^HlQ@Udrvvt9N&f=3k zsDX_M^6tLmik?N;ge9uP`E3Nu-t%=l0tcp?2Y|2_y503rr@T_fa9D=(4gre2f+Zte z^=vJpG5xS5%7~gCZ@%Q$c4?UFIGzrW^8@9qRc*FQAnYOtetJVKUkYhXlQ^YP#dK+b z7+r1n^%{!b0W!h1UC@4sZD@NomIG;=R41Y9cmaeGhwUEUiJ$by?&P3+LN&4qP89BF zDNF~(u!#-pn1K$EDWHYA`mMEBrgV{sJmw=Z=$~EvbawUOzuvz2aQ0ugtHswuw*qF-H@tEf#M zlaqBV4G-*Lt3-XBcQz>D6!`yj36Pwl%VYuVTRgC*!%XU3D!nwQGKe9?FW1G*2QC?X05P0UD=<=l9?6`;<>OHF5p{g5&V64ChbumKs@Vvw4cIK*FJERbXh0iVly4n>xNTb}=tlP1iPk zJiLn{UIW+mfa7* zOOjJLat`W24OG_@&sDi~ON25^Z3n?7Ev$2=_ksfl!KEx5U|v%0TV@O5X|+dl(IqB$ zB}aQE{(YCNpcT9o=ZkK?O)1cP=D-^1W;`M^&Euviy6q|hB9 z{n%HzH(8NF^p5G$r}c1_=Gk2N%E8tq+-NqnV81e$%lga`XL2W7r!POezk0Kcu-it} zI^59)Zk_#SVp9%UyDhS%!no$D5)njJGu3C;HqT5FlB@cIx^6MyDLH5zw1FyVefBVGctU;><-T|*0fd+y~|pVh6+e7!OXl% zvtgWPs+yQf;NyOgF&sh#DZe3G$SMWTrWt%7 z_$VI`DXdLs77c9Dx6N$BBYOm7wZ#j(`f88`#yQjDt2;0)3ROI$YgEWxl`xZzp}e-u zkr+79y}Gj~umNomyuWZbckZqUUHK+27t0(3*K2Oy(@BnJa`vPXwEU*@@|{wrH+Tm` z{(jd6HTf-vw(h7P@)$!NnZW0P=<3`~dZ$_%Z@VE}Fn`-eXsf(gA!IP5;SEcpfhJ8R zp3au|V3F_Z(GQ@}S~a7su#Hwg-gDdN?%)3|c<$`xHayS}gu6J2LYhUm)>g}u2L@u` zoyTBe%EW^}3-xtLsm7!#x*K!Y30y?POshF`;YeS{_g%>x3j;u`yZ`#x6|JL57PRy)2ROx zQilJJ)^8rGytr@VLmv8QHvdMm_$5yoXG|w(HOQZ6T1dI1(`xN5d`WUAT@IeYFagiT zJ0{;?XG6YteRlP>PmV86$;rEm)AQ@|cNcv~=Y8KlYmlq6%d2;%?@#2{4S4GGynlUl z{_?&21^~1Ja%$_!ieN*}W>c?dlZc7bkfu-*5%OWOsVb^t3vAn{mWJf7wro*DgMyA4 z*aQQm>{KzG;hgkMSDCidzj!g8kVBOV9SdvPD$k2&m5GIXHqYYmBq#hXWtkLTl)(w= zRq-tTCyb}z)V-l9I0-V&Xqp=-Qttzr02|YUoB`;{B#Kna*1AU*h{k#rssNh?qiVUp zPf~P+p>-LzhRR&mHQiv+4FbIlnJ(`vHEy12NcusO8%%ROU_f4(y0t|%Mo9E;-HI4UHp zj9~oG0N6dt!Wa}2oFoW%rY->-O9jaZ#aL#cVf z9I!G2$)8QNNYE=)+Kki`?<9JuJW(Q*j7BLtMS)QdG|c@kg<>G`@ecYZRi{qVx%w_+ zLd%=r;?(tnLuxKap3zje_&$ls@|(nJuav0m0dNg}ff`0>nIWIfV$f_)2!!(M=QwguI+L8ega zz{=w4{v*27kknKnplV|^oD*v4f}w6H&!KmVCU4pz7^&iEgyuPg`dB)uR?b#~*m6mu zUT&o>xpzF9u{4VB$&e-dZrkm`Da+zp3a(qZA!4(P0dkD`Jqnya^Xws7(dbSZLGfs!VPA={!D zPUBn?43m7f)ugsZSTDQWpCUw^fcz-MDmm zv|xetHZ0~_S`5N+WyBhG4zxubP!}E0C4~mR-~Q=rvHOtCa_D4}o686j)P0?|$xN*k zo!*q*u!f3qkW!wR5a`i-G|~kgS&}sLf8*(lXSq5UO9!-|tffLAGiGJbUIWg^CN#}v ziBvZs!~%9%(k?wU9l@)fMT;BG6%f3;mTsmjWJ1s^hTA#H;&f~@8WtPghcEt?*d{cA zdS_YzoDNNoYsKs1to(vmkg0wJ2nfw@rI6=OP7iS>kHYY}fSixy`CDB`+8#ICHZsa~@NWRC924r}Gjf8j;B;qxz;8MZ?`O&GL*? zrMQC$^fb6ag%Q}m8?KSh?ryBIk0V72b^~(7uw^KKp{I22C|j8dL423+75#^#JU9|5 zHbR1Z!*qd!|8vWceYKhB)>yTatl?B4*bs+WQ^xXA`87wojy9}bwXIfKh@6b&eC70% zzLBvop2g5k6N|o9JCvWwLa9v-!6)`Tuu(JS5RIt}H%^q6dX!0;3TdX?s?#`?c%rmN zfrj@go=cdzKAbD7=#Lztku#RlIBgiY8L9A~9i;Qh;?Tf$K!*?wh~Kc>v7xcMA<1II zq}lSf(=ixV~`^J?pKc%BuZMi?&ta zLw){Q@smfrdGYT0{N!wtKstwNBPGljQshSC;M;{rK+R35>@1uY0%cTB3RM<#B|U?5 ztae*Xm@(ddP1JxgsD;218msIp0#m=kwfhRlMst!dDx^Avt@Qd8cUvI=Ssa;ZQZq-l z*KUVAtP)G-@I5Bx9+KgE?Hiy-JaTkKvdppLfK~WBYgBic8d(onxwLLjvrD7WO#uPo z7D}LlEhWyPrd;IQo=plxdy}~oEEvrKRYj76E-k9tjLsW`2c=3|BOgtW@+u`1e>#yV zOcuqXxo4ZVY=cIT{C6hx9gL9(ikZ6Jp;c}|L+!qZBM)^zpQ4cX%+jcs+S)}JV+>(Y z`ky(@GEIXGMzv3BFB4d+RK+MLP+G=6wK0qQ7PVXCvZfRf=09fbr^Q?3P~ zMWoc~Nx3x=yff|9xQukriCaA%)y$^hu8k?BT(62?>zutx08b8$ta)w%6>pWtg{{;b z@~IM~B_4TZ8LO$3Gy(5G_CVP&RU<%GbyA=R$a_^{AI|MQYNqM z7}Pt-Mqp~9n6XT-h$%;qyawn<^gv3wusu4gN;J-xLj1YDA)t}5dln)R4}{llh-(U6 z(LJ;;pcjy9BY+4U18(GKTSpK?Zd^S?#~8z;p}UVJS#-(-l4wN3HVDvvx^^+T%z#E( zGvkJ{I%zf4=8ixlFQbB|HY8QWIMYmp;z8q45oYmFAB9yq;&EKH&zjq0&P{WJ8Wx~- zYCj;Su>jSHW%8+?X(sn&ZZCnI>Ts?USkSzsisi@voMNQnosAW&;SNmSec`6M1+_V8 zI4P^B_~|$o{^4#DsG&tRkNf1jze!#m_s{!gbALX+e*NzKHTn7Y>gxF7`uwa<-d$n0 z{JU4=_~I|*&*vAX4Z>pO0luF>c$-}blr&@!GLyO+1a?wt=+vCtsjUKqD65iKJ|frW z*Kf`mWj;;gU22aYw2 z%j2u-^ON^)j<3k&`>V@${WHaFmA5cq2{g8y@l-$sLx?(NN-Olyh0bOfpJlNW&tbtM z9jXcV=O`|+mnv(c5XBU96+^CL0hC?vFt%#4BI?@D3f5TcXss%<3il2I^2TndeCbV0 zhj9YV^K;303G@|JaoPYQ*p)V{nq{UIJW*SZ{&} zZqVS>4LA(QaVU9$+yz5<<;bW52)YzMPo(JXU)Qp;aH+e^NTK0`b7chuOQ+{-2b(LQ zWW<1;G@zKt3|eEVMa+~LR8zk>;2oQ$ac=LU_1-3C?t~8$ZG{54Wk-@7Dfuc_i)x8% z^s88S?j9D9*ZfXuLQ0ji8wUG{0K4@;L`#|=Z-|w-wOa&?xcX~JNF5o4`GTb5yeN*M zJ4+El18o!5iE}`o<%L)G9rk8q_acwiK#7cSZFkXK=OW9Tw@h1( zsSpfWeQG0WqiQ!E&b6@N7BrVT;P%uC^LGdvk=SVGq7eA(;#Bh0x-dBS{rK|o?BewN zzmDV)x&po`d;y2<$=_fqch;9g2)SPIg@z8J@U00(tmbjTGF941X>$#y$wTX5L0B3l zTqvSH%xHMSazQqK`E}DNDG3b?x0@SeQc0Cc>qDA!K(X5mR74VRnnLrQn%~=+M;abw*P01^K&!-N4fu40##MU3Lch2}-t$D^7 zIcOG6;#)&0oip*5`FuYAmHcA5td_j2zry1hNg|{(`RLQY0ik3|K44=mx4)Mlj6R}U z`znqHTc^c%sAMd~MIen9qpXO7w0=GWYZ>)Sb_S7YZqWUqkW(H1+=N(rLRON{7s(zv z=4=C7DZTwN(~E`oz#<9!H;Ugz@P=*cGv-afAi3?EX)3glF~4Q1h&dKGwY9{_>!P}@ z;4yCh>;IJE|80l5PdUc&`2W^ktG!>2|KIKHJ;wikj?WYFr&k&G%SpbD#}lH{qm*n3 zEtO6tG|M+|H?BWCdq&V2c$0rTA;Y@=|e36*nf;K&~}dD?~I1gc!>?{`K5~^0uO> z*7o|CoTFOhu0@mNBPyvb3>OYHpV)z!NncO3LTBIr-t*XY}(9P#xr z9&bC4+kU}wcJ%BSd6n_0H_82=y&voTqTgt^O%0Rxxc2y)7D8Yg07;~Dw0 zYeCTt+J}GKc;?@OV=uE+A-H)RES|apnp}9qebM-614@+767F}?n8f2rGRNJz^j4Ct zSHeI9?tO|oui5-#^6c5gyX!MR3BR4T>+)u+>#y6m8x5X%%_?9k&~1^6)|BDNlP8dn zsVK^8la8v|Q%FpK@(J$D^@FbUnP>narCOSzx-Q>e(Q^)}qs^kuUN=KC29S^4>9Q*E$&!mU76Xzr^*Y^5r_ zdK2y9oH~n^hVfq1f;rlFWja+k4Fk=a!nzyUvyHC)C$OU}#F|IhyJd7_9tBeUC( zG!uDjKa@JEm^Gf(a0O2ektDG0Aw`)%QP+b3S%8Ysy0oorvk8wTQXL0YGjfjxF1Tk% z!y8h}6hDNrN2o%#E)S!4n2Gh$K7B*dirP)~-h>*j!G=U-J!$_u%H1y)oQ8gP<@=|0 z`%8O8qJSL zo)v5Zp~le$ab3}m$gAJ@*&w)7{1MpZbj_6`-G+}CVOafYJA58lbMZe4CUW~XAyYP$ zGbNk5KgOH(+i+GKkYUCR@pkrd8_<*M!G$?>1r z-2C#TZ`QZ*snUO4DCbiV|A*;+r`0Og|LEmTB7qISxAA5S)6-@25#3sbe@j* z%lS|8f^U*7Xet+w&Dfj3<~I5DR|NR7ND@^P8HNacQslvZDS$_VnSIv6&_+tTD^2oL zOrD~@nj!j&g%eITP5JFOC3u~vyt_c~rt*tRnoo|%CYs=)Hn{e2^6RheRP;`(Ar>6X zvQv3HkKgw^lz*|*oX#ARZev$EAALM3@J=0&0&faR+c}H)pA4eqk4U@KdK)hoPpz~x zs$TwzL*u>KQ9ld2rQVn|P5sQkm7aiQ#MJLLB|?2Wm|5!PW={v2V_atOZJe+%I};&Q z4pPT{6k^kv3R;O7qQNA}_ze9icj@Bn`oq=n&;ETNf87+5&BkUk+-z(D+CSC%4Bqq7 z4R}gkydd5I?&wX2KZ5)||DJ?2fAE<*2s@Wt_j?j??JeuJqQ+T78+L?9cJf37VV2jz`f$VM9|P}(%^f_!AW!WBG}uzL z@uQ=D|IJZ*`aN1P8?o$z3Tyum#RVXPqzZ6e)wg>V2+$A zIcOame6PQ%Jq##HozmozXZdS+FqV865S4wXdqu7WkHZqdNYjE^9S;@{s~*RL*NvMZ zNVQ))xC85N0QvRTk6HVAOE0f{^;K)^f^ho(-uhq9GdANdfs-i6)Uj!$`-qR6A?cW6W)j-5{+I2(lSSQ1}VBjGLR}Uyx~^=A;%uqP8}o#1~H}mj*L|O-~vq7G&$XK z-7VF256cX^k6V_hGiVo8S(aSb%wG>7InBl_zbt=kl&B+eeR8S4!;AmY(LU8rHU2A+ zOZ$}JUk}B9ciWwAIsU7)_Za{6Sw3Gu{P(x-`2E5`+h%Xo&r^E;ZpP9R*OB*#wD(#Y zgyei0Qf-Q~ZGDYpX-e;}CsI5YN2J?oRm1r}lRDu=njeu}{oU#jb2Y(l4@b>Gtbd^LphcVB)pEsBUphb}#=|`$T1)xbjYE zI!2hPykvhUzhOk6${Y5F@*7H2tURy3Uhs6DQ8tQi;Oh-SLYmVgPU#zbSV~}Rn%^u4 z{XIC8CtMHd-Tx~6S53q|U;dZW|6A4kukIuL{~Vu3`u}gC|F_msYda6=|J}9q|BuR; zJE*?YTc-Z^O6vc?y4wGG+qCzn{I9;NkIMg}^8fhx>OM8{pQ(S+jAH1L9Q{^V@FD%b z(<{k;oz`A^_fh`)9G_)%c^<{GC1RPqCJThJ$8rh3%Y?u5efgjEsnUOlN^8<0=NU^l z{ms<>Vg0{buK(6)b#@=^zn|sv73lwu_1_-rzkSm@>6;gn%4w5+l9J6*(pgzX<%9eF zmZF3-_1G`JxQ+(PBO_HhU(<(63`Kb>&y}?HAa-D3YV?BHp>#5c%IC9OUse^HZ<1&& z=o6e#*(5u|INcEw{Z}*8|M-^%|AgGpJe-)w$Wc6=(isUSG#xWDg&iSb#3|3?(L7o{ z4Fy9nT$Tl5vT6oY^VeVD!dj*Pb12v&_!?b{nJOG@Z&#K`7g`GEQ#~xr>g`1u>9An=>MJeqx|md$(_(yMWo4wGz5tTI_KzFX&3u( z7y=fTeMVds=v@-m9M^A9+qAxG>{CtmV_ajOY^#uK z>~oL3w#(~N4gAqwr%yG3FU>{2-OpnA@3X~!?sqEvUwgZ~$NoQ`3Yx^?Cu-52bOkMxI&j1$oWe#BVp})Az;`crUZ-HOtG}fQOmsW@W?LJle z545EJto2_ytxEn^tJit7|9pMC5HWvanWsL`KZQp_@(*Zzx$^u|K&`4O6T7y@?WL@>)!tE zWB%7?`K<2$o3cEMLs61Jv|)b6qkdh-i;?&-xI73cZeSWIaiPBuTe z$W)~9C}wg-8OzU8k<+ByW#iF<_&ZHlL3 z4ia|Dk|PqQBd#n)G@k?@^N}_C1VO2MGZMg3k^Gn^c|ZT7U9aKA*88qDtk|(KJBpgbVh8@zD|a?w6A{@A_v)u%jj* zT`nHo4$}OnJ$M$lS&U+qLwR*irY4MYPO7fpX03pwYW^`j>>m%3E=h67W;zm^+hnWm;R!vZIX#UtlWGKQ)t>*M z*_1r!97?v)H2;JA3l+X67d&FbzD%|-Oexhkz}qUFQyCjsM5rJ$nnC^ee8PyBi=0ih z)e%xlnK#fYiQy8nB^cEiiqI)f$Al&c2v90*6q+W;-@=e*(ElXoFu+qglc&nW8EiD0 zFE*a5DUn;bTRiPPTUWh@{%>xJU8X5lIT6xhRlq_k^cnnDgUdT z7aPxa6lnPm82H7;2I`RUTaGp5dF=}ej<#;y#5FsqM-z`7()$w{PFO$wC$mlXR^Pem z?m^eD=17>Wvwy!pTxR_(x9{zk7xmGZqaZb%Rn}X_$4;v{1%(FqAl5ksJNtF_^*M&} zVij2kkNPhXr+IIe{QB$j9S@L$4`W{HS)In&Dr1!20r(X_c8t~cOVX0QX~>5g(>yQ# z_~Mse)`q8dLvMx;&YNthE6$4Z7dP?jw8-Lg{C<{j>VbG({&9u*mtT?du7FuI@A920 zyfOv$7N+?oa4gN%j0*!? zY?5%Sc-Am^#TeOrEb=%V_ks1DBs8AlUU+UqxmY@8q)ATaDV@e4L{?!|3cJ%Fvy3&B zQXIh}r^naFz=BaXgjR|IlFgf; z?B6R4Wu7G#VtFj$wdMOxxXr&PrbCuB$ajn!{XmK|kCTU4<^$)M0?c=#GyNNUEB+Oy z`F5$bpSkYEuvy)WUw)~XDf#tRyG1$8S(Dz;jA8z`gf!J%^}6pYKYQdtk6h@>a3T0& zXNUBmZRA`B56}oGn`*fz@{HzeJcq9`78Pkk({QdzDd@hlKo*ofZK*>IQZJ@HZa3uU zFWH3N#yoqG@gj|`_%KeN?|47B=V6le`x(nZmgaQKUS*8+XEbEbcl<~2P-ZbNIugG9 ztA3llF3PsE^NMGL(QraMy0!&&x9x`R1gehIu?N#7Z_(+jLk$;6Aa=Axz#ft_N=WO( z4y<=9RLMS;*{;Agn_*IjoMmMMw%=FzgOAW*#)Y_G`5n)0`ubumLhS`8UJqgcj@RM( z3RE0jb9q|jtKmUTSQ@i5SG2P8e8>B{`uH?X`!kv`MWk4EcF)2h=b3zU;cu((a)g+x zaqj1llK6Z$8JqIlg3y1}y*#+JiM{AE6)n%Om21Bf5`;vTVr{)hB0=``B>tT z(!w{lKl;_?ZRfYW-BjJkH?1X~{0NT_VJrlT%-`s;f62A`rr1a6$DhUTCH?$f;ta%Z z7BngEdFA^musUj$XLCoa(j!WM7f$1EpPdQZ%xh>%ifJ>z{8ejkP3&n5hRMNIv-@`hF9 zyRmhpY9}55hjaxKGl~J8XFZ4-;2`?gZ zUJeU9ZHT4OjK}Fm%~rjsr>DU<$WTN0U7D;UEBc`As{q>pa=?d0c*F7wI$en~`Ow|F z03Lxtn@RJ@`jBTTO!N5;yk4Fyn4!hT&R4ySW~{;ewks$MLY>{u;%we$Ax|U!3f4ce z{xTK}g$0ELL#@JT7HZY&avpjonxfmh?XJaiMAy;9uG4`(768q{NqozY7JdA4pY*%r zr|wD$^hd0Ac?^%S=W0Hz~_?fL2kQAJhmDypLB35s>xtLVrKay1Xwx zvp(o8<;y8`wHInRj@G{NiFLX4&g=Ky7DFcNzDP>pJ>nAX<-lY}1&atz4LJ#un5DU{ z*axu4tjK0uFk$sZqdYI&Z8MX_+r41sH9Kg3{G10-4T1bEH1t!FvX8g@{T7?wr?>U3 zZ$_%R9af@O>uE$QD2A)Ci1mCYA7QImk(WN&ZR|EY+HF2zRPDNCaXANnG*~_&{x^j9 z&@=9#SPv21N6}0z4``RXK$i3|RTx+g|e}07Xwc-?6`} za>AiCk9pAD*8typ>iG`(b*V`$V`H;y^-nETjJ;)+tw3uTb{5%cJcHN+HZF%5&=(M| zKz;!r)EM%whjvv#Dg=9-=d-fSQhw*)nJ-oY>F2nYX$AVp4N&@iwQ)lG#ht$p3n^L2jm^&$3&V_2Y=0rC~OQj+1|8^K&0*mp$mFu=J^w zXY^+_zcLrYn}Pko8_|8c@(3q#V*D+SSa}Hdi#G=PdKLQdKg9T72zHq<5s%Y29m9Tj z-?moU1;uI&GxFVdBTh6RmRi&luv1#YJ!Vydd&mq zve*5(B7w25{+Z1$X`GdAV9oD!Cy@KN50#c*nV`Ksd9K97@P@%31asf*wH#EAN_ z2lyC#_Grub=50BjjN3^3)Xs$9qRbWyjG&uu{p$NDVf%R7Q<(mUZ1FITO-D0l65 zasd6_-k(q7`dLIcD|ltNL_ON9MbOa%sVX$MYQPi#leitA7lGViKo#&t?O7MP(x)tN zPd{2KLd`*bC_2sd`dNQVyjP9=3ISWHqpUniN%dJpwOOp4tT$>|0a{(Psk2+JJobtP z?p33{ev1@`atNArInrG(N17~^>>R9}@{KNuKfZAEC=5LcL!Z{M^$;sTvEKDRJ~EUQ z7|JJOCNIb%C;42Qgb-58Oulr*&9CcITmLmyCDU2fjMEVh{w{d>TgG^x{(q;{-YwOC z-EVigkM&y+yB!@j>LcGujn0NOL7cI_O3V41}9h`n_WpLfV}a^ z3K=minA0%B&J22-%=d5qe!BYo7#@=BP442mPgX#8b#--Bb#--hm7iZG>4d;ki4)#2F~^Os8oZL%5%HAUm_x(C!? zTm#q%%{<@x+u@)^)8?sQWnOwEsou)4k4IsA>jDc&-yZ@|N!NEG_3EI1H`S=I(3)Oj zxL#3tU)Q7xYXPq_;%QN-2iJ(|Gz)7)tTXxn%a`sNOk|yZz_N9fN>v1=9|Z2TqBSb2 zYGo^DLr9^lwNkKw|DKorvoro5{O8>NC*dgdb6m~FPcp{B{r~$nyFb1*>p%YRdgnj& zf4<4Tjqjim!-b!XOQj8T5c#95ba2>sKloJl?mYVEaovmQpS{5+@~KQ)Ao|~9-mKFf zG)_(q+xv}ohpoCdIBpEQQfdFR+ie~92OnGAUb}N#FYlI0zjhlZC#~+Fx8H4_^auS< zC#^yE0D|I+#-dSt9PQuV)+F#ZMK756-9^!lx? zv#%(UL?)_tKkhVJgLYH&0ev3^)-XReJ~lpdj#_dm{kgNvGF;-);5ko-~e%J2t!RkFBmfT#$y>I4$m{E|2Imb1aeU(Q9>&8%K_* z%`%+E{$#=Qcs)|PuPjnzc5WRudj0l(uhr=8f6(y7k)P$^FvEU296OOV`kI&<0E*Dp zp;&X!p~#6WgtC8lO8B+c>YttzKw|eHJ)F;`%Vu`m-f#5!2kpbc$;IK&&vIgTt$`WW z1fNNBCDL`ew=4?8N(P|%rYo}grZ~=4ofgy&}_Ya>Rfs zOFBB^^^aR4H%+nk7Qv=wIL$gnL+sAi}nb&t@e{4Y=b zsIf%d(>^NA_(Ik_{+CxOad3mf#=F*GT{-D`C7sn+gO>v!AlPW$c7F>llivpfwiX5_%; zmHyss2)KVw{X2Cs`<>%{qkT;F6u$qM(@~n>f+;CYQZcP=tJ&5DNO2HmWF;E`V>0yd-Tq3;&3|4)o z`U7E^&Xm3YNO1%S`11sq2GRSeB)yY)jZeCrqmw@H-k{m;4h}o}4MNkpryYNryr)+p zGVf?EMTiVF2*R|$Ao+_#v@EP$uT(l}^?Hr>QuMe|seAn~ zMgl4t`Z526d{ov2N(l2yl%y~_(wx1MFy}K&CR0BTFCttB=5xHIv=W+P4?%L3y;|+& z=7w6T)nPILM|d>D@etR7Fq=mHT@CEo8qK!-hc5nY7N+2~&o=0H>Q@!@!;zn-;qA6q zKASGh1ZH^S$1pWc6k{%Ine6Uzq1ayo)ppbt&hD%&-3DT6EJN~13JP%Uhf!AQo*WID zt#=X#v5g1K)Sd;pL_v4Hq_X7!v2u|HIS8tq5Fx}?I{xw}T zNFN{OnVw!%4#J3BJVyU+icx^Gkep+j19BZ8fr6+OLX`AZ9GYW#OyG0YO>cHX4C;#W zqJ!d|s)cy(t!?TDqbYPnMcQuEy7ed12-o4)A%W3$zJcMpZJ7Aje`HkxfK z0@VTE`|sdlxTlmLt=0bAJ|Q}x+v@e+?)~|s)9t^lS#=iqzn^~6v5?!@YQrxbnH9Ah z4C$Wumn@4WNr3ACH53+OWAC3&Nt8g@iPytR?%L~7sQ{7N)V~WZRz?A5KCMt0UZOKp z`5)w!?Lj?s{u5zo$z^yrPEaLAmSCTD4?VPj4iZR{%sl9K^brC-k%6T1gOvc8;(V6U z5iY~h!a-(fR7DK8J#^;4_}nYaOWoG{*5Ci-MXdTlm8j~AuP9U17p4d;8}8|ZrussY zk!1rvLMo~+m=G)&L$JNzv41$Y=yRE{QLEeSbO&yI-;S^SD73d5A_l^4l+DWv{5D=` z#bf1~vEb~VgP5e7@Xr^vGBG0GYLjvh4 zPHtj*!x7#SOS**PM4y1{u*{eAji(}AIObHO_ePtF(qWlv%PX~e1L;n6fuK%c#UxM+ z3jKt&n!W5eWJ+6NJ)3zEC}D#vN4Lm~b%1BK>~fg4ZEGAlHS=~kJj2}84&^SJmoJtM zuG#80+J`;ekaLo8fl=phaXLW=CE@C@%xy{z_s-#@n7YQ)g}bopN{-he6cpKTp`Z(8 zVb_(swuX2X0uwU2f%cj6k-G|ho8b(c2ZANI(@OQKsr?aNddn@OZC5eKlqV9~Y2rF@q&d@l? zaxma489GNvjQm(|wAg>RH=kY;=ng5u2qT=sje}T}1sL1-DOUza>aj&2mb(5|rZL)z z@sL<3M2_Q#R=5k2;T29RWYhnl(=QHcdH zBW9H!MafNu%J=GdXHHg1H82dhL_D2@TR;VHDWM^h2_#fpB&z5w+P5~=ZDNIU2^N>o zVh|?6;s;ZN`7c5=MazGHkMJ*WX4t#mc{x7=A>DcTy-P?%HzA}F1GqtFj7{jp0t1p5 z&8DN&4=_<1rzh{bjV7=)4HTFI>%o=R1&$Ij|1d`6h=(p_Iaj8g<3j?8>^**tVvGZD zmS+jN!gxwVF3iywrx^G#PHw7bpKe4GpRiO6>o>vqIH6@5lWUx&!n77VEg0wM^swJP zIcyD1-Vb{FA6lS0B23KB4Ck|{b=rZ`eKs89iI4mY1vnd~;RU@sTGI{7eDGmB`UATG z`GdFtDGf$AKZ1F5X8ClMchZl38u}LzhFGtyZ5By3i!+>~*1S?a*W828xnVFN~r)iTWZ^FZ;`|1+K(I{K9}!R5Oe8o`i^>>tS+|0$sSCd zUo#Bi%^Y2Za+XPot{HPUXFLa)?Y0gChfcz5SiOvrQJ5u{Ik4%4pN(sII2{a=C`q${ z9|r@v9T06*8tzBfPwU=ie6}<3O2c>X-t#j)d;Q0se)#FlpU8Jz95iQ91Yhs|^m>)!~jr%ZYTH?8Ge zPr9=-2N2vnbBlUULb~!jtUE!d^21`JR-$s{M~%*F zlX)#9R;2V=FgdX|(7rznb3Y0*oGGWC2`uXi#k z-eg^O_sXy6s?Jr3>5o(F2afKf-^34NvjYoi@83<`gZ?1L%*Hs1#F!g^C~7zP#QiCR zY!h9cCoC)}Q&A)B+sy*pD9|VwsoIjRnWr`9qR)S$y@&$VY-qFBJ?Q9pc~?q^35KqI z;OCfE!M;h-s|*F<2@oDW{uUQJS0qH-;X47es<~XSD zlmK9*!d~w>%?G>NF0n=5AD?nbDO*jpwPg<{{lLv$Mn6Uxt*Ls#OWR!$Q^QcAeF-X&A>it(6AkudVG8 z#hiUz_iA50f3Cp)(51Q=hY?15@OO~Vp^_AZM9}`3;or~>`thIYuSmO}x@Um*%ArsS zvIUNj_jzY`M}D707*EkI0~llZ$GlX^#>q{O!V@IlK)u{gbC7NJ8$}l8hn}-WNB$K? zJ`ovA^lO-B=p;=buUWf^wocm3ZQ8AO(mo!Xw43$vcdY9#VH8o{4F%7S_mGq?dWph# z7|kFIg(#ln20YGr6?*5XKSkaZfl&DqDs$i-C*AH3|3uGK<^;2r7<6a{W}GKebH+^T z4~MffCFg{!Uf!B!sDdxi7c@%o6jg49g!Fv0xyO_@&XK3|`$JvW>u_u%tOX}27H~v# zb)2KES14om5MhRx-#E-O99_~t1+pw?HsziTYJO+iQXvCl4`=MUm z8iEgB2q)!9`v_nFKJ2_7ylZ`Ed~A2R5OZ|Y>No6R9Duy?mSq7`D{Wi*gwF_TevvH?XHA*ig* zNq!Uxsm*V-zLHw2DqMOx1gypa5UYMzCe}lY=mFo-4}tyF$$5Pr09tFobc}9a7P4 zHQQaXTAgFA!rBMSl8!J6GcuW}pJh0BiTsNs%?&w|;8#0Q19WL`USOi{(;1mOy2j~6 zl3_GS0vf>qe}oyGJvnbj$qh~|M7;9-$5!`Ur`H;=^TKy^B;4ib96f(t*a|95FKz;( z+p}XslZMnjf#Vi|_2rB4ORs%+_{oM~&`6;Z*K-?aKgD!A;VVM+Tofc2Rt8++nzI9} zMY$;Rg{wk`$dlP{jFgphT6u&}`cg7uAcRvvKul-$!*D!F0`%tloz;M{UWdtupH?!% z#Qq$ULxZhYJoNUh!GjzqHLORp@Qc13HnVO!a1YEl!^2&c*xB;#> zGdh5fcg{|1UQNQ1d;?Zlwytw<#e?+BY*_c6S|CC?F*r}VT5%Ct&_sxkMpC*!a46!^ z5M(FMHH$}>rd+feGaWXQ@x0+KcO%ut=Zd^5};CAsWP?*4J-G(`OEHIc90klit z-uP*}7RX;4-D4X)I999!=D5>u*pevZ1o?gE`+nto} zq1_xl?o8wE(B0WvJ4FrLoxy6%6eVDuRl`ZZa2XfglHR=zYRfZnGV$LoQ5RRD^5getx~Ccjy<_>!bWwk9YyDY-ULutP`9x-*-xTmma-o;$uO3X zz?g5W_z$&@PCDIw#^zkKwBf2FKH#5oY`GY%Sb8}(`kiJ6Y;5Gy zH38dq=tsj@L~OqZ$D@3VSUzVzitbRBPzOT>E*sJu#{oGuTp>RSudrirmP*lD|6G%D zGZr)H>g8APQBlo>@?K_r6u&0C3xq4|8#KnzG()otr97oScXHq0%>czoIsqb$L;8Fv zr~ScxuF`Yr2D3ST#q@PZhOco7FB2gUB||ska5zT8Xa*MvG)5)Pk_gkA=mai@f$&*^ zW*KH+(LaZiK(%!Li7NEG!*R{jfS1jTL&_6GnpYVZ_MZ>Q4MFTB^ijh^ZZP`qS(cM2 zqKSWZ0S{s?XA!s*nUj?qAj#p1ju*g#+8i^>pJV#`%|Fpr7-u>51C(6Cw{Ou~1^?}r zZj8f>2hXx|tt1f};bNAHY10U;Tn44mdGKZ7(=Kf^S^i(hY)deDLq>whf=>$H;vstT zR`F8tAr6yKW*m-Hn|(uE<51pYUy2*z`%89Q(wt;kS7LaFX}!D^g!GkxS0STH$GDOw6+Vwj zl#DX+MV1H2EQcmO`LaTWuY_?WALB~qPjDpa_|!IJ?rgLCE{3bSAET~A=)mG7_c-P}XZpY!e?X?kd;vI#$FKa}rb z%y~(Nq&s%6@SScWh)!b$`5QWrzh6mBA$^q)-Eyx2C1<+-hsyWbuCV?jnXd4iO(Yh_6=ujE<}=vhz-h={ zF*Ck^OK;(01SQP;kR!sRaM3XI$(A*X@$HoAX1;;4n+M9Ey6dA7Bd;hjN0|`INM3%$ zrnD-LmK_OYY>xFf%c>SbjLK>wxUZo4aGz?q!$kN>6i)p4V8G)MKXi^-i#=uRRPJ!8 zT5#YkYm|&?OvhHEWJJ*wDt?cWH-w)9ha8?6bpv)I4( z!-%l#gK7OZMFRh0={O3R#u-4~i%N>3FvdTr5e3Zky!kBq9B;xd7{5e2GRh#!gn&Ik2Ib9jGubF(#8hq%Pc64${zc=Uht3n_VWR1 zxiDVRk9IY(h9Udk9Lxi=Byv+$c!^#%A&-W|qw@X1>GA$?*+VCY>p!Xl2!G?AUd~WRT(f z)89_~d|a^SGOL}kveJCv$kx{C9DSudUmc%0B2xU@49CN}x)=Cibf?k=LjAAtK@tTx zt$XZa;FUDGPNpf&vO`M8tiEUyXXbx3B}*M9ah3P>*!|s-4V~TbnG$c|;0d^^m=+dR ztgHmViU+fC|8wW^oj<&qP1!g)j%$z73;zcnU3kcQ^@BQ07XAS5=7x6^O*Tl<~k zgAyNy$!uA$7Cm-^Sr*2l_i0)_9aE7(d7O zmc}FC+ngx5Bu0e(;%Dl@M3rZsD$gdBXEZkll)Ee6OXAN<^O8QpZKOE#%J&LQi0y*t zH}q_ziW|{!30EHN?A=|@pWxHX3Ie2-5Bb5=QZ(KUerh-C<*hJ4mD#qt!LdKVyh*&R zY@1~b3K6KX9Fd!*WdoActSCXs9nRz(v${Qq7IES!{tBY?_tPZ)Ik`AU(nHR`>#2Os zz!yoHlSxWB-~rWKlR`_PRkp%pz}(0!I6tAyVVcCbf3dkuk3D22G!};%-{fZto~O8E zgd2Ck{=*)Ken=+P7Nl%Vue9$ebvic?$yo9tl(LOAx@PATZfkbk3ew0XqseM z2#11p&htx5l9U+ZLt@F~W1qTLk{EMOOQ)yrh?Iu!0A}4QE4bJE>9m%Q!!)Q&{WQO; ziPrKjuVi=)ys`n)HrlK~6==Lo!Rm>YMeA406#60})59{H1a%8{P0A~kjOsC!MC8DP z^P!70w7G{iAeQ|i$ynSG2rDY9EAHIE@7a_<6!qpog6ZtQD^R5}v0!h|=Kd4Q3eOm< zizmr7)}K3*6B4=!-|GyT|~ zz$w1`O85iAL93Fr^2Q=heeGJ=oNWHu#s?fv(A6^6}RUl6K5s3}yw|3PVH zh}3=o4#>}_x;|q)&tKAU(OH>|fBsUwiU&nT^Ebf4DC3`dCSf6*Q9PeiuETAuC)QB= zO=2n1=Fo(Hf+gf)yA4O1QwuDRD(NIt3bJ$?l_n|SCO5I|!`j~)pW zp;~J+Hg&?u^f`jOnoDkCnv&mPo?-T&R>779wM&cMV<9mLYI6-YE7-+wxDbG9MV5_B&iYe-mf_Yd9?mpNXhB?i!E+a7AB9NK6#G{vNf;~9 ztH?;YA=|j$zL@z9-jVhYUL>A5qca5xPr1PVso`D9#_Ixol9ICljv*~TJY-4FQ+iQ$ z$5IjHVLZde3v0T&`vIzCXgE&7q4Aj5Q#~si4?m(=9oKWmtZ4`_fX7LW!pW4@5XCfa z3++~2Y}+jNtmqyT&Aalr+4<4+xPOYytmUN&C!0N-#Ba^HwK;4ew`|N)@tst#|yJ*4>rrgWRyL43TwqVsR{uZ z&8zHq9mb{&ePZc$AOSlU1vs0CF#craUrw&;Pb#$QL( z$fmeWQ=iyOX5b~D(imx(Di(qpAQB%>rhb}`16Ft|4-XKkDw43NGlgxXecbC;Uj1p8 zO!hLo#eur`i(cQZ$74kRk6KU)fhURtHNe~>=o1ZUlG-55*u&clQZ^z{Ji8QTU240v z;kSmU7;0RbfEwAYm$#@|%6>zeG+E*2FITe*JWYaZ6V;|^GOX>^hG0A~2Uhtn+a{b> z8XSR)fIwuuHc4h=o4!m8IBfr;2oV(y!J72*EAhEzf(GCHyz)94`I#8^p4&z4wLB}jfhj1G)rdb z(0CO@FQNDg4*DIW{x9FZ-m4_nIEA8Hs^fr`V*N-x?bN-X<&u~kCmjyQkjiwZ zizLBR7f4MQ$n?pM@_Mf#1Y+)KoCdO$r9*n8q#p@X7uz`kyQqN?NFYKix1tPH8i;CN;WhXHPW*gqCq9wUi2QeX&`VNgSj4Ej1(C3HI8=d%oJ%df4QVl7bmMR0 zG`z+F3tDWDaG0OxKBVO_`N06d>NlW0^9TBmELaWS=BYoR7Phk$tfEo-NU7984l>Su z@PO^vQqZLT#oMr6!bzBhr)OIkP8_ockc z(xG|Vy5oQgobpUd%bEe>c;py3P;{)h;}9WJyaXb=?lL6*OZ5;!)K9pFer+E&JHPhO zU&y!n;`}x7Z&5PEF;iBMJePcA*O{0GN3%ynG#;%4R?X>QI3cRUFv%uieB|GDrZ}d7 zQsw*Iy~^uXJ3BjbXR8xFPQ85pYOk`p^XhxGVTN=5R_OI!g(!OUSF#C)@#rWU9V96q z@B6|Q>R3O>`vbU@0g6EGFP#{Y4v=s#)7|hiVn(0v)(l#rO04G#*r$z6iieqqyiwsO z$EfnX&Ax$U~B{$#cqQiF%d+B+QJ@-wzT1X>WwG`kBX#uQ-sZ5*s?N1cl*<6)6ac)W30cp1b-I|FH~(l>Nm^k z-US45qKhQSGf0&PH9>Gbq^^>iB)wvalM_~s1;ivArqHAjs}oU-Wb1fCy*^|kf+4d! zoelF@ian&A41~ccr^0PUby(rrxxv7msgAC(ULFrwZqMi~bv#(Df5 zPASJ(-o<|KE3s)#aLTH+S$0Garh_~gfT>~RuO|r9;jNZnDPn)CJ?2zC6ErJ6kTHk)1|q9H~1AYb)Gr7L)_Wr z1EO&2Dx+2va0aj4mcSjsMKf^DsBS!X6gnIyH!-@zeh$|{ zS*b9Nl}tAy3_p{;MQfCjGjz3^B&xCl|KSZ(!hzaT1TmJegL(LPZ0li|K_(Cx7&IJ* zk>rUGPWDqj1-IbE9m=NukVeM7-lK%R87DlxhRhU7y>U#ctRB4|L6`6MSV-NfeTw63 z3&L!*DBBIv4C)h67ETjnxZ6=GfMwlW!_UVg270|T+p$9wYgT=iUB&Y}oBQGB1__YrJNcd8&Q6ic@B z*Z}Ysj63&CxEyUaV1bSVD-B#?DS~w?U}!E+r7!=JShN9w!P{tvi&h1gBlTtXN;3Ra zgj4g~(@tFc))k=F-&TO+8PH4JkTbLc|z)XoN$H9N)tK508kiTCs#P2y7H{d zAhQr!ejH=p@}rpI=jUVa*N%CPCsVL&)Z>Qe56#shi-cTwy+eTn(uO#b-OfEjbRm3N z3nP-T%dgF#WO%x8+HTg~(_m?yz?yCu5augiEvlD|JkpPOT-diF>d(%|)AG|Oq#4@6 z3|{J>8(k=dG7K$>9I{(1Kf0myVkTJRZh=vJo@WH2QuxC*9^47B5^)k&h*pA?dZ`5& z0BkW&6kaL_WV9roZf5vll%cIGA&^;Qj}Nio5cwef(E*0US&v+?_JrTUF*+Cm3(-N;VohPgg5WfQ?LL#cw19<_G z!rDdqSp^Sa-z*LqT%mUjF=)-MX-uchZ^u_bQ5Sd z=X-1uXgBBQ>WwQ6U+g89`C%AeHR51j>?iiw&ZXiO%eZ(sVbRAce@}nWG0;?yy)#Sg z32t_pyhDKDJUk!R-`*STAo8p(bOofC16X zK1;!aLJ>H3H-TR2D${&^OtGKwTQD-tT&dbeeHIo`#dSN}XUPKvh^eU1>gQv6XVnZ- z_IA`J3Udm;RWBh8-KY2+v({kF;~hjO4oy!$b{hT-%|OIz@GY=VSj?f*IC0q=aP6#^ z8&6^f*kL$i7*k9Z@AqeA-be27A`hj#$up-8O&q4TD#%yyFS`pHx}Rm`T&(aNY5X`B z!^N=1z?bYwxTK^juApY;c(ach%_chRyno+5es82aqbyILxq1FlL^f#bF4k;)PUkaV zM*?xq)Y4XN(aR0U6MLaH+kVLOnqkWFFsvfe>c$0OBD*fx{(^3Xs1j{^P~vE3L6Dxz zT;h(#QC%)}{g@fqR`>?`o``Gmwzcvkg%nU`=q7G zXGz4~M)TxKYfc(p`w_2;YfhJ@2R65Np68sW`hhyGUiqH3o_qDr<$I4OJ7@8M&;}+# zf8=fFY%c}}1ovaQl1t3eXmeXNiq@Q_3DS&yrN8wP`n*Qb)nh*!)2BRoi@B!;CaHdm zyk7o`>XuDu+1(wk?DT9OKhablYJQKO#QHkuGD{;m11(R(1E?VY$%jNH**(&TZoFYK z82j0gpAW}s^!lQ0OywDtC~?O)in7N{@d%w!=J3k9pFRFI; zgvnrp^LBPf7H*tm`FiWE4p-OXsulIogNbPt5o3uHKZP*(b)8%+M zC);#Qwz=wLn=4JW`OPQWbWWCMo-(FOzP2aqo-wtTm(Q8B`_{7t+~~Xuwz%9+pJay< za29NExt}s~drjbm+!^LXr$;M9@<*Ji|5xc%*KTiFC+7MQPd?2P(zKWR`79$Wa!G@A z5sr7nE||fuMx98SxKe;%19DJoL?3cC6g=-$v38Ff#yD4AHIk2S%xaYy8jAwC$VjMt zqUWheskIx}!B{wQ6Y(&NXSeo@jM)&jgdn9#s6WwUCo^yN)sNMk>P~gn+gAO91{j{u zPW^gbT(DEA2dwv?{0Q|VnYjXH$T&%JP!KerYHK#-Z{cX6^dQOCJ@&bDj8T1v;HMBM z+b%%wk`PSAE@Ln2{0vQI!!cA;U`f>;i>6Y#+kxbEp?{A>)-7@r!HuYDiKz~Q0-NjQ zYW|@x8C-}QjqBM|wg<_oPQpD5i=Kn>d?>QRxg^V?7olWs{SdY#D2V(AkLP@>Jo`|2 zc2s%RW0E1`?is$)8C9j@RLl1q9Gl%8&d?Y1nZ5?n9X|IuJaMF;{?G%OCPEHz4s*c) zS>#MQKt=a+@r=?eVFJ}ll53n^M#+s)z2y6ySFiv0dZ#u{ZYp_F877mdpW;e>lT@gE zo>juQ5+r#=1Of0G>lKGSy?K9@JOCO`coJ{EQU2kCnL z2X{xD`9tB>f0-li6fp)rtn;x7}yYsxKI$ydz({Vqa+fng**Yy9=g_SANGnzha*o>;>XG z&xx)*SHi5j8!xK#w&4~0WxI01OC*+@j`IAu_RTvvL2D0IaIfIsIC757S`u`}NU{;B zFh==GFm@Ngh*pD9F@Px9J+yG@bw%^_n?L>d!ymb1=4m*o+>FBIpK z?RS6eryKM?&z_xqceV#@_s-8>%)Pk*Q((Ue&}R(x#tRjy04n#?YhfMdcrr~=NKwYi zXz=HdDZiBpbJXZHPD&fR9zJ9gWc8Hd0Ht^u5xjDI3vOCg+ylPssaAe z|AH&Lo7MhNQ;10ET3bR!pw7DM_!Wkts}&{#Cf$@l%q8Jf<%~5+GkGbXrx?TJd@g=_ zt^WoGt|Vn?Nora;k{KMzl{$UvER5P&`gT|i7W4&3>1E}6fx?{7Ld;^W|DsMp`-z>K zwN?7ILvt6JbVn)UQ*YGZGK_;yf0Jd7m%1&`R$B%Cq(L{wN{|X~W0moyHlNbRc>SW?N8db7w*n7DnUx{pIpbm&2CbJyfjQyO# zK!Jh|zb#H;S;Y(zoxG@|m?nbbmlh%F;=l?ac>dfqlP(TE__Wes<-+$VV2Es zRk<8_f4wauanTxpoL0Op{BVdI55lW<@nLfEgeRR(p*j zOE%N;5~zX>8vVwh(w=6wqT8#TS^GJAF<_M2VBO)VHTzq>EZErKZ$e-~$xRG8d1C{; zhx@0@QBZ?_!86HXEs^YTr~jdS{GP`=b$SHhBYy~9eL^vs-u5A(UrE-#n_~ScT(vFk zX@j|^Df+^DtkXD~O^KC+1Jvm$MOy*Q;#9}R0kGgrIy_zs1Larx?$E58X|@wZY2jCG z0Ed+)@44IYwI786@YGNgFW_~Sk7%_wtA>f^m=t|#si7{yxYe)K0}^~O5DzxlAu3Kh zyC4Kl>7>5zNx0ue06&*ci_ff)&pEI2ViDSpW)-5muD@+JaGfu(J)!p&QeU?}J7v$+ zHFW3O$Z`B~b)TVUqvG!RO0ap?>BDj&4vuBwzwVyTbvML4>(1mse3qj^964dOGx5qr zZEum5b|@4m8EiiZGYHnH@=H|-;@nbTXAaEvT%(^CWXoKdox-iXA!o0qzUh5_jcLRR zI_@0Hr`k`i&Z)i?Y0lXzw+fp=hIS2Aj+X0k{to4#YAR2g&Gk|P*!Pb7RFptR;s{Z z;(imc0$~>z_EA5Ia6pthPv-uTzoPCOAAW-T2($_0V@h#0<`xu6Qg~B3^k*65#DMSz zc$rELL0`eP`rjgq{}I4%B7l|dIx@Jl^=e|slj(EF8to$JnMcaPH;&4ZpLr=YKmKG#mZKpxf#6AI|cwx9b_4Du66} zs*pWlouUZb{pG^edL3ziJ%L0)IoL4H{^tzODuP6TIDm=?lrz+)$Ii~Rz|Vc=w>Dlg zEztZzB^w^twO~V(@iM|QeLGGDfoU^+rAHbye22hAd=Q8#(c%WK^XT!pdxFqfR+gfxV|g{u<2Liu^1Ohdqcj_uO|{8Bm|ZP=*I`(@^QtUs_gtcCU3ikORSmnYZgrtg*;Y}hUsIWOaS;Aa zmH{nk^7XkCrubm)G_YKUH_fiAa;7z8AxqlGi7zEjYM)nQOB-{_lnSUl?bFv_&7&k9 zCBF}ALV2C$yKlgpFv$lqr-kP_>}hvil|k*EwI~^7j%+%Pmh`DtaIsoz-p*gug3o_(ohLdfbD6YzKU}8FD}CT=x@K1e&$7`zJZEn6MeXrws2ibQQN&&*42)I zi`BIYOZ9t2X&YaysJC4cVX9jLxMzN$voC4{0pTDXrR%e7xcMClp`5{W7~p_^8RASt zO?FZis>|tXgzIrQ^jY$*;};gF_R9V##2L+1six`-FfE3_WA^Hv$T37&m9U^6-|_HH z=KJ$gjPPWd-%&Q=@n8ye9?chTe_5|1k0;+zoMI*nn1^S;;9sr=gH71eV2CdrFl1PP z_YbIkDiEK4&R&%71+nJU7iABLCJd&Qo*XX6dHl>@P$kA_2PqkcF!Daf#vtkl@+V$Q z;_X{|L>NE~EB~?_@h@wP`epQ!W1f`BdpMVToy5_dT7xUYIrFM=PNpTe(l9U*ay=1C z|A%R9rrleaM`=EL!KTinNW7@F0w1l$r80JzYhJ-OOCiF01P4f|ajol1k&%%HBhV09 z!VO~FJ#%Cay?y>hz3>Dj?$b=2w3eyK|DL+Pjn)-KW>s1^mO-dVRSM7s53M)?_freMwKw1an5!;P|f+ElG zN+yg&VcV&nWyt4mX5cCf`$L}h$IetvMqoAY_C$iY7OfL-? z0WR!Ev+xc1sX?%=Z<_+s9Gs>QTC0eiGnsoi$B6NN$#eoCT}ey#H13L%C1Djmt#Gl8HE9< zqx|6zPxF_KrOHU}*Qwn*%xHdVeCf|34h(JO2^o_c^$?hog_CJSOEzaXL#>$bpuz%Z zbA|tM7m}V)O|elfS&plGc}RySy+tK1@a( z$o$5r><5E9oZw`Z*UR_n$Gyr<^#?svi2$s7v2Q-$BBCCI*);O+bdF;L)wgj*paFx& zEK@?5jDJV>w^^J+bx=bZ%CwOu{>nTpKRbP`;r+z_E2D}cjHjrqP7-ZEc4!R6urtIj zyTKZV(U>v8-#b^8t6e`p6*!|9BtUx}=SJR`Y&`U+pzuH^$M#D|Ju!=X5&pO3l_g_K^nvdZiLgbV*CyyHca7X;H=d z1hyDvc^_7LSq++HsrSfU$7(dQD$LTPP*b5eo-`=%`9i7#fSPwbm!rdJoa4-Y&l<9J zFVU1&m{;-$vVtpcc!#Pis*fj6c(@G9ngeg_m1jR2h}EYSoHoYM6sK7!jKll`{oC4( zp~mPZe-hCKb+3HScx7HQf2?L>O|_20G&u3o{0@q8@XEZRd$qdky_5ZzNrNfhH66C! z{r%|hRZ+7jytti2uWA=zT)Uk_Q5dt7c)W6cb8y&x*KKq^ErSq+%sHtsEHN$&TEMe6 zo?up_B|u?(nV>s=Lb+O2eYUe>AMrlz_%b1I>Cz|`3*}cqPBF*_98E~4DjCP|F7c@S zzT1Fk{obcuzjZYD)HpgEw2u!u^%dX=Fzw@Bzj1ij>XKeUCG#Zw}vfpa6s)%J=A?$hnyDUq~5x)D{kCD$8fwP+%d zLMfhYA)dzB5fTgtjErIjc^cwtOl0&UJ;Lcal)%%oUhB`8wYSP5VY2p0d7{=g&^$2r z9J)*nE@#JovubCO{gIyKpoUfXzIY{g-lGxD^7Kz(TcCbG>PHJV7!ARyp!P^ zUEs?kRb)lLIBxw)?;gN@EN^M)z&-U>4|xV~wG_L${%S85-UiiF^m&>l*F2b$m(`?! zcd^VAQmiMj@mecDDdtb7IEM5~*M6#3ohln+7STwb9~46?8N6k$qq4=?1R3Fcf0pIR zgjK7B{6~eucMh8hc~@Hjc>Q~Z*v~qIr3)n8WXuRW>2{9DVTOT#46#J?=BurQCPD>F z-0gJa086=8osiAN>aUcGHRviEKM6ML%2XjX|2|9lI00Kj$dvczBb+mNv5f0wsuXTI z98GlFqo~zFS>`I<=Ja)>oE_x3$>P!1@_$C0LL1skGx_atQI z?ZvKTTTPx2gDR^M36_OwC(t}Hp1zsS;s8HvJ7=8av_|-EGJ6X92J)xmDcU^Sn@y)U z-8Pq?+1gfU}1mSz)ffhPW~{%wg83d3=ox3t3;lpdxrZw+J`_STrDjjzLhv-`)o z_oll0$LfySXcqVQ+hrYE_G5j^`?30}x`W97?t0rsZYp=eQGHNq%UhU&yRd?PLpxOM zJqfJc;;M9FlK?&x@ljPIIe;)JzsR&lmZCtUV0YIruGYcdT-L|Xq7asY78KX5wFa;_ z=n=>k!`j^jWrWK23z+fjujg|FIetmQ{nKu@b=>Fah{-Qb^MckNtL2kv4V2hVg~kWV z>8mgV7yB)1KHKsz&mR6OCw^j7SonFxXSEAIj&a({{WM2j6X$rC<3Pp38vZ2;<1i0> z@bXVqGikXbIOb`=7c&pFIkMN4jsdAqDEqqHp9@rzjc1yDCF zfWq|0*0uxX9)H1iYGezQSq+tKGwHIy$Zps)G-Dwo!(L|;^)gyY)OM6mGARsDM5dKy z%2|QVSc7Wd$q~CGCS$Qco2lT{sh<;r=1d>vT;BI^Pa4lK&IGY)P@ag}jxFwm+_%sg z`VZ@^#Cpbv)@Tb=!b?+3a=`9D)9JWl>y?ElrZjv*>;4%1F%4`X({mLVO-i7;H~v{)i$ ziyF$r9MFL?*8r^%wQ3keda5VanQ(Q}zTosjZ;UAO7sSaIXB(E^U31e0zPlNd*|iUP z_09Sw3++kK73MAyns))PzruGA-2nZRsH3wp^qu^@{{PVDjp_?RR32YZN3FWzjt4a6$Ii}9Q&-faV74eii4Pl0&S>K?Uw)EHU_2H)Z#dj1x@-O4dW z6~CzQHubWzM;CrRMmJ-eVir>b7x+9a5UZb_;k+l}XyD>nti0-{!r^>aQ$R0R zv+tHK2H#3lTzTv`MHY4ynAKVN-o#Fe5Mb<%Et!`U@{5XPn_Gd14$w9OQ@I&21M;S3 zXyAdAa@$WGbEc~iq*nH3d^EWV!W31e#&3ph|MJC}-&)G~;SmF_yZDFS-7^6cuLIxt z84fyeJI-=His*Skr4S8eEpEP?Wq!XcL`i<6?+km^zF;oC6RC9%$-hn%DmOGEGJ` zrK9?HRX(1Q;-pleQ?JLC3~1bK!}!cH%a#puoBGS&zRn0YNqY5lAhVjC zE5mlEKqH`Ju@+p9?+W7R)?4)2l;wt7H949-W6M+fuYDH7`Eb><*dy4+64$RgoRHnG zJB%gBUw1em)n9iQMa0(|NF3AQB!J@_Qfs1#KSg1NXhmA~O2MDD;Ag{}fj;V^9grXR zmL9-fcy;duk67k~gP0A^t7en0pk$Wvl!7|6X#5X6==IaMME<9JNxyX1Rj%M`B`Di* zmMU3((M2w9JHR-MVE}$Sd|0HhdF;{79`c0b@;kAE5n0738SN+2J6fmRdfvl4>N;(r zWOO6~&Nb?gnaZDDYm4i4`dW7)5;)K2ve>E1&tl5Z>}}03ncl(kN*w1I4MJnDsPY5_ zILpJBMpcrA`;)+$JT$f{`oZflD|#mhuvI#Y-6bO)giUSZ3Dn$C%7De;Z@d_iSiLE# zP}7kjG52aOkSJC?_iAM3=5+^=3-^T##YtUfm7-pc0=S$-5h2(#RP0NWf@cCHo<)Y? zbndBD+<^8EfZ?)(vnd{im*LPR(ezR!(YGZKzc5&t8p}Gkratxa9H%ka^Rs2s|Hcdg zrA!cH^M~}u0+AQ1kz&QZE~;FL*h!5V>E(X}h8-Hkb|~P8XG%;3ve0reY#5I~1$N?n z+8PS5J&iWhj+3IM!}Pjhb? zs}G9t03?Ntr=oFWB`iqD3$}UeICozE0^Cz8kUu3)^4^bz5R`&)hNY3r>yPWqiIKX1vl^w0(69nvi4XX7PDV|v8or(-MI8Xtu> z_=5bKD^xk~>K@v>pQd4)qw?;2la1Via=oh_%b#NGS1|Sl>eI+1m9iyr2JYf4iLMu1 zTDiC&pl_VarC!Bl{eT;uh3}D)C}1zHJmhH~_&uV$mS9-B-V}kE12V{3x!8_2aJPs$z5qM~r(Pgs;)OSBXit&1*wT1I_SkmH z*tM)C%>#y5h{ysiM=nQ@RjnV=I4&>|+d`wA4mc50(+*I?E@?!gnA7=MjxbkUZbI5CO!F;f zbrC(RJ3tk;9s8T5P5i=>PoDi_<6M3`dr^OJ&WoBSDGF(UdNIyiOVo9R@090(;R40H zZLq%CYdFiv!QfQ|RRXkGSK6Ox(RZMn$sQcWGiB1v|0$Q&B#*wHZ=x@dlXo+#?NwjYYMa{@ND-aI z_Q!1Or#Ps_Nr0;%y=Dlfbh=hNls#{8_F!=yXF9lZ`hN2aV1l}^V!H}RW};cJ6mB%N zQxV5ZfxytBUVfHbZ>ppf*EO7qazV(d>jZ}!`6QQ|t~kyoZd_#WxDpC2^x-*=Hu~VV zAR$=*56k7Y%2E-MR!j&_MAQWME?u`Shhdi2T^q1#^HrTo{#0?9EPE#oGXxx};C1wn z#|QUVQWmyxFpQR^p5YA(j6`E2V&NA&_Tr@5*>ClF?c?_{oD+2p&`Gy*((3jVNoUt29rUd76=F1Ge_AH4VoAAe+y@Oz zvsQb`pU#1qspcNobzArRx$+&`{?8Y0k@T!j5R?b~)eMWpZUE$X_#uT*3MjueEFAM( zSAY=21*&Sy1(>QS&@?>D`Pi?3ZdEe)hZ!Vs#c^(GP(u@FB-Prkz19<-Y!&o>traH! zi2N5Vu(rq(e_FhjT*AcVb$Q}X_4mYzjJY{LTyCp|`mzP)|I9Ora)#C!RAWsGl=Jlv z5~emW_vsXMqkqL54`D1)sM1^gm&RulRrIJ+&9Q3QH>H6q4c~l{lZ3?>RVvCwH5^lrer`u0B!_ zLExg4GQH|xAPirhkQgy3NB;-R4lPMQ_iqwn?x4Kq@;50~v7jx@>QdW8SRkhzO%K*R@vXCQzfBPd=rTj3S~tq@jTx%n6o?K1GI$4E<_Wo`1R0?-B%{#Kl-#LTT5W(@Rs%!an2}L5XV%0R zNJ=kVWUZs^gyY6ZGfbV=P~R1sC*ojBNvNXk+R51NyWB6RptR2~h}K4G^~?JeQIXWq zI8xmj7Gq`_4HhK(3Qb{TBih1w@#a8D;d-XudMrH3dC-2ij{A>FdbCPfbY6UrL|P$a zb{68bCGvL`gThPam3aSz#>XA8NU|pu0qa)TE8l<5^Bq50H25u%OFZP!&n+Ta`iuWv zV&d4h_-r4tcd;|z!}qVqM5LyMT<)5c#|muWrxUjaiX74p;g;x`Q(ILKEhbs0vW!t) zEY@JshF5sUI=lvoY`Y_@-2ucRhgwl^E(<(6D<;IcLA%zFt{_;OMvuV74wcn#C<-{u zYzy!aNVp>0zcCstEEbsQ9XQMxKUv#_&QP)l)Divu)%uKP+yU%&PClXXJ%>40ef}$R zk_+ZhqrVRYb`{_&GQ~0!l^3FDzjNGg9rxWByO#P%fb#_m0$& zta%VIoo{I#2UZ5uC({s0ia9itRA7D_a0R8L^GK$5OiS@c+a}Y>)wFVFYKq6W1J$_O z=4_V^vsyWPRT3LorI@0=)IZCsRulNL8&{+KY8S6!y3&)&c#~)678$wKOx;#? zZpVh9vALmX*O1x5i>{&zu73kNzu-nq@pC`H4Vv^UEQ^=ZC$vIH9{(qJPw^4TAay46 z>?x-a!?yY*n^$--DTWv7NgbZ4m#;UxYmas4_JUJ}<*@&TH<4_iDSpm_k5)C4U;ohw zA0^kg(5P7JtpKzwyaIUVXE+u?Esypi@NpjGXe&wa5NK(IA;qDTO@n1%r;cv9?U|N3 zx5*8I-MppM?e(RO0CBus%@@$L9~()$>|12^M(KgxGxyXuQ6Jz$v$JQIAVqKf7R@G9 zF=j5szYd%nPo~r8|trfwOfpD4fh5Z&z&Wanax#BQ4h>z?@3xQ7 zQKQ#yb$@Anl1reCCa_aS+S}QC{c0{x@WUx8p1<`I&1f@_Ei9X$lZK-(Ru_rz7U@UU zcnYP=m%!BT>eI^w22TJnmv!(#_?L@{p(c&}ghWjlOV%@~vaX%a|tj#5#c$d56~W*1sgKp{XzD%k}_n8Rtfw!yp7 zhONKKUT{8HjIH^wnJOZ-JYIQ=|Lq{SppL^{)!*iec$^E{?smO~HhDo`_hO;{5=aJ&>oM!8kHtc zJu8HK{uDDQnzZIyyz)54?)#nM1=4LZ;#IPHD>~KvjKRGZfYl)s-9{r3~O+q4b z*07jTvBY$73(%;YKX}fne&p%kmC#kn{1wzQeIj{+ZpPto%tKBuk|-Qf1;#SxL(FMa zF^Gy>CFEx?puUoWM8Nlur~WOSA`*jT?hw)PL5`5#r=!F6@h@xoLd2N=cfBA&X)~@| zO>4+}Kt)RNKfV@AX)L|4{x@*6pdx1reHy=?#4!~~`ZC^BNJ=IR%@E`-?2W+9c$CoA z?43A#1CQX9W~qO15$2QMw3hVCqu$v{>sU@ z_wuhW!{B1?ph*zd=G8yCzENCVIy*ckl2%$dsZ`^uOmzbDV-=|W<8OBfJQ$u%vD1l>47X1N5R!g5ajgy z*7&L7v;;-5(BB+KE||*@1orz~R@hVl|8lDhF;K{Gq0@SCO4cPJYwKiOqG%krs@Kt= zBV_Ld%6C^>iLH@xi4~w*C(jbgtmDpPbcO$ovMZ69JT|e?2 z>Angqdb?bpGhY}_sAE|Tg{gFkC|Ed4;ujD~dtp+^@in>--*MF(J zC)%a3pz0H)JPE%>#*+<1x6@2)AbuRk;v~ur!cOaiU4LPD4p*}7R=45SHR42yy>-mE z!d;*8i{a4uzhKHe-d0)JPC4VyZ1Y68gJfY>mvJJQ(6TX>8yV&R9`YnS&E7CuE;T*O z4iBp@F`6ES=LgadJC!k?dZq zU4QpI!ALhnLyF)w!N{Z-C8J&#MR&+M!udD}Q2GAg^mzZcanw57Ij84r+Pkngu=v?Z zmCEKY0S#PnCw>kfNS(jN3Bt7YxmGg{YW$xL z_A59hflstaIx7+y)3w@s&EkI+dS;Qf1y~kUS4T2$=At@rf`_R7*Dx`@f+4l)a0VNS zvcn40nvyYi9dy)+y6Yje-T*x9)r3uEgu<2j6SurTi-U1`}@UqOYUD=yk< z*^bUs&}vu=JqbWLq6n)dzINGGWO?X&heOsSoy>G_ED*zFqou(Y52-Rk+09vF2I%1x zKwc%BV=+uY#d)bTjIbY{PCKHcL*esXv*Cg$3MvjO*sT^&4|%Tdl&7^88cQG7nmrz5 z!R{Zn8pr7LgorI7qP1plg@wiXM(c8S2gLt*&xI>v2YJwum^{d#OievHn|JbAd`|Z*H*rNYuY*F?$RLgCv+ypF~x&A!F zFi6+dMie|#Giw+7`4+~ihNRnQHJTI|uk!k%?!FNzSdRs3F8e>smaXX*DPe?*P1+(0 zRwSY^w1b0i#)-$cFrv>p7BS{mHE+2;xqv#4v2s@e?KXCu62*RA79;!s>z0QC+uyh> z+tosZjrNbXYL$!Ob*A;d!jPq@>KwAy5U^m^w&i!bmux|Gjw@Q4sc44nw&NKBwvF1pdFV&s|0p+Y8O|G1GEMk2nEJB}w{G!pM&XK|nX-+;`~!}rIL+Mcl?F_O zgIsd_+wo;W6sWtiyDfz?!ud&>1hZl8?kj&6?U`4hus!#sK$w&tD#WE>#O#2eMiDEI z`SrL-cJtnlzl)!hkjfy;@-(~v6rBB=N&^>w+thas947JKQ{Ng>gmB{9Fh@Hy=RqsZ zW+~3l1m`~WR)iU~SAx=E=l$Sa>qFyXyVD&sn$5vctKX=5<%7e<`@tu#B;v`evVDf# zKw~b8LilwnQ&zEq>UGbbBfX&L3op2+j*|)Y9OwDfkLS*PAm9_Idkbk8}k;3bQzt?KY;}PU-=KZRH>^lVK9crvmInVUiLI|2~QK`R5bf)KF02V{4>y96mC|Ts~~S`}@)1D+nS)mC7x| zvToLDJ)BfHqM<^tYP07kzP5*?t88azKs06^!!~DrkGG zdNF;+gxL~GR8>0qQH1=Qn&LQHNXLe3_SBRd+G9M1o-bA+W(s*2 zQ$LKzhivK(S+XHFieWOy({KVVIlBS3T=+igY@+aVlIE-MGimnZyqu)@ckgY(vBiZ<=2`KP*G!^BHz9KDkbeZi(=$YX-=wd%h;*)Xe zXLtpw_RKC%OCyBy0X{Xo zS5@Lg6I0ZADuQGuQQRGo0S7xv)x~ue7pqgr{0s3GsJcTYGBu;u>v=SJ!Gt z_np&eK=VK;Z$0RP5J4WgnU^x0FWk2m`XERLb72YCPuf$XRo~n!eyt-0EPk$|m?!*F z;w2i2(#On4MpJ+pFLd4GZ-Ar#Aptg!5%>;@kBDOf3ggQJel0p-XfszyWL!#W)LVAP zsy1GYp!S<11BOB9wcZ|Spq%fI0IKs1(rPR#4G)cPh0(Ms^X7^jWL0)yu%4WUA;v+q zXjbX1aNxwhMcg)gB1W_(Yh96>#901Z$>{M=zH|Yy2)Gt|+7L}1Re?W(OHG4HxF$DSR{RsObP)**&Mu_XG6pZ|_)tDy0B-@U*JAv_Ax!>v zkM;;jFilWR5|$kjiX_2pA{&xmHu@@(P+(!NDGAp3>WL(why;ct6jExLBouXgs3a_a zw}94bNkZWerX;vWd%Pq_bKNBh#mA~8vS1!5+`=GReNAbwP9zT#2Za_-D-Sjm+yddC z)`}8g_k5&CH~}uA_(O!kF-U<_nBzTMEHdMDjwTeX+dTF6;rCU=!Q}!sWC2U4Pklml zI?vbSeg(a!;(HaO&gmvCmhrdIe#OasgX;@ha%@x!7icYEG2t>15s=lZsx_qoKr6CA zgn`Qd1HPgdV69h?1khiIAM&?GS5vOca|Uf6e9N*%ID;aN#_r~o?^}QGcN>HK&hbI}JxCPOaW18z zEDp=;ro~MCPE&jAw44$y%?ra`W}>|>8Q5hmTbFV?*rtCswd7jzbWsS*iGD}%y|dAg z!*%?_5?ftq`ljFx@y7zy^hYOX)7h#F@F!;n(ngXlhqWK`|d?W+**AR_NT{m80cG`bF?(VVp*ie z`ZIEXxL?Xq3*EJ@m9ku;XlZc6vLK7~r|JN4zf=~uedP9$efB)}OcmFcHC6jcd}-Xl zgD0!Oux9IawR|piwvhQ66E-3i^F&%`L^)z+h zB2M1??Cvb-uJtwR$BgPKa zSr`Suw&L8+XDkK5Lk?7qx93lHka8HfHb@?CzdBfUHdDZ|2a%1RPhJ$|_AWZm1=?w~ zptCsQs{QMQM?A;FwQhgFT9Q_SUcb>l?bS1y21A~c%(sq>{Z+atPvr{^Azt}D6wfnM zvKez)Z165KDVM6YqP1PatXs(>TFsUyA+6}S5|Rcs!b|0-H}71J8;L*2)-BKqWK<0g<2-kt$%N#E=XSNis1Ln$)a{ zU0lVkfVwVL?24j*z4x|uv4I^6iYW3ub7zuFk_n)z`@Zl0GtcwBi!=A0d+xdCp7T5B z-nlo%W4!o3U}S$&Fb#)%TcM|g#dQ7@u4ARKNp283cR z|ML;iN>p=5NKE1nJcdvWiN_G_L*g;y8;8VWNMl2ync>ztxz(mfUr2L$Q_Ui^iAFIM zzj>bhr-$|DO#3f0egEb2OuhhvCqKwwNO|=-j)Uk*d;rd53`1}bMR~p3_ru@XKvr|$ zQ{y1431Fp}2Ovj=B&s5;bPR_tpnr2%K!gTA8p-3pO-)P5!97K6tz4TUZP+0f_(5P@ z{?iB!Nbz_N2$doduoxs&|L_>*a7oZhLj;PEODB%Gsv>dib9<=#R&Q#FPWmN~NOKm_S?29^}A=k3uLc z?F)&JB)MIK0#uh0710e&NPaF5E^*2ehtLKEJaJBBL{=Pt+IOtWO|F&A@g{?gM7z<0m zO_y9SlaLs!6v*>KKa=aq{r4hnGqWCFTLI#!JeM)ZIJIFfi`KVFN}NJU zH)8PnUqIeXAZbVo1P4Q{I#DP$TT#x&X2*_=LCCKHkfhxRA|50pBSmQ(N2+>`o1F0f z3Re7Apd#fKJMCXlQ3UJI|5;QO!zX_`*$iwHE2UQCFit#-#p23iqanUXipaGX_;@U` z`KhAKR?)B81^RziMWOGA+91^>wC2SEwiI`W;+8ukjAWj9u$03Wpv^PgAjpTbrj(V- z24AJA)L!g64{I}r?tdR>D*+Bw{)R|0{%@ij)o+ad(@2Lrjeh!vZ-g+aL;Ayf#Q)*E z+1ELSMu8CF05rf5$&e6;Xn@^MjsHeO^i$*ism4R!DXI4Lvqu$HX{@Pe04Nf;QUP5G zV8uZpO%8t;zS8iY-&sliO-1+~3h;BLgqrs_s^N?7gWuI{)#|ioShK6|sdWBG*E2J?NTDG62(|bT19T z5Ty7ThjOkq;l|W@N2aBAR9#3IJ1i(*h({QEXjoWqD9I)TdJOjW^2F%jcdUQ)iF8ep zRy_t5Yen}AB!Bp0_h6|j8L?-O`uljr4r%J|;1#bM za}9y%^4(m@(=(Kg4M-F7b$u~CCsY&jfv{X&qF9KJ9}h)|W4>jdfMP~b@vVrU2*=i} zgDbU~gl|xK<>wS3VX7 z8eqmx!#R<^LlnHUlnr^EPhK_w|)@tuUF<@KFLM^Ah@@>tU zIdQqrv0je%h{KK7RjmZS>=s(jQAQKJGpp=Qnkfvoq(kZ222G~&u zhP*@Nzd$gmngXfj#I(#S5h9llz87A*biRJBDQK&!lgB?79eFF8VnK`KCe+f$lwX^C zJ$A&G#k7Qs;I*aJq>Gi-fKlVhJ}!Balu8dNA`Gmnloko)MeKgLU*%hHd&1;d*#Hng8Q!^u5mxD8gYua;OnWAu1J-W|CYfg z5!Tdzpb=qSAz!5h5+p$iOGpYpd75?;L;xd9E{T)IlW5H%CpX&)HEJ}E;>I9L22Zpx zE7~GuuM@TrUSvT^CC9oJ4@t{Dj zQEX3-Fb}q;ZwQ27Ae$efXcgk4;HY6KKM@9tCZMvK3pKYSXnFD}5FeSo95CQ-RksRR z;%P3v00v*gfJjZXAr-j6u)>isp77L~3kK*RoSfjrx}-=2%h!R_8j4i^YFsV1sIiAZ zv3Wv`kk(xcis(Qi;MA7ghEy}$-z%}Lfy7i7zet(`sjlNwrB#7k8bPdIAt0&*ag)`x zB|xasjVg)z#??g;?KGw`7=k5Gt9<5SVOly}ep(_a${K;f8f$pOcAyk>_>Ks8!Ne=d zi~U4!lKOj<#CM98TN;%7lRlVNsHJ+ViXCO@%{A|)pcIuuQYnak^@>FbiN7hXsMD$j*!+s)h+<(d;MBy3JH|z-xxT21HL!F}kYIB4NX>7gkY zja&GdH&TsT$p{UBXuax91;`mXx)aA+MMWGuM%ALfK z;F$t^DETM^3&q$UB1p&)gL@wV*+_Y)7DEIZilhmfJOg|Ky@SYsXyezdHg-`f&X~M} zk}=F2Hqh08&sy4k{ypYH!#qO5*#1F7Jp9=qUcvspLp;KQnivV{ zI`Z+*3|*Vqn-tY6PgDY7VqXi@>K-ECk>0918WEh-$Xi6fqgn_Q!Aaf}kA)mD`JX%` z-KJIy)m^0aRYvOaZc4}2XwsO(5(8qW{!5wXCo|quo|shjyJq_dyXfuf@70WCIEf1; zBH)4l@>GYF0X%@G#zU3#IEAiI3E-=FA+0zNkEqrkNUs`^JHy-(bHTnbUcl|*(?yMI zY{Gn z;;2fs(WR{PCgddtbwMhOVfc;Qq8hpbL2Q$YS(HP8)zZ{KD2Xo+$V1d<4hp`TLZuvm z0G6mCMBl*BFb{u!uMkDDY^-lEJ8Vp_7nOfebD0eDRFB|bd@Ptu8|v8rDyt+?RKq~V zI4)0PsgZ%va}_7?#xWXcT!m12W9<_HQ;CXGRS6RHzd|cW(MdD4B2a}tY`DoSekZMH zt_prdL(S!%lBAlLBfrv)3prxUn1TOSG1(aYqcYVBuq5P&sqbRLVrLM}gDkUPV0RI?LJBmv}WqTo_Ei3H|i zDkl+gq*t`^+kSxv25O1@%)h-xYtjpImQ9urfa=BA=?bx^LJkoyj$L9r583^Ahk zJQt0#B_(hyoE$2Z@I|rUQV@)g#ytfRSS;Xh;V?K^>c;5Ni)^hGFW8D9WXB;$JOpki zSJ1}I0jYR1mf1m&iZ==2A7;yE6qh4{qG5=WAVq{6DWA&`2vQ&(EQKXPz6jf=WdkAq*iBtTGBqp#-pr3M&*k)FZ^plN}i3>BaW-gkVu3UxJ9h^iL#G zWlSh64wk^Uy@5n9%)`H-5exWSzEqF`p<ezBuwv7ui60b1b_hevdw2e6~SXC`q_ zC>9pMm^0wvUs3U*nWW=nI3gYt$FT-OM|w=$Js$&Rd1GBy@fOYHfcQiJqu%%XvJ=Ax zSCgW!bSTFQ-yDhSdy^aBzs-nf^4f$gQD2xNSrcZQoaJx*IG2(bv4+*;hqw}0h$I4V zp!GA`Xbv|%K@4ED=63_iHKE2t86(H9jmU^AhOEUg%F@_hil*_|fnySH4qt%Jb1ouI zQ7n?gD6-Zn^^|5&2w9WKQ_#bOp+>QhT|lAu8iE=JJOswk4}J@rd`FlRAtVXZ9dC*} z5^Syn=1AeepiEGVKN5@miG`}o9S?j%y+0C*m5>J@s#*+7xi)w)8v$O9nJiZbf`~-Q zZ<>VC=xL(^$Hc%~EF2$!!V)*C7d{dsfyl1@U>m8*3&T8hm^WBYAmd+Et~AP!KG)K0 z+|z4tQ~ZSle+7G3yX>$a_K=}oL;TViP$OLWganNUCY4o%beN8XA~8~bz9`;9#2W%M zjL3c{=ZJg=M=N)To2RNUm9F{-w65~$rt*mCF0gJykWB&F-Sc3{C%L zqH3K`o3{8@Rd{_+fzlr;=!5OB_{u*nTL*NMsd4ft5cUHT(yYT#0)2w0LF{B+kih2rVBZIkxnyzBrdGuI5r?q zu~CHFLt%jsV-8^M=91L-+1lFLI`-=a{%dP%tNvemJ6l^FyM9jnoccT1JN56UV{7Ns z->JV2Wc$r6e#I{Vvz0ow|F|vn&i#-46hrMo2OEHR30$cQd5;SnUw_7DmkVT*$dT9} zVyVse7zq+f_Th95Q|ltnKf4giFoB2^hFl=?VczVJprA12su);@iH79~4LpVhD{x5(GS~I$tDD`@+c_p;!RB zP!VvW;G00eIPxG6l^YSr;17us$^b|H8kTa2cRY@iqxKSeM7&KxB=Kr*r9wGb0T?cB z96u4}sTC3+u_$FJ<>Kw*C73^#A|HuSa*AXuilMnuEsC>G<~z;3z*!t5mvtkw%I+b2nRh4=8|> z42AK9Fp_{@Q3rOEql!gbD8s?g)|M{ccbJS74N8#uitw%HsGGSRJ%E!OLQpifw4^F! zV`mFlS%d}%#qUt3NEd!ts%guyp)}-Tv~K_uFyP{5N$d* z4ct6cDVlUBGLjCFZd?JaDzm(x5hng7nJ}OQUw3#ntZyyMrkIK z$)KC3qFf1IEJg8E2$f?+;viIthzXir$+(0mXn=JRB^5UYH6FF$h{c$0Gw4bkb2GQ6 zW2z3R@j-;M7!T%l#58a-cc;q-iumw{xZ9&wFUUFu!l0E6ERi4*ayk^}UU`0k{2qPW zWy3s($z)RZ4U7DU!IWoeRU5X|Y^O;*q!=>@vH_l6jPONLYqb&RMTa1g6@biBmBLG> z6DtVneZ)E_f-zO$NK%^apDjIx|DQH{KYzrJ(*KKM`J!a9YFKj-QOq|d0UG!JcD7Cq z_NxBh-nPG^(@+2ZZ~RhItuc4R1gp9z6O255SdaXS9w6gtLL@;X1+iIrx($j7Y@`B|$(2Yo z=&NfJlGgL$~sh1?(u3w$LKd90g;<-oTMg2U@twy_-Az(TEw@r@wp&>7aN;q&kwReP&-ADtUQ1vYO{l%PRm450TL4H5{y+GoDdTOgALJ2HUSrj_?8;Tj%nvgvZxahU{uPEme+!im>A`2 zjmIi7z*r=D5-OGOxl-#e%*bN`w+@B52@<|E1!4#}$<~}$*v-MNzk{Q#t*xuvWQHb0 zdm=&(UxYFsjv$GX0<4A7@RPj^u_sBb_Y!H03i5{VU5S?F@@^$a_)vzL>m#hA4OSWW zGjmA3<%z-_5E<0(Zs@ggWNs%v%!+WK*q`Z&-YbNU_Y`WhtN(iMNEtb*j>`Ln^H1S= z|7CtKZqikBPRtj>0=@`F~6%?#aJNzC;Tefrvsg6}Dfq(I3{Pd^V)h)9LBW%l|Zz|HF*Y zKTG@(zb4lI`q|rQtpC|L{@nlbul#yI0UW*v3dBZS?Y06;7wAcdBp!ne_}S1f3PJr` z>D0LZES_VcQXVV;2>@ki1`!W6B1TX{04Kr%&G?^Gz4M|QhCdO)F}Ly4dZ8lsvaluBTZkcg&2M+}lA=Izgm!Wj-UEdoJ6rpHSg1|M zOf4uS=ZY9!Sjr`m1VX+LW=d1UFu+>GA~qX)06`pO%EAWWN@1xrK6tKlI;8k^4`s)3 z&^QpVgIFDJTjPCn0yiF(;zb-m0a7|jokl-fXGiKHWHNU41F%AXc{Kv|w*A!KX)-{O zLa^^=YYPNHq#MXWMM9Wg@_c!q7?~b4axtR zfWi_e+#KsN8|;mUgcx$9%785BSWSG<6*9-$OOe7TCMPMxz>yAEnSdokY2qP9m(7WV zMN)>moLY>;uux|e&z(UQd@%r=auLLv>N$42lUG3JA*o1$rPSt9VFosw^deQ86MyVf+o5 zKSf!Ue-kBu=0gCTEkga_%Ja!eu!;Wz3lu_=H@kEA3h4^Ffp-pNy)8kU<>{wv)h zMIu$jssqy_0w;{gJt88)%Jh(O#cUBGPC(-nPw5a855r=PfS(8}bCHhy!J8hj6Zv9A zIk^=k*4RdOH0-4Tt`}`%&V5(ucO+qm3rk|NGh7I;i3Q{{8KK;{Si; zhsTsI1m56t;Se~Mk4hye_y%CU2!*)`64(XOj6>BbFy&>zavQ$7-WY7=A_88h6p?UZ zVb!b^*vU0S`PPN_AV%p@+LK%*R>I-JF$n@D8kZpDAxR>pkdw?L93GQL#3)Q5 zUm)P4ZmFq|FhM}sHhvxkDD8vM42C6qgh%Y&gzRi>ZROE{Dg%V)!I2ecoCMt6$Q{KC z5?4nlE;}JzX!Z?*tqazGMP6*btxT1XZu8nqrRM6tSxM_MW*lPVCOWTFX}3W+$eun-&2@xo*rG&Z9MxaACV6r(Q2gT3a|lL-0WTo*+JifSk-(Cj6E ztqNM$n1c3*`yAy5y|@vp`^qZjYO7_kLX`C{b zf-ysSpuIMaBjrSMP{Ji~1Og-}5D^6?}!Bfl35Lf_XEeCRhm>jK11xO5%8k8@R6SK*Nx|H%yPoi&7 zI`R2GSeS$u#8JHxej?^W5lJk$x+i#yGmpX&OvhayMpI3VAc_)ArKYNA2QC^0mDoWZ zN6w#|CCZZcOGN{U0VhpN1(ZP~l#U>dLwtdy7(41xgXISgsE)A+;Q^&;#HT4+5aZz- zE_aUN(@ZT$fvO(mlxTuq)m9bH8)=uSF7@s#^_eB)BnOFMk#bcC)!K|=5H;)IlyMXx zr^^>fVG)KQ71!Fy5f`TVT3aEY2vvO*55!fcs)Q^}(bfiYa60Ojt~Q^VdQBxw(xs)% zCr7G;QHqfum_&GZ1OYbK;$4^Wg>V30lpuvwdoHiQBuX=htN~FLN`odOAh-SWd#(flZNhnQub{9usJ-$xoaQaQE8!?+ih!nE?Cf=;H0(!NHii!n% zDRECX8ipu7v>@TZ(JsFDu>c_+0l~0@3yY+jSlG?pR`EW7ldSsA$(G7Kr~+WTJF1xX zpE*{Qe~@QvvnN!uLWbtdB`t)$VH#JG9~_Mm8ZuXtmJ|^q z0wgwtY>wp5w2cZ?ov)k?3KC5kEe+VLsH(Po;J+KwD7gN9sD?c5-!f#{l>+R5U?#!Q zaR?F*I0a8I;_`=py4n;{tEM)48f%Wv1B;0y=H$;BS9i)%>MH-AUIO|5`lq)3CqQBm zm2YRT2TZXj_Mf!T==z_1KU*h9_4Pj|yZ-h+*Z=;F-}K->A9^Rcj*br9cc^EGj?OQ? zWB)Ut>FDUp(M!IhqodPGJai1Iqr>ch{ZBV}jeDYwPL__Zr$<<_?(^GImyNh`-S*{O zcKfY8mqxGhjSBTN_VCQL95!us+-1G~;}3hzKKy=Izr&rlP8_6g#~07j6ZfDgksZ%I-=4SgWzF;b*D@Y2-``Lc`o$+pN0+8&U<|R8f3ObI z8rX+l#OG*rQ5EKDdwl4ZZV3q{Mud$Q~!9v-Gqh$J|BehZ408K%M6GnbFnp%BSQvE=7q{2Yv* zgYk1Peh$XZ!T32CKL_LIVEi16|IxvK@@W=JbIjJ>E%|Wx?1-r*`CpK_q6wi%BPTZ; z71SNGcy^cGuzz>mf>DbG*3@K{HH@!%u)QU_s_a0!Oi5i?YOng|gKtj0mY?@&!{*LL z?rB>d@4U42q*KFN>ANu{$1-oPNlz#lV)1Ng&_i_2tfg|E3$yGamfwhOgLCx6Bu*4h z_u7!)v(V;_lWXpdqr&=rVa0bM>lX#Tn3!?k&`Lc=L7nx=kgJ)`lSIG0oqf69Y22+3 zgDcIJX2kz?+|bah)g=0egSO@Ch51ttFt0aU$zHwTV0HM7u@~KDP7ES?Z}~@-eZ=&8 zQ+nc3m}hbR{6tA+eO|Ti*3Iwz^R~P=6)c;`y}o^Asbkvvd%^in!&62)?H%7Hp?2ZP z4X^TQFI~E_claqEy|vSCHuO(=b@|Fvlc_F|q4C@|k4NUng}cTyIJ-}MmnvO(M_DV+ zn+)?>Ij(&vqwdJjq&pE`j>T5GRo~l@QL%kon+}^Ke?Ko@|Egi)#D>bp4RuJLsM>3P zeK>e++_i2|i3O!DXQ!LYB!o7%pDtYd=b33=h^D;S8JG#fGsZ>L2Ew&>s%9FRrSl%Y zC|g{;x{Jw?w*4QL^onZu`?N=9)VsewZD6n1Qh#beOVe&Hd&=TMi@M9F+3)(f6>SGP z@AbxoB=v{V%7y2qclCRJZr!anC+?2=;+(ek#i-DUHO#WU!yj3!*fXs>;L)gCPBnj3 zK5m^Fd*%50P5IWh-FNR5jXKur?nt>BUpBBjv?gY~G#6)nfVFYAXM0{(Jrz4_+dXP_ zTFlGzA-!&&M^E=OwR&AUVwk?D?=w5;o7pSZ*1deXsPJXqyHaVu5WoHV<(fM;N*6AE zcXmZyJ3v0dVDhT)WL9kL`}&2M1Ny3Kzb|`NT^9A5$B~J* z@3}N(&zKU6=L1W7_9^*&0wMN}?Sr#V-TSjsTfo@RKUksh+*<$8;;w(Q7rB3^o~4`K zyXds|!143Z##Q03H~GXE83o1B+2MC2f=DzxbVg#!NJ0a*Sr-^BdhxNp3*N&4vg)3f z7PK^7fPAU8nQ4|e?&%q~QxgvdFKxrvP1}ExnJyk%Hfqtp5qlmz*g194$F}kJ=NPzn z0!nYp3yc;OUUwV`C}Y*;-}~C<2h#g&9yYk%%gkVT zAF|mF%lyT4UnczUf7Bdj|Zz`U?;hT8pm1h5DnbBH|?!EJEFGg-gI~8 z-FGTF&`y~CX8$C+I`YX$>wJORu2S*(;K^Nww3923gI;dM+4AZh_|Tv4C|kJev3UEY zb58r}FOM3M{?Phk|6Xp-b6K?o5y?8w%AEF>RaC7HhF_k}#rH`vaa-!T`{c&I>ArK$E z+zOXfyw3RO#LKd;&iDIpu3r2i)7>#X_|=^+f~PYne{2^{fu7To{)>| z=7ys5l-CbJlSX#o4_LhQ(C-z5{ExH^&hE4D&qTaGWAy`fUAA7E_xkFL%Bg`bJ4XI7 z_>|t89^$)~m)(i#FFEmLbEojm7bixXM+nD2(}jx-g8Tadg}4Z9*^u~bQRln$w>P?` zE@CgtubcKq+i9Ut+R9JUoj>FXziinnitRLqUN@9*eSHdyOgC-5ig$gL-q;&U7nv<~ zn)t{tDd;nQ`4NMy2F3>Yj_FA?r#Ad*EwbLx>*}37tYmyHNo5H> z3#Yy+rRUYoM{PdsADqRq*UxbNnBDqX>DG^b-&kd4+>hw7xeu!&(-~c9fwS?9Hf8Y5 zr$c5Q3b>nLSK)JFqkUBeU0T;R2Kw)Uy;~o7S7i3M^QzS9ca+AJlyPJVsb_K z=AcbC+0(s|`9%#k&!2FcnNU;Im8Q4Nyt@4Iva(yXFAvl`ecrWx)-=3c2&*G={-yE3 zpq@y!nm)DnuC#Z{I_`$oMUCsLXW(g3T{0$V&fWJ%UjM~?GU)viHz1$md$a5#uEzdd z3zXW87O-jd_QagbryEu}Ev%XLQWAMe&ww|gAn7A~?riF~mv`1#3(q`pe)Gf%uZ^LG zIlXQMW737T(w5CBYLyiA;og*uCO)%fvQE=lY$$DbzkboKYXbl09zn6W z#wD!yl?fH4OESk+2iN{GCUCrNwr>`zm401V#K()P?lN6%HwVYftk1H5a64ITrVAH0 zjIN!IPe1D|C5bmvH?a3`KPU9u2bnI_k=>%-a;_-*vM2HKmpZrMX3usI&}jK6R>zn7 z`bL@KR-?VaZomBfsrRd|PeM~)Blj@PE~s4WmzVcx!^bO^Zlnz;TI@4X2*8`{y?$=R z4X17TfQPDW<+8e`t*`D&Oue%6#2(tUb{KV&+9Q+A()WHrd^-J__|dp>HZjQyF#~%9 z=HgbqyG-2TFRxEAZmzGs|7u>(uH4=mZUYu)4JEtZ)QzU97w<)IG8hW7zA z$JMMnV#7?^k@WFVWz?;SQ*?A`{5A$TBhuj$^E>AhC5Bnxo_Yqez-W{-gx(fwyHxMs z1Jl1=Zv4%06MJmY)*5Ukb#0T(J6i6X+H0rD*tZG(PGfQOw2-g-=@T+Ba??#r$hqZbI^0b|Kbj?76P-HExy8a|;;WZiG3+4I63pumXkdfXqh^-H z<6F1aof_2{6Q%<#b8%9`#dg<=$6jQLpzaMF7HbsOQUMM z!E_xr?#c)EyVW1sojEo?@zzx{yv5PFaPi^5*>f=UVNKV6f9+LD{E@d9XnI()-J=b} zDzK#0_uiZld*yf!dP~2w<0kl$$e$jpj!gRYKXZU&HsKQZ`NNBb_aB_4 zBRg&Qj#>7(X3e?h&RgB?tlk-iPb!#pQf#%%_BMvPWJC2wnvHEMV_jA>!c%3`&r zxt*FgufO;h z*lvwm@XokGOFHOEwq9<9eZM8ygMr^Sjq9`H%-{W)18Zy$(-TMivUFr?^|J%Y;FovS zt#G$ZZHXI~jal{)F@;ylfg0bZt<-T!zgE0*J~FFraM&lT!1nSMm+H>mcI}x~ReS#! zuMCHdDaOIsrw;Y)3=q<18(BkW)=lTcs)uQ2Tp-z1aBq(ZkO7_tmxsK}MkAE%%-0mb=Yw|3H$~%~6V#i)3|V zzUnycGsetx%pyHKJEQyj_V-FxcERL%k&cA|*Gnu+=t5^_-HyFLziP*_I=+mjy92Fq z)E}%XIyuK)zxZNQ!py)d9ocrhgWD&>yvQr~ZPA&~&BHPAmFw%}RxouQz(D$CtlB%5 zHr{^F;ojN3?`nd8Z-vtAMHw|a-sOvD5wXfpR>z_t{*DX~Z?x)r$LZ4ne*HXj-8$fa z#oc8-F?UMe+*@^dMVxdoUS%Y!W6}2LUD&ji{b{(-ZQt{x?JxJ8KazJ1nD-?#4A?&A z#?Q}~bHN?AOLSehSadI?4^VXfap7mO-A|XeFIlu`qE{9^^CwiSE{WgW^ZC0~uDItP zKszZuGT}0q8@VG3_KGTxA32n|u%_yG|2!ekN!+fbKe;qD@MWJDOT456*wBTGSIr+k z7h^WM!+?uo@#Qyd_Mfuxd((4GDbTW5eNpeS`!7cH$Z_gAv*u66Z+PwlbB)6yg&68& z<*z=Jib2LYb9 z>gBPkmp$DZ*>zCD-*a&^HI&tn=`nw0A7U_<9$j7GY*cYQ<;dO{mwp8nVN^lV$49R= zc1l_Gv3APYPEokEKG8ln+wbu{3~cEce9mDNTYsqReCOBQRe`S_tpf2Qt39p7(e%yH zr+lo1)`3fKGht0TDdsP+!g|f>rvLc)lJ=rgU5^}D<_P-KnO3$u?a=-7?QfIk^aFT& z=t>NBSp+On9J7$H-J9&ZFMUwO>bV`;G0sxi*Eas*Ca@h$OuVq>G5qDy4C1V1BWP?|38h^7AL!4huIkW*nYfY>0 zZdsAovX#r*Ctxx>3}jcAoJMz+!YSVdf@&d`O6-miqy?v_c3H|@;s&`JbcoP^fUy}j#RoM%7Ei_zlY9EfqXIK^(jq>yl0LC;^ z?`oGQ7v4p>Z|S>>PI&*u-utpH-LY%r+kA9!K8_gr(N2ml6pzQc>}(Pjx31yl4AY4V zYs3k-5HB*$Z+L#O_0@e>Z(YrO(5`r8JJrOjETYxM0mb9059j~+XqBHk9)2vLl`Xv( zU;jskJuVYE_XQD{Re_Od;jYn`%4}n$``um(_c*(6@oNX%)2=9=4ZGcm>c4I4&hDow z1>7DO<+iOX4=pf=8jWeQ-?$TBoRb1;H(!p7e`1TLlQx&n^>t^b$NBC$d&PT*dg3j_ zI`~?|r>FA@&!*BJcoF#{Sss^(A&rXc!gYfJo(%*xW*Dm@bNHo|SlBsq2~d;S4V;NK zTi-1QHYg$jx>YTGbim8X)$JJ*)EL3)$Xw^JnvK=i#j2H-cRrQ3zjn>cyKR9Q7#U2C z&74|tr2hcMKsmoo$6lXKZ%hJhV}W#g|9Q-|KqH>b>01_i@tnOFh7E9kF^TpeU_bxa z)*4^e9?x0>)8@zO$c%iuW;X~(S$^TC+^_EImdChuV5Z439C)8Lc*iVzK6Cb~9UX2A zOS8vOQb?ZyqeVB?U7CQ&ow?<0?Ly8a0!D#jLw0H}n!UjJj;WegSmgyw z&nz7o!?26Xo>$YIKk%N@Pl^e6jv2r5tw#@e4SF&jpjvzD0;5Gwp7bApdExMJM~f!Z zAIm6QX4?A>uD@!yvwKth_pY3_$Z{zI&)k_Lk9&Hi!o&MT zK3nJkCbda$_Nfn_J7Z?^Y#W0huI0_ooL6s7Iizjn;pnlTism#b4L$hY=A859i87!S zpM6*zU%H!Q0N}Co=<0K)_iwHm)vJ^F+*p~%gUkWR_k+4E>tFTy`XqML=h_W^c@w$U zx94xneD*GLe$uQZd$%(_?~c2>al}-U%zAdh?V=VnsjfA5@3eC*%Sf%|c+||gWIeUg zIiu^#nl#-I0g`Q`Pp*ITWnKDUw`W&+mSx6XIeyM*U)PgSe(%q<>bd3i&YOevH|^PE zWj%G?(W}|#D52-YLv8?MaZ=Td$$Yg)440bYVu`g-ZE7=J5<4*^6GL@||#2`Uk zk3JW-eR^i0HpPdoWyPr1j^{{kP|IQ1|7CWW*jL~UjwlP(5cJ9jgsqfbn+h1w7>8;)j zCT5I+m)f+y!MJ19AJ|f>cEQSv)xELDc&kE^v=?eJv5kXv#PYD&SrRoByK)S zqIXbVT)gx8-I4o@2d(Pxa-zwgtqYc?+n#f4wdS1I;p9ncv$8$+gUVLa%+!5Qx@h_G z3+-rLrUoCzJBW2JUKcLjZ1ow_-!82tzdAnI@9ru#KW;9IuYb_u z_TUS`cPAS{rQzvu6E>|1pEzgyO55G{@BMz#I)6Fy^zD$81U~93#Rw-YdABI*U6=Xq zaxv@C%JPs`&kd27l^h90Jeyd>xv+V2ztL@F)f+FidE4!C<&EKQ-v=5dIr~2kEaXNS z|D76Ld24^@!P|9tE0Qv6!??a}{ex*oIuxS^Glc`TZ8I#Hv>TX{7%a4MSn$hWkZ+(D z(({qpPqXu;xjgQCWdF8{V+FJi{&i!L=N>F`+`pUG&?UbQKQsT_d6SB6=*;(L=ssJj ztEZOqiZTm7*~+t^7y}H3>|?BYSru|tbXGL!WR_l8f*arb)l@sI2wZ#NW9@!9rke)^)yt={`Pk1wmDRZQq< z5&m>WDLW1T*m*VuMvFc>UmSu#Ymaf4F7%(2o^g2Uy$}W#nz7k+rw_kqxDmB|tHJfn z(>EIK=x}4#Rl(XDb=NoeWi)KC+CL-8?gAvU)XNSmop9{+nK5@=XXgNDV-lS08h*H} z6-b_~7v|p$%kXMHs?81a;P$d8c+ntx?zmdsrB&(MpQR5rPd!$U>?2+EvG(_;Pms-> zK0bR=f2dvWne$e4>TW!RRSQ+VTfu#B+ualQx`vjA79`UqTd=ZNf6@Xr&8~RReR#yc zxcMw6{lWYJ1B*T!+KKdawcWh3hWDrI??=%-#_RXa{BR~Cvt|Qkpl;3Iu*~<_3%ymw zwKr#&jy2r0=e92$^Q0;5g0oNEoYmPzm*(7dfK<|O$l({y311i-kJ1KmQt~2Z_e3$hvtvpyUQ?jlqc;_Z0jQaz@=IHJx$dX zWLds?SGz?e9;Grco%cUZ`4r>0G4Ifjd8Gmh)(~FyDMGPnMoga>(xONBy!V?(c7Q^+%SqnKrl}=*R+x#Mypt&aOg$ zhNbJm#VDAL_!;1VZ~)G0;ARf}0G&+qzj zd`8aI`h>sVg}cmqv8%iBl=6}d>|a|qycm7<#teYXuvos-`4SgHDMRnY9a?!ThCbu| zde$;MCgc3>H|yQ4ljBa#*~Xnc)h2g&l*L@8OpKgqb+arj@lJh3i(#g|8D$LPDdn%q zI*q*%0*IL{#7e~nsw99P!veqOIy>aVm z?z`JV8VsZ(pn-n83#HdrFPvSB9?Usc(j)l~R(o1S(UhAx$kXvRCYk}%gheEK(ABYe z2F6vz<(F4H8nms=ktuT>&vh`kd+n3pP}PcKyQKr&g}zW{TE(w*W}8#r-m%($?zYXo z!39;cib+S=FP1Eyoqo&`BuYr;D~vvQS;ze)bv9n?`uMrn0RM$F+;|sNyd=H%hjuG^ z1&7JpEOt$e-VuI$MM7@%xmAYmx}YZtpEZoU{O}40o^waDIu;#n2Mq)!{`~ogZ}xmV zG^6z8HAr@eRzVlnJ}>FLD@|JUu=J(*`VVc7uP^^n=hkrN-Ivu4uf*pe;}zv>6Ze-T z4P)H0e>2skIkykaK2`B&XM0^*$2JB@#%7M2*wSYi)|DggHH^IbOU~W*UddHH-tSEg zLB?BImLo=qKGtqs(rw<`*|)km_vo5DbkowKtJ}nGeGKA%<<*8dJvx1Y zbJ(_(@$p?*_7S@(uT>csAOEZT*8WgYQEklSJ{d16eV~Zj_2`SWkvqe;?>Y2a2U&=L zV8iw5FHc9kT3*fm=sfQ?{$<+ku&DjghFc+jZU>8n!TogM;#I@PPt(z*y*5bO`g%nk z?6xZES-g8|T8j-C)w?^`Y;@no$h+KO3Tu%5NVBm6$6ud@`J<_;XV`gLV}5)>xciyP zBHm>TwPk17M>sydU}<1{d`zNft0FT#=9>)M5qEdv)xq)1_gyBL z&()EMb@EG+o^F5pvNfE0+KgvpJ6?974?C{Uj-Jrw1c1<7tP6~;@$C`ZER0_^XG-iy z@BQ1ZW$e=Lws<1?@p0?hl_lmSTMG074ZH9MynA#sX=-4p-A$j)t7neAw`9+U6@qo! z!+|e;s+U_4;sm?+W4LPlv&4GI8~X6gPj=>ykcA)1_;98}COxO-_=B_D(|YrIZ+UtA zO+(cCsTm7K#nv3>MhrKcT(+^xpcH6bt0J~~ka?nw!Ik;q)|=OkdVAws9_yUlqJcG6 z&W|av=(p3cmqmWfWF474@tZ`139vNscBCKuwHZfip|v4!yiwqv`eO~Yip3xyW9RZN4{{&<}YdS zhwN|T3r6;i-tspSIJDSeY;0nmrROz-s#${ ztGU&;uDa3m&h{}LRN|6yZ1L1sqvNMNPOzeli`RXg;hfrQh12SNU?I#GLuEH+Rbhe5 z7oU3%5|E=?5=|MMX%+875N5-J_e*ELH>2ro>uxOasjj;iTNf6wWHvW0evz*&)1Rp)BE0VaveCK=M^986*)flj!enfYva+YHSHHKG8AE%=#B4` zQ`|FnplRg874-)=HpN0(-5y0+-1Gw z!!C%+`;XbXTh4Cabjsn@b;&7D4@F$0lFY{+^g$N8lYVZ+#R2hk{#mSF^bek?dG%Xn zcMgHFn;VL5kKNuqCv}QlJBS4xpq&)A%Igx@g9Vw<{63s}5&nA9fNPJU zd$J3XKEj*(rr6(V+1t!jHoPr#K2jDe{P=d&F;U-Ve|&zhtlLqm^O?_+u6B#Mdi&j* z43Klo%d(Gn-FGJzah^3iecfSQ(#J;=ijE%{R$P9j!`;uHPP&`9?AiSG`opez1`i_( z_KL2t7r9q<{I!+)*<-i%i^q=HmKk{G1N{MpZKCyZE804Aa2cG%`l8oM)UYUsc{r{A zyocfzMyhfMpZ=j90}bjEfl<+I(rlS_9?4Zy+C5-Y53F9 zziR{6zOs0KzK}bCKH2?Kz~Ap5WxhES1Z*oq7cOplz|b#?RjPlmvi<#tw3!P=%c_%a zy*bk$7%x2i;aAQ(Jp<34=g)^UJUW_$gwE>xcJ|>sgZs}%56xa15>NsFhn+55JjeMu z1{J*8TDHI8ZEe=3a%uQR9^I%@X5^8DIqmPw*umvz>&RxdTFyL5-&mJnpEGr0hr;sI z4eULmi)y=qHN?IJMy7UKFjpkbW`(bOvBs-xCc4vlBu)R9*$tdW3v-s;TzYmW-MuXa z#bnu6=QrGVmlqvDJ7;K@WcAs3i+H_p%E4A3_^xahob8%FZ79}qn%V1@dPthNHV`=`fhG&aSuOIB`1KsNB7V)8u{&Y%Go3idKXr!$AMDaPt zS?~K@dAPjS{Z}VW%`|Imb}^^_3q62%Lkn{&c)DOuoWYSr?x#!KzjW9&&DXdpJmred zGw&Md}&tOzw*zkW>=?;fYP2-PIpc^R<_<`>kgXJ!kXlS6QM1iZs4AAJOI`x zWcw`=OLtW5b~_dka^pc^)oa69i$4@BTbRhb_Ie~u&p;Z;>R5zE?drwKVja`(H1=tx z)3dX+*Df&@j=UFS*zLxMlARAyqW!=^%eeS6*|CrBgx^@bw(7OvK!*>5l57Ibiq=}_ z8Suhc9ho=Z#!K}Ka{ZxOhR-i7Njh9M&t&UlTI+MaZFyXMao(fl<=AwcSN^8OTeHPi zcTb)gy7GZ(ZT+Y+qo51cA;0jmu}Q+4+Vg(plif$lCYo$D$B;|?$L!tdiwX~?uBg^C@a$pyvZ(sP-m*Ipug}cu zGERRsdtB}FlC)mTr7L_lkn_#5X!_;dm)-2S<32x&Y4gCeYDD6bwU2s?@08QtLAJvS zi_Keg8I*GGO3$)aW3Kl2(qq%K*My_mX2(IK1f9D_^sjf$iubzd3EF0#ugskgHHF#VioD-R!I8a{>3kg zHJMi7*X2-T{;ZGQpGO(m`E;>=Qfc_%%q-ja{Q|OdWO|rUd~&u`Lx;DrQN^|TSV-*` zj{fd29Gh};N9w}GJI*f8Xa~);lvUTvwx~3kp1GiJ^m1Co%c1$g-(Iw!O}|ki&DN3C z>L1KsF(~5G(SS#z4yWju^vRG_K5p2%^L(ew-=_~%b;|?v21h<#vggCmvOy+xfihE* zL6R+{E_2e_PSVk(@r~CO-K=@OujT!Lzs~GX#v1TpXNMaX=jPN6RoNdXITLM;HICSC>Qtf^qv-1R}8bI>0Rt){1STqF}v); zrrME$ma(#E6N7UntZV%vZY28G_hdm^X(z?gS9I#yg9SaIRpcD9VW#zayk?7dYpcm8 z+%AeOpNv_Xsb^q3G@Dg>Hvi9#c!yQ8|V=-26Z(X=JE*RyNZgeeUInC`@gndG+7sDa25R(ZO zz(`Nek7^6eHJ0&R`=r*bIG?j(Qj>e;d-FozOdl2ztMu&CfFGgHDd)u{VizR#mtmDPy z?^bYI&iWMf=TzzJV^-%2@1I=I(zMsWXVM(irNQa#MyH5}kCqKBps#8{W6XW!d+P}1i@{nlO+$6ZTaPOI;|`PU?!({Z~xnP9%6eQ@?n<58FN40zs9 z-+qTA4ri}y8hxRaQKyDO)d!BAHZPQ6v6~ldds0xB(KYo|bE?PA2_08n9G`ea6fnH* zNpCE=h6;=pO&)W;B~7obweiBmyJwg5I-7uz*|+Q6lf92`cv>t!+XiAmmuSb9&8bhh zz`fA5a%Y#qa+_YCt624S{4F*fz-GvC+DWn3FIT$g(mJ*?_^_}PJ(%+#;=+s$f0ReI z+sxk9uwmAt!U~L?HMFeBS?n+9jkyc^+3 z(+lY#UiGndf9S+xdlq)+!;n>XFRoj-_cAYU4(8=s(kje9-9PBl!{vFrW1wtmtWjK? z+mcDk`+I^k7pr5D!L+3i3;KUtU1e01+t-)p4mvZiWav^D=}wV`5do1#z@b4YrMqiH zK|xADI;4?KX+}XnkdT({Zlvp71CICp-><6QrKLM#2m-Eg>~z=H`_6??7IBr ztu#xM^LUpi1lCrJoD0$2+C9)0PVneEDv5Kn~Klq6$fcbqbBBKyi2x|Dy4L3 z90n+^PVzofejpfX_?frXOP5S_moys@Tl?+A%$%D)rAX4h~(BB1zgIVd8J4s(S8J& z9D>2TglpuAsFsK7AMQoSUI5oWVcf6%P_ zND+e@wMmEVy>`9TZP^C3ABfsRUokTYRNONY;J@TVpI9|uH9orV2;{e&X zQmo7ijJbB>$8h-?Qa`5|ChK1M!8r3%Id@1R3UC|6|Tn9lQP^yR^%3d)ZArC`iONkTS} zZJ0J(%-pysBKqiuRyxyVUE6MFjyhz<0o)0P^=ms_b)Ol$cIDT*D49$)6zAlISR`Ja zK|DoK*0$^w96k|LVV|JM#$?a{0)7KG`7;bOb0<^{=;%q5@Y$@WeWAd&l~D9Jv2RU**#nxs{@BYyPkw+pwD9=b zD_ZBpceC~OPz~#|eEvR5T@1FAM^JL9_r2f&f%Wu^el}=}cX%{c_mJdu04iOSk4K%> zW{6ilW4ZVl@F1*{s((H*RIr7$r}ngTAdpN!9{_>p)De_iDZ4iPpdFUt#peC3oK7KR z+%sqGsdY{IaZ#o)&sIc2RtHZ2P%nEbe#}I5 zpCbSgxdTi7v6shMKci z);k=1QCfFoB4B*)Y}QvL$rrP=%>wOqlqp6{^auJLLCkCiG8@Ukm;EHHAGLWuDT#s zD6)X`s+WZqwN=q7+2xy~&dfpG$_k?yD&Cp;8mg34@W17Q-5u0Qjs97y4|A7hy4G!S z@cd7ep^J4X$3^F>p4VK&$DaL(6{LvINU7-$;4@O+Gh^B)Lpas`vKtOTSy+CaMhsUq zL1hiLJncLFR%b#|=nn`+8}eEn9MY*&FI@EyFyk_9QV=Kijem)Z>3l|ZxSnrVPNpL& zoOutk?OK4MrXTZbipcvR9)b)Ej}?Ce%S?-~z$DVDR(fVa71OM*zS0jU>~}Bgx@+E0 zd3rBcdun{Z_pJy{Ic6(-3}I=CmN(D?KtbF*&gSkvI;5vXSnL*G(QXPgR3EArUUiQ2 zXkt+Et0IKUmb6)!5bjq_4vg^!-tI|YY>fdcKl{=hL0~66BhStj2~uQBwJb@VKX9P3 z?zl8}9;%YbdF3@?z{!dWLDE>6e>Q)@H`X5Cwa0@U7FAfwOw#K?CxG?nS@>5V)B>6`wq;j0FUiW>Kv?Y7#=edgiPOA2Y1B`vjYAw!C`ANAf7O zpy!^&(VLseQ&wcz=(*dbGVvyzm`@X8>Z#c4NpM7J2e2B-v8nH)o!D`|WP}v#`s8NC zPp<=loOu2Y$gK(Qg-KU6tx27Uom!$jPfp z@>@xKt3qE8z%CCHf;d#G=OdF%#kqX4c1L4zeFQR*4_3d^b(b&v?}-{OXpD$!!P%~M z+J>$1*~Ucfw^&{4tHzjKu;QdZA@Wz|dh(7HEE~OQLxha4zpsIDj#PZ4mpUgA92SN? zv^H$6J}1u8M>RwvIVE`{lYf!FzUsGUE>883J>)W}WtO0BX2syWB{RJaj37z~O0Ihr zC@_pA3mrO}P!Kk&cT!1hiLTnT7OMFa>zL1Z)%_`g(hMX!$g8Uv?@NI`BVLl+A3a%d ziQ%G`#-K@iP}FqLYz`>^njv{^VO?jtqEy0p0Yzaam9T|0#m(^ss;o{A!k8gX*wQ@qc_83UO)vqk4bO$nX|}y z>7mR1@hBZ5hHHspVfxwi3sjEgc>W+o%np<|+%2N3}e zwzE-huH1_T_0OK?X58;G7nL{n-aLehwYnUk+_x3$S^n3!(P-51if*fqV6t;E%Q{qy zXKx|Cg*^U37dGEcetYzb^*3zH8jjnw>Vu2r$6x-F-m2T@usobpRyK z*rW5@+iEb??TK4jIXjQlF=uN+XfzvT^HtNdJ@i$W&xM72k&8;`y*Cf1;;IkGlu2h4 zua#hw&w*oF_3V*F;5Aem?s>I~hM1+O+6bweTZmK-#XZ%9-2)U40)x!`VPPQr-2r6 zNO4&F;*87Z!|zcykVlMRLxI_YN4*GD00ee=h@dPK^_WobLnva<(MIU4?zGBrmd2#L z;7CqqUZpyoD-AydDwG7K>8IC|xvXLSh(o()j=Jh!iKJaISu50!Pfrx#qvVGmy3CLG z!NPY&NHMu2U@-EL9K`$2dsU(w%R+CH7PN~>{Jl5#G5L{Ilj@BEriOyBG&y&6)`DSg zRE(w@;&?e`Up+@oeHVTZuR}eX;1+SEk;k}SZ#2;+xj(GUR;IqZ!)g8WAUHCf=~xDX zxxp+=NjJVJT)rX6+HPCd9FnaM=<}%sn#?B$hDX8^n|p|_++PP}m!L7JZ0&jmYr5{w zY+$(QLYX;EDb0)lXzg}MKTA1rfD$}0!HXeYj;U8wRcK@W8?Q%qzeyYcSII;g?^R&H zg@?yQaLR+Td)HCO4`Ojk(m#a(5IFHpD!%LW09pu4E*6uicsa%~U$8YBTL}9B8Rd5h zyzJSaQyq0$L%s0k_F>u^r2s8#B)yMH>>&U^U_A{4IAcJ-KLhP{)kz-zFo)}*)>{SlxEjR*D&k?}L}1@u$w4=vYSuLKD=%{gZmj0r zP&xhnx~sq-?0%~4x6k_n>&gZeON2N8=$t+k|9}=xk`NvaLJdl-Ht}C?E>KNbPPCAbD&7T zhawjE?ES&7Fz8pD*(C$6<`i+&68;#o!|JyB9MEO!GzRIUT8u8fRfHzdA^gx6gsK6N zH$Y$pIV0EgN(oY=Y`sw5`D@T|*xCM|@hWi?tVZhU*&0jnM%&KTdK+Gnbv;c5qOm=X zpdXpdWA7Aq4W$QWX_|i)4}Fhd1AXmNqm6U->}Tg+H+J1E;WSs4*x@)4agUy~)^I55(dfmv;}6EgWcPX^f5b(}q_Ecxf^A2d83JpI_T$ql z%o;UJmx(i0720uT z1l%8k%@Z{q(1nYjN^~XPK4oQUcE^<%g)q&HouKnB<>@R_g6HsWr9^LQ@~lVk=J z62Zf7;Fwm4{V3%nk}F4_AB%gl7X>}N&D2~Cq<;vJb8=X^g@b+M(SOnQt*Kia&y(>w z3TL*#wR~FjII;~4hP7eRm&-!095_P_&Y_r+$j=ZU6AN2}zKcCD(*4L8@*=(aiU)mw z)4EgTNA=>EV+ryZ?6B`;U~e?1hk_rX5;tnPRJ>94A$%E7cZvE|d`dKQ7g5vvAt zOe9hfqWZy@8kU00Kq`@ur+DSY$%;!hlfs`j@+NXdi`$%^L(ev}v&}Bv-NzKM{80}B zr2G&;xKY!O#oTL@;R66W0oR)F!h4D*`cjFkJ)dWE6G96gIWH`UT`9E!z4AceSVPZ! z;n%NjUhtUKU=tC`fM{qJaoamTK0ULnUIaMfQEGL;i>0|_UXJQlLYF74!3Ukn>S;^t zS1L(ECyGaUeApA(y|unb0rC;AZwyp7wfE&?`nTm0Wd-&s-zehcsC*@)fCNjMqaNI@xh?Fo-G9i%g&L-U!1YBz)*$-#SiI(GV$QjX>U909Kf+U=H;M8%oI|-KyDFY))oY@7R;y`@$gAndU;+C=R#~;1Q zCLI5%o0rMlOut9k7nU@ysN2s6r04Y}-TgDGqLiz6XDV%CK1TO*Gb@kBe6Y3(`z$>I z{t;-mgCtRm(}jzpDgtBnZaF?m#LG`?g^oDxE4CZZQ4(HppNyWnZS2rs^Va>azMX5_ zpp4h^t%)=U%wUM1Z~AaT)JT@`hWM?;Qa&-NijR9HvZbv&S2)53 zv=VRWD|{3nG=wi4Ch+`}fLdq8G1Bn5ydQ!N6g5r63l+H!AH^h*wj(<3uIWJYpBqJ! zk?ZgH{tQsiMCn)Po@g4}UTnX!STbRFX7R-FdleWam*vN&$G0d`1U7kS)KTIr-r+Il z^_qNi%a&uc0wMCsmeiS8}t&@z7u!^O-biZ9c>fobiLZq4i?RJdmTJe`8o<=njrb(fdS>!n1Z%SbnEIw`KPx^Q_Izj?Jgpew{d{CM5+M_{Z32x zsC#LX|67J1)kX} zIDbU=oU{C9iZ`;0Tx=U((re4EDI)sl5hpz(B9#F{_$hf5;sfpo)S5uCUO0K+aaTHi zvYWTHy3&Wp@56sy1FL6;-n~_0eCjN0xZliw+G=+5y*;Kp(LhjgJvIm-Zc9fuuU`b2 zCq?bD2u2&0Y%i^dnZ@!F|M8Z5k#eCi=)J|@6t@6L^X`n(`4~cCI4s4FPtR+RjOKHh<(;n})BQ;?E$GKETk%OE6hLwkv&%f7zVVy0bL&8V*1RVQG>9 zc>;Sw+^(}Oep92X{N`3})9GAv1kqJ|XX7g0rET<_Q8CuCniG@8fQAVt#X&+i0uIG7 ztzyxrcm&S|xVhcw7K1A(0w%L(+HbcCF5YdzPq^|K1NazarR&i=FNd%L&9mR_^@*5<=AW5xrn+=~?5r6>BS9Z+5$JJ@}Sc%$+|YF%0oeJ^N17iUi9iYfnqX znJay*H*NqRFo^&$enOk)O6Vm-4Yqjt<#r*yUFG)S6R`48)idv(2snOZs7d< zqWY-miY!ZmAD`Z~QiU8m5ZKMj*3OgRv>R$(ZMyx`Ayz*?@y`o)M!Wp&t;^zLzvukZ zgW&G>2P&9aOC3R3nBX^|?1#>+l+ty3?)O?J1E_E3(sy;Mwxa(tI4O}#%f%@91SMT_ z3=NSKGe#V)eTOV z_XCax%JtV8V=xsoDUNAXVU9ZiMj3ZM3%ur5kgdPg?tT*1O{2$B?tP_?%cKZ<{=)L8 z^WCUJgJO`!;j}32bOP;8$bavH<}^~hb|upd&gSaQFonk994av@=II}0lauBYjyfyM z4+tA_$cUfjigs{|KzttgT|+5@S(==Ijx3CBdU_s97O$MBaeF&VoWERIHZM70{xdLY z$`Z9)+cNJ}LbA7YL#0l_>tfc@P7+h@iURF+<3D!|0C)03r?bg4gM+!cv!NJ?qyq+i zpFfj0#8Kqr67jo?>itbc!#ir8ky8gCFl;H@k54Z!)=JtBT@AD*gdPz|XIM7WGN1o8 zQ5dh@F}QDHt6JV02jRPL2a)PiPD9E#j5R z1^OCmhgAf|eCG%Lj&S*~cJXO3R)J1GajwojtYA})W+dPm$^|!SdW5kQ2M1Ur6moL# zO$lOmY@iBuI;72aUl-djp!>st9%8DK)Hle<{{3!C(`Urj?3>(1o2D4Q(LhiZra!Kv zM@%VRwgDt^f1|s7?%#J@Q7(`I*)YeBq4|bOrAr;4yg|84#JCvJSbNM(o&q#7BK#1w zK)c;K(J#Mis50FB#Nmm&wcf;{rZnnvrFrCqr3)eMT5{|_o^>b&r#(^s33;a@ zkv7g+jDrJ!xad;xT?ubB(jlhAfLe>s`y8u;<1;8t@(|qn-$Im&0mFdI=hE-)9p3B>6-71&ujlHO|IBY%dV}to z)%_~Y<3-Kxh0yYHfl0{<6(`GBvCp?8V6KOAsKTyy2ZZo&Lmbnp)2{jm;-x5b zheC4Ot~`59Nua=3;YdMJJRUVMR(zJ?<)wH7(-_&$@4q{C`08#;-7x=R_CGK6?e3%M znO$nw^`!HDbPJxIz1;A*kF{PU`i7-J@N>$@U9+ZoZ*O?v=yEO&P>m^U#-pftP+XUV zO(J(09o2d9i!&X(0{vJ*TWlOVsix*u*e}f`6LOk4Osp+MOTdP{+%2cX0WRoM@tH}% zu;&j`YizPN`J_vl*R%(XXMYZ?FP#YdNkOTj*rJDJkYCuA-wVDW*Yw4vJM8*@r?WUI zO@)|tFLYHoI-La^RHPWGqtb2spoxx25+R#a$NxW0e--0vEy4$RUt zZ<-Yni5LQ5(5AG)heW}Xf#mP{351*26yl_0)E-)z$c?6>I$xxo*cf@|_TN_ms8DFX zKnmD*GWdD@`$e;qBv;>ui)a_@BrG}zi85(GH%;QAfR?mzWBtm=)~$DRo$t-Su(m2c zKD`#^;VrP!!>QnqP3dy2?~Y~O>ViSN7y_Pa2Mn96GikgiF~O6S_mkxIp?77lu3L&uArp&Q)YO(XHY~l! zN%mihed=Z>;B*UwL12GYl}D-prNZ{wI&t^LT1fUyLj_v1sR9|42~3J#-d?f!Vd ze4=P<~CBH0V*6BFYP>uB#CU+e(H33j5JQY9Ywf5cXz&E0t7h*GJ_22Zv$Mv>5 z{r3jG#lzRJ6DEV$ix->sC+1_wUC$zS2am(f_P>9qnNf}$1jGJ4hakB>)wh@K*kHwW zyd^oxQv)VWhhP(?39wn@Q?aCwnkcAMJwMx)rO*TdXXqj*xyE<14?saIJ-vfs&oQ{2 zpValxpV@%c#z(JNxR(U0{3T#IUH3CmUw2GXwM&xl-SOIxL z!c55Xxe11h11XQqdcj`L+K|nocl?v)iBGpSy!VC88xK6rGSCy7^@ElLCu@88V~PCp zLCIkrQ0~Zou)+Kq&*{MF!fxia}Nm$m$r+=<(9)pOOs{%V-bQo2sk5-WmVKC#wS1sv71xZ zx@;zZOOvo0*+Sa!9UFkM;IWG@A-JIrLOsmBoQ1GN@ef)}7o9=3n# zNt^yy4LA$%HXGWu{?^~Zid}66v63k5Qq<~4Xo)V)JWUaI^6)MDv?vS$XWTJ@#>gf~ zKT7=w6mfW#qESt1zFPYx4_4>xu&&?_@+n)oQ>KRkY>Rwy??*du-~ex-T1|{PLQjcV z6sI(XzIRMqJVW)#Zlzxj72DKmjriI=3&$=e#=V(5B52fH{iU@U=({*y+7+!8P0&Jw z(IHaTfI&OcqVPlTT^*ybg#+jt}mnLDx{Fcv?--^-?qRJ*udR8!_ZUCPEfFg9p?)+=18~J08wsFsIf7vgZVFQRv!0Jxjub0 zAg1x6$h<~bu*@r2#t-oVH-B1QmkLGryb4{sXGe4_=RxfOyEQj{&WD*dzC3sqg49lsq! zbof1rJ>KxX%H<)#pdBMeP&oMR1Eb}MY8fTcE_b5^rOuoB=A-E&Q1`2|9(Z!+O=ObSXKW+07@ z8?}F{Ms_UPgTPU$XsW_jGK55^0K8j56-AT9D&#_%(h{F4d#wH|EgkBH`NS>vUUr^? z^Cn5(x>>E@_N5XKI7$XhRmc$yyMZ!;*3~Y|0}q4R9`0FhmaQ+fm<@K7VbMh=iI%IK z%)09ZeYYp>g2c0?(a!uNb3(YP6pm#T5t)n}h>BhH#38`4#ithSPPe0`@}su4WWYfL zo8<-og6o&u)ioNG)FVJ)zl+r__KjDR;cH8u0}r~t ziXP!^mZ3Qc>Z}j=bqdA&K2KO2z^=k6EtUERQ0b(7yv9SgU(UQRK9CXbj*q362@o8; zuBuca<@?=GHTUzwlinr>?0JcwfL<`()HW!dL-j;&SRo)qy$zr66xIkGnj72``m^>m zU`fD5AaOz(eLlZ=u^Ly{$H|fTkQm;hgJW4WcHGQ)fK>uz}tCEcNL1H9r_{i^$) z7*@cgNjz$rnl)5gRvDGZ%8dSP2Y_@~ji5vF-rY<+UZ@o1>e3t>x*g#P!`Gu8CJ%Ny z7T;nm`~;FOT*a|-h&0+b@U=6}3tFlMfy?#KRE6`5uxqFVh?Qtf2^xoPN6m+{&|QD^ z(I28OKs1T&j&qRWoH0w^)Y^mQ!d?wcI0$@K6HQf^J4Pd$S^*Ss`F_e-zOy4-@%=?d z#9jesX7=AG;x0Z$zi)eBgsN^VJDy*N=_ZE2Sp5A2^e8{UuLGU1rIqF5iJT%bA@Nt@ zD<#7I32Hpu*ip?vU2JpplPsCd#VSv zpF^wCkpBpGmjb(38`s05#`c!)(_vIGx|!MP1-E6yHyJ-fIw*gdig8sB$Ryfwy#b|+ zHCv-Vekz3qU_+1ywXHh>r7V0&>o9pkusp+yM&1vBhnqjG^JeoWD4wBscX)7$Uir?l zq2$KPjpPlcfgi?LaT&>$);1{a9$UVCrxig^U0mOdQa_Q`Gyg~kSFQ6C(A&;ZW>CF{ z`iyKOaR9DBQNM3sWjo+a2>eh`I)g=6@KQH>usLSQ!rPr*}*CIoITx?($#-ev7N@LeqG9=F4f)6XYego^C9!XYxOU*-*|m zkkZLkLG9j4BS;0!Ctt7z*5TS}X`dt!u#}O=-pAqN6VU6+5r2cQ1Q}@W zo6MDDg^!(t9e&*oO)tnz$^LWt2Wn?iJ<%)kX_8QHt0FxLAGy&MRq=I(4w34HV_7w$ zlq8ob22>P99xPYysW@|Uy61}tkV3HWF9xV^SA9O$Wx6^TBWYaTP0cNzfUR;e%V_ou;(rP!p31KG+(m3^xVD!QV|xxYWW&t-Y>wQ9j?Df zC?Xe>tb6EJlBJ9aG#`KbDgLj4RoPIUS%&(HRrC8Jt!+`CvR>Xnq}l_6b|GcXd?+$J zC#RI^wKHGd!G6|ax9&AE^4?j+_I=VwQ#}DLxJWB`OZEgykDU z$_=Krt6eFcuaHnQW)|$dCc(ifXbj`xYKuMd`;#0VIb$+pw{d`PV67(7*(DOdlvt?G zx#r>xH^uW6!YYUU7|VC2dHHUCqmNiSc1$-x%(4-wRoNaCcn$RxH-8$+ z>ek=JyS$(6iR&dCz4eqT{s+v>;AGSn$z5@{q-5lLjQ_*f`y@|CB6wnvfM}{29&QX@0j~Qz3OG7is=y8A}-2CaC(dtNq zFs{WvJ?MzV0ZEXw#7FNl>UoaBoWEKobMxF&h%j$Ec5L)m`+WM;E>2X>3baCA9FRBJ z0|B)&7Q1!lA2a*4G3)W2CZ?O;jLFMM!^V6Dy!c`+Ie4TyRP51U%E^d-hdN6I1qAk2 zTzU4b)0vc^i{mh_ul#r$?AG?Uve*Ii)o5eK>kpF|R=dwsI#O8O-@bn6hY$w_?e>CqU*mDF1x+z<;eqlLG8k3giR0KdfV6CQkHAeze zFO*|au(6BWcWcx(!Ry6~VD`UR<_On<*4m}%5btGJlyg?&@>cu~xy~yPc#gO@pkr}? z3t%L5b6=iyZrJmmlrY=vdH>;w7S=DMK_i3pG+r6`{AZt^h^NTqzJBC~FvGE|`e9-N zS2aUfw)$juefF6f#Uz>UU9+ZzMZ;Jn&yx#z9UC=1O?fM(IT&|h9eF*fv7L?q0Z;K0 z(322!C1goQ57JYwc+KBvJd49Uh$$(2hLtpfX)2g%B`)uzGO1#7Zlm9V%K!j*Fd9LJ z*qO))<)n<3Mv$xSleMl#4Y-d;bi%RxzQ_A9D&A?O9fn>~^5wizt^|%{m6y#1ovJLV zHtQ@kImUa-)6!60^F(@@Z%|VayR;t@?>9muBoE!RRgN)`sv^3SQwT_LtXb7ys~}^>0qV(% z16J#!*&$InMmv=edv(kHle(iu8=^-~bMZKYuvU5ujE32K@@~=Ix>J_?dvPNA5(t8%p4_iHUP1kCQrw>odqikJUKI;1xI7K%|h$u8SuC-kPW*%caAqD z7x=G`uRs%8M+sxLzo!KEtvAay=K>)EIyrwMAJ^s9=q<0EeCD&pf)nF3XYzYEz=bZF zYQs0-P!RN(D91b4U7UNb?cipdkCJ>e89P>1Q`9K4A&vV^KJ&qeMAe=7_TZ#zC|_7{ zz{!o97YH~fD&731;qXLua*W5EXRFP*uFgCeCw8$us?xdWVY1lj_p|rYi;2r3NjA$e z%6@2Hj5}^polBycK^XYgO)b7te-_}qpw$}DyuzvXuX#^YHgdfgQ}HixXOw6*G)T;MF!Cg?BSpFXc!n7< zwFwN`iJ%Z)fuVP2F5*SIZ3m&Frv_hNlVb}o_mCNv5u3Lw&pUswa{q(1=qF$^-$!_dLq}yJvNBYzVr7O2G1UmlpFUUkdO;*7 zKNaKXtJBRcwpL%k9XI0n4EZ>di~|eB9s{GHHu$2!gK>wBc(geh>~aAJIULKXaMKv4 zV*nX?ET3e%9sBvhq@8q`-0(V9LFKqM@pfuIw9C8li)dZ%kGv)q#{p=)O`zF$;0)%e zFqoqXPemgr!k}K}&*d^K=L4EH=0fB^i2StWpX~i7dE_P!;E8?$dR6ZgssJEe@J!(F zG(z+&B=89`6(l7C4hB9JOW=m^7h!JoK|tFOO>X%yaOkcNNo6VS`|=%}OuBq?_Hrgk4T{8r)| zSn}2WV*pZ^o5Q*I5mU{S>$uoQL)=f?xIhGM{xluZaN`klO{78Ka4SOe%)K_7S=-@0 zwuWV6Rz2y6t`4ke6Wq5JUENytkG8x4Ap|oRLCJH59~T6m4>{K(n8U`ZeO(V1yPT2= zWeM7_pftP&T@p%9UXhaISsv^)`y+|?aZ$q|xS_?f`Z4?ZLj|lM2yx9 zT`sG$-pS03F*pU$;b}F=6gG_Y5es=8Bj)1hT{kKSeh&LOsCev=@nT)22D1UTi;v4R zlKTGmuF>MCT7Fb^H8KH+Z)I)lpv{;@^?dT*AiO?*nG z!TzY>XyExZZ5Wuv2ufbO^jKMIYLB#AhDOL?@q8r6oVc*22OABfq;B@#)2naPwF%zT zKe3PzmC^xy;x>XJ&!{?z<$;5)s(U-=2+@N~&&4OX&^al;ztqr>rhXL|P1d!(L_N6r#67jVn|{Is|8B z8Z3L3cJoF__~=#baV)EX$hAB)iH5!0tmj_PyKWG4)m6(|!^yEx7!BG;yvK47OMcWM z&g`Oz;Rqh;Cx8J9cimAX2^VDU{cTB}C&z;Ci|Rq(e}(kiQ>bpOYZL4m<}FOSeTNeu z#ei%#R3?%UwMZrb!z?@bK);&Tf87BKur(eT4WPbVE^8=V`_5K@(gQaW76$~YTgEYQ zZ#BIoe@G*+GcWP{_t1Opy1�NS9WYYu3)V7ZQHcO*$|3-yg7s#u4U}`U&Vo=dpig zgY-)@R@!=|w57{7jQQ42nQL17Q;jXCKQXJGOmuri8qC#lQTiyGyFT2Dzb^}7!`S4A zNTHYx2tN1`BxXL><-JoGLAreH1?;b@@>tB)RtMI%2^NZ1)m=)dNmd+?=iog5gc0TX zr16$}TU(6hWM$dSL9N(|G{3p|+iZYq*V;%>k0gB1#kK)E!{ZE}FXp#7?)h zt1StYFrSmVSb&_dJ@)yRBB$LztnD1d{>#ao-=}w?ZJ^%?bF%yd^aNJf@>U=eN)GR| zxjB3?Jd)t_SPSlflH(;AT8qg~Ka7x9X%-Rxhg2Ti?(p}QsRyzRzq74r)nD&)ps-b? zGm1AMa3SGldyLjgO<0w^m*E51C#Xld4>dmSJ7AC3nqh9fv!mLJ;zJk&`M;Djr%V>N z8`iz?DYbF;6Nj}2K7^D1YqEr}{0@=L>ht&0i%xq^nwLiV3JltjauxQo(G@#f&=Jc% zL0Pu=07Umg@qZpB$2hMzdRu!_rr$StluCzL#+q@Ljf3Zz|73UfsX(p@ zch%>woOcAU8eznxi90j4tjGr>-e$g+#C!j#*iS(3bufEH5Lm2s3zg4pJQVgzto*;U z-eHp9j}mQM1MPk3*y|B2C^oQGljg@Dhnz~Zb>wvuZ^~Mq-RX*f4d^ezzy3efq~-8# z`#`ZV>(XyXF)nOppZNqA)wL1o(wW9!!#RCJ&v>8ye|!Y?Xi9Nt*{4b3wtHx2 z#EI#qZ^?d%N5qJ9A*h$EI6$G+C#|Rsoz-ONQ1{M%lCPN-^5p!+gO`8glet1MQJoRz z$;6`UBR6~LRPW4a{6d0u03c_;|yS%e`LCf$qTbtggn?+H;($C2VMcXc zROkjjW^0^Px^?t{d0||$R+V>Os00WV2xaXD2_^qw2BHH za^?|mq0!G|?JqY*ZY_5onC9C1NSVY}`3dOF;F9=c;!fxtd4;;#&FOMk zZDK0h%mgV1tRaH%Zb^9a>>v`j4=SCDE?G%s!(@lt46#ovTf>Q8jtrWfZq~R-7}n#jB}9L8|Pb!m~^JnEqJ?|@H)u9DcgghQp>)FGTOr*?H zFj0Uj;aFDPU1eIi2Kefq+-QuvCzt(Bc@{*aekh2Hg6Z@R)6P|djc(?r~9q|LY-#Q(`T!Xt*qZTKfF7N`X)s(3%sD{*^(ir+aLVgp&-=Ra!rwc8t zrN9iu^KF;haZ~yztEjl9l0~rnWiXGc_-IQfQkn^cL*KQ2l#{*UeMb_T??^D&CU~T~ z>n^Njm{#H8(RR3bJ1}U+id0z}AdRhXe9uc4iB`$dQ~NKMX=o*4uJ*gI8n@+%YC>w6 zF3@|T;sAwDdM}~$TN5>sl=OTMv9hUip7A?sSV~}2>%u8RA7W{SHz6=!3I7q1oHm+@ zYkuWzea-ldjInFi{H{HczOMmvb01gp(nVsD>Zj40d{`fmCULVI*p0g`MSfv_R78I- zC=tTIXatSXs0LBXPEAk_VTk^i6c<-?m5ch<*2nuLm^G3ji~Em#u8QA|s? z{O3YJ4MdZ`FLaoiAaGW3Bj(|Yo9;w%>S!vi&YHJ1y}<0}a&zzT>y78OtLIwFq2af% zM$17buzPE-Wb=g_^Sdg8N7#Fr!r%A_=+V6#xpei!#etz^bu#7inO{ zF_E$Sghxih$Aam11H~X2tVYlnvvFzt7Z^ktj#)GE`MG8dJp(o=g4v2KE}oUyFrkni z#3{>>8A@^t%AuF>whm>)}# z{eOZrz}WiAd7u9tVjI8t9_tma$S8Pb#uS^LZUy^_%(wTf)42ng0|33uUrb`+=2e5G&C-}sN6G^Uo~9(;Kin7=$EAzzeM z59b81mI|}*?ciJWqBuHkSoapG75xpx0WwL81K6!!fXFnAW~T)r76WcoUpTMRzT6Kg z#}dNwEOp1VO;#gK`urqIbg8mp67ue|ur$3++ZPBctoWu4}!FhZX zbT1cm9B}sB1A(KSps5PWGYPd+QEJqaA!2vu+Ps@SYToyh8No7m4d~eK?B=DDZ7^-G zjKDdT3IaVQEe=qqaF{9lYed4>TJbCRw^zU8c5$~E6`{Z3>CF3wO-_N*kPK!cXpBLp zw4OC8rL#)na4eklY?R4RXWb|K_FrOqv*+S{ZzxV@S{LvK`Ts{IT_%Goa`a`kcq1&m z*jC(EgcN*d@rv}%wt_bk@3AOa%0(eOfI++E0mbG4vMPsuiFD;yo9u4LzPoNV(H zxuM9+nB4dsB=8oZ)x`LOXZnfm)Ksqbm%xDhWtCBhni0-BqJLe3HzB|*iOAp3H*2-L z@(v<35g4?a&kxRd3AK`_yLZ?eE^rooLXNvm`r=JT|0C7uizEJkfC;=Y-o2Ci)c<;*5g?i9W{+8OZraKI zg-W^x^q#OdKp{&52!U_?czJ>kttWT0>Y4)U-+A~~dnXcA9}m>i*bNPitCIhRj+oG{ z*@Fk0xCVNs!Kop1*4W*I2bH}*uzVJ^)Na^W%dh1x7lYsf2JOB_$)^&6e8i6UFpJLX zR=)iY9Z3$)QVg9y#YWj~7+h5u$Fj;{P)6fEZXx9fCuWJP^|3;a?7xbOMfX$`?fb|( z%@+_iQs>{#P=Hfnu#7xo4;W~`Ve9*G*Kx7=e~7%*4K$@9@i+7uh_zjz{Evmw5Uwh& zla*yJF-9`1_El?^jo`-;N=CmVFgL-h6EkYA-u94g0rkR)0~FGg)84`De*c)Bnw1*- z?MgFB^^tcD3o+ou=RNKDWzXhTEq!Yy2l_It!7!GOegb-sV7iP{Otl*<#y;0}CcU_w zTK`|=c{5A?;N_BSm~V@F@Wn&A=0CKi!VdX5AI0EHGD{)bu%HQ%%GC2~e0o=xPpP9e z^dy+x#|a#zhNdcfr%9-;h|2U_H1jCC-dMF?P|ABEJ&09BEbz}mAJ+fl>dM2R{<=8d zMvc)^gHYD7WsM?RwkcW4ntdk`k&GleGZfjW5ZT%gV~H^Kkz`+f_N-%x>^ozBpBYB= z{yoo~bI)?m`J8jlJzqRoBHy0tDTD8Gv_`bNB}g&T1}d&{I3Vh#QNMN{;=8PwW=fqQ z_3<_-eh4EvpN0CL#m0A7l-oYV$CATS!+;)y4LanF6(nq=BX+ulad+(0{o!*3n%2ji zqkP0`nNv8mX}`RC-pz8+VyKr?hBYze@NZOH?L`agYEC^k2Kg(CIq(+t<0f}^RM7n) z8gH`J*ZY{3#pg~J$Uu#}mJovQ=`f8V$U{PZ|Dtyj8B9xw z+yNt^uc&r~A~`{xtMjcGzE+{PlJOtTmVPvjoMc0aezF)a{_%fOJlj?(MqG7I{4Au4 zS(}^WHyJYaE;Zp!Akx+x{C==i+K@qcKOn_SFJy6~y#Y2`F+#*uqEEv@|6we{X9~VV zE~&E}*;*p|e~jU$yB2K-igy1m+2~)!*yhf&5v6!S)Cn>oLiV?Lu&Faf5mi=rDz1*O z{Uc{)1rhuy%|jGNS-Ke=f#uW*pa;P%9JK^c4qo2(C#q~wvWQ#DMTK9I&ap)2@ z$wC8y>lG(=z~t-Ql(|mP!)6@6UdXt$EuH2oZ}&mvElJOYxFA~L2$>VMEk3==*{HXQ zGoai2mJoxEZ(xB0Y{CiE0^$Z2!)D*RzVIe(5Oh-W!uiAf2@n1sQ;mC}M5Ydw&?W)@ zFtrfx>pF2k(qZ9kB${eaQ2TH3#V)>0A#Sj4YM44(VM3MUeV4G!Z#mkqMlK`n?%{;E z^^oADvR=6RLj;GUC1xGOR@OC}%cTEhYSgIsW-_W^(tHO$jcws@1-JJqK8a1`|teA z6d_GmIh`oBsdtM0)Fb-Ow7j2@Vy3sKIMH^%>Ql|8ZR2q7Jr^prupagmlG}i0_`nfF zNeFBRcM%|(I+ii#Asw}*7D}q@qAgLoTZ-~$|AJ^BdUvZ~GopHh2PEVX1u9AKTLhD~eh2^~`)?0{D&lU9IFb=9GwdcYKc|B3+a(P=|LM&=CcCHRR7BFLBqYnMT1i8|0lnt0YrQnqzb|?f9hr> zNpuOwk-(;_qC1X~@?xOdgn;$!J(%x3vMsRbsy6;1=7l`h9q&lEI zaU4kj2tKV#jq|zFZ3teJ!{$gSNT=H^S4DTybmc|<`de%m%eY8|PJqR38Fy7!ANS+q za6#{WzuKp|4yQIPyo(Nf7CeqzZ7G37;K1)jT#jz{lnOx=-v$O9wKc`g3XAb z%)(mpFPlKi<#BaNi{Wbt0KxK=3aL>XYHGRk8bxHxNxJmP|1p-~gHRwcw)kdy?}Zr$ z=`kk!A&O0-ToQjik#EneuK33S!%x~{5P}2>Eq0 zA1#Y|N!a4o%ilsSwhwg<70;uGtMmgbJQ|i<{*F)86xYh6{oAnd9c-7!25}HhAK=%y zyg&h4vzv5xaAS88EBmxS9i0#{58qpHRP5xBe zh^?K2g!NyHTiZHjJPL(D)_=&IN$h9v*ltPK5xZB#QhxWN=5cz(0ok=|?k%V^<+QNa z(GLAvmbxgjx?-hd--1cs)n~qUq!oujw=Y>j3}#lqLa(uqapC&y$Kl?45%)}P{6nmV z#gv*z499mOfM}6ASjL=0S8BbRC=;IbHsY%OfF{nT!HLJk7>d}rBwFICq0XF;e!i89 zTK41)80|P^#5<7hwRJBei=60Oi*j52jEyM4Kj*qRiIzjN%E-mfa#EdmuK%Q3*b32{ zCL*ygmT``Mi2ZQ%6<%3;E4HaTHON}1GohZ^1@s_32}R;=P|C>6_MnA(>w6=A%3Rg; zQi(k_|5V2zhv@VXbcwu}p9;|;9~0DFAoM>ld{tFDfopCYGqOUIQ71Oj#}xt^f;J8n<5Et@^Se@qb()*oOCs(s5kd`1$76Yz;XFHpeM1H^FKa++8=n8&axs@66 zlkeq4t*3UBnigg;vIGu*HyQd3B?pe6c_ zKUFjt$<;|5twP!w0oVO)k1_;c*Kn2hWEI|Ebs?;mQ{-Y)AX3bf(Uryqin662Wbn4C zf4zUt<>aXcryr0~1b?c*&FXOC9;?dN;tu1qfF;DBzXL4zp4je#{~pD+C!K!gA4g1! zu^HngE<3PkStJ&DNpIXP+)Q;GnyuyuRGYRCn`HWzwYUgLiO$sXyJOC8N2rKi-curAnR?x>eYG1J@KG!DNg&LsES+SPMicHH^h==L1+$NTmf8<9jJ#ENM1`bp0Iu5aM{=?C*;nu)#TTl-3<^QjEn&TSpScqR+Gsn59`WkJ; z{>@V^!!CMr^_@U2o7;7wA&L;9QOPx{P+mmSch#^n6+|#ZU3RmTBy|;FvlUZBShScZ z&a3TKA9GxXjA6k444VxLaZA<34D1wFAIPBzZ!L~zKp|@dM-r%s(YcyjpOIv^}vqi zLc>+&Qhct%0kq`qgvN12;u~eyAU@(h_E*>+3RyL-!Outnyi3dwA4on~o^a&+|5~_I zS=xCP5z6MiD>;7^jN#U(Ws`mpNRUv@B_U3UutCb#rdYNmO`HFJTEjdj}!U zMRW1EFkLxTqE_=RR9@x_r*^E34!)RcdU(}Ut$9mH#uQ{i&*#G?C4 zpa*d)R=vHO9^<_GygEHdZTi5nxi@R*Z2s{b9X$a{#Rt~l7zhy{x=e8a)F^BTG1zAe zzMP2lVH<>cd)B}99Vsf%a7%*pa?>26FsS4cPrtN=_S(pnty{>-C=S#!3iK$AP;z?~ zzt&Ek=!u&bQ7y_nf8UV25X`eb7*o6Vj(90M5g0A~H)~UR!i+Ex%I0A)KGQgrHzbk3 zEjxOsIBRmC^nY|N`>MVr=Xiznn%&p^>y8ALPpku8r7y(?u#6vS%L2=ovnxh( zR}xk0b^ikF@VXOW#&MUVU@}xcPm&EIm09^DE}zVYT@j$9GOXb?m3e2NXSwsA`pFk+ zKqWLYQ=V#tL%Hoo&12K!fFw>|8!E1dyzqV#IH8m{uzE-HyZLec zkXi~P4Y4p3rVQ=Gx5tdI>`Uo5yZXVb^{L4nFd^r(8R=*-o^!=v)Q7I=3+tc8heOu{ zc_vipI_4IzNdRml)^4J_Y)x&$>bdf8H5Z7Nyhmqb2BJ11C*BGFJ!a8dSy4I<69wp~ z^8&L}*gxI5f*KL>>^mQQi{N?bX33|a$EUcwaOSz%iFctEX8TWwPLQOmFy5tNSHG)D z)->)>qUiXmhxbT_DL-5^dA5udd{DO)-9bue6H*H>Embto( zE;Xtw-OT1qJ=fAgLY#oM*Kr%#H>zFdtz6M?e<5G@p6t=GlVpDp>Z;uCyc~TC_eCn; zUQq~|Ldvq^~V`AFG?~Nm>gF;GhV{yvx-Gp zP(nGBg1dltJ+gDBVxmGd(DF^$Y9e6S)|bi4-%Oe0aW2PaNnb6jh= z_QS%M$wz+Xv(kxre>jNT0Rz^Hz1I)OCtQWiHubH)jYO-K&AjLNgZ~TtzDS8@VP!jW zBZ#c!A;nC;)zW$rF>=bf&D{2vw+HkeWk22`oiJjjVapdI3g4Z+Vmfr*AZGA434Hp-s53P~t+~OZ^aC3kYZoY*{Tuiw1}|Bm39l zx@LuZf&W10(f4|$mA4=SmlaW*Z*nHFKhC;>g5=e}7xTvZ=nEXqpu|qao}4{5O`~Ft zWfa;*x6QzCz|rmbM|wnW)tqBQ@hG`nSUa*l2CfJ~kMe7)JkT}AjT#l- z_qkHGA4Dsh<9+WK<7ttjvg&-B2*f^bDe!A~@}3XOB+BWC?XlWG4>;9{p_jz2N95Axd?7yRPsRTok{FTFwrTPTUz0e?^qJlC`rGWaE@J|Hp z^fVfDO;R`5(Ne?h)lQ#%3Ka{>{^0SC6s2CJ!d?d!{*h>@j;ebzo3C=paFoyJ@&c($ zJcHADmgc^ldR+c)D1W^^a4qDL)t}bp?o+XE3|zqF`E$YNAsniJ9wEXSEB?~Ci@NeQ zaME3&%%*Q!LST?in*?9EF5yD!SHfpIiz088F8K36^|6dX52v}4ld)+v4l5NO14h={ z(Iy=NMKAtvwvez9fUB{uT-!|SJ8UyP?$#F6+QEhGb5=$z%CcG24H#5)p_RhZ&)qzL1Qj!;SC&Bn#6;{M_;<12h;Tf+Zr##YC{e;>(X7N{DiGYH$Pr4p=| zp_Hk>4SNgE;oM|Jc8X@i0>Vh-rXhpUzxEZCI=um%;_ys;;rc+h zB)J0y!5xR702Q(Rj9M(5Lh`A{&zA%D)CxydrRIVl=@=6^rwF$N?we=~UVw#4nPkMCC)hr^fvY6|oyhrU@W9n}3{ zE6!VZ5$D!jY0}8XuAh4FiS)WuAaCz?8jkkC!di+M9$xCoAVm)NG2{hyQi5KdJO5?0 ztz=}R+6nz1_uucN*tK?|qHyDO3u`=&Sj>azqd=&3pa=1;NqFlCg*dDEtDQZT-5*|Q z7Kd6n6r_q7uBajIB%88J`oU;0%Vz_NT@cu?W||zh1zB5rVzIwpHR=0YxpMj2hFp-w zqGtY#KS`2YLU}v*jrssP*%Aw}$+y7_7I+YNSDxHK(gzOHLn+@M(QgZtS*iFSu_xA@ zdF*DR@(J1GIS)uS&t^Kq;M>Q)YBi8pKZs$?0}9|Xq`Yc*-qU;{da+_LfJr;M^w?wa zQSClyjEPQf_k5gEzP|TbK=>&D+SkD{Y6w78^epSXw5*rcAH8vGW4>LuG)CI!N4~tp ziG}{&9_8d4E>q?%(g=Ht!^fxxFiXhhS>}Bd+!!#3+|yrh^H^f4b9$he)$^Wo);|he z_O3ChR&F1h9=Wz$b||4;Gc2P94^+hvSMvPqq;K4*s^w9mVlLui#KUzo=P+LVdcDPfj3wjAXFJoi5RKn%9O~8D?G*mB-<0iR|!@}ovThW|c_z4vh8LEoPux1(rJfJGC z94jF{)HUxLp2B{vco1iC{0j6O=qc*}Bk`f`I|mE(clB0W@Kgh!2T@`5m>ShV$Zm3z z<2;wV270UR^fyAnNaQXMhnjfLp?UToLHc@Wv|KliTtyLFc{6^$M&6>$OLnEAShG@Q zekC-SWIz7c@bMj`WU1MPy~aBh3)9mY|3_1VN=9-uXuZ5YV5DrkZ&HN8;2~+VUBv4c zZycIuk7sfy#`DCB6f)F-kR@buL~Pd&xCJ?Fa-bxeyMf!RES!1Hl_g|Hik=)muAr9) z9&4nzJzo5kN89!;4Xj;&+yP^LrQ`)Xo}!3tNVhFZ7GEI|R+ZXZOLsg&?*VEddExqp zDtd2RbCT~!QGxd-!;U>+_rD%9chF*d2PsNM79N>;Av`>}8Au)kMuFn?ntCJdLWPHo zpYt>g1Lad1*4V5*7DGLT5W@JNlbb|k`P%a1SUuf8JSH0@riQ7#wLkOh1>GNdX+L`WHjp<9Yu4$j)%J{jcX&k5GXwpc zj^VFy8lOQI9a#<+QVs0P$(N+-QqZ0LBV(4jqOQu{1<90`@D(mk)ip}VL7GTx9mKH4 zM=;dy7EBh!X?v#o>8Sjyc(8VG+dJe9UN;F zk#Jvf2h8r%1uiXdlyv$Th+J;htNrlto!IQu;{iNe{Ov=XdjVH0a&5(_d=~>m{odG3 zKUYU$d8iC)eDWg?Zo{}y{fjOXDF!oYe!un=`MOQeBvs`@1n~%^qyVF(0cA(;Vss&a zXIDzYn(o@E`@kofK5uKYC67<7Ybhpp_-6?J@u;HrK&31?x#a6cyr-Au-0iPx-!8&& zuPD%?azE?*xTD@+#qL#^wF$`MD^4gS&WcLX%(|1J`!8Ba&&l@M8aXEKJT%Xq3D3H) zg`VO~B>W1{gQ%6f_8fi-WZDRJI?p4R9I5@$6w%g=-ak)ghU(4&wKPoO9fa98E) znZ`R7pQo}Hhh0w@yngrEiqt3dkvH$jqUox&EYKUiQ+#e#=sp1Q`$ zLs@gCY8TBdx}wx_sg4pT-W06x)P9$YQ6x62DMjdz!Mi{Y;`yCxFW|R8^uCe>$qZFq zRnogIbB9}~Wj=y7o&a9x$YHFA#0Xl2V5)F(vf+9uIX%!6usNghjhT1V@Tfy`R%jlLLwn!y3BJ(}DmuAzgQwe&I694ET@i z;|Ha0YpWm6>3RuuM@+Uh`N3-?%gyC^pMf0^8*EnX;CXH2>$GHm9iDmz=s|?PbQMDNK$-`o z-nB|$=l#srtsFvsPm_#a7i4a<@p1Z#2CCNUe!BJ}XBt?P36@bvB8iFewK48V?`J{? znBs-*ZY+jx+t252#+Ek!p$x}aPc1hMA6PB@_oa31RD?`!R(ckw_8dSCgwy2(I-qkq zDZgsrzDUV`c40*9e9x{iHoP8r3|`nTTh*krgu6myikDD_qMjk-3$*R?phkhE>WF1m zjT4WmT(u8Y=nbt&d!_+*RqElkoev&8LhD#ACmV6|ra{3_I|3H336@2|vp}s+k~Vxk zyS6G64#X`a^=3jmg-CdCmyl3=_8Wuv-k6uxF7r{g-|{kh1`2`Z1q$5w?*hROHT&-b zv|U|KKd7G@Xf!r=CUv?( zDgJ2cm8-WyDCGAS(yq0s9?F!b?K?M7I-C^}c8#Y{M#7y5r`_mUFnkMSUo~jHL+AEN zJqZvN_9^!+q@yP7cpcbZP)u^UKff_sXV$)bBZN3f)38QNwciE&RV8&pU}632scOyh zm&XRjS?Y{+;gKZV^ja6!KE20qcIV;J^)LHtBgX4DZczye0w6}1C8U>3SDA+Q6@1=c zaF*>%Vtdg-p@^QIAZf!rR9zd&Y2UXgo-z*%ZX5qgRU>sHbYZ=XK=tajL(&jScGkP& zxsi?Bh|JjuY_tVLj-w}KfBu!Quz{JP0umlTfgWW%J?9Q^Lzhm)tZS+i(*AIIAaMQ4 zb5ffc?{jS4y3;ukD+>9KK6^}`c++8Es9h{l%(UR6Y!G}FWMB20)w`09YmceUqOY@a zs8qz0)KZly2qX<98H8^sv2*HAC_Aq0;|V& zKK{*Wos&fwNLEs2$Quf8Q5n@;)Mm_KW{8a;o`|QI| zn8M=G$j86=$!n@8CoGwidf8QA=geM(B%nD`R)%Y#ClLIY;6O>b&PHmTj zZL{6uT}jo^UD)(N+?%!k-S9_CyH92|4_B}4vL9`_6e(uf*&rJQ4+Y(yUz>_e;kWJ@ zK-lSp+W#>~dMd#YiK-}6Bl~`YVyMZ_amueMSjHU1C05ncX`oQ}Yw6>zICYtIDjB)W zh%|$?!}1nzA=}D)JYB?MIn~TmG{KW#8FN620Ion$zfj<4M(m)@3oPyG!Xy3v zWJt(Hi=H?VuAY}}H>y8ndO_+-mY^ctslVk^h{f@p2xyai{&A6E%y_6i`DlvqRg=_> zEQHTME5G$?h;Mz{ebbS-F%MR9;1hLTpny6b=te3Z@Ikzi$$Np1e~)Ksr1N!%$MN9m zbHLfQ(!vZWe!P@UQMjO@BE@wiTmXa~HGa1c4>IOKpvUXEYuYH~w$HuXe?IS1#5UAb zdi#%AdH}O$v)8f^&zqy-Dh`BgOEn~NA1B`=gk<#SZGGq{)UF&p@6rN^XJ=mN+GP(H zj^lwIyPT!^xq)Wi=iu@@d~{Eo4hRJPs)1$9aotE(OH~9yH=Fsb0}(3o3}b|2`d-BI zcHpH+dCSTB>qg@4+oV<`#=bM#rivusEx$_*O zw2@hGG-_T1EF-d0SFK$6zT;r@duWrE))gqM{RX)MhJMWJDk_$;ykh&)`@mq_)NY;d zcgF`t?6Rb*%yvsuc#!^%9_IbU;k&aV4-qBInn?Ih3iN2BIr}oT-7_po$4l5=zAVFo z120wB*6(mLJdspN<_$P(Ih>=5*>?-_%h_;zV3YCrJQ!;C4k>0zwJe(e7ocE$D~cgb zarGJ4d3dcnEv9hoAt`|01L@COFnf0hT;8)~kZXU#FBLGP{GH0gcU)$dP6OElqsp#Ir?rbG9`3Lz82+-Z<+i}4 zu)WcxKira`w#w2OBn2ttXEqw*BvNliaKT}+h zL&1Lmh4T3ojvYuK=o3ykd|=nS$$_8j@A;e#ponCtCk;z3{*gB+(&U{s*Lu!%=#WmK zB9+>JTpIQYAO22U#X)VSS$c?2^ePytqK#z~YRIQdfZqYC%$EvqI(Jah2X-CE{uCw# zJ;teH%i?bD?)=rM3Q44~FyC&{kLhrsgz~;cikbf8=U@fY=?r}=Z=q-dKcqRb4RvjM zoF{FZ9JnWbR;-tfyS;cG?Wimvo_d?W^DS}*3|G@dJAeX$?}~hXAKfq28(EfGP*#AQ zkqjY;%NiwWmhN|Xa+czZN_AwZ?Y5YDPHG)BOzS?m14hI^`5`EQ{qp@+^7Fg8sLs*) z@Wrbi9ww7MKVTPzZ7U6+~D&H=X9sLaTJ1Z4LB#gTa>P9f z`uaO0f0stdEa!u@HtaGql%DeXP}%=;=)bQk9#C@N7eij4fM57cmDEvU@Wno;x#MTN zuU6wQNlsdQl5ha2iNmL}JuAue9&?c&U!BwP-nQ&r&h{DDIVXt#$%G_!s*$#MM0VtBq5l;VcKV~Hd8VJ-aZcsvbZ(2?ddk~go`iSl&oKU6W z3s)e4VRfisxos?Ujv)#Xq%Zak!FnADHwJnT54u&qf*5%bvmf_sHCU@P%UotsPwF@Q zN8)!317bjo6FG&2ZAK zx^~nL&#OYne2HVSi|F3^I)djGriC)(BG}=_cL3lnzNINWVR~tQNyp#)2D5@81Eli+ zp>x0Y%c=QcEwOx{pgM^FKpk{>fvUw%Ie4_nvF|!}gjqL!TBS$f(%0FRpYQQ(p0nWR zA(dN0pnb01Sv8uY^0LA>_uXYjkgs+*?pQ)Xvlb<6L8#Z*~Q z0VJbvrP{S=S%f@zPKEBT!YnjOBFRwvRE9NrC8du!qcl^eJ|q)TQg2>LU!2Y2LDOjG zsa3u2W+dCNqS#0p9P-0Y1w`6DPxssWniX>CRVNrqy2IxLD8Onz#q*a+zN6YMdFLVf zkLS*76=TO;7B9c06T0lQxmGGLP6mMZg)AWk%YbSmTn?3!oa0dEo4)iP7amm@IcMgD z@Td&IgpyXj#&%S!`fJ*Rt5j_mVGFBtv~|N16_9W}3iN2Ev5^OLhJoe84>!gusUZ2) zjfS|LoIp>L&b=e!WC4>nnT>6Fz6jDqmWhiFSXP- zpzc~k*HfkHpiHHY2cbWUH}gS4q(ti+?^3~qUJ0urO5gkQPEm;q*YqsonH7=8m(|p~ za9sB>Ve^LDDxQekT!rdf2W)yW3|FEBmtyf*}Ni z15GTW1{)N%qzQV;Jm7uTD+PB#pR*(PbB_Gim6YE*Z6tdurHEZLAw(OcX3^@la`!%4 zpLPAA`DrrX3kW@G)ooG)TA`E?^HW*6kac}}L~d(kA$h@D(fN2>kHnGUdsFXT#D5VM z^7tyjjew8?pnX4b2h2grw*z)K?%-UX?~_*+FC5xmZxy@x?aB}B9pCs50ZuvImDlg7 zE!{g9HyC}|YsPj83WKU*8HMyKY*b;z1h9HW?tvKZo@!u<&W=M>$?TZY(P}IY_@T_# z(vdt(3A->#-?`9Gzh%mmeOht=B&UyMT)1bns|tYj)3HS#n0B_GVTv@xtOmbE00FbD70A7I@$=!oe#~XnF%TNAXM!*-Y3+ z5z?s1OQAa?BVZF=YMqH=x>_o^u~jR7;Qr(wmW&)o;kATp2FvVok^=|oSmEztkH+TY zcUQ|IoOYc0_Jv9E6GB~5?&GeXd<~sHcqV_{*7v#lj2XF1bgFGLwETH>z*X}DI(!cAoQr`hY3ai zw69}18x4_T&v90m$_QVyKfc@D0~C5I`!T`X_=dvV^1gAM(V4|NJkS^XmJo)*m6eN8 z2Ds%CH&99iW86NHdMaUNMLg|@X%tbTI`dh5OcGx}@>|8BtUdN1@Sn1ZKcq{}_B(;= z?efI{rrqwYRC(j0=TC~@uKjB>EIL&q7$a_c!@+VELOPW9wI~=0CXoKR)NxTO5^3?m z;WybetD2PA&k;xQ096n88LjRFp5d=Pd(iSeh{G*zkP@0UOsk^feKmnRXN=lK5l#i!`YoV^Aw1ITii7y96|1Y!9id? zfD}ct5yEdt3jK~~?X3%~iG|Kgq^=R1TJQ8*o;8QxFKBj`MuhkD>RVr4{i_(|46+~L z(%MO;~FSIU=TxIAk{Eg2Tzm* zHlw%w?%Ml}f?j6BgesW@uH)9=pVD=4c4AM&y&Sr!q8V@JfWTL8V;OVqUWCg|h(^C9qy_I?!D3oVH?@`|Uke-5@8riH4mt|Ym{p?8U*Xt5)@9uP+>bhQC_faX` zZyZnM(7MjhL-b!PqB$9X4RmFwJREcql8RHJ_ zEmj`PX5`e~Jy5Rx%JnhI^rdMB=;Y}i=T4loGUmO~%{~cGLT@9z_~M|jcidNR#oCyN zFH~5WA{HwcjPgr&hf2zYow0o{y;~Dyy^`DNpT>eeQ4BWt?h1ZY9Jyn`Fm$Z)%&TWo7_s#Om1YZgZSd8?Z z^hL;8__LR422AX592L1EMwoZ^IT@;ws=4o4*j~4n)R0 z7I#HH{~CWW_PtqwPQ1tp3=X3wcf=U-v!4Mx7%*-#V!zBOf9}6pU1-^np_V_i3PcDn zx{VI99kMsmeS|tlaGmATZzSNwB|UOSOl|_6k{s}%23y3VGv%@eXW0kXs=lNN|5`qp z{tlx<^@}+fQOB6zz9n=@NaU#6G}Z@@pp4Xm9CW!5qv%xgNQJeG2=Y@&|jbP}r!zRiAm-L0RZ&@OOb!2!oU3 zO(j@5@S(RVt{Tz+9o?xKUAQcj#P#hcN_leUc`v@-FSIp0u!dcBZF*xK^COfJ3Tqc2 zcf^=Gdt4z0co+zQY-@b~g5b;3&NY}6i9(6waxU|uJa57XHkdw_@I}68r2&qUc$NEG zu0Lt2f#WFvvSMft46V2^#u=rI+LBJQ$ial(oL zC!Y;}3Qch!vW+En-~k5$06peRg~YwprhE;r1c@^n``m4r{)vu<$lXSmm)c&hObfC* za{tNTXHMsJyVnHp+B|R9YRuf+t~yTNx>FuVMh>KNq(a>IJ%?41*kI89W@lZ2k@y9h zr8lb^g>!OuuIwItY_0w+wskT)V5Z6`=~Xx!GjrLA_GUQV2=x$GI>?`_OD#DqV0s0Z? zkL;*GVDD@!2Et}j;4X3->h3%GA~*Y)#ZkyEp>elb7>bpMr)=)KCTCEfkOu-!7{Zx^ z>S}4Pq3{&n3Mv*7WOxg>U!#<=y(IRH*l!#?X#Nf?=5B}Tsow``(nkBG#?mIW)l#h%~10)m6UhrJ!JTE#)Tq38bp$mGE z9N+`n)qK)Yl!Cr6g?Sr^H2u=8u7hlj4-A#duJEzT91+F8eT-kM zL!f`8>-w8je-GBQ!1I()6=gV+P?B-uGk7!L>M+8Gza~7smXhG-*SvcD=u#US2P%zx zDt~QfBaGoR1>2)UV~A66yH9a$jsCf!21g~t<}7` za^ETC{LWV>+mWwZ`~9(H-AITgj4t+;!&yOzbubhbRe=;Y-I!G3(lSLYso!d<6r?yA zwj0ZR-+5Cap7v1UasxXJiiNf|B{wejsD}Ecy!y$m27t6_+XGdz->3kLjPF?kDi7kG86=2SEC0V zX$OVyw&#s1gjR)7d<)Pqkv0jD95{N4I7Sa{fki5{xSO2|d|T;iI=Fh{2?+dAFclK_ z*!7nZ>;?)UFzA(T{%X%N3&**Cw>4>K$c(!66#L;fqrX9(oidb_yk}P($NMw=puO1y zBK?a?0|`G3^dqk5UOx>A;m(_G@82)9y34s#bJ(${(Q+UitpQ8u^+B zFQZ3Jj{p%~<}V`1P~R!Oj?xI{t%1MuElt`UB<+1`dco#|4t9}yaahJWr*1jXU!1L$ z&wxj)&nmusu)+<8iIY2G`uI6mf#*=W*@qR*gTnb1UUc5y5!7Sv%?hZl)NmcfGYIT@ZhVFgyOD^a;EKk{eo2p%rF&oz@v@}NK z+ZK%L5FbKObUShoi}0@(8w^u3(?%M7La9XRKHfsYn+a?iC_e+oi*Slqg<`BGzGd#k~@GuAfxTq?Z+?I6;a?_$cV>D8%3~CG87k9DH`T zN!dqu$Mp@h(>})U-axhceSek1V?qu3);P5tm|_%UEqvL%*+YFkDD-mOgbEVA3-lwF zdsUu+wCT^6jRwrcSt*?cHq|S{2j2<*D&dwmL~5_#s>-WLuY`)hpI>0tvd66wsI1uG zsqH{N;<-@O1f{NN>W$Q?27+sL+PUtCXp+VYmdf>ZzUUZj2%bqzE0#9@b)9&Y}Z zuD*kWP*eUgV4Rw1HmA#uqw!?VVTF z#7%RcN(&ctXP{1l)S^xycKl#MAU@zph1haHVbJH;*dOZ*kun3GUpN4UuC=!%jyKM& z!l8!@v!jCF&Scte>rLPuwKvVQ{v0ZoefN`#4gk?mw+E_zjOu_zAqfG#z#9D;t5|4z zsb5SQWyD2sDDGfv;`}RNv{Z$*^3(AMqXSQC|eF>NinYpR6 zT6Y`rp~ziF%uD=kaoZxl5aSt~9|(18bBXu+6npjV;Ap24Ar?12e0ho-xJ7AK!>y;$ z0Ie^>{!nn(?oBqTRy3&&V%0s^)ABEG<2Zyus745SxN5GW)CE$Rkzu(_fJ(}pv5l?d z9|#b87W8$rQsYM(B{U-pJ7Q3-UG4hz-Kof}=okl^w8}e#O~5EoE#b2{8S=d$@BM+% zFXwNmao>W%qSBD!rU|Ywbf{g(lP9i&a?2eMp`p`0;~0xMho7%T__!V)o)|s?%*tWe zp>+s`KnA7P6BZV7ZmW}x)4<@kk3c_yhkFG8K>75BZkCD%{i6IBr07~Ut&m*TQ`qb` zrpO~qVrkK|z*M)_!T;VLhzr}D?5SZ|l?nc?frM`Z{fOya!$8mq?^0w;Wx{qiB*&_z zeKg_wkD>sNL>a3?Wb~7Y*>1?IvyMT3qt9`zv~cmhg(oK=LKp!3h>EclD*z-y1J+b$ z5&y-X)zAoecB)srkgYXiBJi-yrGyR~7ZpU+AmG&{z8xSM=y}cl(Iz{JmNyD1Zi))I zqz7!#^bLRIllk44ke?5{yWsip1D}Pc^4CK{Qbi$_@wr1iMWx>imM!FFyu2dk8uJ%^ zaKMr95zyDs?a4_q5ZIdi^3%OjF^)Gb$bz4luoORGZFoQY<0wec+SxmmyL9}bKTXH* zrqt%)@MMHLC6qS0WaPjny7oYU?DTAEm=--s{u17?w$}py1DyAVClWCEYR*jD#IO8= zzdpG-BC&2v6>uJ8ZnS&T_hN(!A)C-7ca&U3lA)NvR}0x#I}pC7vt+NFPVo)c`Tol? zg_`*NkJrjD^sR;D$A#C z3s2xqx*3BIi1)6uzcAlzk4yE+vShh?0PK)Bu@knAfxC<;EoyvIq6pI>7t zD=QmI5$E87Be4b)Uq>tL$9O>C?*e%r9yHmwPTkB0o%_M^>SUnmiLoRh4$h;yIP%2^VeaC ziE~o^9jKw)3EV?a-Ua&3HvDE`v>t-CB!k z-fruvIS~%zO`sn^O{c&M0TLT@h96}Se()@1a=;lZI3zmqSSqvdF*q$V zZRGd*V(pddHxH9NPyVIRncl2S&CvM_<0bcR706y@JUX3w?HT|A-xN-TF!%(6RFK#P zkeuPVakW8)bJ{_Vt#BgxiSJ?k<305E!h)x3!z*W2O)A#zH|vYaR}?|lkz^Wdn6GY>Jq*`=YLANOj>5GuTk^FQk(HiVw z2IBzQVE#$%DeKHCOU2s#$#v@C1JeUB*VTK#U&$9aU_nDbSN^$1AJpYdvoPyRfx_KQ z@`u5ifeEeNqQZ_TtWP#3cF5FG1Yuq4RVhL28T(LJ7VV0;Wv@+Si<4Yuc!KncVUy;+x}4$V5C8LkARZl(G+LC zEc$?2}e5PZN1l=S1 z+r-8I5r#f@yOyZH)p2l_xIl(2{}nrCe)AN%fPvW#pzthY;N)w_rh(l>8z;cIjlb)GTd0{nRghLeW0qG2BR~r=~??Tx^0U z3cz+j+EY!6nnw^uOFB8O_FYV6%&<3WC&EhxfD$eyY0X%5)11f=R4)o`GCHA1wVSg` zLK0<8QhuZZkboe8-dshe!x0QnA9YoN7N5dZ(g(!J4)AZ@k(SV#qVH=UrF~JO2x!FDKPxZfW1QMJ*B-k`tA5IlyOUjl%-SkG>c} zEZ7wEd9Q@v7}}G0P;QCwvy?MC8+o<5n2qRySi3_0wbs#!0@9 zWAea*Ly7Z3Bm}3VVugQV!%N`r0vcs_T>AWQOIp@PB|6j1<&(j(wQyATzO<`rH8$vc z*3q)oTlp*|K;z<=spC;-=~_3Ea!i@?QkxJG232UC)UIDOL8ByDdY$Vn+d=|y{eE@$ z3~Oq5TI04H=I;>^>8m!@thb*qEz|PCLddXKkd(11eEG?esL3O}%jx5ZrDw)zE?VFG z>0~&ccO`;7{5c#YGYOCz{x(x{oN(%XHNg~YTgq}R3`P|^>q@4H>up4=WDo~H#6}{LN)anuaO%%-(sFMvlM3_wIPrTG*$I~) zTz}RYguSWc;Cw>11W3-~nT1cB)67dMr@2&pLgy4ztUygBg^pK6|l^@&*aPTd8N`7pj{;%^g8ZpPi5p9#|j#p+YC}OJa!Bb2(wwwxzszk zyK}=~J{AZ**dDCfPk1hvk&CJ;Z=3M0R(=%ZKFei=ZaF&qPk;mv1WHOK2gF5erl2HI=rA?8l#w-WD_+#3 zj2+dkz^!7^jrhzbgGQll$O)Qkr&+3fpm`cl~sM93Xc-gy@!hWyBas z)E-6Y@WOG#(lg2DH{CMxe-J*Z;?VrOL@E!OV2y?Xw#r2f>-MzA)2mRjj~W+RyWGiL zn3oBO_T|Jz66G;U|Ece?w~c3#&u_h@f?nEId-2($y;@4oQ{g3;gL*jLHWS+zxz-7V zinmYJak|WLymuFx!n;Csh=7uitCMUK$} zhROz(mSN>2HMus*6UVzB@}LQHFoft>x=6738{++8Qz=F0DrYmTd`+M$_o{>{CHO)eB+*vl|-R8t7YZq$+ulT6Z~OJ z*tB;t$ro$$UOu4imj_7E^HBM0@Q*8tQD}Lkx0RL6uaX0wxRNubN)H?tykYx$cbBVpKfjCly@ z5=!`Di)`jqT_Naq-BH;oxbk_OivGvhzC-qohBm=(D=PnTuX&R;zj#{XL^WY;)FD4s z#00l#zN211>x*1gs5S=b?m3Vrn|cthBfJ&=v~r&gyD7!$q|V&r{csxdj3Se&y)sG$ z3ntB|etsxv=1JYhO&Xdgw6qh6q#T2K8#;*u;00NmlucVh*F}^pID5wQgZGG6tVe z`RqOC1=7-Tvn`^JA8o3f=5q3yYJ|I7Les0ZsLI2;ZXeqt1#Jd3aI8B|mG89P5CQ>$ zAzs5UN-Yh(tNh^ztV2#D<;r80OW`v%jLsF66rWGguOr^b4?_u;8oW42tmAq5kC#ND zKWSY^TQcM*%TS03azj9=;3jd!7CphReE-)a#yM}s=@Bsl!6sU)fLixV82)vmCp_$ z)r^7|n;m`eLmES2$Vl>W>>U7is;%XUPZ1|QLE(e^8tV`eQ|iXK>qQ=Q5p1t{DveSj zMiWcVsExNxjJ$w?NDW8F3ONpwCdvcbjRY2qA@nA@l*i9*kr7>#kkSV4m)%>_O7#qc77cb{JV zRS1qnS4R03zHiM)At-%@td)Vnq7=W!7w)+9yyowoJ)Nt=}3ks&!3p#snitsGC$TBn7n8 z47K(jZt-~dqKU;Lv{@_4=?^n371g2F*l0{d17>rSgy6Z{_2}efoCFmd)WLq127mc^>YcURz!9YAV1+r=?$JVq{-V{cI-zgRU~(>7W;55({v1F@-N|oHO)=lB1szZ%++uLF)W2DPYZin2n zc)~$?qy?Z;GV5Gm!-0!t z_4D1>0xu=w=jVpFY`wO0FIw6Xnh@mq>nuY^_fbN#sPs?qCF&ASWKkAl*W_OiT0BhH z-Qb%zV&g18r{w*!6eIr!;j2H(`-2}}6 zQl-(BJ55rMDHY?RAN-)XAw7??;(KB)%XGo#^=Y@%G7n!1T5dJvn7PP@$!B}$epG;# z|LHidme&_7eGijL771{ZmoBMo`CxlcJ95kKY9t^YWF%h ze?vjRBOieRKmyDq842hu(njt84xrEhE8fZRz^ z!UJ++t@5GSa{3oZ{%Ms8+^VICtd)nd7dfG&cRK?GGi#&tLe9SPdujiB>g4LT6))U% z-1DzxK9iOM9F|Bj5}vHehy0E?K-S}&wx^$4BInAz-IT_f;(=f3=Bc+Jrm$ck}d1pvivz@FNI{B{>lyH7x)w$0#(;gYJ z)S)GC7&=x+AQ92fB0kk2zP@niYN^xB%2H;D?-w=;_n*;@w|!etS@G&n4H1Q&K3y&* z^zc>iud=B6_uR}aExCtBV7J7)eW0rkEv>aqB;}Zs3zk}kNC-AduiJb7mRhE7n0d4d zYVDoRZ$Ff3RhnEntGer1G+MgW95BxPbUx#75~o%+@XF;tyrBASn7!}A_vyRg)llx# z#t@>L)pHEw(=C-=9oMkSysp^qgn4v4N{AmG{wRg=sQw-{to&Bno8#z9iqa9O51$*h z9oZl6|9K|M>}9g4^sousqN~4YT#CFrOAQj$Q9diwXtF5_+SwAJc_K?|Jnc9f6{L`` zqBb}=u6F;!ZRMBt$IO~YidILJ506<5epC?N4hwp5{@Ru_TNRJd*gq@oQESG+w=-Ik zl(C1GY=oQ|b$R`)tA5X4Yee$p^c4lT^|xc%qZ5z5vvhn|B`r7gBxEVr#hEYE-F>IG zTxyUXZQ2@|{$ay?gM|$EB8~gd_#fr04EePN=zK%hcKxaeWfRbL^ML|J_5LQ=8AT@X z<1RlX%E;-*ko^2||A^E+yf3i9>WWw7OKiml^kI+2?Maw%e%3IOd{ZkLqZGW&a(0M> zAXtW{@?m&Bq#qbH$qbq}d9Wm1JDXM!K%g4IaTPoZfW$iL?(ygqGm9)oeL1SOpC zN6y*yCGTxk1j2|>WC+pC_t`8}QV8iZdI~GX&&29_=FK?=+cXuht5~IHEAdWeOrH8m zqXmo&de@R(mU?V!2Wbt?t{RupLawqh^Gxrx!B<))j>-zn;5VV|p^3G(%9U68R%KKZ z-LkS&F2U=4$>Z|2l^6KIEB!S0E9mPAf;0nHgawekP!&S_iw zswwbs@KEpcg(<(Q0`R$`FOhYv=~bJRsrrt<{pjZ0!ymIAxK5#ueb-hT^g{32*$~u` z0FyP8I@ZbJ(J9)CPK?j?+%kh*b}XaeN(Hv$@MI9$JgG-xB9_{MmLVho`i7cTupY&G zN9MfOOPvK-;X@VZ1)39Hy-X;qmg zz3xQ%HOKR(7uR?;+VSoO?k2NtlkE%jA8FeMeb6xy_}pnLJMdf7@mP&}@c!0RDJxW40U9=8X@}K}Ob%;hnC`x4 zsx;cEz18cD8IGT^??iq2y9ztPv^Wywg}~+_Do9#?e#^yblvlZGe#`5D#FE8`Itv)PNtvZp^=vn()cBs?&wij=1^KTVMf{}g# z%n+ArsqeLf2XiO*zo(pAfD*1bA6Xa~P`u|Re8}UW9*t?>6V^Zij~lu!aD&Gp?yBQ< z6SvLBDSG=ECs;8~5u4#WrtS*b=eof<;9XaPOAVgt!ZS%ob*|q$9=$ z(KyZO0t{x@K~7G}-okqyxbmt{)32nx)5j0F6%KXJR?^(E9qMn2+^;(hwNPj@6iD)m zhifJ_IHz1)UG-;JOg+`taFgX^Ic%ESC9k$(m(Nwu%(h$JO-*hBw@*D|Ll zeRm~q5%)0QDi^`^VYl^18iC}N9gb>}%-%A!qNTLEp zHqxuqbGNpxl(HudvyI+>YW2xX_W2a;GRkbkgsKbIXxs^YdU!9b3w70@)%(^*m<3hT z+eElKWS`%#>tTkplLO??o-?^%+!A?fBaG@VmSiN{Z&r?k-TQI$LZ!-$PS+iWTPVC; zo2FP-W@^|{UtO3}y>5frc-y=WxLKQBqffV1{}HKuBi^>%=h?Z4@aCl|C-%le-KchX zP2tm`(G7M}43SLk5Te`SMU34NlBkuKbq8N=&|0xD(dk&TvZ8Sdq4u&C_cOZ@3q&$W5+$@OcQcEusDN1J$a@4(0-O_(oahYtMpWlja3( zeh5RyuTlBz9ZIwPA!66kK9A4-JtsKz5A}(mQyiuXj=a+HUtM{j`fZMs(MgpRMh?x_ zZjI7VXGim^lE*uyuiqa2FtI#zrI}XFp^M{DiX#(NJqS2*&@J)W{kyPc0wB%glF*PF zyL6dLO+CBi9Om%m(FaHd=-|6%9Qc|~q!(UmXu7;59O zf(oe{YHL;Y5nl(J2IvxK@jUBKjQs}bb60Q2t@TKa zztwnf?YS0<=fb^=iR-KRbyu%cC13k|%S-8VrEqb4XnFq3ORYYccis1+=S8ccge&n| z{4%$!G*eQ5vl5n&lw+PK;!Gt`=;iXyb1wxp)|P8I^{}$(TSjx){n|QDWhxG+fR@oud5_Wzl)QJSXW&D5bh$$+{$4SSJCi-hgje&>ad8t_8D%&?0$SCY4rH9HE>P`3XS_@x)CU}7UJ*=7OPn>&X z)bBgtUmQndg&HZER6%~{M6|CCBhl-A$pbsuFnD{1=1iHexso>U_}hez z70yA^w4ud$N%YyI^45jH?>qu$VIOTl+la1TVt>4Qx%^p5c2KO*yS1sWVVJ8HmCrt| zcf|_wvZl*1O@lJlZMnZ{Ipq}+0KyR%sk^5nu5>?hXH@`vW-Yd&%(jg_ceyTSvb}Ro z?Uv8uZ2XZRq}M2=XNTIJd1>)@{A0en2w7N%lcO;adtz5YOWgLfmxbK(<6EL8n_atT zj)XCuOWXEpO(LiG<+|Z-7QiQ}7-{eHg%X9^Awnd`zGv5{Y^W9K zErjT%b6idu8WYpl7x?W8+^VqmyKQhCmj+~NjeGpGXkX^5%ctOzpIMTOgwbc=Fr(LY z%ihGvxP%*=pHyZ{MACewW7+QMO+)=2Jt!0|f`dNf5<`e?uchQCK)t4x_1w35jNg{C zZL@CKkC%eEI;jfhFDMl32s=?QE<_5pkWC}9LNn~oSwa@lSo*;Wyl%m)GN(tu$w(fx z(;R5U)GRX5lD*@Khr1su6)WT{CYme2@l(}uIb}+wPN%h}zJjx#1*XzYIkkb{M}-L+ z#@3)L=&(*n%2YriHEgS`-0Af#ZF=0?jsk^qvmKRn4ADQpTQJ zbw3oUA+t`oJh}Fr%8fdyF;TW-ki3RkhmsoyvOPSSPsTlZwl6GdIoy#{saWAo&2u-A zXw~~cTUZD6qc@ziSc+V%L{Jz_Y`R}J#AOyIVI+Lj^GI`&a*XuCy=st3XJq9SHVNP7 zYK>`n_~6lBq8VTZ;Mh<7-siSnOG-L>W611uc$Qs9#|kmd?053;`Bc(@coUtPy$Xj$ zHYp+@ilmZ{iRtxMDq;#gW+CgTnf(kO;>5;SVRKer#FO={x zCg*Is@8Uv(JBMd986ipZd(xtttHKwzr&!~6*LgGHnVQ9wWF#DR4VVn`V6`kb_Oxx==Cp0wwr$(CZF{<>J#E{zzSDoieYkNR&Ra%RL`6nb zR_5Mouf0|hkd5<(3fW?SF{VHQ2BJF!@gVQtIhCcb?dOg{$y{5ge1@UgR$6!Uql@A5_J%}0{ z3O8Jikss{HP=*gv*rhm=v29Sd9Z7@EqkEg$CpRs~2;K|$bAFkYPiO%*H=>0|HWxWIa)1KL@c2t1 z>wuuCB`B1~9Zj88b|aqlnq+RZS=@BxIVb*L{GU2`&$Q4bC}isFwzDQ;A4HkkeA6^u z;-GYuzRb#oSDWoJRJXGOVf2tfyV#~GwDz{1|FV@)*FS&anuJ&usXwcK!7Mo~{ZgxN zon1tA1RGrgtMXqx>xzqm%Qh zW+Z4kZxWMYH8PF;e9eVunq3VGp$3`Js3OJi=+&TPuWyIxJ=C{${J`eV@bdCYIve}G zwEz=XoA9wKBC>Gt`CqStdnZ92PX~>t1`zY7EasP>Tw+2D2q^G&#B1;z^NqruvC6y_ zE*`MYEip;4TBsr1zj}f8b7}t_KV0f`+Dyl+Up(*=ajb?RZPn?mu|QzcFCHNfJkju^ zF|ppd$EGI0yHitf=kgqgErcq&H^f$}=cFYtA~rX&y2Av7zlcucOuvL+tezsNxcO)- zbgPSWRyQo3B_w7kqqLv3bEtmgEYdz-hQ*KcD!$oNH$zwdWH69|NXow+6yIoDrfWHP zJIo7j_V7#o!%C1LCf?1E6pEv9%nhX4Vq3Qs+~$9@QB*xo(1_(A1fd>iOipfWtY*sI~@6Jyj(n>limZy zC(TFKs&i1V2TMwFFp;?iH|)BwWItcqDoNF&H!@ETQ5w^an5X0>F z+ix1)XXkN#kF5py{kwV2jIQ^vm7ENhu4@KgWdi1(0)Kd5IJokk&V>VI>Ad`hA0Z810#RqOKM)gr!0PGqY2x)~c#1F$_G7yTvy8eXWps!1do%*u&r%bHW-P&&R z!`ne;d}ZONinYn@UGex^O!wi9MK%D7j-}R^l`!W-okO+E6KRk}kK%Y7} zrfPP$)%iz!TAzwrjdLqnEOe#Y0p)1a^(WiuL(H$<)Z{aVKt@nX;E8dS_i~oA?Xgu} zlq|L6gGVtpQqwC0Hn!uojv9{(&o(+1p?MLqD1PlU8>tk285yflOir+BBQ>?zJdSm+ zfQ9TBpz^EyF0p!PMQM$n$E|6mfW?x<$ED!@di%W2_lfb)SGwO9{Es$RjN9o;9g%TI9?lDuk&4u-E zJwe1XW&WAlp2S2O9h~2NU9Z~0= z;!NZ|P%Ghp#Qi+xES%)yfZ#Bb+-zx;fNhf={!Q%^oTOR!M2~kkP~FttB}Y!i`>%9! zY1s|vIBr%ooa;Q>8<4~jX_NF3r z9*)ATZWyKasak^mls9qxu60_UkcpUAk411U$$%qTX~lLFaDY$X}#(IE^uZY7Ma(4GZ6* z=HKNlU=ck=5m+8f8UHBFkD~JOt7W%;!FhYvt4Zi}1y%x6qw#x_9!c>u;65L`mTzrt~H->ld@ivBUR;8yn zEBVS)La0m@Z|1Mibm?X7P(&VMjGL=(?_^$uUImAr!dBQ%YM4vI=Z4{ByEE_jtF*=a zJufpp5(-k8kVNNzhao~4jdf4fb>_-d(WyB-jkog;-=$uzN$TO`$wy$mo5G=J(zfVP zGX=nJ6ev+eFiX4bAol|A2c;vHYF*;1p85+AG;Ty^ zleVM;RW2nh@7_eShYFVv<6+s5;=GxsjH(0laq3FUo##6Ww-xuu=CLQvMkl@NMTaPf zIDV(+5TWAF8tB~|BF;(evq&BAt}Im?*7A06m`UbnS`?-E)%S)loUTCO&q4}Go2zPKMurHZ=#qh)*w!yc;rwJ^5WK<;ZH z@(E$Tr~+K@{u0PFZU!PtnL9=>aX?|DCh)o6M9fCxif)=TmmY;tWoy?H#AXrPQE(1B znH23kp`S5VcDGsUhF@h9ULU56_|&kisMi(IVmEgc-bNd#sYN8}GQ5$``Vp@G{Zkzy zK3YG~mQpr3$?@QH1UoN^QI@k++WpFT7L$F+{^=~0P4z9LUTDoDCHYa$>@f+sE3bfm z8$Llt*(R-1?@l!KNR02d1P&>7dg53A;Wjn^i2YlQqaB3)y>VJAA^_4uz*%uudtTh| zcFH*?0Bc+pnO(~LhWRmzIZ4v$owglK60i6B`$elGE8-N4MIRj&KO~p&6Kw{Jtyk`p z@q<~)B|CxiPPBCdwVf{R6Bx$}odIRWrE&UyH@$YMG5&(eQK{aAABV)h!YJeY+VG@) zWp_Bwh?gv;i{|&W-D_@^J*)=E|3tX3nBuYfU0MtCFKmTdh#T)}*Lupf%em!N2e$E; zy#?XX*qT3pZ(3h}KfL7#JSAoRjI!qWyib#dUQ`v%Sf$fV7$OYL-=F>R(msRZ+nG0` zQq{oW?R9=+Mar9dBoR9iy^85$!f}KvyO?Z+cRylmoI~&GK$-aS*k2y=kZo(d{d&(!&G~Dsj?hJQ?9~ohfs0%l17qE%`P!7j`K9Y>8$_esY^)V^rK*w?VqFinhJ(ek$Z=*9o~j#lCs&{BPuK-5C79lY+&Doi zuU@>H7dDgq=PN`k1 z$NuDM%rL~@sxwWo_G$w~TaFgKW=SbPt@GS~TnAfwlBL}i)= zk6ps$*R9P@=6d8-6neUk)qQ#(0jgDhGarYDJuYM4Ux?p#{VZZ(%_M&S*IeoT}m~Ge4Kz5z6^MNNSJCpfu`;=2#bRj?`=@sVL`8YjarV9H_ zCxW4?)mGay`+28tlZR->3`97CA~Bw^4nH5&v-maom`#uDQ3Eg$F-Bv8zk7$Z^a( zYD0PQ=k^6Y)2@I|9g1VA?_RSle&;1ybEs|0=2Oq`^*=Jx&UCF{yVmeHuRE1w=7-X1 z+Gss*i`+XB_nrx9Y@(}NyQ6?SO6%^D2?%I(Gjye`$CtW%maqt7lX* zuS+&H8#h!lvy}=-mYIGl91)wY{8AGaKI+>M#>L-9E^E)LNw1V@-dlIO$NxC0tyj#H zN`7&)DlkMDmDf(qQf(fv8zq%iB(u+uQ5hSn*}|cpwH7}Bp%{=%N@k=m`D(TAh>(Io zpK9z)vEcM{fBn$YZbCNKrTrt>BlpoEq2W=mNm(T=66OdCg@l7cApVaF{;3Mt5(Nxj zm!GK@C*xJJ`jxoO#=dEXWs@T0p|&m`vgjQS)S`L1%1wsC$ec{0yU2?Pxxz9{jCzLC{Cd$RXBCjq-9H35PDj4KI^*Ky|x)W(JRFo z>annyLB?02$@n25lt9AW%nuF9XeK8ZcB)!h2n*pIsfwh7l+4+n#~otTgbOy=md|;J zU_z{A33kQk7)>-pJXoTHfUN0NY=my67LnJaz58}2RPBhBzyIC{J&m<1nS)C=MfoAW z=znH3mqw>myeC!t+{s6iNEUX7?v8`xP^thS+>g#ua6V~^R!bin&2EELy;xA(q}Sn7 zQhe?p-%>qfkiCdbg5=&7NJ2UJLz&UnCFiQJD-;L`j*sT?{|#=CI%+#vd8s?zf?XXr zW_RjJ25CFw#PoM%V4f^vTP_+M2W7z)Yyp3=X%~&F8%3RDWODNj<<taS>Lo^m!2^mQn{UPR~xytWY0aTuB|k za04r7fOq@iHwW z17)Zs!Fe@t2QUx8fFvz3#-pc8YKb2#Xvr~QS8st}GNEZ9fw7Z^fG2elU|#1vwt+H# zmooJNAxxAlQku|+6ABtK@mcEmAZ!v20AGm>@viPVf_=7BF?PQbRd_cJL+u$NR-#@4_=v5i0dqJNvP6D!8&oW zQlp!I_-zxS0%aZ^xkT`l)4dVh6{3VtOqB(U2n^HgK`hLnUOY1oY$_!GgG8gPS-B(brHSbR@|i zM0mx)-g_8*84T{Tcm`lXl0FC`3_Ost0Q0sr+aA)bWRI3B6SW4?yqRzh>_=1xZjBn> zO}GS1n$tpZDPZ~)UP_nEPfnc?%BacwC_+2FhXEl63sKSwdVpj3aL1381qZyPM*(Gv z9f9y-4D7K0W1#K^*)WGsg94LB!#M3htkPC-B}=fpJeDw7_Q=uQfvgq~6`ac+E2uIN z-|JxHivV}xi4l?o>gb*900|mCzyqt|{hJ}cA_P4L3kYZ~i}Wj5#A3bUwkpyB(_#4M zQez2qhi;974ZsnEd>WXOABr zTRLY+m>h1J@YQ(RF`%R&LoOL88w{=2-tRhUWw=HNIc0d~xyx~$Oof&(_4ONeCm|X5 zenN#gJ_g*kFp8Fag6Kg5mv%NAG^tVtb?f?18@Q(leYT9yV_`G} zc;-I5lKDL!pHQ5nEBAYs*U0si<^m^Ss5vYmk|I|S0w^{qFGjHNF%hUJDO~g-lOC3d zKShX`h+w}m_gwxsk@mpx43a{)%h2)Q;*==5{J@?H@F4{TWF?K4m;yK@Ekrh`Qzt9N zqG;;TStX2*;tntNBJ5#Ch1LG3ziSbbAcp=D;}WZlz@R5>8e;xmHpM5>#m<5%Zc?a{ zog)+ah}#*$kBw%bveESGz%o<>YN%%W(Z^Cp4Vj5^o@6f83dMQad9Vx<2n(pytl4aH z`#rA5J>~i?cmzW+JbWTlL2Il;;!%k-H zUI~?|qXxT)5Eq@dO`4uHkdx)KelB3ar_hTnP|x;3>1aD{GWsgPno->Dgm}be4J#b!sv_*LZ=+M zxOI?Q{9xZvVT=)EEVvQCg72jlNei|@Z|6?J1BP9z#dY?P9r?VBx1gDHA$nzh`bT~@ zq&W-4F?e#t(%&p07>@TW~ z7-bl+7YX(>H*c20#5rSOTh9gz-yjL4*<;Vhocca2Z(X`*q*E1U%soz#caZl?6rz9+6>wRU*QjnXYEs$gqJw%nl(?ecCh5jTJ>HypotC#*4?t0#d{ zAuNGS?hR(K*U(*FhQ+RYNB1DOIq=eaBy-~u1V+N$G}!fI)J|sAz6nDS?*OIvOVuv- zP6^jg3*D5U^H2YXV^*MO*j{4$8<&5a~X2KRycS`7;5^5&o#GP#Oq3t*K6Kwj@(Xx z9)qJ_7od(&AonKn{=-h@2GaPmk7Y#u#v7RLDj(t$IRdOl4$-FpvOr>v3;}L#@fxu} z;u90pt4jcRmgF;5L6MU09DB;520zVKbGP(pyIU7qUO4t(3DrLy*tj2xZ=||Z65$!@X}l2 z50WQw2|B~_T4{m5w^HoMiCav;z49YyFnsG`5Fh|@h73W(rw9tLl$6h&gI`z#U=&fP zXNA1kdigKE?tD6Q&tr0mFN)ULycxh`av&qc?Pe6fD|M!ob{$JS-&11L6Pz zTXZM~L73>lR}_eeJ(f(?GWB#<(6QWIHxI&0ri`PF!aacJE}{U`Cp?Hh;9_8h@cKm{ z z1i;Tg0rDZ*p?7=1B(AE4Fs@iFui_0 zmJ_`0AVLB?M*_|sBLF13k^gV@NL8RfpW0F9-L}FYItz{qJK4q8}BT)CUI}Z5S>A1%o&NzC>$oQs>7kSPImr zpGnk~SFRp%D-VfS$X^hu$W8!g#Gk|O)gBt@lm7N5f9(4klH>^j0`S#B*%1g5&>KMS zFYU7nG&UmG4{>)f1Pb|E;}JRrm?%JiLGrpAXdqwWTL2ILwUzSx8q@JxeF)UmI}%~( ziiES_WHbP5ivR&(2~QLd0N{UL!Tb0ie_TO*T_li!`u6{H83s()w2>c1FbmQKzc*X> z;QXwy*1N51!0^SX)qk7YR58SK=BS~oY-_IU!#%__GAYEfM8FzhF0h72G8ZqL8By{v ztW$>xcLR_~a|dfj6kVp&GYA(@`m9+qC!>;R*&;B6CwMey!z3C(6Xs(!Mf5P?LkCO1 zkqcGo;ATB*du%fbv1#lW+yiBn(6Qhn~pns4fC-uE2qWlku={`73 z9nOr~0J`a{CV)Q3W3i{_4A`guC3NQGUJwCez`e$5A_}ZgFu-QlDIpk0WR-y~X*9hJ z!Cdo_4YeV76F3n_S<}V>n0T>#Fo^arD9?vmu$;-aBO}u#EuCnW8|P2~m;xbx3e+Zp z7o#C#^aKcYLMDo10{A#F-5FS$KUZS0rJ(s$Wgu~!=s~a^h;&_1hWDj%n-@RZx}vmo zD0%pPNJ#^(_UPwvX&e)UR`&(ZY?d?`tl#3;TSJqBqSJuK; z)=_JqbfO^6F!9II$AM7U`{%8OPM#*@;9!htv}N3gx8xr|K%Jn|ETFijgqg4)Itfyt zEnv(OtlWo~9d5TE54CH+--+C#4*4+XM~!eF)SU2EGq8uitoUxXF6Z8PcFzRQga(9k zyB{~+r{6vs-`3Ws4%}N;{rHZI-yim#+&r5|#Sj_FzI$(%5dmL1G32{6>m@k46ma1v%t z89A8)`4J8r{lrrYUIXdDq=W&ZkUfIrP{H2`RA3r@GL6eX{FvV+Ximq&20szLh+yt0 zM5Ycs-mai@a2dxbq6O*_5k#UgFg@bBodJ-EwIS5w3?&3m4<{}E29kp7&6=t*Y^Q+)^gxo>9WWOVd{xDJ=#N` zCM~yQSQ~?meOf+bdVi0xhQ}N)JTR6IdU7ex3KD!H_idiA4w41Mie`Cm)9XOt5S(%P zVg@e)7ts1q!kG;=D(ljiTS%)*>T;OW0nz=Sw_Ay1d)`?}xAvahbR?p62U6PN+4AEg zc@L5+7oEAYMlTaBKmYrbdwMBGo$(66GZ979n33CoE~4~^)k{1J{+e|`3|C@r*Bv+s z=}xsmN0XVrQWU4&mnx;wdvz6>xo5y{w3A}_r^x1cWk&}R1Rw4#0(-wp};!`pZe|fM7PNnR4JGFh-LZFz^n;HLzGs5H<`CPDu{iD z)dYY>52Jpq{q%EK$Iz?Ij1@*-d!0`O4&Rq53JoMm9M4k*#DcQs@qh#gnouCn9A7}d zaj|1o%I8P{m3`a7KVRCQ-jVyMjPkXP6gwxj3boKbOLN6Nh{D3mF&+5}is@^8j2={% z-=guSj~hjJvOyWQnYanC37t{yL=z*O8MqR<1eoqyQ>i#;>Qe`4J)1a++D3NkPkiXt zFj<&WiZ3RP?+fCK<@a17Q9sI@&A8GdA!nvxM0rk;z;Ro%cZSePI z3}SW96=h3<3Sl2q2#Nw7ui@5;4j2o}e(3G4x)G z<$2{OqiBBs=+UNOsuYQU7v)d->B!c#S?R+JS42LrG!P9v9vWHlmFu+6e3QR1R4>y? z%)i4$#Q3HkIiwX^)Iuhh9!*`osWD^^c%9c%ZktFm$J=ZS3oI8Uc^=wx_BG=IR}cq; zI1*)-Ttm5_ zIp-Iio)WKiZGag#`9d!|U^UCnahVzX}tOnA71*}lwv5{K!FVt41r-<^%(Tyl@G z^-}Jf+90#w!4AoEh+%o0Ri@d+kSy^K<>nU`U(;+1qzV@Y$>_c8&Dn#yToz7Kp>Yat zkKI>$Ib2=}mcVGLgo=N0R0aj+ z3@CnVl!>Vvr)Q)f)OP@codp@d)URiK&ZxIRI;`|Th{3+4kRdI|#4fYDIlVHpH8i-m zy{22WE)9*}*topWJ}FG`8lcfohvxqn1*Rrv(CS~U>q!HWjR0UQ6ezU}59HL()zezx zr&w%1%w)M^Khwo`GCQ||x%>3p!tH>g`oTIr>gdSLVC8@OaZr8WPtnlNNBsyU^egeB zg>J)N-Xfo)!+v6|BaOao9@6^b&!bvr!XMeh(JxN3-%LVIJbm=G@-Dw+)Ij9WpgvqJ z`=hpfz9{8%rt67R1Qe-%u$eQ{uTv=;`GDDypgdM`NpKC^fXVVjb08o3h{H2CQB2OL z)~G8u%H77@d)?7+SS9Ys=oEuBX%WVrHPZ$_1~#`yaU-7Myar76jx2P@jI~Gq`Xnpq zEKEVe8{XZ&uWLiaI1Gcm1|)~9e0M4%_V zcle!f0|oQJ)DJq?C9#JBY=QhQy>3YRE%lQKZc_uJh%O_+B$r4|6wS4~jOX-oJ|bIx z{0YOPv)oogxxh;Os%aoB;9CJ&giK*bqK%WW)=#*bWoA|)Ts$x!|0DhdAba{X1ltb*=m4El_4a2wvepEGtM*p?w*Bp-NA zsEGlJAZ@su)dnLRG60U9VfR8#O}>{-XHG!A2(k5vnr>u0VDyUflOO`AxgQMf6I+UK z3qb>=?Np(wUx|}Y)GrpyhkoK$1DHZ-;Pa@kVy^xQrvB$3@N;+u&-(DMFRywZs)ynG z$6rd(JtgZT>Q$kf0WIPq6+jwm^308#Ge)&%DBYYRiE%-B9`U|d` zq5)6lE;}N-y%3~`ODGKygIDA1XVpg2XBHwY>gWDDKL0W=+4^3qg&!ANKdXTDJ++(_Pewk2p->N5K2sK4hf@%FOr-hZK-SpZEkJ_E%oD<{}Vwls3L=a9`k*=Vj(#vv#Os=rHjGMjR12e{U6hSmHF#DK)nR%F2sWXATE5`q{-uOh7LD$ z8nkyeT9BK)7mGRjIL1We7f2r%T;|{FPt^GF{W}fZFqkGGa&!|V3&ItoMaOuA&{2bi z1eUtEPX>_!5>vci7OO|B_{q}+M4cBC04AW_4Jn|D_@{9frlEX(abS$Q8_-yU$rN2>sGvZ~SC|?zEv`A_?-59-K)-D4nbXI>HDrJuPXcA= zWq%UDOsP=&xWmLu73T0i|4JILY`Edq5sjI)X(g8t8hb2w?Z2HI9l6WU;z5J7B&{q? zsu>pHM2ZE6Tvn?~@H6)pP0bdt^o;zihQL{&!EywIv>~U=ybOH?fCMnY zVca9JDjEC@So=543!n*aL_KvAV3@M-Fv$(DOtem}im+r!Qwh%Z;s~USaE*cHfikGh z=NOKJsKdpH6ou%Qa6y~+WNIkNn}yRcu?{(y#(3!~j;rlc8Cyf68JuQs-5O@gHv7;9Nds^wQ7Jv)J=t;Nbqana?y?50=XQto_z>}wM(dF6z2A6sa z?&KK;w300|M~1CLMJT5|E~u}M6Tb-B%Ex!dX)BK>--EB3eOW0|wlCDgE;c(LsI89K zk1J1fdV%Wt6zQd6tDv4;RVy**LVB;fcc2ZThgx1+8S6as3v0g>9{OFwmRK%ZaBduj z_LmFI$I~MhAQ5)jZvy!9`E%tT$*GllKLD>hoFE6_KVDo0p|PkrHTg*2F8)d24cJDP zs3VOkezE5dmFs+AdMt#wbw+%7%n1#2YsO{_AG*%mSj1GxtfG!>R$5C!(Xsvfxa==Y zNU8KOM+Xnvu4HT8Fp(-$phSa_x)Ve`_7ErCGrC%1L7gyH&Rr+;%3qpiCd5dFj;K5E zI>E6g#`Y3|gT~gCYR=@I5GonaIDJNqg}KEI35?OMEx-P2USjBy``S5%w*=uQ$2&P^sF{b;bo>ZuJk8 zlor=_(tmscvSkf2pGBfLP(h*jH$I}EpwuDLxS8ZZ+_sbfoD!#L8E&?&l$QKR_D&^? zB99W=f0K+nYUpp?J-c&VL-ct03tN1o_<(DO%5z3Tu($JjP2)?D^7+Jj5I!&ZBqDCH z06GHZk#`^o>dgl=5r|kK&~W~t_>L;sJO>Kp&k44UaQIejtxbSvzNZllM#u{V)6*n| z3t?NHSk7ZHCzJ)}*@ZpO&pQh`r+4aJ;PYj?>j~mQaf=`t$~oXNIsjpSgJXNtx4?jn z6n6lN1P+5_dXQBE!D|Hx3PE%_Ksf?U*6_j5o;*L3n7*N~dQHQQ#McqnM{2FMH}{^3 zd;S%}v8VG?80UQDU_ee9ADPv{6+I6>@`8A3?%;tQa{5{o5yt%o#}w&{#Q;^-!i6+3 z#*=ccyLXSl%F>Q0PVPl6Ewf~a*x_3``7mY|->jS;T%bxq zp>wQfRDV)U&dqJrJ;YyQvQ|sZUvcDG8ca9};}QzL8QuJs(HzJ26~tr07;R4+J1F>J zhTO;Z`OFE@1`{;?CDTG@r< zG7GGC^A7aEz;-M)#6kkK!W-yq+68b|4FUou> zAke=W^4}@eJ{(1P`ocdi{C*uxg{VhXdPNDgWK>recLZuTBOpdWD0iWq|C{2a%sL7J zJ-fJK@U2s;h1gKgCwLK+umO`%M2-OBCh`g2tolU}Jr6fK55KG=PUEOTD}0ep+f|5t z5)sC}f$)mS>kUy@@=(j7#?H86#JwoK1ZvN1?AI2yCE;WcqaZCxvfc*FV^|AuYeNK$ z!o9@0mmL8|4!Wf5wRy5#P!OwH$9*|#AsI^AV}HGv6KdhS{Fv<5()CPxrBO@T3!BT- z-{EuJ^G;{Di~2@f2tctS%MNaYXU>KmS>KsA)UL*S`!dM<en?YmQB4GFa`YhRF6j})mv)dr?<3i{$A)~^Vd=;9)n2=vursYX0Zf)=Tleffu- zEkv5#^Few^lM>oc@^mDhI6vLC8AOi{%ZD-u9%R*2dYUwy{Z?jy6bYq=W1#M=+U@&F zjATv@zQia(r+Tz0EA7h8t9<(k+Xohg94@kfB%r1twLEM~qP96PEJK=FI{sMt<+ zSeA4}V7?hc6O(+kgE{35iBa)ksLt2zqv9diADfI&vBI>7q{0{>>A+&779R>gVMH0S z{xam+n+1}ZyCB^_pA$ihM`T_g4lU;MvU{FkGYM=s+g`x9aojRc<1H%Wqwdl8xCZ}(A7 z78=#&#M``OtlU_TeM>&?G@pg4H@kP(fS^}8dciN2ArQk{_QWt@l*?-LdhTGo1ySlq z!$0dRY&RIQ`IZXAo5*qmcmxr57ZF|wCIWwu|A`xPLXtMucoc|CT^2Q6@PvjU4BO4d zpHJ_8958H$htT_K_qw#XYKzB^^ixdv`+qp`Tm7C zK&~jC17#`>ynt(wpez|l+ajM4{e|jWZGrxHKZG$q!kf5@=T2g713y24mVR~2 zQu%}V6444$u{&=VH|apZKr$s5gx!I_b* zBsXGX(NiELtRtz+zc{9HzT~TgnON5B_d2A{8|0f=Cck%-MIfxR6z@UdU9*Ns#lk^+ z5_^~j0}{qFk=n$?LqWqiabkbyv%e{Rc2cloUZ6Jt%^Kiv(SE^FV4UJf29lh;^uw_Y z9hXz*5Gm>!S<t9)w5O!L+1b??a@x5e6hJ(w0B zN4&m~O;`hO)*%;s!hYY9sT;D(!w(#Ts4V6Bdo!(iKFkh28+c!g(y%`0^T5?SGiHo& z4_3)DV2+;5!e|zAH8YO1nrqHMLv+JKsYX^ELjGfg{Ciow9wFDEQvfDlTBucEV?&c6 zRy6~uL9CE77s0eqTM`!z=r$Pz@4pMRiBRiDk$SV zU+d{8Hv2uk91*5%WF>%P|3~2_fN0Q6RL+v~*W(|Hb)$w<=iEW2c;~oRa$&n{{`szT z8MOW~_el_F6qqWg>%JP>!&~KKhv8TA5KxF&3k2baI~cf!itI%palAiN{F99cuj_d{ zDGDJ=-eYit;||B5o4sWIrt&P_jq;}0VpeCd@_~W453|d=JKgVNyBV@IAuR~wla2xg zs22)3ok79umi(gKN3b~08|*WOGSjUul@5ZOu?WlpChNWdF+soG1|9;6qSgKuMV2je z!H)`!6Bd9c;!J9{)j3a-k4Y~hfJx&vNMR^7&iB=|MHAXOuk#YFi0YSGP?L+y`{&Kw zhCl^Uh+Yy8ak0cxVm_~_wyJDFvXWBno5=JpA&?j(8)GN2RAk~sDm{H05jj@rWymWa zXJ9_6{!3KyQV^8Db%voJIoU0>&OQ4*-Zn#jE{00j9p)O;Kc~sd!gaB=HVwoxNj^Kx z>e@MhPi`Zvp{S|w{A{`-mBm-w^sCI5j5dfjU{oFE)(8OSOHMij+)EBJuYlqg8*K9d z%ka)t>19f4YOmu zl4CI1jSs`#|8{=urMz(ygs+M*JO!`a4Q^`+$!o#-;HK_$J{Vx~`6Jvo{!YjeATC|Z z^3M{hrx`tXL@b@c%UKt&I5q#4w7YNz<~-hhM3J6MzTTa}ny~NpR4yvv|0DthW;fs( zUFXk43$yTJvuUm2wyhLle#&{+XSh zAK?V*!^#{&&)r9En&c5~R)~aIo(I&WVhqX}k)E=K>n~wvk^83FQckJ(Z_lU>Q3dM= zEq_*ws?lcQB8>@$x$F3aOS&-bH8`|LqkZz&M*7sJ1N*!EOHa{=z6T4%`}>+jfh=W~ zn|LY;4o;}HJV#>E^1MqNM&mI<88^vi&1N495v*Y@1d5T2^r!imXF)(dx0~j#8B-^o zg4HzC%lc?|vb!b!6dlvXrM`kNO^t{V7qcEwq1)bU3dhM7W~hRsat(cLMo}3kZkXfe zC?d~Nb`A-UCCgK2UE8-qFKHQb^(gJS?H=yVg;~bn+D(rtM z*7y&H;_k3o5w+?(_Uu5auyaD4*cMuoU**7W_kSePhxj{ArliulPecm zn!0+}xnMz12JQkK0?WYkm3!-J$lTDo&tSTL$I`_(tfVCIlHW2k@QGlB9zslNvbI4G zC7|H83Bto&%P*YCF1vki@v{lYd~|^DAU-}{X{XF!9%9duX0u#?$4PR}pca8B<}&Lj z9#mOWC&5L*xPW&rs}@~W$+d1tVoWxb2PXmfldILWz4|`G;l*BoUYLz>YxHw}+rKRK zXTOg@Rj%BmvYkD#|GlKR0W6n5E_Y%V^5YfCwDh}D4D3Jz9Y#q>_RId*r>Yx(hgQtR zLk3OA9?Je=$wXT;2>h{lK}6EZ7iCzYz4~I`l-WE>=+h87{i+YoM#6aXw;~~n?48w$ z{cVh$w&q%~XlzAQ?)&wLaxap%2eg>k_}e+c|JhQYv9tNN3y7oWSPbgahyyAkvBk*# zT>GWibe;@2@lldDDs&sPcbjMGnhf0A?rmM|0lFi^$rygBBkLSjIx3fS{+$7qTe|9& zh>r?5V>nrjSSak~&9FCTkIaR!K~lPaq9L=}39)7p&@tSUFFiv9IaS`If=cpam}EZ=IlvV6=u>n3weZ4Xtj_;B`k% z*a1OVEQg?pT61iQY>D-prsjxia_n0!Q0w*h+h(?4x8Wk}Si*wPDi_)^}w|#kG0)>sjbVHQvLGf5xx&rKzcU$|KjnN0YxvTa{1K<_PDbT=qtm zwh?y0>gZ}`X2<0q=Jr|TlDef6)RQwdsS2xcl|Bg1N0WEUE%QzS9O`cdlkOzh2TwrN zLiSuyPW1hVEI5hV*O~^`mFm$7qrB9idP6yrB?n-mkIF-4St@1#`s-8VhxjdQ#>~*) zIn0dIa%`6;V=niMjT(-h?w9ffyJT9~Ouk%Bh~#H!_H>Ru%kp|PO0I(4I|Yig$0W~W zUwNd|fUnNkJo};(sf`nV(vylLyXGYK$nq42!55O+US|~q7i_Z1f`;Zon zhhr7xzW%K8W3pehJng8%PQ~8c)P-|T2(I*-a{3ah>L3e!w2d1L*f zEj>7xpSg}&q(*D`SepG_hQXG}TPqzUwpuR|tZr?U)72K#RW9j`u7mLXVkf(GNL|lU zlheCCBU<}vRzD4Wf&FJ|Cd%GpJ(`e&Fvv0kVb%=V-1tK~hyF5XkJjt)a~A%~!4UN? z{7Q2sg!60_WS-v%$=J=7h{7-aZxI&n8oZyjR=VuaL?K*}80&*1b(;H59oeE=vu*(?0ls*9XPKbLCPin0@YUHp_Rlv61rqI zJJ#$(!WNqTQVat^)5;UXbIcoQz@DfgBZ0+^`vVx5EIXbqVPpCo*2xGH3vw+js|MxsrptwuvxEGVpe7FGjG2K&!DPu`%}JsdKk|ZC zCJigQQZh&>=DH8kOqWO4DOMsw)D{&OTfhM9&~+z_rw0!l#mw;9ihY<#7`-{%rDua^ zMlxwsFwfwu81_FRU(i7E_sGE>U1w_Oat#53#ssVeL0hQ8k&OCsL)1KK&cQtL!9kt} z+;{r4b?&s8h*eRJ5sfwxJmZ`yikP5Wo@R0XtO@KyFioiY5&~yF2b|7%1}%2nfNNCt zhY&NQL7^{gS87R!3>=fHFmXwly+9mD5TrI1w17(JJIEP1myEU0s*|QY+c1_}^8*9! z8}oB~KShaR(wHc_ISGBCzv@@)$e_(~r6qWw*_GsWgI{-aTMjgL&9j1)9ZPx2Td-V~`$d*q~OUqMRZcFmqKgz-HUCp)T2uK@WS(VOZ{3+vk z^NG8Nk^v`m|9;t+*O9HySeF|84*=dkA-`&CzvQF(HpVoFIk}i}BBm_xchSx^JQ@Ob zyPwzA>?n%(n0My(=xnz}=S>wh2`Lvt=k@(y1EJW!#Br!6O>+_KaqxZU&Sk=-y2-KS z!(5x=48e1a&WX#eX`}NjT}&&mCp{h(ZSU9Hk9d*kFrqi~H&xP)V zMpN*2Ch&Uh5rH_?Ev8tDb}cZU!#lOEHv|a#&{U+h3(%qUrc^DBzW@lp#0LOC5-#bO zdRT&P?*3`LdiCWrfZR`i1{VyY?y6Qln?Eb-|4QchHoua2d9%H$p1{Du7?=4aJ9z4+ z1hcX=93Cgz%qU4AVeCm}2)hF|N@mMg3975UI(#u-Xy-sZrv1HSNXdBA7uS&$XNGr9 zuB}h#F@>BI9uHC=S;;&jl2cD8an88Z2HECYg~wN3k#-DB%M3`f$L2MCh>19yGf50$ zTzDL-X3rJ7Juj_d3~&E!=bvwNg`%0F!Q+I5)NGO^=p)C%Gjnpcfkj{|+eI@C#im7g zmKdBXS!x1kA&s}S-$pyzMvE}Q;Vc=!d8`$b5wXTRsdBrdNseyT$|k4M=htJLFtL?V zx^H*?XIhNesn&rhGR`4UW^jvB+oARIB=p$@s98$){O?#uJ79r$94MVD(xbyZj-+01 zl4*x7usu&M9#8ORf`sC3?J_AO$JD5f0Lp6k))6#ala`Cph-IpN<_;4FMDgM;@q{=L zK92DutpwT;-$l{n(s8f64DjTuf&WwQ>(?~gU#~PgUk?q?w{Ly38hhW+7JB(+dmH^b z+Ht!YD~)Ss=6(tiozS^D5agP0xDr&_In~izlHUu9G-;QKYwvoCDxPdRiu^eW>p+U5 zxq_f*@q=dQZ{K>V_LRkZU2F_;BZy~UUz5F8ND*2bunDdeq<2P3MiR6f)KBCnve5*$ z2mh80Mf&PxAueAoo~ORL>7w&F(fJNQZo2mQ#+$_~k9tXW!&yv3NP=XdF6~4;Qy{}h zKO{GHsr9cZ?qeIZNNEfD!V5Y)NjFD@b~L&4lh_>k6GDH+L@`HiczArce}VjgkKrZ{ z?G1tKn`nP;c!+-cUOudV08j@q7ba!$}1Y1TPC5VjBYPA(M)A)}Px2zx{j@C4cOw zKP+*dL(W`Hi&>Ul&IPCQMU_~{XFZW|M!;!0rT6}w%4$?7Jb@P7jvaZSu8d(V9K z{_^lY&OV%99G+hu91Zv09UopE9R9rb@%ZBM9bC00KgT9 zm|}1}R1-9@L>L6Zm z6i29dHSkz)Q!5shD_py3%Fpo(u9o!;xpR9Ac}1!moz!6o+8;nO&>_BesQkZWX`BB6 zJSFkqzXb~y?xP|9%d0o9wsZL(c3!@C+vR_Fi1Kv}q23RAc6+<1XI|FSJon9BzJiG86{GDXzd2BJ#z26gzf&2&4|@<-F&2cU zKaLrn^&BbpZ8P7M4J)xwS4pGhj?#zJvK}0g=;}qXz;{R#>3*rkGKXo=t4x8)RCaLB zeCH(e35PBM>N{lBD8aWA8uoV4PT4Q`OAj{plHWdtR4TYO+b2+L&Hb;XUvkIQhI+}U zlbEmPN%N$Vqgkq|H807fv)edTN$ZN~${}3`3x3nD%!Tju3{W?(&2yV2W;U^Iv0{c1 zwyS;yZg{c%>Yo)AEK8g?EP+x+NNRgg{2giGq)xsgA-1b3SVGKlbXY6tsW_>8{b|AS*%7U&|NnOHhn`0L-=4_C*6D|f!{I=F zk&E_GumA6Czbe!JyZpZoQhxl=WOqX&@FE9mrJE@YNP0>~RG<+tIo!0F+mAo4t+`ut$qF4M|6w^pY&SD%aBR5PX0veI{99f@-~294-GcbA9@=IAY3psF;R4q;C^Gqor;LZ zp_u?J+tAsE;l=y&!{O!L!O79-<=NhF_}ho`gP(p_{~V8qCj$U!LW=kMsRdWn;48UC zBu^KHclr#eld9Tyf9ic5_*i1c3?K;%n1omV)fRX92H zgr~4-@;oNO)Y3x{!Ejje4xHT5^Ekg=t*N^nwH=zO*Lp1&E6IMJ&rrWF# z*iX+-$u;56+tH}6pUNs}1;1J{^+|aBQ}673IyZ&s>LIhNaOk6TD*-ZgiB<+|pmnwO z%Ijq8OE-+T==b%D@&d2cnpQu-Ljg)z7xnvQB2d4NBJpQ{`hAFl+xjKB{}HHaurJ=; zKph|DWMMIszTwo`3V?W^>)HzLV4@aVhZ1=AGBMiiXh=hkZG37sVryYFi``^9NvzO%HnLnVp`4$^E%cHZLxC@z2M9Y<&6=GD9nfQJCkAaX_#$tedpDT3(zL`J1^)?D9 zoP9XI$RV*z_aY)5Fdy`1JvP4el9)8D=YGQ~3Upk)M_ci%s>8vol1^xb=Sbqu1YtBLH)uw~SQ1elCh_RZnz`G= z!h_@-_8VB+n-KLf)~kCLJczFKlXuo9rwC=jS*zc$HzJ663 z5r?z-It_jD1=;21+64}%@jlt!fEgaB|1mS#`(_tmYYtzQ!BZkx9&d5pc>KJd7j71AqiVDz{eSQKnfopa-2YupNe~e(1~Lj3>ZAVt@5QUPuU_Zw|6aU!@us`~ zdx-M&>(-Cxn$C8?b8$=qqPCcyW{ND{lOJqXU>iao!g|97n)}W$V zt=bSjBewMV?xz(XIHI;O-&IEr+7$hF^yh7R?m>O&1gpb_zKEC_f=qF)oEHFG6NN#F}Gqz9K| z9Rm{1XzL>#rrTU!LjJvocpLSUv5~@3DQE}w19Z6iQ+skHEt53#PV4oE(@>64?;oQ7 z54Cf+ih=HIBLSOFSf7AyxC6D-a($%;^~`vC?dDePsYRGBz(rW3$S&tZ#$4ZL>Gz;Q z3{;r*+8H$WNxFl=R%HUIno4G4g1^ogllcv~HwoAX2kB@1H(W|Ah`oJ)YB>s1eMO_m zK)ds((jlOAdz{PVTi4Hr{V07j)vY#a2VD&Qyqe)xz`Zje4s_JNqwujWcqqx}!}rsVw)F&wc|@HkPA`8)eSTq>`p>t(CgwpU$D9M8au21|{u^8FJI- zpZ;>~GcvFAL{i!$-)Gw%+_oHt{$3DG@o79mJKOE$W?8n}TCy)q?PaOF0CihZ^+Bka z$xhvdvhHTQAeEh_i;=mkVHKUr@GGTsWyO1=wSB;=rEmJmw;<;_*9{ACZqlxD>@`;# zcV)R&ByneILGn0F70wH@8#HPpOdi4I~q9^~d}HDtFz<8bX2VU(%8 zz)-ChW0IY_ZrF))*rE%QgftR&X^yh(t*)2ct(xsUR#h?Gsz z?h?p7`>e|-Xb;3(W0essSF_)yzXs@)Fj`#wwLh)#7{+mv!~jyqbtePEu*KxWf*fY5 zXXc3U_7rYGPQZBK@nLHkqD>d=VAB*OwFA_3O2!uIM5CpaL3xsxX<2X_cC}Gsw^6cRW%EiWzZcV$H*os$3)=XU(!X>+Hl6VzJeo~JT+W;2$%>nqv!Y!K?o=)N zW;m-}*cC)G+r)wt%ggh2v?$rFOHs9VhKo$7Y2!|%Ls)B&zZ6Zg$mKk>t)WuG8O3## z-q$TOqJ4C0`L1*~OcmULG1enrh=-!dB^3(n+`KS1*w~_5^k>YZeQxggBlW{i6%CzE z^}BOocxdNU21$mx%(rYnD|q7lgmi0yY~`_XvGj^ zAgUqS46EtKUXhxr;(s$5qTYXnJ*R5l@i$27<~M-<3P0@~e>@zbPkYBl2YVMsA5M4w zD})C;+vFBzyv25EY&D3@kHC^treOYqj>bsM(jevmqQa!-n-cIGK|TwgONeErJa=ASvy-cGH+ea-OXf^I&76`ez-Aa$^H_r4+&4 zWcZuNsRydwf3g^vwB>?GG-7g!u59%y!1Ky!bA?RsU7>`eq%&h3X&i+jo7EY`A^kHZ z=tc+VNkj1*AMBm!CMOKS9gmp;*%YkN1dY=H8v!4P)_7;WI2)chhTG`;-QK=)EU=#? zV~a2VEY^z2jznb6-&wnJKEj^)p)h-Cn@!}@11eTvObbJ!A!6JoT&H{(f|ctH=fFSejnVKZV>0dOQ=x>yW_OI=i|ej;2X367X=JJWrY zZU^}~DUi&p2r|1ST0;P&|??@oyy--7()b1wh=+KHr|Nhg?;8lNn6aDX{Jzg;gPDPR+> zkQA<>nh_P1d8rG6!vV30Dw}}-C>bVfk1$M=S)u>|VS#Q)5a{d^5d71PJq$Ku0^-j@ zA8=Holc_|GF~*=h47eb=FsKq^~gHTIti*#9PXs)IS6En)%O5dZ7N%NKe7{}-=! zUUl}r4^bQs%13c|o%7Tzzruz+Fx6&u(e=*SXBzsu>CNTZj7aQbiFenKiN@L9H8b-d z;0AsETH=hLe;o*kLmzARm0J|j&?lipuk;;E;pr-u7f9F2W zJ$J)sKTiOrm!map-KJ^F^s=!0pH;J!S-v$h<ZX%PtyIX8ep=Y|?|Ly7NBH4Qes@ z&v8GXLN0g!Y>@xkJ8ug9pKo5j=;Z%Hlyspv65EDdSNz)V_sd*_N<>&zf@NK)AN3me zS1t>z|EwWXd-bnT|9kTyzy4ppe%-}?e2~&Y|I;~|`XrQm4xw55+PDmqg0Et_DgF%9 z{|_dAeRI^qj0IXwD=fFvyXR{i*T}Ea21~WUIz6zK4fOPbb~vIT=JSI@uQY00gynP- z{h+fWrFz`guMmGw|Bk+W1LS_N-4khkxJ9EkuSn=Qc3&0xRkK3dhM&JJr0Djunr?=> z4IIh-6VC$Rq8cy{zdtS@|7{Mhh2H_1nu0 zfB*Y(d#B6)^dKcC9`mxlO1clVv+-Tj@ie{Y-GzKE$8I~BU*6pV33}syRW7QnE4MSO zBDgkNg@}l!2%?jRJCAGmo@`u6lnHiC{;Y41jncYNSvi|h-0bYxG~;#1l{L>06Qc6! zM2I%^=2XhaVKG&7rt^Q>`R7~nL1I23@(e!b>I)JO&m=pqVagen-c;w`F6B#vI19)w zGEuJ{;a0nV{Lk8*F0cbM+5fzH`ywy@)u&GWKS0Te%F^iRie0tX&jdry>ZeYFKL zX!y(TAKl@gR^ms@A38D&AxBj0R&IVxV(pDa#6*9#DaQALfZZS(j#wP}PHqxmB(fu( z(+|}w zgvW728u&BO6u$c<-945C_Wz>O&5G{-itj(KUUu)l4^whW$njju9sRNn&vousgH&HQ zgEZq%(dZ1_hJRlhKBw0-AQLw&zxL%xPDal?dnfzce$f$zl0TE|#!`Dc?FX37l3&3Y z^?>rUI%oe)JV|`@Wy*v!`eBNJ`gnAG_Knwp3_OZ$qpy-M5@J~vw&2d1&r|UTo-Tr{ZwQ8PqdK_ zWp4lu-24e`t(d!wq+MA+{_DF!vG@_7N&der`2W6m@v^i3eUS3CCIoIag#4h|JwsRN zB>So*yEfbU5aB;#l9>HEui@+D&&p8#Jk6NbdshUjh-cbEGM zZ#93vjbeF?ck%Ua9(Go@{$IR!TR8u}dD)%+AEYet{%82$#PGp#?|;J#kaE?r`N&wd zoGZ|*fBsvj?TX(C+m4|8ov@7~K_!F=T%P31VqytHLLc0ElgGlS%)-At-DxNZzjh5v z?Uy#ZQ*2!@vTTQjwpqNOGs0q-HqLx*gHQ#W@;#@-hPZgwU%n@0ohVjmfZW~htgbAw z|4S^%I1U7neNM1%j!MlJLiPLq>+RRC^8O#MUw8iB4^!Hmr&X;V)SRE2IX|~ghG_RE zKkFZ~)L)3O%@hXt!lPKTz-u=GNz*V>+6jiHzB?|0bUaTE=* zSr$Ati&zNm0$|);Fo($yFi3X$(l`?NSeQ$CLw?5-PW|w48Kx~QqZTosHQVIrVqUCM zg8hI90p^_=fxI(#%Qk`kwo zdd7*Ee_X$G$}GNW;g$Fh=ayTmen4+CY*(TH3U5mMI3WDgdH7PAp7U9YvZ@xnqEeTc z9yh(<3{S{e90d9j-*8irnF1!^Mqk~Vv zMrt-|ku*&xgs${Of}@;ARVX?z&o~i80x-?RJ=B9Or3(F>ZFe~UuSt3@7&>t8h-Jup z(i%loxfPBsRE?nVHvbG+^;$OhOy-84MEgd%e${}R4sHeLMPEMm>k8LKrn8poqwPQ> z3kc84Jm=#Ihv9a0_fbf~XEX$G?>Y9!8Q~QCkyz-vL#eBl*~?o3Y{JW$*X`>8=G_&Q zR*8g!98u4`UvS%0vVwN6-RPO8an1qY$ zJ6vU6B#3&L7*1OECy!)v^(8n@XWB8Ua5?#{pj^Nw3T~~q5)ia)dI=%2xi00>CmDy*Xa+CVE z3FeksSE$ZBr#u@ynCZ0Yz+>UK8dq4{=zW*t0KBY8vf_h0Wr6-qC z#i}sXrHHi0p>4l;3TwzGYGWvbzgbW^#SL_|EQZEAkcH>_aQ{8_Oe z9jiuF6nW05N`+!O3~B_T?VID9zMHMK29HE~mI88YGh4!|6Atx*UFdqI?C6_qxa^}& zV>eZAJWUr4t;ZH|%3!GmScvRpc;Tnqt4lj51#G;+@w~#@y!mwmH6Mms9(~=L{=!K& zz3g|WS@Ble;+$L2azWWxcyg@RbW2xn^TtvIul^pa73L(o&L7eB?7us@INdurx;!|1 z_wjvh*~7vy)67H6=Ozjq>Op9iUT*e$GKweVR}^V~XCHc%Wl%la8xDW_aDH(4^U-nD@T>MV;~}=y;CxYJlQR9i6_#ZP{+tQ>Xp6?} zS28!QlKD~}QAD>sEtB!Kd?xeVCbyHNcyj;vF3wO|6IPC@++;9sZgip{XMlZ!xp=kCBfd3nC(@Np#8Ok$Ad+Y zJwIL&+wk?U_||wEyAs^l)EkcGWAU(ARz% zXneu$4vvOP^>{#q*W7829g^0^G$d!7jOmw_XdWM(9)ego`j7TFI=w7*7OFz~g3ica zENn~Li=&gn|KEqx1$ZXuUW4l?%Dgjj|WE=3hkEII^gei(9HIJxxaU@ zw+t5hSmK}>nUY@jkB<&dFD_4xPA^Xmhr_-1hi&;^2e?0>;Rz7}Psk#RZuraI`Qd@$ z<>L=~2baf3@6Pwmk6Lt{in`$xbK;+I5-{u^(-Fs`n2 zPnBKWiMvy%XXali=wmvgvJJx}2g+nPm&ZpZN7V z46VHH6%Fjdi+&{}!U4S|;;7&fSUIqZ{jRFAmQ??Hw;Ltn!}k zWmtamxv6AG2Q@lRn;us*6!06Gkx&*qBP&NTyx6-qJW=9QZF(O*F2Zev?(Sno_E{XZ z8AxtQ_CI_)U1TgJeXdH_O{OD!PG;pbf{G7i@I}I zt3DSQO)i;;i=*_Se%enCrQ}WHY_a4xCG=DC5E3EII2%>G&St7)u_a$p$CMPg65~Zw zX~2k#5o6(ForRc>B_3fxY^13oK!q8KCYMxjg8ez_f2_J6EWa`b8xwz|e)y@Pp@W3B zOe+`#xfcVqCsZUvpgvZ0l{smv%Ad)+p>A?qPC2iK`ct&?;_YC2uszr@wuS9E$6@3O z>#Y@#{Z3R=b9RrE?76mjE23mkz=0184h~3w=VhJ+*%ez-I}b3bbW+HIippISbdh@N zX@-)mmTPo#+U{%Cv8CGt5#SFxv$WW0QuO3QYRGe{x%LteM>@h}%CAJE`Vwyg=& zT7%XC5i{BKO6Xa$X|&rg^iGi7n9`T`C0^%C_}~dG_j>vjR(g``FiXIC!v?S5;&mtb z-PcC3&?d1IAzT!eAxM*0Y+<0^g8e!9Gp3yQsJCZ+viE2-oS=*2A#!0OD$*7=QxZZA zDo|oIoWF{&Ep=>^h8d_BhRvF}i@vrYTq|9!LXS(j%Ft{^d>YSo(FvI`KF^Yq{zc%O zV;Akbr!D#1jRIVv@8#kIXHD_Ts+Wx`s~av!!m9m9M#hQH>cF1Z~QqJQa<3vreLf_$v#htFibiGF}hAMO5B zyf23u=-W4#6jQHGt`$DG;hPY`a0owPeqJ5W=#&mDZIVS!htw>4b132X)QKZ==KeD# zB7dY6l5y*eQhGk3f0aI_mBi#Tpax!mMHH!B}hIGtfW zuS^P4y0%vkeADz>7J|~E6fBpL_sNIgwBvt*(KmM@oX>x~IG@dk zx?wI2({wRDyBMEcjL$B{r}IeI#rSOMpo{U@#rRB17vr;w@!7@r>|%U&F+NvqAp8{V zUY~|V@xN-2&$?r8w#~9HMs+>hM`+LF?s3_uo-F_raQK@9^!z^O*}}7B7sk_>vqi&r zu0F!%gTxBWui^wPB{KZco>Kf927h^UdUSE{?sD(^{UV;&P6sRUC)W^v!@&XNZIS+M z@3@khHE5eo?u0l6NJe38nt6rpaR2=1>|&V2!)V01x`#zDv}W!LVp$ipt^~`fURpB2 zBMd)VzCrGZp~Rv8Zr(NkU8|s-m7SOmzcA4lDq@kaolX6nF}`G&h)fc&V!GlxQ?oV( z@RCzj8#=i9bZZ;Uu#kk8v|2EvaTkZUi$lCf+*BusZrPF(^U#}e7P46Evzb!udTc!I zZ8TAE_@Afyznp(K{qS*kx&PthLbzJUDIFg^~^jr>#LBogTCYO+&v3+R8$$G0h@5 zFSfe0!gZrjBxW#s0^5cfW9{D2T5{~2@BebScX82Ld|>WPFR_%ZWr*oR$ADa@moY?s zY}?Pr^X7=G06pe~ps%f|)@4BGG9Yvr5V{NqT?T{(9J>q%T?T}jUb_qkT?T|M145Sp zq04}fmoHrggf0WZ3Nj#6T)ck5T-A1?`zIucNute=`!%Nlki;zo-PAVmx1U0Gw@Ud*7uqBneaXd zC7(x(hO)1HL?GDyS25ibe+KIR2a~_PIdS)OrJ=`ZBt;rozx3y-dlpRt=&vty)!bss zIKEaRy2QOu2Ek%b`UW)n+T3F~Y)jfUx@r82=FVBrg!Ox8je7ElYreme`rpm{|0$${ zX~U}zm;EW@Out~>r0TZIrA)H$R+cTP0I+SMq#R;1B02SH^TC)Z&PW?v?k&v4L(FAb zHU*Ze7)fJ{N7Tv_z5?7Lj_~c=;8m?3>=g^z{mIFoa}*-ReZrAsCLxZU3^Zpk3JLMm zPa+~79nTR)37GYAe^~g31` z=8)wJd#SsUQh{`^cd>Ul{P6L7|FGVvE8;YiW7L~6A%9BmK_bTGPyg^yEC~PU9|D=7 znt#HzjQ;0mGXLox0w`D!;>_HeY;3gf^GZlsS~b1#seqNa<|&=CI!79pW*^Uw8cCK= zYxf`i)<4AmNomxM9O;@!hP~9oZA+EU9p2gAaQI!Fmh#Ay;qgd}&lmAoDrKcQzqL{% z-3!(FsZTaH=Owzd$&zR9QuudsJX-0i#Z=1ZeLi0sLXpF%iKnxqb0(<2b}U#z=MDah37_|sMCfgzp1G&X z^b8rwdVe$zx5f&rQmPbe!2WILpKq%LV!Ae#2;Np~-0F(GFxIMU#ZTd?r{tcX%l!LT zGyk>_&yOzs^&@#^YWKvn)U0MvT6{JeUY-_uby{{}OK|A&QCBai)#jrvxukB&qg>jg zO$y}<0`5gz{sOtRiqfc_EVZZ%m?f6eBgyVvLgKn~(3#)9P$6kJfwa%1*k>QQlD6_w znl5@5FsMxaT-gWAnEH5{@dZFXl)OJ!i;0G`JgSvfA~Ci+#UOm_!pE=jv=+Fds7 zyJpjN$N2PGpD(N%cM%1G~QoZrOz&;-Th9vv=MrSJ_>^5lnMtaL_>sqpTfT-Lvl(G z_GF9$6vd-}is>nn=LGxnJ>Ta<2&1(>Lt{z;AB{-BZqSH$I0oRvg?&SVK?cWY}x41D`qu8zbVW83b^HHB`w_$uig=KOv9dfC!Ido_}pT>_H;>okqzWNXc*gTxS>ah_vqo5`^c$!^b?_V}|{A zIKZK&Hiq^+1le}^zH&d;^*V%;=D9l2EI=r#Q%-_0rW z38Z{z-Aia&2Wcoc12pPbI(=~b_oP4vob>|R?CcLCF(NVV6uSh!r7pB ztG1Z_x3KC5rAhyL^Ljg{|Lwed{j$^l9-=Iw*(Giu_odY3J6Necmk0iUs$5;y523~7 z`(L>Nm+#=a>TaFd)~Ris+V;0q+y1q*HX~W@?b@?Z{~Jt6Fr$-@ak6Y54f@~q>z&s* z{cn5w#p_Q0dx-K3ona{n4+WA8>3P<+Xrq`0J`E=*!ro^*A!4xh3|&mAKq8J{$s#c& zL4YO!8zJCl8csG5Cjpl9nt;QG^Bsr&+A|cAiGHzK*V$)?udP-7$HoAC2!lCdA+%H| zp@?u4(2xw)1_#5-p=6w_JwyAjkkF_7A@V5~Yl8`uTkyXc{k6g9FTMr;Yd=gUTk3!8 zpW-^)N&$_q_c@LbSbVPiI1o3{+K+<~{=D|%K+dAIAOD}VXXq2=l*Ixa9UO|aLB!dA z6Hl%Us88^guE*JbKgG9+#`S-GxOZ@JIGFj%_ffn4U%h(!a_3EU{qMZpdAr@M|A#2g z>@(%?{~oWc{ht2u$GUy+y}7w@owgaDY;7QT+D2@o)53Ko#HACTG&p&x{OADPC<+qi~5FrVG7ZBrTwiGu*m=89^7e-Q)KC17wAO3wTk zqOq^7f$)Vc(1`00`^Kt0?QaA5BnsFZW{ZUiWcvQELGEsCWghM~ zte%Hrp*9IQCFu8GNH9w=P~#nl>4x1v3`_9A+S)rqH%%|(;Sh}oiiO<`pnDueB8B$Z ze1Q>dpfTev(u!dmj$>n_a6$VTJ`F9lVt^bfPO(5ELP8{okUG4<4db6R4yW&rPX7ZP zg^EOC6AZWeW(1pP9Kw*I@9%y+JI{_F;>;gVwzV;U`90$V z48R4IM69j#9kUCxGuV0Yzt;MCATI|ygYC6GI{Sno&aSCCG!t%jVr#t+tFu8cSMx!` zF~>sk*po3QhM9o%>}&yT)-G7WlIo+T3yfd=X;~D)8(gJ4d$n7(EEeGH3)Pp7HD{(# zID!c1I3+GMEVr4F`ecmbK%$J-j+$G7em}z;&xo4rKh~c`$sZd?=(GkXph5}&lm3e2 z6ids97Ao8ZSCLDk3U|}=*J&-(J>X;jKmCCm<4eKBvD=IrTj6ZW%O4Q z5Zj-&d=e0;jeA^bJDgrhc+)IxQ6w^laP9)xiFQfLW)TZXCT3EvBj=>_z zLP{-h)c%C9KsO`^2I$OiDM22NC1`lYK*wh=?b58%gikb8$1Dig4RnY{0TB*MB^)^l zGW=y^g2Ut~Ikkn64Io{!HMmwDJ3_JIpMmual+jQXKtmq%ajiG3W;jJ)`{Md#^{ zp!}3eAJ@4f>g3PkEURRnB>J^hNJKf*{J}jrvKtKu?6?qy2S3a??#}X$xZI+v-~YHm z>pmj_LY`pX*HO?>6bFHsQ!w_>j|#*G?^G)WT=p@6DfR;_Dp&`(>|?4Uh-0B2=;k4w zQ7?V6QhIe)9&uTT^w9zJdDDfV?a|SFx;w+CU2f5pHZB-YwhR+x*e7CwO4h(YCF}z? zKV5l(u9; zq!Y<>_G!`_!JfY>z{eP3Nenp?BqJ6{|Wgd-QVH$0wt> z#rBo54;>?DV{C_zn6el`Mj=6#H6ZEAgO*!#HO7JSAiijO#Xd^){a`Nq8Ufv+p#yJLKSvXY~_o#$3e!$_6Ey+wyQ(I5?}Omk`&TkNTJUDXg#l!8o*z_G;0 zryTq(=V*P*IP$;*`({dXkiEpH_VYgly5e!TCq4?oufXi~YHa>6yQa@z+rDA^b0@JD zE-TrZ~baViA8j2%wN3eB>0W!uOxIschcf~s&A`%X#bSx3$D5gG&!_OhR2{)0_u65>@ z9*!mJbtk9?E4S!s`wrZr*(aB-uO8kl`o%=XPj0m#w`2+CL}PV+&^;V6D_mrz?-NtmM`i z*eB-gz}#xy_;`MdMr1<6PzU&c-E7SGOoRJf{IR>WHDyBnzN^I3A6p|Vh#&s`e}2bO zayp77`Q!Kh^Skg^1pgS*Kob7PAAkIDm%X?vi9s5KjeqH4~Lh#Tqo{b2%fsP!$QG1xj!jO2dopt3gmlaAMZ%Sq@ zbf{ZoQj{S%TXs=tBDDknx!f$aZiFchNNTmqxWKt1m0uyyEe~?1Q6@d!BSz<;e?k zZ+fYY)eZKBd-mk5SOP+eBRs)06f(y}<~Xk*FO6bX?y;<#fAj@R4ZvH74{LZr*S0zk zNF5#XQ~&GkN{L98!uWFxXpT_O0E<#;bo>;N$(?V$} zZ=Yu$H~oJpuv>I$o=eA&#@cRTBK=2Ko>;ksC#XBL&vTKOhu)O4ki}x3&1SSD%Ic6v z%y(6^?>=VYbVaggM;wUSGjMxEBWr%$+#n&XmTrO~Q$|TuE`;b){jR=}>f~EF! z4r_#A_n?12WhEB#?yM>CVE%oI%j`IAk;#CJoT~6vF+d*$8OH$}>#={0Ly!2GW11jR z(s0ska*w6lqN~~b(wWEwc?sC3t+li1amoAy1M}tqb*ESu^D>Fe?e%9e&%~wgr&`_3 zlzLM{ZKgcu@~JGBhJHe!QZ?}DcucrS#F$i8yQSNa`DdX=5T{8bk+PWiSwPNGX@XUL zXo0=k0T}o=Du-l~R7&PP4H3jbxO~&Z)?QFlAfo<-6Q>v({baD3>mP?M=3j-h1TO#7 zBq-2%H`Vl&PAt{YtlW8|p`nV01xbIf%%VH6Sy(o@U2L`G7F}{2`fP@Fwjqlk_F!WP zqA3pJ8R673p>;0H+h^IQkV~hm$6R(DwC;fhqxd>xVLzSmMHs2`5&Ry-nf#?hP+t19 zdb`N6Pj~zCWXp=BPazRpS&wC@;kxo9%Zha$#XbkL_8PmuKFFsWjalG#uNY6R+@hJv|U8wVsR=u%65#fRgNkWedz%%^}%jrgX^pYGOhSx1k=J&!mf+mQB*Oapma?D?2 zPIdCr;Na)YB2 z9N9CtI>>jd^<>J5H?O0RN`JJ+C)J90X7i#@-!Kg3lXwPM`@8Z)%Du49Z#bw{fHLe8 zFms^{24ozE0(Lb z7fC{&_=+%g|e{9=L0KR$Z&#jJxu+NRl!uOK&f>6+eXIkI1=tzXKk~BbM~l%%L3j=Gv}2## z!+TdAYgsY-TzJv1ghV)?*F+qJlJILBtza}=dEj!d?BkckdM>h$ zA9OG7Pqf@8`|Pv0BvWdEeLPj|uH)#+cPT4opP|H(%t$CN=!~$q>^OIel1fPGT6Y^l zSH53a^~q~89pQ5_W7p(oh~QH^yx*ezlG`1)L&Q=N9)b}(2N-C~*-W3socl#cU(l7u zP*%b|UMwV=4JGC>j?Oq6)mt0d?7ftdM<<=`{(75DolO!ajj% z+40X)D=TE5bAo-^%s(aU!)?osf1X%b3H!jK#~@&nUzm^$emdwD?fE|P0;+W9sc9gr zv0%U^oo@4V%1XlgB<$1l-i7k)6R=62hKNN(ztneZ^t8%q+2?=?uZe>S?89OyItF^0 zWrge$P4?7(k6B3?Mb(A1JeZLngoi2#1wOaZm685K{LDZ*vo2F=VKa@vxXcOx9GyS${6?6KN-0mld*4i_lQI$MVz`A|f6gQ{p2UF36Ex`Ceu9o7YmRb8ZJK zs><2@vD1SeNm)JnG{slFMY@LOogCjld}kXkRgh3nNv{=mjTxV59on##hr=X1C_t)Y zV#Yh}yRWhm_7Q|%Q;!VfJZgUZxJAFlBf>)>i9kc$5~-F;N~Mo&xhxu8`95W(n-`>- z!1d-n5Zf@RmX9HCAT5nfS01+9qN}gpuF!gg_ShKSBEvob!~Q!Q;Lxkt0LMT$zYA|s zwi=@2glj+rq5@qVJ5{=q`{OMul|C+C3|Y)Qa*o5iUSp4;XIx!F92L&X}+M z)0M|jZqb$G@zOS{c{cKJx;+G&S7SnS~*>Ak*zPK_Ydp43D*}CR9RM=8I~xG4(41-h~J)z#m!*!rk@Z z6Dw7zQChdpvyX^Jb<6`#r}4Wo%?o=T5#ogT)&5?JefFRlQuR9KdAj8mUHyJeu>TvU zl6(j~vS5~`qV%DE)hpsz>2ps0jERsP3q8$pi?06po~}~*G(DddpH9JJr#rJh#bTaL zmv3K?J|qC8xF*uZ&{WZBPoy`^9O2UwJkm#av@WMqG@jnOOT+I_R>D3Wo6T6b*T!rk zFMT9KBZ9DRlIY+dKt72AHYYyfM8Ny2K7yU11`+f3#$y^%IX~k> zlv_S$tq#reR>XXSO;Z#>+W|UqUM*}Fwh}y6K&?IVY!A{&?4m2d#!_24PjSxwjzvt*ih2`{f_w7{;-06F+hcpbgVmJ2T41ocMKa#DQ`>g1cS)O@8ElF|ZHJZ~`4gG5fCa)r z(235OySj2mJG#Qm4x4qs(_|V8H(>WX-c=4(vcQIJstvP}R(trt-o-{K%f@Z=v|Gsa z%*F_3wKeSfHWr$YSdwuZD3QFLUfWwzblTbDDJ#{}^lESPj5YjYWJAX~Pr0mI&u=^{ zwvay{YCGg7+zI!~*tmVY>9oXR;o+g6!t-=Z^9%{=c)hGL-~>In9x za18G_=!uloJngcAPIPa`KR z4$EU)W%$Ru<$_UC$30K5+!y~e#KX_>Psce=wyczY1oerB%Qme{k9)qaxW)2NcKb5? zvphy!dC0O_{%I3r=2pMF2;&igkx$2C!bvEze%7v+T2~%xS*iZqDojWX|0F>|I^KCI zu!ytQ+pru$9aVx5;3#Vz^JpTC!=l8I#Gn;XVy}$)@3Ej3%3h``9feGsA5%o2<5& z%q-+bY%^Jy-8#d`TARsxAMwhE+hk3+m?2^ILBj2*dzE-RWhLeq87@kEeX27hoPFFn zAv4D3iDMAr+Vxdz1$0KGK+GnfSF6f}F9zs08U$#JgJ6Wc&x-S|v=DW>rek$NM?M+T zkocW4eZOV(T-0Ql+S(|!6GKm?te%US>{FL9P3>6dahH4HqFO7}1r1a?26_VJ9=NE% zR&`-B)sBxIeOdiwVUxw`U5r&bhI*W3B_=;bE~>FxUEXB1qi69r}*2SI0B|ESA~gi!taeXhqgkNI7B66F@@iQGk3FJ8Ynp;wz~ zcHyt>(!@Xc_B#2d7sE3L3nlp?2S3(_cKHB1n36lTA)N2Y7ij{@($EWHAB>y&R9I7K zXb=%^mBa7K-O5Uy%<}BhkoL~xEi3R&SDsv1P1eL5`;5hV&f=(wec(rQbdZG3?`{&G zYPm&MJKNhkcVnOAYI)dV7qgpJ(rB?Q%xTtbWZ%84D0+Sc`;?#G&E{3ZKV5kuWhI+e zCHwF=+!G%K;Tbn6^}*e{Qag=^L3u{%%2O#Txi$=mykY$F84IXaACJS8KBsQ0r4i`L_be-sK3Vp`LBMVfzevJE zT*8>Q=zxXKCEPPpPLLN+5=!GxtJEQng(2~@J4aU@cUg(*oRdCZqJVl-sy#|X*drq2 z#e0kP(68}`@Q_F%5cqbuiSTUmV2*SOJrpK@(3rCsx|vdMifB0DLcWPf4kfbxhVp%yNu=NO?0jLJ6+uCl?oyJo#pfRRF%*n-+6ES5$VKLpJ z6B^Q4JX2e>AYLr#H9@9Tn#tA-7H&~hMXFOrs(Qpncq|D=Q+y4_kJ$4F@wKn_E!tTz z%K>;H795ai)jT3oaU2KPQR$Hm)PU|X9z7ttuv>|_M9O7a-3f^-_!aE>*#R|(xqFs! zU3ti|l07BMJ`J17J?|-9dC0Po{UOUf4O@7{4$k84qU`CFmFP=Z_GwU`d$yp%V>P}d6u*$6a`MWtPyNxW zJ9+($%1TaNG7ybV%ubKy=SV^CVU9#srG3!ElpdE z@-YHpL3D6rX!l$IPkGQBX^15Bh(H|c7E^2-RlvIHd1p!Woy%&10|a8=5iaSNdRP)M zBpxqhoJo7MR=zlN4SiJ;#UDv`}|A;Qg0!yg9D@-fySoE z(g<|rdzL$<&dIXRuVmiLL0R_sOy(U6J>9ZW_SxTSA%AYs{$8m78la=GI&WQ5pZJ?@ z${uiX!m*r^Q0g`p$HT4R@Yv`;0*&T2xQW^c<&?}2cK5yRNPjzsCJ~_mkX%!h;}1>S4={(<`3S9htj1IQQQsr%!^d3dvq?ST(|*h z*UvZid`8`)Sqbjv)_1Pw&Q6t|_jn<&pn(%ll%?nmi&cQ*A;DopI5&58*V_6+epb49 z88X7N(_%S+``y%7l6Z7W`DV6`ne?Ea#!5kh>*c6pHEgmh3-q#0@Ml)lPo?V#rO z?HA9RU%J)g6EPgV#1W2z%J{~`&xrO>N$l64%elpS$2buUSk5 zOKT+Q&*%co%M_x}YMZxUI?jlZhIAV$>uxS$vxKBrzF$8N;<*da*^p136U0r=SJ=Ev zMm{*Jz%l9(lyMRw&dPKIwx1qBA>{!Z!{K{x;!@W7`3lcUZgH3r*#?X(N)&O^H83Zl25Lqoo7+qg`J}4EG1`W$11kK z*OK!Ce^x3wm&oUKqH~#&*0S>hd{!ztm&m71bj~H_>mf;}S&q#R!iOeSmWdv^eje8I zS^0|M5piY}bL8Y|on3zh`J|E_} z$Wky-@8XE0g2san(A4ghaj92Swu6Ep39ir>N15IM!Lt#Ml4$L_vC3y989oj9&=DRG zKP3aoMLMZaBS=6&L1f{UmpJW;mzUe zlbeXp737m-QKX{NF3o*pRg|nFWPdZyXVg9IzhUAmC7i@{muqI!uO=ULRj2Z%*JpH* zkbw3lF3G5SI&0>35~2{JC&=(YN* zKGvsW_fa*htH%2I#-7#sI)4-?K8eTgaNQMCbxBzkLnI#4l*J1jJbHhkXT=U13nYWBPXgv^<( zzQVH-@&PZyV{m0%gnSOu6i*QABdCX1?{^Zo?y%^ZiXq59DTxT?q~4otEi8ZC=l0I3 z4deMva45`=qfECu_~NODmQKH)>+UM1<8YF&hbfMu~j zrh6E05u&c|ID$tLM1{UME7y#LE5;)dqOJpK*Kaibf!@5mJn5jfaX?fAieQLSh(=U|oNXjV};MB~bO!l~W_Kt6< zXb8QD@)?7%%2`N>r@0UnI}$dNcBeSBUPdF~(HP-yL}LnqxYXeUV-ZKRkMJ1N2=^l5 zHyVeLkb{*4qR9@z=--F0UqL*36`p~^5}-s)zjL`6bU?EtxC!H6V&9|dp=?4^u~{xK zlpE2$*Vldf6FiD)Dfb^}d;5|m+uI%VZEF3{;{lnL+^6?ov>GY?t7eGRT3u+gq{0pzcx77wBcN{L*XB$l|=37BXB1SAPS&PSL90J`Hs@1sk( zib%}CBs5`}OQOhL4$%~jGr>k!&_J!+etvyl-~q%00<9oanVp>CG=jmArb z02R%{%qd1Oxz^+jEl5;S!E-N3MXgY5ESCz4<<=~FA7L8j<#rIKgBZf+#|CN+DUUP6q6M9XhemiW=J{Yt9d+vYbo?Uvi~HdBb-k3dc*R6u(tAe#(-D-Rt~xlB%ska z6ab)L35v*=L=ajjg;OKjh?XmK;J1+UX{;BR?L{uJ9uvbUfX-FVTrH!Jkc6cAVh#Nd zz+igBDJga6G^NQD+0jR(O{l9I7}gHa%tvm{%IMvE%IgPa^ac{Fw*^DW}i z;(V8<5`YuJ*@tcdnK1*gJJ}) zaUvxs%GF+`cW>FP&aDVEViv4gL)Sy5@_{&8k8D=%&ta(ev%Wj0c4mf}(Cuysw5FUF zC@$4niM)`eBoHh$D;esWph_btwJF8L0uRx>Tvv6q_^7b8VE!c|F#wxMa%e>*0-TmF z458pKM0ubnw`LIwj)dV5Lq6)0j{^2Uxota?p;WPu2Es^f0UnX)2y?Q7h(GYrrzRib zl!Pxcxqx}IgPKoUt=BJ`UnB=9z$_TBdmO0Al9FAT%M(R->)VQWNl zf*3>vH+WB`~*OD1xL)HW+u|FDW`xSnb$9Zwc>M>L3lTSU$2%!xmTDTx#q7C!%|Y|r<#PhUUoJUq(Nu5MA6+wPHu2!d(;1V zYVY%MG;Zl#vM6L_N^-G`p9d*T)aF6!LG#gRj940~w5;SK2{NHmv#REo71Q?oBnl-I^DtWxm zB>bTD=LS?u4>qo?eC1FBg$bF8L~MLX{L%ev{ZaKO(zGC$zoVmnp1%RFJZ7zJJYlY>Jg6JcFaX(mZFFa1`;Tv zBX8w~6u zQDXya0VOR|n^YS5-%bM|1C{*k!FfXm`u9Kv^W+O4ZTQpul)pW*@wPhXFuKMQ4&Okx z@4!#fuzY1(%wa!+EJ*FW{U_C6YvUqsxb~k12t4osNr^fJkP-^i?#vQ<)B{4E&R98> z;j7P5^gfTgS`(mkOKsS;b{v8fiZ)^E{l5L;`Ib5Tku7s6ek!8{&6iDXfHdt$VI^Qu zq&|c0;|Ri6FSs!>YWai%Nbrk}XoNumRmzbR#Co}i@?LLpZlr1*OTVDwRPrb%5UumG z7qQ;%2upCJJPs#|Dlo0?%PsBYoXek#qAe}3S+r|iBah%-3e5z#a5#V@%Re%bQYlMZ z5QU&4In$3h>N=+=-BRRRm?s7pHoc|dEHJRwz{!o~oj)tiJ&0HjM|ngcP$Zyuz$Ek^5f4a=Q_A=bx+Z9Z zCuoSrL|Ly%B9+lNpt32sJStC?zw-*uch#jnmye?>tAB@(ng`|S_g!VXpJ%mO z*+-#}Z7}b0PK_BaA9{^(RgH?52t*^S<%@hY{iSL=LLoa zK9^qY>54b&u}rFHntTgmw4`Sp3B*t?4uFND9*NksUM5oJ(}&1Jo!X_skg|{d$*!dc zw1aro)0Nx6OZH$9nnRg@#W4xMBIsZSb97CjsAvoU@uaFf)7DkYuFG3-(LaD8sr0L@ z4LFNBGzI&z(Hiv$y;+l1kEu}yB%U0LT7_qaAY91*8V2&Vzhs5IMJrSmvkoL-uRRZj z%Ca@x7s>*;oT{_kI2-jy>he<|XU)^oMq{~Ual&^h-3t`Pr#uq^HX^1fg%k9U_WLx* zBH^RM7~$MFrSFa^?{;(Q=bBEGFi_q*B-N=&HuI`VEQ7A=49z&KMCvyh zXSpMdQbN&Dgy~30cyL}N*Eb=FlGdQ>AZ468ZV!%aPjZ6TIEPB~{djb;gARYW*a3(~ zG^SF%@*74HdVgl=?YGU1ocOj7CxJ0aT6>a0#k(V^Pr(^7hiOXkneeSnha;&3XsH7L zr!lzy*z@T=rV&u;Bo4G@9EZILoKx#O1W^Q@TvYHKBL~5uZu{cg&b z==0r(_8h9`!;M!@+b_IVPoF;9GKNpfq?L7rafOT>lqg>k$PELOGXfm^5h(>=1PX$3 z!YaDpp+1c%A8KtHy&*zQwo;AY5L~P2vHD=HF@Wc=rDDs1(0go30*jBb0cZkPNEjjl z1XfmN3w?q@n@@owznlCN0`n`rYn-}B>S^U8e#%|a7C3>3_Rh#M@V8?C$Df;j7pJ$FO11#zyOJlj47spewjcZ%yF^MN`)(@Kj zT3NdWQ=O70nK20J9^6zT<|wNf6XExWz5S{w=9e!`#h!nWn@|xS8p%7>=4}{tL`PI8>i%8g z6iD{zll?tC380T8DG4Yy$k?fxMbPO^^s&Z)GAC=ErcN2+XrdH9g+VKtfR$AFGDTGK zP{_|zD_;3(^HGJI{7gxNC%Fd9GLd8gtkv$NFuh*XqC3{!GXasJp|~a_M$@~GIUb8c z^!^yw4|*#RNO4r_Rr0}Z8+sRNG(0dNlp2`s#yYn5-M{BOh|QPTito?1zLt%<0K{M?Cr(nkLM>BAAY_#Ip4|uJbvl?advod z@ypxuW9QZBo72nVmmdz#f4rD}`^(|0uj-!;nqT1Fao(Dh@SjV`d&S zaVA)ErzR$=Vr4tEM)qPcJ{&0#&<}Kc&ZqhyjjMKDfn-Mp+z1sY=GU?O*cp5qk*`(!zN z&Vk|Djog>7-SVF`imK2tO%HY@D7(o({?l+pXMp7li=i%(o2f6fIC93q#~jH`IHqEv zbt&Vh=lWpCP1g0nFjZXVgn#|(U%q({XU_yg|4qK-qaUc$7Ub%nai8hKc-&)|D8XRO z#?FCLjdip_Fbr56kVNouzB10~Aoda#dQunI-7vj*I1W7=3+kCSTYjT)$l=r{*Mo~* z0h%`^DUnzyDQ!|VgQFzf-j4dq?LrBk5|DhLX26w zSlf)3N+CdBJ-E#6Kw7bf2~1dcsDXma8ltT-A7U*KguGMWb94Wq`#)3$ivQ%z)5!SMz-ZTHd|L6bZa3=*>`v`ik(zF)) zMT3mGO5W7X1SJMW=30VV-IJ=5GQfE1taM9_?dN2W;t)o4Djstb6DjCnxic{9*`xfs zw7-INI?>Ja!hHi8D_7$b#~~X<6Gxo2efj8|j0l*O z>fqAO*_zC|)0P_T$>NHG_Ht9v=Y*JX6bw^JLFr*WH1}N0V4Zs|(?$<{SF85o*Lx$n z{qI*+%KNQQsS4tQ_va^PuTGB+FHhgT$?KV0G)fh7^=_W^xS+y#lYu+z5PZZq`cMhO z2eslqRQL2D-xUq!d$7Id=WrrbH&?8#SGb82GsyxKW4~mm-IAMeqw)T2jNY)Zn(Oxd z4%%z&wRY438Sh!4{u+#R=?D%ejU}Lx-N>2Jyk>(7EHdt~z9)vnOH%eb3B;C`@kjV~ zmRi|>axE;w!I!2gd;eHpQBj`g3c>O_K&dRpdehVb1&sriCM-2hGWoTGKEVPm@!&92 z%9k4IzLE~|@EpoIW|0o1^av0YoJ4)c@4=QB@1c{oulz=1d;1sgFw%fu!5bJah0ZRIdcxoa0tvbP}(a2-+WGcyKOdy7R+b`eTwSSx!D@yc;? zB~!%Kh0Yy>f<;P^Jwo(h4ha#Ck|FL9dnGMK7!BEoNr+|V*LY$rpRWFy(+QCDk&auV zrI<43W{SA<3@c*R1_0xR?(A1?S?8)K8t-W$HAl(DQz6&!!HdAD9Wuh>$GHi@EJYko zBuV99Xj&#=5%;DYSnYY`5WwcM;C5>4TjQ!V6N8AxjP?S>YNXVvg)`p!Fy8+#q600T zZrGn*#)%hTE(JBUMD(Y4pvc~gK`=DlmoxV>C;co!5sk07nwVO#Mr4Ae6i0kFC7eZL z0>aE5{C^(|*0Lxwd*jVh7aR-qIN*W3BrN7JM$LgpQ+6_ z2Oq1O`sJ%_0t?A}I1zAWLG`^b?H17WBqs}SNVEyQ?qEX40dSh*K28!h4Z7!|wb-nJ z@QtQ+v+BTAwA^7q*Kk^_&^2ncj7JsJVM;r;7o$zV>1(mlyCVhizsgk<5@I1R!74+{$M0wzXc8)P`e zu^^;Y$+rSkK@rl{HCUcFWmz0LUegui@6z~YA=*rlwV-~42a0x#X+$*_ZkbKT?#I>P zH?)~rU9-VRSyCjJ{fJ$|H5P3w$1#%IjG3{`7yiHee{Ic*-Z78Un5JI%?Uvux-ozey z>+}MlCDc`YwRcwa7xBiM!`COuW9_f<=f&CK(aB%WPu`tgoW6bY*PqXh4=+!StNi-h z=dTx+hnGKJAoSOxe;%G+7QY>youPLp=dwL#h5XfQf9S6!&f;J9T6-<8^}=gCLGAs{ z{`Z}yPyFXE_Mg0H?Y(%0zH7BwE%fu{(O*sEn!h@{N2B7e?Y93yu9KW)7#`sawfvl) z93KB0A!LRj-&|ZCo?pt}hd-V)YWN*OsJ*MeKi3ipLQcrz=g+vAn@eY_(ds~igO+)wSPvaA7CrGGaVI}OWQDZ~St6z0sTEu23hiU#)c<$~ zJvK4I9xD^s<6?x($FP|DrZ3bSlR4}Ad%x}PnboaP_6q^_dqwR*OMh%PY#ag-at(|RZ&jcf)38J#;VpU>0Vc{06Ka1ZUxID12 zzEe`DZoOYju53JzI-Iq#c3oocns91X9D1R|p|h0q=||&_AhjQ*?3re$)Owj<0gKd? z4FM)-;#b=JZ(XS0rUDd|Vx0Hlvd zV+iM@!GG?zCHRM7XdPC7`@K3oJS(0Mx^-a4%KWU3exzg+F(y@K6Ie_K4U+0141fxb z2H=FSDcRB1PA-Uy+uE-Uc>U(F_2=Bup@5V#C+5%ycrs|a>rYh5VJt;IzWd2n5pj&9 z_2avrkaFoTajkJlBJ8CEUy)RqNpcsB$NCVQ_0gD;Yw#J@lAheMnwk`vTKjk6OPXa4 zUB@1nczkq%(}?p>yU;j+?|tNLZdNYsXBw#5vGQiBTnOhCL!Pr?+Dd8+j14+zNcKL+wj@win79EEdy}N zOy7aGxukW_CpT&m)H=)eJoB;L+Cgn~AECV`DbKXJ=Rft)smP6ga`X^Mz2ahld;JJx zciSzid+uJtsqEbs7jI`Sz`V$;VLU2E{wzqv7 zj}Hz;gbCpmS`R?&9-so)nPVnx56g!L2Hy^PZ>aS8`r7rFXX#)U49L4Nx#qj=7vDeG z%{9UW3U4Vl!?`u|vD*lXlzv>Ki(-W>h`JM70#@HU6iK8NZMSZd8=~`y6r3 znnD^ESx?=L)L|3=UL!&GCg@snA=%?i+|Om}Bk+IXnRcVosD{&4!UbF@xRGbOYO`@6 zchO9TN$e96_Hb~8@^A|z<^Rh$aA-7gTgmpeR5;SIO$#<&w7uQ11>Z?U1M7eeIxr87 zT`TA|BJmiFamsz)>A{AnDRp6t&winFIg%Nit|_yDP*=;*kLu7*#bPYgE=4_Cyyh}C zqrBFU6JN}Aw9TC@oWie|GQ||b$P^od7#ym#k(3s-d$ZhFol+NqB}oz1Vl&&@)01g@ z2>zR#*7+2$z1=|Qefu}`!{O!Os}9N!3v@U+I5;+2U8HwM6;(~wJU+QRJe5^1&6Sqi zu}^Ncd6Xb7jS_ z@`Op29mp*%8ZU>l85=O3fokEnMhz)3ZnCi1MW0#<#5eX?4B$`OE`1RS_^UK3GmmOq-(ZPb5as#mKI;QQ| z(XeD)8)M0ti7D*a%Wdeb7?Sjwnw18mFd$kbgY8@S(n>Z^bxKp^r4L~dMv0h6^#^Q>Rq1|nhvfX=K7Xm=IOPML-BzKX)13PrT6D2HyUAinr_I8LoFVR6 zmBcawv*IkX?za4Y`Ty#oUW#L>)H2j)Et`>&h*EDu|%HggPTp|Vhi})vOAQG4?JzmO-W)5M>9gW z*Tro2q?~7NnVH@a7NSj~tT_09f#w54-LfSTJTxjtOFohSc~l^zGVHohG!fJ%Q3Dy^aa zU;~9IOL9mGIQ}1QIlU4WFPU+YqMt8L&ZkSj%@&lhh~x!Kun3L*$1hJW-yFU^g{zd7 zf*%)}8Ke@+aKN3?F^$N8K=`_97$y21U)oQeKY9LifA9IzCx2<}?LB+? z{4c0=mjgFXCPnbSv~Jy3d2rvzGc~uJ213S3cgWaP2Q`0fCMof>$g(5%HBXB_zc!nt z;@&l(gQ4i4rq^z+*W-hK7Fqw=qT)GW?3U_d?)rb)DzE?6vuEq|e;>~VdPS79Xp&zj zyN7$h5DRp4DurW}J1gYs7@sR^NOiD%8oLRp{52>*wyDx$9pgxHvyKJbr!RkHVYuF?avp z+b^yE*4~r#`oEXwh$RyQ>G0I;vC;uJj>BD+R^;Ttk8rZy>c6RH!S%26 zINgj5%v=A@pOoeQ_LIH+_4>b$XTjuQx6K$96xmF5-Y~y$33-W%slaIbyNW+wVl>K` z35TIg|3zl#BVRB1*J~5xzy>j@^{7H>ecde3=tg0{D!luAX1w6~uTOBb08f~={-3n= zO6&jWlfBk@{olv)@9G7ry~K){s#uyQs!}|_F!s(Tt#Dm5anSjSur{U>=H9YOn)bOlNQ^Q03ECx50hG)jw z7-4F>q-Aw7!ZhmCxlSXUdr12=Hq>9bOMR21<3wAjMT9P+y+Yl=HpC<$9TchgYmAGt z{I$t-{jB&|lKGkUUaV zB5^=EI`tV`20r>yWR7mSjJ&i}G7pjl`jOZTxTA4fDa9otXz}TD z-Q+JxIAM&FgsUrbvIE{t&TgHIW=i&Otg>4AIO)Tnm+Z&;p<{t!gm@Z z5huk~6`d^8s;W_FRpWaG?t$ewVbFI=kN^DtnuaEkcad( z;~`ViN3SFRtnZYTB7k!xBL#V8M{aB?B99_HD$q4tWf8-aU7HP9_N$>p5Kc?~%KJOR z5CG2@%WHSsc___owPjRsNi4rJ8pEl^G!|S-G>*fH`ctO-Q~tA#^5)u~9s!IRr=0`T z{53X_dM?n(`T5)P4un{P^=NMT6!M_CDTt@i_?WbE&H7Fcw7gn)+59y|<>!q}NkGOV zMpy;mB5oer9Tg1*!xd}96F z?Q?Va4{q|TLjK!(+Ag2}JbC(TE&tuivxNNT7+zGUVRe}c>676p@k0{`{L@66NJ$&; z=Q(4dX-&39{t-i>N~5May)hz1-ELg$!OCeV8Bi|LiIkb-4(QuHee=mJY;J;87B?UB z3IY#GrQ{n&U3Tr()dyMnY)Z9YATme$(?d9@sZo3C3SJB|h%U*ZNEPKJ(zD`iE%mi` z>c8!6<+NEmXGY~j{+E>ANjjN5*%ofZ?87-X>q=k;57f;`?a=kPQo;Kyvk#Ahg zxyAmk58CDn0CV^M=TrXwt=2mJ!@WGq_a7sR99)eg3VfJG|24u?AaV!z%+Bq(D4g&ev9B|l}`(%uxOy{Gk-O0+6W91^}0IqW| z=Y*`v6Cn4kbYvHnqD}Hgq4BCS7=7O^a%0>M&BI8EKlM zM7g-7uyi>|h|2D&l5fG06bTnt?dJIEOt;ch`|mtDoUZ0j&t}E>?Te+)Z>J7$Av)gd zlUjwGZ{VQp=KH_)kG{SB-)^_d@n4=ieb!#@|M&4Mq5nI3ITtt%aT+S$dS1IqHI10! zYDH9M=Lf!2UY6k04*%Eez=WDs*&ynxz;|6|x<3;KM)5+|Grqd~2*-FpLa#R|*0|6z zK_#11cLq$LJQi!$OCM5+a(x}ay5PM7iFvp!+)ubIdY47j17v9HXQ}7r{9h5z z0_=aT{?~dk7613iI{xqdJWKHZlaGnbx2_c=o6oIYVQ_hjH{}Wsb%C20Ynq$r3w=f+ z&Efz(+lQZYbdmM@^do9|)54Vk@<`=5Q6Yl>ObN5`sKQ*ivGpcSDmq}K^9G_bA%t$Q0J6moWQKoJP+Dye2fM^r1J5E6bn+_5Ob!&l3B;HUFxa z*DQR7X~$5A;^EqgYYeIv+P|&psI6EAH8ua0Y)!GRCTfl*_U9}EZ>cE{ofKZ|THmv` ziSjsCHc|W1s#S9 zRYF%{%AjX_<2HZKbh;G>`CCw>hl8tYoQAmpo<>wme1PCP8u!`l0wZpi@vEKzt5Xx= zdhz9$RB^;${17Rc_R%#_*$FurlN3i~oN}yE9ojpJcWuuu(&*IAKV>K^OD09DwG~n- z5L9UTpuBf$DPg+alG385uUnMqJ{L^jz;w#;oEte+{n!;#49tGDm@q9f0ZSsZ-PIO# z0nIUBhF>lHmif*VnJmP1AY#BRxQ>cAa7Dn6p}A%)_rqGQ$fVjO_>H4;%0f05v8+0O zfx~QCDwPd%4pgkC!osasH^rzPQ!A%fW2@l3Fx{f;@ik5o<0#~~Mo3r=5RF6faaOHI z7U+5(iMh+oG%C_Vis$TAT@31&sqzmmMa#6ieTp=3VGmD|992cKZ>oD*^=?} zjR%SoRj{QUMEpTViedbZ$YQwZqhF-HpU~h+2YtrGhOK?#g@ywBNH^@{(y*|$mEBVjU*+z(Fb`G z`6Y697Huw~)pZMXW_AoEWY<4ALItp<$}!CBU9$`+T}F&uWeIAICA%`R$)g!DoAlh; z#%SNR=k8Q$6VYG%5DV;tH7w5m!TiEg!k+B48i$n~)Rc8xWu+-_fd`WwT}JS+Uo%0DVmZM$>_)f-qc1 z&@w1+(c(t8%%(@>P0!7{iYrR$>Q^-&jx@BYt7i4ERIVWffkO_O=a;7cLZo&qn-RMv zDcY2L{V+;~7`3;y)Sqv%5lLx)+FNKdOOokQpY@Hc4~4*8E^R}39#A^P`RXc=0r_~Y zjsy;)=oJ;92RDEH^%n;lsQJH|=(F4&xJc2{MH|m$JdpAmSQE#%*6nHb5toAS}2&ailvURTFa5)V&bc~Xej48{wvy1B$X(Ut-r}-lCsVX^7 zD*b9A;fh5BGg|MyHm7v}frs_n!u~HsHy+b)=s4 zZ#;^&s%t->>w`C6|H?MD0{_n^t*Q0@-B#h&l2lj-TR@jip57+494?;)Uu7v zt8M!A96%9`HZ=~2(CdD-vTcGM>9AqiMWwkixLFEbj2h{R(w#;J1DRENx1d4kTJzY;Fg zO+0%XG=D})O*uwN_yUd)NkqXS!Q~H#3?-#rJ#422nDCA;CqGP81xw)674~u;g}6C& zt>w4Y>q=}QWlZ$ZR^8q8+^$&LO3mr4$TwifN3OR_HG^|!Zst*jJup>&Ew!?y8qO_B zay0s2$C*LDnV-Jv6{rtknoecdYsA~$@AAW=lJVab)3a%NnmV<2+VQ5t95oZ=#+;Hd zCD+O^BNjB(hoY>H9{-I$);2^$V`TDAsH6DWFi3eIu#BJsv}sOSa$t%S;(RzT)v8Qo z)>t~0^Ov8-sVdMSnqfCp=duQeas*W;vxud-q_$SV5`shj2*oV+bm>J%uKw7rbb5b9 zChZ~}!kPWDlvwDm?DL_AFZ<8GrDRM}PJWUvI|oSrsY?~9%q?1;?Z*Jg_25N%q^MAJAOHjxw1 zYfFa?Do5}7tWIcupmB(rUi#~=;dhTd^C8}Q`mEDbQH6dvJb!cg=En{?&qt3!B1j-e zh&H82?gS3|@}(o+$TDBPZ0#T|Y{WM9r3&bw4zi;ON{JjMi9>Y@3y&EMr?IW$jwcZO z93oJXcuZ3kE4OKI&a96>nWvXGK`1k@?Fbx)p6a!SY5X1^FCzO5uA^MaV zuL}NCya+JmP{+$wsb!oIr$$rjiC96K&3S<32CnIE)oz8gDJ?6gaFj)YCR5??O}iDI zi>@nR>AKat^v#FaM;cL_PEbFKm6)VW))2~^4u-F&0PsLUv51&`U+fO zF4zUjnV*B`CRi+a;O1?rrBl8_W6aqlM}t{SF5J+nCSI@Hd??G!yYUKYBPALw1HKw3B^8fRvQ~rO?_tyD;@8`LR{Qp|c_VLS=OaF$79*pd7 z23jlm!|k`*N&TjeyOH@TP`Z@FZ|dvja3+Q~7WzwVRg3&M4Te+@$o01fKu+;;OPLtf zs}7}hBqx>?YSe~v#zc+kkUF25gAJ>buKMmsw*4 zne7gh_d8r}g(2K#ow+;GG7GDw-ii$~a{Vqbv$+)gP0nf#{+tTl>@JzkBQZpZD|J$o?Z|`}pPN`PS-9K$?&qjtM9qYrPdn0ewq5P~OoU znS!QKyPPRV*I$V#sMuDGDQLCnUXGu z@$H{BBB^h4TRP0d@Fb@dryWZdH3leneNsZY50;8wSV zZ8LQO@?F|yR;t9*j$od7##v4`FwfknDRh>;@r@YGW)0ys%jKysHb(Z&gYT<}J@HbaVP}oF-=2n5uiLbffaW zqVrTW>gvr1)5Ysm=nCRr(It~{mX`MleARP@-A`_4GJ@akW z##NgY2Z9Fa#6AYv5CXc;SVL|0s1ld1-8E*9peW&&WbvAysg+qS8jDqQ!D0oZg0uWSze{``VEsy?U?3}ObtmSrDg8Y!>n=-(jdJW`)^7@ zS|12*&i&t~dr$UD{-4jDKV8TFxtFJL69e$MobJub*Q@vcRD|?kOuqn5z10^!-_GEx zdbk@~?-VkZGV`k1x3usU8<}m~t#$P*G;&2I+)tovork6@UhUop0Z>aFHp^DB>BfHM zWQq2&yma#`SbVc0u($DRn;Lw*vCR%qj>82(iwQ*wkK-IwnyVT9TyDvFQ)qEb)^@zK z6PMfjw`Au8$kClyx@K~TmAP=`8_o(i}iy?bmaz!#t0n;E34+qk8+ zrg8od%}{D@QlaCGa;8SVFs8vuqqn#_)Vo$Dd(>~x_0z2CxO4V!m83uMvl{)+-Q%XU zzA-*+_6qKZ8bGc8^ux}^2J_WrR_KYOzvn3r%WhU9s%+)@B zOtoWamP3@yU6O?aQ?6j-{9G@Z`&~38sdK9JQs#486cQjf<8v&Da)b#8qy73k=5yCh z*`#yR6g~NhtGnU{eb|9@4v-*eELDYO6Ky(|TAR5Xyk#PCId7&9L&sCcpl-H0xg7LX zRwyzc;wVc~5(|5l+nh>S;b2$(&-}^9@owHw4+mFS0=f@xZ2SB= zX>9vFeAU?Y#VBcP|KE)b^bV(#WgMLzpYVpCr0jPRh=xx?f_GK9l>OfD$2?#m+5Lu0 z7E7-G^OM8l*C+lcT&9oN>;Gx{+4FMzpZ4=7>-B#x&jxy_@?%e$bS&AnSRIZ#ubgj z4w4!?9lXX#V?+d&(z66v0bHRnL3&`npGA>!m4m#Frq*bpL?hJvCy644eqm`8HWd&X z8|X9^HW65(0Zdv6B1y`|G$b5hgL7lSljBNA%F*?Z2169!Sc*Vk2?js-F^O1$VsfqL zL#H4EYM7e;Ewf3W5svYIq<*9EvM`;64uIpo|0(McoFqJN?MlCa=};sSk|bi2krWQ4 zu&SDeKUp6EWge;aX^es>D1mRN00K0u6n|N=)l+dIx5rm_& zJgM4w77IEeMG%veg+67wTWIs;PiN;_J~{>{k^IZ%#Lfg8fkJcn>H-Bs@>v>SLHLfO z`vGLqi{aY5Bu)9J9Pfl>DZ+{MBGT*NEG1w|;8YOaXm~ETZNI(uUBgr3-S^vmOI49N zE|K_<6hTm*MG?DJ>En8l%IC^Knl+Sw$CyU&O)GwSC2JA^|A&Aj1Qf%N_WJ~cc20sE z(hYRj@6(tHD&hPrfs(s84M{8!KvLvBpV2YlK}tbOL<>Kk(aFa|W!pQAlT6I7(D>}l ze&&5&RkhEJ�?cJhqtfV-^yhv%ct}&qyWeMHtB!NPf~dohbE}R$=Qi>blOiKfHb0 z)Ml1E&F;&?^QQd&e>JzdXcixTo%f-hl42)mw@v8<>3)Z31?XvkY#{f3d$f2tAJb>%A@n+ z8z6FNy43ayDKNR98YnpuX-4F#mEeNJ3bNHWU$^`I{&%Z_5*YnSnzD2$7Juj5eO1rW z(%NFJF0s$t`4+RP=WYOX7Xkq~^Rr}-;*jLd!Row3^5#>4u4xn@67vjPpesGR2Xstg zWhlHR@J2NWYK_vme017J-TZ_`k$Bf^d+Owa>fXdKW!DJD2ml1l2;Ot4r@=B*5F-rA zhM!AR^-tHL z(%Dz!u0j;)^s^{JP!jAd(=(uH$EKT~k&PZT&F#iV-5taULGMpZwcj>3piIh`*s|V! zT%;L|hG>Fd0fO3&ekoF3FgGYpy24G3Pb`0&E`fqz% z`3Q@5?Yp@ia;k)!nJZ#N8`AwPkCi<$*V&3z%Qv%!R3;LK5>_ck21 zPE>~iv*ztqjIcO!YU*aq+^zV+ytz|n67v7u95}hbN@T{4LyvVE&p1I{vyI3SZ^tA} zX-K+rXRmkwBFi78MDYh>NRb~W=#LCX65pXzB>{|SopG_w0BlW>sw@mDiL%_Jv(TK? z5{usHXD{#fjd_Rx zq3_Cn1)pJ0$D1i)2sQPAc=)b(9%Ybh`ffL;-|aQGP%|R&Kn$Cx-9k++QWg*L%jc5+ z>uw6ab0XeBs{RgAbwOEGWe-Q%>sHxUn03poqCS{W-YwWHP0TteO_MQrD_I9&gIa?= zRo_Q*(N}#q^({SS9~Lad1G2g!>94ctuI?cF>+E`~JN~wmn@Bm03#nUGGfk&Jg)QeS z|N7hJhEul2o&(f$nW*4YtCH&;umrav(dz*VSuRbAB(lLX;*g|@9_24?Z^FQx1<4pO zjd|`*gEDDhVL0!!?-RxKeqo0yLG7^huVk!p(1*H3^ zD|b+-nP{s0SYZdCDvQ(GVx*-V8Ad*KYX0c~VyTh0k zu&>CZT^t;U)m6jOT>Wa@j&L0Q~qiH;%h{H`~#-Xr+#CZw3~1`_mW&n1kJIlDk#xI9}Px3u2HT zl?~ao**2Z6)JGRmnR(|%5cq9#!`!Ncac-eG^H;pi-mRKHQ=~oy1UeNc)q4v@e2Aq0 ztDHI@Q5N`m*!$AU%-?E)D0CM?)q{NI&0pyzJ=Z52a2vuUr#jajm?4uYtQg1f=F>VY zooP6|eAUeeZq&`!j=q%6?E+HfGtiZKL^S8&-Q(I@VEzKkIgY~=7v^x;`8zVLtcZh7&!2_! zE6<^Y#EQ)A6xWoe~0cd0)++&&0H*s|dB=7*3ymdpRz{7xx786t8-ft2swBEbz9b#ym#XPjXyRT0uSaj ztJ)EG;5O6t+t2*A7m^;uvDa>S>9hStBgvxZj72n<3o9VIKS5YEe`YJ%n44f6eS8>Q z;|YI^Xg`NT;_NX5VHA&dRP;_7Kj9i2_ zHjo;+hDcw|-$2e0W4?fN+}XK!GQnC^dE^{W`YsYA9vcm=PPvaF%=tVL{Bg**3hI>u zD9}3=Wg}va%MrA+gHHQ~#F}1n2f5w6fp`YZroJQ|QZC`-D4a-y1}Xvpr%dv%0>n+P z*=XP(Ae_HuA(;p6A(TWT7UnrmYT+()bWU*iOG*WK3lqTUf97^}LH|RR=;6hWw9!bg z7|v_=Oh=OI zh42+~M(IX+GrmX0mCPONXrf!cB9qrRNoWjgqtKRqZ-a!WHuYwIMJDP5tjZ--exz|7 z5DI>EUNaNfDqe>LbpyG;ZXjfZM_I^(YyXK%EGi`~VZaiwOmeDU^sOm~+J`uaIfZ~p zuogj(bi-cI*q)E=AkIbv2|6NNHgJt&Sd;@uZch7>BlTGt$eojMdqkjf)52{}$+O^ACn1WJ;fSPy7p6@|Tmoh+6>7o-8clR$ zQ3%IanyQ0lbEkyOgJu(G{&A`3g7F^99Xv8i{ex_x6a%t8j%CBHJMuAMsX$IM2ah(d zvK|RU1eHx(Sa4b32@Z(8^N>>m@)-J^vsi+6(EQ{}p65Gs_@yZs9OmTN6Xbaz30O$B z8dZpB-v|+H7ZL5%AfkN-h-g@E zH$gonhN{vY3~%4y-f2kAtP1Z2!!NeEH{GU+xP@38O}2dW{+}czvqR&Vka&^=a69}3pDVWClegUjL{$qDT zm-YZSPgD6EXk>?%MPgFE>xt5ZjpV%zh=sj>8zOAxq1afeog1TMhNC^VfJ%u&$bbZBFnvNn%HmP(zZc%}+%p$U_pqBB7Ry6mgwuvxAnRO@x6`S>@y9 zc-6yI1VsoYmYrTVJJ6o;-i#j$)R*iF#}h<3&j??Z2PDQRWj1V(nkela z>edb!;j(+fu*_=2@kGvJ4n{r-bvd%Q*4&|~H6y|1v*0cwL+>Xk>66s3srRhkr(kD< zVj&AMspY_|&0ag>y$|F44Au6QE1WPH7_-;x#i^jy0!0o~R_q~L1;pKp+dERx}TVx~^#o?y0 rDnUFs2I$Wl?|FjhpZniZnA!ESe%8+eeE$Cc009609Zo%X08|nH{)G&Z literal 0 HcmV?d00001 diff --git a/assets/jfrog/artifactory-jcr-107.104.6.tgz b/assets/jfrog/artifactory-jcr-107.104.6.tgz new file mode 100644 index 0000000000000000000000000000000000000000..b09baf7dd2a707034a7e79ceba13e26a490aa5c9 GIT binary patch literal 469740 zcmV)gK%~DPiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POt-SQA4e!lwt_gj9O=Xu|i zWagZ6Pe122jA95CreH|Q=sHS4xdkL(6eBTWT1}n*+Q;49-QBxO7xZ6uclYZ5m3n&n z)RA`a>Eh$%>EYw$UB_M8#nZ#54siePk?{GCfo3qOj{8^Rsy?{?OFo!RM=}^gkUH8= z41fY-Fb%1eC@_Z6;1Ys#Q{YfT2wdq0^ccnHaH`hFlmxBUU`AIRrp5ihfW8!|1_7jw z!3Z5rfiPT6&d!9CuB^DViX4exPFye;}1eeI@R$?j37=p29UaM&lf+Y6>jI z^u$meR+5Jp)9X!t`bebiT_oOOC9cPHN?fNPaN1Ao3Tgln13=+=k|y9Een3TNa6dOU z1vCxX&GI=D-BNcmcv?XbdIo*{SxzL75NQI#=xIMUw^1qzj*-;5DfmZSDeh4>F`J}%`*?X) z_y1l#(trK`Kk;b``rseeR_w*?Ui1PurpU|@K!!Gl~?B&Ed|23I1l zBoT|-g5G#CM&Tei0oMUV0;W?FIyDb80jF>Y7)}}hoj@8iN|2}{lRyRCP{VN?U>Xge4SGFE!7(aGor+K!DD(_S#Emo{ zbbsfF+!zYS-Lx3Z;FKH9U~&y^5j(_f+k##i4L?Z81A|V9Q;6)2f+sry+8}4?mWT!4 z`-#N>Kp++YsVzGIl|iEc8iHm3sS=Dt@GKxvh@t_eQvxNaFlccdn+bs0SmyV&;|0Ki zb^s8qy!J7e8p=*Zky^w6A%5B*cjctZ3YEe~8wd)A1hcLRK_j%78fO6mQ&{r@T)IHJ zDoI5mPD$8kM3ANj&4HdBPW9NsKGznKh**y3j?^hgEhGRDq#`vMG8rm7g>#__C~*~` zBUl!b6wqU=Qft{U!nYygHG~f5VKO9&%oM3XKoxoel8qMELN1sgV;T*qz@RwgM)c%B zgB+)HID^wbp)o)Kh}og>VH2dLu}A>o9ZoZ}AO8j55cmN{X+Ofz{Ix=F@B@xs?(SOC zml{G#)c$IhT3(ep@*|6|;L!jq2{UUSg(KeJN;rNvno;m)Jw+lnKpAv8_>MqvB|KDt zKcR7kWiF;rkdzX>!9g>#4L*a($t2taAZT!CNLWO#;0Ql37)!(fZJ-1%NZ8RzIQ|nT zNrAe=0BJvko<#>{Te7Nlrt$O*Nh`HK`k;OJ@of@BhK$`3d? zLfs;CG=ph0IK}c4#wl4jHt9zJAHT%Zm* z7p3rZJ^L#?S|h>PUu%OAtR{3RwY?65RmxwzDNw&qI53*QbqYK#!l<_xg@El6z4^J% z4k}!)A((KSN+J|E9YLDP1iCgN>CZh}8{|kGD%!$v1%)#~timAYUK?Z~*@n-(SR0nU zga()67*iWi75Cd;u{8`wS$Y6z&@rDQh!Q-5V8o_%XF-s(un;I*RVyiS zg3)1Gf+t3}+V{7>ewyM+bz>N7Y{qE(84fF-plnV5^a1P$|57`(WoNr~t-=+zXa z#Az5M^%TkA3I>oGrEn~WqK-6>Q#h6g11d`DaT>-t-djhqV8U=r36lULPCN1{ssh0w z5x_vBP;AL1l*O4cb|(v`S;LR}Bdu|EVZqXRTtTReT-I))11NC@BQ$KG0kbU)jwRs$ z*XkJ~QWRm{n@nglz(B*F<+xIbD}fTHqs>QuD8a@YLi)&K|M-f$yo1!AF zG{tznJ=hjRo4W6@z!mht6~M~{c({9X5qAP%xRy-9m4KAfqy}e9oxkXQ{avNLo*uDI ze-}*k293rIKI&{n)>SHThq(IUa^T@^LKdl4qUK4wF!8XcspC-}2G=nHSng(6(i)&l zc^T^AP&mfm07G*fv>sF7TpASb>dOA+YWgJ}U^JRngP8`b@A=~1jM=9Pi#eD~0v?_S zwWqif=+w#7z39|Q+zIqTnT(du0l_2D4Bp->h5-f*&nJkX4?(kq zn>nxGD-@b-^M1A>^=ETX9zho`7C|qA8hEf$_YijiK{|!T0I9~4a2>%M z>cl&{Kvk!4le6vANl5}7$pB2Hf|_U~4V^kUR3k*k*K|lx`B@cn{l&{qP>0n@15{c_ z0)(K$*{&?=UF#`4i69L$@Rg*vK^D77JtQd|X@Qg^s0A-!Ftv;Maly~RmKf3(R7%xS zOR}a@)5%#*^pHA@k#(9$omqf}Va`*fSM7|Qw8hE?}1M(6C`>tPwr{;LP1mo$# zjtAm#{~A19Yr*3o=_sWB8UlgIIpcu2ge z6+B;rrHjP3I+iX1-SH5VRbL^NE)ws*#^T9iasR5Z)QANL3sOiBU#$y4GZb_i>|!f3 zB_5{wt?SoNQX^bgj#p~J@>S!lVUS$}%I;xKs-<6?nE2KflKy!tQns;$uzYb=;tTD+ zIu=h;bcI;Fcr0Hbd=E+2zeduucZo+0 z*If;dNjOqLv||^#un=jWH^?=Ff?q8tc-O@8udp|FiAN3JVM(H|sZsqEO6o3=*3eQ* zH0HAQD{_lkl16t^W-jHm6c(Fbu0CC%Z?(kYEs^?IpfT0XUu+8yOP7C`Zg+E$%ywm@ zzF&gIQ{rWY=*~lA-NKhb^kgBr^U)s_@*ZCUQEG^v;%$c5#RSp4I>azR1?kSms%nq+B~rkEfH0sT)g&-bnp){$NDGo61s*J6 zX5b#5r-O%Yepp(|!zg<+?{z}eVnDU29(P{DtGyefBNzhH@U9P#D%3Fk?7SfAxUvKI z-#vTz@8@ej)#v{Q1qB2KhX?*was2iCzlXQf)2rJ2zh@WsfA@d>BOma0pI&-Qk${6i zgaX%bt2aOM;pdz^B(=%B^W{@At|++hDAlYq0JT% zfnkHgL9gIGARr{TPf$cqNN_ml8xjU0!vkGFSYT*aNT0|6__Ygqs!vdOL|9PoNcar` zAeDeV=B*eKF-MIfHzG$sCtw;4(Bc@oxrD(fExX81LF$y;1`f1llEz&Cg>!4|2~y|6 zfkLxb&^Hot1DYkrxZNM@4vlbJ!2*#2CV?Ui>IC4+I$44?Et#lJ7fID1OhM|66roOF z0GSLOGD!hk#}JGWU0t-#eAC_PEzw3(|Wf%7tQs^1RM=tZe*#)5Nsi5k_o6y zBn6xZ!kHBhoj~XzBo(1zj6jc53JBWC%e}obLPt`3Y~}$O7@EO!XtxWUfKfQjLnNGm z9M|D0LIDH21#|(OW|0pk4UWKxq|m=8M`xkbF&*Mb5}`CeSQHTI2L}L8!6^lS=9=|5 zr6p(@DLm3Mewz|O*HpD|wA02Bb-1c)nx4W{IK?ek)*=hkvTbxNsU%d~=3bf?Fo716 zz@Oy?2F;eE?K|uQHchG+v^$aA+5;4%5_hp&#LIzUA8_IAU$E+1MQCt=`v{Sb!WB$S z(lMQp{f@$Eg9h0LTCbwT6$zM*P++`)FchYv+14JXQ0NCp2gs6(o)urW)7b6w0$L1}yYm3R1@<$!KX8Yr9%pNnmIbf?(KDB$ZghDI}9r zBBB`iA*g9)6CiZ_FiZx(vW^>;7A;vw!Uzo}*9f;ja?0WYy(v^c(~dXHZfw9H3zYJ2#fp9`=Gcc`QgToi~6q!UQ`PFMU=%t5QJdpzAxQ0x2 zHglm5P7z5MLnPqQE@%tM z34|g+;0$mj!H^W2$0rd;lu(OJr#rX+T!YC;ivNqGcrgpD$-F6&!f9N`Ans!zIf2w5 zqW~mDs0kgWsYT{B{W0&SR2Js%0;;o*;~vyzPId@97d0qcixDRK#Pt}3GzIbn4MU4l zxW))Hgf0;=PEP2Mp6DyL zj;1kj8!WkaZ*t3|3g8-C!BC`*P`E%T$T1Dlqht!cr$fnyLC0|)Kr0Y39XB%y@`<6% z#)9}yyZmJ+GWjkc4pJwe31~4w17Fqo9IjF_aNvY^|CIot0xS$p8!pZB^n}(}b(# z*QR0f7WlU*kC1`TKWeKX1qm1pDXL zUV-_sj>tm-`oXjcq75(&pUoUYbd%m~a(=#_CykpKh?LYt}NMmCE>dBJef z05F*0>2bz@X?XQZCMk_FnSi;5j?}p#$EIYN9zgoP>*YPIDv5Y}zNG~eWl zQL%3M~6+zdZ5wA&BKh{uYK{lU4V zp@_@ScX6aCG#H_!xn~7~lN(teLhhRUrVdx&G>uUNvQ8C6=+vfz7YIJ~2@T(gb_SS+ z)Ztu2RFGOZp)+Om=(XxE@B?BiTrS!&B$wn_633xPhN9qOodg7_p!`j>5X}$_)M=AY z7(&gGfT=O~GjeiV;qGJ(Sf<>XB5B$cF$@kvK^kEG#Qsg_00uNzGHoCjI8+U;W`h96 zn20y$1l7FaUpY7w6IjA&uGBWeQJ95ers@!WY77)Z@u7Mp(G7)B9;aM@lWp9X zQ)%v?BARXLP*8;^QcLKdp0L#;EkF-loJpl2Onyxs8aRYwiCH1QOyLYh=v?@`Sx~~G z>Og0#F*pHY6GF2>xS+F$OwrMW({2~&7L_>6n_L9R1X5APY;N4x%;)MCEn5;N;I0eo)ko!66Yr0fCNy!BZH- zZ{aQ}f)R2|Xk7vqP>ZG1;4G4t02E((Vrca!sxi$n3A^;%D`soeYcO;o5Jx7)(`e?knL`#@MgJuY-Gt8ELdk@7 zZP|bVgv#t^V8~RPBVbMVB;`_*%NU>Q3A$WdZBPrBRMjj6B@jtC#R`i_ASk6P9Hh}C z8y!h$VZjU&3ml^)=p-XsF&BhGIz$XIsc)87+GArm%r2 zmGIvbtapSODS*P0&T;5}VhJuR_h~|Dp*pCZ!gLTRu2UMceA;TEF}!18>pxzc)qNUb zFyF+$G_@NO>Q(_c&gKD>p}PLDjQQNWMXf9{R~0C2We@Bk+21XjEM`$aAlx{FB$E_S z5-@AE$Z~7R;LWYQTBeLxFoL-vQdJ8zE@rbq=ke)`pD9Iz-8qvfA$SnApqpnVpvG*K zMHDt=-3n66rqWQ4EZQ=rN~KyQU?C7MRP1mw0c@>m&H`x(h}3CtnnpsyQ}h}_LBR4C zK@?1onED&W>RF_qnI&jreYSOF&h#P1>Wv&W)sqXm&;Ki>8JA`uG6f35f?!iuB|rPf zz8_37@Fmmi4T>*vk}b-h*{V@_2g67LcN8H`(YO+4CxW0E2t>jmVzUdjLCWCfl1NSA ztl}Fv3qchbo`Nd`E*?2v6GJFmjj^Yw)u=tVxd3koh~N_tTEcG3dui%JYy@Lh?MGQwO)Hf(1I53=DKG2JU5!x#(A}AnoP_Hl$ z8W|QE5+2A#TXwckgKN;qi+WN=6KK`}&CIY>p{2TDdObzzDFUYFXuv9N_bt*tv&R+m zOWAHCO&heRR^i<>K_kyjlM2FACbLeRn`cGcSm8u#&0?0-y{-~4$i!0k(jbC8t zTYYz869pP5aSb6y2^}I%O_4Nhnz!IlG5}LBG@2c+-9A|FX%Rk13dnhpX$XXv>j)sx zVrVawu!j%d=9dJR7YCq&sLV|^LZ={pYXQCzbfB;v*&XkBA?9A@KrJwes05h0TbgV2 z$-=*!ZsW61MFL5(T~O5Nw3uv1Jy(DM6^{Ig3&0SCm`;HUPQ7#Cy`K^39j?_8jL9BN zv$qY)OGy*M5I+Tg&ErEW zT67x0Y=|l6=B7nZ6PNoMI#RP6Mf9Rf$2^N-_UPtLkw6W&o-nML2o>v}p~18Ej(DRo z@kWWOaGjEUBZ1T?YiXThlooj+KDjn=(QM8JiZaiZah+p~rg3x}A=gB8so6J{8@Xh| zJRl?FfSISJWIkD-je@k%L<_6Hfx&%XT&-;x9QwUiXlP(?pP*rWP=u&kpx0}R-0}tC z(mnVaA|=^0mjnQa_#eLD!Y!k)>?ZJOHA!f23Y{CrRdX)pN?t|a8YK;IokBy>tkaiM zm?9BpXyBNd=4dWbG?;>qc1B*AkXPlZK0zfd0Zx5LT}RV;0fCM3z#W_cs@74N${iCd z$IWzb)qx;v3+86gF)v0PgQb`zLQzrA5+DIlIKVVC2`HR>n(LGDUK~Bk>J3e!jFm0B z%r`@z2+mEd%5n3O753P2ergcD=!nkW#gzd1U`H4$EN4Es#V?Rd9HR--d_2cFe%{s8 zo-sE$FiMd?B=MfoJeinkG#ZU*AQjO~s;bYjrlH3^d#GJ3wHOD3ScYDD9`Jd|R|4k>E{TFfk&G~;)?=J4u*Z+Hab@_Mw z|3C5hi}U}`fd~QYMy1a_gwDWH!BkAR$q8q(8P;X@VNa=m0nqY{1z6T|$*x2!?$oJ2 zjwxwi(EEW910_HYl%#^aC_u}tHzEOQnL>|mc@i&8FgUwXOh}GtTRmzl;UJnj*Sy-r z0_Ib~V0f^&l1Zg8zzUbY=E`kA->{H=Ze}o@1z?;dojRc%SD_S+0tY0D27TBgipAni z!uuMe5~*)z^fWtE{;7y+rzG^{9d~*$rs0l5r*SF?r)qyf za6}k?RKK_r2+^Awu6PQ{TPzP%W)e*2jYsqUun>-!z2+MP(A8n2f`&YXA)j{R57%?m z;S5YX37y)FJ5Jn<-9sr59%M-Xzm={n+67np`C8)MxQe83UK7wQ6zDTIZ@6JEz+kuap=>Vxb60!C`&p96A13GO%7gygo50l--KlD^Po_uFLGE# z2v)&M*kPa@pno}v5SSMm`4gMj!w4<*ys|p25S$K(bW?C(A)4N)RrH?~_94Igvr`gG8(<~o(Dkc6>3Fl^%`6_ z(Ptt>0)>F~2Uok9spdsZV6cgPE@D>~1bWT{n!m!L=FJy?XFxcvAazRG4|saJyCZez zgku+6CxYf2YLJNy2c%cnU$Y{VWD!aFsy= z9TqIW&F72C+4x|_XZEB@1CnR;dk~;}1ORA*oV%inHzpY66pV%^M1Y$H-9rZTi3);J_ZPW>_3E`tqB;_{$A2IhtjxvA^APnFHD}1)>vh3jg~PlZ97J)VzMc zEi$xUSg$^TaqKk!TBS2^eq<^%z0D7^K=!UaSB$=(lWK1Y|M%moZ0$wa`ddFAg0;U<#J?Zs$e3^OO2e{Y_DeLIM= zgii$7L>qd;h(X~n6;$I4oBj%pBG>UZ^6)zY*<+Lubv z&;f9_Gb_+(*%)Eowu32^kOfXS?TmtHGC?N@F8e{bgwA|aeZ-(}K%)z(c*QkQ=qIjW z%G_(*3k(cRf`P)nU0oq%{(6i_aAQa}Mng;B7r@mu5jR?VoroJ*9&o3@vu#KOxg*;; zcd5QMP>Iv18Ov)gZCY(BG&bHexS{bG5YlMw`k;8hA@cF;{mSD1aZY4$#}$9)5mZW- zTFKz=NML!VG`&@8qGX0y8z|Gb&5sQ>&}ikHc?YY?^f*ED(5oXw_Tgt*WcT@tpCw9C zixE2R4rhQSGA-^6XFry8J)@yrF$KEb3=YciuLlLiWZ`_xkFz(W(d_zaIW902mX|eD zw)!~Hbz|mH(t?}Uswu8u!C^J#{LdN0$FN8mrh8~#DlM+HvsC-H!hX~L-&^R_`@agp zjf$EPVB1m+&7TPLDYJjUNg&Sy`Q%T?oLVJaW zM}>s-2?v2;VIg6D>|7%B5B$nq&d*b5xh~&m;;!uAvlc;ntdFra^{=K|>y#BTSf8sMGG`OGm2dK{Cp#FWr z>eTu6C-^@bQJp$}}3t5c_rt-k+ox=tNQTlhb#l+`_x>eR`o6V#_yM2gkp>ywto zM&|W=S{m2R%Ic8lc%;nD!J*yw<^ycTk6c~3W?x-mz_0b3z)zEvsEQ=5maS(H{-lImZ1=+T0ci?&=;`zJnmUFe(oX*wpfUI|-OLaM7^uYI*0N{-Wix=pUH}>mJlkY4j+g=5HCz z3xBAAz#h!X&1fzeEpJs5xxIbC@Na4xNHhC__Q4y!sb!Gzu8Fl^mfaM|a}Q22)I=_m z*{Q{~VD29yv&-uG=l8X+WOCWYn!~mdO{q7ztYOECR<-;lUF1~@W-!`H8guiYUo9*F z6SsW(uQ2`<#=pY&R~Y{a<6mL?D~x}I@vkuc6~@29_*WSJ3giF7!T`~tCyTZ3e@K4P zeZ-a(No6bY;s%urZBn%`^u^mFiKXuz=9jt|pU(}PIpNci`Kd<&JSR>1^mM*A^XAR8 z;FqNt>$gZ+zg-(4)Y(tD_@iLK*B@?4va*Js&6dcrcVuE~pjc+s`AXU~JfmXdE?^h+$U zd3JH&wASCxk2;#)Taq;RRnguS^YCXy1?$~xzS&70z7SHl(`)+Ef(!Ze+lp_+?jj4{ z1#}LGZ`S*8|Fxxm*zzMk?g}P$uC%+q6tSUk(6ZGleaDX1KG?g{!SJql*N)QR&kjU2 zC_Xj&U7YXhwZl)IZ@B*L=Ji`XxvgKA{;JUy(ss!8?>3CwaP3XmLI$8(xZq~!S>*z;E+rPj2`1jJY*UrqjJ7KxE$s}IZn_PCbXTMJE z;2-_#E+}qUklepu@ad{Q%R+M8jPJ^ZU#h>M%BWdBZ2jSun+s>9Ozd{^TrK=M)U0Vs*+yl@2Rf#4R`!9DXQqIZ`nCR`S|+Sgy@B_UQa(n zv=5!?`|G~dbJZn&#(m_y>#wTTM|IR~8kVZR(x7OX)9Y_n`16A7VSP~l_P2g35xFk5 z<4+{3?{)8D*)6w|30qe^F0pyJq3g%( z&fmnvyt#2y+{UG(TXDy`Rol|u#PLM+5y^8WcPI{pYOt(}=+!1e*_tW`tuehSugrOM z-Z9-CpCh7xBUQJL`Rq9kXTw7u>AD!1+UgMGcljCom_UjeGYEn45ys=ay z?^-Vt{mDdwu_fB7B@f08|M>3K7E+vSHBhqP40TepWANU`+YW_H&w1M~cUw%^iQYT1 z*7=wWc-0`8UDjsXA>X4v!j`Q({pW*<1w$70sJeb&lJ2*Z(I>CW`ZFsq{`Bv3>-kXU|+a zG`Qe|$tC`$k$pjX^#&Zd?5us6Ytm-#h@7Z)v1|2y_QrP358H({&a9eSnm6vSSDQ`7 zw6|4nH??woaMdF+fE&i-zB0RJry^Q9S&6JyG`1-{QP1b(81mjI@sTKRj(WKj%7hB^D;cTb@f4WK4vWYT_n$4L5-S@ z;<$a+vtv?jUi@`t(cWV(nx3^k^1B0-*`QI?`;U=1+1+xxXKG_-^EemPn_Ncq*gvsf zMxD&Z;vY5Ht#;ozH%T2kE+}y6(Vy!Vbez>Y6T8rCPu_>ObGOy2H=*$HQ*}fz$1A7R z8O^ijTz%&VA%)j_OkRuK`OK~U$>tZ6ZxhbbThHl}u}>4_Doki z@Z3<}WeUARb)Fw`BiqSk!R>C{Lo!+>OYC=IdaDZ|MLVyDHw&JhkYbhjSZvp3+?lwc z`FmHU5Bw>$(cng$W^HZ@CY~saSvRMSmFP;d`%a9@)%S-6PHWwI*sHw99qM)JC|kB$ zlpNBs;nTM%zwh*Zzgyat*U6VLGP_H3w{jG$vg>W^x%K%byy*K@?`J<9nV0HsCED4* zCd5B|?CZhdJATnUO?ddOq@Xh&sdqN8FSw)XB!*s-X#9JkZ&#||yB&k}cJcB3DbpUD zPR%^Az7RUQrcV|(>EW>Ouz%J9-k6WsOfLJ+=nI{!MAkQ(+GJfUBc|lfPmTI?+;hyh zL)mpj*3UcX?_6G5WxUgQ_YB>%)GXp9=gnM1^4wvnt6gpFLFf;ePhKr7jeZ-JyR|TJ zRD6uJO*@B*ij9v{kDFh*cxA)_|G6W1gm?q{g1Hl7*TTTCP!>>p=ArA->z>+#hL`SL zZ6^Z_GaVF#Y3f7u98MJ#OU|b7uYGE4UohMTxxmhu;z>jEw!fKT6{!wv*r<62D^Yv< zT=MXR**hY)C2f5uJZ^)#mIK)(0vNRVBau1huUzZMCw4Y}reZ!?QMVFJ|6-eOQsy zuWA6Nbw}rAG?zrbSUo~yZ8K-^vb-&67Yl9cpZam+yUu$5hCl{v?0zs57N1yJdi}+x>(_kZKE3ur1?8709PbuvHH`!V5aW!b~hIIpK;d!bBBa(c&#qI0w^ZWkF`mAtoa ze-_{EV3}RkZf7q5^RtlnkIUzN+HzxW)m-(Qj|ZZytZnSO_Jtl{M)C9HnWLRbByj_4 zWagPCZJEY?2P#9#=cnJ1Hp_!U$=qsd*W$&ko}0$*+)jkteZ5u8WkHUO?F$0CKA1QN znu+*FZMWxdC-$trVK2}|U47^v%h(rW{VsA*)#E*JIX(WkJwDYZ-xPyoGP|swf}vQHIZWONjxg)t@)FaK{{klk7UV@6c2lYp$zUgKq zvX(a*ws%}rIIVlq?fKR@aj~6e*0B=BHqNCUhx8o&{>ZzFyDq=JcX%L&5!MpVZNpl_ zfYs2cv7fqp!Pv^J4zYVSzVZ-R+b9Rd-}t>efA`HpKc9L(`|2;FviJ}?*h(7XvwzPb zWW@>PnuWQB+rKn&J9e?jwo$hB;Pf{zxPAQipN`N$e_Xty0jHw#o7orO>0&YbcWkqS zQDpO-Wj}8?@-eEu1kalQp*6`}wW8?7i}LGZQ?!?oe;XOZJIY-d&9m>X`k|dHL-s@6 zhaq?{FzP$f$0b?@aoyx-hNntUqyk;96bF>qG84o$4{%&9a!v{89Xvxcuzu&5qXkLwWK`KUj%&Hg4Xd zYQ>c3&f`b>c5nJaL)Q5&&1f!3qgOaW&({0KQmbpXM7c2&>wX)UA)`cXJH-6hqs67+ z_a7hn{&F<$#Mau|7c3SX&9SuyvzlaH7Z=CHen`omdT#daK^Hu%MApw;_2*WldnQFR z+v}pli*kZRd_gA9)tt(LlF|PN-y1pn>3#TA zesM*!Es@_)B4J=uhID?CMAu_vWrHfihtwi&i zBs|h=y8Nar=kTJI_wYZ4Gy<|^dqnk%cIgV1N6z=3=)@7{l%LT&`vbj91U(nbZ>6Ij z9mOs*n^V~^q8!4ESyq1Z983~R4liDNjZEc}!5hUQc`mu|jV%nY?cEdajc?g;WW%?s zbIKY48SodC?Ojy9Y3zf9;$N9ot`S`JwrZrzF6*6h7_bsGsJGEK_vMlYQEToU4@XH( z#WomLzxNR*lxwEFamVj-4yV%kp#J)c=cAxs>>D3aFyr36()X_pE$NAV^{boR^3${y z-PRAJ6HeFT3L1lzH0Gi@^rN-S?ZL~IZ|X7jlJnSG&WoEZT95Jx5^;R!Mal7Et7BZ4 z$duQcTsGBpJ*==^MnL!b^6tz@DfSPKmXCek@KOi_o1Uq@Te9;-!r+klqLO}`AB~gQ zWqtDX?k%$RaBwFpyA)ylKY48zL!F{B)0?c#|MTViUGoCwcYW#fACBjLW;D+}cw<*v zS;oFUMGNcaq$S*~m>qZNEy}r+{ck)Ua__^72jVA3o<94yn3HX^%&uAGhnD_UBD~4( zNkqcJDh@_n^LG<+ErQ7vkbiWv)&hl-GUb zrP;?(Kzk~V8ESZ4dNJ>M$(5lW+D>iC>FXfd$z>j1u~Xa2z%9|F1&MJZU-mEkb*-VY zVc{dxYQlLZ{2cweo@;ML%8a&)ZV@z?VEx& zFghe=UYs$nGAi$C{`2W8;?@$g(1=|0m(F+gZZ-1Uqm{F`CR1iay~$-^{{B2&5a;*c-WyB*Kl&(s~gxIAtfo5(|NryFgQT8XS@xZN0HcPut*)ciVD zq9L|1J$+J88Nljn3;F!abg-cbhXif$!Vl?|~Q65Fn&3uI-}6yi+5t4))_ z^^?OzTyPj?pfHyGLC2k5bF<_x;=?26A5?X~&m_Yd05@t3H3P`~=s z#gm`fG2>@JRKMvAq%=Bf7_AzE{QMt;PB!*N+~_spYBxGP|tx4?^v%MC+Pf9+H2j z(7bxGv`cg%W79}Cor*_^US!0sOzwJLSfOxe4k|xT`py^ ztluM=nKoLXJvZ`*np5IwB6+S$;erLW_D<_yAvn(eNz|RZ`)9i$e!dwIUva-p@D=a% ztB&+u%xTIYd;5YW0Yh3^+uV+de|$H8LaJh1+MQeVS%B?DF!zo;=C`S$ zxW|jSDo@VLPuqX1Ba1{U%8z~%8W5fKdd9X+Y-0D!c5>Oxg>>5vvKy;lJsdaUP3Tq0 zpXXVRAMEJ9@!h>?m4!VXJUiva>DKdllgp0x{H_y<6DKN*@{>MH=(w}+S!dRHkI3|y z*W=vTGmDn2Tt9%%g>}`@3mO6U1J91G?hu@d<dw<m0evpa9kr%&XnkWh1dPtE3xQ@7biU4_-9^Oadha_ z^swTs>g0m$p)Y>&_w1eGLlu07fpNp0pC|8@7>ZtY4j6GM`8E-BpO`J1X#I5Q=u=gP zuM@>77XmCR1TZS|=Tq<7%=dB(xD-5~{po?3iAUm6N~dp#8>auXbm-phqs|?1z@x_{ z;FB+}c*mS9oA*uG?Bs!!r)+(%cT6lzPrS0FsPMhv&Dgj%%i`ROd5dL3t+ShdTzO@8 zhkj|_##gYqTvsH|Z9M3whBo$2bN3za_nb7t->q}jpoi^FyJl`UviQ@!=~#Z;^V{l2 zrS(ed$EL*}>(M6t!GXQ2*X231V_qbMwA}U}r+j0I!`O*WUpxQ&?aZoPJ1X*ilMS^l z8TM{aV!wgSw%fTmaMK?R>&6(T^)GIVqGrC&>6f4D z5EDG}T1C~O*zi#^Gzkw9f{XiRy&7|%Z3mwpM|c^E@9UfGDJ|UnXx_1`*E!v9-F|U% zhqZ@;{?To#=$V?6@0zYpXKiPQl{BVr$KWg0HcY^cc>2lDo;jxuUij6~c5F20{;1-Z z?~c7&ZXUArS~{tGw(4fO_WI=>TV9+!kTqd(zr+Lg?)HAyqK6@+{N;uNr(W&#k4x_j zK8n8Cu-8ZX{iK>*d9xeI7=9bRYY|$C@4&UHN*;i>G_Bn}_B}Gwp20FKo9xdHdQ?KZn_| zwvw08Tv8dX$*{iJ#HLN`+xPF1{Tp}%TpB-mo*(l#WXS@$_`3}w>m`TO5BV@XdD^K% zM++9;z1S+Ihw4SgvSVAy8rWw=E^c*iz4yb7HsjaYUh;l&>d;}eJuB;$Fws9byAzB8 z`_61{>u~kx@d>m1RyMRL>TEa7vwIG`e@Tln+a=dyi$^YX$gJpk^_1b!VeQ-ZiPPHT zYoFsoHqk$ynksvfm4Uy%hbL?a>%`K$HKV!Y+_|+WFrxnPtm0wWEw|&x+t2c&-Ryh( z$9V7j{&6v{V{%JB6|Rh)nLp}d7g1)#@SS(w-<#C$%EWtrPV88GH~mh__@U4w8};bk zx<~KU`-dh>W_{5~kv!KUB;%>Az0)q)t9eC|P2D{^H|zQE?u^XeM^vea?Icb*@j z)>%)C{PZEYUYqsVZ#Dfs&I^;Iq}>^|Y-ir+XC+tKWLFh@<2mtF&Ig^&yXiN_#>-N& z`@eZNcE%3305+`NX<}b6_flNBwN2xG@%WPi`q>W##gsXDd?)(3@8TCP7Zn$rbH4!h zKnTBne^b|%e+&(FIeqQSR(;XQ9a%lcy;xP{dpXI@p|hxLNdA+>+KwZCOXmuZm!UGd zO95TUwlMTKh#$lm`wq?4o}WJ?v%-IW>e{$hXBPMjZ8hxLko*0M-bDp<7i}Ay+EKeH z1>65k{tvXS?~b;(y8n$OL_mG-@|o)Q9$~Cc|G`QcLo9mLJ45Cu(k|YV&v=552%2XUA;q zoi~LI#9jAhG=KU=l0G0q_O9-M{IjK=ACKF`7CCtZh%h2;^Xn(4CS6)HE+7=UEph-$ z{#0BWSg(z^{=HMDJFGds(Z=p~zs@dy9Npnj&=GMmu(5qXlLq18);4p3;368Fjr`VYMd)hAznG`s>%5*cTY0PCl}= zcUmiZliM#v9zRqv;{1G7CU&9Ohw|s2Y>T2R8qB10XWs=6Tb6z2^!NouZRUHeh&%Lv zC~19Ro^59FTDz;Ix!uaVHW*pWq^+beg&i+f*xU|Uwl1%1%9S0;nZI~HQx0VR`2L*Nck`A|c}A}8)jL{A zuT4>YSX3vIv3;C)Ev@+W36IfpR~&6D9{WTLh8LA~*}Kn0kUnptsWb%k5S{M;Txl;1zWNob$h-wLc4t`w3Fujm!H1!^Mre@taqcVq%pVa?W?d=%Hj{t zcxV-=#&2%!^Q&_Mo1*S%_?eYu>*|%Merhr7=74sgL!o^x-88QJZqUc@%^y3p?JNo@ z+_~+~yyY9GMcrfJrHbUak5A2?YTKuM#j&eB->vF9RC4V2NOem3Q%|~l(KfnwV!weA z3#aUF=rncTnu5fV;m>YH-YRr^zkOrIMw{_3lgL|zD_na1!m3Gs>x24V2W`a~9$g}f zRzE6l+GEb#fej4vqCofjoKffcm34S|CHj7+4zoNmD_WclOwCUjUG{TU!ha((+wT6WsQgT&2&(tf4I0=9cy)X zPmcTR+tv%ZEjUmRSw24mI*NAB z(6yA7-5eB?>a^KKl-BuO_a5)p%au9p7P~HojsEKW)a7o0X3| z0=5O!yXJH2VTHJB^0;Yuv-m~xn_Ldt@w9T_k{?42L(jgqexmMwV}|q3-+NzDB@OA! zww~HKfr$g{qt02|Fo9rf>YcfPGx7Tmd#{@!9zX5vrKUX_=xj^p9=hdaZL_M+vc21$ zz7UUV-J|M2pUV0_6wQJK`?ZnzzU?1{vvXX)UnI|cd2+%4n}bfLua&$x_;{fw6TAHU zZR_kGlG9T@^o~8Ty!j4mMTc4SGWC^*ckW)>-6OFN)lKZG?tf$InVutt?{;c7u$ZeF z&sZPS2d+GC4_#8%Yt)VGby3RuQ+uzowY}zRs5q}(S=_C7*Y5Fqmek2)#F}oKAG}%} z@_x;z-tSM^d8HC}=6fbj54qPVvI$#LP0MJW?ef^Kz3j$`v|o1j9hBQO;8Mc@uDkZN zZ;}R`VB~jAi(A{+A6+erJ+WV3TI8T8bbVJ6@Nlob{-Hy8b00pq|LJ)v1-XFi(NJj^=fFj>?c!U?fv73I|U7{>>ArizO8I%uQu6LX>X>Vlx{c>XKR0S zhb&hc^M;bY`F2c$%8m<;&)c_j=-x%;fjWjwR62{~x!F!ev6U#W(XhSa_AeW9PxrbI+tz37>GLI_TMw;r5LtUT{W12_hmNY!usL~C`+9V&c=w;R^(GYBNut}c zCb`0Pa@o|r>l{SZ!Or$emff3ieg5uI57YMh1V8S!{4O05-}TP7H|tv8YykD^iZTCb zx93|+%CW7pTr-X<81u&Z){)i z%D%AJ#{T|1*@ZPT$3Aq3&I-!g`1-Z;&#LkT*ER*-JY;Qi(D{#*=_dwGYyG;sOWw6d zsz*=i7ykIPb=}dr^1g#jYn?I=*6lIkMc?g``Vqw~GrO&^Td*Z@z|9QoILB3a2*nU?P{D zFR>Y4M{=zy$7jQ#R9pMWG4bTBLVdGORdY+9oZ5Rdb&I3^#O;AFXBm5{We>=ngB`%c zY1+fTWXT>_i{qM>jCidXD*5*O6-d#@9%SX#vzuJ~8-Q7fnf8bC_S|n!IsMToop0yz zyz~QZm0cbmeMNb9MFFv*jYyvR=|)8}k@eK}_D_$u>2YS(+!J*SuZMx|bq#lCJUcYP z`>KO1W8WoF@gtv}-O8V~E?>My+8Gr-?w8_LQp!j_rNwUaJW+p1XMDH3asP_Du}f(E8)eiA$cW+0(hRDBws{yYAjTGn#1U zpia>4jOLQpP2xXTPnDb=e*eSu1CusW4|57z+t{_BpB@#L?=Wm{n)WPVRvjzRktR@M z{m_9!dnNq+#XDvmbmwqd9oFvCySrt zFHVjc8eDndifd-oT=n?xbmzDIIDoMwphN7~%*Mz6x2@Y8uMOT9o$BsZI91mF=JwWC zQl5L=*ulEEb0T@}ppd0EZCCXNV*{V9^WA~p=@Ym3dc%}4g-^Q8ytpc1oAZP^nYncr zbX!oh>+Y${$kIm_vrkU*bO2MPrQY%$W6`c|Z=dia!6<)yYJS)JDCG|8r@wh5ysdiM zepv5a&;=&f{ocELoZ;E6w9fCC#2t4JJ!m%TpdmTBVhr2a$Y?GJn7uke5G?vnEj@0QltX39-%ITt6`B zK;@pz+rEz+m{BJa*tfpmKkD3(pZk6K<56n&oIyJ?+7+%D%(isx3+|A?zf6`*vF`nC z<$<5R3rqhtXHRy$Yd!GO>%W;caO)T*AfryE()z$Ri$9f59NjkL(YunO&gWdfl!2;% zGpHt9!FCj=d+2)5Sd-pq2b}4nUr`>-iNp6m#pl(ahfRL@Q0M%r|y-7|8gfL z=v@a{hHRa+cdL<&s>+s6OYQGAaMQkD8oh6=^9@}exv~wLm`~1VE@?3Imxf0-?0dgq zh)a}v&cO4zFxQUBtf*gKv16=X%FFt@ayPu(%!tRYwQZ&CMqP7$ z9l*k|wUWkkSQGTCb(llNO!2q@_kwn=-{s^kKX7PZ<*C7kstRe}nexe_e*XVa_T5oU zZq42%28FUCZHjz{N{V~E zM?D^2ySsb|%-8(=kP1TwYZ(GL#8sBsg?&#QVM&ns?0R zF+zQ7e_FVdZ!^5fmK9J%@kiYV%zuflNS zG!W~OE23iNo;wbDo1!`;hOar6_Hd#n@Mr zM&B=~U()IJg=|q5CN2BTbIt=Ef0WTq@l#c0U$M%M8-2{w$GX(|Ts8CkuW82}<(vo# zhpE0N?30+z%BLAs#;KaJww$9Stbm2Jzf(3gcfKu%@xxrA`*K!a)oi(BQ?w3WRuxeC zN=xXv&1P|iTG>BOy%|gSaGCGXz(UXbur}=+nh@k~ z)FVI3x<4v~KJX>}qv=U@&tpG$!GT>p43m-OWqX#dS(w2J=FGd#Qfn0x4;)x#sax>S zQ-VNYpN{_MtY27bNaXSObQE8g6)Vp3-PqV{3>-pgg_Yqyekaee$`_ZWM6su-> z-}~mWlq|mqIMcM9>ejh6Fikst?1bZT(+pg_}ogLjUX#{>4lP z&1R&?9hP?X;IU7lR9a*$^?ve7QHZBaM;?%EQBhfcXA^R|?cmBGjhL!VsNM-M(Ltez zPp*drJuR(*eWCQGAvfdgqD(7|C+FvI`ozF|+E!Y%DKM3zQsQ zpdH@k3!;eQ(cwmHUtg6H-g#3#NPaD=a{i`fZs@YK^4fR6Zj$=|AP~`v#jh0|@0bEt zOJ6+xxXk0;-ee!2S@4ZE(w4`LpbXwMfd^p1VXr$5ImSo{u~|2uxwz97l!9V47~7u! zIypmV4(6=0zp!1O=R4>cJ{4j5#U+;37Qw?I=uTn3jn^1+I{2g7#Np29Ew+)bqFzpI zj+9VybFSDsEMS{e`kp@XK^Lt7{|_&ix96@5+a;NXFNVGY4~V}8`5`6b^lqVG`GP?1 zsOQst*xemK@2M%_t_b~fu*dt1aY7+~@&KPW-)huJzU=g*t+vlYoBS3B6=*X~l`IGf z&;Ifd`T_Gd`9ql}VzHjaVA+;W>zcKw)!75Gpx`qiaTcLvIoa65+F>b6$21 z=TH0XA*3*psGn3Gj0yg*Cs?fyFQzLU`#xO#v}LK%sxI3#$JNuk2t2B+7CGTmxiYg^ z`IY(lE#56g#wp2hX#FW#drTFAj&#AGBnUi5g zGYYPE@aRc~tYX6EK5pB0b(}JBAc8Y~uh+v3qd4@Y#*=Bm1nT!60=ZodxF?%3TcaHbAr&eZC z#^aPL65M;2wMs<1yyepw>&W0Xze924lXb!E^z7=_>boT+l182nWm4sB3mhwc`oFe) zB3)^61Z+CPo!J!tM2Ymzdl9mhpvIhdw@L^sOz%pdh&8LQL%akt^<4Lpx8doqt&D*r ze6Gqk*kHmTUVe;M=zJ#jXn*`y4R{X+>G~@7u|Jxvgrkfnv*kLKl6(gQ+io55*{+uU zkn3eQ@T&PR_;;pnhQ1P6*d(+%jtI|re0iWZJQ*D}^(bE9&l#IyP9ZPjmG7MeM^!0W z9W&_%UAM;eY7|Ewqh(fZu;3gX_k|~i8tz>SD2zTGU(3L7OXdge0Gf)<9y@D7R0~)5J&G0s<=I;3X8o z1ie_7oa@X8-@9R*gl8emh0#%i@!*;C*9AquK%?xsTlMtnD>+o_U7T$BQYF5F^|Jvv1S7^x#mf-kB13ig)sXv7a%Fjw~kp!d* z!l&X5Dnc!N^QU^}SicuJfc9exrN+XU>+-v)Qv6V(z^(ddB9F1@xiNllkbr?im6E+) z&5yqe39-6RmEeJK z*8s(l-#*ILe&Y<)So%JDmG}ays)Sw-d$&Yv_+AtZGEf8MIHc+f)2?FK2vrNQau-el zr)C-?P(+P&rlb%I7v1fMr2{;k=9jdtACv4)wW_=4(QCrRl?IN%l&aF*oQy;`2p(L8 zoaCpZch9{tpdFmCvLYz_uw-K>KTzeAxULxppK=e%3!Kqu^0iyhyEtra4JHy?1cUvY z%-r++FPY|7 zncNE!w4prMy(UL)m94m!%l(ru6TRC72496)(RSBAHW-qXc4 zl2BS3FLPwir78y7EGw+?RLSkJ=HATH z1dY9;oPGYyTc|kC_gpRBzoIjL%8TZ?>uzrb6=*2TDgc=bp^(v;UBRbhph})OWt7{+ z&1-T)xpBU@IS}OXk_d_@Dx6zO&u-KUK*+GZOzkD!NcYM5oMYuthNq)Wx98XVydAZSD2CV~<<-z?gqr zCwnx0200}kk}1r+xL2C!l7A7ac_`{5D++_U0zqTr3J(hY^`dlX?R&UERMfM^M)?|g zJ~gHu&5_d9W$)&nhKMNk$4>LM6ksG+=| z<2hB~2?J#(Yo)r)x4ft|XN+%JB!Vi9EiLS7+@~MKF^raj#}~hitE+BTW06og3kKRa zMiMnZ>%(d2W5&X~iQHTA{6RVUwvR`zu(p8h1}}|kR+DGy&P(>^Rc4IEwB$B>+nQ|9 zI$6%z7^W6w$#emodxX4##22%NPtK)Ly4=s(ui3V>_(4I#(*kllW*$%TfyzFq1FD^D zvbB$_!D)4!a}YF^1udh7x<2htxmL$0#LK?OCTb_09Ia%2W((XjdA7#@2NfKEYh18#870 zA9f1ed@KD0x-WRm$4$!YqM)fYtw^+ms+%zPpsjQsst=!Ja<2#;OZ)!Jh-RE%tM&BW`4 zgrfK#_1{P5?t(GJ48z2=4nMK=f^ovOlSk!wDADQr``bvVq0S(GqeL%zp^)DW-r9}t zSxAmo&`rFN5tHKGag>HKU91R-%afWX3@`NG=!|&bhh|!_(H+wiI1x?_5f9eypp;}t+ZUFa1 zZtA_7LkCht7Bzo~f*tJWMUNVtzuTl$cVathZt&>kH#b4U--hDI8+9L9Zi2bllJJ8D zCm-&!{147YWiIu85=-Nhq1D*wbYIvGDJf=`4U32CFU;C3rW?Ic{c{X*kY#1Q+USzk zK5lo{y~)M7W2Jp_nmOh)Ua!!NnT|U|NS&BF=K0uP75Bwg&h;dR%Rw2i+Fb>bekb!F zkw)kdX83lBNnc~-%Ys8XF3oeBj8a86*=Yl3#lku*cSnXUZd$64!+jVfN549CRhCGrbBe`vI(*(NQgiTk%7U>bS_S zYqbm$ww*4MD~$b0Kfwb;OE3{$wj@kyc={mERpHHF*4buTOJS3Ok> zgRjttJg1*fGLd$ka8FSBa=yD|!tA-06pxP@@ZG13BNc^Spwek zG;lRC`-P>iwP2t zkA`|B+ z;>6&PZf_KaWS9VxRGtVIWe=4$WTo$0q6tzrAc2CDx)sT#Jl<6ZOGU5^v;#*uWnuiPwxMcfS|GYLuX~4(km%WI}FEP zWPDg@aqd$j6K(iz;rzAH;ymh;=NI|Hk2(7GzMr19?fe;WYt9_Z-DEN5R^e@99+~J8ZYM?X+xhdTOH(ku_r5;^ye-74OIv_ zG6D039qJB{iRq4O%xE*3ZY+5Rei9TT4$&7|Nn z>aGH1whVv%aS~k_K7q5v;vsaLId#IcUj1s=U!^YnzE^roxTyJ3H~x4c;P>^e_6Y{| zVlg+Vvu7Y!n|s%OE-M|B@icuD@V~!}Nbo~SRNs;tVTEgUDoEuaMCQWQgO%(7Jc-ma zWBK#_hG<3-)x%*p3Z^Ce5&Z#i)lTksW->!JzQ>qrSPyP_OQ$(Z+o?V-wAdlQCOCQ{ZD~k5=0S2qq3uMh*pmqmh^$F0dY8oCCBmZ;Om>nV}I@u2vPl2GFejeN-FE` zzz=T?M4B>Ma8{p)%0K?6tjpOD6plJwje170Zbik|!y-dB{Xj!Ux;*Ja5BZw;xJ7yx#crSY{maHr2R=3m%p9>c*oTuZ@^9 zkfByp_op367{Zh=ssOp0!4iPK0|NGxuz5{ zWm<7Ai_Y_AnEiR$MehG$hZTXK@cVtJ`U=}3PvrFxbxb_1%Nd`FAEogB@!<_d5_L|s z^8Cy9rQH=#o1!J6@}hC2QF{AxU32&qY!3?lDe43+1SPZ^8C7S$T4><52MFC8Iz6`tM+Q>BtGsmbYIYWF9@Bs&xCF)#Mjl z&4`_lYfM*$w;F75-$(aFo$3%Fl|eeCKXADycP@b`4a&cR6$eHVHUIJu{3+wNZkbba zy(uJ0$t~TI=HRfeMlYy;y6JH!j(kC&{lt@F2o<>N`is+Q-(qnNB3?W$lb@~1Um;U> zSY{I=iK?rr2G@LE8fm77J5U>-xa4YB`0`zz0plNnLtHS#Fomb2H_smjzU&|JC1^wI z$`>*Vn}oxtO>N`ci5)5H+@!Ph&}4~cKT~$*i=MB!eb-RKX)he%nzA%;jhWw*GhJolZ9uE&KNBDgAGg8@IpZshcqSrj9Z1FijB% z8mr%EpP|fhHOJTdTbnUUrHZ?$fwn-Y=MI~YfR*9%UY>t&LASSF(m@Ev&S9^|T$e9V zW!xaULlp&nNQp`5x5aaCJB31l_TCiI-jb}jZ&B*D)rz4WI~@7uoUw&vp0 z`%L7{Yy8QI779gFgaq=bOU?|3rn8F%1mr~3s7E=y&y!tCfbDSVjTk>l zKXN8ORz2C88xmB`5av$kQ zRNSju{S)~ZPwNhY{@M`m%i)tTEiO*!J3><)7lJbA69CWXfIiPP-~c%u9_nedcXiy6 zFywI}D1#mz@HBO(t0p(Qy_ew&f`y^W(pE*6@~35i9k^l&L1P^fn@c?eGUD!CzY_QU z<)PJ%{9I4swAl_*tAygnhqcpU7ti&|IZX$gIz7JGnjSM#(;OTY{lk;_Pu+dZ_Crdv zG}_|3*jpPj`kw`;6otg$9Ih{=UF_0dzWXN=h(~@%iGW+OUnSs$nSGC5vSoFLY;JM4 zI6rN#*NFAF>`Ma~+3Jiod1!6^Q!(7ua*GT|YDB913TE)Qz-#=fFF;kcmI zTKnUpDuZitO-sOugF7;~8xS=1>1mm8HNxa#1f`$uXkcA{%)lMft>|)hBk3J3^6N>D zOG%|2H8G-wD30rja+k+iu8dq5Z4!C1BQ~DLFonNP(z);o_FD1vzL2fc4`+=(5|un# z-b!7La@Y|c!(e52i~9$X0mi+F4PWEGU_2+gxwA`7t}3^azTmNcWe;uxanl z@(^`o42RWMYTKvr1F2t^=T0c>5ZkZA*HAPe-d-_mYxp>Bkpz!l2cb#NBne~(Ty@Kc$SnBfGDWf}U(L|nG(b()A zc=&r{=91yHi7;(Xz6<4TUy@be;S=pm3V)`^K;-R6lF4{Z->GbWA@Yccq&klZJh$Nb z`o(LT0Xw`z{;3~w>YS8Mv?(D~U3N(-C}3$aUCcu)x8_Uf4oQ50;>ZsPGBGLySEE9t zeQ1cEHf`9{xksH{$nw>;rG#qo4uz;k<~` z7&^#P>Gjg}Z>D+y8Oxc=^C_NY+a3@Y11w}bwwKtc7JPfiIGHYSGDBX zQtK_@+y41B{{8Eom2!Trt@0nLh#l_roDD&_T>HHsfSrur%6i?Hb#b}aV?E&LaH>L8s&XtC~)Em1l@VAys%iGV3D?J&cgiIMyrZg(aFnhLU#{H7q3O4W0H-U%k7~p2z4Y@#IzX?Qo1~SxFnc9@8NM7M9-}zCz1E>w zQ#1rV>#+}3hF4a(P3zemL?9?K_~RLB%TOG7Dz)&FJ|Xrg#rpeJboU2tI(nA#-!J-+X2gQ*; z)b4xDkMYCALUH7GwRB6PmoQ8%9M8EzMKgSDrf)qE36Z%c>CXfS0 zH!Xo(b4I_(ky8KY1r1-QI+= z1zOy0-;-5I-d0S65DB-Ik*D>)jnu{v!z5QR-;@ic9V9l z(*yNY-S@QBx2~DWIR7*^aFHg4$>_(tSrUvM@!k-_)YAI7^n4dRiJE_9?zJwRf^Vg9 zHgiOk%vN`sqryqAj3)PFF!_JYfuLNTx-|}FJ3rp;AT|h}P%a!clio_Js$1rqSWK2_ z2~)fi3ht2t#gRFc*0KRvHZzi_2UU1m9qb_J&Q_IT(~Q!%%bBLz=SCeL=jdhl?6eO z@ja8#kA&jLXuMbQHNsxXx;Br}M;Yzln+J_^T&{dRW(0!#NeL9ub_ik*z63a;hGA-1 zfqW)fGLWbh4YNge>8859JSAhAIEt4$PdV~%^9Z~4{SQ43USt;FL4B|?{P!5dggns? z>A-ZjN91a6M~$T9)a+lmy%Ejk7BhvRV8lEHE5p0Tbln3#-~eOW zX{E8$2Z?oF-f}Tt&F2LPx1`Mr`b(GY3Z{YC;Mb!lqSId>-mO4!WHEnO1g|!R$yJHl zLh|aHdDqBtU*y9NGZD*XhQH~(f|cQ8qldswB*79+qDt|w*?9sQ_-N*pZ9}j%^qG1Y zQ&Q}vMA)AzF6z-20CFY<#gY4!uX=-C-bYWOemcx*=b;2ach27MD$*y^)^W?*E~!?m z{s^(CTFotSTKH;{G;atx`T!e(Qtn%w489^!hF{f!-%}y_A*YZ+#rj#L6v@u%i_%93 z5iOf3BacPFKy(*Cs)f=;-0w}+xM*ceqv^`Tgdy)Vsrh*QZi0W@So2pSs^ z4D&dG@xz$XmEnz<8D&*XFifslBnvL_6Z2Kux5p{R)GVT6tnRoC=+v_rDS^c@JA#tn zreF%5z^sY>A7W{R!<5a*EAz{{2-Huw?iDvE=aOtZU2hurjneaDmTy*c??9uNn{P>*ug`^;Y%38<<-)u_ky%8+_t2nl61Bpu zeT@@f62^j{&?%j1!ahT$4UOg|E?b#$(XEms;{y3jIkT*n6psA1-lNg$0mm_Zn8BUa ztJRyx>=QqyuCY8Bb838=Ipna2LmBv}8Nm+-wlO8Nr?~Q9Wq3#kLMHq;G1+}>a&+^) zyPlKxJFeVm=Be#7p8L|-KoN?dh@w--H`kyrdVL`jvBu+S#%etvAhnHrdBX6rebS7v z)MyxAXHLrR9pT_4s=%iF()r(^gKM7sioF4jd|SOIx?}O@Yk7HT{s1Z$xc&~qaM!A11W9WFBkL*E)gtrRV`s~Qu6_nh9tbbX{@HY(`A$P|wnPn`=U>ocUoJ4)5LKX+1*qa4Gd8B-y$@nEQtu`rJV zCjHQ4G?Lub{QTSyjAIYk5fqtuL@sz}xNsCjWOOIJ&lN&ri!vQg5Bqv;gco@oHd^fF zHyz5o)@OqH?IRy*S^rLxbo}?1lc?Cebc|l^qiT;-7!FFTH+^PfKENmB)3S(37Z8-Xpgq zE;1R-FVswJ+Af=$R1f=fD@YocaYWk+3$h7wQ@UE4{f*8{F z9lp0;TojGMmF<3lf3FWgWB;-)0vjIJm>_6ulhe5bm&a5Q9$s|`&s)3EenVC8>+A^1<{)95_VR0rA5vmSIIjIe8UAN*@kB*QL0>>d%v>ydeQVP~ z$g|-CsG(9ok<8xZU}6bGQ9=l-Oqc*M`OcX5$m&K%kNY?6s}@R^u2qH6i6e74!B4;Q zLr%S~OtWAGxWz!w*l&90vJDyep!Zy4@3>$>^rq6yAUO5A1PhS{G z)Hvle+EXg&oHNtssLbpx974oo+wRGcd#jmGEH>N5MAJFRUbCkrUy>#MCiaur!UBXr z8z_$aGLdvUnU!LoxOV^0_Tn+sfTb$l%;=uf&0C)>e_1z|kTS90T6dGJk@=u6U?C@n zrOSpsDnlg`&K99ai48(r8nhhm^1Xnk%V%q9zF_-X>S}1n)YYHCkH_!R0PO`YWpjie zS@{sWBHKsL6m(c((;}%1e@8+v)EQQWmw506c3xc_aK;2xhJ)|7zZp9o=H-#F%dZCO zfjC$hUM)!DBa9yLGSCm{Aa%R@Y%h?D^>?gjT_6M%#Mq%Iw?A`QSlqky6(Ry24749Z z5pCK8m(qbwr1dZi? z&@2Ff$}p0sx1)=@_2@}d-S;Nav8Bv>E4q8R4HcoGS9mJVj?bLDNDYwJ}U`(SJ>|p)haUAZYCDu_nw3 z2pXF~5VF=J)Yg$txnH|9#*|DqZn0cyRPk`(GFU_Z*bhNt`4Hl#{q_)Ap*V8u{1r2I zD2_aL)6l8hHYeTY^!a8CZnU>*D;&<~l$ZCwDUKHd*0ajZDiR2W6H9lUDV z(G)1?(}*Gdyf1Fvy6t5v2@L{=Mv)LS_T?2JAfhC}%J4}yQcaWnkZH|T;cd&yhCapM zZfZ+5d#Vqoe*h&0aDIKSo&*F66Ocd=Bgn5@5l9UTlU!Kvv>MyYJa_)%86W&MR~%eR z8D#1b1dSD~{2&a4(HCMdOv`uS+nR4&A!zJ0(a`2X?~j?!di%^9FCQ>iwdJ%sY-e*k z2Q=4wx-z^=oy9VYULVM0aNl0r>0p>zP&ug{Y;In|l+a;Yvz+aXV)3Gjo?t$V82MFq zvY;?;Za~o3szyD}a}YGPEb0B|OQ@4ufLhd3#I~qB2u6KJj)t(2?N7=&4)?O14kgLA$FMrj`@rNde&uo5qRP z^Vt%f+kMX%1xLs2K`C78gW|}KBi#2xpfETag2EwtVvxv%pgiJx3f(R#m2Ac~TCp3< z*8mw{8toSai|2pl~o~tJ4WM> z1wqMU0{-CvL1V|&Q$7>v%JA?99S%~^kjY;=N;7l+c>`Yr9tY8D0>!@Zsp(@FKMWd* zBje5|{5S(E!#`sBFeSxh7kS00xY=sjDLOx4s^;7>NF&P+nRe^WI#;$a+7m;KT@$ z;zjQx4u2SGiIjC~_&RbSiS=<|5fA+)l1r4MuFifsqhkAfAN&{Ag7w3K}`-PrF{StWQNF|H>iLAPii#&3V z*Q-9H^HkP_(}o>IAZV14Ee|lu5Vp4m7ErP zO~9-K;QXc26#(PcgiyrsWA75^Y3M!z1vY=gQZOY@G7DYxjFVf{q`=&)4{xH{) z(pD@r$}UDb$`2Ms5fufVNV1|ZZ!SY|WZBDlk}R+?Jj=T`#C~{6TXEbR$-Z+bQA_pu zG&MX}bmS1N<@L%BDZ!okhyj5@s9~76tXRivp7{r#A^@w ze~pKkj?kXM=}&i@-d9`TDPzg&74}C!H#@-sL3f_ZDh%5LfvUkt)PTbgaeEm_R4B9h zE%jjRr;#oim389wy#(4JvKSOc7MqX-lHuo299bZH(%^v~GL0zA)!EN2-E#osKpVdT z+zM~k#}B;_Q7~P+#EGDUDk*0J5mXd{#u{mwpL=5qL1SC=&0EQ(X%8gzc|Qhq6!SfA zUop4^-W*;@_Crpkb8bD}1A&TjASl_+8ST{qC}Pcd$NoEXyx!M;l27RmO0JYf`f`WY zGtv(8k3!JcqgQJH4+!={O4N$!HynVVv5G^jwGy26kp}M7vJUG;Yv`oO!X+0qzdZyg zSQ*~x+r?18=1yanTJ}cgvdaHDgke9|JLDo47;)BM>wb*#!X%2K3nsEaUC5}o5Po3N zB;(GB{_W;zlL*G)-Wft*kZX>4LH}oLQ3x;h_m1@k9btoGMVZrm)($nTTXWXa)vcZl zspa^K?&9XLe#o>hv0ROFAx7TWb1&>Wmxh&GG|>I}K#-x&0#g5bZ?z{pZglFMYv9^g zsvo~gwd>i&HZ)h5ZRGDSewMsUt*73p(OA1LDOn_MG#%yLBR$Ud?4I0GUrb?t5x1vy zel}7WNdNUFZCTh(LBme?QwU8wymu7MOnP+O_pS_4g~LF$!*dBO@0e5A=_Mo6`q2mw_V(?mvabrmdf0 z3cp~^6i(m#=_i~7kprlZD^lH=?myV7JXjPcDxPNF9stYzI-f|%*33AZ`2XN#->r?2?S2L}QBx>+vU-I8kouBjSYNs-Howk~tH)SlDjrsE&ExrPA>#BlriQsSQOXdHU z`V>+1rjjbh$Hj?7IklL$HP9h{0#$QA2gORM<}vkd7Z;9vZVpF2ml2j~h+#6C9Eq3P z>QGOw0e8C|W6J6sFa~0?AtRs|Bc||KF~NUQOi1@iwrF}axGvRmSM>4?tHlPqRw)Mypsub^V89r}{5sf|S z4nmZnD2kYTZz1-O1%M&cBvPtk$@LSvAjikIZB;?hV=*mp!&~oSdlo6H4iyx=jZ|$O zCG^4uJ4nw3pjZ2^^khWSzPh;ulq~uW7fJ78UFb6Quh|)P-|@Qc#p&4LMDSIb_h$hJ zsKt>3EB_e+Mk*xD-8?`(OWb>`cCoI$a;Zfs|Lq1tI#xbY_i}4%so5!8Q^fBKCxWkFzdsM~*@Pnp z3M%{~pPd!1hg-vD2lUIDmmSQIu0A3lo3{Zr)y0W5ZgKy}W~Dt1;vxfDJtl+q_t$D$ zf&J4UKcvLO`*J+Dwlj{5U4Dd=cv^^*U`eq`=0H#k6xYZ>s`-`%70>lpOjQe(Uyi-dA`el8F z-p4sDmewv__-+-xhT-37fZ%KqXPvjgnD zr=00IhDcOB==${RtG36d)wRe-_f|L#py#sQ!;h zq}1H0E_P?PYVb!7ssW1oC5Sa{@BahEjfArWQoIoXtsa$x$dyi z|GdE;6}i*CvLLx--fp)4o}AZwG@Lu+vYMUpNvU0M>9v`b%^h-iHdn=}SLU?fFD|tK zE{Fb&%a$p(6a62Bx0wyiTCPBb6oY2^cv;XWFHvJ)mGnfiXy^T}=`R{9K z8G}$013=BUay&P)%RfTRo1pZz;-ervzR309UC?88Fb$h+W%nIt9J&lwIAsM|syAS% z(p(fPrKW$h)CaO#rSlrnyb*nl-qej-yAX?!imNNQJxO!C$&V^wa1L*b4am6ikP`i| z{~YJDW(VseYTfJtN*4JU>*)V`Hhrd>AA#B{cCPo_g)}AGq*Os^hIie$w+l84Ir}AAJZCy&qA&HUD zWWdUrz-<(ckB#K$~uhnr8g(*(`Rh`4U+9ZpGBMFF12I zTIldl2Yo@cc;wqIv``aMBnoPeOHxUB7e=;OCtd|=Po1k!bQkMB3{QWjts9DA-Gw+~ z?Q3Wdu{Al(v?zERYD9*$K(a2qFZ?sGM zhLUV~kH^>o+xd{deg7w5@{aw7fa!a0S{e*R-uM;F4=N2^L;!T*A^#h?MD5S9R+8oT zxHxsT;Qj$^nw`A@?5y

}*=OP>>d%Cp!-ABJ$bX5CWIUO}8Qb+hvvZUhRP`H^Cfc zGcEh?9OnO@x70;0R)8s?>e`nNyGSLcOD4s^6s>qWkAD~RRGrsLKt9*ftcP}!654!D z0_jE1H;M0to_nPySVMHJx<>C}e=$Ylg`iw|R%Vv_|NGj**L}2{CKrdFM!Tq4EHe87 zKzhEOtAo4P-**3JN18ktHB?yt+r+cdenTz<8xH2mwILb1$dy%Q%F<~y+2_KfUGO=q zto#>9F4NK5sgs%nzA?-V6i%_ zuyUqzl}7Oc3*heA|3(o!x&dnHL*`y$QyaA6<0nwU2b=s`@sa5nQ{{G71UGI_CmHnL z7r9#vv0Pv+z7~8ra~HLENN}(w&&y}vsR%*Phv)xR|Nrrj;+wJKH}DiDy%~FG7l#`g z9oypI;YLeZp~x;yZw6hXpM!i#O03$9tO|ptOk)T@_nH58%9Jiya1x})XW@Kv7wg6i zz4^g)(*=t$XX~`@fFkt=L>gI+=MHiDN0I&r+Fq*XvsO}~#g+phhvCX+%0VsC0a`o@ zXtDMmwRl#}XMC;4T1koH<6?7B#F-Es8c6~`@~?j*31+<1BvLA0dydjB4(=$DoiX6~ zBBNX_(|^xqv3p%3H?y{yo%eix%r4FsdpzB=!E-`uCF-MMXPV~WB z&_9b>PYn!m&Dol3cp`W&VQKLvj$C|q%LR?@v=HB5BlyshsB5t{K`?0If#{dZNEWYU zz#gD38nl-g80bk<0l%LU8bDCJizDBZTq>CoAg(8?S!`cqYBAD!!Xkf^=)?l!SXs_< zta0-RC|Oiv)cQNI{U2BRk7w486>F=(b+0nJk=_q!2i7@^BJRl4Z|BkIdCi{M1-+2KV9kixcCfEgGTrPO{C~SM zfBho}as60vcj}=vlGgo~I8R*Q2S=zhfOY%-bzLHtFRGvA11Ys-+Qf7h4JaeYZOw{f z`YfhBneOKQb@vGp1mq3Uys-hTYeO!oqSyYq1U{M?1_xYwX|zi_Qf_&Yds}X%EZvDZ zp_HL)*&mg}{}|GPU?tnRmmU`S7*nxM~LhOr_jbO(vL!K|$d4Qod~Wdy24E4bl? zwfPPY4$T8{x%C~eXzRRoJY-vYxiru^5&xaPz(?&m@_#xA{ zl&ASIei#-gj(oJ@?brLTGCUnTxk5MHbTJg%kdJFQhm1M52RIqK2Z|%_ISc*>aRZ!0 zZCEoYQh}hc-qMmE`nP>Hj6fnw6x}EJaU2?epa4P3XnjYZFuhlyII?BZ%0WUEBZ(^D zI2;A17wh_zK@tX|UrZDE8Ad44o2Z!U#`B6kqj>nRK0PUeTa?WLa)jYZ~e4gO7 zZ8V+igpZQt7lZ2Nh-D?^cX5t1d^`@tk&mZv0=qd5L1W+EdY=G?;>fa^AIp^wA67Zx zvc`~5c0F&baQs!Cc=5h0FmJgIIEH%s2`G$yK?B3oB6)EfvGUvxSsRKl>)q?L#cxz- zP+csivava$rw=wdv#wy6S}Kyp9`Aub(-8}{el>ZIR5Gf^f8@^XNx+jZP@2{b4RtOZ<&W|G6wkWwgx4>LglAx0< z0D;2JFp#Kcg3hAF5eQ25HIlgF^|gMvFjjx76sPsAVG|!78xT7C7)aE<@8{HD^oWs6 zKV(|no3Lba43p6&KZ5sKd8VsXVD6>1wPNdOCe@2{ATV^m%JB9P?|tYIs2LFmx-6^oJ2J_Wq8?&9YL`w%XKk= z#;c##j#*s`WH4ee^_}e2C}>zXO0zdr2pYRBmU_-_58(|IM}G6*is45nj*L?`(xb+Z z`%`ERB)4oYW5(hEIw}H+BO@$zU=S!w7fzz;j+qnyP86gknKo=|WFCs9ir~hR8nxYK zdu#gylCOa`Y)vpsMhh$K+Q06!bP2h`!K+hUrtVg<1i(zyZd`YNg58?vvt#=NzVD#Pc_RTqW6kE9?L8o9tcRuIf>=f;vqsdGT>nk468C}p=mc@v{XGE`iWspc zESwdEd7}wIV_!MxxnLn^Y-ij12}!8W)iE+Rc9_nnd!AZCTBZH8;txMRWE$j#DfmK# zA5tQ{q^m;^MYQeFG;OWl-pFYB+~UHf_H*O4v~|%PXXm$%`de6k4+X151?B^v08pw& zNc>#yHY16OrMIGAxt`Q@Jn)dKs&R!p?ZM7ez({a`uTdDkQo!jxI(vnbmeG~r+2rPf z4?|nh3O|7ZH{U!xJc6mM;B62QAoM7>*|UMQSlYW=TECnj??;!$ zEoQzI-RUO7U(ejYN!0v@b3nQALKH<5b-gDNB8(zFImKnbBRPY}+w6FTY=n-HZ_4j;~h7i87eH$tFaPEGc zn2H>gNesNQ2s0Nz5k0wyzQ-|s7)81={A6Tu+8hIkI@i|WejmE5?3wt&9!qfjzEW_O zvS0AR_#iEgNI`Mrs`u{95GX8w6+z*UktpXxp@^c_E?nApUb?hd7j)>1`)T!Si%T47 z-2WfD>FBI)%PltkA)AI7)}GE;J^BNDFz6vr#c@A61BmMqhAI3~bAC3QM7mt}ydin^t=3 zfuIX-*x#db5GXA8*KHe^2RnkYNIxv~uykdCk-DA_hIO&E@#h>YlcYRzc zv^kCm_zf=!8xE7&1y!+yLtFokt~ZZ|^8NnD zGtIn=;lbFIFfFo$B>OT`lFC*IVHhbvM*zleVMTg zWB)zo9=%@ge16~mXYTvHuIpUqJkRz#qX`$hkGVei)1x!j-OCa*7*{lP_svpM7SO(a zvOnRZ&iIq)JaHW6{j#Us)qFmnyi*<##jP#ILgeWYASe8WjqN?sCN!Fg=Dfo-rBxX+ zL3-wSk1fKKa|4!0VCmQ?_KXV71o3%r`DetgajCx~}j$8%M z8BhT^6GzQ=*ccyO@|Z;eb=d~2V|lw7(@xAFOo#88%s<4Tg0`7IKfMWU2%1Rvkp^!3 zxk-pm3;4X%#twS>72BvAI}NnY1VL)C<7ObM)Z39_o&v4|PizLWMLUPr_b59r`FMsH zkDTjH{e$`yhEJuNfxyt8hY(S2j7x7SM{2RdjV7P>zuuq4N6a7LJiSEl>RQKh1NENJ z0|Ice-{y%$V8FvSX+)H@9ANws>uuK zwygKaA)?%9r{8>Qs>K?{nzpjcytdR{!ReK`&!c$Tf2-a4PNdbd$09d!M^gnPb{^8v z;!x@P-B+nlM4EGG@ zq@aiWXnK`df`{7|*Pf%RV$_>*)~>he|5=jhOzYIYy{$^EDx|_cE#hs~0w|Wdn++M-~yKuoRengSDpph$y#TyWR|@)?y)i1#>^VE{6H(na4V4>-ltu z-#r;6Uu9bitVIr7izVo$69BOBf*($PtGV-{&kv9j{&ZW=<*T@mG9~vBiwa1EZt*nn z-&L{D&rO4yB7Z7|#hVe3r2|n4fr0Uf8$UAaEwa*DR$NYEc2{0v1pM``upkpVpeO4I z%aSK^yw|$Mq0;weyi%o#WXNr1x)Rj?;xkg0ma?4n76j;*lt{6BH6zGFmMnh;IpI4b zP~SaI@mMde$ro&7@rA$sY#y^wS~~ug5sy*qVYg&+M^jf;Ka}qN1E3h|I~=PWSW6uX z^16zv(4eFaT`rGz8z^2}`FBxfEI_V$E0eXTBOEH|NnV7r#(^k>knnixs(F%sgdRGv z`CFW#?(4Z+!&TsH0ytFAiRPD-0T=lJ$O%uB+Ht6B3sE;JW2-Bls)na0mM}U9FX#A7 zAi$sYv2KnGM>`8Mm~p6}V`3#eTn%|TqvSgJ$Z?X)8!63CPW$#RC%%25EKC3{Bn487 zeHyqY1n8qW%7U4z9Hg5BXf!prb$(zC6riVCM&+BmQMUS9g4T#UEDQ*347e6MoC>?Z z(qqBkTCAdWaB+sP3R*n#q7PpM-}DRZ!*5fKPARAOZ%7h6R!ciVOMoUNpeuB8_|p{O z-%g1t^N3uAEFx->zomDc8(lu8*BBaF=9sw4eC^;S=>niNJ^10|l0o-$2x~JPP&}Op zK1RkXaB|6&M`~r>zsMA?^{1~fu<+nn&g;Yr3qXnQx-gu~nB?$~05}6=5K)t~Hp+E9 zSTr>lys)?i;`6Xeo!MXEtPrrVgBH89cfNUR6JZ=G==vtE9+pR?0I9|1Y5EptajBp~ zuG)CW+%@7&(Px%h=^s9Sbh!DgRY;a=@(vDAm?)h5Ht_s^ov(lGqAUo5o@?C*KVKGD zV&3O%_3UFd(0>UNg_BE|q;xgbvQDCSteM`gJ%(ebJ?gF6t4Xu91$Og~T+<&bhNyQ0 zrHsA!^K7@lY!7arz?yYgC|OnQe~jW@aO%MNi8!f7OTv19Tf}ZBcVMUtt_D(zwM>yZ z%5s^GLu#>iq%?Z0h+_F3f_bHBKAx+{JNm*elvi&CS>zJTjQ2#6sI-B;;eTnB2@Zwtf8!XYiLE>tJHe^W_Qz7i(XtSfFK z@{S(f!zQKkUOr&!Fd!#jKxtsJ-ym4A%LsM85T`FxX|@qgSf){ zv(}!R&)7T(kCcb&3)Nm%mai!Lwlz^Qtw;S{xdEcU(hMy-BMZ6Uh_msLV)@E^VKIL^ z&f9SO<|k=Oy>r3t{u2v=>a=dS(+##{fFQM4J^kqa2rh&JYh8Wnobc-AWim()O$Em01qOy1a zN9_!Xr?cT{kJ7)vh<9Ye)fi!NNyHane`cM|KyUq5Uk_S}`Y$hxF21N{@_OCr|V#W{n0?#5jXHH1r|Fhutwb8{@ z7gf-!F6c{l?H1kLH^_uB38dzd#Ov_026xKtCvd?LK-a}sR@D&eE%zeD^2@Ra0ZTS0 zo=%su^$>o1Aay)m_rgm1$oJ71-Xl8BfWXTE@_Hu^Xh0liq0M9k`D_aw>$>z@xB1MH z&Brr7mGKG@i~-}EiZe$6;zj~jG}SifK#LFy1sz00O-^5<^@p*}Y}d~l$H3|{;f2n8 zaX+V%bq_oD67!CI$>ITa?>LGlab?^+3=l7S6pwXn#;eqQpRtUF@^Ulek+|Ru_D(0SvrIKdcbZ~84)#El`VV=%5sN;|`}J7KUF%DqymFTxtKJ(hm(ZR4d`oAd{H!m)O81n7(uTAq0bb^o50PS?=lO!X z&ae=uv|B#{RAuYqK~9@f?3&3e>Ezs%2K3n?3M0kxA$(zqf0`n{x!i-f36d=}7s_qJ zCqDb-MdU9Ks(m~|>RY~1%aw%s0giZ<-yRkLwgXyeR+JD?FPVY^Is&k0s=$z~b~MRI zv@(|_HJpdRQokhqkqs!z3atmBZn01lkYqXbs;Q(@lc&-Zc&FyNMygq30IUIlde z#g8TI*y>VrV~)E6W1yb1!1|DRAnlYaBFZ@0Z5#n=p6=E4Tj6@jtju3ibSo`@9y!L| zMH3Dc^so_Rnq^X;e|75GKg5KOY8mS8JubY=a8B&__f@ipC~n4}6)^IC56g|I{#uck zB@8FOWt0TNaov+%+9NWB%CUP7`#F9e(G$OEa(36BzHN;!m;a-gQ5xibHS(kut7cyH zY5=2)pMQqy1PAd5UHHN`vw7Um`koa_$vfTzIpJ@nj-Qc6MWRYTPIxZ;0fKH`q?l4( zLHjRgsCS)FZW!I9eD<2^#^Rmz=C8Y6odMqPEKATs?0{2yn-b^eRR*ZeO_ zEqL^diMkQ(>ZMxd3E^&1|)0c z+-B37^sW4C9BmA%*kluVe*>jN2tJq}yTHYvlI)hg4@b+#@3Tj@55-4R&8*zd7s%Vj zkaiU0gg=^Z1(Tx>mO3l)*8eE+U(DO|b!9q!dn~_=6ijG8B1+-v1=zH`GB&cM%ONq;|h;WUb; zQ|45?&_4PaQPF}k^9}IewJc89uEHbRIOw+8PUW&mqca<4W5|WRc_|UARm(8%(*-6m zfAg4DKx(nmsRc8!dq23gP5IhbR#-cH@cyEL3fsoT3m-d<;^~AuNh~%_pEp1@Co{hI zk2>Eg*V$YQSb=#@my7!v{6)ak$Q4a}QB-QN2RA9nJo73&hf%N8r77kTE5G+|rY;Cq zG!?cx;r!~s51ykF9iz_ocCXPZ17aV9-Q+%2i()!2;3IwPM zpmE{J3kIQ4)n$D>m0VGuRC;Ec;IMorv#<~&ICD0qU{NnE$E8|aY9svi-W=TD9|6!I zq&=GQxx%(5B-r$_Y6;}oYV{w55Jj1+59Lk)h*px&aTtY;EOEf|NG z?IFmSBikef{6z##emMQBq6F$2{u8B_ZFAqu+6!~8zJ#q@{zqcuSdMd7WwsxvcL~|K zOpceE%RbXl>DwA|GVVd?OnD1@+flHvjMp;}dHcbM;k4`nM~r`t)I3x*uKMSv`QP90 zgDaZ)quch=VVs|iwaoV{d7H&Pt<9xDI<6)&e;fT?%d<$ae7S3@&k*!%9SY|3m4tVV zl!6N4ZLQpGOr2NYaI!P1%=seVf6J!jT6QrZ0`=9^NJl=TJO}{FDwVILhd5 zbIN?jnSDhkJT~Y!hS>VU#}8#)+{8zPJhVQ6u=u(Iyki<9~0(K4>&`pUE-UM{xMuV5i`) z1>;bK=61F#fFMW(VH|KuC`J*}>U)(fi z!V4b+xAP`DGuZ>PBJ78^JVRKTQS%5)ks@xNz$MQ0WnDleXp6`wqc9-_n~v7XEOeJL$9{ojCk&7 zs(jUsVq`3-K_hYMq^Qe%N5@%d)z1o|Ne2F2%KCJT=`EAk5S`4OG- z)WhqZ3vRGB36XoDo+vH5N2$4En|G8(xX3x*<}VKAt?BIvpjabTzp0NxJ}l6dfuvjykDyNHYVh2kXr1uu)F~$+)nZ;C8F2v zfNPi#>(0g~i{<@AOAACrzANvTUOI3%WZg83C*x52vJbI$3EA6rs&X6p`;(|V0~gz^ zwO0L!22W$08}tc?a9#N3%0;&Rd(s2^`SVCIPbUWl(?MCBp|}e}<#yo(qrrr);od@p zm~H4*gk_u$pHTcQBqky8$+bFrs7N1X@^ZGvPse(6PYz+5jstP1pg|Xmtqy*0pOgST znxEM+y;;6QPyL?1fBLV7qgWS8QR>6u3x4L$6q;xn! zh-45Im)&MQ=Edt=5@gO-yjI>S`8QBHfQZVy))Q@T4=z-9>dpVKkh^=; zW7};?jugw+a?>fXbDSJ7ZM(YW5#b}78|F^kb=QcuWc7Qi#9xoTun!THd!?nv{rKQ$ zZqb zW0{eY+ib$0+%TU!mez6Se31~S^ZgpS<*~vxu4~`Dh^R?WoiWtp>|jwqO5(n|g(JyX zo=JnUmD?2NpJZ^)0eWq|Q6{g+;};D3!JpNFI;9@v7Z(1$Mhs{)bt0+6Ok9{b@V$9S z?{=Z1(cmo~O6&5y;)hK?u5MF6QXnUMxUB6hQZCqkPuIpwk{3MrEu1;`BgV+c$iZ-i zdz(opjucZ`2o$m|CM|sRGT}dNQ?#G{(kNeHrRS{f--jlPh|0x|*?OLGbiFcGv)uOP zsvJ1e40)+80Rn^lQ2&2@hd0xwgyPZQedHxLW-xlbY64oJ=kGh80E?#DYG3sDEXW*s z!reA})=Gc0w9K8d>0bHq|BN@XLGg^9N3=X5br8hOC3Md@B$y38x#O}&tf#X@)8lWK z4+ufLL_ALv96L5R;)gUAJ#O=9KRy1flsMy-MF{=`A^!gl6(^BeK?eKpDkmdN9TG0E zE}u_v1!fD{*hAg>)_>o8cxxl^0t#y$faKYF6|c5T%@EaY=c{9sWPGyjPQ_j}I1rkfDRdr_BRJ($s&I z@Oj!TT6=G@=R!gs$kBgf*h{4@nHfdD0nw5ed^&vYQa-#ypd4gc6izOQ_@e#bApJ*% zXfu(K_9S)w(16ysXYjSK;#M}vGZZYOc{G$h_jy!P_l?N&rGI!w&>fObEl8H~)`WMdn{|(1eir9(4dv=TNJV(6Qu_Xr%6|_S{ zMW@0CKiZe3q(h94%`4UeKGiMX&JsG4ngE?onuT1=+e~?Vd?zR(aBB3c)J+=jUwe=f zzI-IF_bjLi6A-pj25E;bn)BHZJM~ThqXO*uF~{x>Lm563Z?jX1^pAI3n94W#l>*iN z#FoAxo}GJ5YWYTu5lMcrLU&n@B}M43-P&DnSdTq6@fTFL)Ti;cR5pt6W4ZcQQSc4>O9TBkY|R%|$mG@?}aU9#^?VAKASa>1q3y}>idW!hp# z5iQFZ)0|ODRo6j8Ko~8#qp3NPRU`YMdv@ywR#!e1*W~VbHLt2-<%QwDGCObU#s z^9{!4cb=E;W1qYQ=&liO*v8EK%b=eP-FmI(zH_GbU1O zMp$PUS&VHEEkJP25C` z)6*+Yf67@kL+^P`lICvi3JEl~E07LjN9mAUeN6h2ct~l_SaR>c+>Z=V`w;fx13^ys zUv*4v91n;yYSAyel(66ZGAPYq4cBCz(|Gur9lL7rB-qn7B)m(W02$kNR*p>;Wz0r~ zspJ7|q;u|kQE3igfSsG{X951Qxig?fF5QolkFTjZ^!}c0b)Zzz3Lm#V9=Yl+!;!e!~VBdvFpZfdaqFgy45h#5_q@`il`grCkv9*syZ{>3N7d_oaSoGUK{#`i4P45l{DU%@s?IqDO~Oprs_&54D>tatl! zsGxgg-dD{*h{X%9M&jcAEB%M#H&XF)G)V~-I)LFmH}{P+zfzCz)$*g)KCDQ4KLl$# z06f(k#nXv2R^UIi|HC|Kaj7ZXV*akNPPofw7isTnO4oCNvQG+F#4~x^<;WGS;)c+< zsuguZ?tgm(uAj_neF91Fw0S-pdaccCAfTH*hOO(2?Ew;|jiC9|RQ>j5!<2!AI4jzo zN5sN~%O1oJ3xJug1J`2fTop~y3qVK*hGoV@5nMrk$au>)Dv`I1?Qy2_fl{haR{tap zyVG%6n}w?_`T7r91i)L(srkgDNxTWpfXu0Ei@lyulxbR3x$ug-|L*rn>;<4!ZCdF0 z@^4zE8M0cnJP6k$#o<5*Gt?=N2POidwu;H%V^2w$i5&qOM+QgYUiwc#(SFU4lmo@) zPm6ijAojH5;5|%;_NV}J`gJGcsIJ$+|K(GB%hk}0HO@E43PTn#`@#%Dj4Q7EG-gXD zv%e=TSawu^xiG}XoHg~Rc)ef{xdV3tel$6Djbbc9Sp9rUCpa|& z!gk%SfKSFfaM)}q(~b4vs&wf6<2A6TgUlN+zka=L`V9;O zhW-|TlZR6y*SSp2IQshj_6dlPr9Cd5>!;|=!`w;>l7B8#vSaqX3iP4s6e*1F)#2v8 z%IP%q!1JS7?EyN63)rFT%dlwbm*2CdARL4R#y5Hgo-8@qF3)7~rUp`q0{$VMd-C`i~~cY1`#C^^nz+Gz-k4^P6DSo8*x&uN2HARF|q=KXul zD-=*Q;?Sb=b7z5IzL0#&va*Lu)5_|1seO!^Hl5F>i4DwcoD%5mY_ zSYo0>@_KSkq?@&anyz-=bXO(Nw*}pUahz2xBe;E`1eJ~mYle+X>QwEWWm?Qhu!Fw4 zI8^$s{H(l-lEvxW4M@{inhuJ~@uxvUFVz|G@=SC4dB_5FarXuB!yhpwDd9Ic-TZN% zn;Yb2hRz-S-)K1317()ywB|BDHOesKNK^`L&cCJn0C~88jSC6{#CAz6*WJRz(KRi| z&5|pNxg)>0|J+_DygtJACJKye;)7vbV-fV~PqeN|7lYfz$6>%NenhIK?!*w5oquf|Un8JM+Iu6s`yRv5of?_N45GCabNQrc~L6Bwt%*&oyIWaH4!Ol~b`r z`*mx6(l>es3V)FnH&Y&LvhDSsuoW)g02pO19{w8ye8gHc=yp6&WZlv ziB9v0I0=9-kw}_iX!wP%T0Y`TI70NJWDQ|du8Z%pgQ()4sD>JC-zltDwSVzS5efP8s+PeOzNmD$#M^r)Hc?yf1iWAT%V* z`c*8j!njB=rML=vuA_(+t+7?RG=uft&p*dy)>a-%EoZ=B=(SQHON`?zQw(W-9|2{! zpKmDWK#R{`2PiS2#q4gF>-R}%5G(zFGO14ZH0Cg|a^Y1I&C>TFV6HqsMID<>d{?3u z&u)DG5x3lYxupNziu8XTg5W77`rWVLlGEREQ@KY{)*6h>rPBy7z&DN}Wl(QX?3RP# zs$4;$%9@RF&e7g6?{4nk010zNQ{{J;TIC8eJHpcL`_nC(D_n?Fq6_W);)|b}93b!n ze_%MJ!&rpSdrSERsk@B0yc}jX@rjo`TksgT7JKZU3?2{{gqMd_6-XU#jjfs(UkjqX z>~Nqge=Oy4@wx`6X88{j%Wqv8!=D;C9K~Hz-B_fG&NK&K>jFX>e~Rxr54J4R2riTr z^H$#KiE(IXSohnF9DL7=(YgTQ>^+iV-1^XOoSdXT2V_J~?`)mnJAeZ@`XC}IMxCDl zKP62ci?z(+O%Dm1Tz9JCcN-%P|wzy;l8Ym#}?|Eo-YoAnLSkEOqT#JhHQgHA8W#~o1!{M(}F6&GN2yws2p}_q*n)d`>UX0 zCQ3%KKP1rnY3D5h+cus9IpJTU)}Em1A=*gz;KXoRY>=jvr4h@Ecki#r9=6U{WTB&z zIP(6x;e``!sm_-m+DHYmVClnv)Ku1;ejX{7{{bhLh@yc~C|-WuDKzeoGge(mMFV*E z$yWoM9zbf_)x>df;9=sS;4-6&7jf5A9adXPhacMWsk5WNUj^Z03G*+VT*Wqyoz@ z*5Kj7y!Wnc^B_}op)CeEX!J;?g6j}amh_Y#PBuN+7y>OmJ!tKg4-1d7axfaa86;Cc zDJeA-O?6;x_&X9YgV6aNUsEJUBpHpQu^b?7Lc=ovsCfv($t8Y;EBjjVNMny%Y44ft zYvf`WMeP^upR_fPG9Lyo5$+U%KE|Ef^m5fd?hO+(+P9c6y5w;h%XRU|U+EF9VgpCl z-}F(MK62x+?HvigqZ!3bPvhyn$0B#&Zi1tX?ncaSc2)2pb#k>M1~*%G%PGB|9-jD~ z^DHvs#KkjU2#=`{R0J$?_I~sUIKS|TS3_415|#!+q`9)69vM%%^2CH1(6Q#rZ}Pma zPiskQv=UQLd30ERDVesq`bdUf18zHh>IAY_dVvkzxKt<#d8|*On z;pFzOtrhTZC`a1I{;~&z1NYKCm>z+y`BImT2fnC|%>skK&I#y+2yWZQs30E9d&cyhm#qwTn*_*`K0?DcdTI*hcl$`+-VcereO|t zvr~2Xg5xtcu9`*ez+HzmcqFZ1UT+fUxhA&5o1wFDIiHl1*cA@Uib$~;nozhwBxzIh z`NuFcG~mZdT?M_HH<{V~kh8Pr7T{1QfsD)~gZ-=1YYGn4#Y;(E`q|!ZnJ7Ve$^M!F zK{%O_nip{J(FYP87IA83lvX3NXXe!U$V9b-y#yD{Ka=$(Fla-s7UQJUP4N}wYxb73 zmp`fq^A{ohQWk7TBefS1wF*USnxtREA>W6~D@Ft=7-$VH$ap<5zE!TR-4{3O4(x$0pjy_uoDP9oOOa;d|&g>!BE4tuMuT)E;AyD z1G87ZfT2e(IBqnJYs79;#+KRI zTjW62!O+#)3LR5+wmp)$4lFrA!1cjPYc)~_f=iV{d#Jm1>%_WeXN;?}(da_~I9ct? z03Q4UJ~lNI8rsxvEz7W0^7MV&*Gpe%V^pn5AxyBXr}xr3?xX8W>W`;{km6 zZnX}VO#n1`wjxq2-(Sa0K=uUUx8|)(zEcY>zHLO0KI??3REuxK9M;bk(2mWm2}Uk_ zzDcJpq*LfI9W$7LdH)b;U^VZeBgOLfJvgl+@mOn|@j8L0!cAh7|Zn^!-Z8$|!IeUwjf zHVw;km*`&AiQ#8Qq`bJIslmn_s{-H7v##sI*T}S)INDW7@QQlc=9e5%z4E>F`!AdW zLzB%MsrkDwQmfL|xSx=dUMutCwo^1VN4NmU34fsH$`i2sfe+L4O!1RpN{qB$jY!?{ zy@$>y6kkq)ae%D46+Rxh1GmI|J8qp=GBS+SiEvrv0XtxpYgS)QF0pe0=Qvc* zuO6y;fM6nBzF3dV$7xN2UxTI5-J#Vlb2;zY9aIZUJfh3OIP&nBp@>PmvQFLTUi#b* znaT2iKvi~T>M(~2nmh(GLHOYUc;A=%*UHQ@mmP%59uTgKEY4=ro{pGD?!Y17o|jj? zz1KyyFE&$A(s#N`o8S8Pgpk<7PmJn4_;-k=wvh!xzb2AV%(no zo!%Q=fKc(IQ(4}utTw>_H>|Kc73V6C{{VDn4YeEt<{#e{pcPfP5Tcy0$0FNs_$amM zq;=R7?M?W9y9=7znh?Z)C6P&olM|~FO&rm;!n!VDp1N)Cm6M0m1!5y_A73$gb?3*| zC;~jhgqS1pr(zXO{#Xo@WgBiAkleT2mRGj~@-`9dn$C3Woi;1Bd-3=gtEvkO4^Z>q zExt&OvzSx;-u&UJ!TD8im?mz2ex4S^qd=kHHs+mo7x306$XX zj?S@<3@LBHQ&@$Ts$ik97#m#?urMSzb25A)_;k@w8|)C!C)?oQoA#6n6`R)tpDOcY zKds!Aa&{@iA`&kO<$Jpy;_tw%bKUVO-ug8*`5ZSXm90Nm`z4k4{IaS2T*JAw{dW?=kN4Pvt#KJxY?}?Cbt+#JZ!~?f|m1y3I z0XeQ(VgJ~gMDO*g+m9Am z1Em67WA*vh#}aMK5CR`)k7aC|gZ|EA?Z9o`Qm6-0Q8)kt9n8N}826!_pr^Qpf8qr* z0bYk&gM;NVhIyYRP=m}8^`q8NgoP3(h+%IIiGfiuh-Pc zRBxr~l62~V(~Q%dNv>!jk#v9dNeeFUOh{6eJs`4rH*-5u7u@^=_(?T1{L0cD!o#M@f>%QiM7$z z4#5d|{jc9<={e+7_&=#FDh{I3bro?g?=Y1e6Uk1s{$>r_bUTd zENe8mAu)RlI}#GDdZN)@YF3*=gHzpZgO$`)li<%-F1#3)^QuhWH>VTOEQ*z|sJ6hi zr-zYlg3&LC>~#_jRSULentOFz3<0z7#kv#adv$Md$);rb+L%Z?t`^lalw0|rEup>b zNcwN*#~o=HyK-$#Xbc+^7=fy1Is!yD?uyx#zE+TngyKVT{+neeS$QJLCXo`z@CKmU zafL&CsPgAvP4Xv4GNE~$X33sk4pxliTEmvCA0IvFno9F#f#kM-& zPYUuR{|`CwjDqlh54pY2=Q*m8s8Wi{-UOe?SL6=j}R;w*~recBaS zx;Bc7!tz?LIj2UuFVNHtVVH3PZJ=S5PHMzgl z&t6O9`;>^F=arPX04s}yQu+C%NHg7P32BA6O$p-ga{me`8JWa8y5}Y5*7=&m)UBo{ za0!vY)!beG0ZDjZwB4FEFlKp_RgsRq77btBGht6b*cv@nBfzFD ziozSm^QFpG>b4Km(ue(LRwU_F_kka=ALD|*Z8JVNy+}237NN@3lO0L7I9ek3Kd5O} zzLNr1lLm8TNbNii9{p70uC2ec2ky&o9SaS8j-`G3>n9XCcFFvWS4hJ(q(<%D6HEPE zXvGMfG0Ruh|7<(V31*^AEVlL~Dr*q?GqJ)lBp%i*3}KIgYcbt*!Dr#3V=NgNs~iWI zOx9)fQP`Ic8hG;kiBA>4`-KsG^uTbLh`gFN3~mTbdS4)?H6Z<~gUO+MpLIN@N z7D0xpW$+@gnbt}gGW_A^mR?35=*0zMu9BCZJvVc32)bEn32t#E77eo(YjSO^`Au4@ zk6HG#p-=qe2v=~f7Kq9>@t1XULt25;iTcv9$pptjIlmv44;ggMeBDw~yQI((ck6ky*z1V-5BO zHRh2-6|e{eTRfa6t(Pa>w^I+P0rrelUli{ISgd+5K|0S3$qPYe`iYE#XeoC(Ok?dMn=ah%u5+!oCtK_Qb7PX}m`% zDyH9PQ`Q66kb+)z-cKsp8WQm0x<+;U@@jpxC z+&jY97gH1#lOblvXJhQEx*z?rSfH|d?3-0QuW4Az38|_(>k3OQ7?Dcm7wgpFHRQ2; z@HR{ZT)*)Oj76pJI=XDdXJspf?kD*Lf*kqmjuz$%y3(R2&6B6pUlKuvUkVsY z#5=H$=Py&*c34tZp}*;3b6DP}_0;Vj{wVqTY{-hhk^tX@ z_YJ;Y z=n6|oe<-nKL&tuqkq*~uj*?*Z9=UNBs<<>?W$Q759=efWAP5K=bhYHsclBy-X35R| zu8qYZ@pFcm5iXk)ye)t1M5AK7-t7Lw>z}M({*DRpE)m>4Z_#FP)bYhPI3na(-;hn8 z)9_|zVv-LpgHZHV@463c62Yd`bz!M)HIbADlQR=r9TwWZ`Kj3L`jNo6@{kjbs~^W3 z?wS*((CFFyQ-p7Y^ML-z6c0ny(F8}2HS+y{V6bg-qC}#*yAD2t+GpKBUqm-Cc;3B5 z-x@9~iJrAhQX!#8o@qA#Y+y8E_OS`a7^c~#TSN&kew%P-+Ow(WnKL$E`j}{3OZ>OBslWUAqQ;ELI0jc61A7Af_xOe2Srf77 zGalL0r8|>MA6gQBy~?AyXJ0oL9DQZOxM3INMQZ>=I~!d~S43*`1M9hA{R$B3y^AhY zLGTcSO+o8$R|k*M#3FV_o-=Oc(E&jXc|83Uic%Q~B`Srj&_)sDPIYWAig`Ss z{zb1BKelFOq4vYDhr7)f;Nv3pbnRNDgK_UCO*V=P?IAi#nyF}>Zf@-^%vjl}`uRp2 zo$az`4YCI&ZXBE8CC5Yr$ZsiY@k?&??3AcKJDWYdc)F@;zS$5?y9S~pJRIQhjGCD| zH^7b4fnu7;yG>z-p>;5PU8@9q=DbV$hg82@ylM_rbkZQr$b{Iai$%WMlh9~49RN=j zAr$(;P^j1bh4&)Qs=8To>N}GBE3ER6EIh-(sh6=!z2qC~8&HZc(rDEc&q-YQMxW97 z04?#acPeAN?SvR@H~=CpNW((InWI%x`Vyd(wM$X;*KlQK88wKjDZa_hL6jNwD7a{0FF0Y{tT)4{BAV&v2M^lIOQ*5ZwZZ zVZiVN8=6&>>90DE($8el8aY)l2Wi>P3&=0O-d`1b#t|27Rb)I51>V&WsiB5D74iMB zGaf}To_ber2p7tDxl+{AWRQZ$kA_iu#5hO60Pk@On7?tbx>X38CS5D7nH`3I5Cfkr zYo;XoB$PZMQkf{g8;6FGa@w9FJV*+hj$aLCYj$dxGT&JLT93?q_XrHPWpno)D>F|q zO}zjLzFDt^_{lb~{2E3ktBiy06k5 zMvpCT?A73$sMJs_D5q;&6nBpxHr`qf^9R?}VU~jLg1h^sj;=05k+iWuJ}aepF)e%YgD(R6adkX2S#M7hqL~Kp2Uokv0$1CJx&5>pubeUs z*A1Bm?_@YZoRTwDF9zMA=eoBT?xj3?n-VG~MD_W6gf)?Cc12Cwbb4CXhs7ybdT6&b z<3{XQdbIop<`zybdQokwrmqLv5wXN)S4U`RZ1=3!nq>S)P)d*bvv~iSyReRSN`Ddv zN>YX!vgi?BT~tKrEcUK-cCGKG+S5 z;-B4!6xWdPy~L2}4y|O!Hmr*p*vndmouKYcBkj6uFCUNJ^jEXBRIWl z1C&=7L6`E7s2jQCryAbDn@&cs^>$(l3!z!j?45;H0aq)mJYYl5Te~!`L&es$S4ty< zYxW?~F?~SBH|@mj5+?tytCpv@xN_O9PyY(;SiBb96#OWZWET6-@X4r^2I>#Q%^obn z-^T$c+t>bGCgUc#W&aG>?=W>NPcbqz0H3Ne-97n4B8W0TE&oY z#MbB={VIJd6;sjCk6qK6ha7{;MZdL0{ORr+_Y>z!!JMl~`w z5xRW$P6dyvqLA3xS~-s~NF5<>Q`V>LewOoW`_)=e3HGd= z*b7-h>9_{^?J|pT=xk;}HOXYN;L$yetR+Kw^m58Q>{JXcpTw5P-TwI_y1#pgZ*JZJ zs$e1cIQfl3nV@}x)6g<3*0s0N!bdu-l}8g_TbytG>4(Jlu8DkPZozP-wy0(jt=O4I zkuvO)Cm_OC?7y}7uWM6^??2w*p4;XDhkNtTcRQpxs?&VE+`=*SWg``+Vq7373=EtFL$*L)R(wa?4>1ljUOIoU+27NrUMI&gbxs%y1!l__;CRLL!zak=^i{-6fx2 zEk#>z@t(qdO7?`*c>e+#e0J;3P`>)C8yU2ZcR#pQ=BV%(`?!Rz9H#peB7e7<$SHd! z!4WHq632v1vX8@+Zr;sHYfsbCGt+e|O`d{@<`TR+m|9l6$gFLW*pc%_JwmyCR7$Ge z4Ro)f5ia~nackN9$R?7DwReuf7V5i_svUM$-&=0t7BcXpxLnB8vChcuJD6pOL{VM!5rD6DVWs)x=L(qkRM}b+QmURU`yuY!Mc};Yo9|?=H^gUd%`egXVoC(o zN#6W&W4UV2yf)>qXDlkYw1G^pbXm2LZ+dB(5Y#p=AIJ~>*j?fjv1>Bl=xE?BsktNikV zs0Q&oT07l{Bjb7TlP66N;mJPRlo|AOHb(Jg1`6mlFyHu{zP(x}zmWu8(TAc31D*=h za-b$Rf9G5l8^8NdTlZLG#*hcI&+B0Oomd1Vo3o(SzEGx9w+T#aIMAXXj+dMd!Z|ce zAzAaIZwmatX+h9QkPur26m9KBiCFBv$6PAuLyEb}672eYje?t%l(xjcs7;aDaJi^zZnCn;W_cJ6S*-8K(`-|Z-)~i1?Bvoa0sY^X* ztbt4InR@Wm?@8r(eJgonp}M$#wKz8~@THW+>7DPTXXXwBN5T3|#^?3HW{jybWXzVTGdu}X=AGOKukT=mlwq=-a524rG~ zVdUqnM!ApTeolU7vRN0ei_WJKQBX%ayxl9kOh&TiL5z2Yk;l9VCkVn?wRAAd#&)Vf zOFpHqli4-i+Z@pY!rH$YDMMiEtf1t}w6V=Q)?6Bj-<=i-_k%yvh(dVe$uMDgrJ!$L zv@VMdp#&#wX8NDrk|~_w(&;}ItwtiFy9jIEp@4H8&T$s4if1YE0O_Ka5QA;bZ0SLk zB_{ookoq%|TjT}7c%wFeq?wN}Obzw~?D=5JVB}S<66eDl!(4QbUep96dmMKL+Yv6l z@nH!1%cBwVPi3y0a2EgwAr4!zOpJK;fEU|qZD~rhw$>VHOAxGjNy6?NX^T}#c7h)! zEQK~X;cfcvUM+7tvIy#8(W6t-xYkOT??cD@LOv2ykxNXGIX9rzSwu3oS7|xhnP{!Z z!9vNjeot(MMT25_7)YB>BL<*3`7poAI~$=DVO=zEO*UkgBH-(K$%u#(6G8zX_rqBCCI1 z(b!(yw9bmG)P{e1CSj?wHJ|A{V6TYFQB8NPI11Hv!@mL7ywSO6A}<{AIo{!8{gQ`% zN%JYqP{TK{^0IbLG6yu!!B<@#U;iN8TUgX(U9^#RUtI3)Bx4XkgJTYhh?G!##4Eh} zA&(*6bsK4ZfOAKF*AsI$bOrmEllFq+dTQO{mnL=2P%nDKfnc;(yWU z^>gK)KNZlvJ5%%Ry}Mdom#_L*_ae|v+ z^8@letT&~d*jsjV3_^efp;$t?yS>U28kl2P^6FXm{AFUhQ#R_kPLt9tdWYvpGJ^#nx!P+9wit?b93VCz|Q`nhC+w zZYb4%gZy@#xxy2X^!1uOhPie>g~#S&H}u049bHL08o6jK6&%R^K6#GV&1HQX5uax4 zx)&b))Q@>vj>n|%u7Gjv_Hz~DeVm@cMDF^IW8eBXiBU8-#>|(oLqPkrsixCoD|1@D zD4?v?weC6ey@yO|2juGhr0=&Jxn#kK7@BDA52TRF14+=yZ z@*O{Vc5jCQzaUnS%~pCmfVAF>op0U6FjwBk?{N}>&sgr#?^gZEz5;$G`+(p9pPde) z=LLwkoX=$fbzmLpx2SICXk8i-p5Mhd+*v;JF7T^U|MRJqZ2bWJdWS>reVIcyX$StaFDUvX#&31r|wx^X1CkfaCkbCL)VT#%M(TazVt;8 zbjkoCa{Hv4Y2CY-QBM2y_wf((j*VRZ&)QWtmm8vtAF;a3z?~fV-If|J?ZqnZ*u8Hc zN!|Tl88sNB!G%Y{(cI_fh|@vrU2Wg#ruI!nOAUeHjl-E5fPBv5^^j(E+!*k4T(tFp z-*@19u+`^v(e+S5PE$Y}M7$*NDZ5HGDffBr?F^AwBR9oUe^5uW7l1jN%n+Wg52AoR z=q$|=bY$0$9qgZAP7{z7>A~+JRq5EhY4LNqSy*^(yaBGlCq3ilv^z}HxikDDn(q4a zxk?;4Ioq0TZ19{AkeB5yht9=rDzNT-lBt#_8uY&Mb{5p+cA5xTP4(Go()2jX8ARHA z9Rt{=$sPRjG>q$fOq%t$p(WLprQw=8T?(Hap zQB+dU{mi%3e#?06u(7X*%+BlU(~-!w&G8BX{krWhC*9@)gYOPvK=$pK!zex}$whpMS9A3OLTYO7vLyL?th9b}a4RdELZA$hkK=sAl`&{78)U8?b+d ztyf=uc-EYo8s`1&IxEP)bv4?LS{Yi^b{$|?O3+>Pk>iRT^W`M{@!Y&B+h+ZsITcg; zw(vg__Lal@s^x;SXexMb^I5o93y;ugN}sS-^YsW|RhpI62qpaJ{p#Ii*^d@<+`WQ_ zpcs#l%y7s5W9B`dBj2%Pt8{?Qo4!#%^W>%H7EnJah+LCPoCviby&k2KHqw0*t3?%Zj!lz4r^Z1wk#bD!Zp zyK)CW%dKsxwmM$->H~eB#@#fKedVN`4qbuo$Z%@zXStz$!@beP`_~pmM*#N^D)<1ZQ`YM_oTzE zhSBkvOpT)Yyzf>64=P|*eB4g@SM|KUuX;C}tqw`7?V}k!_HHt7uChMPmsLNUcP{}l ziFo$we&T`aAr~+^E;Fnz*X{%U-w~RdEz<5iOg>9&f5?&fU&^pwIt#vD{kK4$r9St4 zZFi>yuRYVgM|pp+k&MQ%-m^xa6LszdI(PQG-xd^}%zhrtBIon~%#9ge&xbEoZQ9+> z*X?r`p8&`m{`I@_+OH#>z|q0hD!=O^s%IEw1{JlckL9)$)?Lr9#jl)NAJZGM|0=Nr zmHhLcg|9;%B5s#ji#gsaXZ3_~T zf0xxWWKX!@FI;VuPu(mHc=PXo+9R)vj>6iF@BQ9+UKz@r$HEH+!JCvI`{|t5F&ToZ z2LZ3oV%Pkdpj^L4k-M2nTRt@?HCye^$%`@i^Qn1t{WRZ`_o_CVLG5B9&aQ7(*LA3B zcU_m2gTBTjJ#Mcn&&}PQqKmgf4)-q}T{knki+a^5yf61jNwJkF?!>J9qa8qZN}I&j z`4SQS<3NPWPOpXbFthV$3#XvVZMV9>`=H^KD*yINRi~A%J3z9xcC+W{uro*hr4y&6 z)d!}hQ}1z~|HuGn`CrGyvW(xnV#UOVUY*xjK{cZMmGkDSE3jLg`xN$TM}KGIajv9x z2jp8$L*UlkYdx=%MMt)0(-Wh_5i}k3$5~5htnJU=bTWC*%x`oam%~<@80|XseV+ey z`*|)%W`gEy`M=Hg%B>1~>@_luWUaUkMgs=H&G`yLN3e7r7j9qy?cTK)ok+Ux=T~W~ z)B10!=hr2<)n}eo+r9R>4w^5%3lZ!ZsT(g{qm#M5&sSeH7J@JJucp}Mys0+3pU%8q z{b^+V6Ia%Ly(<6{XPKo;NgV&RW`E8AgKu{sZ` zi5xzZT94;iy1BCJ-eaG3MvH^9y6#Jw_KADe?eU`j_j*H;K92iEFeA`;xo5MKpER_l zqhWuzv4;C2ZC9O2_WL{*d&T$r(YLqK6EvaQ&JQ?Tt^MB%fwjeay&Hb0Gf1szTT63_ z(%LHj^ILYgt((la(dOp=X!qEyU1f;wdG@c}ZJQ0h!hWpsJgTU3CGR+xKBFS=T)>-` zb_Mpl9+c>FY_Hww7~M_IuI_ByL)R4=>Uu5Tqh8qSeth1P5&2z3jZS-U9r2#4eJp@Tm%x>nZQ`lI4uKlhW zOaEKW-7*lkzw~zha+^4m7v!{m+Hmf%kNX}6#iX>k?M8eQonn7A8*f4dwFjm+OGm0X z&2)>afemiUnAQOQ0%Y%tnK)y1+G@@m5Dp$tYMsk(I^YQqXnTvUeD<@keBr+co^0iJ zU0#>GvEOpm7;TWx<#9TuvEJdM*#4fBwBKnu+c#wVo`Q4jpN1U&bzSLschmd5W4QUF zb=%=~Wgob{jxYt`cK;HrLw~Gv|hhCPJC0a{i?-WkL#^t_~yG( zb!*P`R+L>9X07w&y05~v)QofYET$}h3KtMU%VlR_)6af!5<3g5^O-2huZK$F5fK~< zJI4C=uvh&Xiq=1AhA;=&dMxrN$NkKG*I}UL6IoPdXZMid>x5(uHli$7^wJ_WKfG6ragw^1M2C2e>pq-%cfY zBI~8G+0g6y`I!uQOMfq=i3H}}ob+Juo~?M_@?%q&Ko0H8o}NDaO9gO@ckfg&rSljU zt1SI0XKI<}mXyf3TkYM1|FYkHPzw@s|2E63rZA4IUam~exy87TQyoijX(!|HjOIlk z7B{s$XN<1m+tJBVSM#J~Rj;Y7}RwXJZjhNQ{em>Fxt@z$8_sSjqY~8wh*Q|Zd z%crgC5~06o=FRmOfI-}5K92G9uHA5}uGsc}kp;aBk~*`qK~R7Pu+=g)`3#Y5`4NQ7UZCqnf+8JCfJO+v;M;M>cP z*XKv8@-Y~6_4l@F0WI+#WF)?V54QGI13zydMi!x(_8D7avXr}9KuO)gvvZ~S#~)HZ zP-ckFVGYtm&GoQv`=#~2d`4Yn6FutWmH&1hx<)sBLT~XrWSPDT_qF!~iE>?{XHoPz zC|OF~G(iy_fGS5@{em;tlWZiI5-EoM6hY91`4&gSB-)~z?SGru7MB;?IcE)K$JS?M z?*ZP@-;Vd@x&YB~Npv{fUIwiqJm3u6)W%onK^q)H0ADgaw2lMjq6$Tn{`$1-d;(_ z^}F~w;%m3NQQeeN-y{+!oHR#k#TPXH{sR4{xgF2PpgAw4Ks`HSc2<*Te-@N`Dmmvj zX!-z=V2^{%4s0Vud*w`y@ALaH8R;xPa@@Ot^k z2YHQ^i1d8OHMp%IyxtQ)0{Uv9W;L78Ht-}PVCyvkgQ%a)dxOCZvPgyY(?nj|?;>n$ zyWarM-WvF-4Yv*!|5{ca_<4tuHoH2v6$64^B_DJSEG0$CCDgkw`Dw?we&_#@x1ZebpqA^rbB~&kIip2@?K8*Z^=G5QI0`vl{cT8PDOK$H6?XKn;0v2uG zL)-+Td)p2Vm!sIP`G$ki&dKE-oLRgd;~au)Rh^YO2pUY{CUU7N|eb@qC7$^eu68ljiyAHVQm^(lJ zM9#wjX|_hUw8}$1B0abHT7|9S8{=IdvbT;Nw3?ow3;%1UkA<8``G8~Xh=niUg%fiJ zo?irjo)Jw4cJR|pl464(} zBbmP<(=|LZyFkOmjyXJ)49>wHjax&F%{@{?hK2v@vi%5g3z~FSi|Wr~G8V7@Q=b9D zU(pQFlbgu4GSqeptE#=rq3b54yUpngj&%fU#&7vPi1e=av&n%lF1ZX(zqv@H3c-zK zZQOt=C>z180iL(rSL!yZ8yVky>`prj0f(iirp0mNy*$cKz~naW8!nWl6motkTF0Z_ zA{oAekRy-S)R3I^sz9J%-onMkl;X{v4R;!7UuC3YBUR<3bKF)D`Px=dFIrGP;fQ%h zLfjGce)BXdQeuD*aqXi2mh_SO8PdnRh)9oU#kP!Lf{B|4Rbpy_%gu!TTT>wk6@eAy zU-d-xoKWBot-Kl%oEz*p;xZ9jTrka!8k~}#I$rP2zl^EVeuoTG}B{0DStyq z%czkXSY-qTQIc6%}Fd7)#A7GhLWiNZBf#aqzWjYuG?5fIrCBmvoCQX0V__zcR8*l{D$bd&yx#jh#h|5s*eWuUF3uPLTpf8n|K%ZEqf@?vl zP6=R4r=ccG zpS4IwW~1^a{iOMxtnh)pJ8j_)r6R%1kCC<$aJ2SIOZYyPDwXbN`^6!NJJ?q0tTh3D|qg{)9)f zkYY0t$wntWrKD_U28y(gkLX~t|gZiyu& zifKd|>iWnAcSd@1@2WGr2Iht+=WZ z2rz09wBK-hf^%SCmZFW1kgzTH^G(OczU*5C zp@DL~;7pj@F=;BiR#Jm5zreevG$3p%6k>G<~nO zIHIZuW-^keI5q$-iw4ivP;xTupkrcFWCSx}|MM&x*Do{v+Vrs~&P+y8E8jv0{Vh5! zu-_G|dg;UAXT@Rn?t}>$Db|X0Ae*WJr0S4)y}Z_tNg1rl9p|_&&#T!JQd{az&%m0- zLp{c$Jn)f(Snw+xTw;V@M|rdB21#c`Wk%)^1bSg~Mk3t1hnWw9n5^u$ z zyrsX-h*#@7sN`B>OAQQf@kl+wa~~1(39B!{Si@k#I9D)qPH|xBI!oBN%ty&)Od58= zseZuFI$YSlmVq?nP)l*05j7;}?k!?C)U_5R^xARNFNYYzr>4Tjt5rWG2rfmjP8sFh zWf$Je8v_*5%%nUKcH)|O3!!+dk3pnpcuJ0x*MSFTovUZqn<60>63>ctxf*>U>@4}e z2VfKBgZ1!-3R#Z?>iRY_^OTjV=pcXncT-U1{Vw;w-Q-D2Gz9c%DKUe!)F_07eKJ12 zQ0h~n_?M_k4L%K4QA};xCxU|d^t+d{r6W(`va+B&;a#sOKC)n&Uv!3zNGQ0)18D*X z%?~Y>VH%Die!CMgCWflmdLNG-C(-DOkEodwJCk`=5li_(-hlMFbIAgn@MVyPLN zN?rKjdsu$#yY?Bm?e%VU_|+dtf6-RMdIX|s<)9%|uJ@nE;U+?TTch%$7d;crsiN;Y zzf66HEt5e-qzR}KAWCmT1DteEt=I#^E*wX@9+zfr*)O z2$7*6D1KIu?SDo^kdy3NtC2)SALw~uO=XOzh1wDZJyLF zC!lh@ZodR8cAhoP3!d>u;{ES<3w@oL6p%BCG}rd&%kJ<4&{zxo->%OyCYk+TlrrUX z$Sd0AhE{uvrE;2S`q5MdjSk{6ybO~Fv+O3~e_-%|Q)<7bg(6P z23pW!Me{xgVJQw=(}9K+bJVpp<#3XPhX*Of*pS$dbQ*1WrA@a3gHY>%o&k!BY$gq+J zdZ>p8{X&`h%M@==T2d$!mJh4q`vAl$M$Dx&?*(baNc z%`ZebQR06~iA+MYZKDH2Xb73c!A6B(P~a0Kkhz7yT!eJi~i#1 zyl!=I0;m2>1*B?1Kx1Q=|GED(`7L*fyVOOLbhrQ(kuEEn0v0Wr0Sgx$aaD086eaY7 z0gd|Kn6-aKXsM)B$0H-_jk-vYDwULUqUEJxunX#xA|@h663AAp7)Y{rS{XQ5m^_ zn1|3`{ynL^3S%ux`4@j|T(;7lgs36I8B3xAz)n;-m%_@~Ohw>|OrR2Rl?~GjgyvHI z{zhR9{I7@sni&G|7x)7kd|tE}4ce(fGs9d8>Yw|q=uPR2suJWv!eCOdC9DW`D#{p{ zw7@a^4pd$PhQKNln5n-xIYL_ViGhi*U?>HIs9U`x;0RJaKNbIZ#yMCWFS&YhD8PaR z3v-MLPX%(v3DdqP#;9x>v7kUZUfvch(goMY;+<*^Bz93<$L^J&2zlx}0NEj#n5g5qU08@6% zXBpc^jg*1wwIL+Q8%#vew?G&urv751tFqoipzx~%k#+dHSp&rJ8?V~jJw)jqI;QH+i39(35 ztjCszwiMb>E9E&}SlKYg-K3ldu~o;PUP8aA$J7#>E7nY0s|Sy8MI_n!EZ*}J_dfjJ zRCc2ZKN4+(5d(tq6NDy9iyZFEWB}LnM<7 zXjR6*#;}k=glOjr_e*%}WPAqi;5bd-yuytqlrXF!5gR*5|Di;aO6{vNh>ZRsAZ=Ja z6$<}sjS!ZB?D{ec_`0G+`O!56k7SSPBWo^$OU>th1V;7G(_ZkjSp8>H;(f3aElpTs z!*6q_kaL|7mmhz^Rm6=BfBzndA>j18Qgj%w(YNfv%&E3kF7p*4PMX>O5Du zIb5Vh+3HD165y41AX}-qMEbL~&aO{Rvk}F>-9H``MM|VBuxbU4!pPA&K>VL}fm3H# zT~$fbm{C!Al+;Z|^=&}I| z#r(x44=Daxl9_>NaTW?pvWtl4+q2Kn2#S4iNzXHqaB1$@Qpuu}Q#0rdk^KIxQ^H56 zc5#Lz)CcsDP>4YppTu(%Wt7|i9_J(`R)vz9ZicmANUbC!R-|drWEel_|8-+6e(kwM zhNRoKlauM9IvoekrF5P!m!v$hL(52kXQC!(q9hvB(qE>c3SUt_+wIM^>58VQ?x799 zePa}?avsZ-9ZhU4(#1>inD(bRGYLaEX_L5N{3Ufan4eVoqjKWY94AOwK8HcZX8?gJ z^U2fqC(xmbT&0PjBl>s1wuqWJi?Kdh>`mEWp>Ct?#3+q3Ma3^$yasGZW0GGZ+;v5f z^A;qqkbG5j-6qj@6wY903dzdcks|H@@Obt3JtZu1Nqej*M{X`@WFC@pt;o+z*8p0y zFqip&*9km0u$_Mj6o>lS{fP?d_@vrmDJQGp(dv+LVZY4WhP>Z zh*M#1frtAGdIWmb7C#TMesvWqwESl+E|fi9(4bIHpl)`$|DS-!wj--t*`UzeF;1x2 znHwrS1AVjqi6e|&(5T`ahKT9{yC!>garEF~ubc(>gHUn)+1ob7Kcf-lg0V4jgp77k zwJ6fmg7-L6j*U7YyaFbAq&g?)S!96CWE-bsWhtuO5BPrAYV9=ASua?n8nOKSAQN0H zI*1=oS2OrRu(8?*=cRW;RTLDr%Z;}?QFNmlQ-cwlr?cn3|}Pb_F4MV2u7ut4>eKqV?LZW zu`z}D?*XbG0<{%1xBHMi5BLdVQ)UsJ$R9DUBaDF{Siy?Hrs-JtrHL6Z;(2lva+$dR zG?ZKZ4yY1CPK!P~q*`?xO+IioJSGbFAiB-)4g<4|@QE!V7VeBxxEQnkDRLohiL5~p zjeNlVkNBvxS?m^)$vbnM7_LVY$Bd2Q_bL{HG~ts?06zqw^E8u^scsl$kItNRi=D-G zyPK|189xNn6gb#JXU=K)-@G#wu+fllJh6Z1mrRs@_t!%~9P`q4A*n@%+@I7x=Xv>* zg$;$t8xQ?(x@W@>sIr!dbbgIf9k?lOLNE7+Tf&wn(}kw*f*=$>#5Xb=Ks0XNyry!(kOE($4g* zJ!ThhR$~h_9#P6|k!PO$5S9V+bgVzq`@Tc70tvCytPA0LlU;`EuMj#Fc})=ZcK=x- zO0nzwE+PjP)+Kf{GHYpOA0=h>7JGEtUC@D$*q3)iQ~wR8`Y#dAI9y!H1C!6-TyhgU zpMlzmiu^J5?;!gjDigd&_K!g{JWH_vqriM6@Sotas!mxO(@ZY&X$Okaz8iDHH)wBz z52j0hmKsz{Uh?%qUNUfg0Xp*2Gs?I-5rrqz?|8^*?gMNNaLQ1kGy@YrZ0WF8xL#I{ z3RzzX%E_lGMRg^HJ8Z(x%REvxFcG%?;q*~tWvts1pCJqjVKmfXe}{#oEQtuc_dod8 z!7@x}`+v9$9bv2}CpVIULFzKvAf)3<+AW}pxawv*eY_dd=lQcob4;>n@QAOUI^%cJ)pLi$O6^is44<4`me z&KcQ9UUw4x9mZSiC=d?gtq@jZ6B>dt*)z_`hc9hwnpNA_lV6LEee&T;Tbk-?+pAj| zdlm(RE=awK zY%BCh5$rb0LkOB-GXult%ZlfEYP*-x>S z{pnQ{bRj7#vMECpkqk`-^)fPnmICfCRQd(@yWYRqASjAjR&O>m@_bAjy8E06YlI~g z+$s{{OCw ztUxe-J~(`oXc-D-^@5E5gJcD-ayZOx^I=RLG|L2W!f_Mj<%%W>3ce~N#z)7;JQ_Jc zm&-e2<@A}NT#-AWN)E#0WuR#mSh#Q^kTd|rjOIari~uraMFB+PFcBaHLLJ0$WfcY& z+EWP;>9*Ar3^U;>%%5>6f8OOuSuJ-@o{V57R1}SBM#y_82MscUDk;ziE_Aj8)5p*- zONd$}*bo2trV4Zne7Dm&VQLf};Nv5DVx|P3pAh?R1ZC`6$V$>W?oS-6&4!lD7q{$a zSCsPd(G=Sg-bV`WGeTJO{G^)%fpCYjRkA`i*&S|6CmoLpMcAfkg`%cP2=w&eI9j+o`xsYkdCRZq`^=+dPCDhPs}9`a9B0zEyfTOArQ zzFn~nV^LP_#Y>_;m}4z5&MgDBWekWinj$4Y75joL!fsq&VuX+il03LiitZB|KmYTM zGIsagCqXo)q1!OGnmrsjzd zNGGw2BU6g$v=eH&(nt61kxthPFtgedUc8J&B$E-lCmjW15&M~u+=ki14prH^#o=+0 zcvYkujB*?s(P(Ouo76gqKHs2f%Nk;bL5O$=WM#FwQ;-$v?j3WP7SsElYoWU!RbDz4 z;XKO>56@rj1pMC>7jE~Pi*9I4zQuR%zV6(f=Mzhp1QYUnK^`rJMlAkjlL|KF>W7Yy zn6_X_YJ^1^tJ|eEBw2)X1%@$Gkt_uo#LU3{<+9whRkOMwYeWeo+R;Oa6^T~?j<0oO z2~@|lPE*;)8=Kl{K^Qa$-E!8-Qtb|u*gn!yKp-}RfCogidz2A~asRX^RTYsBB#tS? zR=&ZGefRb>B%`qH)cCHkBjkr{I~)GG>Y0ZZ1FQxA+MGY8Pzbc@n91g&2m#m$$vcZ^ zXb3TlgeF09Cq`Np0?o`2ZH2BWS{gGf{!a?AMpKb#2(s$D1%oii3f-+8u!|oXr_n5! zOXNKQx)KB6nq3*F&Q_6N$|%LcDooQFHM5m%2v&{kS?6JeUr0UAD!hX>7D zqf`rAnkjWPBF1e4Z$(dS0tB&?!H8Le5YwI>t^t__i6Vjo)=gp=M8_NvBH}kgNL5Q) z-Sq03wx*VOl;dI!>#0f}^D&fZQ=9F=Cbg9cnr_PZZMN6v;q90JCUiIHP_1!HAQE7F zl{zP5)rN>AWdz~7-Vgo zu``8S4U^qVu@t16glS9;Rz{=2Qg;3*BOj~l zvWUTF&{}p(oW(0UhV>Z$97)ADO~{E|g3+d1M9Q_1YigiQMRGc05;IVWURi-jC^#B$ za-Cp>wq~!eF8~xR?cBV4YmgDuYiZ`lgNMW+M?kZNkc>w_?TiyZf=Me~24pp*m4Pn7 zP-Qh;hG{M|42=lPtX~W)0fM+9cU%aCK&>JmQx*{v3^4;Fni>JPde5(?sHOu1zdg{c))O44R7^QQBx#V%C~kYo_8r;+fsVA@=uh^(+!#)H$#Zz zG*$NE?T+a(>73X0-`LKk&Ok*kH)uhayN-mp+`}$op4^b->=`F)>0vw%J7;1T+4FSG zugEdTLs*w)bU*{SP((}ouw&X}!{Y@dNmx?FxPjeJv@pwHQ1eX;u;f4#wDfx~BgFRu z`h4Sa!(c}dP(Kaw+0IYnc96nc5t)JsQ#4}^+TgL3mXX7lY{wmm+)k;0NYjZ- zZ>3YR1jQRulv?Li2LQ+j(*#qPCKsD5wMy`>d?uuUI|G<4Dr*&ke&I$Ej7N3wN`e3P@7LWE&A{!fuQK4W%$ zEgV?NAYN#aPec1tVXG`O1uW9}w6Z@HwxY^4pEm46(H5p5z?9tK`XE6gnIpdgoMESl z&c)db_T#9t@+}4LrTNdLuGdoMvDD*|7|MGo^?zTbO{#E{e(lyaBKU$)qF@S&tO}#~ zp5+Dg1$&pu%3)r?g&g+9R_D6#_RX>(s7 zY zX-Lz()~P9NYL49Yf?$*)BNIgMMZw*1a5R6ivH>@{^nk8+5N|sc$idMWy1}4At17Pk z@U^DmAN#hTvdsz#%%iw=#W9m|Y-Yotv9_(frFyPi?s+TYhPb6DQ|c`Ui+Kg6W{IAV zBAx)uuG~uYOAzSkDd#5M?$vYvce)K1Jl(mUlLpvl(1U`4XQeRhbO1YBNSV+W_{Q#K zPm`CuoRC!pxA*R{y*ara@CG+U_EJk6q#ZX8Oq0Wwp&V82EcfoY^HG5qMXQ8~jU|f@ zAaQ*LO?xJIEt0?}Pbihq_L1-nm6CTVSpQ+XkHgRu2am%ye;iQ8$1H4j*}ne06^_>r zpuaU7C}!(MKj(SXvlaG4Ug1z|8N4FS|6 z$S?jt&-{RZNsOdj>1Cb33&r1i`gp9SPeEZ;D@>u6<{2>d+jh~;=;}tBe}k{Ve6rV# zS9DXkU9B>j)RYfo(3py+@&H z%7)8z&|V@ZRVZDo8by$^j+dts-#2kw6J8B+W@|>k;0u}%S;@v|o{`3(B+2%>R zCRmFrT#MVL!Aamul+o@H(oYep#EW!i73Lg3*>Zk4#)>@_2db>P97%{94y4{0b`^Jo zG)W>h@(TCrA$78XPE^#@9`iN3y^E}P&wB)A65yn;eXNLGc+iO)iEC3$HX|Uxd@xXz z`UQkM9oQg3A=@p9S#cFS1`!hvU9r-#%1ykQRLJv=>-NV|`Y=!G;5N;q)Ds{w3?(psr}SEL6?I$TWHMO;Fp%-!5AT+@sGr6omS853g_ynCBRk z_efYEGS_3K*VwP&A+R{be$lu=yKV|8+o6Z_oHr9sulW-y@-Y!8yv#Ck#^VhTN=2L> zzb#TRAv)9~Qc!FwTjxgY3B8*yrSfQML?-UQTh#M~261DbF|$p8qa6DzTD6^4ZD%I; zF7qviImQz70LFa3#@W|+FJp`sA7q@db?-P&a=Iec7lb^!*Brzd!wuL=O>Wa=42|^J zT+~#gDUdt`QQ1hdZ9-&0uBu+$*nhR159qk zNE={I8Q~@XMbl>#wFe@`&|?Hu8bjm3g-C&*O7v&A1yXBgV%g4IYpZd`xSl~j631O! zMg=%oCl}6fk!U0uVfnvZb}6K0kiE?_!;}Ic&?~+bdj%T!OV8jt&;RJ#a9IPG62q!0ftC@5D4fgSf>&hx7MUpg_j*0#*4ZD~KQp}yUH zk;AeM!vyzg9v>Ya3-+gNL-ld(Z8KYHtEaW*frv+=#Ua$x)V8+v(zvRZwyxf5k85kG zZm(%-oL)C04?J9VSTWf1tYTNuA)2EY|Ied3hdOHi|T42h}oGGAeF6;`k;`&V3tn;-4=C~0Bd7U6R z3IJ3|d}5$#UBG}ymLQA5OhYNV-Z}DaPp%-sb`(>dioiA|>=IZABZ;^l*s*&|6X$#_g&MOF#`$_NIO?4LAZx$7qYvPAIVwPI|eN+^N^`{AP><0FQW zS!krWV^0CXToL0)@KBj}P!%AwE=5q45jr6d6axxU&KZas92r!ZcT`Sr-qJF6G6sdLooa++Y$zuVB31^`(gqou%bCB6B5FPU~WUf_dETUeL9uj3Angj@Hks zl6SN7R4q1VLR0-FlD|ppfUE8}$Hjw|4=iALZ%2hJD?0(i3r|sORC4v0YmJG+0~U76 zXyhi-A1kt2q*K@Y621ZQm{3fGH$MkV?%q^GU6bmXxvr0etKrsVvOZnN%1Vwsk=58y z4(-?^c{N69I>mGu5Eadm?5#E0(I(1vmI$UWZ6&Uat)?J$l##H9(3oZk3Ms%8rG=_{ z>@p6jFHbB{Q$D30)27sn6& zxRt|Pbci+AeedQFg~3JRv^#%Px>1XUW5+a1^3)-{8gx@j%I5Y)6iTqg*n z;)2vlUjJH1#RQmN8jD8g|EkI>;-zJP6vXTTdxj*PB0^Ny%s?e;-+>fag#}%b8vJS$ zi9|p+j73Bm^wBZo^dHyc(xskZm3hY0L*H(DnG_v#A&uZ{39kr=Iwd2L|Cczeb3G7= zpbb)TH{R34H_EOiRJ_BA36#i@k4HDS`)J?NB#kwX96i_SC z`vUs^I}R#^`hXK)!GL|t-U?&(6fuFbC!PSYD2q-*%4X2~`*vZfpd`f0YDg?`n+H}C z?<@W`j$pm4THQ^$`B!~x6Pnd zlL0CS+oq8T&;kW%t|6PSi7LYBEruFJIyvFw6JZ3j+Ex#;ibsN&TePpS3}R-2BpXFM zIz#5LNyHxhde1D%XhdwsN|CCS^W3dDfX1e_T6dm6Ijv$G(1(5&_=2X;BZ}{=&;fy^ z`$D6mnCg5vE~~V94I5jaWT}#%inc|W#6xbmCR;|e;XxM0Dd=8eZemKVG*sfTVbak5 z04PwEp=#F4S((Muq7iBYF$2RX#0Jk_0}QVpK61wDNy%6w41+sT81+HQi@?Bp4Rgbm zu%|nEgoN%IT&kuMM`U08h^K=S@@KOJL5$^gqgLtH1>zcj6?1IPsEqPq@pDYOYCNJ6ungF z1xeMoHkhht$)d<91nAOE`m8M`Xh{zVai>vm#0v*IuqmvGgB}(_49b82b9kPbW1OB>aoMYvSvk%9|jPQ;E`P z88N;@;sGUdln2bRRS0>@M5D1qY^K1HkkMB*PkI2vl2)oIJDX)F1RC&=h{jA1NobS0 zW{gnRs0c+brFya6kfNqgMAj!CzO-?AYkOUD4^PM`+cD8;c$5YjFfmvz38oOVKhbz7 z_Qxdo$v;ahtV-W<3IItvuu5;W!`===K^H{X%#pBO4wLS46Xc%*{F}bACTz%J2KE{o zsz3dBDOFh^IrJ%Fhrg^3az{%&afHa2=4PPEw)KpfW{|YR4rro0sf6rr9^xu3>a7Lo zNsCU~MK+j1-5tP?Tdo>VC+A33c`|3B;N+K-!6*ajiXeK@UytTVxabS9yGxI9 zE-jlGD@nuyx=Dy(Ju1h9ubkR)my;;D(6fCqLU~JV^|XfCNLC8@@G>fOy3JJ^?Rbss zTi)e}+Nmt{`~m<3@%jf7Ajq`Q?JOf~u&kh_ZfJ|4Xtv7|u0P57d6aKul9Ic<1LjzR zqw!zwHF32t{+n7mqplG&x75w4ZmR{eYUh#C1?ti4Z}Q{?Dk-XMoaR%_rx#Jdl3zQ_ z3bMjRGi9-R4iQ<%M$!xm3<-GIiobMsl04YV(fg>KOBnN83F-zE9SE7d8ck6SjSASoB`$4p@g$lPODIwZ740wNIMUQ z0Pza7-MVb#ye}2~V==bOTjne6middb`IX&*tk8v8E9O*iWSJ0|PH0Z=4DzvEh-#Lh z%x6z{VqkS4&(ip=O#Tk$Ei@;kiG|=y)6`vYKRrQ3tGI&3$+p@?H7>jb((nND3Ollh zrq67ZC0MJ9Mvmy`XTe;ZeW zj1QTyBR6VUkq2wujch+8x|`*p#0fUt8**%oMxRF*-#}fe1mfCSs0-u@wHhZXwO7km z;D!t)xr>f+wPBgcg5jWFvtY0cbY)~Q!&5#ZAmvmcD~t3>ieydY-o@+&r}Ee~qg=i! zqe-A^+LdZ4N*PeKg6@d92$1a=0ov5o|pn7gAo`s-F zf*}E>Tq2NW%&ILTiiMG&Nrx)2vf+3203-f|vk%)QG1bm%zx|Y1xG;`_*4H|~m44Nm za*hXuperb|wA0K6!_2@eOK9M=!3c$T!U991xfn#HW>+;JsHPm|J-W1U6bvnJ2htDvN7BbN5y}(|Yv?tpiB(igpf$S-ig_r{gq^&G zm-wX8%(v7T7u^XjBi_$$mM5{70G2)xEc*&!=|gyWcT%&l@?G&zYlVnBm-81dVqQy% zoRAzc4Gx`^RT8e6hO(ow0pVuOPU?Uv^M_?>)Fh@&DFdPmBTnpHwSmG)fYOR+sUI^a zo`jWliMNR==D5cLH$I{Jl?7g=Pq_n0*!s3QNy2tZ%bnr|6gzH|QOwL^ zw=>E3rq;e+mKGIXucZYQQXG~@fBP^*%=@U3W?OwLmT$$3pr-kS!Bi0QRvSg1u~_6F zYI=$270lLhv*6z>7?ABc74b1g?WcczgP;m{Fk{;4TgSNbw1oJVw)$3gdB70^?dU^z z60(O#m9d-=^xDpzszuXItKa}6YCM|7XjDx#O>BbXG@UQTm?v=!kq(kMJG+}Cr&7?s zG63zbnPpvY9?bZwBUF)Pa9M+dYSJV^w8?+*k+4**N|X`Fhf5s>+v-~}9E$oHJ5+=d z6VcXuxwU#Om%`$qL%e}O3UlRngM-)x?I7VK!NRC#(C919A}kGxrow$N*+*P&lFMQC zC=d=~%uW`Ch-jD~9PWTQ{DZv%L^@!OWOC_sSUfBV*$xIo(4-4qQ#}jjkaIO~Zvz9` z5s1iEsCKU~y&iH)1~wMZK_lE0_Tb=q2T}y}n)jz_r_=t#SlXX&KeHYmt&H--j^7Yd zuGqbKasy9#| zwUUvERf9mn8;P=JvEhjsO%|c8G$rARsKg*BNVAPU5fR%&`d`B&$~}^e$I&gYAOVVO znu?tnlMSW}6OIfXK!dEx7z+^|0YTF2coBRqu4b0MPL_gK@Fpn(g0$E|T#JZ+3h^ol zMy`ydXv=DyJc^W|S#B3>h;m<%$=+hX$2y-#w*UKi7VDRJy@V zS>m2elyviwfX{_1pJi3WeB8^c;yb~hc<;LzgDT)qMOah;kIG|GzFf-7riyYY8#RMm zYLH9qAf@7aXpl>N_qbF)*M9fpQjnVIaTWztvmZCAu`#agNY2!>4o+Z@LrW-KrO;U7 z0Eg&XhSF*pvS{*P5tI$?6nBGEFR>f3wr}|EMNu-y(gs=D4wE&gnuGl8yU5S_UijUS znc2xK9EN5W^@FKZ?2P`;?r4w+xtWlImhTE9`gWL7m)Qs7?$GNKsdw!56@+9zd@ z<9_!zZhselcjUU73bUF76^H5a52i9l;o;`BeRwyKelikF%x6GXJQ3>M-8--5K5QH}GV=mIm@ zzVB^h*=33O?Q(}%znbxH!pAlg0*z@|?GBKHUI`!e+aY5bJIxMZZ}V-^0@E%b2^G%8 z@K)fFfeffCvMAKhh{br5XJxgzQ;-$h1HFU~Fi{ZC2vq45+3A1Ak+PJxz-D7RmySp` zGY=Wd+hL?XE!-|INH{EfNJ9PT%9%>LOlzsU<_xF=MN)uV?A- z5EMl%i|Iqk708K2H)^p|yo*^5|DbOg*ZySeVv*pQ4Xryj)k>wH;R%Zv3IXJ#JFIK& z9LsVrf|Mepc{n+m=z<0-AbZQ3gaC6rig)(*fcdVb0t}7@zrwvcnU48s^=6!Nr6$B} z{4$jIRF#p#(IuvVS8}B5GUC37><1P$MB@91XNL#mKY155un!4cAKyrEjT-UZ7s$Ii z_q^oWmXcNp`H>;O94-$;fa_VAtA{?1oV)Q@w^dR zaoRA_LVra_v_)@4`?-=;^&BXb*YEvuK%#!w%M!2yg0e*GWp>s@L6U#~7BO*q5dlHB zJLXgf2%xoY#<8>O+DQBm0udkJE(zmJ9kf^(+?xC#FEX4n0zV_bjXS#C<+KiDS9RXNdriMPzSMzB({nZ+e?<9C>Smm zU%FQ8S&9;0MI%AK6fK>GhWijOuVO_@vjS)snn8Y3@b$Eb8@zpKbs)C%{~kNGGXEMI zuj=C#8y}zFqzYer?ExYlP?8RaF;HYm&@kLg7MYS}dBWr>uoEf?&?Oiu+xm7ER+fl^ zrrE^2pj+1v{VYVQMVJ2PONs3Q5&Nv%pgegASOZ z{E;UV(JXQlJMhk9DRFI5peYi_&-D``U1MPr-%#?0CFG^iDLy(kQ~Dna(gmK6m9IdZ zDx1y~o#|;T;^%7ruPcZq2 z3lLBux78wNCpzK4XYn%UOY+*(HD4%%^RYdv5+;&Dzr>zWhJ_QT|b=&QRlAaL~x zmx~f0Si^G-+KK3h$Q`WLL_rBM3nS**-A1VsKR-2g0C9dD-!&=M`w+PBNg^_rgts4M zeSBqhNa*6J`fZWRPw1jzm+qFf*zHg-($H)!{Gc0}sfn7B0BtqRcBw}^BQtG*xQt(H zJqpqB(Xz_Q3OwoY(ecr;@$3heWi%bCC?lsZDl>MzjY7RuzH2@`>G^SIq6`Y^ADGI@ z3O_is*p83g|6tez7t?B+TWV{n+iIsJ@*ZCt!#FAz$|~MWmT8dy=;V4!Bse!@l7oa# zE#w(X-lzOl$eu}IGyZK?KM^^Gf=u`P?aev9bSaQkQL!Wlf{b*MM`x<1$bT8gtBSWa ztyumIKm2_2X`;Wa*~E9%1~7=F`(P6B-R@cNTfH~FUdtAnP2kHScXi7Mrp?lL>}5xi z)-{Q+9#e6Tt9aGGZLWOU@Z3oQPo;xJ zWoBKFpT(Ueg~dqh5@a)+(u}Z_B!tkVA*2^_jUGL6r|6LN0B$f{GdO5=a6%zQBlsgN zOTlC3!_ttMHel&e)`E;$7yKHI{$UDRi_%aZ<(xoI*dV zgq?c>E$o_>vJs%SLmN2?2oBqdU=OwRd)E>BZT zFU3`r6><7{n-vTeyWeMH7vzNU+v}K%w@?ESw6l=BhZ^!hKz`0OgGq!k?2+lAr`6Xe4t1w*eHEfix1_+1t|0kfdF9zwF6A zBdG2vk#~?rO>MU4;)J*lw? zalmC+$t*+hw(KHl<`lUDy3vg<{WPipOE`kXJ+`52=9Z*@c=k17UV^_MSH5iv(V_B6 z-p)yedOKEwOSwgRMD8x7q$?pTBAroKc|EeGPT(sx0!M8XG$a(xOB#>Ac93*wQZkI2 z&_d6!`wxIOqaQfV2QUCbA?IVdtiU7`%))2z0F%bK#R+*{BvrkZNHS$`?%k?rX%qo< zCJ+#^vJg2dA&_sTfHGWp3?;IKToy&Tq3O_2a*+V<(bsCQfO~{_^?c6eu&f~CX;2Z6 zDT@(NE5{8`Id4ko2(uDOfN_!7*hrkcisMnwHk1Si@?VLnXk}%vi2BKOe=N8?dhU*% zn`79Os2zaNVdWMwh`|F?J3$iTEeu^1+_tBV^LZ6lull%j1d87F*u~ucx}JZbt16~+ z`C6uJZ$%R#6KIyHTjtj?;s33-L9sRgXU6lg3fEC6S~@MO=?JsIkku5G(R9JgL`Yb5 z_qDrN(qa1w3VM3V6)j!vIz@dPG60rX(1H=9Ynq)v+ih4$aGRA$qCAuU(Q#ubZaIvI ztm+nL>0$N;PEBe21qhPX8Nqg_r4r!qr8V_Ut+fe45Nu_WU}lg@O%vWB92^;OMv;=C zBDp|vkq!hGrwr4{TCZs7c4kSMM|c6-p&W)yKAd54i{GF-HyOv0i}-+^9`e9h+;_(I z{VeW4LWMna~7+n(_a!_vY8yZ$!=(vazz`e4w=finO#`#r6rLsher3I+mufz}aeNeGRwYuQbyVr2A@LP1(qrA`O(U%};Q zD@N(CX7sA{4R__Xnw4zdc0HFyUCLIy1j{Qy!9+-~b-&n#3cu*88Z0Wf$F7))DCBrCY(p^=jtZgOGhChnW+0B@ zEfZ%*5`5!@VQ)orIUzoGR53%EIHEfP)efg%FoE5X(c;&d4Cn+7GIj_3o{HD30e`P zljKhq9f@5I;%o@bq%Fr~*|tkgRhgCniYeH7*Ic?~Orw9>1}(PCSJpPb+;j7D>fNyX z3_1Fw+edx43-o)E<0{+AEEOQY;#$O!>1OBZOlQRk&ul27cxK-THQ>vuAeW08&`PCO zHL{Rzd1wqv)&5lv>-O?JK9{kI+YI*7mhslZ8SnBH`18fa`<$WiK5t~a&k`7~Ccs=V zTpW0NR0=1Wb2Os(`~hJNhG`gz+rz26-Ir6q~$Zc}9&3oEP8eQkVYl#RC-o9N(34C9kDH(@YE1s#xR5^Qj0!$?MVU__^ zEM9SCWd?Lgz3?Y5{pmIflK%al&dLfpPGRjP0)@d)Y2@ggsra^f>_kDOpW#%W$PKE~lB zCu5Q-9PoweWL>eG@46rmI|x9gfg_%PID#S%ozY;Gp&sTwII}VkVzz1eyq*VM5ICx4 zhf^n}frGj4K&6g2#o$lJ3kiVLiXR8^Z#iYiK_mvRKcx=nc2<;xQ7j3z-&s-nsXL_9 z1tYR<_HN)M**jfS-`#Y#-0kL)#Bs)Pp(y+}+;V{L|*n-p=0c_SW9+(?9jM`rCWEe?t9bced(D#Rcb2{X5rH z?A%xKtgIl#CD_JPwjQTr`3`#Mr-OHIogqyo9_LDB4JlsW8!y39!U?F~f()q=$2h?* zM0j9hFjcsU=nc9N2er5ah z?|(RbcT_k-65#B#)m!fhPg##ADMW-1NP@MIVL6UU;qGMFXxmLJERhv-pcb@XF0IWc z<|79YQo8O44upfUjZ?vOa00RyrHjKk;;8Si86?UY49dhKFrYxk6di&K!+K{0|sqJ=A|?V-SwOk3iKffUEtzP83Psg9!| z6{MC#T>EZ@(*mXg2-&23c>y3ole=sT1=n# z7ie0XkZZBX)tVvVZdq}XHlL$#%3C{93Vb1?iSED6a{xaQTzio(29jY2A%YCjL&89W z2>V=VJH z$TjgQPY%VXXf-0zf@82Fy#~0BjqI!0{(_`JD3~)z)Z}fvq5^S9z==1&A-$2)Xm0Ut zrv-;o+3KxztGB1cF_p_qusZtgSwD>BV${hoZ!EHW98OZ=+Bvva8F?!(%jzclb3Lio(Zy+zUCsANtx+n7=#h!65AjOwCT4JyKEp&7DO0Q7@t5)wH}lU7>`Ry4F$m*Sy}GpKO_ z)n1|MP66`a*z@J~2eLTBJ=Yk)8XcaKyI#n_a#gMjXi=*ph~5~2j(3oysel6^>w*y$ ziPJvD34vuBYI*dA+=nGGH84rAnnC!i0jT&mq3LK0otEL|+zbL%zIZVe>qzhYl1fEc zC93v!G*=;Mhf+vLcp8v!X=qiYS;1gEu<34^7RlTF`Pm^_6Q8!$r4?s{hXf9WP1pE6 zN+;?ojAJh(*HY20iW4cfT=WLxSQZAjULq3|s&SP;v_qqCs;S-UB(4T|mg=Zc68nE7 z@(0$MlA8H+B3bqd>Q%niycT1wk#Wr2G8GSB%)>wqp3+_z(}F^5M4d_(mDeUVk`$HI z$?$nZqb?qa?IW>mLu{2wGgh*doHkidP+f*#2eG7mSfdZVv04`?6 ziVu_b{*RyF55t{hZ|$%pf;fw|N^EOeLI;S-09iDdq!9@Bqz)jn`A2JHh|2DynU*o@ zsO3C8cRvex3q2C&K&GLsD7d!p%7N@CndKD0wT!}<8Pfn*VZ?kdR1oCFv1)S}k#@;R z8req4y{sb8f{ThoJ-FA=f0AfadDu)yWZa@9X1;fuz1Z$(G_u39AAjT|RJY7CocMx< zkMKU)>vvjRwPEJ3@RXsD_&8$tJr{QXSk=UvyocLn{ywe}O0NJ*@KhZX9PUFv`ez3Q z*J+Ev!NpQ=Lc($4h0k;CeE#I)<>{NFlTXD|y6w-Od^|sWd-VR`{N&Rw9q$H6hAN^) z@?F!v{f-po(r6#0%)uVx&ZfdlP$C&^m4uX8QV9{EcIjk}1!AQb*|HJn!z+Btdn*ic zuw5^H0Y?MR$+^F3&y^ahDYLJS)W4Zbd$qDJv&ys0t-$!*q+DgC0&~V$ZA#C=FU&4G zOWUU8I(x9$_0;8TQ>$$<<^~Ck(OZp#Xnj#WOyYaot~YthH5YIiXLdwo5}b-M4C*u) z+ZCDJN<+JxwjkWpE?+Wol5eJafsnMI|XD?l*S?T0*J;D(3?p9P^ela;EV#5vaFs_ElM5w zch|P6mLU=T{crSSEg!3jkxK9)o4Uwqp!X@9$O>Z6?2-&S}!Gxt#uz0M(-IF)% zoZ~`U8xvS)f6agoR^*%Pg>%HXHwXzElW4@p_>d%ii0SY$Ntp_RmWUf~g+<@|CVbMl zJ#WA_q+uWxGd@&(Dyz1w_;R)oX+(wu2lCyqG(?h2{V?=KYR@q3PM}h2A&giHV89cG zz--v^Fue@dKq|Ygk;FF8F-JEvS_Lt$HymQ0=Z#-vI@h)#ozciF#0o&>CMmW<IgwM9$>X=7`Fr)0Fc^d+KQfB zqO%0RF;y%!075lUF`#RvIb@j6sSQ^mnnS9Emi|p$9F3g*48Z{%_hLvJRitKH6c+cJ1b#KvH7PFAaxDwugUV}WpjApY^hyc22 znHGQfn23ug zcwj@QfsC^n2}7HG{S;$C%F!ws?3lZEE+e$U*s1ANqe3-;9!zyyYgcpq$d7=^p}(FL z+mywoJSgf@9wSuNN2sJBzC&EgZbe*6EdhCnK@cIKHr+Twff|w!1F1T{Jbra>czJsM zlRR<737bm_%6w7E%NGEiKw-Zb;L&MxAsJ1Za(>PB`m-ZcLwpoF@HCj%OZ) zi?Op}X8)?{>>xcz^@|2Vc1cON7`8YCF4qh$r|39hWHjbr1}cZwpjXoD+GS&%*3<>a zf!WQgGKCK5sT_GklMId^I-`sc(E@2_ypIArNJkq09k~HPJV`X#5HwdtF*Ri>h{>)< zs2vwpR?v}zQDxXm{INkow(C?JqgdX$Uv{3XGZGmuU!b@*O3NLv^e_VnUJn{PHWxov zNiF|I;`b`(*Z2F+`p>p9l*SV39x5a6752%YU~u(z(6I(&GO^TGeHsSptzO!zqTj1x zZdc{rD()y~f8;BE&A1t2Mn+QDE0(*U%TT#aUA?fgMLou0+)LyON4t(Vn(tAUv4Hxi zF;(g*HI9?Uj_8NM40f35r`5ljZBQ7n8=73391r-DkG0)>5en`cU zp-L^97zoY*1hn#dLkq?IK&o#lZWwASBI&0ApA8hA?I0yiMaDgjhiS;Lr7EhrHsoxj z3Cj*9%&_QVIz4W;ElGJrp0UANd7oLBW#%K}OYvL9BH(|vVi`Pzf14hG?W9YOtmI57A-rV^8 zfKo1YOl-e(L$K+CEf|7xOXV1K?09$k2!s;0jk8*g&0(jDaM}&QryVa12)9B|tJg}G zR{mg2A8ImYXnf{_b*U>wytY5W(yjSMCW1mZ_*VQ=lcu80*4J{wh6#9~1r-_1r*f_d z=AK~bDsq`m4-d(e^#Nf2KWC8e%?c#xxxuHcAmKAs>m@M0XwCPy z7m~+g0&8&87bDKK#;LNNQE|8mm43ltdq+l!c$=`=f-VY@$SK-$ zZ^2egrKzRRMY-|z)9mUlb^mdK9iYM{Xe)`bf~CW4W@g2yiQM}4moE+#axqNkyXnQR zVeg%n5bx!ncba&9s4qvLdG->nBX6VbF#X0AH2jcTM3ToraSSjapclu)PujaWcJEJ zda{sN6?97q=zJg|rWhgVu?VICae}p6sF1b>@yfXCqny^dtJT(+r*RfYMG6CJl`kXA zk41{(Xh>g7;kMUBYY>ap6&D4&;_kXuS($>*EIFX12g&DCKn|JA&@QGjLX8xE)WDX> zk8QxqlvzQ^JW5MfGBc^nX4XL`N0;x<5B_Q1=X7P-5OBpl&%MC8 zuQavbAf35+2%7AqN%(y)o9>6X@>z+E>L^_DT%;YfmBp=)WdQgpz~WjCN@cwX!mzX} zRQ--v#}4NH<97J++kuTM%)%bZ@~y6|+}^4JtF7TsovoYvT=1$_GhB)qhio2vI~O<( zW(174`t_smdMOI47g zQaQ5p)iRW6JKIIy4qvN>raHqtm`^q?yxK)&yIPGYy^=Sj=JHiqow&N9a-w3532t4X zowTO9LXy&$$5~)pbyg^B0|yy%0qs4CBTf>_bp^???)vi#IhM4^cq^XlEu2bO$&9;iT4I!q9*#u`Z=jk6I`f)L9|* z1OwoKcMn|rr4oi2^Q7f~wODX1woQW_8i$W_J(r(cDa3PcC!ulDxakRwHE zDalp@q+2WoM?tGXKy_e>SXnV{Njl_YQ5gg#9&wnCNTf}?P9v<`f5om=A6KPf9@2B8I(7z zLGATW8j)X9tUwUO!c%?H&XgMA1<}Z|A~QDpT^i$vu@EIq z--$BDSW-*l5WIMf=a=cW0;Pmj@@8`&y-K8?|YCFiCbzhZF*4sRRp7 zRmR`NDxbXBsB98;OI&<{RHAWZVETWCZff*RbTs2x+DwQVE9RjD^=UV+JO|2iO!9jG z3j}@r`>R8v4PQYYhU%BZ4O(6ohQ^@>YA*C7S8K6DH6Qmo<;$!hXBuw+C>1zAel1+F zhVYio{<=fijXDRtTjWwTni}xL5LY+%MS{4g&oUb4_nCc`O!{6Xeeat9apr<)4#&-X zxdAsTziz3oTMcd8s&C|$I@a^;{4J{rtS_wCd1_j=)PdVEQw_K24K<8XZSK>E(GY_w zNb*Jza;-fYkD5_JfB<7(`j@*wM|?85Mg!}^> z@9m46;C0kUXs_mH{b!rqHhJG2{OkSY59db*FE0v3Z1wx~B^(|eU0gI|-fhTh)qeD^ z%kzWxho>j6j$ao_m{s>8SxugkBT;{2wwEv7pPin*g+3k}ULODBsE~ZKI6iicGR3o{q+9g=V6c5<6{|Mm1bg7Z zV9lMXNLb;cADs<#NSv6tY${FI30)=z{;0OOIjV!V_>C>R8z_-N5SFqE9&WTYK? zN&{vg#sPRJ0S~IufT|d8WA7RxFHEo(OtXgA#X+Ms@~z6ic~>{=U=T!GEk<0>CGQHT zo{s~-4F(LoQhW3BJD~v?PP3`iV+4H#Do1Y=P_V}BZWyj#HejGt>ty;ulETd{m$a_W zKvSzaQd}ekaMi{+t_Llj53syxtH89X9ROZ<5IaZ?r52A_a|{j-g4vak`3SEb6%y4{ zYV~iw5+E-Z>bc4RvpN8DIp{2jUwIP}PL+!6(4ZU|Y?4BXH5$v2-ars^*(|N~Oqxhc zln5m-y#Uw73-0+>8vuKVlb5L%!V5uB&ZW4=ywgR^^2BP4d=;c#C>U7(s<)DZQC7iz z^Brpl_Nx-Ac;+?ZBfc&)HvjG(pIz^C|Fa?gdTRdK5xkXrBgRO5mG5@C|GCdGBKg48 z1#romG2vK>Ril#2n!diRr3y-OsAc44e8ozAZU<#vw|pU_&J+lsN;l36aC}9VjGGDdMtBp|3`+>mtVy zETRN`oE1g=`Rd19vo>;V`XqI?GvkR@g^85Ml9&-dogxgK&;Wzex|Rb0f;JkGTO5EN zk&;D6D&0QX-jZNJsuvoNwSd6-NNyg<%_F&aBsa?=H1n@*wR?ry@%5ai%IKH4!vuN1Vbgm_nDQzwPVZk2zx8!LFB**JNs z?Vk^cYV+B{hNAjfG0W~}ncN>@*#n2R`#KTJ9?&9bz$^Rqi{q79ee2dt?#c=}$RZz1 zyvQ5j0A*H+NSY}EhX=NbI@h_jNV1KfE6YC~YJi;$boP%!6K_G|N157{NF-Xqlv{MA zu?$mYf)I^jtN)tlvH`J2YwwjsnMB0StQ4hKx!`WC3phEwJhI~il2IhaKq~qb@P!Pa z2ZHa3cZE?JSC%GQ@gn>3uSs~3H*7q|K^g^Ko!yYq@UDV!>e^GRO-$iR zBRL*ZriA`SD8v!L5r0c2L}6-4gc{EuV`s=zlUvBUJrv0stL(7;z^+LA5`sCqubbJRXA zwXn7}?}j;S+qvF0Q?i|<+ODno;GY-hV!KpLE^~E>$~e^2|6g$_9E5aGeq*x9Rx~7N z7^DM{8odbVpmuP|1zOU{in$d8ZIB}&c4$>Y>T0N&Hq~uXKuKy=QbEySv0lO|)KN7R z=d)&8?NuS1y?t1LP{vxz$3qqVxgeZhQm-kldy&q=erqoWp0^f^0pYSQbdS!?7%tcV#2jaKXvhJIb{V{IDhH6t!o>Fa; z$zjDSwfQ$@kURM{ha&`S`sWx&YFWQNJVS%jzrvgqxDr_38sci?#}}pWq_y3)$c7TA z+W>~zay7v*>?0ECV9p@oO}P$rJtQNvmf$$_{9O3!bsdCDYKZMBbHce1;p21w?15Y) zU|7$3g7EdEEq4!4a&d0?jJ@9Z(ZS1iNA4t8sW{6d*J+!po*2AF^{sF@l6EQ|bH5Nm zT`~XNebiOb==UljY*Eu2c7FVigUciI=IAGQ`*ZX^>UsYB=LlXMoxH3_R#A%|3eN96o_Hiwt@*zn>^``} zo46x23ThC@6#l-3%$9yDVC_3cD>mX8Cd;j%u{GW2bA}&H(l{` zb0undfsUNKuS|sniB=n+P?{$3qPo*4oaTvu;%bd|ilj3c&?!=HR8U5H503oU!n_ki z>V?dFkn*wMB2>T^IKhq~crc&J`>2T}EY8~i#|ic`4=gB-sPq;^%pwpQyhwR@wj}|; zYzU&*%{Bi>5H^IQTIM&y|sOVGI$|365@Kl1%fOigrhg z;dwVIx!sLwcD9(!*WwoIWxr- ztaH#Tq)E!~51hvq?q?2EbXN;#vS_Q9QsSa>Fe(~YczHEpGJNI*3Gh+mCsUBmzroYv zz)Ay#jdpLZChSn8rSFslU(@O_0u)GcmH>1iiAMPWmw1M0f=dggZ>4BhQb=mbUnMl+ zFCi+WeZXbk-r(t(N0O|A*{3skuo$n-maAPRI`jDWf=@#%LGANN05tl{OSpBhR&Qf3 z;YTti?1l1vZMi?peQ2ZpHn!1leX7i6*fhCgL;`Uu(@j>#kv+8PRc_Ss3)v_V?QDf1 z$-t(Y2FFM=W^Q3|1GPj6;M!W21!{rXVTMYbm-3a|kkQ}lSKnKCRHU-5)2+(Z?QWo( zG4aPbRTL`&6yxdnCg6DnWJ5KZkkaS>V@#aoC*=-{6hq8DBicu9bia0yC!{pM%`1PlKMoyIrKE@Lj&>(Mvv9h8A z79>>0V({Y>4rU4aV3q5IA@#KfsYsdKg!NXd3|Ll=B=@?63O55uZmXDMvzu8;XJheq z@7hDsj!4GdlMd+Gum6Mi94FM5;d$ld-;%yrCbG({PPtJ{V898^XGtW_v-fu+rm&3{h8q??POUNzA9xKHwnY9SwVQ3 zoz%>z{82pAE-(Xixz>1rc`dxkAUTKxhn|oK;Ho8*o#YMRG|N`f6^@iYtP-OR1Z^57 zn2i;2QhL>QvaEfyy4_!`It=QAu*xdMGKu`D_IS|7Cvv?i;AN@GohM-Hmo@QOx_sDeVc;QC-fC-7jir!-r0FG-S1=>xR^ZDfUNIKMP0}gW?JirBbFwb*8r#{8UWFTf5nzaBP~iK4C3KR zhr!FY7or?F^oIs2BEv*9k}q4TXSo#CLx<#nLCUdm^57uGpdIaJL9oQotJ0(v=NG{Z z`aIM=nChcQ_czO7_Iu8xt#FB zgEx4}va5l;3=(V*h+ruk*fT7zhuV@swFO;Cgqv~=*?2DyBB(L$&+eVW{%oqSKVSc0 z{j9&!*MS|s(4oBju+QX1YuaqRe5JG8>iFHQos7D;tebb6rLUe3y7vLU+jy^Nl*#Pc zxtaxjFn3~!qX<{sc1|)W!-+FWNq~Dkox~}}j=6CwmzaNIlrm`pnrIUzKr`Z0AD~9^ zY6%sk+#tl#N``<{g9q?NKB1{soY#baNiXf42C~jLIKH{P!qyTe{#yuc1ew+aFKp)^hG2qRkB9I|e^cdZh^r%V>$DtFkl| zI3OeXX%b%Wg!o*8MaX0DPNy4|a)}3Yw0+^bmmHGEBkl1>TbQijh(DfZf5h`__QXHL z!^{M;$PP5~s>PwUeHZzksp#<#vJatbSpFyn(br*0!9!-*Qixx38Bsi*wo50vW~V%! zxPQD8x9#LV#8a0>ctQglW{0kRQ)OX@4q`z!&^b*xPLPIq*Jo))I>4xHr~|&mGy=6X z9l{4F94tS84L`v@bXrpfq#{AEc9?qJn4*M!*WOu&#h-kZFto zUrR9b0SBt=-9GYyfJkT`U5(rFAQ8m;HMa0Xq<44oS*?B8EUKzkWRdRQ`7CWl_^Uf< z?*ntOX6Tv^x-UL-wU&YPL$|rrIChJ{ntq+5x7>B7T?#XfL%(Tp%irp^HwO9)mQ=c> z5A0xm2x?d}G>@nAgTF=Boqu``=ROE^#u|Er5c9`aEbJdHFV9+?abNz1x>O2ZH?%Ei z{nEzvt1z5@z~i@lzZdfX!^yQ2^H^tP?sXfn_|v=GL+#2Q*qQgGFQd7kc|7wT{F(Pq zg@?I?^e8?4<4KR_SpW}Fg1oYV-W^|D9G{-NKRi9TJU@NgnZQ7o%w%WZ+hE#Bp!{~V z!)#T`tuNtYyRw2#MkKoJKtQkkisSc+2pap+K-ime8*&KRhpEFR9jtI1qy)xl{_Tb$x|H2$&cMC@pC*+!hc$D`^6?1VK zg;SCE6$!Ci(sl|E{GaK}N6hymoPN%;)goScs)K~a;$S;?`&Na+W7zlUM9_z!1>~gA zjn30ZtYQ_zzgro`wN1n>g#>q&(A(*YbU4IG4i<4`1+gsL;qlq^Qx$^|4MT6F;pAkX z3kg;LYbzgwK%9DV+?DP@oVzqaqBseDC2G$i9qZkik2q(ACKP$9B9v4lB`iD910{hE zr%?35qUg3q5LetOp<_=6?B#mi9G?ZdO#EuB9O%XvV(kx16)U_?!b0} ztQjDmEb<~2TS`(EK^hns4Te+X`3YqTR~z6d0CbQ}uz~`!mRJsg#1P`!Ql3Cu~S09eYVnD8KN>I7maC42Yt^PBT0!z%#s+ z1k=1kV&3=B>c@{r2hzwP=DGk$hFtUsAmeo=HRCd)doF*ufVP-VXw;P|X>LPBI(_ry z08l^7v~&z0s0y^cVWKX2L4Z8;i((?kTeS4nx1DgnuW+Q1-CI}SciZ;d3}8HFR=|=^omNwzCzW% z)`2-}3{F5AV$+Cww=g?qG-dhXT#@w&{@9)$lh7EsKUD)E`7cT6t!u1YP7{wraLS<@ zPe=LSRE7AEWM3qKP(3mVytFX5!c%!Z>VP6Ng{^ocR-OupYe)eN15}LlvjSBMW>efy zip}y0VRY(SXCF$Rp^;Ycx~+N!jw8aeE4q@?s0ametJQp!7_n9FAY4cO!(nz$TUkNc zHiTZ|o#zHzALUg7)3UVO?b(ZcGO?&_q zXA(kG$7z+4lu~jFHtRA;v1@h7mr=e9Oajn%xo;IfY#KA3VATwqfV>AFtA4n=JiFKc zzC%`gaq$+Z8pYfI92T_8RH!5K=rGVlWD6KNeG5iB@rFa<%TPB7hV2S)SXg3U0Ne-g zrEXyyv+-#j(Z|5&kAcsZ9{5}`6ZS6GW2sAcjA(w>h~_F19t0#OJ|eN;rV}k2vr9cb z+s~GtATJ=VzM;s|;uXyo?W69Yjx}fk(E-cdeM@~W>?#W*<=TBIsgvG6hXz1gU&ogd za(xEFC3X_xN!jk4UT=$bEg zdJ%V~uS#L!LVU0ULKvD9~~ZC9=+TzC|@$eILQ~1NGzt5rvQKs z*IVG=?2;h{iSF7;t}TU6#aztvq?}EETegZQGZa*^=dU;B_{WckM1GhC7%Y?lztoZrzVWPj*XyVIS00~&SKL!zhaB9J?dTrdVWs5l`#AQ*tx{W<< zjx>$EoN>}I4dCeEq3zBl5fU9GRdsl%M6HLCL6VxhcU}xkjT|m9`<84$CD?Dsmygnz zFW?|A9WiCi6B-@bRS1fnyRZJPqoT_|=DS&lRLS%`#(R1I@t)?ex!T&D-{z_!kB*%* ze<&TnDl6-PVib236jlu4jYqgMq=^#@fDl>|LU|#la_hmJ;)=u_k>M3hbkS<#tgI*+ zp_Q~M1doY_MHwF@_~L)xq5#J@3V_9B>A(Sk)oF+sJ0M)FvZ|=D`co`RXTOG7$k#jrP&zuKU#OI{_XLFLE|Fon-SV7%J$bKQeJwD8yCFr8rX|mz4Y| z`;d)#UDl&p4l&361sw< zSYC>Eceb~r_IBbW3cJ5zVV7b;RjqY#il0jZ5q8&-@|&8qvGkbNE+kJW3j2O{b4%{~ zDr%9Z7u8mpWr`sw@X6_=@~1CsLWpTW6reI%%hr!R5TC=YU*8Y~X=r36WzjZED8Sq! zAwwWQqKQI#h7etF`dYkzJR4IcJ`ZpZ-~a_U8B9C20hHi@D1bZXbMi3+?K1T$mHpU@ z>@I;Gvnbdul*;utbni#DwAauYE)S>;49UFOl;Ln0_GHg#*4345H2kkI3kODnQM0Y z0(3U{L67+y4M;-RAFoJ=2iW6fHF!sHd!Ov9naIPqPd_CyBO z(^(}QQC33xXwThz>TW5mxM=l{Nw|-?`q%z$e`lv#BYv{(kEPpV?(UeoIXYILc7#^` z+)G&k1`jy8MguW!4z?25wx^l%`K}hPR=9L@YHxe$VqSe+FJ9<&>x3@%(rvR8Ic6Nu zl*cK*mkxhkZ-cr#ovg<{O+qcB2`kpsXSCgEvi*k+?(}cP-8MziO`4ZmCG^uH%Bm^uvF5(1muk7sk za2}FzepOMatP@>Gn*e3>3?`Lyh&;`4`$qi6De!@Ufxup%bwpYcLL=;2c2lYt8GWQs zkd{@c(}Da~a5>tFQ97&{y=r~KUAe7hCEK@M&*c>7ZijMNDP8gLnc6Xh1&h!qiGB0x zsTSxI3^VF<=Sbav*Dza`vQ;m^@=8!J5fW_OFSen=FS@D*iwf?sE2bg}IbICgPz;5m zLTL94m*;>Ph@*JR#2JzV-*{ozTM=DOh|e8W%#bFI=*~d3!zma{V0UD+__ZbjI)Q_X z-9f*n;x#LI*GzMR@+fO%={c65A(VnGm- z>x^Vd`O)1b2(Dy~ZU~ILqldn?qN*g($l+r#iK0o4Y?4FbsvbAnLNu(~<1;g;Z*#Bf zX6^W_!Bk25*BIL*`O`&5VwZzB8$vT_%W+w@?UGYfre%O)3bx)gmu?x;=-;+Mi!Jk& zwGA-$-29w+H!MFxjy~!3Q6KIC{hs8w%C<5~1qiUX7I9>{*||E?S+T-18;U5N*>^$> z`0^^q<)Q|(Qt4HVEaY1r8pBexf7Qdfy?l?)Wvt>hgT1t6y!CL#yL<)ye6jI9XK1|7 z8yWAj1jefgFjov02i_i)!inY_jVL~UKv;ue8iwNba4Ii3`kq!kNoPAO7I=v{-F3^3 zv^g(cwPEvayz1q!@McMlylotEn_O-4p0<)k*ZJ>SBEo~WZx>Pm-%=Ybalj;h(=)QM@}VD39msUuD?_|x%10${b`$ASD?P8o6#iNWhnsRO#56(wO5 zOM>lpR@8p#4k>lPh^(8v8+b|fP8Zd8H{C6FySXHBoN-(zO1}hc5*>{~soNtA4Y3DC z$>4zGO~TB)S6L{5i$NNX5-)&(25F7*DEGn;O^BaRJ%VDA#Ia8zD zU$kcVjT5c|#jkg2v1T$Gj|;5{rjrScG*S(0e9UpeI`WO!ie)9jpB|ri9((hC@DpwS zV#{jvt(x^tPA`uxTz<>vtE1oV_n+?Uz`y-|zwqzo)7{;tf7;yH+u7UQ-rC!J`ltTZ z=F{D+KcW8T>a_i&;)3(1{+;V8cJ3>A4rw$>Jf4PHr1F#2Bm-kDSuY%*zrRZ8$ksvs zx%2U(gUGN__al#oH+U*8LMojgJ!|6H(wHH$GF?Y&_}3YwcVFG{>8^_wb~@j*eb7G- z&QFd{UZd7IzUh1;1~sq1mtD|~!i)>btL;c^lK`yU!D=2+c;(PMzw5}T!av)ih6S-P zSg#ngd6LD;rZ*8%h(tJ$mKAdp{sf$}5{}*-TwETVzkhS|)AJ{5;Hktyl!)c%jPWhn z-ddl(bGYB8GWEOeS))uW|u8@{Ob=uM#>@ zX0pl@5pDMO+-E!P?FRa#+^%2H*kfpbafA}(B+V)Mr7UOsWdjBpp%~0`^p=FJXvs#j zOOLvIqYa60B3>OwLyEMJgHzKkRa8hvpM5IjC{;`%u<$e~{~zW5lY32*wj94nHwx*% z3#%^$I*n8l{p3wTEkAbk`7e{N*H&E))u!#yi!G>6xt_JeyJ2ofd>k<>4NYX~&W5*sF)4apzluu< z)@w#LB13`$neJHHZc8Jv`yh&oJe_aA0<6B_!_WgLB0o(M9Ptb+N&EQ8^HZLssu;z* zyHIq2qgRoRd>U~QNw9Mz|JDu;%oVNrF%GofgH3edNaj_=D&ae*5jFHup*auv>|OZD z5&2CQy;k->HkQx z6=d_rkKkObbLvLwpCQAdN+p11sH;(4x;0R&fCeMWQ#|d->C2<{XQ$_v&!4R6IG`iU zkpnS5S?u}Jjoikply5(MLJmbA7>#0&kDqrxx-7;%xP-HR_y6N+B$-cLWW?w7u$j}9-kE&Dd9yIX)57(0TK@$?C-170vVLKh4X$x8nDCA})-#Vo1 zjmLet?`4m*wW>D6v=;ZOJ;dzVZ#lp>^Udz6HMKYu`=XEHu-P$cN!Q2xp z38bvp1epg=sq7+fkLsE3hv=U(q{)q!1nv6rM2`k)Q&+h`MYNzC`Bc<&%LV839K9!z zysiuqdc&k4sj?%mocD?zX<$VFZh8n9yH3vBUjHR7618F}Wx4HsnB3YY$KT)mD{u6^ zuWus}HWy^o=qVK=A3h#D0+b(+RrIDY_;C@H{)wbCE8b_zx%8iu? zV$JQju#XGZl@deLnvwfFTz}^q>9U{z;S8oI+Nf!=_V);IoM0bBVqxARXdONaDa)FI}9 zp#k( z17DM-HbJW)6E_Y0;|cU@|9Sg0Wwq1rj@7+A+H_vie0?$hAomr&EW^-#0%k2#seywmf@*73oX2uVgfbNv_|I5N zkg{95_v{5E|JDGTzkyG?xF2=@+C|;>-38XdYo%oebVc9N(lobugd<0!X4ca8LRbJy zEPnu>UbFh*ioUd&;qv8gy;zXTuKmReGwt;~(b5r)4i9o=IKJ0K+fR3`lsMrk?FAV{ zI5-q9*3hgLpmh|H&>9(0s;F0#%tPk-$~O#ZaG})S(BSC~j(nt&fboM#@&-?HDasRi z0p4S1ZOnPx17q`bH1HJK_kk1@&;*@>%OARYd!esKJq2AD%-Hb?Y}DH2wvI_E{p3H& z4_;%2xjbY=mqQ-1BXv6~um3LULI-9ZQYvBd!6S#~95WhTW2DW5K-1FPW0ka$u;sO7 zC03#4vlcrx*)J7~YD&|hyF&$McS)~s)T-CH9Np&j7uTGs^`f)1uI-m!mZ`-;v}$Nxk`)PCEY61F+oiS->6t`y!9_mjDA(kz9PBn3 z=h!g!Hb7O@EAwo^c5ASzmRTEf&UM(Pini%L&rkyl(pefRvl!N9oQrvy2Dw!Jr%#>Y zJE?QXYp)x!XWoHYi(NF1E6m8EZCI@GnL}RX&G`b4NUP(nHgnS?)Yn+E-e+g9yIHgN z+t)f@uEj=p(ZQW}T<00myN>4E13C8?D%aumgQqgg9yMKZ<8T!dwH~Ls(r2ffZ)Btc z^}NF)bG02KRY!|~Dx{oqv})>UnY`_|m0Z=^4_+zj>=7*2);Nsy$y<-*>>B6E(=@6) zO(N}$5#uBuT@$1_GH^5~t!Ifz__0WP91ZDpq`wQFu3+v7V?FevSZf=SJE1jwiHR2x;#U^HkvJv5#miopPbsqP^ZQYswG z+vf#o#@z2|adYnqPg##ADdRZke%F~?1tdXEyu3oc>kMfE)(410=*e2hkh6(;d=mFS zH`4nC{f0&fj*)YX+$#{>>z`s~vtQ!hbqGdJhUnkO8KUl!kD}mDUG$&t#Bz&}4=L5_ zC3XT02}HjCuA}Q-TG>6N<1l@gT#G&|zx?Hu=zF3-F(}_v?E#Ybp;VZP^!fEV=Wc+a zPKTGGAlMW&JEN(}1-FP)&n$I=R212?J)l!`2q_=rUa9I&wo~daV+y7yP`u^kG;Vjx zSNgE3>^U}FewM}VKbK(h8y|+ApS!c=086Aw4qIwA#cSkCQ-xJ4(X6Xk4)d=~vDx{u zq0V9Zd-ubT4rW$rOx%}I-z1n>AHK$xW8PgV!`HKibePbH<0x24g+n~Ez7IoRsvnk8 zp>H!Wwc|+wJEq_rhjjJ?avIZ+j+V1Pc^uAOq5g8#rayZFMtDL494=??O_J&g3rTBu z!ZG%*MB4;IETtlZUM5Dwtls}9 z^1KvTa(xHib^NP|E|0o_Or!g%%U9kZ>hpRYv#K1zY+1vgELF=kC*}U;W7SryYh@JA zd7N9>#VbnD)T7ZPgtf5=k)5dJ+;k{d_}tKP9VHgh$)Q7t)1SOaI6GyfuFGy7xM-|B z>p$!Fp6%>xTSh(EsB2T6x<1J0zw-@!MUos&c;!5lGqIXnpH1gvk8}&oQ+@K9PTjW} z$gZ_X8B~$3u?Ma6G&2=7a*Zz3jRvJnUE&rUYNJJ2ni|EfzMV3qF-K$f7Sn0SF4|6d zF%7^S8!-i%+^VA%$g=EL4tBXlWn`yObg@7ds}lYODu{@qtvdUIx|UVfQJcD=qM0LU z;*7I)gQ)DaAJp)b+f-e8MY=_XOhHo|S|BBItF|>mYAm4Ee!5zEYD|RJx~f=5LS{HJ zUb)mXX>LtL00J5=74`q=6NX-*3i^{IBMVP0Glg^NWc^qIg!W;lcWTY<=H8kEA zJm@StckEy3p~64fvnktHXH;Biy3pS8;K{WYf?S=)Va;+V9INiS_}_1c)4wyC8ORvV zo9aSltWS4cwxmJ=U(dq=8{US8J@i694Ncr!1E(Zi!WmCepFwyUCk#q4}nC- zS)kvn+-2RnHJB^(#JyC`rtS-mVGtvBd+%jNXX;HtC&5vG6PL$fx3>N7Fi(izz{F2v z0?nd#)x}@Et_s%hG3U=+CdL|bG)^G!ymoa4O3;cJ%VmBhvny|lR%Wv^@}r8)(8A#( zx1m}WQO;fk2xyI-j_Ni4uqnTz1qQ4(=ffTI`FJnP}#C&=^O0$2gxpp_XY2 z_uI_kx3sxj)VcvCChG!OY}An1?Lk(U+0W}wupC5-+|E?Zv2C5A-no2$edshYPEw#UaAcxag{ItQ!diqUh7eFo}w zvk~Z{PoL2LTl=5CB{-(vyMJB(+09_o=2?q2szzl~?F9GQ(8Yb9M@j5!Xpo2H0<9YL zI*I)XN9b0!uu9)vyWG1uIL{bW8|ml4jH+tX(nqzfj?Xp14+8T6LM{IO!5)gMqBZzK zwme{@q8hiTDsX~%D#=3^R8%$B2{*Uo94eeGI4>tFEry094ejPbR!k8_D_QtBboRL97L<1v+8KZf9v;{}U2914=pLi5EM5f`b+W zV8;I6-0JU?_W#qTkNf{Vo{yGg@RDNr6k@*CXV9?l^zXwr{yLbx|l&@Eal zq;;e!ky4TFmjK>H0^McP2^Ts6iPtjO)BpVodk&C@wR4j)oaBT}9-F}LfLAba^g zzw{pXBR})ee=D(chH_+RhUPP17XP=mTcrO_H@Eg4>HmE^RfM{XJh>=^E)eA$!Css~ z=a$~rMW6XJ#{1|r_I^!qhk@o`vbZJf|jJJX-)T zi~oDt-!0z%cXuA+zue1HACOH>@H;PNwVd3cPI3o2ovov}$aDcpHczT;yO2+xoa~K8 zOIz}NyMe4)qv)2LeI9_0WAXhDjDVvZa++wsEdFn^|Fn4j+unPW|KH0qLr`Z2!e)yy zcxCg^`YJws>Nt+G{EOogO$c;=k_uweoxv1}GP*XYsn4L;LMw-kN-A?bsr02(;YrK1 z=}Cz={f2%`DX%0_Pl^U*CS}9zQw+@&o}y2m)P)noxi-7jWE%3NSMlSs=(8~W*Kipv zPJmhTe`jZ}NdKR1?>^H1`*NuN#Z zXjc4Js29pn{=m?DNBS*Sjyn_^44gCxWm5%*i=JfqoZJy)UEdoE7ISAxhIrA-D%xHE zP<$4DdY&r&U?Pcy>Ho-=3Q`#loHfaSXUl(!_CI@jkMiI9c|KOa9M(t$N0g32e8Fkr zjj%iNHU&XcIaV(g2KL9Z{pWQ6%S9_p@I zqZ!AncfASk)tSgWj)!S@fjPXLuU>>EBs#}{MkFoGs#cSgMrHDDXJ^XNpfW;>gXFbF zTOq5U2--A#-vmjJ{qf_}yx}lBSqh|z`jL~6{1zj9t#mQ!UtZlI@`0(sUEAbgl zd>o0z@bGRG3)6oh*(;nlBpTAY$p8C$JKH7s|IVZR*S$PNMc&f*;{5vfx+t&iabb-s zwz!P!p;8@3Lt5!7l}{nq;HWHCFMCUsO)4rH)XkMv;Xu_)WftE5A@Om+ke+{@F1 z?xkngz6pLdJD}2f`Z`$#*$wQnvDTxP4)H8Ww;&MH*$It)z~SUrGuAVTDkg6zR^0Sb zHoJ9p(qeIsvbx{VvoQUSFu$S6RZK(TPkg;obS6#ME*#sO2`9Go#LmRFZQFJxwr$(i z#P-Ctjpxt%ee2)*Y@gJs)dyYOy{fBfUH66S17Kr&qs|?0ZOeD@`}Rtpmu7O-@duT$ zq&V$rGig%hGk9PWcMCrcv|{2_ed9MN2A3xzn~hG3cw`Cdm=LY)-Gi&J^#wDe@_NAf}Lk&c^G(*#gMx$H+oTz_Q&38sE0#aYfh;2;T&%!Rs zzUE63wNzf(hC}r$?Y+Yq@JC+@1!HMtfnk#owV&)E< z=h9@gZGHu|tlw64Dypigj)L;O0DlmjrRN|Poj-xMy@jYL=z4xSso?Sc5Y?LIF7oH3 zL$ZkqHl-V9IP1Er3EX-$Z$cIbl2 zi-k@T4Mkz++&F&|Cj^gI;lI*RV&q8V--kjVU1L6HNzlilE()C{dC?-8*_Gi#cMmjw z<~Ca(MLe>O5D-eCU$MWAY)Qp>f&4N@=tRGOEL8w(rpE8?%$9GFhZP`CB>t^TKJ@eP zDs?5C)c#?)i62T}M8T-3!vqi2ZK=n$vx31g-NbieTbcZ`MmCA_#-wl^5q(f(crY)>s!0HWh-dyzgs86ZjY>VvrVFu7bkfY@teV58O@(4(XK*&OJ` zAh&=hGR4TKUBj@yhylZL|4j}Xr1qIj&+g73JqOUki*1i_$fJ|N@XOC!9o`9O#!HAT zx>IcwzP^G;DM6fAaA4nQBnRr>y7d}*Hr#w+8+Va`1FV4joAm3zOKX0g|27mQgl49j zkBn-h+^(cpi-L=FDXp)p(3c5!t$!RWYz%toMMO0i^L=Flx`Cw6(^>y4fXLz)F!TID z2$LN^o2Pft&uv}5`~MCjjSrtdp_+)_%<`uN$w++qxs9JOg*vs4ISq~Q#_bOjSRwgD zs#m&LOi(kmE3h*Ap|Dwk=d4#(qU9#CszgY0AUYpd{cyPJpQhS1W7 zU!Kf9Hv18rYz~))4w8c={aPPwfO#6oLt(Pce50BvT zl6f5rTO4k>hh4%eS{FTzzs=03pG{6CW{|MAaXXS|%)WAX4I^lu{_TE1YaaYba8E%! z`E&2r*{j6^%zfe@y!Ly(OY%-{jJsVwpLl&JZ!BP-HWx>Kc>B0O0b?pfy*-pExcVC+ zeV^67WU%3PJqd=uYc^E9`azKgs_c<;nMT;C-Bkp6)fow=TUVE;~|BXAx6><>be6(nbrAMBj?aO95u1}mz z+Ak_9&5d0@>@P7hlxc0Ce+vQ(ee~ya-uX$z0j;l-_xLZL2p|2P?`flKyo{Il7%E#3 z*lpHm*U?rR$r??i^e0j#5~liNd~{VW;t{pt5Uti+Cb-P|70Rgc>yuSESzKvxk8gR* zoZ;sg*ei*xmL`{7g5T>0SKY~Hy<{~{bi7KL%&x-5Y;gK5x~W5nl-;GYyNTI)gjd^f-1;WO%nvwUBtROkrB33W~=;_wdn|w zTPKnOuBBZ0HdASP8B_STogBUI>(35WuCxvhi@(q2FSlOaSfxNXmW(M7V3sKG`+(2U zD)~g{B}aI>eSKIC2E`B*$PWi*2?4s|d2#lzu8Y@69dE)@N~KOL+_S4@FN( ztsI=79PfJ(Jz(SR?=2zi2R-}3`^57p%*`$QzvBFp(Z-cyXolF?;ltClwK=IFsz`Ki zIwaNbXKclhuMa2Zm|EB#!7zTjtS&xJuebGV2y>Z#fK}gG4r1>tB<);TPr^`Ge2WaG zZ}B0;C9~(BDE8yO;X12aZ=78Dc-Ms!Oa_J;eLk6DyBM2)9D++&MRfxe#>H8Mf>_~( zV2pzTm&d^$vM8vq$Ow@eKN!Ue{ul^R{7sCKl*840$6dd;Zui>mXgv>)<&7EnhD#jA zhHwp1y+}m9vss?8<{)gImU^|$wr!qW!DYH={-|f@GnF7X4UPVIwMYoBucnPx5+59L zMC%=nEX&Y7!Tx?I-rQQdZT=aq)&RbuKf;|E6(=bJmTToWJH~9Gj9<+o>0xz*!^%BF zWBPDNygCXdZur&Fmb6l6upfRf^v{8x`*Lo}b4MLMnS`FCB07|d5Adi^^Ta75d%9uZ zBE%1apc%6uZk3t3r<5W;dv|mPkWY>GOcaBv)>Ydjqfr^w(n<{cp?*Zjdh#J<#KniL z=Drb4kGtN|Jq>@Mvn@K8v*jha4dS(Y7w)f*PiUp8HctdkLR3vkROUMWlgaUJHn+c3 zjyu$}s#$d?7-^{xdWQ?36yi`B__WZzDJ%(eeG48L6oGI~&fj7?ampzIV~!Y??1I`b z4T<)-^3z}6#_R3)y?wrLJ(jF{FDc+9n~)H;n!k1I70wGHFK?WJeG8}}8If4&3@bb$ z*&lOOtw>`ge#^#<9dG)FyX36XC^%9WiJWe*OBU9Fwd?qz=z(MQ$8aUCFl(MB)z_!n zl68hbPv<0Gk>@d;_UW5;t~gw>S>e0Hoy?&b}(*Qubo0%|t^8Mm1(xqe`KqrR%&Tms`rtkKX|uXW6T6|B9Hu zRPd1zH2$w07nf3bx}2`6`7{LhYr_sf2gVYQ6dX|w%m zy_ylYnMg>Dw}k14Uu5dctqXqvvB$Bq{U2C*EerHv{_{L7?d5w#rm_Viay*V4uK|7ZqL4CyZ zgWkdD{D|_Y5TDJCU7}2o#nN)ete>JH>uDa1rqUIA4t$~kAWKdfNcPHg>+Kzi4u;K* zQ?7Fbxr9;7M6rH>y&U1f9cJ}in+d%uGZQ@?opv!XW3RC(SY}IP~;^gBt$&!t6dez-Qjfku);ma>*DsW1cDr2X(*kV5~C+k#D7ej0Z z!!wN0>j6la|3Q~!BbgM;a{S*?OmWn* z&;Y7 zYB^4a>)$!KF2?Fy34RmT&8j;aaQqgYApzDgbj2nws^1d&NA@>SG3~uuf5#M_j7Bw( z9z2F^f-zRk!ssVy|G;1BB) z9n&5A3spQJHig81za#8K6fa9#Coj`%^mo#;j`0IT*!dx#f8jpu#7p#Mel!!oI4z^>~ z@9Q3a&j`=Lvb(VnrFlB}4Ic;Xoic9pm?*kbyhcYn1fWw?@h`$7_1;nA(0tw{q_k=@ zG06eXTaE8Kfsyx*zq&~23P3{KKiXUhZGi_775e2yGiSSic|*TfTTv_r>nwtedzc`p zT&v#XX_3D3ZV%M3no_EEZ%bB)RCRBDIh>C2t0w=t#lfmx(5Y#|nOi@iP9_fpB&ODOuZ@agIR*TBNz@=uC`^?h{=o|$pRyZ~e~ zhct3Q4*tz4szDJeQl}z?`lzud;oiM&SVD z2d@jK)>BJ)S%EXW1M$Pbe*f#?ZDr8l#KL{<7Vz`o<=`{3@Ee!DPStXeL(tN4RO7gA z6pT9;P&+qc(K|{I&u6ZL)EM&WbNlobsUI%t;o{-t9$XsWg8vdjjiHwwR|6*5Dfp z!fP#MO!M(FQjD54Tay)6=BcKK;V~|BQ(MK3&>qj}OyL8GuW}~Fz^l~jtOva+>Y(J&i)0Rs7 zWCq?;EWB#}`JNVQaE2gKCyrCm6$74KnRF;?0fE)4%fn@VHTlpNCHyLm_nvDSPGxy3^=ZV|WW|YgBJHQ_r+j&bn4Bt-APryIQH~+CJ4>70H7eJ$ez+DqO(k7bHt{T})oAD>lwj+jT9K+?t1P}3 z_TucGUi2rG%6c;aUcn z$U7!Uqf7}Yka*OaO>39cskGo9pFep6uDA33#|P|;*E~27WXaP?@NAe!H6!u9DHzM} zH!iX74z*x(Lt_~xnVFiEn$QXI`mdYUC_Q8!y!!-lYxfkuL_7Z`HD5zAL8LFtN0yEK zArLv=Qn9gLfcZ-LG;|UyL%c$n&J%yJHqR?7pRu!_t6lu&Z0DNdjp2nBG=vMGMt(wK zil91jnyNB5+>}EJco0=dmsHYY0q<^tx;Um(g=97n3NBZYlFEX|DZ8q(mUF|fH9|to zu>U-8L{oNkn8HS=r#9RN=`(6Av3=fH7v!^Ef&5-}z^!jVLCp2cD@|QhXT4LgF}EGB z+rm3nOG1Z(b?!mahS|pb94RSNzBraY-Z`4z*VAgw{Iw|81kf45j zQ^uf=H2sdx-nushX^|{L4Xu+QCVZN1=)q8ke*01)Q6`J%O?jN@!HX!9JNA7tePp@h zl%nTDwol3rSSXeb)%N3VD9IjavLRHXd8n*|Ynt0v7-Ew_Loa2~&PQSE%(}6^lGd>j zzoIg6Z%AGo5(QRENIt0$OkJUP!pXJtpGW<~H&PCSh&RoYSU)&9ouocBljvKWE1Kpq z3mc>Ko@1vObhD8dpnzP22y#!c3`lyCMpM?MUc_IHkeP|>GpslIXrfm1zaeFM8(MKD zeSKY+-Yon8fG)s4{%yZ@ejM#CT!o7*q`S7I=JO->R06@qZWU9$^$s3Gss2@J+RWx( z-v02>4Lp7FQEddfD(WzII<=_n{P3A6y@GH(b;IrBM;AKl&ZI6KGW$`~hH^%b7?K!0 zN%#;_D}!ra<`3tmH#aTI!c1F&@r>h?T;;w0I>hr?wQx-jIv?k}eMk#6xSkG!vv3;{ z?u(GZE-FD&BOf)pxrq=F=Tq69OLlLoZKSBtJmzUOmE`LVN`eDRyb_Q$Y{!~c6XfNi z2KbYQv4U41ID>A+e=7ijh+c;U`E=4FHH9+SFTLXAGReg|7aysWsA1N$Q$FvhmoHul z*f>pd)#jwXyp`sSdrl%VQebsD@4!E~f4IKKxVUUgkR)Ws1DcSE_Oe2I@^7T4 zX(LUAa?#c1R)5HXJ-cI~$}&)M2+*SwSuXT9nSAj8n>3KY=$$uafLlZq?I7x6WOXRI zm{zFmclk1U`o`wvW) zVRAGKdArz@GdKVwPXTg$?Dmun$j7Aw9T9fE*E*ZC&yT#|8O;h77xUvrL{?!{ix$5?eGo8)$Fjr)l z(1gF`#7g9vtz34Gx>#nqH7AWMchof+ub|EIH99Xs7#=0ty%6?HX| zV0EdTgfFRD6K8gMY{JBnyf;HE@=%J;e-O_({es^J{c4bdhE^)%%rYx6i;R8(8@Wk* zB8%<7-4X7rnQ=-yZz*+3{2-sQASzDLQtXTh1)y0LEh=r`>VP?fSve)X>b(7xJ}p8K z|4}n9QDi)OO3IZjQkwXe?XDQIPnKftl(ggVyZN7sZMaf3&9cPYSyf{ab==boURiRb zRcj7>)h&w-y2vK&`(4hf8fO4I|Hi$2Z;SzrgZ_lSM)Mb?A)WglEB0A(B`nurIkHaa z6rP$Vl{^bHHaR&6TR8+sF$^)WV#h&=pM!%2J-fX6HqWcTs=b<|>Uvu>=9!o5_2hXf zs}>p)8nbjAiSKcABs6QJE+xNTMab5I-xs|onfpL+b4k3KgMe=Bn>IJ-J9fl;KU%n| z!nHrQ1{`-47iQ?3sy1%8T09y#t}K5|TGp6%)dZ=p+D)phA*(JC{YA4*r@kmLC!MlS z+#k1@y)9x7R=dqLlnr+7=NZdR@`u0E!MgM2-V592k-$csj0dkDFu>lMsXfoxd zHMdfSX(C}d>`LmZY9sy=-}^E%p=qZhdW^@w&C+Q6sA}yfX-Ug6h}mDmHZei%pCWED z>@1zNDzRvChteTmfrmSeWWD8dVfs1B%};mxi%D>>)!~6i8;QQNr=mv@JZzQ~o>ljr zJ+A#fM&ka6_wk)ko0@WE4nA7VhEZylr+BWqKWQ{+m4+jUTYC!q-r)6&>0<=213I0= z&++ED!kVUu5S@`MvV}8X-=~SHoy0qzrD}X2Y#kDGqu{9h=&30qr_t!5!wo!90AJFr zWe61eXp|u=-uTrDKY3&bMj6U_&}MOIUpxA?E~HqwpaD9%m}Ex2|06Hnv&>uKOagrTA|mkR7h4 zKG41f8XF#mdfNeZwG-fu|+xX-JT)%VVl5D*vgIs;KVY5<|>v`dK^FNn3QnamxEnS&k6Xr%0 zX)Q$wr6g0S9j<$pcdy=2OBUuQqZzq(X$u+Wgf*rkDe*`={!6Dt#GNGTiRgO?K4|9G{pRN0Dz7enC?He|G{yqe z{t9+da6jP=A#gTHJi2lxmJlR;Kz>su9sE-egW=;l@utC0;g13<3%fY6uvBCzFNiI| zg%N8HGw2y^--8LGQSU{C|K!onBfD&X9ct|vt?De6c#v=CbRn0!W$Xyq$uyIQS-*0V>z7YR!ZmhpN*UktIycofraF=7w+Q`ge?#>&%bVCoAT-2K&zo7ZMFIHF#db zyRcK) zF6hIG{4P}cFIM4TO2;rN<$Z4(9?i!;KYyciG$`uRAb;Ow>EeTGJo)i$hOi{_F?$U% z5^Pm(#e&y*9Lz;(IY0 zENS*Q?BCUI^YeA~oUgfENOhil(j&lEqPBzFJ63}(rJx83x;GikrEh6zUVyP_wvrmj zNa4to3GVWll9ii&j+M2nP2{XU={m+8U7#2pc_bFgAD05;U zjl*fL_-Y)7&T81=SX5>|YpTiAIMcbRGr`BK##rwyKL{&L1m?>MOL-=k)_!|r(_*?< zk6PUUpgBG@zP8esM>%q)F^+R3p_Bs=QQ6imvHDbF7Vs44TqEta2usI@^uXQhz15w;>mwY83FXzi7&rO68X(5a$G#!+-dQbs5GO3_avzqhv(Ayv% zjXgBfO#^9$_f}wR{TaQlrSFtZ`BMwifEmLr*~G{sEufl9KeVAQB`U)JVu{*$M9g(> z-D_^gy#$1bP(8?;S%HV#7!v9Q0p$<)Xh>g2oxh3JT_%BFBii#WqW){X95Z$G(=S<{ zt;NVC-67mc7m^x?);n{&V&6{WTa1VLsE@QAK8KG!qyhMC5_G?>BHw3WYueZslrl9RV$d)_-sf^PpUrm`Lt%`N+7Xp%dR5hyt>mqe zWQK_GWPO{j#yJ|S8c6;GPXLrthCQJa9qe5YQ+V?w%JXqn)(;jh?^R`gl<)ps< z_laDIG4h4A9gUuQW_J}G}-gRHJHiT@pANZBjmw8dNsiPTXp3UGUZoYH)A zu_xzCEjW;E#sa-F^@-tqV9-369V{&k6XX9Wl-Vv$`HCM^WcVzo(JMHow!^>tMcg@k z!JA@=*BZ+-SWqy)yfC*$*DO9op$iEbv4_lxP17pTHb1e!U&;22;ePZ|E0xi)b0oLD zBvubm=pHZHvLwhP&d-*0MHDvxU7hvuH7IN2lRQ=f+b(F7$yj`(mm$$84bqtYrtVC# z&39$W;4VL6FfazN)Y&T*jBhI#L!PuadP1V!@va7~@R2*4aiGxD5(ik%mO@Qgj42vH zGn7u_m@aaS9IC?4E$SQ8%D#`%|8fBGFjj2TqUH8j5()#N#`b1^d+jLk;@d|rKYRrx z3#*qYjT#Bnq0I?H51+YH{nR;RN#VF3WZs6>&C_R_VPYJMkaGyP6QzffE%uSkGHZHI zD4(#=jqn+cTRA%7s=7_!Wqh(q1OMNPGV<_Pb_ic-ud zyRrM9L26G~cLG8Zx**w|> zG=}eWG`VIQOd0)*&S#2-cM7*AV%=@`;$@t!pXfNq7gzm;oRmje*y?U>k*SpYf*kYL z;nX^i-~D37`yQXFT}9I~8A>4$(F!uS3cC8+!e+N;m}okRBi$H$vQ-SR;EzQw3pjI_ z^Y?uJv1xV`3XnUhRfZa2a=u@=XWH&Z0)yV)lUO8V;r!cBZ75-Jd(3|cD&+>fq@D(8Ku4?y z^kvsmw?N>AzXl+_T%5_P=jpW#spl0C^RW}48ES5Y^L`Y!=4pXzgByNK(mwblGP3u)V zLu?mSmz%e(DHsj0rZyZiHE4E^c)>B;qL`|^0E1=wcD*-I8icv)%4>M@w|r+Ro ztbNJzvJdMHE|?=4ZN*w)n; zb&%H{hud#@7hF1yP!?$z`WEu2L5NJ0zF>;r#Twhw5+oa5*4YVs+%_(CanV&Ji!Ff&yj#r|#NnEav=3*2 zA0E_8;55%-q_%ndQq}bj9B+Bm{D{P6#bC^yhiL0C^5k!cUsJ3_cj0Tv!mhaEuSMl5 zzX9_htEdk;QIa(83gLnBVoq5Km6GJiZ+A@k=TIpOTvU`y22l*nyE}(4tD3K1P z9%ahIB-bo$-cJyrHRE3J9XQ}StYsbH@I73!meQ6~RgR71&WIJc3AC`44ix_?l(qHxH}DypX#ye}lkLYQgm(lWnJRg#t+ICl@JF&=!?JraR?lTkElcir z6`{L62Voh4;<_vNUNNQd@OB4*{n%UO3r6r!8R?iWwY`4xFkqzW{=N9NEiwtRe_bVCVmx8d5nxiZS!9t>7T#%4B#l-+4h2MuM zmu)Bk_vgR$4-QSBuQ;TSwVeFLvgYeYxjIm;we|iSc>6u?|C>$}tzW|ky(Q>bb^Zqr z-2txy`mDXrLcL2-%n1Hni}wQRx}d^cyzX>|1mZMsi;`NYb1TiVUKK-n|MK-AbHM8Jrs12edsd0cuO+zwFlO*jRB;CL3icyZI z5iD0EeA1pR)d;NnK2|KH%21?bO|40BEY~5ko5>h)1yra9Gh+9*tG!Um*ZIXO;>oRN z!3H7+bujZ$yy)bPWGq}{I1NJ+!iAlQ8xBg>q25FDgnAbbu06Gp>Tl~5inH_3ATT=# z*CF{~HD`Q^uEFt@5q&TW_|M=7-Ce-f1R6XLOdbmN{#rO$033%jKK&kygs#)Bw=316 zDBN};?{CHJWGR_S3X^IHl!?q)0*pBxaqoGAAl_*Ek^&t^V-vzOL^$=MZ?%_=fZt6` zJvC>5wWPQwIZfaCmbE`gvzc z4|X61+i@;yD4^Rn=oI!&`w|2Ycwn1u7w=4#z(tqi=x9`IAHC;z-QF#nzO3vYjO2!2 zuV42|J%F{FrE)oL$Gt8*o~8>|7p?2}Ib{GIKQ`*7$iF|%GZS}W&RVl(u+6!g$uqx9 zA3>}!N0QQOIucLx-bgh);dEZVM>%!Er(?197G@ECfBAeMy9yof@^;-|j_sgqpnixWZcng-Xsb@MhhYv|X}krl>g33>Q?O zP5STu4JUcdtav|sR#$hROU`u?ey6JBxtOs`FiyStTO6e*k9rI8wP1-Nya@d>e$2M2 zFG*bx+6;uMsCg>SIg*e~>&LSjR`_)bh!X)kdPS&b;AYGAt9-J~1HV`K;FecstfoAC$+Zo1pm`J-0u){Z7Mtcn*n@V&wGn z@CXp~tS^fA<({^YbgeHMw#|NrF^E*r+*IzPGsd966u{niLx_uvf^umOy#OA;VZIQ* zkgSodz0v&b`Uv?!7$P3S!C{R0GVcmd9A|5^`Gn7{0q!mjwb;0sv)N(=5W|;H-cUb0 zcZjZ(h}TY@DUe&yNcCRxq5onqlS&MU{R(+GJ8{1;G-B!N+ak(aIcD_W=D@&O{j9(4 zuk-~V2UZL9qSqPm`%9)?0>QDuM77%L|M=L3gmS4{GgcV|K*eQ1@|jXOWBIkBE$TJC zsKi5u#LeguW@ix~(Z?V`!u24KT(a67{ksL{&-zRD!p6c?)#qEx3XDxMWdF+X=Zq;x zi^1;-{G-cgoFNDud_#ge5sL&xABYr?!&(F}mCqWy?H@$t%#YCt);G4Z5`}|bz!)Z|jZhU6M7$h66lq4@gDS07{E_A~5FCr-Xn*l&0(0Omi^$Cl`f%WnZ|MqQC zy8w|sKwGs8%@5=MnXA9Qur{|F&2wlG-(&=7uJN{Q*C!sUwni#}KJ53$XCJPc7kDi8 z?gzLXwBjbTZB&FSTLrqgy5=5T1Nl8#HZFnZ?$T;VYs&CrS`9HpnXjrfMMZesY*Yer zzRyb3e@9ymWe3LV!;z~Bk$SGUDtq)NHY&-ix}Ic~8DthWmEJA-fyGUNE(QFH;lPH> zXQ1!fhXyv#giekVNCBEsTYIX}^X4ik{)eU&9F;2YH`@ziZ!l#r1hW(pEW*(alvl7w z!Lx(c%fr}#0b>Bs%*db)f-;*fE>->1TP?}`m|XHl>*s;P*VpLuzU^o2VL1tK6Ey$& z3(nK<*Mvw{`hM79gN~*lRep@nX;J%Cd@k0K>>)QD`ErxBRZOC7A^n`E=%ww+_Tpc*|g}gxY|wEwg2QwlV{?lx`Tv3w~P_{V3e? zOKaSwCX?iV8s3|%l+ezfKd(!J0&K&$k$fnNSCGhbvJoQ%?0YZ{v8b+ksL6SNjMIT$fl7fA(-=T;tf!zhiPU` zj=;%0*Dp+k5WenqW;FK2R{fGUa43h6%ib)Vx$!1{7e81Zqbbj5 zDOYp+xsm$ez}GkIroSJFlsCB?OiVBLCE=nP8^T%WcfbCMGA+s<_bc_S(_!Gc1h0ax z{H7G^cO~f@rbFd5JbX3j5hpb2?=6@Pr-Q^{K@2qaYKf`fB`_}pMb`U!=n`UDeOUdJ zi*_{C68=$1`Bu0TRobdaiU9MYus@`FB%>i_D6a@}ln>5-Dx18gff{#s`rk&j_rJsk z-VecuF?%Q$YP!dBX{?(i!Kh3jUr{p?3}@d4D5mT&D%EN==?F+83x8$MiZKPoxS@ok z{TfA%NMPEQH=e;LZUlQsVc+P1GU9)LE!G%CCQ5jTZlQ>fO3{W?K73?VGdb02La!2K z8`Cv35I?F<#xiC#LK0>RI0#Pxz>UsLK%U1!vV#+%&w{6{`$;(%$wb`J!g;&Jck2II zLI0|A&|DTrvsEljcwIE$CpSO5Ff;26{R5N2}7AMkLZ}z|buH^EX`av2`M`)IP-(I4z=Xi@ZFtqPqSU$ z?v6D8u*%QR#S2PNdK|=S&ljSP2Pyb4hpZ9EhZgX2GYF3#!ks_~Asrbz(VHn86@t5a zv>SgXI0xdjkPu=A4UEHI7KWEGHh>TeTD~4SfTjkAlJJX)$l(xgPKe91p|Lrc%ihZJ zEx)LBwn{^@EYddkOciIk-vFG)7{hnmMWa0=4#Qe{bTUJ&R{1@DsCfjf)`PJgHJ*L2 zT>RX9-L}qrxFVm}*4l`tT1cj_ANGUE8QV7R0`pWVXs;xJA^qvMhY|X6_Cb8hG#@EF zfAuqqaHKNE41Z)J~nKP!~(Hgi*|Q~76d~);%9Ns;*#Igr0zBA3 z5nZoR?}dC#hL%7mRMOHAIa3LlL}yCrr7d2R&`!>q02|l}4!{`jmHrQ6!UEZ|o2Nx( zQhD0+*aEt?q)O(meRiq&_)xS+9??2oxC}7NzF+0_(tPn7-ZE)~@mKlk?VNGDzXj&- zpWpG<9F`vf4`T)C6<7FcT|GOwRpL8}oZ%ak)F!7UUObRhK3IUrvEvFUNR$(#fG7Tyv2|Kc9edpjsYc82Xr_mBETTxzZ~d zy^aZo?9ZOa>dW8e6@^raTeZX)DMSVpUo#Bdf3*1NUie+(3DLEI1p1J`Qt93};H3jL z(131+ZhHg0$+4GSofQAbQxGEP@9nSo5j(@)p4TJXFX&Zhr5{5mpj&nV#EhdTF9sqX zw}GN{yE|mrMf{UleINWhI zMiMk|m*H+Ll^-8ftY3&Pf594KNRsA$3!zJn@s-pmInszW3vAvwFV+Xm@3H5i?jqD< zN3M#&@}UjE=~O^WuDYS=*Ari<9y1}0d&-JJC_TS;HdE~6k6vL0nDcxE;PQSly*&2@ zG~cd*F?_?}$=P%CY_Q{S%$Pr5~ulm{h71wm$H^l>AR5kUW<%xj28(VZke(q0A ziNNJMogGujT&sDZS^X zEB}y4ln)Y3F&kNS6yO`uVus=y^6HrQSu&o``Gt*pn39}>eHqR!|79E=tmltogM_LjyACLe3jP+5=p}QSD6}yTH{bH{!A`;Q|%ETq{c&-Pi5tvtVY=~j2ZcsN)bcEgIAuhd}A60gpU}J&#EmzEu)3a{m8cvHZrG7 z@x&y;ZkWK+nn2IHkX3>e?Orf+mFglsuKJ; zXDkNq#_7wda_NQ!ZXmP`cbJB^4);hz71O3f=UadN(DneKf$ukgu^(Qa7;OauK|eqN zXxvyF9@|>|fD9m%-5Smj&T~l>(xX~fA-+p4I+}$gxSu6_pWVM&`%OeHi^2%fpyZ0P z5ZU5#x?6`DkRh3rTJ-7S(E%zS2tNj}y>z*Kn%Z^EV!4WjG$-%v8f8&?9jE$ki&tlWo za9dk0RttQ@{Fo%k^zC19TP-o!%Fr_d(T2Z5aypz3c9imd_`_iY%6}{TSHA1WAlqfD zvLNEh`k^Cn&~a_c$eeW@ZOX~=cLI+01Gj}FUjHHR-IF#cEbJ~#tKq|a1bP8{>BF>! zp~2BmILWA6b>d0UvsY5!rRPGo9qCAH9uI2ko;i_=8qb3fSx%z_!gAX8kW7(=;o-=) zo4=rASSKjO>d8^_5RyFXm=GQ}PfRu`^M(h?yMJ(lh7QYxQ`FxNTE{TUfBsg41H2mO z5Ul}zg_deLa z8}b)D6Bm{C|%0^g`agFO16lNKfy^e3;%ua{C+5^3ThhOIQx3;W5axQxD z7YXgRK5*M85j<^4A7QYc!15rh;scW{&Yh~Y45SWcpxeq|55cv6JehPDoN^h6`C`6V zZ^|#WGbB;h=sQ=xyU!{x zOVItWkn$Ty``G)H8>t+5Mph4F7ZBYgD;kw*th4+hDI`^cm&H-{UI8L^ey4P{^(&8tsj_L|0OAWG?^}8k?zDOUM zqYa9soNS_DA2o6Ag$jj=zZ+}FkU>lf`#IL`1x`Eh2=a424bZ#+VV-Ce?Z4*4>f5H>{0q!wJSU$v`|B zt8r?bG%m23yD`h%n58dY1zGJ`(r1N~X;YHpF*+4_+Y6y`9cIk0#EdF!0U9DJTh$Gm za5j#BmYjT=vn5IU@--C+QyOEA<8&jN*Jxw*@l3}H;kkRy&PbW#>ILgE zIjPSlU3|}I{l4W#_o|hO-A%|~B9`rOEq&W(DXYir2z1*E(v6m_BhrCqs+34(E*}$M z=ZM^8VjbgG<3)5zcvl{!DIexQjEl6dkDSxjHsHev6S(cuk{AnocsYH#j{(;1&qC;AT^p&LcV4Ve&Cx}@2Og**o*R->&`V z``5Lqy1Tm9-S_J2#IbTRIYo^*m_>GIS=rD*9YAVytt04!tjX>DV*ni`&nF>TpFmYX(nKv62gc6={f}# zV5PUWzT;=!9vp>M{zj5A$7@V{RX?IkmqN&Y;95Jx={O%kk(F~d>tzR*@V zYC$=D?l$~yY`uo?&9Jo6k(a7{hC*O1`n zj%m-N$6R!*eDT15gM*)ABfyQ2OE2=3jxWrm#I&2!(RAL7XBNE~0zLlG)Pr)!-V;IV zps;A0p|Vpq+rj=)lK}Da_2Ij&sF`F#b(h1-bGJ)|D-IRp$s-sCIpDsd8qy!r%LOxn{DMHp5f;Igv_mEU zK6|iKo)n*ChLQj~%gE&gkPGW!f zUv3S{i6#|6x8t)Y^P-f1%OX%RWT($eFvwpkz0_ryaNbGBg(DInqU!#Q*%@wDlQI9L z5URc#oK1GhB98rD7`Ub+0IH)^6+{xhMiNaHgkx`Y%^Q^+!)wiVIrfN%O2$~5qxPVA zIBZ!)X7Y2p4X#-G$Xv~Tv(+TZHV-mhW03jh-hRKK=EMf45F_aTNCfm7f=|xdmC8lF z4+FYE$jz2e&<@0G$vS*0TJhP?`il7;1*(?+_?ll~+qjy&dy*nlI$zk{=KM4QVmWZc~&J|O&upwjY4 zrW%#uu4WEX>Dgi$PVM<9DA$jgP{tKy2Z5B_wo%?t8cJs6JCB<9tG0aP^Nm2Z=H3_@=TzYPssQ0n~X*A*m>3)_rp~+f{ z%#bfG_^xfATfMoxU7fkeKMOvaMv&i52wxiMp=?91IHg!Itz)MmJ_Dg%oJ^DcSkimLTA-t#CA9z2p-}6 zPCW~=XAks1j_SJ(j7d*ObTlvu;>b;RxaM%zqJb5y1#MhPd?Mlp#w%ligwdfNpoaAQ zEXXk-cru777*{d&gF0%!nLK%-o;Yl8xR5ynApixd*nk#}Ki5CP0!egCZMh215C~_Z z+J7h|v(H59ZEk6MVQB>D%NPp8&+?)yyL=kUi++ui%eN97UjVw~3HZMavvZGcEEPY9 z`j<`orO~(9WYd&2Yv@?+fXH+9({9QC!N37e8AEK9!}wGv#td!Vn{aHkKiHUmp>uLY z6PjG^0YO7m)KW;AJc{N98;J!`_vV7>eLg?-XurW9o|YRl?O5Q7VCfUC6ox$uh=J@^ zG7+MZ5sEPKXyUlQU_z*mOnD9*)2E`zad4cL-^s{y<0&LeE^XAqwChBdMHD7?On8YU zF%1GWM8y=b2O|*Y%UjWJEM&WxV{y1qXZ@*rmEE>623JO9FtKgxA#yVQ%OwQ8xL0W4 zhw>HU)78ue!-~t*drPov(a!e=+iqiRXVLqj>QCk@O5-=NrxVMXooGxEHDqk z&2@#-Z4iuefkSdKm^6DHACE93@d0$O$ZVvh=9Fg*v_3Tz-IcE+R^$+i=v%@#hO}hQywsTgfSuW)qE8UUcos{kUh-n@w z)ZI@Nu9XISqR4${t>-p4t&(PFv&?wAf_G#??A2{sHECUnwO{VA;VqL3cV1Yq;r|^r z&Ja1Q;PtRTWEQNWU$rq2kr@m7olGiT%`R3H`vWwUX4Rn??s9=v z&wV4x5Xl-bj~vQq5eh?_22afScFkCG(qhQpV2s57MaLjZoEZHb(s9QYqOY z=-T{B^zH~t^pBa~9dj(|*>IYLaw1!X_Riy>?tVwgu%Q46 zdN}1^7!IYu?sD8jI^+)>CyEe>D)1KWN~d64gqZ_R`jmyZAn7dtXP#pu@aSFK}94D?~_m#JC;U|jn~*H}S$UJY;+7Np`fQ2$W!&|+1|3?HYX1^3O|9EjZi zgR9WXz~Pu9W07cT$9&{+VGL5u3u|+RzIo`WeIN?b+S*FF4~Hw`@}ay`Y!xo3!M~D5 zy$%(CGZg)&qEl!lVsA*$3snRPYr=4h%Rm68KhwKwz+IAn>+>kAyaDs<=nJyF-#6$e zLty%CciESb4OYSn#ixz$9%b9W|wHJwuBA6-Yg_K>~bI+d4Qm{S}Tm zzKL230yRW`S0vqVkdolLV7qTs8oqrXB~AUbW!K7}KyKt14M`gl%4Iz)Pb&$5|liD#Kl3iW2%~v?YU$HCDIY8^$LQX)I?_L$UTf-te_8 zs<7wIph*>R!Dmfa!KC&IvV=AlXUepDfWBj_JXqCcmy-#-13HSqG8~~-kWo135glrO zMxrEei=jj!m`h;RA33|KV%V0?Fe1+pwSo#*Jw9!j*{s9zB8e>JNdqh3OH4n4in0D%;7II z&a3>e;)rcM6N{W3R%sUtKhscDGZRb9t}~aRs!?3)abttu5`9h5!}Yx2a{D3CtR`L> zLeQ;m1%uQxN}117f~BIN&KUdJWqrrbXjo?dTSIGJ;ZPzED(_;~E12@5<$B=;-EmHM zImP;?Noi)w8Ir!JRc#TRLXrx#EAm$J0~=Razk3np>KJR zIO=l!4`)Z+dP6CCymnR}*y5SNGG6y$h$Ymn8yF)Z#ewYO^~9mNtkL`qAny32%Uq2P zQXf(rMJV*aNjuuMXeYtlcf?9n%G&ftLK4E=1#~wF|rV|+uaw8`eRtHpA<$b zkp+LDPYrh~9D0Z_!6l;`Z*K%-nK~b@PwcnVw|iyLVv`qq|5Zz$A)>4Nt0-J~TPV#_ zk!dEkRUMl*A*_sjrI`t*{?au;!<`-1sF+dXMQ%1}Mx_7IYE}@i1S8g`G);IfwSDCOi8{dX*6>WA-S^zc zXeDc*7*|;+s!Ct4CbGWmn^&+RD-^s@Lo)+Xu}ta4idmRl{xms@8r-!3ejKHkO7gjp zsfaF7jB0Jgp%K@?E2MK$5N6X(hJMe3Vj!`Z^(Pw-oJ1CLS^Bo73O}zRycu-97%Z9YR<+d z*2Lq>syPN(WUwF)zNA`66Oh&rAdzchr~{Mhs=bnp z`mXPruR3}R@Vm2V8wa$emCMMdo%$xD3(KFNi+XqFifF)nFP>BafemkX==u{&{AW*9 zjDk&&39Xr$DOSGNrM`VnzT4uN!YYC$o3eH>{FBPZKIOjvfQ$RPW82sA?EwgLIVz9L z5vECNMWYh9^hElV#`A*Lk6J(`!CJba2&15!O&63GE0(~}+xF__)Um&R=lg}`zo+^n z@dT@?s6^(EW zz}TC0mIJP}KY~IT>#M$7w*XfjE-~F0p4Bwri+3f4u4PAEU45M^)Y0Mmk}8pGL^k>It2*U1l5o^!I-g%g>ZDN&9)bVyL^5vb55Y zxVjvdz@oBxaL;7A%+2I-dA`ZNOCR~y%HJVfH6WEy|LNBJqiKMAzRRor(p?5><1Mt` z`JWZaQ9M%7w4HfuJXWLm4uwYQs=?pOr2bx3zCB-5m zR`vV-1XyVkRukwU8kCC?jY)S}IBQ)g#JrY??6znb^X50lJj7b$Es5@w($Z-;e5W(t zL<0wB5`>&@fiBwGw3bLeE2^vfay|<{vCC|A0i^l?7)?I*`~qCu&i@l46JPqqw&oou zjr^>^gfxx373wO=Y^N0qJR=LsEUaWYSzC;yZl7o9OC0b=-CtQe0JJpAa!a0 zlkWf?|E*L1<$IsG5Ka~ga0*2h=$#0WznT48e`3WubV8B{8T89#7skg2_1*G2@Obb4 z#9r_E6~F*c)8C;ZS~k4nPwN?Fo#}iX$xIzcjOZ?})Af-28_HP$`NMMX%kobuw}A5L z`?qZh?rH8(ZCG!_bEx7>b2iaXP*2QP-OCYlI@BFzgzsA>Xzoy!L|g6GytTi6GL zoD9gON205qOnspNL(`V33HQ?BH}x*W5~$}=a0VhrH`T(}rl)-31Asmn3I#`Wx33~3 zacIXj3I3)7g;#*_$y{86UOu-4$S6`=a;?-i__y7^<@Z)JZz2a+-0=Vu%2TUm7tq9q z1C%BU@s(v+F?mJIuLB)*^|7%4qYw<78)MnMP}(G7(%MsR%OtQZ0`|OednlZ|YA~dN zEoA;1K>R4&9Q!fMT(0b!#h(mNJ`QgRbiUxfp+sb1UGA0NU$rm2o}kJ5E{B#Fpzrfz zbU)||AbAXENu#j;tDUJ+JvZ{X*DV?E%tHTX&&UK(@r)8ze632!3Yr=sT(rgOwpC@e zR46#1RA64GfcluZX4!wIi}6otufBg((^o#`rGGs4J3tHH4#40FpypJ?Ifpt!8rx4H zMW4*A?S6TNZxY!|LRV;>4I;B;F_Fa4N>gDuQpLHIq2AcQipr_uA}imm-}L&N{(v@8 zF)+q_b<70*b@tJw%K_ls_S@P7XpSpmY|>;JzLI)a`w4)1b>7I{;css1s|H4QMcj z&LUlO2-0op9S=qac7YT07!j39MNoE_F+ne$XQ(?(N~x96$zMvKd>=^gMAJen80JsN z6+t|)ad2<*xw^RN;8O=dWi{z^ZiC%fUX{v|yExP7Q|pP+>ru9S3MnQ3WfPe0+x>th zh*-$2{v7mpT;0|3ZUDwjj~12`o{SBOOX)2wYDHxE5q!Nvj3?jJe1_CRB)q6slX~J- zDVo+-N}&x_Eh=}dJcdsY<1_q9RkC18Yx2TT{R{kZTjGd2Jq}#q{%4dAh`jJOCd3(x zEyQl;k}mXd6W7U$BXewnaM?y^mt0SU^9fQoIFbxr7qUzD zJfp_N?SzBP{47H<=vw%q9$Fuz<*0La(Ayg+f6mE?CiiM^N#@vajH%K7=F%oLd z3TS$5Yq#oxT^?09>QYX4$Uc`1#QPw4i$k6q_Ip)l$Bt+`0szd* zi!@uIdq{Hm!s6}S`{1~0SiP2AZ;ZI)`Mv&yZtWQ0den{R>wIed-zhI&_(HwX=k(jr zfsi8o%t74wUp9+Q7pOz7(!a$SIyGbeIWIumFT|&@ zUbmBg;Sg}&{Jrp2_m6V{+gf>zs1X^4KbyKuz+u zSZWQKn#twhsM0xL4v}~4jb=q)@!O>I=KdCzdwb?#27-)8PC_RP&ewx z7$^bC{_da+9B`FhGlX?J!ejh6%oaN66s8iGG#Ho>U?$p{ls)he{RvF3vD`cs*xYK` zeqD5{Kf(R8m1Lt+m~bo`vOqz=CBK*9y8Bm$$g*{HuaS5a4f;E?+pBr@%r%*=(hkeD zCZ=@BX49XqX^%u+LB~{7i=i)o$GfE;z`wO;KKDEFgm%SjPPLz`t^YJR8El^v41*;O z)s3HrS1&SgKjZ!?IoN#IC?)%(Um&g0%3_k!+up34{$ zLGp?&$xyiwCF2m|m}kYoH_G_=lKS&Lcu3O=8yx5{*U_)C|HMtSb$mcm=HZ|BfOwl0 zlZvRxh}v~kV7i!M{UHk1!J%GUHzC{gbpe^U-{S&8;X?F-i9f6G8&*IFKEF)vVrVlU zK??K-nRpO3;>+@aqnjKlRL%i|D2WTJ0gBe#bn&BJqsF9r@Nclw>_J;5`vEnjFDRiH za^wc(3g|JUxl(^F6;VTM5oh2pgL3=f%LRk^)P^!^Ps~qI`ad5-d8UVb=qLX8{0s;F zUY(n(fTjCtDVuYVmUZ++HKMW_EfMWNk5;2u8*rmlE73-Xy_L%-qg<>dCAg|p*HP|Y zhm=@^DMnNS6&ej5mBaVdCm1x_c50TYn-f`FLK`c?9$MHZy0aKu>Qk074*$gYMe85j z*y#_%wUI~ftF9GJk8u$fu}=W9Lw@lP4?S|g{L_69;5d0C_v?FM#hLHu?AX;%Na)GQ zwO2kh<7pMlG$}3FGj+Rf?X!08 zkNoq8`uCQ*_bqh0xw*l95lrX1-fl17oqz;m1_!xE0R#j%c=TVY!PLp9{ zq9%yH=>9X#r0=ZBWXYl9MPi9uc>E^BZl*ip3m~hve{cU5AHDbXczC*S@#yt;>V@3O z?ZLkyKY*Ahz!mQDl+rjz7QsI5RrB` zgIr{oNCRYu9FC!88y1B~k!gadIA^z0h+UG$-@yG4<-;f6p7x`wowoy@on^4}Ol37f zo3)%Ok{lW(;S68OcbVhkw`VJOLQb3p=pQtiC9Pp?`Y+dha zs&RCPO{eJX5Y;^-JWT~N1=S|I)F}FcCbP*5&zdJLRf_JQgUJonIkzbw*LP%oc2}7<%&7NQW{jMOmsnfwgcazhWZAOsU zt$|>46`27~I=%3M^@%zo37wF2L%~Y)qZi;#!te;=vv3E>u?_}FxXhMZ$O6lH8V6SapT~)O8M?;<+yev&N zGmXk+Y_X*{J71nT6br=78+qJWGsB#zWAq|{Du*>QA3rPn{UtZYp-B$hZMT0#S+<6$ zu81UDD~0HcKql7#B$P@}erCjvqfc${WFdnc&qMjzNp_=$%61N0*0seS9jB7uEkw=b z1F5Ju^KXDLuCwfI*@qZ#U}$sbf6{WL)DZHMWnb#;Od8qLpP5GyI4OITL?$^=5Bfs8 zu=1WhUtHbyi+3&Od!{ganfj zGDKrhPXVNEFqv!`P`ewzdHndoDLF(IvDX2|#uzq%#Pjp;i%LiHo%JSUqPCz`EtV=4 zlX6y;$5Ti#h9{B5TaiA)qH7=O5G{UHW`zAi{ZL& z&6OJ6Pg}$$i6_tI5@2*55jc}BNkzkE!NtFd&Q47m$#Houkb(3G% zQl^Jas=(Q6vw=G;@sR{_DFyu4W>ULK7e4|%NzEs#%%H<8#7v>Kq5n9uxFCyW zj1d^#H6aYu$fGbZ9h-4tk-2CxMC%z7BhUiqeO{md8mD)hBn!9FSx*Qm|AcaEN5M{W zv$GZo^O8wb8v^el8oQH;iqd#6FzLGal~=r1|w>`QUT zw291U4!}^#!6oduzR5H5)lUsXujG3--???2^S%{8v z;>y5_aR|?(5$bVLj>tM)Tb*~u=dT1VmvZF#?tkRx0)M>OxeMAfVYAz-g@kaN4ToF#vNzQcP+u@rv6{Y(p7%!QsT_-Aby|^0B^IB z;mFj>^^doLS9k*A|8WaSsEkFv@iv;QwxJdH28#85r`F##9ZabQB-d4qMyQxwmV)P; z`RSzUfU@)mOz)6iz)3#yUf3>LV)tYNMv0uOCm7;`SXN0lC8LTj#C~&&zTIbO-1yrM zS!p;=>ro^t*9S3bgDyUkr=`k{r!P1dO68{F|g51A>{xD(oSZjla&6*j$lES1zsv@73Fwwa$fXD&8CIMpr;e zv_8v3NYcpna3wO33Cp0hDh=>tINYtnRHO5p&<@k0CZWj(TxbTW*#tXAEw;md`<$Rk z0iQHI$QM_d_TWykIA2ppR3c2{ow}cr(-+s z%Vp!bnrpdL6-<~NRGVe49NIywM!8{?Nxv5~OVI$u?!Gg&8eM}s>*FUoWKBo zr*G3$$);Di@0_C4wtAY;q_Z+0U&U{p)D8og`&(+?$HcQ^TK1Pc{p~0l9knp>t3yv_ z@KnF4UnceLGWDE6HfxQFmMPPsoJGBC_yd}kmmP^Eb07;NOLZfC?A6af=X%fPG?wmd zNL{mimRY6@nK(!gWku;Ptn`GH?x%}i808PuVltKPwOQotv@ifLeasEK_tRO*6ZBl> zhL`pJTu~&}RE+E&ht?!L0h23mSiUY7)Jux?xRG9-k&64cB~yLv#+|c2Jh>j=+O3-< z7H)QO&l8gsbH7JfQd7_nl;#xeKYmTtPEj-$GAqufouj3dnK?ERt2wGYn3Tjs#cu%R z#ZAxRCKHFV)=;XA#|^XHtDL2&wKXH$g@jx$GS4HqEM^(27BN*RbOJe-Jk8#YRzcyB z&mPKm`9>@tX`^*nCt29LyZd3N{Z|X zGsc?|!8b(2(Dr8AAiV$Atwvy5c_s+Jblf4}w0Zmiacj<)g<2mCJcPDFU;nlGyrY`m z?x>GS_h)J*X;YT0QVvBj!r*lY5lHX-00cFB;x;-KpoF~hHHM>vZ18RIxgB}O%=IVp zM<_~>aEKAm9?8Ku02#u$nat>+34LzhTqk9MYdrG((sP+iwRE0sUc#GCvh_cbZwFqR z(84b>Jt#q<=_Djft)4c7!EEn?c~WAQ#%8D(k9lZm$&vVdtmar#fH6A+bw*q`24}~C zC_H*guTK)GTKVSDq`FXjivQhBazPuRzcUUxeF6-gi8CQPMw!|cqK>#!Kj6dRpn(0( z4MQ6$VRaL>Z*~d-M`)%@b^?A5*bz^;;`!MpX^7nH1P{pz~_kJ!N%t&P?f1l7wR#xZqvle^`7 z;=(CgEJI}kZ!Ee3rQ(Z{8xpN9qWOFAY+d>9-|Je4LmrT#gOtT5C0|bG#G!LGwi$`n zOXByBi7{rUE9t0Cc7LU&lDTjj>mYQfm#iPJLReV7E7Kdo6g%bF1qK37KAWZK?FgCu4lNb@Xoq?PN~{ zn4ViO2|cMD{iXtEocB39W3@ts^_HPva6|EchR*O>v{ExM3KN>tcjFlXV?-4 z)I0%pst&W%svj(aCj2*=R?*Ed4@%_$>E~#%KeJ999vx+s*$+8xk~b<|c$6l^z_nzp zZguuUcfO=EZ8#?0mVN~OUN-*4Gz7e$A#nx<+8supAOr2wjzS|u5C%rK_ZKlz0+(Uj z8$41EP4Z{gs6;sfJe8!%xyz!h=xGQykFPr)mR?SNUM_xq@7Lwt%Yy;n#fanO+Fks+ z>0!b6ad=|j@U^~bpt69TEur8-D#=3y1@J)@rX~BPBKvMaW@0q9_BSg{u(>v*us)r+ zR4lk<#QB!4DrmJpJKj3-gD&r>&$vokjZ2m z?o@-d{p-yBq5_x6s8C1~wuzyPhU0CL4iFi)+)ce=%GK`Aa?9@C&64pwSZxUYTSOp+ zZ&EYEKSoW)(hp-CQA>E{%}4H=r`z_7zg%IvwW#z%`?{B$rH!IIJUF`eM{9BeB50ih zze+b|Cr+YyR1HQdVdiS9}rSm^XHILYzXP zQy$%ZJsfPpg_rmor3i`m25i-V(=gYQQ!qTCZAV)$#=b3n_cF`y}`OR06Z zQ+JeS-`z@G>YMocP3FxpbtC(JA2%|~4*C`v?44?;j?&K;*#xz#1V~qPl9nxxW|KC3 zKlpdD?C}YLcq8@G7;$p|%{mc$&jnjs(rBl0HcozB*^#oAx#YSf@Snyo<=)P;<}8fB zYKt}lMGDcMnsL!!!fx(^m(&}Ff2pm9p(V9bwiMQFTT%VrYAIxy z=7%QC}R z;)-BNe!=~Z%X_)S(D8)aJ|yWyNB!%g<5vMCmvl1=aoDNgw-2#d#GDf&U4S-q!hJG80cRD)i%I(i^2Mj+kr3*DENO1JV)&%0K5*R^#q@4`buh=3c4Pz09%VqW0Y7Z%L9}%Grfn_VCv~X6=cd|^z{``Ap8UTKZKQuS!;v% z{eVnhgk9N95gs5FyKjC&{~e1G{Z>K= zv&}R5T=%*~yDOVC1hom_->|vj&vq(!f20?1k09lO-$xSMp>om-bDDv}M@I~hH-~(}!c{M_a@j4{I)*IvJBmiP( zuU7j+_@1~eADeN;XU4s1f2Xjl?8wFVY>EbHcpZyUFYEefE)S(Q?-MvO+~{H%)x@Mq zu!$E(f9i{4j)+4BCo2vVWm^BN5<7>3tc#bEk5V_pv zRwXT>2Odz5!WiC39~kxQsyfc86NzN=bb&3>>8HW zpA%g7_jHk|=thso|G#rvI-Y;$%G#0~N%LYY9k#XBmJJ*7-Pgc?0gF`_G#qaaIQ?V? z9~U>r6B9Mw* zoB1EVNMF*q?nw`2rRBpuw>q5UjDx(d&6nSNJMiORa#jNH9F5;UFFIvfRD-C8=S>+) z7OTp_i6fjld#>E9QFFEN@Y3#)r;WJFgXZ@2D>^D`FsiNVBobsM;aeHmGmvOo6dz1K zCR!u3u*kBpRv6{l$g~ww?n?Jv5bfw;jkhKu(>rObo2${wb1_+Co!REI5^d)iuB4uF zJCb})!x6L$P>5dYG!=MJ8~c56+{-!B{VEKGb}gvbY0UMfgNm@K%&Dx~DP%oSNNe|w z$PL%K^1#<%=Q@}-Ro@Sh&T7}#d#tuYc0zcRvb*8zf+J6pqPa^&|Mc1K?73OehAR!J zC1D<4QD0Ij2{Mj=73s;9RU1GYIVMt0*O!vHp0;LY3-s(2@&QZ49#bD?Qvk#m!Ei$oD4H;F~ zP)&04@OOr8`tBPHqEw?nBRUushW1kc+6XnmCaxMkp_ZZ(Ui?|}T&3nQ z1ufcOWu_xbTeamqLpY}&F?avttn$W$RrMU>P~SrF3ECavY^lslmPNn#5C^b=xI^Z0 zMz$smi*q%p(b@P)E46cEHm!3-9V=>89nI+s6n}jdLRwCaAE?sHK0>J-R*mX%F*{hqU_HM%?|zT| z%@wl8f7v~-KoL7VA7FJk{u3{>SU3VfP{^N|#9QCgQ{%I18}&3rly&&|2`m9Z(H(e1 zlN0)7<{Fhp0t7Zi28Y5$*$UPF&vDO48|<70;&9a2(?i8rjJXSLM~qqOv+lso_yMJ*Sc65$BO?s zRi){)hEp`sbrMhV#aL1f<$knSQu0+DyLFI2q6k*b4d6Lg1@?p4z^e6>R6rXp|B#FNb~N= z=Qab*JW{Lh)^6Z>77da#m~}Rtq6Dmv;rmf9?mAv&AX-gp)lnFnI@W2{FXQmW=;=;<{=H#0fhCM0SAQ^ z*T+s(LsKA5OQiFwAZCMIKTI9lc`z6$cD{IRR;{(D%=R0WFqi!Op=C-BVINx)Fgw;H z9)G(VEX_4bWQIbCNX^Xj+@2pgSEmskO^*0zu{bu>oa79TF0N(1mKk@-WNw zCMKC-k?xgI>!8Sxp^*;FHA%diu^&rdNj!rpISK6Tp0f67M^U9f zUl3ul3+OiSn79!PKekJi{Egmcq%>KnDB~R`KrYQOxRBbQwWT^{72~MquJFOi5@kJ zS&L-w`l=vR^yjEDW_ONUfFFyU-tb2b$Hs%sc@lNY=Wb_-daH(}MyB*zj4~Q`{6)Cz z1;u#tk?_gpHO_~%aFecOjQpjD+TI^EQx%0NfB_{TJ6WtJ!fHeDK&GFe4Q+^BE+T(hpPI!99Ede7HV;uprU9d#%k zRNs|jy!Fh1ovY7@Fxa()8XxU_y28$iN-vXaxhI|=f_hno#{g89?MqwQCV%6d@#$9x zNWgqix_p1iG|g)-5UwQ#OP$yR#{3;w0V#b+(^R-D_r7US)m4;!ZTr zrAGa{tCxVVrlT+8(0+9pM+;m&Zc~CdqJkegebsTQPhL6hu8b5zO$ct)USFh`J!Akp z1le>sDOeMP5mzrpvP@5>VV=XoQuzyhQ30=AgHhfUd!dO^S%yrXOv8@d2hHosibqw; zWiF6O@k524$=#Bi)NzK zeD{6v@7kmX^!YN{07~ciPYB?=HiHLl7%s1N3N`_-mi|%j8aEr$Uvpn44P(*o$v%8S zWBw9L5B7bwua+guc=`$JQ%kZbAq**X95?FNy;P+L%awp)oUft*6mw(iBWqpjQT9V}$y*WzH2+ z%QM^PhAc%tZqs+b4PERu48gUcT)93I1!3U z$q=wqTMbKVbnm<|_g=q7Y8?)!8;Wnbkke{)#Y_`}JrG-v>TSNo4D|9!izL@s%sBI4-?38F~)Z8|4}TrDI+xF=ht?>eexw9iS*!UomDDWoXx;*eFZ4kq~8YU z0Ss>bEh_obuPW3pG2D7`V6At*vBM#t9RJ(Y?8Pc`AfVneQ^Fbbg0e0A9`PQ?iD)Y; z8u5{N_gH#0tzUf}K902(AkV#zoU3vcej|<9l$l=a;TzE_U$*95Ha9N3&7q(~1dM+( zj{KSucSeJlVETyI7y=uj;-yX{QLdajWbGPtS1byA^Cxl}TL}lW{KsKj(yA0%yU-B} ztfV|KChIVgC0*oO0d*$pwuxH2mHDK!Bc{kRm<(rTLHd>XQ!ucZad!?YS2rAik#>~o zw4ZNPam$=K>J1Osl;Wb&ZBUB+iWj1jFu_JIf2q+S`pRHPx*vjZvO*4D?&G_6L(m4K zL)0HCQ9_gp!pL`sO|hf0q%rOrm@&~$@Z)fq8fc71e%Y(Xh7s1{4^~i`MQe>d?Vw49rka@R;utmNN*ZI+{g!0$S(~g-)i9a8`GO)A^E#DfAs9$A0B-*`p zVEX?6YCx60Qum&I0`(EyKA)#Cozp~K*sGKV(Ig7Ci=YdKYr<}dsAaHbHHw+p7Eo;y zlq=u^ik8&!T+{o>2#^Zq3MviOs`w zzsJ@0)QgwbudXViX8DA>heL3$nvY!W7g(osYNo%legk$ZdkU_rFPiB8Xiapb7W(KK z=*HUTr_enA7_IXG8s`^n^Al;CpIp=Y{Z$w*V~d<-8|s*Ue*KaZQxz)orHFAii(*RtN&ZS&A$j_%0{k2K@jpnYYd!Lq(v--dLY7boI>67{XX`RlW3+Q*(%b!H5y!igb!)JbD5ixaw|*hp5|$X@x9!?BKWG}o&4SI? zeyyfK(6A)p&_ZYV*KIxZZ=ik^3#k(F;p_9a?@rG?oS&*GL>Puyv>fKzkK!nq;wNO9 znb=m+dQ}+y-wnn*{i_D^nz2;u9lfQ1FPws9&?gDKgT1`-ISDfA=QKoHnr91&w(to# znbF{;x)eg*p8fEl!GZ*g^GN}KxR%M3hI=HRMV!p3pKvp!jOAiVpwlFjhA{Ws&vG?& zgH}W==bz&E^(=ndCV%}(e1WGXaU!2lTUP5Pieu6`B2Rz4I6wUjAGvwNEUW^}w*P%X zuH5rlbx7!-guXwoprdp-w>gBF%mI;Lii- ze@N4qE$1{@C->>kYWm;pbo%A^&wg+CCI0i1e4GU7kB$Dsti(@KzHj&m@(Id`imwH+ z+JL>t7mG~h&&63tu_jq%QxbRWBKcz>{;=e~Ej+Q3F%&$`@-;*i)Kygdr*oFrF*6D+Ke*!{)K4dDk>sRY z8=4myK0BH`Z`jy*Ey^@Q8e+y%6Dt*=E*zycV?*x~zL+Bgp->D&R{0@MJzWgld+Bou zaTnWVrD9u3C4A<02SdJ?;~0t3IAtT%renH|T(#q)c$^!$+#^qK#Rg)srVMdq^w+P$ zdr;;~{9C?VF5z5_1Bpwmzc+69y(xuijwAj;h6E8mS0wA$@R92X(u*kLowv8iKlC|y6d7-G=8j@ChxNx31&E`=8DEUq1 z2lRqw5loaNp^I>>e7+R_j3Ngh6!2mZ$GW^s(m8OB!+ds?mbnO|5hg|s7vUke_a68_N5@fe<+*$F^I=oS)TeO{LryI-z zPvP6rk_%Y~`oWFy7`%DSo_hFJ@KIr(hIEEu^ z$T8k_bNK=+2I2m8&3L62xa4sJf=1Vmkjk7mkFisnfAs1(kGCJl6~9Lqv60SzUo7*- zLpK_ttw0iB9S6kHUM+rCRs}Jsi}WI6V@FG5Lh$b|-2S}+h-&@zhshv95sVVbdF{-K zPt?q<1m>}37e}{r<>U$v)Xc32WaFuUi^8IH#gbQt{S|{?X;yW;^;J>tjHa<4P_q4D z8#?8oZ#?w4Y52g#TIVRY7?a!&Vfxeb}nsetWhNA6Y|l zpE}O4hAupHp6KOj`mh-pyoy2^_}K&PCzZE1GNDv$cS=)aA-z(LiL&*s@SAI@RS;z& zU1zqd5lH;WMBpL9HvLVFFj8ktt%0Ajm}X@|J^FIPQ8bP=vz{hwXWHr0{wJb z(j9G;u@S=6A{1NP0`WzinZ2$HGfMVfbw>)lz*p`mou~QoG|FC(UpF)0*C@JcrR-um zZMSa#huRhqpwxQ1(R*%GdPoy*S43^?j(rIp`;&bh5dW2iPowy+XhKSry8iRF<8?dhDs`cD3pl7N1s!5-{W$YjwQSr43r{1SEm9$;yR!oOJtc^Bm9`NzFaY^$iIllFySRkBZX#6vIV2Z<+&x+4O=>P2| z%|9B@|3S6?NBc|v?@#mjwOXgKUee!jvx!|4zvW0Gsg>(@5kYq;4&|hhKM{rh`1+xm za?9?!Z&;}93a!=&grz*mFOMm~J20&Yyrq$kAZDpW_E$dmF)0Fe4k90ImKn{6l>zsynVUn-W>Csmu~_OHKg zliz-8fK%e(-+tS6;TDFhEQNvrz98+vpzU0P@*_1~2o6cO^|O7J=KDWQGB#Dg3F@8w z(qJdpH>O7^;EwvP6%_vbS7GocT$+HmhiU^xb{zE!F zqY3%vKgssf-ZuH_e-S~GKIHS1{P-jJ_kV|KSDkJ071>U<$&c_nDs1(H_=GR#ag^MU znXk!5NTP(Wgc3FZssI~HLqP~ansM`PEGW(`&7#Q?o$hINmkn22Czo{ z8@9WZ`VYgw7y0j#eAe23Ys$9(3jCQg@=s@Tbq9&5OVcuNv|<-2$W5#=vj$r*Joqj3GcV>Y=iC+~(Men#h3 z$u=%LxBZ&=;Y&aElYnO1da(L^j?v@i7piD?@yiucE4{5pE0+JR9b0GCUuXVg5(W6Q zoIkCY$O=&Pwvk4gas^hYOAzNsWq0te>#s*G+}gW>@+MZyw_yT>>+y1hCOhzBrckt1 z3Ptnei8W~x4HG6>vH?O(hD4#VgQA?dpG|4LXu5Sdu%${RXHAYae+l$&Aq3b$80hIfqp%1 za3^xqIwKroI2;Ytr(UrvppeY5`|${f!)ew+Ddx1)hb4X{Sj~SAwB`@OYyRN*Hchvw zT>w0}DbcD+%Bh>aP0(3U4`ee@xS?pfR%-ncvh_divyuLvoVW}#)+>SA1{1`ph3fcj>wpH}hzJqvEZ(rW5$!EflYtg2;G^KA1PTx9@{ zR)VXhz!i*Fu5U#M&oe)#)1^FCsdsN*vN(>C>H9SFbGrRGmA)z*-vcUNAv1?d@K_|# zB%+}V&puCh?#D3zz(Lujrj;0L>~mdHn>Vj!g=u&hO7ogpe93b<7mq(|Wchwe0BBH1 zs~nqdrh!4K4ODA+*tCi;n#`;m(_X!3rQ5YSOX%}1=~cP{^7A+qy-1<-)?*cnQg9w# zGHQLU2kgn?R0XR6)vzeo!>csGxDP7QRQqNn>#Qc_+I*$`>CXa|E>+VwZWB6x$8t>{ zSFp)hhsU|U8x*N&j4ThVQq!$Yw{#qiwvIKWjtVc?xIu!xeQ@ohCiARh6cbc>YV70U zQ>0peid2eF5!15kgr!R&85M8>lCugitSxy!^I-cwN?=`esn$X%11X)0oS)d)cegal zqR@uTO2Ss$E!eS?v?jM?KcA;iF$2xU0ZqsV{{@vOH=6c7+Bnw|s_AB~so~v!)X~dW zR6O-4nc|*1tqBcPnlDK+meMSbDE~arK~5Sviiuh0j0ge>(OWP>_cA=YjLNj2oZ43t zKjyUhQzo0(MTtEl3u^y4Y5|8o5cScTknN}9?P_N=*94%WT+I_VbotfO9U-}bFrvWj z);$jXkFTEY1b)8uS-GDV84D=qVn@Z}FNl0=^-E7-TDOw*eEs!i2)p*2Tw_n7^0y&N zD!Zoo-NCkQldlLI?TRyyt9i?$vZeQc%X8V2&HvzrBr-R4J&uvu-OJe`nElQ>Wm@Ht z+R6|FNg#sYm2axE8qbQUI;8?E)b4Do2JSwb^)e~7_0!Ehc zl9iIOXdD;e{dks!%Mu~J)`+cbmtdJHQBC<`9d~OuO~k5dr?S1`p_*;2Do_=CwYTTO zUe(&CrI`Q9@s5lDuR|X@ioK%s`{H0LtC6T$+R_d!*6>&=gn;!$acCfre-0GZq1kR! zNUY|)N}bJaBN|7OTlYqM_v*vdx5t-fryo?G*wU_mEb%I1^A{D?If-Z-UeZbR7xkOm zOl_A0tIgV-`pLib-=#UPyUJ&OzrH;F@ZItE#~Q|6g=j+4Ry*x+h%W1*A}{1r;lE zzAvqA6_zSLH+0z$$_-uC@MXcUT#Klm{A1X&U0cy4U&t7)gN%k{ZbDY7n0B!3+R+Mg zzsP7xlTaBft!z^=7MIyFStaq9Qwzr}vBS+ShU3e1mnHQ%zhhZgeWLP9%6LA_DE~Qj zbC#9&>Eih6>W6oi8xXLE-zPKkkGNAB#>d|)18MWSwR$06?$_hoFTKla&t?4uC~alg ziP5qU>gHpgSTV1LcYi&n%p7)uC(!$e$Wv#cEcet2^k0-shQrmfS`eOXf7mzxT69 zh*SmBi}ncblBZ>xigRAbyXk70xpnSyis_5wKR?(ne#rhGAshKVEf*${I#%6%FiMd(6q0G#s2RFJ! z63#>K(Vxv&{kueu+|z)dViIyo_x&^ls5Hs5Wy+!?Z>h~j4Omtii!a~3zdpPCaQ*J$ z-RpPX{NuyxcPGcMKU|*u_xtn9v(u}y%kR%m&aVG)aaLoR-Tr9;Zj3by{kvC}@4l(g z{2bBRu*&yYT;uZlB7lDpz&|5-=8FK1K3@dz&mUno7r-S~`CUYCl>m>Y(!#ytDq;}9 zF8WGRq?TH0+mt<~Gg*%HQSM~4vt@sB`8Bs(ReiNyU|C0$N}xYhg>gVxFN1G5#|Nk~ zq-LTUYcm^8bz_~TZlas2H7n=oy6BIj+&IUrkEhtYBhjjtH_R8P^v-#rg4;+Ty6s~E z%T@->6qcja{3;J z|4EVtr??IArQ2lJwVRI_UT_ zZ9CNV%8Thj;B_%s4+zJ4cz#hyTyQk^DO{bMje;k4i-PjTA(YN5vnGDh(UprhC1git zb;|*QUy>aH&XUt8_PZ*`N#0I}`O9=Z==!=&4;m-@b58r(u3zO~UGm zPI`|%*!s454;u2VFJ72g5J*KR(6h4`hr* z3Tw5ohm@pm&JxAW`vghI=44OD<7k z{`xDxA;0}*!m@T0NZY+}TUA~t7-oL0lpXs*p%4d?Sn7$ z|5JRN((y-?fBszRK7BHZ>I^>76=~NMeJVY;Va2D7t4gmg_f#pCTo_2#N;Ya0s+L@R z&|NHf#cnyu9j~aBy!PD+YiTm@CIyM>HO2-diC2}ZcFlZ;Wnjr`y5GC&o_?$9g>LUE zE5-V%&;=;&qR<8Q{;Q+Zva}ggN^n|tioA+L%Y}SeBu9};`4-D__??}P+CNuGP#@4gp3za97f5M zq<(PYL-(mCf-gnWN;MZzfKTi!Iv z_u;>C`di-kmuw&YtG}2{_r-topZqr2w}8feaI;8dMU1WI9=}Vso_k~eX6w0^&(p2v z|7+_B`QFbWw&3La^o(zLX~uq{LB8chA@%p=a~b<->)j7;&n~aFwsOjIzW+xbZKF?v z`+xH7@!N0CUcdXsn}-h?W99wt3_Aza```Xj|Mk;+o{;ZeWo$~0?SYdMfdk^d$&|)y zx^*1Ky5W`}61kuOfG4KgK*)l{oF=*KF$E8Z>*Q^1J$XX@*=Zkmop#?F{zzKnJ3k@a zqdn4XcL!U~$#EFckRL4tL?t z9=)YWzDIAPkR}1$`)LxeB%wjRm#by(v9W+HJFG8JaSSt5luR?qIZQ*g%@VSWAl-OG zA#~_j0u*|m8xR={*nCbC@oygeBHpbJHWJWen^`*>14-L@;B{gu1?ZVX33lttwr*;n zThGZG7J{=C`i=oYNIVlO6JO~^g={z0eGRvslULC_ELZwf$3CYaR)Js`0B1|&%C`if z@R^^{a74y23vTQLO@TPA(E4$VYK39c?s{#3+Hct{=?($4`&-Y+C7rWd3iJN^T%OL~ z=l7D`ohMNq`SIoPn+uu+G!YsoJn_cAFMb(8v$iGiGfI5Z3O!2X27eG6{DDCqd^Dw_ zLp!6kozZa^7EoeTd&VQe61c)+>gPnoc94I5^KGlsJ2?1p2Ws%Y*x#Q<`D`)v0ybBX z(Tabhi#XmFkM3?gCs%05tE<;Uw{ZCO`ugHZis^(YAGuiBTfkwBsyip~g6Bf1+ap-N z*(I^Rq?t#~lRRVLA`oY}z7fPo*3yv2FlH>KegaCbCzp5B9yVRxQF|zscLwGXax8De z9m{TL#);5LrmDgm$Wxde$%l-gCE_H{7KnE7XqwRQeHNeHr%|@Nq5(@naVT)mr6O5{*Q^3j)-hu_ z&oe(IhQ28RNdhV)$(*5I@=P3fNaQS7wlsGYXng%!~*(C{e>=9vOAyac8z?Qe7DJd%Z z-6CF+UdK!d>WagL%_yPw{ydE-f!3E|f+4$01OdTwa_Qn*y3v2TiMUSf>7eZ-IQ((lJ1-mp-Sh_gO3t0?uH;fGLtY zV?5_0-SF5_aGHGpF-qQLp%z97ᒒ>Or-ZpT3F~f`o5=#=6i-TYjQg~eM-6)wR z(Y-~qGAR{P)WQ{#(N0(<<|BxVN~|Y}`iK!#cP%MLuteR+t>@(V^Yb?s?=G*8-(Ej| zE;t)a{Y)UQ5{H0tpnE`aHV=Ftf!QJvprV`;c9$TelaFi>@|^r2c#;;clc@o##q4a6 zB+wYl1;>hF0u(6f@ZL01LWq_ip`fVXnXyeA1C$rCgkmuqDtAYdC;;jM(*T3kiJwS; zKcQs2B&jb;YUa3c*&aMOl5d$}Q69@@G#eFuGvgP(t`|$pxxNINO)fGf4mYy`tX~p^ z4v+M;NhmqMw+1FHZLo$M$$qzUsmrw3A{R2H+z?P~w9F}mLujb2Z=fRE8h4f?6BGbA zL#Zg(x5sC1k6*q%I|WX0&*y#|@56spkklfptU?KNZ~Ud!p85`ayrdHGtSE$#@q{Il zk>vRDx49oB^2@@oWJgf0P-;H0Y5R&T1*Y{s0eJW^0Tlg?Zu<>g!Y-m6+(j!qaIWwY z>cNI?ZqHJhyrFp(1(NhQADXKN&`<;CP$#NO@@O6@!OfBtu@_Kdb-dJs+9R)6Muy(K z`0>CKDx!LAPierhKP3sJA#m`qAU{9}MuI@$>GYk`QMw(FafO6ZXfKu_9F+(v`VF#C zM|cxgrIgAYEIeUr8;%S|b51E{)2Wz?Q$`r6M4(%mMVuw&I*Kr^5&uWdB8#~{9hr;f zCnVy0L8S-}wBpLd+LE~tsGL_r?LpBlke3orh{7fSyljyi^Y>hk z!x~7_O(1=fu|=w`_L}D>>fyR^)$j5yV8mz!xA0#5uD_0w#r-?UX&Qkqy<+eT?%2o| zjOQ&&E=(z=k-nweTwN_HQdF^t(=SRsg%G*Ojg(4%4ZN78f#M?)lpu8rAu zS^dNWt4HB70Gfr){reL?n9-}~7ip>q#9vwfIgK(hkM7ALB@5VL|CdEZTjQ9GtBSQf zj;i*F_(E6ng^aZOCB85UBQAK;CD7}aOCg9!HH-M1(EF5Tk=R^6CKKxCi;V7x6{@$S zJZLuz66OjiS;iLAnY7PIR)ILfrECb5v&@Lvb~Q>*dPT>i+ioJk z*aV6-@(H%r73GbJxM8lcm4#Dzg31_XIZ0V6DuPl96-d~?awIpBI;hO@C>T1WvQo_n z0gWYLIf&_rx{Uqi2A4iExLE6uv`WBigaQPZs+Pm|1SY?VVnF2A(L7T2>zgP&U1ZRx zODN0+>iNa@{r&Tc?}y}c;m17pgByuwn8#!Lg*8K0Z1U2GaV21!U)&CrWl!Smp4!s6 zpZMTum}xz-cn&#J<_Z#nrAO>EONf96L#G+LUq;E)vv%Qe#%^e0jRLmbeHcaps2`J? z#h7LZ%_+B9ktfiRX5^nUn$ZQ`PyBe9M*###&uKoR3%)O||GrF5-=ERA*xjmx zm_DDcNL5F3*ln-<)}K7!CG}65j^U zD!av~)snxp%r7HBgHk`s#SFx{^@{A!2S<&_fx?^G94tlhB<4u8;M!DHqVF>%-PwYi z>3|Wk1Gi~cJ;SYdjs$(DP`i@6%M)|lOQ8WsoX#1!%OYbr_z<(HR?H=%yt+Pp_x@UL z$y^NUC%G~UynwA~B+PV?Fw<#e-JXzU&L>hqiMTjUdWU&2%gB-~h#zOv50_xf@e>mm zWUVDTqiStU*@=_1~}EbAeOb-2+HM2?J8^bLg3V3%>j#?|#427XRsr|Ma~3XB=&( zRXz6XJLqR@YUWxd(EIaVuH{l}B1{EgzEX6L(=3Wfw_CCph6T?-nSx?J9Xfesdnj5D zlpvyh!^U)d!D|}g?0|QT?|}t!kI?y;!r*fjQY-ki%!I8C7gT&@Mp5II3?+yhOCA9? zO0vCSdjlDC*hY3pFlR`I!ig;Zqb-rz%OJm%k}0r7%~_Pq%pQ-j)1T6Sbb4?&J?qpp zHp1&@PT4}SP8QtITz`}LnLqb)AzI4=IR4@4s)xlqtvkb+OUISsmnc&op(z~w?+jeE6e9wbzeiRGxi#LN)LNOJCLIt zBB)b!CBejm;C?u#DsK);2uo?gXVE0z12#Ky*=@i=Qa8{Dn+mkyLV_;@m>#zG`u(1G z_^^H0-aAx(=t-G*SOgv(A>ZF2x~)GgcrM*?HXuWv{u>osZ#+>Uqf%AKC{L{iwGd(= zcI5OWIXTv6)ER7m4xIrK4u^-{p<~jQ^p<8h%l4qbjey4mL&j8b&34C~_ zJpux`ERU_|$HQSAY(c&%FCs~?NCwn=3ei5`!cX#QnPR4Mdf$(v)Q+>U0Yp^(v87OG}^b>RldMAi^Ljld=%=l8701{7Ynn87nCI8YEA z#4w7H$Q5cUMaBi}^F(M|97S7U{rg(_9ED<$=CV1rDp8X&(r>rTX`II~o%%7k%CjiQ zTi2PNaIxhrO&H0H`k}u79Hb6^6#ab=f((|+dIr0sd8YlB8$e7Lo z1n+nnN4X74RCK;c7?q*(?IC77CeR}x1A|jaqXNO+U*wDjzL?SeZP$r#iuS^FTW|>d zD%>#f4DVUpy>ijijt?6IyO|vy9^hqktXofotMm$C3FQIn^6VcdvAG z( z!)P&wbBXFV^c%bJZjjVZXl#22lY@w^4iPmAs;ivl#cE%$OWVH-+))*;-I zbfefD8APJ_5F7&7P6%4|0rKs1E6c8W7v+rsW}qDKV&RK%bhN)1N3D63L~}oWapZNp zw%0j0>Y)IGfr@wd&QI_Kd9=ZX?U9Y9^R@DrW`gjf;#Dl2$N&SWE30@RG8K1mvJm2% zxt~(loTuX0&{BGKDc$zREakAUltT|v6prw&wO04}Oc zSE`H+b3=paddvjG90*B_5*2VlJwDS0HtnZQm=J+yel9g5v7G+UyI0ZlYOZ`w=)&pp zU2=9yv*ndEJ{gBpLMf;oEGu97Jryu$jpUQeV$C%p7y2y z$>?t2a6ahv5XtBt*@Ni}R|uV)=HTTSl>-iXsl z?`hyEd->?0ht=-dR|~o$^5O#dCwFu#?dL>Y5{^}&G)ie4CDa{NBOw&yZOPof(c#AA z_~M)dejH1|67+lH92NA+3R7BgQhxe6u~WL0khiuX5Y>5WN77wedVJJ0V8J0Oax!v? zYNNff5UJFNJu-5*E$xrh1QDTYt4M4bk{u~Mg}Y?r-|-gjjjBr1cQn81AnV&7~ zwYs~zlU)ViW{FLT7eXu-gffl&W0!e?e#vLleBY9Rz&Z?P zw|2&*e3;72A&!-00bOA?D#OSbBtS^Rykq+y&jO;&(`5xwAW0<3iH(g?sfH$g1W!bz zW9gWZC?P>i{fsE1aYfK|UUxhN6WV%1mk7Wpp?BbaGG$;!d&bI?Gr&XX9$e{tleafY zSRPH5fd3hVoG*Cz8P^u6MamK|04gWFkco6rIpaT;M7rO=JE(|szm3HOY@-?&`df$} z#Dz&s43nqR4R922iM?yHDkNB%Hy=nf4+s6xTIMqF+LiD}99tR8Xt;=JCga>x%z^fL zg7d~iu?w10cwVK($^G8MfHTCIa3Q&VePxp;R1SmKAi1C-i9-j~bsm%kY7;dw8gdl1 zx8PKYxy68wwL96BJNYWQM;>fdhFS&)a++Pli)oZxsqhfFGlO>XP(|^yGbJw1772{F z^EDavKr-jMI4;p$I2mnM2PHNj`K-o8=B>1S=sUK7w`kaxqL7Rb@ni6iG%4Lx31T>Uh$DU zhonHWa5loFcwSKy*lF!3}3@ew@L|2JTy806Bkkp2pKsdLSUofXqtd#p!*U?pM>tF zp!hYJ_))yb==Ch4e8yral@8$6KyV2bH6>$N;T|=tut~UGDcV>^+pVL}y+gz63Rmv! zt1B%(faIkESR%^FXy(6!dM>9?ru_Xg|5Uo=M#u%D@yBWaEFp~ZeJFyGreX(f*&;Ky zVT0JDVGqk6J(RlD?ysOEI!^}If*zGTj!26YynO8r4!s(!S&?Enq{fh3hA<(h#>Q#w znToy}sJbS@RVpy<1Z4r#O1%!eY2uQ(N zu0;=J(B+G{H1q5jtl5<}rQi$^WW;5quQAG7M8P)U!xf042q%vuXB^`-e( zNaAFYMKlTHWy$)NM=f2RrBE~W3eeH z0-*&`_%zJF{6>IHRigv1GxWL`sX8ch`oJJn^(KAGvgj89E52aiu?ps(8L`EN$*36P zF{ZiSwH{qpjJ(cslN?zaf}@-WX~kD^rzW`#k|%mzA35>bt*m!s1;~=gNLMi^loN;& zluC}%=SR};XLnOw_ziT4fy{u!sBN04{k(`WA+*CyBA(lmxP320|4XBBgLd$N6d8k=#i#ryY&*7Nd8?Spxufwu6rFdJwy7>W>$=Y4ZSq zLt_Tb63H~c6l)o}-LdXbrS4Y;6=kbp=$e>Kd_~TcVeupuQX3fOqQrcAmC`_AO{ckx z+!z?t~e8nE&7Z^Zy$3v|I`@ zr?B>uMgpU@gqipO4o@C>Sw<^py4g$7Fa`T&`n1{5y z#?u8(Z22o&G-f z5nUNJTAva7*g~Xc4(YUTF-CrzMv2^liVwnVC^-J%ioA{jnsBOYi$0z^oPj6p%}0>iLPKPrx{CA z8j`nX*B>sAf3N{ZOT$AQ1x0OHC?Q6N>DQlgTH2w#)V+THE0Oa|-@P^H6OMRU!h7SASX!*WJI3j$w#bQ77Ber3)U zga>W&#sLc!%-;|gM18OYA40Kk?_gD!wzbg}Iqaa^X@SS(r7KH+}Q?by8prJ*LKB|z| zwF;=lQf2H`p?BdT$WfI$f69q3qs}>as3MeRRIoU?q$Mt?9GXiH&E?Qc<>dlShqSbb zMX1&%en!$LxZz}xDvRx_NEZ2>(Rgm$c19mpCCyeAC_z)fg)@hx8?%yHAyxmI$FncsY4Dw(1#Z?m69h1TX}|JF#Jq1}g$*R$wR zB8#{xk^R6%eGgtFR2HRTQ2Zg8L!6vhP_d0Qjyk$A%PAOy@<%vI!v>cLWl#Cr$N;~LW{ImGOwV)xO$2}8MeAa}Z_q>7D$2#J#uDyVrK}C|n!e>GH z=p1-Q0=rc~wK8Hi6r2$FzbQz614vKMFS=%%_`Zd{my_7Vi|N?KlzH6hwG2OpwV)vW zl?T`_93Y~g14KZbC6vmpOyYBM6=e$$$V$y<%6L?&6SHdj2A{+B4G=1HC0@VrGacL0 z6chTN!&3T%rF6_v+8ZrJmn9gfkPahFDYYCtWJ(=qkqbxJ7rk&>7ftBdAq)6^?(-YI zZ}Q_?DGRN=34O0sotClUx0ImMl0)x5K|tV}!s2aWV1J{$mO8 zTD%@dNuK#j^8WI*O@TF)T(IXy0P2;>Og3A};B&Yz1AJkQ?A1prsWu&u>In)%Z7Dx6 z=$*38O~iGKScu?vbf81$sH{k>Fz29P2LZ%HOCY3cvfaJUVY_?Ewt=hKffBtW3%L$b6H9{;k)D0vyPvB}mh6^loM zmjhRt9YxnW{Nsm8O&aE|zDC3xG2OH@wq#q;On>MqKInNX`3L@Oz8fo_|j+y?ST zPf-;RAD~#coE>ke-))>!BVh(ziUV0|2y$%)PD%_WM#l5wI1)pmHxEjYLt4*P_JBe@ znamx4n1_kUH30)kGF3rhI_C$CFm#O21WP^x(X#6echO1)dL`{u@fq@J`>}~(tF}mS z<`<#d8TICQIfZ7YQkNS~uWzPTCg0O2EL%(}wB$fCvQrvp$**mex9WX`Xq8&|Z7U68U2jk{h;;`w;ZOBFw{!^FNU;$` zS=Cd18gYR)l9vR~j5YLgzvd})B+~E#p@ho%PUn7P7d?=4PAs}#f4@qNML4Sbjq{}) zHM`M3eY3k}p!0c}v0F+g)ODIu&SfX2e32zoRSWU+oX%6YcVIWtCNmveZwKg=VzQc{ zX6JLz%R9Sh9bFSC)!S$t-Opkjxb8=mE8`uM5Hpzrs@@p43 zR-`ezrUe@?S_=$FqX4`%ixf8tHhu=Jf!OH}^z=75yY}ZGRJXBE-IqK7NE>G3%0YeM z=d-JP8B>KsHr+y23vThAtNNVwnWABO)nS_K*Jr>8+Sowbm#hG)%Gi~h%-CH*#>zc@ zCuB?lMSF0_QUFPkB!FlASO%|i68KWNi`f*~#gjWfO9XvZ1m~4bVpGOY@er_HphRe5 z9W$|Z;UvqXHqEFY)-8EET1EiMTQYsT935pxFcEMY5v=y-zy;f0*B)Ze9-=aTwjGvJ z#S_vjVxTz1KIgK|fGOOJ($*|&a}GyN(3UV26Kr16X_O!^X0taS#YbM96B}az}Jp{Z!Xesb0Ib*XfulRD-e-q++$>GO;;1zW8wR?Yke|;*j`^ zG1*_doWdc5zFQUv^;ID=hRWBIMrXWlL&wA7?h2}}rnz#j1~u=i zh1S2=H!qg;`FWH_Q~OTEGTtKpe8V!RX28}3ss=QH$Pi>r0k51!Cp(s)zur9DMN{mV zN@NGCOb(nvfbq`z^IgLQ3<~3D>yosA*zTLEnKtqftcdDVY!4j}w$;>xO|Lda^@_%*gHF@vtRt`I z^??^-GHXJ#j(&#-ts@zoRSv}X60HT%S~Y=M&Dtkv2?j-fH>3l9yz|r+2N%?AV3yG? z(aO4N29RHDRE=V3I-^K>c#OUZcg5}yE%nT(>hESc`7-VLzPfr{uEd+sNeqoEXO#Fs zzVKu6kK;G5ZE8+o+@2Y?yf#~NzSNA;)*awM7Nt2a0PJdjND?|_!2<3MKJ zl+}1fJeX0TjF57dUG)PR@6e3b+x*yy@-W_?0|R!ogXTmhZ1`cQ4iX~uqq(0gbuS{w z=Ln^>)l@ql|3rf##thAv76Y}XT-mfvjwSoU#mFpxfd;S%l^Ft+`LtAJ=-FcTZ*9nriYHUFyayV_IyO0x1=X zaUtDYi=twzf^t*rBq~j2K^#%p#Kc@u4c4FQxO|^0;smecGr>slff^Dr+~hp#EA;}l zo`5V~j+}IEt)V~df^y(+txI&4sX>);G02v00+ZUFtyWjn>sJa^Z3rVRR5>_o6ur?f zk*y;W*}jNEAPPCep0AF)q1QPq$hJ*Hp(E|t6=&Yvz?eAnI)4C->LAu75WAjtsnrcM z1x~QZ0vZa$%s2gm-m1Qd8TIF6&ca1Z$(RPdz#3VkK4Ev@l**|3-HyS;*Gldsv0(90knQL>%NI=klG4ea^@@8FZ4;=ntwv+n3wAG!@P zq-87$r4&mk^RUbhVj7MuM1##6gmDbOyYY#)L9ts-#*F1W&-_#^^^Kq6@+i`~(1Z*- zXuwEsOkawDkVjUws;Ew1bN~KY@;mbHxb2q(acDpcO4d6xE2R!drGG>&OtT~l=fJ=z zTLJTB$}Ha_8J+r40I(9Gt}bYx4K=jRQCTF{y$|R9{kxPVNIti(4@_0XgMyuIRA`?) z(k2p_#BX2ktKYxc<7}9Mw|Jb63$Dp(+JrSR!%3}rail$J0B8fVVBhO#2!+g{imvS+`SnW?e~$#8#IzXx#G4 zCW-5Mw$?Y&@APC;6t_SRt3YMZpNd65Rr!#O6h?)H)|%Irl$;_8ofkbe^d5>r(?pSB+y01Nf7(d+~f~-+tcx`XU7^E#IA@G z()9RWRMu40wV{1p7B0GyMizmH39BjzP%Ms-QENu;Nv~UIMj^lK4AJWQrMxOc?*#q2 z^Ou!!LL+roUO>t|r#azF2xfOt94n_lyp+{#fmKBjLK zJV0YkrCwZ3xDjJ_9P0rOm1_2=>g`pkwW6pnDAJ4?Ld5=3w<8xni3NkiY6orC4658( zJ`@p$n69#1qsFiEEo3^9vQRP`^l+$5KB}0WU@U`J9h(N#E#9kJTM^uJ%S167;#Gr_ zMaf2AF(@_;XEI(|PiM(REa3D?xn>$2kb-x1p96_IVaa4vs0gY=d!!hay1?LjWdWYx zheo@0G6px12NLIbTwT2;Y%+lajYwNcaRGl#C`?`Nv?VtwK*9tWOyH3BICLvZ`qwX(J_UnKTbmrtzqa`gXBDd zi9?O1{IwY{z(6CJEF zOB2>93%F9n(HkAt8>()<5>L~`IF16MQoGQ*=5`ioG#Ho#fyX%=9}Ej|)$dnz%VKTB z0V1t*C0t`jMp3I4Hgl;a`3YeOB|&0(p@_+K%)Rf|UVB@JeH5^SvzWeSQ`HO5#>#(j@Q=G*sfKVw7Uy(CJ&J9N7g;hSgyQ@vV(-niaAmx(FN7bl$EB2bnB)KJ<^t*289i#}=C4x7qs>Jgy8LM`sAie2T_4Tstk1Ieqy zN*a*41D+7BRr;R!POoAl?JUqfK2u5m`uKDSd;)R$vTUkd6Y-D z)K0KtGFXpF?ASP%VYHh54>oxzephWSz34UJT0aC3(zLPODYBc`X$YC znz<4s3Tlp~W>7ZGLNrOLQp^R2Z~W|r(0Q6K$=px1{3iPf{`wnw*<_B&{VJ?9XVWRH zF2M=`94y)^n|0VV5X!`&8Kib0_YDB8KmDOS{jSYmk<8UO7fAq3Q^X4#Ol~2WWD;r3 zbwa9n)uwNB3a<)L!w?1_O9hSFv`?3rOfwlt+fu)xim#^n9^s<_2Px~IflbJBiQA{Sb0l{WEwF`1A!x}nAm6S6?o1or3tFDwC@ zCcWYNPy#UD7gTV%h(fxr@&k08z?K@cm9dz5vwR-!+GVsI%UF+W1B+}O6#`^)vjE1a z^b70t`^L*Fbv_|Sd8+(kq$5`SMb31_nzSt789=AbjORMC8BL(=m;l%hQR<%3<#_D# znWe*}qLaudW1t@y;FeHb(VS3KUkqCwJp0cJ#elxr-X2*?tu}RowbqVtXvXMna0?}Ie7Ai5M zn@$x2tCVFWMuwOxkR>i58bK-tce5y`u_9{4pm`Ute3{a(uxV#xCua!Qu$J`s$x=qJ zv5B(?zCdCnY1V2jBjWQ`#O=5}_qYiQDOdf=O05z#(peaWqz&qs(F_INNt=cst9wd~ z@WYT7o=;gw&X3;^K}OJQ&F#0>;|E(9#MKFZPl{Q5k*Q|-VkWttO{vNO!Hwr2c^3-I zhuWzpKx!RVnqtgkY^RNl?vbHpZMz&SMA+FDtDy^WWl=6cuBJ*t zvZIt5z>8sQC=Y3omzQV9|8@TM8*=jP@!N0CuKxP``G1bHueY8*KYjPZ+w1c;XXMTK zH{V{9muKYi?7!ciU!I+kSMM&#@muo#;+xCk)3d++&xr_{%VwtXd^BjGuVf1q*A^w@ zpK4z|ynT0lcIC~(A9u>%?EV!xU711oVywuW(5V$*(55s3jfUR9yB~S7aHak>68n%q zMpJNe=Vu`*UitjF6>L}>ns;_aZSTk%j9?CLnF=MIFu@|lzC3?!C-(fg42@ICN~#(( zAps&ic<1VWJUgQ2bT&lv_W9Y4PA1uK?3yB93rl;iH5`nN0Z83 zzM?ri4+Ek7oS8}681dO+?1}F^KGSIcJcm}K_P}>dS3y+=J*Lh~aVWssGgr$JB;-vi zyE2i?W!twRa5ky7Q%gym97YD#y6kl3ap^J8585$Jo@Rv+uOeeTEe-&TVv=TK5N!kE z03~eMoqT7jlifrq?QmsmXQ-ZN?!A%4s@Q$h>pgEz| zLBv~`pM?0WXo3}+Q1ER(e%@xiU zsZ4a3u`H)@iz8oV$)a|H2&_q4K!iat6^+=(7w1Zkwai`~VnzcYZlUU5y3`aJq3;-> z$>r-I7$)?;Q{+_zqNHQ|->#r%u-DpUWP3u0S7$U%<+4s?)*_0}7xGfb=6;m8lxf-5 z(4;UGsDm=h-O!~Bxe}|S(wplb4<_b+6Jpmvlpe=;m-*u=5Qb`HR0{V+=Y`z2(*2jW zR0v>WN)s|y8AN6-1Dzj~lx=LtlmwxhF%*uUQ?GtA{lNLQ&yognYdtCj$qmt@?Hb;nxByK3#-%uHE+qt8{4ka z0`JuT$L@V8sm=X3-Xn7wMvJ+OcoJ%=%NGKGP0TqmBto;@h)d;WRZEUCNwr{2P(3t}vD1Moa^ew(`Bz3mEUZKmNiqC1u_?&`G8b&eKV^|sF8(A6kBxZ}y zRMi!Xm zI=*VTnH1Vagt@OHp_Ule1&7dAsMtc;pQ2aW`qfQTo;H$!dnS@&xx#Md)b@P7Oad=p z8NFaEh6Z&QteKi+?#i{lNI-co<*P~^aKSS@UL;{mJ=KV}RPquA=$K@NqSRgJn~Unh z&1j)zy7aB+IbgUZjJVgX-H`9z{GH5Y0UfM6_f!-Hgwhwbv)pqBTt2#r^l6k8R%YXM z4~yId@?S2_vDKjvgniqQPGQ_xS9$bYUd6zK9|F_DQy3J3>I;}vwX9z%UV8z&_QWX& z^;8l$0A0N|sJHnWq5SZ|?&w^Jxa4*$gBdS^8=9ZpM?B{v8AJkgC2(C)4A&$Q^KoocUymBn~g^iJRTj;;`` zVzrc92D*I;Yvn4uM2My4JV@*((?t>MOjc35TLS-9?)`<_`ciCop|G~;*|&>{yPbHw zi4e`WtPuB5^lz;K0E;`pD45Bv+J_qF$*#@hBTZG`(;_QOm4d?riOsjw|&SoZT7w}}je#?^REHYmTd zYEA{#1Or{k>;>GeQA|RbOtc|MKI3XWy9T=CFfN!XZw#-Y?^pwP$@FT5D-h0=V^iw#5nj-d10Dz%d8KZ?cEQP9D5xB9M>A^5c*>T?2=<`^ zwk;(5q}x9rJ0XFNn8%sn_lRMk05jlVcAZG6Zp9wM~N>KCY$+$ zQPsqhZlEq5B70-k#tfJEfwHq=LCKHe>Lfa7673bl5UPQsnV_`1B&w({*$a z2-_-Wqpi@z7j#4=n~>4f+2!|VmmmKA=JkiOzh7S-e>i#f_U)Nq&Lgtm#hKfFMH?Z4 zVaZ1}KDo1j(tcpi@W@6bBlV#w=Hk->GgTyW;Z)Y`%^@d#8d<0&Ubz@dSqgq*Z)JvfW+f<%l7TW8XgY0W`P|wiTQJZ=?Ll{; zg1LVON+^b)?+qp~@H#yNqgx6=KU{&XE`y4+ljF{22)K=JZx?_ov!V_8Ga==WhmRnb zT^bkw$_RQI@jQ#h3)uq#w^`F6yq<+)0&;sBZ1%uAvJgzTt#Uvg7W$CbVr&)w6m;lV z2nVIG_=a;hv=D5tt(}9TPlPFeqhjS1QC(qUlzgpV!#uEYwn{p$+!Z0aBrK#?D!_EK zM@G8dqspzxS*+T0Sl)GDgJcop20MY!wpR*%K17*Og_0|!$So*SzDN>4HT9iRq-c_7 zOX+e1O9;24nZVeC%3wC3D2uIKk?fql{P6zr^)A9>6BB07PTBEPK8#LbJZ$&dWJktq zEM;{Dhzq2$%b96g6vrf&MTb;{Jt4XrwhucH8As(EDKcil{lK4AZOhZBoODUT$a)U0C`s6zG*aZj%QwV+B)&Y1b24ISihP} zS_rnk#sQ|gi7~D08Bg2O&mEA84tDh+_H_}-P2O} zk}tkLu~6Hkkk+c4p(>{NoFpuP<{C{#MzNzk=OAYahc90qpXl4-lyNRfIn!k4n%PFV zI%b%Bclz=~*Q#aNZlU-G;&^la{sXFL>sDiB7@_p|o@f!PQMiED-ug?E4{pTyQ;_M< zcJ%fB>+_Sdw^wJ4z&StdcDp_7_u>ETcDwZd?y%Dv{H4=B=pPJv-GjmKFYV4jx7+;- zX+M0(=AVTSy#CVu=&{O+`;&agx{u;FuNALZ@#Oak0lQv%PblXL!L_^XcE9!|K^0Zq zP9KKxST@~PY>n@4i5IWWF5g^{Z?7PO=>65%9=SZbxO{i|{zQDe z2Tz@zUtM3GzkDyg0RSD3oKjE_plRxsn$5Oa(Kg{TA=b{J+7U!7XLHFDO%+7r%-s`o z-IN;GQ=p(+FV+m9oX#XlWOC@0E?V6YLNi-TXXHqxUq#%gyybbZtTM5HrOPau&T_); z5}FZdaE|gNRH|TE^b3rq;JDt9RTns!W`2_Ehy}F|XaaQV$K(t^S0=GYloqBs0f0=T zW+6+qC@?IaQ8mFxu+N#QyOptcPbSN$DljnVJ+T@{u7VnWvKg#`q#o1}L4K|V^vEj} zNSQ9OlyS=Ku9^eaXSA)LY{ODG*@<@LtL%@I^3F6WbF4C@g<0vm`PfVB?*+iv%{YjO;|wt~?$-i&E(@pX5uD(hQ=p zcLwc$+lAqT!YDUh16t%f_Y;s?`OMEK*ASy!GNuWgL_y@oMd)ar_Q?Oi7TaWpW$>?T zdl#QNg!YHgZ4@p9tc+m%PypyX&4LI7ZX3m<@JwC;IF<^k$+TGL-9Im5S_<8!GwG(D zt6X3xJtsqxr9pt}1CEj)Ucgr9idCQt$Y5~JCi$H}FDcEDfQ59g6kaUB$OrcH{VzE{ z5&3urRobgl_midkE~8wP4+P(Xsv#Ko`hw({pK$B56{sw}iH)7ZCvtlL++J~k3Px#} z0h^~0$m6nvyj-RYg()l;Q?CGWDYz~&DDUo^hLI0h!)Vz*u5Z2zu|l6Ru)CGq0t+gjo{QlHzK`k5 zk0*pp>V=nP+@5TkHEkZ~4(Ph8HEx?;j z?M8`x%DKHPu>X8-B`Y$t3y;APG$%4wu`6-JbH0aJmJx+yAT-A$T)H=er~y1uJt2=@ za6T!m7+DK%`W_-91uQ_j4W&sU9xP;ZJB$d43|fr*0VtkjP4r%GLUFAc9|M-~Gzu1M z!Q&;F``L}OBN^#Pi(HgP(?l6V;f!EootP+y)%IJK6QAI_>TOrAa7n&4%hoq=t;mBn zP|(MDX;7OCX$A3rIg}8F8Bvq5MM}mDa{vttkLg|WpQ{H30Wgy zNefP%N4M~2E13D&R47ht>Bsr9HOVO5BT<&oTNXgXU74F}FCVlWliC)w8K)IWXUVyA zD91~p`aSH~Z&I2`R?FcVC0Jm+4U74P7K5-{8PUPcfwss4>Y)R=@S%s;pZ|1r=zTy_ zsE!JjVkII$O>a<$c1bGNicW9t-_SiW^KU6gd3r*iN3+R96_TQHyr=#vd+*DGF?2u) z%1SB(GNV@pCAQ&=OsIXD#zNhMit4b-f_AB?fuEPFXVK!uO9=$;uA!R=4JhY+7QyYD zWKlBJ8V!v!@52{=hwlw#DBD_B=d-^L1{VS(B}-1?wC7lTp2j4B!2lQxW(I>9l}S(R z^?sDDpgN@PyZ`}0axE_8*~rNzuJ}}_y{?Q}13v#+7he;!LXA z2^=?>oSEvDnvXF^sxh2UhO-nUDv?PkqjIGvMI%{ba?4XvmDnAWYm}lD%#^?eN0^fM z^yvEH7Mmwn!P7Eo6VozOhNj1OmTK=lNBThmQ9s41t6QMmaqj@VzDTk?Yew%2$!3-4PgREG)|VA z?3*w_SY&b>%!Hla@rj=e+NmeUdjbn9%CRR8mW1WnUMOADm4lhk+ zZV{Qeu5AMp@&^f@;alb~*#WcgX|$akWvpa9J09bLQ5vLH3J4IF5Xlv6DSqUYcqeCi zZbFC?7|gg}L2y(SfvX@3x7@klc+-Y8FF_!4T4n9RTIzP`ScuY`jx4i` z)>KlOfHfh{K-p3EnL$@gq(D|i=OXwKpEMPqG?)p9#sP`8Z_LtCq+!f5%vcLeSBa$0 zTTB~rgs9gytU-oG!23gAcW}ZsnbVM|AfZ8l0LnG{iRQZQpT6<5Y#)qjR0zF zIw27w9uWsYd>I&1A{!FYg)orDBvFZm5fOwxlPd%?GIC8^gT({m)dP~G@5|^O@+{za z8FiHa!em%MB}eN>Patxe_u8d%C?E}C{Uyu7W5NuHhHdLW#PTr-@h)%IN}^R5ZzonK zsitb5a&W&Sn9)%C5eny29En(xeuzB6+{o|CsnAM?KlHQqS+$zfyvf}lXA2M`^`eXp zd+FQIut|bbz|8?oo3aot&PO zS|^9?*2&xEar30RjgFh`{dbL%ZsSessMUQBBy`y7o-{kceV`#>oHg3r*8cfXqm9na z+h?bprr2%8X<v8(H)e1;p1(c>_q4VT8lk?LvOvT>mKFiw1w6(>+lJ3;E0=)8 zIRFCoB}O(sbbW|mB90Qc03&R=KDdekP{pBj)+mG{ac0hUalKcwX%MFsT^P-&<}p+8 z#t-FW8hq8X7;G**6IWRAZUyW7 zqXuNe<)ffDFK^ihI&LhA-$q9Zt+PFK!Q&HZvjphFT)u+#&K2Q7qKYj7y!TbSGCBnjliLpLP`LrA};5N2|XY&_5)S`d!9@w z!e`2(w%}JUKp@w2tdi1ML@VZV(;E_S$~^6KD*H_?ysK~<5ExY?h2KhmVe|H#zGIoB zT*>6zkXUZIIE14EaZ^drx|t};2EHmu91g5VFh}n~h_$W^?M4x0P z9vmYEg=Mr;J8QCxGor*^=A>C8(Wth zB1V4!MyRuhgPnthVo_f1O4~=-EN`-sggcr}IdDg{oLWhG7qxKz{(Hm%LMG^^D*u~v z8#fNb220T7(nY0!Pt~4LN%!s`XB)QU2F`=?3W=Qs)M(ifumR5WRV+uHcMFPgy zgQRFValPqd_X15PB1#41@G@c|%7`06Xi%P5^2A-Suxak_S~Vf=VY$F*S0ZiCL^>VT zf_ad2S6~k?&RYjirlowg4;sM&6xw(G*8!08vLp5mgPw0h3b)T_LeZ7q#E`h0N5K^!%^3{$)syyDa|O*MF^AtEJZe&hCT$ ze?PwsbVTr_WqXAz5%Ozh@8eU+(3%j4#_f@)n*4@q*2u=7QY} z*xQIsCnD;g2!&Ti&S}`DG(Ps(7{~6&dElAf?6=zb9|p9KgFA|Ux5a;|?N-zJ-_B0$ zLI1m#--G`5*Jd#Y<%KVQLxz4>M}P9dC9qW2ks}J0{Lqg}eO{mh!7pXgaNbf!H#hp8 zlVb+09g?`kOSHlPeKY%&&#;3wA%{;HIlk4pvxVk!1M1l{2o!6-xk2S$1)H!dm7!>P zqRVO+(nO|)4VBPiHhOG4m0aVAxFd=j6;Ia>k=e;hBmI~G50WvT;doR>j)9;Rv^OD+ zvM!G1+C52nsn<=@TuC&yV2+ke&%?yr)5M4)u2g~`HD5B7P->#&JPA)NF;k)`6*gAm z&;0)qaIdbTTD5xYFKAEnI@PKiiWQqS$EhMdGd;Xkn>mSo1lV-QqZv1914D`Wa zBWK$wxz4r&^#526G8`wTmcnE7`Zcmi(savb^$^{{k z@@gWm@h@anM~9#J%}ojU15LRi zg9A8EmQ}VCNv(_py-7r4>e7Ir?osEmCjMVm|L(|tcVFrXM$$24t`O1ABF0c*EU3f* zE4xvg3#)fQW_N*iL1qa&M&Nc(&xLDX5Ru%gcREM)+W4i>V=^F7Pk2f9Tz@hm5rZ3~ zFZKA5P!H0^hIFX5{R;#*@!_VRD2HQ;eyslZJ14d9u16rL17B?!2n@wA-W(F$f@z%bt-*q&fuixwSI-TzGYW-Ez&;z&a|JnS< ztB6eK>+%m_f@0=z)=9KSNHLgEC9N z(sLa2C){QZV^rk`WqM(>pA3LK0rJgDb>Yz;pv@v5*4}k*K%*-hdBhWJ2koK9kGJ&l z;UgHMMP*Tuxg#5wHwgzs7}phHx-#8D-n!wSr}ESg*h?_ zoXyMHpO-sZmCf>#Eo4E(6Tc!7uT=m{rC6&JcThhf_#!=O?r0ib5U-~~oAyZPQV7(b z*dUTOA$ntc-Ro0t)`J9RRXwpfBVxtCa}v?(SuY~k>&5<<&}od&Pu1$nRDlU*tT!Uq zBN5yMf&}S^^;54@R$FNG1;Veok0aTG zfl@95lGkI(j0JQs2q^Z9H6%L0NSurY`d0}qu#`?ONfh}WDZRmrl+L4I(b}k2Dn-8N zZA5@MeyyhJMak_ZG>X%6l5XQr!6?Cyq5QfTe!2oU;0y~;U5?c|%3@^w1Q>f9Z$sda z@>fMs411o1#ef<#%|A*QojCH{xYXrKj}Jjf`K=&ljIT?0NcMJX&vu_ztJRl^PCL{7 z0UdMZ?I0Xn;ThBG&|HZoJ1|yd!dyTu?oA^f{ZEP~aeh*?cuwvjyVn(F+-y*b%|y9a zdubqRZe}^W;je^vg7)0v%MjRrZ)hN&K;#3VPKX4GF;(~YM34q_^0syIFEpWE868rQ zFi{2syHwHX%Qvj=KA2@}1fFZ|y(x zcmJ*C{}u4bxvTrvZT_D-FLrj){$JH+5B~r6@_X?A{}zsBYBa>>F}^;XkZ?cA23kk8 zXVn6dxwb_qol;c$m*MNKNWxu5yVdF%{%aYBwB`P5wQ9QjkBc1GezY9eYE|n7(--e` zty(QabQ%-*x@zxts@3Ck|EtOZxo8N|BT#b+g9svjdf%e$F^MrB&UJ?MzHx-mlHX!* z{xgtN^DP>ueJ%jWJMP~Cf%W+Riu*qu4oP&U%fBn!|9kO#H@*Kq-Q9iI|L^1Xu>U_e zn!{58A-T$h<|(iI~IxMdtp`v)TjyzmMMo|No2Xf7P`#p`Eq# zzcsg&AJfI3FWOd~TieQy>uP`N_4(O@^0)e^J}7?=%3t1Z#r@wO3cgW!UH;## zK2NXzou?1>pL_W|$o~)aA7TGVUEi=>rnS$s^buFBz?>gr!#!RUySYIz8HN7aKSa>;W0cwV4J9rGzNi0IuO20vMlShNzH*a>7P^IsO6*iJj zC0G9Orv$%&u5j#*lq1K$ACB=vMxRzFR2YZhhcxyFGjBN>0*2tOBr3Dfs?OM@`5Y>j zy?Thgmo4Ai+~$9rc#WDpi33RJ9+CK4b%n9O?uYH-3e{0*h#q^Gj3JH6;N{~7FOWO` zR@?uhm`ws-1^+6o84mWA{eQQ*o0k8dS8EUZ|GoT{?8~WLZJmqpU-nA=-*Z3x(ve%& z6j}7==5-9A)ZvnnvJ#~%L^~^tav|zt7vuwob1t!xhZYUjO|d)GAFA;2CWluAu%Q_hG#z3aLqz()*jyr=vDc8_TNN~N#So9hSJTfNsvd&6uNh@c7Cy;GOV5V-S*m6%rDjOoeha!3W0CE zFFpM3=XV$R?+g3?Jb&>#@ZW+Ji)R2M-%@Nj>lf#GSbT zK_f~pWENT@6NtX_Q9wyq0h^0;ofto3Eq()pdwQk zBtJD;)u7P`hh9J;h))oYCzUZ_3=dT(fk{LU z<6_Wb^KF*Gdd(O9ZYspG$rf1M<5bHAzsWqW(e^jhyOvFu!s{NVOgH&WCT*?Ozp2Xl zwdXbjbL5}@sDgR$>|G#VIH}Sj8|D*OS?f+SO@$|v|e=ong+W&XIsr`Q%`U9VM z9dK1^8L8)!Ep|-e$ah(41D2M~zvcM>LM+BH8B7C4 z_KPay+2_J}pWs-f5h$n^dA(QP-j4(2CL7S<&<}^@fLxNG4!QA#I*Q{_83YQnX1H;P z!l_yUSlLt$*5^N_WJ=0xLTRALm48pP-wBDvJ_HeFbyR)vyjoCYIE=C%PNvD+#j^>i zBXQL^Z;`_y3n(K!LI-tJyxBiG?KJB!G0LBmcb+Bfqtczm;7K{bV&Id&GeD}?Y{>b~ zAc`IRKA^*%=z-}UExyxfJekI2b8IFuMmN{x)p$6@7>bcMMw^Sten=QQi)ddhOvBWW z4rGr?NP0UX)8iRgUeElu@m*!gA}~&n@DlYg8=(?03b@mVt8fGC2dK95qFgOk%eDHm z>htFhUL}9I-wN^{Co0D08%Hx1(}zvTV@XSLmD+4wKjhy1_y@{=)h$sf0JJ$S0T(m|Nfl3%4izP`Cx8=f2uIT$uL3)xht<`wa0 z7yjg68u{Vyd=gM>fq0evxB~v^Dje?&m_>M}*HfB?*IEUX6Q;uDX=Tcq(poMU9z?qyB(eLaq|BEi52 zKy9(2vZ);Iz%X*?_jCC2m+VT4By*`&vfXv~>}_p7@Z1NU`>lEI7hz{^Fl8}`O8IPU zUwmDMz3nXJZh6gpVfm1aaOC;nuq4}3l{4>cAOMK#;BUwXU-~q9?M9Tb6B1w1=%N!x zI3~l{tBO@53jxxO+ycTblZS;j4LuyXvsD&xQW}=8Q8^1aAfZpfSgpKUVVmUvx&^Y5bOiK6)M?_Dj@v4#o!<&V8?7KFc zh>U5hLCB}P+LMS*NEFY&K(^=nmxhEn;(&b5f#`hO`L**lq=kCO!&dUJm3*76M7-cE zzQfrfL)h~~mP2H)W~52e_7zba`_(#&bdkUhe7Q7WrCOf+4(0jsdkxsVs=(j3_eU;& zBv$Eq9m(Yq=K2^B_u`C1KJ{MjR{3g9o{i}hcI1}#Iwnj+5#@ktuPVuxq_oWb^tx89 zR;#Zn>M=D20)#mTdE83m%_)n*<$gfj3(dRYXi5@;#A><`jnL-G0>zNhAt#`iMtDe^ ztvgpOUGA(^TZtB*2PIRxB(jbws=q;2%vdnTZ=r1sYOATDv3SU?p1J{x%4pb%m zoWJXut1ymc$s*(r*(%v;*$zn%*$;Uef6n&3=>2Nu#k&aOIel0m5+7!F1MM zE&@bHKqyZc0iVavCHoQaNErJ#U=|7H7kSOqwO5q|A8qnVrLSEC5xl8Z1Zl6dSKEAp%RmCZRW>et0KrMNNsG z1d~99IE|-au#!Y+gVt36b^<5?-k-V`BtF68mG&1KdQum_8=#EA#PMi-$P?j9_o@Qb z)7UnzeHOF3;wx$!7)x-Uw*;9YsOI&=k7ga>($KS)V1AMHyRo1tbGu*A)GGVM7c+VXXnL7;Fa&6r1 z+27opVs}QV`_{|9oEasTM%S3LucYLxHdLpXPUJImO_-deTSbx^%)DXL$BcN0hKldIfltC% z2I&G=Xfll^lo6&ieP!-g$_5lBi^+Wf<~dWVKi(&Y$oiN5oh1a59{!4koCiD3|7APQ zl12BWcIYp;Y2N)f=5vl=zWnja*E)7t-=e>gWh}enu4mO+!M3-Wkh6k$ZxKab`SIx1 zVa8Xiv-|7r0@}TOpEIq2gvH4%R+wY^6-;BQREDqkVB?Bs7Q;|40jN>pRYiYUg=e|i zf@VQaUIToq)T@f|b*a@YB16?}@uyr1L#vxz%Vu_q87!fU361P+g}(q0 zq7D9Z+o%diQ%2s!@g!~5cwgx?HkeQ-Ou=xG?03~T05?;(G}Kfn=;a0lh(4I zR%?(^KErv9SznTd?ANO`axrEd5?zw0<9nnTy3uUHG5v+iS~k%xE100LwA9KN{X%AK zwJ~qBEG4)8giR6pbhVgn8{_(%$d|=ARSwxsW4E=Bj<6*r~tJNrD z8((oejY!t`n*T}LQFCgoWYb+}5njzaE0=jdr`};i!}x%Xu^&o?YpnE~0>)y``??~7 z(N%vTvoq{RsTG*>J+Iy50!i%+OlJ6&1< zg)Nf?_~ zPLozs1s1fOE_DZmD)-#uZU-O#okpb84`_cavqVx&%c-AX+{i)`77lTM!9Sum0qvvC z*K#toMq#N9I0x0g)S*V+Sgw7}u^2|qm%rSJ$70%CcWS@V*~eXn_v@X4AZuImD^tNMCFTz)5+05jN2)>am#kC2oq?jHj}`rq&Z1Sj@>#{Gl*j}IHl3LDB7+e}`ghn?iUb`pe8?q>3>Lv8*ge=Em-^+l9*5|#XLK+FGO zG+ecfTjKxMUhKR`#edzcJ$=akb1%OeSUt`pqTbYvTb@%#&N~u}dnN_&1-s7)qx`Fo zn$UdiY>S!$0w<=-siO~a#oy?auf7VnX911}G#YbwlgJO_0dgL((j(>|=VIC?QAlF0 z9+vm46X$*8p}Vg5!7odDLr)2!1Bm zBy_$J-*08uCqqBH&I1c^>F)xukxb!P!drXY*~A)+r4scT&2<(fAIw0OQK z4MbjxW;Yk+k65SmLm6y6uQ466{tnaDHWFVTPy!-Nh0ek!cK*R9O|$Nn(FF)6dr z+B{|{|9|?t_F}i1&i}GoeeuBm@8h@e9Ypf)V>T)jHqc>!hpcdT)Og!_zvs*x@#o2& z6N*1Oz4!d7C`usl?};jQ+U+&Y&W>99jW%Kp0_S$F12hBHoj`-KfEpu?X|4Xyo+dn-%JMA?09Pun4 zokF40Jn6K$tzVnHUz+cGzc!A}IUYSmLgvT*CFxy|S#RWf9tnFrj@$-B_#&PPM|nYJ ztk8Mif%=_yjdt^(_w!-<^zC{3NSK0&SN_i+qQmnjaMC3^&HeLstNXt9^J(kkm*#t2 zgAsQc`SGkQbLK3rdEDr9o9*1XI)@JLs9pW!^q|>m9q2kC^+?(GGR^$l__guw^thRH z1z+NKbWE}!4;tOZn?|Pz1Fy?lTW1EmRYwee@9ebGecNt!_MBvYTwL*>-TJlJ&Nk;o z{w0YP*E6R8bwG;0M^~EWOi@y!(`=tKj&r&;Wh4smcuDtEKEiBWl}RT%p3S31r`y`^ zG#l;xcNV@Rz%2G%MsVbga*b9(JGyXR*MAW8Fi zhs4v#Z9O|_?Ke8z!`9Kl&V{~c<%xQsd@It_G|Ye*mo&do7J)6kDOCJ^9|b51`XXv&C(`ZMH*%pZIIWt0hl`_c0Q$}5m%atDls81ky3x{L%y|A(B*s1OsMA&Y;dDH41|FhTF2lfaI z!y=*x_xpZ){6|?JCs>G0N4Y>+XUjqO6BzPCnWTml07Kq%uk*gsZ65dDH;(yY5b?2R zcpNxJ8O}+2zz#XXf3h2;x3(#HQY@Kf7TxNF)|7tfh+pk*}>5zl9QCL5mTheL!BBu+*$;tcAO0gVX4VttGJx(xX- z@)?>?E}_tnaCQ?##Ek>aM}X%rHzFh~@LD|yYp+^<#!2RMB5oc;B)~E8IIDsD=;D}y zMl%S*%F7ha+NZ~7U7)?*L95+6I^A#ZG2L@44d_7CbP9aU=M+zt5O1pI`OyM_oM<889^6jRxAx+8)#ROI4NJt2&W_JY!j zc^lCPddG{)`x)u}xO6c&l z`D_y4Sq0?UipWdwL!10D^&_y}vJLUhd{r_Zj&U6M*IRn}vg2|fvmyLS|&BMm|QFqU& zT;ixgCvgRav6Ao)RZkH{vL7U%_`=z9(z7?BVL$!$>afCMNk)rAm~@i%N*BcUd!KHH+VJSY?y!6hx`jJRWRAys>GOPE4L zz-XP3v>i0B@puxDJ^1Q!h)(gWeR^=d--XTHL4IgC(iJls%~r-uF9*K!AFuD$jWn5+ z%B$8H=Lzj*r}Mi0>g=@LeO<}q=~KU#FKsN6?QFH?Z*5s7MeMm^Py7dC!I*kv&l7^e za%{5u=a(E5&)A9A!zP%dIP#PJmbR*ZQ_(de1Mxup*Us&46Gz!W{;#Nl= zaxnhn6y}9?^KJ8AfB7X=eqyeu@{_N)rpiy!OX#-dzTBcIKe5)xZ4H0Mswh8^i(p9` zn(Q@={X2(>J{CC{HQVjeb}ygbx57&t_}T4-F9R(%CdG?O>^4qehU7-E&tG6HdA-iS@?nic#S<)0R_cb$W?8H4lU^0vjTMAyC*F)@t%{j*^+k z66?v#%Rp%vezx@ z?l3M9>T*n+xga!?$g6Oh*_12yxy>cZG_Os2aWAa8lHqj`3dY*VL&08@3#+bVwM{M0 zg~0S0-O$;$l&JtR+WRz2NJ1H{Oskqn4^q2+%w#%$bU|ii&g=N9>=QJg)6i2!iGLoQa%#p zkKyKf&F>~++kn=7Au}|H=omG;u^*z>=$w%V9pexWK|4pUQHR8wBeFz8Pq0=n#K0x* z7Y>&^%1RBEQBe(%kUEnO|NekW|8121U$ykpr<>aI?Kzh!Y?&e{tmKIVy}|}k7DP?5 z%6{&Le2j!yOTk)V;Z`(^LuGj{-q_a4xgbf-Aj+sc6*D4Jq@xdLL|F_1e2Jk?h=vG< znxggoqpbPjn7}qjaY7i97)~7Yq%6TWi=T01fD%5o48*Ob|CPrWZHC0<5(;0(VK9SW zcph~xNL1pxE@fnEX{TCew{^*%Ea?zbzvU3ZT%z*4Rw+F~)Fnu)SXgFUtinM+uNW%c znEK9~&y*=(q}C-;VJz|&s0N;_P%it6QCzlE(QCAy*;u!@6s}gVK7`hd$R(^lq?fSz zqL-#F`ERfh{sVM|`b~9v{s9(gb^B@FBGuLOB26%W6Ld+~e7vM%01eS}GK{cCINLZs zd)sat09gx1fjN*K9C`IgKzaZD5OEa`^{267rl%)I91`DqaEwAiJTR6siY^G5@FnNR zXhb3c^cd2sGTIj#(HL`*3Ss`nBpy)@RBw7oqDYI@nx-}39G@R`TW3ej-r3t;Xa8Lj zct=3E_{m5-on*8f(C(Q#B4dm&LmpvnZ|VBOmtz0=_|;Thf_m8Zr{2=HX#etPR;QL-oHPvo7s`aJW~j86U`CKwv!{ z3sq##_!bd14dOkgD%8pi6wqPE4}uwT1Smcid=A7|*U^Wf(atAP>uA5n<<)&8Zfck% z9P}DhJaSnHr$K;rUVmRhfBvakE&jvNhMEt^DT?nC&^mO|$Hlv&>*~iGv&vAB#68ho^JpY)PO z=u#3#Zja}%X4}m}O`&6-x#dAXhd!f&7|67b*{Blxlb%Zh8nGS@y`I<(IJYXe`vJkx zp7W7>sE(b2`v&gweIy@te|-7u<@2BTyEgF-ra=I&YcF?e{M~!Pd9Hf3D~r8}{NX50 z>eqgH0YGWsiK1i9XLtu$zo)vaTPMcB@P*Z$7WJdT~e0>fBs0-BCoa zms6eB8)H9ASCD?q-Pt6+(Pv4UY(#=Ux48j`qSk@xIG%u?FX!bkm2OGQM2(kk9W202 z01fESVD0S1ka*Qb}Io%oQK9)oNT8 zeS31QR!T8bWXqa%f6R6F@k9?DY~4=rMu3?oBFKV6qT;5&bBca=bl82=EkD{l`F~=i zk${og%U7#aS$^P)(KMw>pdIO|CbnxhQNmMN>3FK3{0RGx7(jq8GoLUy*e_bt3`Si@s(GNeL1n=VP^2P2RJBkO`_u zfFVi#m=_9cM6Wsmo*wcI)QNEv!`hbL1hUXS^t~)}j4uene8~{bU;UV&vxq`GwblXJ zJZl|niE5p*)=BTIb+A|bPFDTJ4+3Gk5#W`255WL~ZRCe;FavulUG3TL=zEhmL9FEh9jZc)V>(IqSaN;WokkJY6WCsHbHY%G4A7rw z7?BAoUAcVdRcmucGH((i$Ef$io|e}^ZR4Z`nv`@n;=DSH(dG_f@*KivNZO74n2}&0 z92NMqpy@X}ec@N0`SPyaY#i)4eEUnjr3%T>>K(OCnu&O#2UiIsLLMpBloXN$01m;60F(}$ zij#mjIW*y{Jfxc2Zz1!wv6b5&AbhJBf9t*6kyB8#5Q2(kpOPm&L@7WZb!?#$T48>r zYN*Il>=iA2{8*B5k_#to;f!mLS}Ts|Sgd{VqKtkMUdS#5j|Jq113&a*f&xk>WpvJn zVDB+S9_dequw{1Xp&#Vx6~&vHUS`Rs7)L__Zrpo0tD@aJXtnulot`Kb);g4ubU={L zcxNVi%h4zF{r3w?L0gkOpM{VbBV(KtpW8tD5fR&oni0O|B99W788C@k#tx7clS!E`ofXkUOsDP$88ewH zwuG_+JH@x z-LomUdD(fGlkIW@1HMX#>!&% z^#_OXX6~y`%_yP?Dd*#AK?SpmlL19IoaVJ3qt68fo#KFM9PSm4!nHvD)@Yw((F3(& z9WW=S-DVa{A9Fz;^cf8-_TzvkOFUo9i2_|BTzlHx{ZJbhZ=l>99;@R-%QnD@qoY*; zKe^?HRFmkolDWuC`=5o+($@1D8^N#$G^do{VkZpA0 zgH|e)K88**aau;rpF4q0Uz`MpwP0>zA>F3|oksGbwK7su$YIPkR{WvX@!4s++c@c> zRjU+l6f$W#k!>p~y0ze{E#Bdm+jcS;%`mZYZgfu%PC>>-Sj-8?zAg^jX~1Q_fP}+% zgk;cL90W7Os4y@vFxl|pB=or2aDi~(Uyz*1xpft-^~>v2K4D3bZm+llj|OXAxZaDh zj$zk?dx3C-eT7COm@qVDC{n2el#%<2JoZpXqcIH9$QRd_Vo@LD=d#dKH>Aw@8xgld z7`Y@7+)M;V6o#%wzB@v0FolBz;iD2V8W3?3P2q4D2A)wgWkiBSzq@14lyrYbC86&q zT$$5Z?Ht^rt&d1ni%6V4mwaF047W&gzcUyR9 z#fej@=!cpX)$PK@fs7vukxMy7&v{GGS+GfwYvQ8kuMI1eYT}3vSxPxJW%dnyj3a1M zzSJkgHv_3ISw=FeDi^%{Xs@{G`Qny=Q{tgtfSVfH7M}of#lTeY38*8D z>`UEqv?W_kRMCy+D5O^iVz{yN!jfgw^hk)RW<=l&!X?_QJ`MfrGK;Z$L9X2q4u=Ge z!?mkqrS|mM^Jlfnl+$pDgDv6EE5(GAVp>xDC_)Ec|Dy8v$YC!fmj^D3!UlSyPFoUVu3SrrQ?^H3&ZYdANs5;ap3-H7fR{l?IXHwmaAg2ZLC>rspZ!8+ z9gT%kytyE=xr4s{URD29g#VQ+o70o^p?Cvr&I>jq+pv2^73@APX1q<~_*DSo8b5mcp$@04^-qua-%x@7 zy_0Z?#8wI3EjK1muG9SwD&AO~o1;%)7}9GZ;S4pUtIZ3AA&JkpLa)7qP6xk`S?VH? zIqs>^)zV)wOc!L99VF?;$7k4jNp{x2$PM zt|x*ws|{41JO~1{O&_HYIg31Vj1I|&)5RUxrB!LPm=jPYOR>)28qi@y^4M}fhXP&A;+NENEL&T$ zp;$(}45oK8;jL+>1GXsK;>4aW&&)Z$ehi@-7{U=j6Mv$%d&Ab;344pZ?3taU9*o6%(me3FxLoIeAwL!>Jg_LYy%w@*o&Q*LLOs>;V_=yfl zEUsz;i3z)_uu|IIcByiA@wWSJfwvu)SRB~$wI>>!rb2t~@i=%#f(ePrsB_^@z-yBa zhZ+gEl$_$XRcisKa95E8T)l{dy`|S_c5TdW-Zzeq#FCY^F=1HC_CeWh+6ht!&O$)~ zhFa^O|I)&L`P$az$?P|dad!2K@lKWI*iJ)yiT!|+?48H@^B4*IFT>*mWZ`E3aW6^{ z3jC0~G(8HW>G|;^_Az`6yPzL($?x@RiwPJqFxo%|aHgd$XYroma2A6zY6*=Y0FS9E z$tW7g@Hp7mKnL<#9tkh~h=$;nt(HC$nylEM;t~4!u!nF!)uR@VIGkUVW{?PA7i5-% z^hrb~%#_ya6gD<^T`55+RO<5e-hvF2{{c)3^Hgc&E{rE+TcHy_-LSd@q(nawFcHdI-u8?(vo%q;%L7FF$sI#5goQ^ zEEq|$DI2sT4x5l8+~QI3=J5Pv|Do>r=hM>(5oob88|Cb}KJ76QzyIeMjzOSrRn%&>aIA-3Ee9ESDxgDvOHx9uxDX&|{1e|cKNQtU_@wE* z;d!ZgTntj?lw|$vDx~JON?p6g>jclGVurt^9l`#vb3Cb>>W{z z;TwRt=M)XxD|j-g#3MiQN)sH#vx+XA{N)rQ2*c%uP zd8IQP;W3FxBw!S4bvVFP*Yra?1}(n0W4|9!@&15JNa!&{Lo|eFv2_%3y=7wqolm#~ z!7}gLu#{LGoiqvswbIOGvii=p@@@iKea3KKG`=pdC$(&IeHk^Zp#esz33ec2oI!`Q zjY)QDAqQQ!_3h*%%fGIVEJQmTfb92~IOnQ_HwJP`3}HfHDQ-^r*lh_fTpV5b;S$^9 zk%3TJOdnz8mP|t33*wcLbvb>ELpXj}Y~xGK!&FF*AW2wLAU>=<`m+2N8}MO7rxPyM z-aM_BBsOzEHDPtT$CEx}TU%@G0rG)W|roi8|MDRqGaQs$L3ivgz}vDZ^B zAWkF3J1j(A4og<1n!>C~P` z^p13iF;JUZxMiGOQU(_e(6q5+5npWX%*8}MeEtkAP`UF~_8KE{TgzP6pWrDY&1>RL zElFsJU;BdVF2+6zo}v-K7iZKD4ewQy3c8V$$-n!Oj&JaWmk0MEea#ttFrcWA3+iXO zcNrUR9_X`(>jor*umGVegPup?pll{X5ygHuC8-gK}L@G%l;j)??UohWf?`=$K2Kfz>9c8DpBVw)i^x8q*WzZmkhmei zxuVDwQ0B_wRT3paRNh809lJOdz9HhEcu3M-p;+n>6`9}#JezH!$~L$x>CHqqb*Q`3 zF@=I~f?NOzy$h`xP6q2OCQV}UV12#A`RutoOz-uCMlsrNbQ?#llSc3Kyt^luy(~3% zk6cJd`sVLz_aOtEk&i6}~BMiO?rmB1_?=p$Z@ABvdRoH-INT8BcITxq{_i zC&~l3s_GzYW=~;TX`OVsrJbK@yt4!Unt0~qFS~ua9*r#mc-(|k2r5t{umNcvLGOiA zQ^E~=CNJJH2-%2q4&{Q++Cp|~!MBD^8kssa0X9rp!O_TQ2z;$q#&pWJ=>bi_k^7%Oh_i5T))db>`nfbf zPNghRB;jSw-k1d3P-B?k&8Z?MN&rB7xOLdN^G>t9_tQ^56;9r^PW~kxYt^Un@ooF` z{A{mQeNj+FYt?F1=DE>Tk55nDo+ghv9;1H4=N}R>H z7%>UWlF}M~7~mn~(Mk)EHx{V5c~?9A1+J`$M&9SJIjg18rF}vz2)Z1j@`Tg*u@F;`qetG6j>?8XI6cL@~blqPmJ zPwa&015&jT*$F*Wa8j!>a_uF_F|`+@wHSE!`Hr$%FX;s_cPvVSwZ$S=sFdQ7L(L<* z9LFvpV0Z}-y(~8ahDr@2-f!he8^Z54z_EV`c7QV+kFtSJ5^qHHJyG;%Bn68Q6*s{X zRy2o7;E^-1{M(S_^CdR^0}}a{L}MY64RQ*@af~4>PnsT50A&6KR8M~pKR#g@R#GbsPRmr;)+d0%vEJ> z6;8D%iLrQ-1~M;L)lA!$aWBh;=4{!91GV6cYg$&+3~0yUYGBXcvFRO$FEYbQpxx^R zKL5YqLkI~wVIBR}IypG~t%Lr--|lPuYmBcEosdv6D+r#;ALVf-5zf)_5|QvnD}YpU ze&mliD@loDV?R8`*QXN_3P-8pO|4$q-Kkcq^W0Krs-3;!%}%{ktL{8C3o;U`yF$D5 z5@+=0SH21Q;qaIZ4{4;@d%CcM+19h<`~Xg6U_>DHmpvHCI6%NbW}D%K$Bfb zrO=KSurCUyN8D%H^Tvc@s8Pk6obPjRc$kLJ7V!-Jmj?`$f|&2z_T(&#DRZNSJx7Y+ zKixxKHU)I<7}qzo`+^Wxj`1}Lr{lhejcE)*9@2bd0($kGy>!&hk)3+wWUp+Kc_k7d z+LRRFMIr&Lh2=KHu%?uw3Q?)~)*8vU^2P;~?=ogW`y|W;ZBVKvr|B)^lu&Axq%=Io zv^*^;vm$9371HEoeELiho7yC%0e=fJGaFw_YDTFqN^TnNXOY~zP|#ZzOYv?znH=C4 z!yRM$#wFOhgnOYW^9j2d+jIKh$cg%t#tcFwLQW78yTVj*MWYMJIMu)=ZNXr23Nyx} z5tKLlddS4(QH8>foRLUoYs<(Ho*(sM+5=G|6~CS%um^Xw zG)Zy!+pIAc>(jvXajL*$Z4OMR%i7yHqCIh0->zBVUrLh%b?ux9nZLF7v_Fv1^9YN< zMOZ_eqgvX z-Bb%{ljaiIP)EqZc$P~Y`phowafZ8B+~j|w(vgcCJ(qR#DBL!?Qb&*QHuwZYb@b?5 zdi>PUqqj~PT{9G^7{kwqyW?blrHB9EwAlfZ4LFESB03?_t&@-iss|+J>oJ|eacV*X zV+huQFUdMH|5b*?SQH0KNwkl>l`zyN!UD;&RFyPn91%36)RTu3=dmC7@k|-llC8|l zXa>d^(~Jj~LfsL)3ekYz7>U%x8s5*S4(8o7gMv8gHN>>H2uXKhI6e#b6o) zV2M)uj5?2yZRUpxvRtu}l8$Tu{(^SrP8zO4J0Gw{CjpxXxLi^M=~lzAOrAzv^(U8T zJq|;au@Kj#7GRFdo82p|;jgkdE!(}Qq?X^h3uyO#7f_-Dro+TUwr9C=wDCg~ka{nq zis8!CM7eGN$PX{+1@Q#0{7{sTr3>wY4CU?9LmNWwNRpe$C|1M70d!Aa!drCvp~E#=#yE$c znHWh%YA(StLZ?E2{~$Jj*1^0kH-Xl{{F8a&D%=-4bPyl;;YB0#_Vs>})$Q_F-10T9 zZ%$;!$0|A~UG^ zxE;>35`_Ymsm{=fSCI`AWTcQiXF(kK8&y?kiIKBdl>tpao9@1R|AM0f(e)2KHh z0+GzYw?smbK8Lx&NuJCB$Igbh@kQi-tQ!t*CcR9S@An^ys!p=U>o}CzOVmKJK2zVfmgbPNv;u1PIJ$c+kje`Spbo%yf>*Q@J zr=Ywfm8{!o@s@x+!Ti!5GS^87TdZ@_YV9>#$i}xO`97R zxQW#A*7l$1%0;DM%YhU})g?}PN#v4z4?Q_F**R8uCX#tJRgJYrK@LIwJWG$dWR~>^ zWJb`@eofAnm7Zkb2pB!gAA)3v)CjZ*qk+5|t%579*=cf#1CdodUwlpQlKxWqIH9&edK(VE>%gG_tB zif>&iuGbj6dW6|XT;;J#%pKD)$+Tm{d&Pg4X4y!j-K{ESXGi;ZDMEdi@jYJZ`OO)Z zX%vVaSaBNeFd7<%v^HeR3hMwlJr*d3YP>&vz=lV)U~#A-?vm6w^qA^ISQ z!ztE2I_hr3N2j>+F>^Nk$%q#Ui6dlbPLO%$*s|%Glq_MdkO3MO+C0p-kuoB%*zwTj zl*w?dD&e_LLo|(oEd)1w*@SWlLXS6gM-TxMt~cZhC+I{76FCx!Y+Iv*hn)AvYl$kY zPVeY+zj5^Lw9^&3iil3kDW?)rCoRVKv^OMiiyiTa8&MXoH{WJ+d$wP-!9F_BF-szn zByol#aO3|_GzxyQX61^2>DePV&`}0+M%&R5!W88q#{}viCs2Ka`*t^`#4XVgxv+IP z;|c}(ApOb>(K@g5?~S{BBFH7gHAn!eSxK6H^p(%FhBWEKIG!?2A_L*9i%3}2yC8$FsXUP)aHR$z8&sfVix^@yEV$ll zVx8ZzAClO()yN;8r?XXBXe@K&;w_=pnH{Gl64I`hb;cq={vaOt;q*G&qf~D=S%Q;N z$+xd)O3lov?Yt;g%hhtt*)r{eDKILao%wpcIAN!e57@3D=n?WsN^u3mkP(eyU=YHg zYI8bKci}{$bdSdCs(pDpCY61N<7W&I+ggC$fDf379g{cfFhk?1JA#Y~GN{_;qG_b= z&Ovf(p?yz!)-5v>!HK9TiJ1n21v1z6YW5+Y_WC+T<9aex)`FDDPNFOf%dUf}cqmDQ zPsy+>yAjI!*7adqf`rIFI4b62>CwB=qvO(}j$9du-@U{)F-Da|JLTey0w;SnBMkkC zK8o8ww!!DdhNo2uVGlhNVIqe(YU0Y0920kl8BMXzxOd4aZt~y&!26` ze+xeA33pXZ4=!c|ImI`P&b!{P&331Cdg35Inb6&Gt^8!mVw-1;ZnxP!*?au)-yc6z zOFw=5^ux#EW2?x^m-=y0<$v?4pMJ=%NEmjtSqqe|z5hW)Sr>i!#D`UEu6$^I6`f~R zgo+QSxWTvc9bOzrC7Y2`$^v6Q?5QO6%I9qChyHjvUYfO{!Rf8`=u!EJB$PM&#g2So z*=rgyuWSuO8K?M0KJUoqhP;9J#>quD+gDDkwT&lbaoVs0e`QTM{s8GI7p;8%z4hiz z(!tCgY~WrZe<A$#vWt`$G}CqBo*6bJ!Mka5P?N@bM3W;K|e_uwbWRf z-5b}5*20L#Wz5HqAvGSW6mN`9&EZjZWL|NMD{cB*JMk0O!#PTZRF%(i9@+GLw5yi# z-KgMy|Fmz|!@pq<|HfCF_OIM7vc%1{DDI&TMWfMA%7w{j`4fjEPCP%YLO_!U#BiH{ zbf*%coP1;+kZ1zep%bz@D6M zuC9=wFZ`8^FpmZ7VM!`hIFczSgq}edGh!romNPLYzCO1hy+9 zFu#mJ;aM)Mvp@D^po&$iZyCLSTC+dqmDwNJKFC;5@Bi65Yjof3B_)mZRWMWDeC;V& zd?G*l!#Goh}k}h)#=Qk}Hmg755yCvQ1pB|r`cAB~9q`xi3 z#V%)UZjk6I_^|LPsII^A~b%{c@{(;1rZ1wjx3PWc|w5CJ4%WKujD zmDm>Sy~>bpc(zMWhkPN@X^gH$I2JIFXP~1_i)ol-F@r!SPf8IHf#B4kg^$|A%eWAH z|9xIh+QfT@<8)Sr(++xGzP8)(8Jm)_aX9h?8hMd!B(F0r31iAuY-*o`@o6XjWAE2y zd(U~1$w6`2K|e}FM4Nx`W*vpekB-1CBHjqc8o`zD5l#M>*W`;OO}_Z-CUblFd`Xkf zKfB52sU~lw(B$c{G!gH;c)T7-tuX>i(eX&%$Ki@?ABe)ML!b7iVLV+C`nf1S$PCFdo zW9))epO2UbZ+jQlFUq>J39*mDP1)i`6qq{}qhENAbsnWK|d$0f*(02wh#K2i&;K1w4%bo1(i74k9`KtI%RdJnt=F}VPGF} zFstXa{%Jw9%v+;VPEV4n+FzcX3x2D^oXcBoCD{drYAIHZ zZs+Cd9?DncNH=!g>SFJvU3h-)4?FKyqELa99CYYN&QshmcMmKh z!@F5bt-OD&mPr!v6mmq!g|bS~bYjdk*Gd^EOrLKenINoBU?0UnKs?UeRWSE$b&LA+ zMbNo4>#qbwdqim)@`=C3?#Gq)pCV9y{>Pz*9m zZv9UZ&oY8Qfy9H134$`rtH-&OD;|!qv|FccGcG~c_yRHE^IzHV7drCJy~W`d_etCd zwn5g@FFwh*2F@3x=aZoyUVj^679sk-J{?0B?@YugEZ3pmbk$W!H`C-og3ThQUnYcV zq(WGkOtYv93N>KYZOC7PIGX`xvF~=k*WlX_Y4fPj>9+RoflRH=-kDr8_^v~+*~+Vu zY_{ettTqo%{@UcQ>+;q-^aa@(EcI(L(>C$^ZzLIrlqO%FN}-E)rp^?W>(FMp>Z+8P zX>uV+W|7k`6PmQ1S0l?T=7J~MmT6XmATsnj6T8uhddu3jo)9_+;ork6Q-eB6PS1a=EypBlLZ2_#O zU)bb}8lJ}~NO|dE84Wj{As^BiT>2jI)JvZ*?KOECNmpGpzA1M-1xH*Q8VuQC$AY0>=DpK_EU}c{3Cl(ywQU-FFz?dNEeYX zt?=Y{((v%K~-c#93sg17^WIATSz{sWD>7mXIq2@Ot3E7PcmXRpaLHz<-ys%^kW zt5IpgLtQz;o=3bC zTAFH141hKaR8zZh5+qd4m(?vfH7E&Hu{cl=mO*tk#a;Y~lGL`ORKjTrhX_Xzo}ta1 z&@+k@Hc-v1gB$@XrVv2GDQqCC0&=+QCO|=wXSgNfhdQzC1T%)Px-$buX#~3}?oT#S zId4Jcz^m&3b4`&+962)wIWzPgh3Ld7q`#))qX91RV>5MVeTmSn6uN$xU-C9BxNYDhB1*s{F38%c}qcF((eDwbvJe2EF6CBXqgF*Zpc zK!6ZJ2OC1@p@g1LP45uEV2bhgo3gtzyR%nR4CL=iuNxDqOFD; zhicLY2m0BcB?X1SX?&;>0vPrylJfu;67{I8Ct^|`&vBHX{4`Dp)Jow|%M=ktH=mLD zEvXpzc2I{j1V|yj^-cG4`Ps>74gYNOuN_qsgD?RCY$w44oE;kC%dmA|Zgyj99JfY| z3G=*jklEUmqM!h;Q5+-yC4Q3|&BAEnA&*MJ0lxnOJlk_*2ryt+1Jco82?(&&>`5*2 z4%1Tz^v-mAX`{9Lb!r%UVayLUJEuiD<0?6vVHF+_o^EV%C9MWrC8C035Ss(!Iv{S@ z<(pupz1HB0q^zM8mSlA5s2gR81j(38u&0sq71fPl`)*yWL^cH5@q+nB_2#z!`@Xdi_8^CH_bX<-!$8nA@|2-{8 z%S{Fe^M-jQk08Bp1ux$5tt_mM$57318JaZ*pRs3-{Y(J#erk);I$oG5bO#2A{YD?yG(eJ(Gx z+39{<;P|qdh2{{kH_@9Xm0cWT#kia4pRspo5xMczBZ&~P)GFf%qtEO#zKYE10Ug~G zePANc?d(N74ozKh!UF-uapvMhmu(TZ?wBxN^Vh|qxuH_&27J7yg_9)+6fIWqxv`r- z4U9^qTh>$sFBu%?U=i==&;V_)UDX&_v0&6yE+Tsm*nSM;ap}PQ>{~zZJAkuSv9sgP z))L|Epc;$5nWjn959;KlchcZseq$RFByUC~# z*w9#Cixx8!1kMnPL~kIok>EtggNYmK>+J^8axvQ>Hy5*S2^VwFSvDRPY_gRpPi($B zLpn48%Rmba{#lQfzZN@m_qylWAc70P-v%_iOjic7uxQy(D| z#LIQFq&tj(so^x{T@5)6dsmxI8=r?iy=Z3GKRsA9Gg!zLN-9m}*<~J@J|mpxpAjq$ z76SBdkw4#&n@XH;ly8*S@-9rVyRZPR0EI;D4GXLy?_24tNdohs6(1D@HU}UkH8(Qd zE!(1iq@bwCVO(W{zjIiJLJLn=0$LDU^RjBd#X&g!w{y}=ehcmZ!hNQ!GC7OkBkZz zetz$@TAQROP-`+I%>e!iXuya8qbwe-<|hMLkqueGUjBGyCaoz6f_}Q-TRoS#KGM^b zf(D6DF!Q=SKYOS?k#Z|ar`$O0r@$WOhBHp@sQ_(2lE1Mi^J=O?CE{R*YNbMrbYbuF zG|~I8KQP@}m4;b=Ho5tL*NxVMBsSu_gp)YF81%iYW`P9|c3J?Q>5pC04!-Vj0qkQV zTZqhZsN_47E;|@m44Z^zq=e+K*C|E)I=M>J?I@SOd0jmWChY=4yprB6R~z= zGI|TNGZj4B^%i8%Ea97JvG;pSPnwxwoC;#lL3t!@g>G^8F&~Dbti1i#Tx>`%2 z@&W5zbxnX|CF^6$0v%xXEgMx(WI(sRQIa&_ss8cP&g>;K1Vs=r3>6idI=FBWW zb3_d~j3PeOlW0wtxoPjQ`XM_;g!w(<E+t0d9(*{55=|sJ&u4)SBhI46Xj|RG+ z=^`O{7cll+un$K!;Cf8d(UK+L2>X3_HCQ?!I0+He47MOIm~58E8{LZ>=Vr6Ks9OybHgloSfh4u*Q2M(&rx()ROBQYwEYzV^rbOpy zYBEu!sd1!*nBI6^-tKY`##DS`91cloZLV)EpI=$Nfbc#(Z_Pa8{D>GNw;n>mOHP!S zXPbx@01?J1C^hx-TC1vSDqHKyYAeHxlMA7P%ds?ND%x%@6NKC68B;q#fqt$DCr_mF z`g#saO3O}+92+)_lAX?BJ8s}#qHdHp&RyPr2C?y!!3nO6SG2oay142+B zc@@qlUUquuLNYo*PbbtMjVZz#_-0xldVjhOjV3FO25($jBhUIN%@`ei;Ghu+F`!e7 z*%9dn!<`nP7-W8QKP>^uEbLjR}t6crdN;wZcVnDPPKlr_SDuCAM zz`2qRqxDL)q8m~yM%D`~g-9r?ck%Qr^UX~mO!6asW+-vZ3(moJMbLmL%2CiEN5RoYA8lrmjDTF6hced;6eU|s z9FdV`Ov+K(I8Sc$t^>a#aohNc6vL*m6H9Ys0e`z(fG%v=YvmZ10)Ic8v*UiOsnvuL zI;mY#J3>rF_IuDiJY|a$a|<22J(i|H$KEz>pIT;mx@LMcDP4b@;B^>DYO>K6ic7iy zwO|+Q6N1K9;tc@HFyx}ZP4<$Z?lW^*kXIEl8>UPB(aE+ZdXc!lys@&Zxw>v1XskSL zVRd6=1*oWQtSoP?Z>+9t8VO5AWDsX=LgHzgQY?iekwmS7Y5}Ks84<`a%)XIMxf@1D zriC6=>lzuz^v=$VVGC5CBcLR;7R-+CJmToG8}v|u=7!5OIU3(%m#6mIy%vK;B-6Fn z5ZJ~gt|Qx=CA%Zrj7yM5wmD0xN46P8#ItM2TBhTb08|W|S`);j1dw$=ZltBB6r@BY ze(f-4a2@v04wfJMlq|p|`NRH6X2i02aS*lP&0Dk4BYb5RbCiNOv`G99KF}*^iVyu$ z-A*0~>?%?4H4~IASWEd_e$iAeZg+sOtl$RB<>BBWjh)LLZtY>OkVJkbx-dec7*jjS z)kGh;r`>hDhkDd`+Qih3S}Wk3qYmn+{b~v~xMHWTYfr=mZsv1I?bJ2bVocNYY)wQ> z^x@-`P%(58gho$M87hcE-H;U$Rf!6g$D^*!a(lxSy3v}*}uZWv@t zjdT@6T~A1c0W}59`FgtU?_vhQSD65u%^#;fwh)<=87VTXE22uf6+6jMLu=nHFm%yq zO@|g7>zEQ%fi$!nH7hF}SOwNA<)k#efNglRA-9|)_g}J&=_}Ny+T{S@f`2(LrC{z`?hti6;&8YKW7DYl4V((>-%x4>RWA%r{v%Mn*ki`8XZd zWi&C{9FA$38FX?tZ(lqnD_xX!_8Dj&eKAzx6DUo|HgXZNp z6eyrTPobI8yR&&-c7fx7f%M?m8w=fTaw2`H*o5}p$tvdPp@C9kQMXK`aLL>3(nJTH zzi)vgL&#L8Q3R1%qhITlA*(b2y9}Rh8ysh$4&aiKVO$t$`b%uEx4kY+8x9AWF_SIfptEm-Qfacv7B6Qe#ni z;>r*F+z)df(cYGzSc}dSVKWEIAT1?gJ5oS!LX)zbNnG3rJ>>*{=32$1^-9@uR9>*JYjeMbub=$W|n*l>KL?i{51Cb-hbz479 z=9=Xtes&l9eM&bT2m|Z5Jf@7WJ?dJgs}h%<(`ug<{Tku)ecaBx#_9L2&^nh=SZO zQ+^2-eTS7ZnuBE}30-BZfIMNTK}FsTDSX@#a~eoVCA|V_ZCFv+$hbs512FTE0?h(U zib$Y}`tk*pjn1h7xIl2&kbIBk?L!N-7`Y$6b-t>00atzuZ@e6Vx{jZMQNuP^uMtdY zqLeD;he(K=5MKXJxHM$*=#+t6unOno&DBFC!AYS|ZoUho6`e)rN4-m``9;=G1qQT7N~6|LZaAfIHK)s=~JgBTY(c$^7^w)A0(8ErIQs>BJ&qWECBJ+0DI zgs2o1!Uij90{bpSyDl}dZiGb>uxRpSol8=Jahaq$CyslFaR_3sqaXOq#{D!Y3!OM9 zM(I+|m<2tIM8`x#!!OL(i-yMf^2(;B>biM$I47vD0u7Dz4V8_}i$PU&jTwZ2?>>}C z>My2QS7f$3!ULzLCs*IuM`hJ^5U`WZW=T3+GiZ(wr6K+5GI1G8N^Ii}s$r6~+RuCy zHcU-5al@kBx``8+XLR~+Nj*i9wLU`7Ug&3LSfq9X0KvfzTL^6dHMb2t+ic+#AP(Zf zs;bizV4|k5rZKaecS;3Vw=x<0WgRDRg^JNdCPB zm>cA{l<*!)Q^Ksx>p)ye@aKsc8547WwYkk2>gfj9{5aPr%o>_!P>wZSpoFJ~fMseU zbDwmPH~KTo@gOT!3RSYJKiTmc$U$hYdCWegwPLJkOW1`JGSDOG{A8707O?M`5ZUF& z!g!$7E)J4t#@;T0Gb*ko6@#qWJza%97IOlLagf?LFA4OU;1Hgs+jO!W<0l*JAq6W4 z+`3AcY;{l&4qu-oF;=Gp^#{>AkR}1$cO=AIKzYB&-^5tO7HvsZmryQ1|I2sLi8^)c zfw3m>sH~AW-0tXX;GD%dAl46rXVd})96|ARu?%(*KnC&U3_#wx{7y#HBN0#&ef8E> z!Z62oh8LNn;bYRT}(2NAmePX!16_7mznKR zclh%8AY^uHBAo*@rDK%uuPf@)?cH-!pe{tr_)ZHM z-%>y}B3Mhlh9izgpYTwTqsVw8gWsC9*T1IHZ$t>-D=s>%O(<@gGoi|gLGQq@cFa&K zoHHx#XvmgcGRRy-w-e4ZPAX(gxD9oLw|QbMYzYZj)I~EHoqf~$1sRme%?+Zgk;;7Y zK0{P&>Tn#%P7SFsa~cgUNbW5(hLIi77Q&4;0ZI(lQ~lON!=r=??ZNA~-70CwDk;@^ zaZnQJ3L$f6A(KV%)=HQK5-kQ$N_#4?h-v`*D@7E z7n7t^S&mjFrPg4!4bSk7Yw;RoWLq3zEe;^Ia;SL)=hDElCEkR{HfYz?q$mj1O`{>; z;trMNaPSH^)!i205Rec>xbI>#Xjm*}rn%T*PWj0-UGNNLUjkK2o)>4&XpTLA^7@9w zAkc5Z9AJI^8FP{dW^Gw>Ilf?*0iGdKq(hN8AqvXt>zXU;n#CB4hI&|ln*%5--D(#^ zTvL@)FvN^T&@uvwg+_oG&6mxvx^3^wLX$HdA)G@g!h zPXjA$KV2bj88IR6tQizBg=cAo2G$O!R}(V6QcR$sYy~DMQBy%N={(d#AJtOkp=~GA z+N0^poyjR4#~vuh-EPhn=`dF*fv?KOhTKz2q$6{N#PsBU+gq(p;OTZ;9py9Ic(uA~ zdvYmnn%TLnjNELdZdZ10!GyuFxkJ-tA+w$vU0xep-vK+{V@Hkga}UD~n(bLg7ca+m zD1(qZ^JDQI<0G_#)Tz+ZqnwTyw#+x#{GJ<=R`Zs6Vwj*Jfl7zbX|8<&{S(-?18g+~_SlUv zdIu+2b^;s#1sw+Jze^4sx~93Yx)#)yH8oc@E~s2=4*}Pjg&o^cNny#9;sJXFA4vf3 z{<~h0j5e)y371V!ugM*%#kwsF=wTd+aWpkfziOlz|47Mj(Lr9B(cMV9v7 zQ7X(4`A!J*WE+IAp^SglH z7Ig&nDt|WLipObl+ufqm&`w_9$K9J~sRqmeGux4JRo_)ZGN*g1@p{-Aw>?T&>+-eu3raavH|+ zj^9bQgFU!VGbXKo>y!a|gEHgqNg07Qbo|+q8H32nRf1k)18RgEBo=%>@U!1- zr-+R~I(LXwa!`(trp2{2)pZN9^o3Y${@?Y2SW266WoBB#&IjbB6nFbtTuLMDhV^&A z(E_}jE#zo?xvD5cB+1Emr$S;fX>f+1dBWZixT$ogq%=Jzj-TK|@JumHYHO2?_zJEh zd04x`S=h`D%@vMHhJ;oEF32z{^Cj_4~vMnY@=A(xV`Ho^%O@8q?tal@rMs_1i#H0uWr6xH`CYRzKM%zjzmzo2Dz9M>+ zAazmNPx>-Y0`kh$ctX`7u+Ayjwz1h0e`&y~z$~M1D36_Lgx8jVes**R1j!6668mk; z{jOqWz7AP!)ksGvGxLcAENJ8>#hf+t0UyXhaJ0BO4T2^;cQt;jIHf_+8t7e)qbZo_ z5X9{Fjf}8U1$^s98^=HahYOwD7sq5>Lb8@k#wCJAmFV_55_AOIa{=?L%T!`nq+FsG z&}EZniDuRjXEN%7-=XYEs3${BtkeMw#yVya>)3;dev?I&53uRJJS=+mb%DZsVP--d zm(}2zO2>B@vd{BHCRJQ_d#&K^70 ziawZxEQ}nBmX0Y`RR~8eF^lfX%94IL*goi`AeV#%wc(k71-G$_a<5>b?81~Qj`qF< znO3-|A;a7%9*b$wu{)xszL{h!nU2K&l{_e{)xhUKVaLi<^;?zqgxeIhs5(q3Pvnuv zcrpQy=~TBS5J`#Jmy<9v2wklsc3nX89A;$QWp2Y|Ys6V8_OdbKJZF8vFAj&!{{>TS z=(bA6cFGbHn%g|F+(Gumt|H^aW1E~HsA+-8y;tGI7_BAJ)9K=WrZwks3>c$ zq*vJ5W(ZhR-8>&Gs9X%n>M8)nAQMNm6Q#i(G~g$Xw0+toPHurNva5S**Kd4IaHN|e zAw_sM!I4QZrgk*Ru~;AQ*FvLHjeDR|j_9%vATpSv*AaKZl9q5pI&Z9nQgq*0sY7 z)DV*~I2&}>8+EfoD!T^Ev|EGiJjr}j&TZI-g|p5Z;$S_MgPy(qV#Mim)n-v2}s#< z{&?l8UtCraq&Zb-c6NW5FRW~Tp)zcOQfKe0Ch-kpl;${tqCcq!^&P5NfNl$YpQG&*_aPw z38?Af@=O7$!m(VM_*X0KDpH{0%HpyFP6sp^G&P!x7~;D2d#gP4DtMMReJMChN|G7k zk}zVrKwzVYnZx{i+$7z3FSFlUubGg_sH_{B+=fvQ)~{d+hye6zlCWV}RZh?(SDRJ{ zC+w9CP)KqfR4RH>gF1*qLn7V^Sts^N)K^nKuXS$a{IcV#>l<6kDk@rQE1S#0{ydSqiw-XH4goP^?c^bbKyJ? zH9HXYr^wlWsKh8ehpY~#4RlsU>6%&5z+Q4LRb57~I1R?u; z8W7*O>UH~I{!!knc(c3i;9; zJok;f&S2L}Mk?jCltVdzli~3bCXhW8G7na)h?O{&n@lJQz5`uw_{KX@IGgbIP>4A^ z0{jzr_n(`7<|XuudIt$I+kkGU=}24SkzxuQPoBHd#K;Prr)Yt&e|oSmSjZg_l6swG zW;n~3w{BG{6>6jlYGFSz9;(X9o9i1Fw;o^F*o5r|cZD#=ixhjm?cned#Y{A+m0gAn zO)YC^AWAD33eyWi%Y%Dof?#)dIqGcwF?h70WCa+ zOhvm#BS=dgU26Lwdg@S#HbO~Pm4;4D(qRTvZE{u_ZrVC=8ZwEU07sC}Lfjd8YcMAD z!YFFFyi?LL;o?STmEoqh6Q?25+X-;E>7A((_v#p<#)U;VMNY=mqnvYGk4r+WFUx^t z>Wt9H+AR#%(Ap5c;jwjh%{{n|GTx)>DoEy?g^4K11I3*6AO}J$@{q~gr$Zy|v1a+S|a=>s9I;*os94O)WBMen| z1}QU^wG9uBZ!M!KQ|2`oJIHmj3xzf8Jd9%;Sc@i;+6)KArCwm#hQq{&uFkr)$eqMU ze_Y8?W3YTF0^}lKR_y79=;Tor_z<|%X;5*zn$8sUVp*|;>Ad*DQD{VX*u!4TlAB#t z{4lY!7YQ7k?MbP04DMBNuza2ZUJ6=g#rU30IQd`P+7KkcX@YW+kZzISB?)2^*&zwe zLL(vx9u{_%lHgij4U;5zk-#Ado|H-_30@TkD+wv!rJ!|IlHl2dQxe3j4P6p!b6q3~ z-pi^qvfx}&h=su}HImZcT9FJ+92i;*uROS^AQlJ#wK9|lcg-P+gb-jViVsF81dVt| zg|ofEi-qnuox=%5Wv`)0<@kN3;vjN?J7fXcP=|YkDs-M_$^8s^!^QV3NS@Q3v`EL_ zj`A6HZWnA{xFyGps^{eBlQh`A;vVnxblmQAnLot9{EiVZmZ%4va z!?!SK8BkzEHMHRt1HRiH65*gtrh>s&%dF#EM!%H6#GDGaY<~_ti1{aj3trjcBDB2) z%!Q?B{IgEC=K;Nim6V7*i->aW!I%yKV4~c!>BCYtRe-BsOa0$W&#Y_us6W$HiFa_C zv4OlUahaHmqu%Af7ai5I+ACL+is8y%(i@2-qp$+DOUal){lwgfQaS7oO!JtT!@ygc zG2DxX(Af@+SnGqjfREde63vrA7!-loKn6#LIsV688StZ5M;(=)&qNEe$0dMpPg=AG z?hnXTc)Bef%porhCg~Bghm2271o|r~tI8JEG`E)F81mMJ`o`t~Gd9<|bYrtwvZV!| zni6H6bI^9syDV9RGce-lnBDw={>l@Y8_QbD>+7nj=V6JWI!>fin8Bf$-ME;kZ>VcS z?Uqo&ZS%rmFH_Mjw;5PuF1t46%wU`5zJyDzZJzcDfob6PD5eSv)e2n4)6&@LOws8c zdx$eURMSi$Xs5H4X<(MHg3~9(S^!0b1F7nW*Na6(157~Y1ZxipQQ0(IojRjmNNF1B z#zdG1z%m;oz&r56JLV)ag(cp5VG(zYz7_Vz$8ja zWzZl!+mfq?64?05Wp!7sKNRZ7wTswl3m0^#31?|1nQ$Gk=sBx8=^6Gf&Gq8s+@<2m zHr=_}PR5|scU=spm+wqmi&tDJ;y%f73uHJ)iIGh>cV^+#Lfnm+g)@uD@mp(UfgV#~ za9Jp#7?a^$dPKd~99|}j*f0^9Fw-+PVP<4&l89}X6edYZ8^*&P;f)w~uujS-2s#xT zl98k-2nMsD5}Z9BzJ-*)z;%N(YOi*&KaJ zZSbZuDbuPpud&U-tjowG%FLGV0q)XsCL|5p2$PwmUZ>QJW(Q8|BF$%i;>(zKd(#&8pgDwiW$=w&h zWuW&#g?3rf1?xjM-?7E&)TkhuDWWP-A*3lO%27~LJv<20JeYsFWyeQ4RaJ+eQ|{=5 zY|J6M%cHXgP=mZr(t`j4etdgBGF8R>8lXp&Q`CnmQq~t-QEsmK+mX zN%EkqTr?zQ<=#V5RzAofDJxGkByJD4r*Jz&WHNAzw@8W{f+i5fLCe`UJ*>MW?OUe$ zzU6XeZom-d2Wt%3SFaO0$Y-%t_&Hd z3M$<$$uZxcmj!fbFw&MhG29$n$}a8&YioONjtSUd3yhGlZhl;g17p+LbWT2=$rd|WJ{8pm1x*>qfyg-EF z!i>YtWn#+irIQtrdqy(O~oTiUrzZ$kYEG9HjOc}euF`UMN?UMK02k^>M z$B=;faf*PKWg#{lzESJKHIwdAEc@8RRYLsitb5pOZ%_TrppMHB()ut!hU|R+qrH#*M$*{EIk8xc@EMa zRg}-z{ElI9iYRZNr4(c99udx`OY3u*rmZlS!*4G9xB{T1o4oJ3l(v zaz`8>Ikw`mVhVO;1w6%7pwwO6&sL7{_;W3eL=>&(BrIpP7x_PG0SyOfzFn4x`4L4> ziZK-iQZw>kg%PKa_hQi|i@9cE7Yg3115b}pmI9Rq*$zXDY?_IC*eC6j4a$AdHgH7#8|q~IZdy6~8RKu-(qYAD_xvzO6NVqs5t}3a zhy7;RO$;dwAvyuLj3GvmP>X10(Qb|(q(!uw19RcnsvBW{QdLOn-Shr>?SV-3S~Sq}qi zxKrJ83fPG=)x*s-O&&_ub;WUAeRE|AsP0fyeE6feriqp8Bsqy>=KGoq;%ZcG@59C- z*##iE!3-5ZMQV#d1Rx0NHMv7paQG^sQ?NIVkILy%H;e*VA*sZcc+jPV*ImsuO|9ki zb#;~H&Gn6~l_yj;H8+I={p1eL0j{W5OoDybPlpDG;ESn%p~fSUK`{h1vTi^Hx-&QF z&@kT(8yCkcfEh3`SJ=hFPDgyqiE9R2Z1!(Z$#xvg#w1-Q`wv+*8!C;Mbw^ZUT$q}{ zLkZ0z&NxLnp_=NZ=E}OtMsZ#t*I0OjpAPsY04W+x!oo19T{$PQ;aeo zQZR+WOZ-TtwK~-T$z~)VD@s|xy2DfUC+l5uBEcygw4fFM6r9Ep%4(Wv%+Wg*mLpYN zV{>bBeQkMJbL;%(=7uIlC)JhBt*NX)@W>tOS!bk63z|;@i&}AKdr_)i-GCX*WoOT@CpJt?G}lc=d`?*t z&4JLQm(l@bk{(KE#|$P;z>+8t-qs3=PHY(^uJlw1gJ635I7MSKzvGW{eln7bi;t*R z^gC*?+a$CS4$19Ka_T_RpcPH%l{sKIDCxkdtUTqgj>xFG)?&Nf-z^>#x`^GS1H=2! zd6gj4bj}kVB;TY^XQn+2GJy%k<=Fr!KiA~MoY3uG`v5;=fuz;f#V;!MJ3~} z7$#zQ9IcuF>XlfZm`;<;ux7VU+@xF;o=nPk{=y_fU|0)~-=Y{|LWN$l?Z847}BYvId>2%5WTrj$>?2E8LQd|!OD-6_Cp?S6I`)oEn z*sj)E**&dw0hh+sBVY9i@mQ4{bDg8^C6D#6sGA~^Fwb-~sYPHF_eL;5hW&{1{oHG6 z*q~Q4DT$rtM3}ip+{7|SI(?pZxU!-cd+WSKHnAn11t=%&Qd#KX+>F7xuIx2|dm8sy0C(L_>i{lT7i15exgymB zKbXO10J}M$eqnQEV^&PguSv45)FmefI+mVHcl(1`Ftb%Z@!>bY2-e*GhQ@lN zHmmFAf!gYMjb+W%^>v`W3Y<_|1FEWPDx3V7_k^LZsnGqv&wS;s>R_g})cs@3j?DX) zY_q$lsYsj2N(Y_Es9P{#VK(S4B5|f&q+eZKY{=yP5ysBS=tiD|1`|+;g1X8@trca> zWvvy}jX*_4w%l&D3S=Fp8aCu^h&N4eWycg6$fK|-WP!!U!Z!^D@|F)3$|G(rIR^2G z7`#&B8{*6je?GB{iNn*=7mTfkC9H!Nb;)uCoBKeHhFYAb#vQ&zR}6y{JmCQ38O30& z4qOXPFYh+sJ>0|P*mhZB{N@+KIe_2C7r9k2T~b)ASrAC%AWmD|%K;*CH*${q)a+ud zc2cnnvS6vzYDz9zrVaSaY>CV&YoQKZdw4V)sLyG>tFdSUeI>luPk}wo_nhOq&*PQ` z8-M1&yv3HzR;`FKXLFg|6x7EhNfiLkddH$qctM@oj)lOaCBBiGeivL(=g9_0zB(nP z1L6S}1EY70D?Bd<`GCom&h=*hOc5C~27m-;6MMpI6^SFE9+bu zMsP(PdqbVoe}{~SY+UnWiievpu3Pvr8>!S#qbskNNQ35VFcx6Fy_5n(XN zJrHIl>GTLYA%e{Nuxgce9~jPaW-Sw^1oPs)Au|o5TI&;rcwGxd)?lC%puHwcIl!(( zh&P`VMstmVUZpWHjx9UBthK%YEuot-v@r&JJ~MSV1!Fo}9kVG^49zu_a#J2Ri5imD z0S)>_Jbj9$>QvKoswq0f{OCfeLNcTZSqu9_Na00Dm8|JTCF(GiH1x$>T{!T?#Yrk$ zad}p~SiB)%?jA`ao&qwIvJPN8fxajpE+z22j~Hx=xm0VXiw(2uw9U6cE$T$lC$H1l?!*f6&4|Yqj<0VbTft-G40Y5(i z`MykAwYhkJS6IwYA{k``Pe4Q45;ZpixC$&81jeVMW6l!Jj!`q-8eD;8$19TtvHIfH zttnIpP9nhDEkdKh!`EV8VNurDTwPUG-dx|fxOHJuWuuRu@Ejy}mbNcF5U!Vb0G`Vj zfm!OBX&6EX!qfpfv?;qViD#QhdzL!=Ub<%3n?C-^6K)|)<619Oxs_{sZ$W1>OCDJTwJYw^!n6mxzl4Ya}q)Q74~x zkg*5`Lt<&bl{rTWzYO#*k3?NtjeZ1gcA_V`+@GRx z4$wfV_9?-*RdGKLkk-$FE11#fbGmhG5KhJ7 zWGM@p%L_?-0&yupd%=4r(l`OkJyCoqoTkADVmU1?8Iv8qfgFUkW5!%EcpXCX;Ut=I zs2D&|qcA8(ow*+A`ERorjDi|jfk0|gyCG&6k9xFxof?JJQO~$Z$1~?*L5?nfec=qE za?E~`Xpc?_HEWKcN63e5%8yXI$IuXVhvD!Dk3bAgDy``mQj$f02=9v4J0%T9gNS`H zbwv|)uy;?`zJpbuLxTz6UnWOOT)8DR*a3T+3{6%#@TDLKkn5fT4JKkz1UAE7BkZ3r zk=54Li&kq0TRT;?3*Z~dE!adIFvT<2X2*+E(j*`UvrUPLND63!KuQ{FTr%W{6pQtN zC^VoJmlYVLCW1=zb|k53NQ^sG-B6@B1geHA>(Bs697Kf*HO((;tgL9QtFNeRt*!u2 z>6SHB!Q$UdU1dSg+zB;E^bJrTjFK}niI^ObjaVPh6EGsT_W{`es9?~~IP9=3i25z0 zi;<2X#9P6H>s2f5YAw`tse^hf(wRZ!^|cN4O_io8L@su87n@&MQ|oCiNm1H`30RNf zIkQL7K?hVInhc`k6jih>$fT2zlql$w3h>Y|kLlg>?O4iFb)B0nGR1%%5kSx<4=+0H zGQOHrhsJ!Vk_1N*eoq?!KR6}g#x;#Dac;~p+9cR%qCD8cxk6xc4=e3KTn)z6ZfqQQ z9ql_bZAoJZ6|pS4NS zZh5V_dbV1Og8~-303IQR17eCOpeC}1;J_fNLSp@pTj0!yFhix3#OzL*Vn?DiqCv@k zb8(sa_8PSVeML*vOvi%+)YqsTsD!xy;kg(Zkq{{siji``UXvjx5Y3R&gRqsJ7aZ8$ z4kKtezEFo+SoC6^rY5O(b%b>!kBdLhe{2=rPhjm|9xGQF=D3!-@rug1>F{f8$O1jo zZfkRWYx(@j@&yBakOIqjjr9u~n6kV{hj^?>Z8vIUrK?PdmSYa1-Va+w%pp9%jt~#@ zb4U&Fk8tbU(Z|6yMVT?X7Qqmkw3&C%J>?Z<#$9wt=)jlU0STPixc;(nvx|>aemGMv|n*?s9}Yct&9$ z9}hKMRuvB*;=%-yZb+J81?YG!DWEatcS4;$f%q^!Ycg-nmKi~G-& zqpkPFW3tj^Qe1`}_1)!Y`)Z;uZDmIx>i(eq^J;ni*vMy7OtG`&vpkcERshLbfB?H>r<6T`;l8$o> zO3K1SeJo1-m1#!YtGE+dia~G`GWm`1rg(81Q-stKucXA)#bxPKtwhsEI9mcMFM79u zyb}82lB|r%@WWtHa8g7IMLH$T;B<2cFJ3~{GJHOa#Sy~T4$r8K!otGB=~JiTzlDW` z&cDS)g@vPvrp}l;W7?GB8PleZDlDEdy|8c;D9p4IL-{0;t{hc3gt{dyq$Z5eN$r~2!SadErD{t||8oi5hN)8x2ueWU*s9jX z`ub*jR}AmNv_aFML6$N&{T*JOSo1XAw4p(bbR&)1GQ;Z<7kGrTcN27X#N7l%IxZ!E z-l-;IQB+-4Ot&xWmEwsQED-?+3-G2EFtI$SMHQwC8S;>puopPyYiLC1yQpMHj+f{W zecPjIU5>X#+yooL!xib2yJ6H(D5iGk!cz9=hG`izIb${XZ5iBe&A>Vqm0^3(%pqr9 zasy5Vm3hkysh&(ERL$UC(`P=xY{?Bq7PPW9N%&C({1tq0Xh;lhh$X&h{k8iuv`_Z) ze-jRZ59*y6w~==KpFYDm{})c3v3vgC6`u)5gxX{!)F$bjJ|8*XfK&P9<@fu{O&SAD z=HWu$1W+sWf@V1m)g-y14o8&h)+R1kjSM%R8F$!=iq)}9=uU6`9q!0sn zd7@IGqC$|L@0$P?NiyDK1r>8~>J+r71wK6nVFFAk^d%KTj)5h>zdVxEVxT|=1uC#p zmlpH@|B?NjhLLEEkZY*X_mWVksCY)OFjyEYDw$b0vp7W3E`+3n9O^C#5g&7?6G}0o zb2)K+6&DuzLCb6(-uT8_VF)u>>A=Xb?g9(Tf`S5o5j9H{6`IuYnZCk6KPBw|&ITUn zw@EVqT3UR7xp4)zYI}KcBSG?}S2jSAk9y2BhP3qiQAGeJvL$pYD)ixD;0sXZBs^#y}LSpn6GY=ClAF(etMgCKRA43!+ZX0!XdN(X~Mzc0|QM>IKM z=wugyODoa|bVE&0n3cVR!U7n0pTvd|_KWS&kd#Ou-uC-!9t#JGeTdb80}r~KMK}bC zs2GF;bA0AN(StwqZjXr*K|wn}rd0@PnyRtxP=dXkKf%05pG?^>3WC9)xNm6XM+ejN z)bb4%y4y+1hk`K!AcSZ7geogWfnx+F`T$_G00{Kk#2fI@9Rz0|Q3n->SVhwM()X{> z*Din4YH#<4elni_l@3|yW!a@5qAKkfIRR47|3!tfTp7$ z-qqEEc$7)99y3P|7#Q&BdaTvFCPW9#HBH?`bk5dtr01L7N2;_ zxumJ7rlcr7oAwa4L#>shu4#?PiB72L0032)?L%~e3MR$`GxIZ_Q^ZFf_WOi1l@$YO ziWF;5HDf-aF9Ibjsmn@73^o~3q^r82dwO{+sT)v3#Yu_}u%x7l~!aSZ6r9NPx4LX4l7b^_flzzos43ksebpFfhpBv}jx%*Qom`;e8H7r+aZ-qvyfl5j1qkd!XP)7>_OrapdO__K#z37 zIGpW6Jw@eI-Dt&`Og)4E_BtqtkTAi3Fz};de!w=J8l)Q{)|6!la-a^`i6oFsj$p?T zdP$s1tueKO_?2U72eC6)`=fv+Swy7_IW8+5vr%1ad8ez23!$2`eH!f1WCMa_oNY5F z075{6QS8q%iGX+mhpC(Wx9jG07p>|p&JX1UC*=djYC{f1)kqiALKr|OP!tLjlYAJ6 z7Lm@R(gmZfh9)UGnr5I9QKQIAM$=0qCPT$&jZ3|)ZECcyRhL&nP&nI%*V34HA&f~v zQ+xYbH7G?}4Z02ovkD7mTdxw5uD5nVDGD_J07+0~zm2GBmke96Hx+=@la_^olR${C z4XlqB%M&Ic3||roWhNP{5^!WrWZ4EIBUUveBW+OEV`_VQOqHSo1DThtQnd)g^BS&2 zx~oIOrWH7$;Mgin?I@`4hMFcvVZmHUhXo6@7=ua@^jCs1T& zuc9+2`Z{2B-J(3{CP>-OUE4Lr|0e3C*)f8=V7lFv$RJb(I95x@2^fV(%IZV4b+lZ}{O$%_F?Vsiq|p12geYr$bL zq^0lOEsjisrUVT527CiU_Wxw*|3k_ubH^Y3q}l(QT3j^Mx&K!*ecEpS->&#f0JV~= zfI2j~j@t^*xchoktqYkDBsVnF0hl`5C-w!PRb5awqEN#Q0DFN3=tI}K5!Z;pZWwc~ z|C#EU`}`2VkhSQ`tU)4A2{~#iV!WQzl1hj+CP&>p=9WWxCp!gCm;joZ=F_DYDCb>- zh6bfLT~kwUp+Kjl^R3|Ei&XvmiRltME5`rSqvO}A>FcqCH1fu1bCVj9QDu#~9 zMp-jr%_lklMTNyv(Q4a=^e--DqD03Q8WHLzh|6&pH2M+{8(nkWPD$^?Yj(U`CvCglw%&o;{uE?$_Zm?;jHQ6A}pAq;+d!r zM&1FSxNxfTof`px7om7+VId|2^+b>v*z+}ZQn+54P6j+6*6SJ5bk_D)1dXz`w$;Th z=NlbNEp)xmt+%3z28<_Kks@ow9vn)eX@&9GDVGLpFWp#S!>OZ{hKm6-CjyWg&|q9O zAX>I)pa7UZlRDJEk^t&*D-Mik0e;hJ^@Cg=s!4WSL4dT^XFwg%$pC(0``~Q}sL|5& zA%fc~bwI`No8=sfC4a6HRpLGaxpD%80f#S!j8P4PrG6IorLLLbGv%|K8wI{p zPNiejqu}&n=5(kksLTW-l4w=bL{jgxp85djf-oV)AgwIHb<;QzNL038A%N`s~sINNMol-IWcH_9$jeT z#-X9f5uI)V5|tVRtAHXaQ8axOJGLXq0c=_6FgvH{Y7Ew>9cJ7$G`r|wF55K-I5sP` zUILE6Uf$hmyQ146{QME@2#--jMo%4cGx<(1cUzwort2|xFR{gH!9rt-+oSh5nh9RQbZ_6T5^(I8Wd;Jq z6EU3PO1wx8q!|(^X>>xxAhA`M5rC~?r$0_ti3lOikYQ4fJj3ZxGHW>@>3WZympxx!1IwnoC#0O9U?Dyo5t`;i+{*$6@krMk2@l*#JVGN?S z>!dgui2|kogCf(QxzA38F(fW!f32Xs0|PW`Kva{v(QK<~9c+yX{FvaYLk$T=3GkG3xCEtdCZy4dW%pit^SlREC=;BU_LsU;FS!wX)TeY62XjfEM9NFa*u(;G)pMZ+J&7^xaV~wf1 z4uMQ85EHJf7*Ij>r*$QsX{{mt_iTllF{1k1EEaJ>wauM$u)Rzq0>^n_Yv$0LHEo#8 zg{PT=V=5s??V5@x5+$n-9GpwKZpd+1D=SF@@;x^z1Zn9Ybvn?pU=>)ARLQJJW-0_u zODgpWvmZ*X?&FarQ=PaZSY_w^k}PGC9nTT?Y1xfRlcE|RZ&0}9doBhXf~qHCvO(|o z)|*x9kOpH@o={RvQVKMd)iyva0u@8*fZ^go>wT@%%fFjZDAEtS@l3kI+s#9tpRFIP z#AYl|87((5ktGj6gAgMRNDc|gatTD&wmxownPv?gkFYS}5mcM6o24+sBk2V}j?&C~ z=Gdi&$yCWmooC7%@yIYRh6qUZOd*0IUEk8IZ;1_bS9G5y^P=g6om(hcKtl_L? z+|0 z{ksImlap7es@aaF>6}g!j}jL&HWK558c01ft`aVaJBVed2{op6^s&mweC9PMqB>d1 zf(0V2%5s^2R#nF~`nP+2wy++)8JZpU!3>!0n-4K`hXgsQ zIfN%wb8-~#t1-x#&r-9yu#}VKzY+g`2KzrTwL|4jRiFpKgwl~|8!7jHil-LNnC{&F znNl=ucl_5b`JCENH_vylZ`7z!zUuiEjiW|=@2BX$aXF(#jXHBo@8hFJjoK?Qf3ZGl zRB!_NZ*=b;=X8%6wPsXxMOkz2=y#t#<${Gz{=4w~7h4aw_Q>GK4$&aS4H%=Z|wT5 z{@eovBw15@;ZFoD?|bu_;-#$gH($AK&(=4$+`0eB+80~;C+>K6?z2C8 z`r-{=UU|(S`^;JOm)Ea<{MrX*?EKjHWbv){p8WhD2a>mz=e~1({j2(!r=M@)eA$}f zr5FCEZ9jt1TL*S3UB1dIlk?6Ay)a|;`oG;1-!ZlMrWaavoZIl;%GGz?wQ0=s*cSzx z8lO7(-5%w~AD{8Wjv33J`)uwTho8T?>&N%)z4zgJ{XgHrzZc$dMf~DZ?hO8W=acJx zf92mlT=Jh29}AzhvYz%n@7HUJm!A64&yOTj_)YGkkFL~C-m&4s>T9q0v}VI!-g~fN z?aIi%uiLbF`l?S~YPk6AC4CFup47Epa{D>WX~y`tfI(#Qo#=hIL2n_{p22&5o9Cdi20!D>p4aV6*>=yYK0FVd>ZR zcDxb(@TI@4-g@2g{eEWBN z!>1m28YSAVrjCX;{o$csd`+9G+<)BR@g=L5FWX)Rx4-b_X?q_&5PkiSy*~!a3dFIP2TQB;{jt76c=lH`)Zr;+_boCLYnEiC@`mH}ade$vf zgh)mWSanDIky8&{@aZF$Kljo7FE09e)~Z|HThz32TX4(d<6g_X=;mMCQTy7W=VolX z^o`el(BJXoeOFv{al!L*ZoEZVbnnC$k2l%)iE(*%{jvQDV?9BBX2HIPy>s(_-+VhU z<*zp`I%8G)`vc_@pMO;U=aJ*{|GRzRv166V?-Usyow4apU%dbJxtF~^`9;I1Enjf^ z?I!2`YT0Ob(a|c+VgjSy$Dt{NKDp;N!U<&r0qslSodCa$~r@t@zk_}1KakKTObQMdkd1tt4I2Q;jE@TET-{6mb` z{9l(gbw#$1$o`f);Dh zmo)vdd(RfifqyO7xX-!oeLk&(^l;|d508BOw|kENt@`zcq0*JuyLPrFZ=iO<1wTL-`Wp< z{CIrYA@`_X`q$5W|Dwlc-?$CzQUBA@-t+I>2X3*?;C!y}hfq{p|-&-S+ABckdiH>Y8Kc?x;L`+=WLa7QFT(QUj-S zy?DY+YJ0q?*69D)IeSs^l$9P-cd*H!`*s%mO*#6OTULEMr*-M}H(xq+&a4|>*!rWK z`^W#d_^ovxw!HN~!Nsxg4Vx2JH2mz)^8HQbnKEYm)`#!-Z~__nM-N(i&JC|8uDj}y z8Mp0tVo~|Ps|BA=n;3p~ed+d%OM6GXvt`EZTeiM=MFV{QpBtnll(FyleC+zI4}b9T zLh}2i+j6$vdFj^CdmnyH|Hr4!>gm5izU+aL>2=qX{;Bws6F+|Akgqqt{$b-;%fcW0 z`p(lRLFSEFzqRC&=pkfuy4J3H>g)xdJ+dS5-pO;OcQt(Q(SwgKsri?l^ZfX6Pri}3 z_pY;^+L3(i&Yy3ZbkRHI|L@NI2?Z`XpkduRf%6{1)G0k?%-_$rcKV?$`)^JhJn8#0 ze%t!59WVdRG*?|<0e$1l3;x-}oKSYCK6!FuD8oCgxmzx;7KL7`~v9^0Ng zyXW-JKfdJN@16eTvQK|Gv8n=;tbO*%s|Wi2`$|*K@jsDgo_FnCKix{{fA9N}cwyNz?f$Q?Ie5t-kF8w# zs7fb>oYC;6aShX|F+)5C{&HpaJLewq;*RJ4JiGtg)^jfY;upXE;V+uNs!d;>I_tCb z@vr}Ki_&rMnZ7UP)2Z*Mjr)wh>YArW*Do1!;(yLR_we&(tbA?np8Buk3-2Cx?YMo% zT|9lDXWN5Ue!oB|_}j#{|FUrkrF|^tfyA}P?M=A**oh5~_eS4-_@g(*e|4$)+QKW2 z7&C7D@f&wOqi*@zn>~;BoN;CRiu`|sluOWfC+FvL zpMAUhw7Y6wTwSzv-u-_re)C78a}M2a+}KYVs(x_yCs!Z-{o4qR`_8{&P4Uvkj;bxB z_j``{`|U5Bd-!=f@A+$odd)32Ojxx2h9gQrLC&T>9Oipx(`|?S^4&vc{`eV+@cgxF zikJE(R*%P&zGHFDL-E?vK7D9){H@3LxMv_#Fm3FPKkqwl z^3wj^#jAhtQ>r2wgB$lb_oKa@7(htecS`9^E54k4W!3i&-g(z2$M5^eg`?KC?X}N_ z-W_wEx^43-+h1SxlbxskhNxXcrrEk2z-@-tzI{u}#aHiq_R;&przN*teQ3^@zXm?M zqK6)#k)J9grnG>IFK-2}-=3H>*)qC|U z`|PEk|M|dqr=M2(&zwE3+`RMCE6%;)=~&IXW%c)x5j+Md(^(%>)gnrry6>OlqZ@Dd z{H{dLW#@(d_45g(AUEd+wOg(~>79<;^UunC`B#?_)dxPyc_49f{b+11?t5!#*QVsw z&A&VO#19*`e{XT!Nu$?QuPNPY>=(^TKY#3!7lX44uW9H!ZO58iK=kB?hmVFg?L1-o zsYLt={&H*gv;9}L-W>TVdE{+i{Q0BSKIeOG*48aw-`xGg*I$H>JN%u$QPb$cMWqM5 zf7|3`0irby7i*N6L`NMzzKfV9I>Pv{TH@BGNfSdh7qFWk64@776+rzUz_<92jFa2_n)kdoN>yQXSP4wvi~*pA1%Cb^M0W8rKM|I>oy;8^sP7F zaQW*O?s36*I=8$$F7K`%-Fw_oxaRV0o9+$;SN*N$^Vi;3_T0*!j~bmL?>FwOg#+;Z zvky7z>h9)TGE@IDxN)CFMx*bCsO`;T{{G7NOW*(VkEdVNdg9gBZbOoE=zhJ?d+wOk zKk@nlPy9GpGvh>J{rz!G@zV9T{AVJzJ@$TL>S3QpcPu$<%cH-3r|;Q)!LJ(E&d&X6 zd+P-+d|dlv&BYJxb0%u*<^3Dho%YCy0nB`--*LnFzH15wzPR+GqZ(JXT=gs>^7=a- z`q7K4^v@6Pd0Kh!pVD)sgeKKv)^9!b@4-AQ*Nx!lokrQV({o>c?)l3fTyzK`=9HY1 z&+FOw*bcp^Z_Lv&nNvoMhBu9=`DqYCczNu>C%%2ujjN81KIZ$~&F4(t7g>ahUwR?` z_T1Q)f4%(rqW|ux9!i+x{vS51TkzDXH+@*~)q>|ny?@vB>T@NZ-rBNx*|sVyuFID{ z`PrNoKm2U}hweSQ`?;qMCoP^Z8s7Aex--s1>{EK`*iWDSps(xhkCD;z>bC33_5-CG z^Ky1fx@L99llM*V?YUspeFu^)kw27`9u)Ll_lL7EWv{v8)AP@mF#ZQ0EbNw#yZX3k zbJvVo`_H{U32ymn+aDi!ch8)3&pvY1o7-Q$H@bzGj(z(!tb6dT$%kMI>8sG%olR?=oz?y3s~h?@ z7f$a+vtB+{q5qk(xaj?pFFNC^|A(!_+>QI3yJgmlwwy8JUOfRE@Y1F4{rRicUOnXH z+qNHo7a4VXKR4(4M=lJXeZVW)s>7xms9a0wLBS6WTK*M6=2WDS-hTL(N1T1YOPe?S z1kv*`A6g3h`_|k8eeqedMjtd0_iOu!r3by=<(q@KYWmo@qm>8FEFOE)W6P4K)vXz| z_PQ~DzivhQdmA?X_}qt@t~m~o?~bu!)^81tdIe(YZz%9KP+{p6lMf?a{k8JdM@+?{bh~`+B77?A2%f zYYx#%zR~a|<)yx(Fr(KjU-HnpIsd$M&hO4WcV*=oBKa$}{{Ggk8;^YVlS^iknSW-^ z1Bts=Jb`6n{qY-bQQo-k?z{TW+4kmr(>BC0PZGU0@Yds})V+Vyd%vqRsIf5`-gL>? zC;bW`+xDZGk0laMe6-)~4~7oHgUn)3*J=|6}6&KvUzf zEpcRZmafn76>K~FszZ|c-7{wQ%N_lgq^I3c@Y_WvU;E#SE`92ryhn1eP8yw4v{&9; zcaJI92SGXDxQ$mmI=%1S^Jd@EdhR(7&fkF~eeL_>&?J6(%PYU^J?vix5DV$lHN{J- zpBak<>gv5G&nf(1?d3Ci-q0TI$5cEcXUp$aEa^S4`{_pxe}Pz!#};hdXVKdS?Rzo$ zQ8F2sl2h~#YG3)|?~lPaUpr<)>xUP-eM`%s$0VQm6|tt~mmU->JA2bnbTH4q=l5G@ z?X&gYeRtpT%g4WuHNv8eJ)gh!!JiNAyX5ojKY#e(Wkg%we?Y^!1+U+RjIA-_zB;S) zrh?DjIOK)z-}q+T2d`a%*N>$K&_1gv_qo+H?2X7yN3EwTVM+%6NGv|THgZJin$law`Y!V|^&J1)vSj?6 z;NEBa9M2aA+|>2*wyo>F_tr6ozKt!O=%Uhtg172jQPk{j?|41Zg%sC?=bnW9Ev3hg z-Ef}XbJNXbSJeH#k_CujHzRd&_tZlIqjSdmW^%)`M(l~d?l3`i-+N*PR$dpZDPH>J49{QAKu`(dK}AZKgU zo?E;3+^gi{x3Dn0x}@}=;ENxtpCB%}=#Hn(_aRO>ESPh~uQ8V#Rk-TYmRq}S{O$Xv z=N1!9a`^<%xbH(jC%6uO4#zVM~9!HPiz;eru`)e*%u_#ERuX;8SH1a@$7YcJo%qt%mk&%owB_TA z_46(!7Q@t>2NM6f=_J(USqFA@UcU3$UyfgS&bCC75b-hpqgTHB*bkn%?WyOUTK~%a zH*MOVcg(I`y4Rm)-n9I~e_Z^B*DhHwhb%vSm$T*k$GUd>`bRgHtT<#cUV-Ir+-Lk{ zH=KZ2=C7p#3!eWIobd2%|DTJmj*4>o{)XocIy10jXbE8i=?0O8QNcn=R63+31f-is zQjk!(5tNWlX+~*~E~N*Ap+magHG_QLdw>7VTJxN9c78tl?6c!Gh0il>GCI^mdQwlM zq`3TgC)Ub{1@~og7)N6?R8IqE%?bwXr{c~^`-OwLmWu-C<)lJ%#6wwqPxFTr-9z{8 z{@=pe6JC`Oouj1>S>5jNS^2;9BQV8?4~H}`0a-aRipx^?81o24%cnZ<5l1^8#N*8* z^z4NjfAMw_J_hONAjdZx=Dx{uN=h&D;s5arMa!2XoS~2VM+Iu%0ZreTQn&v(WQrVb z1|(2FGw;BfW|8t+Y)3!xobhYph&1Kn4}9c!i&zfhX)x>W5wbNgfu83JUtmwM?&Wgv z&O=F-Wm0@-Q$W%3>27`giYKHf1?^7R;abKN=8_HSP$i~RqUsR!{+Tt?!KYK;LVONV;!sl^xooe_)Cbx1SMfHm3yH#%h-TfB^C1A4 zi5VoS*58Wn8Lz-QZ2!V@T<}8|w=~MjELz}Etq^Y-N$ldHh!`#lYa6r_*qyX`WhK&Z zO`e;t5T`)V($Q9KmgA9e?)kDIK0-QrrlVpo1hQ8XjO2CX=XYg}R9Czt|JUF*=Ksjv zD!=8lD`kn#ac#JWe1&}?0{4%4T-*zMT>UX9mLq}rymCkFVzAVOxqWXnRp0tH-l?fo z0y_7O>2YDRn+&RK#4&dKV*O92ut%}+IeJW607TV2?7#2w_lOs|fq1JpzK^0^lcn~; z1CNB3jGiBLg$wFzbT=Z*z}vIlVlFevjEN!(o4@ZY zuP$Xi{%Ssz_biaw`$XSyqTrt$cgdZpNeamZFZcZyw|CwR@CIVVy{@h8eD3kPQd_p* z{82dkN3FEO%I+7-Eh)(srL+ZrpU2}e(|OmVX2$Byz1$UY>P2lqRf zJI(RDBfUJt+Td+A)YcCDTW;OBJ zr9X>@ect*9SQSx{e`=i{t%J{G+m@v0Xux!093(ho;qEUvT4w)0F8&}JW%+T(SEO)< zXIXVyfecRmpd4pEcZim93IhU2-}{qB`Oge?_!56*nsWGrF}UMAA5`PG@Vh==gg%BT zPSo|jCIO5o&;50G#K%bY-JD9HA&UGhNH8BR7^x)iQ;srEa*E(%DJO+WfWj}oMLvAU zM#umZ^@-27xe;*k2k%i09l3#u4Xhr~JcAjnHb=}J3|8)4Efig?A@wyTmEUF+TPql~ znd)JZua>jc^S$N{h)87x@@=MqZ9a3r9imZvxHPH!DtDJwW}KFe5P(#(q>+qVlU`>< z`Jk4F=GT%(y;r`5cws)?2HsLtI<7b~r3g-cmTx$*U8NszdLFvw!%ho11rQQq$Ts32J{d`pY`MqyYc7qwE5FvdsfJY>QtL-}4~= ze?$HF)9Y&v`BimZn@6HvL%tK)R+j&odR~i=NvB$Kqn0U-PVyA!k%oQlu@&y<;ALv4 zno({@-U%U`t&dGg>Z1VUX`p)^`z{lS^=S!M-;`nsBx>4{(4?}E^B8Bp3^2d-Ha~@_ zbp4m+5vZ3$-`OYb^jU9roT)izdz#zjr)#@~S$q`uIy3#IgEuva@5jUwSI3w34;^qH zc8=eU_1R{K+>XLU4;V+IJZr8lE=oQ}>MXl0yyz<|ys1GBZshfoZ808WM^(3Wm580i zAFn878R;T^x*KB0>(sta9Ht~Yd+$FrdPx3Q1!$(KwEymHEml%OT;ux{A5Khh)Jiz| z(j9!g0iFdDRIX_8uQ3Wy`=xhkPcJow(LQ9i z3x2<7Vt116VNi31G8`mNo)1ur@9X1(H>*?G`R8zkcvO;OZ0LG4$ zU3)3GUf&!KU_bDuk;ER0_us`q>)QqceImY|UQL11PndDkOke--N7L%rs9tF?^jG2A zJmNB{(TZWK?9sztxe8uqxtw*udV+mOkOLB+RBzY1*`+xp85)jJk-@(4K)Pq?vge%}?yYGq_Z`v?_TMZm+7!|qEH9ok zQgDTQNT<7w@JH<#90Z=8-5-qB}3e zqzd*L%WZfh1qwgz7=My{(_+t!_);CR*X8BClZy*b4^QYU>Ysr{HlqE za9k#JrBDgz9D7I4PY8&Ui#fbLYZSgDXV;ac2Y9GQCwc7;Ef|h(c=u7`4~-drGwB9&#?bud+V;YJo75Lwn99+^kMC z-!7$|mm~>IDp$I4$jFeW=|Mkh{lmj&a_Wx~R@2Zvb|c5GeMXVa@5D9qty6DA7=xaU zHI0H>2Sg2vvb$r~9@`|61>H$gZjKgq3RU>ioo<7-Fi%30$~AfmT>5~Ko4>SlHTqSm zs>5g=iMkK@eyvhQS5`tQUi7xRe*t144)w9O;=Zh?_i+M*_iBV`Ee^inl zdjub7YtscAYw&QIJi+|)h~}YJ12e)Oz1~2lHTE>JK=+;v>>P@8*k1E1p~V?6U(x2m zlK$g;RmzcnMsL{af!`>+$=CL&Q|w2_hoiP9?w&y%o*|_ajQi?;WyFM5+J6u4sbO(> zkD>%H1^#2zUxMy_2>8V0>HjSL2gHJzF{Og_3`TucvUoMB2KVLwQ5!w!#M=z^?ODrb&j)`G;mLE9 z28y`fPIh zG(&jZwik&=M(b0{uGO4rN(Wq}Aq2!JRRTIOpXh}M0a`MsGlJ<>zP`h<7ccht^x5;N zOW{+y@-7Sa@9k1IA`!(Xj%Vtx4)%-V89!`=jx&n0TyuGlpU{#)W>!3p=MPs1O)ABr znsN5sM|A6&uCVzrDU0s5rBopBv4~z~l!B{PzDEO2-u4y^9@eGW?AIK%&TZ_|?nJDo z?5l~+{b+yDBmhISRrm<$RA5IIpoq3i^mv`xtAc&gL2j>A?0uxp#EJcCwr;t0X;tG@ zD)0%^D)-mM>5}?-(uV$l_=l@62Z66o_39kX#-DsD#a|Yx+$1!qOjorCA|M1dp&rGX z$tfn%>3YkSvZTO2xn3Jzsrd6`OPEszsr*qgM9-PDq%3{~;qp;nMzG*LUR)lx)0XYR z78noWP+NeHkj}07J`O0N%^#(py_Kur#k51Ne-ux%pzC#zN-b4pK9x6o$C7WC!S_Z4 z0ccB*TI0M_y0u1X67_@0m_)z=?Bmuq=PqMK7CPb)ngnke$;e9~oAa<>kr?K0_WWL5 z$%t145o4U2{lPrx1h(czO;H*|iJ0M~*!EnDbD&ba;Mjfoj1aBq_^Q2RtDI78d@f#s zL}8wYnn*mx;i@moPA9Mbz*P$u%Tu3$+O1xDT~yxi@SV2VZlfQN4_rlSZGX=6b_2bl z)y;O=jC53q{TlKZWL%Lsumb)6OETNZphJyv{vzxl4wa3*Tfh;S)BDr2jy5etPBhH)0A}}z4d2=9 zZbIlT696f>j(Bx{nGLN8!1LKtEai{6JxTEiud7AO1t&ie&jdZsR*cpYTD;~llcNJ zrZlCAO{t12feqvP;|?@?d^Rlj;$era>XJnw0U>aWLc`hkAm6Bgeym?7tqkf%kCqno z)_4#eHupXsifGF~cld^+q#WgzF$`}DD}iIV1ru7O*TdcY1u2jy!#0MHC=9tUmBbw%)G37R)mf}E zUz3N(hu^mUwCHYaR*PCDhRxZi3m5{BU{2e-&5g^JddsrAV-IC!7PXTA48?G%voeqA zhnM)Gc{NuW$;dPDb)59}Ag6VUC$`u^F?Ea~>vQCIeU{Z$U}!#kqLXu-4PTg9(q5|n zxv!MH&c555Wn>5UlRZ-WxjX0mr%@RnTbT(>D#^bQEBK)5iN0egXLLM5qBXz`m+?Pc zXI2*0KlZM?*oHvmSbKY)oXxd3+o-*x-wJI?fzGUGJP62sqF93m9D;- zoP%=o9xoFaHbFbj7*0axt=k+EPB|T1X7n5R z*YJ0UJZU5}fvtHQd}Aq80why|N1zBK0z@fjcM=mby>-pu)k%k(+7PZ$ z5LH5*_!Y^Ky{e!seTQJ8%vFsYU%6|Hj%=pjNQ}%inUtx%PsR9cQ7WTo3tVEfm{C4x zeDAUfME`7dkJYN#(0eS7AZ`GD-y%sm!XUqdObbYWhGt z{?w~^A)0^qCZo0JLo0khf-}4n6SMdgG&vU=eO#3D&nB@{!!*Wr;2n8pYVUumt3l6@ z9?RIb;?AuNU#N@A0MVEo7sqzB%S*XNUAMmB?lsK2R6? z0i-=wi{>}_Kg=beaqjv7{pX)8rnup+et~KqXKD6N)Eh{Y`*@#RdKrLo8a|FR66f1= z4LHfh5-HteBBhGoAL(U|c{E+{cBJR0NP+E_-npdBd-x(X1ti2q*;0eF00e5RjH2apx3`ePfw{DTs@;!^Ut1d7sEcplkju$Iz*o=MtS0y5 z4G2_@1+iAJ(O2Ctsk7Pjfx&<%RNr8KrN)DeFCqD1?!W8Jpdozl>!7rdk-_n@DcLN| z!ZWAE>^T+-x^PNiuuLAu&0!2OuG2%T4eOf2ET=5_L7T)=gx?MIV(+4uj`=MbfX z^oX7<*7Tjx7Yw=DfF7{-o)afwotky_6ns#A07ikKQ8)G7!M$U3V!`_iLW@}9y{>lxkvA262tWufC@yxx&ZxFP z^~!xB9Hmy!wtpk6igUS$=Y%GeW!*_$6vzk;aAPNw9ZT}oJDSHZ3Bas9NVUGY`Va7S zbjKlp0Nf|~o|-J9bJU_Zr{3fWq2~4ivGZru<-K&?Z{9xmZ(0_E+|iwnui9&Akf9b- z0%@paUKiC%gn5wr5)c9}5!nS}J1e!9XQZx#P&J^$_R6V7`y;{+AN;335HyCDm6cas zd3*L9*&Vc}v{?6N`nz#vsva2~=81a0*S~)?U%HqQcF>8z0s)r2{{Zuar!k+>dDGJocu@tfb_E=){wgg0S$Zk`_HW| zn}LSZ(4KbQ{l_|^PLEGmQOIJT!}e`5-8B{zauL9UH}dm&+?@YhWLpgLYnSe~`W_v_}f^ zzwr;bKfU%=R=31kDd&lT4*uTCU~Mv|A#NkXC2T0YiATU~j(D-_u{16AswzP#Vi2mR-w zk`|$%BF(}hJ*%@AOqGLPeKyiPA<6nr{7WeA;Faj@WTVUPj`ThSI)t`z_GZm=L|>+1 zlUjBN|L@h{TM7+VTU8B*mZ}yi?kC{;kid~!*A#S877>I1M2HI^<9wV&L@MuQFyfK~ zoNyIhaVGd-UO`8V%N3L=0U-$W0SMIi9+Kx~<7?sWp?r-#7zy233#-uvdR}Ry_4~X1}mYj3_1EUElJf$UiW=4uiB%w0ssXRwbSBlUf`EB(wVbT_H8P;oWQN2X@{!l6O`Y2|EtgTvjgxEh$dhrVdYQ(hHX4Crbd zHoZ=Uzr#78)^K(?(4{EkpMl*`vx9Hv?+<5YSpG@=eoxtl03?QUH0nmQ@Z$gmdUrNa zDv!6@#LdpAu6BPjlGo8yL2H&3e@DEOV414FVQbezsTHDVU@%1bW!cF@L_8FSc_+wJ z0+z#4_Q;VD*T9Xq3Q6{3v5L7Ilsx5vy6a9^a`dlud6w(ABznd!;59~*GN#fbY?`F# zAD%sOlkvn`c<~H|K%%C-AyJr503iTT5-A&$70cI8vQ#S$W<|W3uiI-EHtFDQ&DcAIH6Ig1az*C(~A=VSwwd@+2>hv zY$s^0YV3HD8kQ2{*o-=0zo%qJJhGOGnzg}1?%2$6slsFM+)X8*rZRkr92sE;!p7>~ zc}sH{iV}H=E_buQFAJw61mG`Iu~3HWLNAvVpI0ezwbG{G#^R1<4SSMsydDk$DG^0s zUQ28SDEgof8eRrog(V6`dhg&PilDQ4!?>1tG#X!+R0eJN--yPZ6(?qq+k|T(rOb>P z-$x(((8yrJ^V$wuGjN}s5O5{?sawuWFU`vjvq-|%AYOp9H7z^& z`_Dy{xhEO3a1k_sR9MgD(FqQkxss^_bap9W>FFOjxIETd6B_ctn?O1M=iTAwJ+u~87Q}5v*nZuTyG+;N`N;LyKl4+!`5I~^v2^R9Y6jaKG@tnJ zTTCN~#r_g?0$eHg4QD0o3PhTh!q5{G-qrc0cNqr;jS;O}iV}U1I9-hK`!ktIt>_ zB-z5}1t|Jphroj!5~j zlgn8*qoW@@Bm&wBS1#7HI2u}5KlmAlbK;TM5)xUSB^@Ff%S-g8l1a z^|xl4iaEXD`ZqE47(++J>2BCr`N7XoDeRYG{59_$(chAKwG-Q)0x_a{e2kMPi^DjN z?PpCRi7hzj*9IWf%o{!B88bR+xQ$>+*T1}!>W_x)GM+c3HV|D&mD<>NN2n{wA<2}YA%=*sog+%Zp#_%{82HJ!wXOMwv&Wy4)LId!riuX1YL z7Ei0px)V~*yV>oC=2w%4zs_hUOGy6`GX*baPLB7wl~isOh~NkdPTBEW>FN-ugL+zi z@9v=bT_Zg?_y{Lh!+z?3-Q=A}ez|_$th5TV60dmGyU*mbbi-sejz~{q{{iOd$GZ4! zcN|jGL(%f>sF@Q$ph@b}CqsoTwH}lOYCw1w!*7rTtEkIQe%{W6`3P^!oa)a}iw-rS z##y@R9=RezLeGk=HI`3r>1UJfC zWxKtz)!2FHTR9PoBSn9vzlSMi=Kq&I*j@*hs&!9Vz1X{-WoTTZfzI_QkDRUEvBx@| z_q^tyKKAZTE~!g+jh2}F0KTg0x_`nLd=gKy!*|1>XbZ|t(3fSrhK{VGMuz{I!6*e*lr{nb4EGHNYJ@z1w#Y1aZ0g?S?U zOyZFb>OMqI|M2mT5P6IQ2SO&ja;bMF>~XsF`Bw%3h25S-ZP#a)m0#Qn(VU(b@_s8p zScXf5PhcF4(U0_W07x*ufTNk~k4`y^1cxowk7-@3zG`2s;JkCB_Zbc)`xT;`Hsnl8 z#fZN1^5B#|^ma!Er)wNo=^Mzfhd>>44BWd~WT@0zs_s$d`T~2(tM&`OPs5Zy^PXFc z6mYcUM4CKa>YF8;*v#4Mz4A48*{LP+Qaa9#l?Y8L#mbwRQAjTEFs52xss4KR&_|7H zlrA2-)7A47s*1Hv=ik|bgo$2rH=bX;CYAGxM+v-~wL`pjygIq)`%y>$ z0&QYRBcTZ|<$yrtI8-VQ8pYK83>{UFMLdv94B1YJp)wxZ5L z|Gs7-pJ3dD`!pGjPsLqIMxxR>f#oosbzLvbq|V#Lqf}7m=U2-6_-q5sPU2`5#i{4YyGCGQ;J+&us&Ly zS5`naMCw0hDtK829&_I7)nw8^QOFM`;>G4hepZ5S!v0g{+9dulA<0_tIR&)}AD8^R_dek6W)>K9ZeEPwKRfR0 z@!O?N%0ah+?jxmIoen_P&Bt{d|5a`@8a!OmZuJsPaZKS@g-Z$S%qO(4s47W@R zp}_3~UBXESuu|eMc&Lf=jONd`ukFD5rjvRj9_fDV$eVu~Xi@uD_lsVh@Oi~-kGVkH zV)g6uP47PJN2vf1sKb2}ZGoiQq=FCXF%BKAg)#J`S4?m;B=3Yo@;VAC)(V_U_ytg| zD1u?Ztfuf;BYaW&wubiFYTwD_oN-Yr%tuH^66K}ngCfVrN0Jcn>!Vb-SQ0QC`S1bE z^Y43A@@&fjPvaJ}lXAkXpxe0k$oY&eNCC&8U>uE(U0pR$M3AxpraoSfXV%YLeY#!z zZh{v5Y@*BibBR15`hK~QDcSXYO_mZp{tl=0%iWO31hzwY9Oi~{G$vneR=~d@$=qyP zeKvBhE?~f`252;!8u~dJk<`>nac=%vpl#yQDJ5&?6GY=BUv@qHbtl@-6SQ*dIDpn+ zo7`8zO9&JbONpM12=Yw(RaT;ngfIJ#Z8ggr0O!F(j@U0S;LOeKEF|^r$*oJEdW=;3 zf?S_C0D&f5Pa|=@6u<;SJcz?ZDnXtJ+!t(2$LGU;z{Z3f0`WZ?%qn9JE8t5{elND2 zv8#~zwd4;`Nxh^11gi5CMZ1{5ibnVM9D*g8IXE^-56eX0zgG3?U0{(Z#Y|KuW1LPAC zG-NKeS`DL_2{+~gWzHM?ZovG2-rjamz28ww>VnYY7n3IsAHhAZ|L1YzBkqm47H1=k z0+<~cc$7Iwd0MMKdJ~a+{$xUadZYcHyKED-?vHTLq{&@pn8^ookKhU zr~~C_oHI;-e?W0Tz7MD}#k;x>atp8OKbW2mwkZ&=y-Agm9(gVo44|;rkl=N?sgyDF(d&Zo!>pQURw|&1T?8t0y_V!(9wgGFh6a&KxL!mA~uQ{9Wcd2+H^G~ zBHgO*{8eiN9DF!-HevsR6`SH(NA8O{E1nYf_=Dp5BgYOyv_<;}=@ev+8NhBlMN0Kr z?61@qYDB>7^uW!r`UmEw3)JWRw^ir{(K_$R$U+(;gp1SU38ymC1Um}pi^JwgPwz5E zNPxxKvTt8-vNgF9$&3j|IKna-&qW{)tmk{p)n*y+w;%;Pu|Fw42N#edBQ6t~R7(9Q z5hQ<5hCV%%_T(-MesPVhsS3!534P%3dVzuP;*rPTSzB{sk2JA6>m`tIw%)l6qjDJ8 z28ANpaN)~ozW)LAlPZ$uacYwAjR5&L1Qz}-ZqGpbBX8)-jGps7=mNafUCKYIu;cc{ z>V}B@fj5Eu(Y$U7KBx+!C`^fT!@c{+ML^9ds=4Txd`1VnZ%SfiW&Oa-Yk}#!%`_OL zyY=>R=8p8=id=sGn=3BC}V(n>OWQlhR5{DsEt#TBMx)+2AfnO9V0iBacbY$Ql6vtt& zQtRDGVihP_x_q?cl*Oj-_l>;q0|V?P@7J)CHO(y3vv;>~Bvv@;e!v|cR4`E#=82SR zwGwg&;3nl;5ug8X^||hyB+lNiGunw^1rHtP7o^UGT8>`2t8n;K$94YKuO30@xW;fJ zImeJ>ST{x6J0Bq()69Mp^wYz%s{EG=zf%Nxs{F+8mDZ5GE+w_}1@3c^q@$ChBi&+l z#I_h#u~#8p(sd1iY9@BxLTvxP=jpm0R8BnxiCRthGZ)DEZw^UD0h)TY^> zbP1w0s>S$~gKjHSSe-}k_;~#I1?>aIyGRtW4(PC5OqP^pk9Y)fN_H4(7{Kf@(fA`CBa3)ji8ZBA+A-mtZ&=S>4;;m^PdO0zqWT-}piju9hTOWH8<{`jL`$(ZL~ym^t@#iTvb zuAsPSNzHC9AS1Uw`R3nQ6(xK{f2PwX=VG$**F0Gw$iUG|qcv#;Y>AK*UHQiy<9j8o0_Qm56=W&F(p&r>Kx~9W zJY2;5n3P^?$v#s5(jy-fGb9Q_E(n*njU2-Tk+uV7{%%a5S>IaWROISAp}zwZo`JgM z+DFgyu3w^u?D4>Em(bcC?-g;3-B2A#!@(w%O_=gW=_=*eD5q40Q_tJggH9n9HdLB1&|%A(K@*2!gut`l;oY??75-5u zlSJ7cclBt`#}u?xpj($G%f7r-oL;PI=x~yty+#PUC07Yh7<5=50rOywCp5{%$RDLO z@OVjC!i=TPBS$QNA&u|pIx8<%v;r^`K~;}$`m&+YAh-olG#^k(kR|P#YcLG z5XZ*um-ofIDX$sL4Teas46B<71d^P;68^1Wu>Lj~$L6siNk0S5+7G|JPO=P8@xVGVND2d%>!ro^)rBq_}umt0~4rw*UP5 z8dxnW>?T9C(Xper{%(`-ajWT-4|X_u@)SkO_e3w0qAdg6w0ah7mK?RkAsVe;yt%L> zWf~_)@z+}NB+A6b;kU3MsV)JsW<8&d=VHkykcduF|kX%hboN6CCsw%Eu-7I_@ zOMSwZMQi%=++Yd;%&Q`ndFiV?k65s(EmnufLQT{0e@zF8v;%dND)=bB>R#EKDMv}yHo6$p#(^fbi%n9;{zh*St?x1;{YDoY^1mP@>{COyO z+eh@gk)?aJ{YIRPT%GB)hSd-T)7a~OM`Gv`AG;46sTPWsP1PKiNV8XXTd!RPAW%vL z6m5aVhtca1&LF1rvUagN@5b?)z^xRsmh-6inji6sd~Z>Lhr{a#bi@A@#)+eB@gHPAlrOJxs@8F~)Y7HlYlp|2C`Vbx}D`kY*U-=lt zg7QI;5k+BwgK{_lajLkI44x&Ch+SD-S&6Jglb?UbkPty8wNHXYo(ux^drEZ#4Y4=| zO+{!@S&;2YiWA1ouOj~Z3is*=I$V#!dl+>%$~@2Ife(rZ^Ou$fUGK(T*FO$++s8;U zVG^1Cg#PcWKC*{2w{m!9t3(DX@-{v#hgmoAkTZERyV9Rj*qBa#syL^Zy16&{)2Hrzt?&C2r+6mDUqf>-kY^Q+!)ede`e5(0WYQ-%iwFq;2p@AA zi8C2P12bw`3aGL8y34anHZjA72Z*V@C zyS$t$DL{JbzeJSp25tlLUrX9uJ3YDU%L`xa`Twp{`a8dAAqd?)tNmS??{$4%@T+}q z-BX?Wrr&PipYr(#jk{{rKEQpF4*+$ z+pXSq&*XUc7&#I(Eemwmo)vFU;7S>aGs~XpcL9$R?Z+z|ufTAMB`B1`Q`;zG=HFt%x<$s9y*%ndYZf z=||@S6Ea@i*OMz}C#a>I7)Rp?|CKW&YWfZ!1E-nL+7cChWx3@rNNjTcB;AJq zEP$7liA>3sD?3=mNquFIK{)UK1`E31?U5lP^a)KWkGt#MQ!GTGI~7vewjOa;7YB-r z7mVg7ClJ$9TpXXHXmKGy&m{KV*AMOXo!;7;cP^WKGyTs?ecRh$9lKLCw~k!yj~>zE zlQ(N#w=c9;fxc|17h+BuxnT?lZwN{oyC6Lr!@}Y=!XC)A2aVre^@Lyg_jDEq#pzI!o_POaLH(Edx$1e!-`v&aDlD)pSlvA~_aOjlp&X5KCYhm;s1XPbZOSRc zB#9mkrL^lNlC58a5C=trjel#=PDVBb6ZS0+Ua5v7Bh@ei7KFnF$pW8A!pQ3w=}xJ@Q%6bgDDizR_P<8)58991L|;pIwW*m zu1urdzSNVu-Z9O~#(BQk{la#2DSqnKbe-Hw*9dxUeN<~HJfjPN{#HcM^4SQ#s)a~! zAx<-$TlbgKH8OwKb_piREG#hm4EsBGO~ne|SA-2I<_Pfa`IK5tH5x3fKFad10)Yx8 zxH(oIWElEk>lRbeaAA3`RurrsdZ9gHpvzkEF8kh(gAY8xn4VGTdg1{L?|*i1196%l zYTVzGp^^5xsw>5aPt)62K9CK4?|(xPAu&vGu~=43IU}Z9`TEAfnJ)lH2}>GDY;x62 zazLIkuFl<1jyOt6^l0hB6pdZjP5BGcEkUPJOGROyY04Stmz?GD^#qBMBO@pXO)8Tf zm%SigNJ1Aaew8beXtyrK#Fw_xkvhMkvr@d6DR~bmCGbVLIl4+WPX6Xbs~KsSX?58n zACwa$3R5B+d+$z~2B5Il6KekQ1J<-t)LSDD)_>*V4;T82S(5;mIowjietPq3XKB!- z)8jXREOFe5!|*bg0DK4IXf(090}n(wnLPWY)Qo9evu?zM&SsbI&QNm#a`j@uWH5IT zwrO{AE|$jmBywx`F#KeKxLMZh!$ z)(gGL7ZlQxL^Z1BX4^6q8X?e6+9+DSiLIoL9Z(rFU! zr@RpU0)WZT{;IC4J^oCkTbo{J5$k_PyU*;AF9d3gLecX56KM{G1hWWOo0)XeJeFs| z(beX7`uvL{q*KNft#+pK`@No=ezQcY+8tK`Lp;d!5z^5zQ)+-w>Kgpq)_z^D#kIEK zy>(XVJhkpL^lWDTj0MKU)g2V<8Gu4Vpyr=wZr^xB{6rqX2|OYr`wTPxJ$d8P-W|8~ zI?;ajn$Y!wcfwOxM1!k5+c_#*>8Sf>XlX;QW#QTsX5o zvBRFjne9w-bN8KZ$~Dd{<^HklAO!jpg{CV21Zx^+@-ZI(aYknQtb z?9E?y?xh5Yn7TQf7+#OIG+HJ+ks!T}Lb4KCRz`hceGY_DxHxpL-uny?F(z(BworAp zUpU}B==j;UP@=HAVQ!}1PC_{%g<*&XT4*}H#XqnVlpw&A^3(2xJ5$CJRp2DR({yCh zx_PjL^Wxv8Fe{mo?#CK~C=E&M%!^cM2RHB1FIaI1^wV_%cVfkGbl5;WMT z>aDSBe0O=y_QDi=Azq~m*GqLkz^2eE=XUgK9zx(PT%(ayOY8*&$K&azBki4&XNKUw zy^V}ZVN&ZFt?$2g%px!TPC;}fWmMFlsp?y66)GrUKy#UFT)u@jI27PB?;)#;GKisbT>g-o`mT`W+^03;HmA9tR-S$uf zM~#n&&M)p8GC(Lrwr3=owXuiOqSm%MNmq?dornE@YjX;?jy)LARRv-j&I-+{l|)ND zQsjM5FNyLnkF@DPGV@Aw(T)wZh_)CuEN9Bb<(rhxzgAw~pOVWm=f;xioyGZs;|F&%xdBkUZj8j?EzNRWF>3{lkc}jaVO~CR>l_* zhHY7Sf+L_e?;0#lR>><;b-NnOD|Than_c*70=F%8@HSgrI%Jqh>(}^_D;*(VLRl2R zZS<^3E)52R_ta%%zh~YTFSltJwKac6@o1jx!Zz86d8R~V_dlr{95!fft3-BU?I6%7 z6*OIepF9~k7(mP*R$e$&q)a3BOit!YMX%MrPsxY<#dNs4^a5RUQEE8b%C9<~vGlkT&C3`z zj&`5ZrBew&YGRGX@=5|m<+KApVYi#pHZI5`O5fkoYtN1Oe}W$6Z<1#`2=1y2 z_;n1&{XR!l6u_;_D|aXDA)wsF^khYVY`2Vkeq!iTf-A|zdY=K(1OLhjWh$ZV`pVyZ zG0*!OVF>eL9}%4p;^|FD0*}g(&QFDaRJAq|vSUO8eB}4=j@aM-`U94ve55i*RMDq% z>u1aH1p~Z1pYKy3d$kBHD~Au=B|uZ+cfW3yWz#b6i`OH|f7LC!{`Fx6BF3bH#_3so z)kWnonat18+qM8ii_-u;^2oD?t=9ugRjMkFFW7w zi~qR;Pm#m=c$>WeSj9gk+R$FUB?dq`kOpw|0InbqB@AJVKbZxv0Y&#GBxkElpLPmg z*rN&6RVfpLpQ=UZChxjwGn4$HN+`lS%|}G%AG>RcX;MI-()zmS$^cO}{6)A{t=V(e z4leSGK)Xd`x|W1+qT~_S#5qIymdm*o%ATX?3d&DYl+qpojl&I^)4hn@Y$oOUyoW?v zS16Yg0m;MAu`cTXpUF3zFT-i$OjoX|e<^_n zT(}@PxT!q~r!9EH^m^*DXxS$Z#z#IVVxl~ZR?vDMB;iKU*3aQ-7NzTp`m$?p)>78k zhJF}b9G8`PVP);=%|lE7cN*_WtBUG+K((VsI%XfqkSeu4B08IyN;gz)fnU`dC|&D0 zx%LDT17q?_W-bs`*`qY;2}^lJ&G$Vyo(_+5x$uT1ho&oFU15BbmIH`}t<$?!a^Bdx zozWvZ;8>kwvL$eF;I~9dPK*u5C*Hiqy}=$2Rx^wq=@|cKVJ^_|vbtP~Rd9#r!l=5! zv*+I~6s*O!(b6$RDPk!vleJ4I#LNGg0E#eA@Db4&$d(R5Swi$Qca47+XGV-4h3|jg z49m#RNzM9O{eyIHsT}E)dNs!_%D<_TMRK6{L#|M=`l!u|?UGV_&DK$!*l{Shq zPq&XM_I}w}DRAd5{JQYN5_q0$S;?tgC#*dDJ*TBVPQBlNVOt_!i7-?SBt?7Qr#Mpy z3^bc~@+IMa3Rd9)-81!dv6XYXqpfXGUoziZN2S>T!?vNNjzSrHr)$Y}W*N&1U0{Om<$UM$`YC=Uq2*AmU0xS`EMzAuy>CGzVtL96T zR~tU(@Ay*^UI=I$XX2{Z-nrc=9=GgqdFpF~Kr>XMk!p5<5-_0<8*r>X3*x_OzC>2} zdN9`Vok?z<%m2KOLTu8`3LRv>9A7i8ohW75psrET5gbSWekaPqz}X#<;1lS6MA%_q zm8iOmey|q&0@kUxfw8eNdS}~I$9|vPu`%`CzztNI9-(EW8_|SvS`sdxlY4~a2%mU0 z%6Lu>PQIpAfBHYYz*Z#c%Wd3KB`z0De{HDz-B%L*ObP;})^FL z@yX&*$rmB#%8S}NIecFw>hOMV^#9}PI{cyj|9C!~aC&6LmB`+kL|Io^MabT+BIS~c zWRK&EY>H&7Y?qn6PAamqGtY?Zk#U^yd)(C>{r-U0z2^J*e!kxC*XMmWNNi#8bxvp+ zlnh=0NU*A;2?L#?o@oah?CVrA5i7&L?`WH}2%I5i2Mky!SQv%xs7{|RJ{Ykw*-{2) zFmaIqJLIT|_2J4_&@1G2C%e$mvwcb+WyQB%`xkx+=Vz0m%;f5^sS$14yz5l&zF59@ z7ZERK{une5DGbaT@1g>=@D#dsqIUUwoB7No_mbY*o{7uLen(vM>FkAv(*rPz z)*+_$Z=` zpWrHz!7DtUEOY9pBC9j^(^BHRRz2WWw+wK~6O#P~nnclF{CcMdS5(5fnrQFhDOG7g zXxs^;C6#gGX2>@cP>UF1qwOvAFs}D^F^%_%RsUYyo&ggFaS1RY2Mpyec-El!_B8@i zovIe}1xuOu$bec%Vcgz70Wb z?%h7#-#dE*%O6tF{tEY%Hg||Izmc{GB#$P?)gFp%*39^i%X#4jiwBH7kNo~>?=6On zGSS{uI``W-)jY|xH8c*b1St%}&8p_J>v$tGJZAfTN6>h$prftke<|u62!=)x-{gOd z{?;+IALOHm%{I~Ay>RBkt-Q&1JWxz3*tl_Dj}tC#BsA8hC>DMyQf(vwIa3_en$9qM%Uz# z$M^+`dH+CRjwVG?{DWiY>k~*HK^S;jJJ=lG)5%5H=gcl$+#6eH+V}WDEv!h4b1^Wg zFgniW<-LlOa@j2{NKkOKvnu`qktGAzxM1LI3H}2{#hbw<`|m!AHTwvn^epz39^u1b3qbU=uCDzemE#LfMxH;r4@fg{5{ttG-{U1- zaiW&La+qQ*B!&P$imGVl<@-8&LI4%jv*#`wY-<4{E1MXZvCBK%|JjM?6AgX`3`AD5 zV+Z5q_J!2EGG^bWC@+XU20#bpzS1Lym)9I9)42;DkME6$Im?uN@DRzk7aB{nHWO`@ zXDRMB!!+pn&^f^dB7NM+|3G8LJBcF>8yJ}_`<0TF=^&~;(`?epCx6Z|%;LF@;@hwP zfV=6gEnl<`z8qJW50sFfL3sMtc|l>lc0bT-#<(f^^Sp@pQF?LO%Q;@$ z>eD+VDI<`j_}Irk$+djZN|eTp`zM2Z@ELSqQqb>QkYBH*>Daq#T6(1187Y?q4w3ii ze}&6yP1UO1o#caJR)BuQRV4HiFc7x?T%q81^LE7Wp5>mPg>!@s;Nk1v!<16+~W@Jhgt{At#>Vc#6s3rg>?p7cnx=i$Op`H z)XqF#?X7Eh=BG@l%v2Z{YVK8;B_i%PC0A)R-QZB;^40m#faL};MVH7=X`esmN!y-$ zFm2D(gR0D?qQz2>!7F?)t27{bdRObMNT>QQ{^PQCQ`J;ph2$4&OU2@cJnk9kW-tj8shBP>9P#9|Txfqh)`^-eTVF^$ z5UNfFuZXgVd$tQ0MeN>6c368;erVmoI0vyhMGVkK@+S$1J8dQ(J5U8|F4u+vAPQsv zo0l~>i<&Z>4--l2q%B@r4~n*|Rr!0lOq=~0%@%ifbz2s)_w{7fmSG;m`UZQFue5o^ zON|NucrUXrjopiu+Yb*iG)f~&C;lCex+!d@j=Zv|5+kEEtax>ytL8C+HY%C3Oq zn;B*GJZO$PFt}eAZCP}rDhX<&J%En3YLWR)UcV6VB~m}1m0OwpwXd`}%DuIW8BjX+ zdlU0pt#0GCNZ&6XlfMaIq;+*XP}t$E!nlmezqKOI6(a|t$x#!WMpnx=!HZYxq_L~f za{F%8S$rmr*N8o=AfFDdHMTOSs##{sUT$G^&Oa7TK}AQ&4Ff~62X#LLqOl@N(R`63 zl|C-m*^Xz)`KmO{L{b`6g)WNVf|RBvdwdM_oN7yE&@HILQjv;HV71K;#~I05>2$b* zV&gG!I8rN!=-hxiMm~>r@N}CK6B?rH=A^xjW)@YB=P}_yE_~fLn=ayVS-yXn=7a8q z<^YmH=y25lL9E7pJtHU1au38wZQQ7mUpLajAnUmcosQ>nSuUmdKIr49?Y_w*K`fOj z{07{jFsf2lv=!&3?VOByV$~c5{X&kK5VVBN8EC>f@&%%8BStE5QjH<|?CL>(vk{2i zoDywTz^K$c-KpE@dw9ZxmXaR^h7|tN)iTCxGIpw5ly#gv7z(jv$gk=mt_DU%*Qej! zS5nk8%bc;m*{R4~HwER2!N5lQ%&mpDfbEWo%j@W9x$O*(S;HLg^mSj7wnd9qjx?^( z4trk~hx5LlC}yYCK{JcOzGo!mLS3}Ced%UZFUqd}JQ$rwUHGN=%C7GV@hT%bAH5cF zzf}8btIU*29lYz;@4Vr&l3Y4Z$>0?s5My@(`aw@u`{_qqF3U6>HI=vQ*&)PL7zupZlGsq^^6B8lIz3-mPFIVb_tvs?QQJ(o zrV0|o=VXUoqmUB_-EIq!x1H|rS}%)coICM|mQT zoqrngAYBaWS=^eN<2=U8O3tJV8D(6Kq9zudJ5U|r&@Qt`UJw5qsAN=d-dZ_r9q32I ziWPx`I9Gq0D1jAir_~QdF%-6Mg!)CYTZVbJ)2&@ zdMlFHRXQUj5`$(Ew>ih1@8EveR%sd4N>8h$*#Z3sgS>1{L4m^NZK;o5f=yx0nBK8l zTmI>!x?*ai@qZArRWBrf^a%CC+)?$;;mB{QGOxH`6%rVgl)x1ck-#`Hy#Y z?n&opi&d0=65)_0Mudm_V*LJncqs}{49<9|MEx?i&{x_#AXKO{gi^kG6^RnNKM?st z{^N07VR#U1D>5OsG}%&qb1Ir2DM)GDXz(_~F}n^WFq6S81Nt{r_WBVrPgl(>&DI{rx{nIXyfVCEzr!Oo8XZ8Nx%WMXHO8DSxhirD~q~F%-%cTRe2p7L7T_If&TaBQA|iM z*tpT4Fk3hGCHlS7lg>5XGv2LldvJNZCrOC(nQqYSF?{vTWwqT-;R+?Kpyn9pJkXEG zG1A#%gj78B9A|NuY%VvK+md5kp_(HVrieIV+ATWk2TSFEqE10KE5{WemcB4BPyY&! zo&+*tSqi^3PTgkNdCfO7YEX1Jig*ejg*KKu^ zKq5^+`x^5Z@77hYgF%f*I`RL+vp=Hc@~qA%cFm~!bOu}efd)KMJKG7ony1nnR=nCI zCyN!yqY=)r}6tyN~QggDGUS0Ic|QobVgoivU;;3&9arBHA9o*uGbt% zL?bU`YUl2qLF8qtNu_v4mCfPnfgnK+7}zLS^47Z$ppI9%iL$$Fc~fxfxTZ1F&Fc|& z#MebmswOS8>fYavYQAhj2CuNz;9Je5#wPT#`1f|#I^~T))`|Ca`c|;5{F_%)8!+YA z;@Dr`LN;;pX zVXeV_n+#rYX@PhC1mI(Vqi9s-#Y2M})Ji>?82jrmO!IHaa6i$DrE8Eq>r39;d|ny@-=;+Q*5_Vg7Xy~RC9;VND^yA`K&9v?|1yE>yX2zI|W>q zLz1Ytd0^l;{YuaURm|A=0ld<-aRmiU7xkElb;boMr&TbKMEkJGDm|?C^WMqU% zC>obkwWeQn``EYti0B-xKJ0h2GhSr;YK~8rW%Om_GZ1Q`J117Xk@DHI)VblYrgPst zkOy3K7`SfZo+nY+3r?NH5HAzE6}8Es*!>`%F@2VwO*c}$fsGq^%&sDhj9^Vg?eUi7 zq8H_DV9vwW9uRA|0;m&~UdZ;r^ww1@aXJA4l*Wx2Iy@4m7>sLd4f_Y|R~Ni)+ZD3W z&HcSlxC6SFC?$(cOO)O(rHE5|bjFQdT@TGH+Fli0)eTIQf3)=)Jyn0;uy9~J7ZJrm zOjjlt+=EeNi${1y8HJY_Dt~BD#l=koMM}X!yTf}WPk50= zuNBUJG)lkCPDci>PzLj~sRP?yi2Io?_N$@z)ttLvoqj5sbe0i&F(5d4<|VNz{$n~PJ~^V zxY|jPdQmdNr*k83YV$=Hu^+etdXjjFy$5k_@1Bn`>raYfdD6%HioemI7KEA`P`p*} zu9jT{AZ9Ak&Zkv!!SmeCZrzgC)oQs7Fd2}+SQsc|{|LmS51X2hj-Cxmcu37!Q}fG~Mjg_}1W>hsqGqz!O00R(q!er)r%| zOIbA8?)4CmE@NS!Mycauey;C$Rp(WyKvnq@9SBSmhC&~@aUZ=If&IinN{#JXFFVz~K1u0Xd^TEJz zmhH;s_Q=%s3PtQll)(Nlua)VNcN8m0+2+)NLeGnHdy`Ewr~9S;@yU$W@{c;M5(nxb z{%+zZ?tgUWB=-|Ex$doot|VRN*MzIbK;40U#9W`|=RT$i$6h19PH=p;&!cbm`<5w4 z1dCF>7BfbWDqwR#rf@*hJ_7xS43Tg&C-~X+vu*no27f#m&dDq z#z3sDPL8OLau@-@RK|@whT;>3W*AJ4S3^)BYEFAtv1&+!LylA$5{ZEilIi`ed@>h4 zmT^GSl7N21PgH2OANa9i&1LN8DCzxJ9E5y{@zGHj@nE$Ob8c@}f$w?X+?il{bxkz0 zXptXP`4GPQ0V_&a-^R0wz9&>iZar2k79|LkQpCY80H78D7}%(z>V;r7dfJ}LU;A`? zcYR^4wvo0G9=k{s6}=YmK0Z?!(mARijR#2RJ)j>E%&1w>$Mn!_yXx)RZNMmeN3|4p z?K!E#^MPc0EkReZl#L>W_fk6k@oMkUj#Oaa81;z6ChppWqY8upN=dFy@iGTC?LrOA z%2lA3bcKN$nfgFD`)ZpX?lia-;`+D)LutXGMv5LzvEuEv-a8>H%iW5UfAq-9{(f-d z#tONm`Ce#RIHx^vHxWl>&Cty4$NXxsYOj_u_E(RCN&@|eZ!x#h=s@1`JCb;zgPQp- z|L9Q?_9({d3DT@r?WASb(ISIaIQFaPUn9>yj}yU*sM_ypbg3Q%?hU%Dv|!8o*0Y}< z80s&euBB_RpT~2VTRdHqKpmN2PunG@+0Xwd2{sF|VLt0`<=OYfVgCHF484Q8XuFJ; zmH6S4WL4>N=d)_G6j4zM+KbrU6@F$Wc$sy(@K2Tjhcz137W>+^<#A6x0&Sa*6Ijc zD3|v$%9uN7=KL@NIz3HfhR5s!_mWff6^oB!eO_cR zVc@Uyl{WuI&0PZpq+GO`Hy(h!*R(Uu>9Vh+-y-fGVu+sqLj7pa@!eK6w$HJz$)IUr zKtI9;74qgDIBdN8^;|pi-Xz6?v9l%G)}+Z%0m8Km1x9nur|`aKn_{#y@+Gx#V{8rd z6E$~N+482QLq7(hB(ahYZRa2jxw|5R9*oj^p6G}DuC=isDfAA1_klLI8{YH+OxMj&cK~C@b=-d7HF;s(? zxBZtAWWtSHVmwy=v{CqY$QT~*dbXZm*HI;dS4bMFXiAW$Bq(wBBuZny+!&~1{>QV` zuPx)J*nFijtcFd${$CVnI;*4!Qui;@fO}bVd5E|P$=(-f#hgTBZoqxMvens~pyhw> zD{X#0k2CWPu-#E1N|2Iz9v1qKW7%G_&{Z;7z1_%;N`?P(3_I7mVuMe#>-Q9se;s36 zJjX_e;z=n7@VMlOmV*vQmn;CcOE7!R#Jb_=g-HAsp3N7L0h8)24xb1dmwM zDnK4g5;Q$YwD7Yd2gQ#QHw-5hBF{?`Jl--#eBLDeB%_3VWMlccINBo~M z(evI~nKJNcJele1>0$l19BZZ?PLs*Pm&Y$`_Wi3*C9O<9_rvSrI`c+LD>D<-xzlb$ zg_L_iP+J$Z!8sYV$&;!{c~6h6=odiNRqbil%D`G1OtaYWJ^3EBd9U~LK{8qRB&2LR zcvQHUPe+#wUh$Gi)%ZKe&Pq0Fvz>WocWA&wd4YC^q|5y3Ih^vjND2_EN>@qnY#51LzDd zA??*<9(a9FtvgVAb?RSDa$9oIwir|;n{25O9(pg6!7GXll;y9H_p_PCZ&!78apV-L%In}ZsN^t6M6=mlCk5kL>-poFds@?N<5frUrqWESAk>zmqb)pGwjHDOY& zoPsQwvBY8L(CwVg01uu*KDzrK<89bliiwF;UUY$v`$5!0R!%F@rlR&>oDg(ef`9AA zX)?fup)gR$Oyx6!KCB@~>W@=xez<>~!nXo-pMw@aOnSo8P47LOle2 zKi6*EH4XRNccNws>*rV}!Uk=&7ZgE=gwU2)FP@^^MlW~9^BL0+lmwIyVCM@5O| z7)1jyx!xPIAf#7pSVjp^qMi)Bi3bhSb9Yr3-c&l>>mRV2Ua&IX3;oBbtQneMLVCZA zU2zXQfh?vnZjAlFIY}jm@A**$ea!=hPrix$>r{#f!ir!YzU8klN!LnC$3uolSm8Uu zc?%)x1;QSjra{fb@mwgruO|du(P#Ua!VO>O4-jgi#gJ|d#Q3Jh-ujPu76A_|}e`2BCni_mOey(@dxCo)>9FxBJZ>4{Ac+^RV`GQai^}q3Z z^zHs1p^+;b{};d2VMKf;xE>5yqEN0QhAzQ(Jh1hW6wY2&Ng8wuzhQlPM=9{mw==Ny zk}mdf#S0~FM_wX?VINm$N|kg5QXev$B<-XC7@OIv$ra#m3yhWGwE3G9Ux!=mm!xo+ z`bv_=eij|ZIwe`F=Wn%F%~KyX$m2-bE|^>&GMVKnE&_7D#iy`vS7l3?S;*doDu zV199@+0U9Qy%HfL_{PQMv*;1| zD?>MyJfR|(xc@e`2&b}jL_*Tg>t4U5@WD678AtivCZ!6BK;kJ7A&Orc;r}1SSRBNL z;Mjyox#~ZTjY#d!W9}m|H)PmMAk|jZ+Q(`FrC7+_BPWghf+q;DSL(z;aawcOY7CO# zn1fuE#Q!;#?S;5OaBStx?*0o4PU6Ry(8owNtr}VExg>#oi>C6g%a9)oBog8alq%)6 zY-oYK*CKhrl>bDr;`ySBUt~jkw-Un6VKp#X5lN4)szUzjA^e52pYsV-H7* zNJS-rviq!R_qIb9sYoOQifqiH`IG2eiShqa_Uv;d!84aG=NC zKz_Aa&aV?4-_0gIIf4Omc>zDq76uC0S|~H#!A#ywZQpnh?)lW-=0{HtYmvq@@gDkx zAfjf4Ng9H_W z*4$0kCbd_b;5}H|KuMiBmz5PxH}rTc^^q1$<*F&(B{SZ?|MR{hr!oe*B?1E*&9766 z#-PDdV$Hjb;hy^u_sy>VqpY9RoQ|LjBXH86P?36Q=KLgQIs;{-8Q*3nL2AgqmFszM z66r98{Pkio13_xECqHCJV4YXTjtpL*8>fbN3-Z3Y>0x4(A6;NoV{4eb6(xMMuG^9s zIJN6doP1z2w+ZX|sMSK(O69i_l!dWQasH$1tG&0_`bMJkw%Y8-#ZtZL+iAT(KO#dk z5_6qOUVfn;B{tAJ5cxy?lD>!fYf|~A*^k1bv&K=CO42^+go<>;r@KV-T?oI9hu#CP zO4YgphlPW4|D+60+zC-Un0%@B{&`3ZRg5W`IluQOojE@;?zQ}DLdph=~xU^Sav@Y|1Uim7Gw_Y-?Da1zqn=8KA@mG(`PkXOTdiNe^14^y~!^g4=5bY%`xz2 z`AVB#S>Vil0cdP>P$>#o-#Sbv8jm=($dnn+$*ya}fBk}i6v$O@+GRB-LUZt-V{x$| zfZo{Wp$)-Ae6M;uS0-sC)$bjKO$dT3SL>u58=I3!-_isy3_5$_eS`1vU5yM{pr;}t z<8|<&+|J#86AA35S_cdGhrml-o#*(?+eqE>DJUZ4%2`jt=7c(>$sA zq5O!=K?m~GbCMZK?mbq=SJ)cpplmrZ{?r!?Wc=z{^*^Tzr#TVB(;9?>BOi}Vjcd#| z5{|OwW4vWe&~_u!ih+O~N2h4=vcG3A3^y`2@VxGLJ<8*W-M35pr|Pjrzn8-XxFmU_ z0)3^;nVsovXpy!|BM{Gf%`pe}ola3aI{k>)BKT2{Y&V1xY^<-@i2Jio3&FrfL*10Z z?+D{Q*w0Y{`*K-l{sCf!3Y$qDg4m%=`wHQZm-vm_dF3?w(S-)SK+QQT>6r`vx&Ylk zBEJ?FAuH39c5ZL-Y2r9F0rgGE;1%7kRbh1Gybc%66Ko7v@~U#L;=CL}3S~4X!iA;v z5>J)u@^VfzvvNL2m%cDiBggdKhZ^)dg_6_Yc+ghTputXl6#EfUz2;hw3V$JL>4Y#L z)W=cI3g=dtZ`|O;Z`UgSoI?s@5vrMV-@kZhEr#{7JMu)m^p!Th)khEiNq#0}$o63~ zx41p-SBpyk=m>qkKE9anNcq`Xe11=Z$3O8S96fC*&IFE8@7a&CasA`bnDNf=SZ7c^ zi}?Sacv@mw?pR&Ex?zcN(eO6ed41fc0>~a}`}bR+0ydXxghG_W??#nZ?}hRsT0d)q zov9^|A-Zbi4r0{Rf$ffpGQ7}A(q(>Km*!Z~Ib85`1m+QsXMN_ZMJj}27}cOLYIBM8n&UNi4w(|^E_!k62i`Bwr)y%L{_l)> zz)&9kteG28{M)tE>^kZ5?`8m}z5MMGOBJ>Nen?w+cUp^dBJqhTYy=zeo#Pey>y5ld z=ivW{0lZ7-5Fg1tTbs7$`v0@=E7h6jSS6|21|{;39T-Eck!xl{lHefGd=XJDnXnP6 z7;`jp{xmtgr7SW$XaFyQ{eVL#antjX4yNlSD>WP6hAPPyaq0U16FOPQy;U^R13fq*5y?Sl>EKnH%^I zPDgcgI6ZQCr<-uCLJ_X0L^yPR3G^dwzP{bn$5iojFQ6eSNOSHG);5qgN>fa_qhrEz zsrbM~3-rMezH`&JE{YTRA317*UNogEPf!O}D0Nbq7ul}XfBc5zg>a$W;iTsMw}eaC>A+~Y zh$zb8$9R~Grj_ZQ(M%`V2V$8 zai{=P)W(fG=JIci3}CqLw@~l%gn%?#K#L0g(?Kv)MHgL|y4?Xs93t$+l9P!sh0FKO?CPc!dJH!AZY-Kw*i9y5{-K6Cl-*sb|K zEfnq(RPJui&IR-_6b9y5-nP-FLsn;5*t}`xUR_Rz6Vmk{jiG&_-g~-JAQkQ>>h0S9 zVWRrfiDQa->vns@qi}Wz(B;lmWrJi_~=YrNHrzy(b;Ef&EYHmtuUVe(c{TNn)>xH0rC4yvUrb% z;!IgqWSL9MNGG1zFQH3$<&y14(R?c5J;VdT{7|kS3~bcb(jw%BY!4bp;420TkIISd zd?KBp(OSYf^1qqPLI+l^6iInbonVjh^_4aUROs(%{vFw|Pif}vsyhgOGs+1+nvfi` z+}F+I==!p+=J|H^eTv|wuQ{c@0h&2KH#XLY5%h#*d_X<=CT4EuMy`(Q722b=UJ_TP zc_S^9Li_x=Y8z{9(tVCE5ZO^VikAsu5IZx-N9qvuH8Jx=<1Lp!RoHm)Z6g##`i-<) zpdVrI0acUBj;Hv{0+Lj{2h1z+`8@{NwJemRULzvuO3WkR+0)yYT4$e-A+dGds5idS z=J&`Mp70}chE?MQi@~TX6~g+jNc2@l0uL!R$tNt79JV(?N|DcwyLFk>@_u@=p!mJU z)I1#zl3VWxA3dWO(iXgK+x4NJ_ZDPW{fS$9CCpd38?MqQF=NVs64}u1e zqb3B+&2tQ{VZvkUC5){Z-;}^_9iLB>M+yw9K1kj-KP-3l2^$cQ(tWu4IU=f^^AT_pY~09Wa`{>l-LGGYJr09ePBmd%zyMDtc_R)!8+869FFyw8Eqox_`bD)x~*ZJzP^0KVa4WgdwVEL=F&z&9{B7@C> zf*v#7WKcIiGmG}M1j|LBL-wgl>cT91+6Ns7BYng0^&|9W#wfFS(Y@v zfqnw|5mXTEUr+G`b*~h?kX*qaTTJd|M_*z z>v*~6P<#4p>@+kDu*^jcZN&91h#X zsX?X^_!*=$#p_cGXXohEEz!)PJM_2M{m>IV6pl5qqmo{@LCPi46)AuGBf)@sce3)FnZGfS;Uzf7^WpNh*IppkfKZ+g!t=jTU$e*NiiRnf* z$3j&=s0l$`^+)=amwxg$kN9{xd6h?%n8%@&UnJ^E zcm4hO?N|BL7^?pm3j?Xm+=H|DRu?}}IM%!!E#7Pn+z1i5cQo4ENAdcNkrQQ2@nY~f zFsBA!fZt(FRetK-MM@+F&bZ#Fwi(=&5gK9CCDK=J5lm?FdiX+5S>(;CWj{VzLo~DK z<2jy`6m(`Ie7!c^e|)nGW!5cJ_TtF1<%BJNOru@h#&*)+pD|<7w6?Gg4ik33RTs6Q zz`B!v(5STX8!oixM2si91(G4T2?xeKo4zS+wLH$|x`UNt6wiArW$7ikj`${#cc;-F!$~1HrV3#r%sG=r~rLu3j^~WSlAdC;Cq|I6$942 z`~f3*qhr(5>=wvzksX^=32Cd{8v}I-Prj>Yu~+y?o3EaV^1cT+J-^+toqNW6VCj{Z zHmds*4~d&s+}$H@XzKNx!{uEh^Oj9FHX(yow7fRF7kd^@+X*J_mL(Hr(#!rM&7=o| z7iG(Muwe;e`=LXfihXXJ-``Ou{{7-cf-smlPA!MEn7Ujacg(x&k5JsMj2}(*PWR#W zbh6lG>Th(}cr(9H3)jw5$=71WJjE6h5ay&^-3FX3I}Y!i zudj5{MfRvSXsn3+j^$v(%DmFvZ`&#@KEuZo^he*m)J#3BzngkSF>OZU(4TcmXz1)e zpT8tGmCbnEt%e^g&l${vNZ&AYGrpqIc+?-$8G*oG9^ZU$D$Si4sI#7)Y)EILA;G6YS>l)77^6=X}w4t|pE8e?)-H zhq`EQqoZfzwVWvB>#?(Q{T9<8%3cs^;v*Sy1Egxds}bQ+W@ZN@o+-FlFvdxuE*h|( z2P&#Po`7C?c&?#Xb0Acf3|@iYi9?Ws$}awhS}9%1uSe~8kuyWVM{CZ~Yz|5L^HZ`ZL!--(l93!he5T$YB92syEys`1j z>foS$#ydc*Ztc^SVvyE~cJaI)F_PS(g*fb1v;RYdN-OD^#9)XO7DTzHLerUs zEvKVbYFGR(=zgdoA*KNJ-m{k2=&UYx$JCn5{TLy!=K$zH56!G4M5}H9Ybt8rtZDxH zjbkUvtc*JL0Gb)^IEwnU36pYe z!pDezc|twdTQgwIS}xOx~6WjlJKFf<>1&XI;ZwgoE7OS(6gZD7l)Y%AL_n^Tit%!e2*KN zW(4#jYVSGHA-nP2O+iYW`>MzAK>eMe7H}9*-Fd>JCZ3BZzI||zp+P1C_w~O}Q3h4p zjz4Hrvg-6uSg$SDu9II{4^1J~j~_aG3a6TKW#QX?%N?ubxjC)>(gW}ugn;DIDKlvi{1oBW62HqZ*-tz%&f=`5pp?Y`P%z>CQnRTviEpdiD!m!_r93xv5%R%87jO-$ScQ}pO||f+}wE} zLuw$fDyA}SwE68QjdTR#xA74N7n!=6jWx&D2Kq-nrkEh= zA4!#?Q;llh{B@B72HsYJ?r|Zx$@e7gFHdAXpJL?dTv%LIFJ2|B=on*+{%r68SDj90 z64Tz;P`O!5Ma^|CD0`%@wE0EpZCd_BsIAMa&5Dl%_KmLgF5BWctFnZUAQEYXE-jGH z$9MUS%RSuKQDEClA3Hh82gUeM8aM9K&>pI@8z7rz$LKtDbNKdy9*n-Un;?A~$e)L{ z=<(L+{EumGY+Tqq8x_C^Irf}J4v5#D^^YL+Fm6$)GE1MF@$^xQS)0mw>wcA_P>En` zou1#;sv-kv`=Xn`#*JRWp*}a+6_8xEXZoJsYzT^V?><}@Qc5>+reh#IN3*&cGCLpN z?lP-f(*n7Urt#cVEmvsiLSkU|GAbbk<`a>G&0UmC_uF;-- ze+jDs+soA6EB;bGZywGC-1bHDQ5!dU6-OT4V&_2)tvHdV8qI6^{5((*=rcnRQ&kKW z#v)Xc{Y_Sf)$BdXQKfjFovDl)`@YOR05a$YJ*_QP-7-2hQq8c?9IznisiJp4odPPQ z^5a&#yNCATt&ba@c%hhAg_N+hCsmUcq-5zAT#38;PX<}{ znXWI5iWfW!QGEMme4Aoc1}e(FPzj(P@kRD(0Q4rvyL>usvu1r%&RfIm<}HEKM`|1U z>+j~G)bQ=;?LS(N9$L5w`%$+;5OZxo$IOcu62-oO+!g05pY8=@wzz{XUo^ES&IJdZ zKz;(DCcy8X(IO=&d+TE6Tkcrp%zjuIbEYtgc^h+&I470PU-)dr{I|6NFc6L_Kf56M z006lQz`z3<{Bd;Zs+jW7i}|x(RxGW0qcjVs|29zksc5m;gI;-)NOWFns^}jF?*jdZ zfIC-TKyQMWyk$#LAoU*ga(hlqauKi76Fw33adRUuy>;G=iuNfeHCQ_`gUY}>8$@Z% zSQywUIO7i3Kz=PQv&gP%Y}VjL_ z;1!?vS(Ve|fllFyf|P-J4~GQA9k*No($iJ+Kq-wto%>?B=F3gWnwpI@ZaWcm0OUw* z-1sxoi3_<7ZW~o7#Y@5gjqMI02c!z=QI}M7l7(Jav@=+Eygbb_fRT<2Pyrh^GUm() z13dV4-D&QH(*g_NH-3N}k-MdPoAgfCOIlaNOnU=G^HsvLgdXlyud++osc4%;VBomK zj&RT|k=4&N)eA`{{l+bE&nEn{wqmQk`Vsqs7**Kz+LG5W4#dX3pm`YZB{C*61>k_D z-2wU$;V+#R^hlDCIaYBXFNTG@2S;izJa34)J@9sqNv;VEOV@DSPV-FuP9=pFBb7!PZhtc=$7EDQO?# zxp-r+f-f`=)bT8N%PYsZ<3{Ol+;Z|jF4$d^$OrfE4MmR6B-s1F8I3Hkok{8{TP~F}Fc2mh+)v%RrIz`5m;5=)@W`&|zgo4@wnCRT zJMmgC?ZT5sSwG~xCA}Nj!h^_Nm_|oiffYIXQxBG2iHR9msNC>{`jew3m`^Xd0z9;< z6tSDy>ZJ@{9Uci?lL#P=sqqJ(3pX9kO5P(^O845okinnDPD%UlwXd{!NxDK1bOB^n z|LdY>odEa#g(j=Po}SSvNq6E%Rhlr6Jeq72zN5;)WjK99^zn)lrgyCPtN{y%@{$Ug zIbWdd;`OvXpw!AGQhxGmEUqn?!PMerC-Lm-qa|#z|E@~AQFLde%U9%Uq-#2j5{o;Zo02im?)6E zVBuGxW%iCUv`wMozz8z(0@7etJAL)%fj=x4%`AVDj zd{c;mhJqd}ZOpz-6}0XhMm#hKwL2EY_L08M9AY4#OC>=nJTaA6e{@@u|OArNZ9^zCvy$dnI(nrh~0?4(lM zJ^S(?V9BeDZM3)Q)=^oy0Sh!AHu4YwZBcQxhhnx>S~3NWDa!aQ88vaskamLhVGVT2 zsT~~8!Lr`F#}O_T$45(ooYm&V;WqC8%9=uKbbp*42t@f&3(cJGyp^JvrUHa+w+UJY zBGi{4llW!&PSTz9?8!~w!kG{2c?gy8IyjA}gYFOcz!OMauyJE-v9KR!mpU>fWjU|O zJ1_etC-#aqE}%knE4SqDQ}dFP@{+iw2DQ3(-G>vOLtAxpBxu>Yu9Lwlm?k|gAzxF~ z)b3`y3k=50?lp;hwtr;8p+LOK?1CY~gA8#774LY*?kqn` zdQBk#Dnx!UQL2LQimTT!?(x-{%-GV6$HWc%KFDy%ip8^ANPOQGqS*CD@Jj3nWDE#3 zp_}{KnCdJ)CX^Y>l6x`1Sp%8zl=Mb4H{haOor{hZz}~4#ddqDgavJ!6FRBmqSqu;3 z35z?do*gT$58D;m7PB)EIr8=da;G{AA}dU;G{5yNP9{w`f*Z=NKnAbau;aZ4sQj68 zlGlgry4=QHyW{+n^eFgGpj4^2*1p>p2+F{yg%9spw!#HZ9Dkn^4vI**^6cBHlV7AV zd8U%X_D28NZav~ERH4=!R?I|82w?BT)gFH7vB(M$js8tZtFDV?7X4OCl>og1)LX8W zVD#=F=MEos`wpdEfEX~(k}8X*tFPy0j|Mo2-pX>f)iAc(iHep#(O261hal%g;5MVN z7wjgIA@F^sJ=V>HXsr;@=NE3`2L77BI;&U&-AP@CX-((W5%%E)vMPs%?IC z(wsr}4qz0qyS^52pPZ@r4iWD%saO=f(ALJi#>R599`EahevE$qxb8+v2KG(Gm^n8^aXje zfN(}v>n(fo4wi`Bz8bj;X5yqbWJ8!-ANGr6RsiHFmI#OMJdPL1fNyy1R@bR$`ITXF zV{Uk{Tra8pgp(T70^v7^WcW6%agFV3x_o0KILJ`?E#l%eU#Kb2k9gFl@e#z#k61`Q z_@Z^OLA%;%KJAoY>vy8RlOT8Zs&KzA9r@du^;H$SvcV^i^OVMo23fBqIdrnnpFcE) zuqq~9zTZ@FHFWYhas4rXzB)XTs$>)rhtH<-p6%eGq*d2KGmBQfqs!eI==HIJd<6;0b&ZI8bYjt_2V%pd?zH)CO-M)`A2KAjr$+a8?Q#jPLr zvZ63qn`~gU+6LYXyUD&gd6TkuEGk?_@jJp=o|VKY~#>H-@s8 z3(pHfSe28u@LW9Sg~zd%!Cm`BGE47~TUzeAPR;+c20*%y!a$8$zezrwLiE=gd7-Sz zN&V$ZsGqnQh&f*qkx?zTrJXkW zJ_X;Bdh%0wV{BFqTPJ!bej9wYAlAk`@~z~NQ6KEAf23_dme2ObybzIBJ(RS>JA5vH zoKo}0<>J-K&&W;@&qCiJ(!29I<>)D=74bwyQE`XujVht3697n16b3e012iI`ipczw ze0Y<0*6Md|EV49m(ZU1aRu@tcN|cU4ch~;*)3ym$uir93m)7g)>W3%Y@P!(Xqb71q zP2A|RjbPJXU6>`(KuW*2zQy741KrJf_Wu?qE08?ON;nPXhAZ#BDi24!7k<2g3IMN7kE%L-qdu z@Y-kAvJGIIiFI8J{$cT0!+^hkf8 znEKaZ6!{;wyv^0^6)-DO+j94N2>VVGEB9ctHQWb*L|m&rDRZl1{3;<9s8fpi>wWoK zSo-CU`w>0G8+oA2zd-Al_+tKvE`?h~j6rwiU7shCl}v2ocr`DILhktN5YNI$K8Tr=fVMKUxlB$b2WYzeH?BwFK=56Jo1&ClSsA|q1raQq z9su`(>79xDDK+~7=;8fi-9etOY@Rr`zTPbM3f@s4*!?f#KLEI91yo+JySiw%KWawu z?y}-Pf4}%Ll)%7K7bWDJUJvF;H-P z#uzjg5fQw^xV*)hEez7CX8CxR+L4^nrVOD}-2NaPC%rxkoR7FZkSAuy1r!Xh)Z!ni$e32}MMnZ;H9^d#DZH*V37_c96dJctA6Vege z|CE4VcCmRTmiuh!`Sr~o>ifQ)`!RI%K#I66d?Q?CPlz7a*Q=KOe(wIrochj6S(NLx zYxkb)zx|WJOKWv@1=(e|wd;<(+LgdqWlrA#av8poZgttLgJA=w6a1c)NXH` zQ{`W~E%l`FpL^sNGTfF}|7LU;<>?t7Kv{{{k?61UObXV-p)?5?^xv_{I8nBcj&9P$`>AS z?{xensNXnff6|2g-BX(3HL4mST8L2U_m?uT$`RtPXTVP8e#~TnBjKAU#7lokiX_+ zY|y;xi@$p^+Qh7vr~h-1p&A)ZRaqUxQzDdlE|%>%>lC<|PplFSjiq-c4#SawfFeV( z1vYq5@#{OPwl|ZT6ARtA|5c3)U+tPs5L zs)s+AYqSS@jIX%$YN!6U--ROAG{RmDhjmrz%q~tpT8ph`1YsaoPAJnLU7Of*o9fS9 ztv6TSujhC1n8#PCkcIy%4en8{i*-EbiSl>uV0v*4Bl7^&=BJbtIDCg*co>d`&TtET)(;THvXhUYY}g2drkhm@U8CS<+R{Y z3X^m58doDD2t!cHaOV>Bk!XT7J~v^%bBg}grbbug4cDZ9-ql!lIPy)^IiYhmhWG6j zD)(nUXZ^Ujul21!_~UcTOH3PhnEB_iLx*qO5SQx^m;e|NIynDRu?XZlk+a${_LeAe z#VrhWp@PdIuXJaiq+Hgmy8C57bE2w$a!Z|hcbj5<*MrVvdHLBRT0^h~^RkM*%-BqR-5^acjn&y;m#b-`gsz>NKsuJ_Sfy zU&9;*oUDxR1+mKzwo0gx-ai9ZzAT2Lf4PHgR9m)iV2M1^W1_a#Ll;mky@C zBRTNB=UgpV-&hXU#J4LbWa-*B{CY%(e*zYe1SLWZVPjUq^?n;~{IzdyAG#dmtUJ0@ zZosj0pcR4a=03JRGz%T55BQ{6wP1-ahj@$_XKSc(ZuAfvvXu#M^}A1&&(FKWOtUDs zFGROj$95q#Z5zrDa~eD#qG>sbx2^2c=afGTTi=xq4QE(EgG z2)~$8U>3D^^Khe(#VZg3z{2~zLI?Bx+sM;ijc={r{ET2kAX_Er zU5M6hesc7H7#9R&o1=Rtq+T++)e=(_3Kf#eg{=?byfF)8f7)Dpu6ogOJ$hK-RrZux zZ_;GFpf>>C;%W_zsJJ*H^jr(Sshnz`qkrZS!q;=1movhzU+X*VNbP}m>%hQT-?YMw z_1j28lfWCqnVc}Mr858sTh&8zXSv=V)WlV5gM5ig8O)}-p)i0yD`;2v$KpX5C$boD z4P1Z7V1NRmTXQ5 z{*z%LuE&i#RwXId#S&I)t$cjWx=d?dD-Wfk2hs!ya36^WgSxotaBy#utsd7zv6^SO!oOWfuR1U(%uA{kSV(r<_;xVw0v?CbB zts^~O6Q7;AxBO<_%BAG(@qYt_^(9){{KksH4}Hbvu@bXLJDtrjuQ-1&K{hc1^kUQQ zJ2HW=fXr$loZmj*_lyq0H;D8kJ2S-Q0J2Nid~cBlVie*So4S?M%vs z2fGrU!cdc6L5^1u&lh=(zntl>uxBA~@t~pkJFt+w6=9-x2dGUO!j8C8q#-9DPJo+T zyqX}09zG99ZpgYhlbSkT>^irYmpbgZH4JMVD4jm25+jiR*yyF5D_w$@Nd_OHL$kc+bTN15AF;`tcELAkrOmJYL3@L|`3m-B(~%JKL2h`}+= zp%0_I*50l>^y5nnJe_kYRhq5u@$QBBihfLm;15;82+LiOa%<82qB1c4MU!!{KK; zF(P-|HWcF6X*;ggw_UGU=wM%R@pPwdL{Q4B9)YU>c%8j9R5$bevH&8#8sAwF8@-kM z#wG^ndbYbXC{%VUnd25MGSTGh?kQh;y5*6N;XdxX_;w|}mxar(vp$Iq4~IL}njnT+ z!KdP_IV6pUs%H!}kBlspEuWt6J7`55;e`E0MqmEzYjrF%q0$S}zjDzNgng7Ez+>IL z#xEl;;<1wb{%O{)b{}L63+>%(P8t}nVr@PmK)W-#1|D+6T=l%2T zxUfDB%?$Kn<%};dgHJ_rrdxaW3LWlL%}7w5xJm^UnXgDkVhyA48n#L#mu3y7F)Sl3ev5x84j`bF2Ud`j8 zVAp0f6YegHpphtg7h<=BARq7;;W&G*!mVF6&&Ho4;5(LeWth1q~nzSgivI{ZbLV=c$~rkBEqchzELckHWn&WzZ5O@37-o~hYH z3e)%@0?)Cn2DgbU5Un>Sq^Axw1V%8Osr#snLpMR6ZKib(WaIL69}GN^UCqn|9**Ap zlQl6P-XcvKNQoC`DB>IR)!Z%N6z*XPQC`wi6aqDIXcAaJf}6QBvOm!pM$Zm5Y6Z$} zd%b0K-6ICu^?mcb^Y9AIOjyC1hRLna6pOIivZsBU{PgC-B2L$hUBRJufL`oU*Od_P zI_L2+(xbW9TbG%E4ZR9f|2x_75)lO&Q+tKh)mlkHGPwjDQi+e3|SU%1m+H?fmiR+cg1fu^Gg%@4nL8y9wG@ZS72R(zPlK+F#K z3P}$rvbBabUds*9LF(b>^%D9&69qHcPEScjq+IbZt*43YyYS-N!y%IybDKrCBT-xA z%9sJU-we43q@gFh3-Nsm-6s2!3k2`q2@Ezurl)tKO{-XIc@T$a65I zTri$Nxc0NkyFPW4fI&dKFGhen2qKV($JH@E*SMlp`X1y80$hJr6G~hz9$P^pXdf(q z4^Nm$ciJ);8@}J#IMduSP_Fu}N0+5RGLI>&IbIN!N zVFucEhgT=gzmol`SaDs;do;>oKS)^q!f_CWIB$yPCY!^9#n6P8fYpGNj~?Ic4)arZ zdaohtl3;BS2V5={&(IP;ginh{T=1uuvp4%m?XD0OH{5%9gdWglbgUII(XU7RDy#mf z;k?zAZ1GLg@>>|6@&2yi!}1nE8WqAfz`qVw&9#+!z$-t0w%vlLl2&_6Lo@vch+@xz z1*A&-pDm1t&(Erd%*wBS^GbMkBzp738)y5}%4^Ufkc{}>k+WH!)w`a)e+ZCrk858Q z(MBMjr{YkUc&|4c_#L>Xr&qt)QX5=mfH`oKXfx;B^J?gnush9SPC+y)i+7vdIUEk} zS6+)Jle2X6=tkL)=;4n*FIG%s834dMPIDhy&HY|^2_jB@HIrRN?XNd-wuU?UfRotT zG?KaNcH1Q0KLlc*?M!sma<8a_f7i#Mw}4*kbeDN3xGcUH{iZU0D-xb{tG1OC|NUpt zBfmtITQp|W!^Gn_;NM=yWxC$&vRYcWaL49>5QGqBKrgmpWcd~Vo?(L-=<%Y)B{J$8 z;2}r4P=)->pT|OJWiBNgu-NBeO!bofe^FbHY>{}e>y&_iGW zX=`G_3WVJjIPJZA(h~fBwdm+?Y|c2(X5irTFw zt!tFTD?b$ZAKx){(RQLJTC%c+9gXmHoRFrnBKZSWWX}OpC2ps|b5%YQ(I#tmBfNjh zIA^*f($NE-I9fv`Gt)9zk%pXjb!m#rk1js|1_<359E&IBU3KFYq2BTjEATu!q_B2_ z>Cth}+G6KYkZ9BuD4H;!cR9a;qr>yS&KC0XwPAypGgRf6Q-U6Ce;>C^VWr;x@mdS{ zRhyjbUbu#41{8w(hxU)gIK=l!&;$0zT0)Ih8OW7{u5>$s}VPUi-m5dS#imL z;y2w~Xzpw5BC`L{Tvq*~ui!1jl#Tz-_(LhF9wvxMMAE25A9=U6Nk>+2&wp zz8)?B>zB93`l?|5wrgT($2cE>NS7n`Q#|AB(Zaw&W;S&59NvVhc>yXv*9JR z_HAt%ldm7^MA1qgU5Ic3_e(mw5$oGh`>Vnk=$jxOdlyYa4;#a0XcOg;ckmTj-f-Sv z{G%XYz@#JX_mG_Q1fviN0AY#dXm0X%wIE#_`Wet7&BI!M!|?b8WMbl+VxG{?a6wTT zRdNFQ5>W8FlrOb`DnPc3-^^c~nE?=n_?&}7VIDKt`U2n<5@OJ)(X!7RG{s-eo@^d^ z;A_XPGc8S9!wo$Ah?$k@go@UtFGx=G^wTo)FJQlH3&Idn;W!k=;B|Q@6r^?XV*IYn zTP%HL(sUo6;?Gjf5iAWCq}@o`Duy55=Co3q@sCG#Aw-Y#Cp5g$(i%(2Hf| z&=3b_>T3g^q*IJZ*@tWx&UYVv}N5|wrabass!F)LcMkN z;)6rf8*f`fBl4sk3Ze-Pkj7-4*dF~H6aH}8#{aT!yh{sw%7nHJGWbw9zqMg|%O4d9 zyiMf(_=~7iqUcjc=;3DcF2u?PKYn_^4JI`pKjf~MUg!=>O-~(~T3h%bci|E(*n1$c zNSf)&NH>U>|9oT7x26Ku#Y6d;CbFsofUrxl1UOeU=!V3Z`5 zxZAo0SC^z*Ki9mf)l~lF(}zu>$%+OIVBGLIA;jQbFE>67CcX}7b{VH>mFr6<1nD5d zH$`)26(kp3#-V?JHGvv6c1lc@wvqC?%A)Z8p}e$P^0n2p2*w#)=jma6pz6k_%EZ_4 z$!qf7UCjPDuN6Dse}XT1z=jQCR}Zr-KIo}qGKg!7p|Tx~>NK!sU_kL;&iOV)zgP9- zRLQw(c~auM0<#{D4!;a-MoVW5BjPizTAnGCE1>73%a+;Sl(JhxX&i6aLupRZhSj{> zp9~qVf2)+QZMIaBs9kin+r zazc=aURAVd)wQ^|o5ug5nZ8Dwujy*iy@%|-9b)Qg4&z>rOM{3Qv=O8cok+ABL#ivU z*`mq4v1#=x>?JKTEjO{xP0&6N*Z`NLOoQe!g=LM~FKU_g&5E&;O*&WMc5FyAQkmX` zIQKR35)K^$8Gqg{rXGq1zuNBB&!R^b`iyoEOGdw7I9fo44|zY^rabxSUI4Bxz5Eol*MFoVIJiD}Gft235Oops z44iX`Y-&sFP8S25g|^%p)m9jGWGxio4F5mTtukq#AaLmFljAY)o$l! zJfNpT9TbQTg~HVmLaNO-mckcl>e#i(a{4J(A>>uk!WNf zULi(}d-J5R?}g!SCp1(G1a>Q~g+iEr390g&H29_KeECn=#lZ$M`8d|Y0%#ms3h2e= z8eilAVXqAcWo6Fan-WHB!k;dNx~UIg9lbX1Jd|dq#TupyHs15yDd*FF$}WEIFN-)W zFn$F`hqq%WAVqa7`T*cdj`RINQ$O9Ro&~E))X;kkCFgnt-KcaJo4#Bl{gElsY%NEgu_02)=jDQ zt2q`_@_(I>U$)W`vHvzgC<%F_Bc&|g&-vww;dO{d=i*TP;ek6bboh_po%;!h8!DZZ zB?w>N&P=`euvhWHF9m2FGzeW~cA_hens}^YPtQOC~D>!r%WH!8Q*r2GG%!|9f$0WTKTw9hB*_CLu zh_?RisWt}Xf0yL60ENJSn@0Y2+79?gRwNo34D@0*Gvb~wBE-Y1Lp3sFGnB=&BFx@} zrlm`FD}E5}C}yS7$U?O5#LGv%m7Iqm-&JwfBg-Lam=S?AWTST>zC7IvqX$Zky{)pl z;cIGEX`0IrU6h_W)YoV;MJ6|lhp)Z{LDOI2vmOjHeUys+qUuT{p9%2yg>Zc{< zK&xLfy z)$(nVwYyP)CG5TdK9R|X_M;1bg@SG3u}}2Rm+4>j!1}c3s!&u4w8yuH)zR5*FglbmOJEfVJ5@zUfsqPKZ7uT0OBhTQu zxK!h3HFJh*J-9_(v!d_aV5F7`Rhrt)g|etb3M_;zRLS_0otfsiAp2j0>_Zfw2f!#H zMCGxSsky$D%9EV?>>dmE?=>PqbT9A{JD}^`_+FW766uJ ziiwt4U6)Bu3-oFKm$9J-Y&g&V^|qa&q?czu`@s)d@2%!`Hpj?vbyra#*d6%ItJfk! zNqS@q0L2F7XN~jSjp~0vCj1JA!X&4Qm;zuPSNETS@fo>Ek(^60HIbu1xt=XMb7{|6 zsV~a_NJ`_gC!2ll>7Z?|)EaCQ&h0sc?^2r&qa+D%9}K5D6na#FC?1U0=H~^G9K)E4 zCTn+P1GmCrq9%e(x`wDU)e@h&{&SKu3VTIIV>tcKes0BGqayiVj?iL?aVSjXtk?qp z%wsjLbp3;SF{ESnLn>l%e?7wccf*~D2f7pO(}b>_1W513W?8aSiYoW0 z4SZr8t)a@NUT{HcP63#Fn&)i%@0^^yV*%p#H^)e+>$Rc^)DjS()^6|NFPj_6bRt67 z`d_XxLuKL#^>)V~%ZDPc>*vNV;?RB&ukpE{S9P1Sm94~k&R}BUt?8h)-RuD|YI5NZ zbCp#h3kxCk?AnZe&G$eClz>Bwodr)^-xsd2!Vh;T?i4TX?oiw*Qlz-M4{pUNE>obm zySqbicXxLNnYr`7xgX#rlbp%PBs=RIr98mAXq7g#L^`mGiFkvh z7s_mg?=}|ml8V<|pjv5{Y35fGK+hUB$lg%X;%>>h4Ul~}DeFSS<#f}+yNLhv+sQ%F zn)DSxZ@)hGQZagdCJ;H1NbYhwPr_#ZzC(&;2Ji=1@O3{+fko*}91(4^le{>D=m#$1X^VJTZ#;H@!>fd?FmQK-f2@ z;TvypeLoqs&Y!W-H4F$mjd@PW*jK|6=8*&2HgT#4IGo_gh(|SMC74C|Ms~GQ5Q~8%Z|4m;>ev?NF0v*RHghPUm$MCib!9XrOf$GpVd=>5 zyqYfl%MH^XJ8ON#@`Fi>DDL+_ON3j+WkkdvhRL+NZZ_W!l)Y+q!2HMaq`EK6M)G*( zJ3bvR2fylbLFubhH?z|1%|gr#PLq3ha=g@I_UUDqnq3rWiS|Y$Sg_^09Cz})qDYS5 zM2VEBXKFYjW#Y8?jC8Pp$NV@~v-yy)p+gQ*B)ivRr5~kLEp$8Gw%9lQI*5%QF^T|aaXP_?=+6(eyGFZBldJYkVw^clz+mv_siv;okKS~H;8g3_ zBYHrmh4N%w-!#FUt{^+^uo=Tj25fSZnF*ZjDQlu`H+1!7YPa$C*x?+KGa;vi)`ihQdaU&?8WS@Up2zA5MP<*U#9P50k!1*~^t z6zRp&F}$u7HAovDZDpng>(c9$a@hF%+u;z4I6E&^S3ffA1qzi{_geVJXk9kY;w-U5 z?An1)5VL(5XZ3hBq|y204UH#r8_{9OtPVpL#E4coqP~AB+38ECAOQ1FUibrcY*S4y z2pwejxn|e(ATZ{76P3fw;h*^8*oW*d(b?#?>s>W1stE7w57-kp z38|&OS1bXCT(1y6@!c`bOPS&PW4vECHl4c@DZf1~ZR^FV=&YE(=-Q4;=O6q7n84bp zBe^MIbboP-$eINn;4R1*?uTmfTBYHJur5zDb-!1}dK1Udb1YmKH`N)C&$GC%T%=QJ zEgx-1HpE6b~mMEE;aZUR#0AKz~V?*C5zpDcP;)Iw>VD94*kQ-aQ#p>rbZ3F z8$N=nPU47priWfkot3|e?(=EOlPeCq1me4^PxN&4G+UQ))0JHqchuy5uNI#&dzfwc zgnbPY6%IGR#smVWyqQm=1y+arc$WIKhzgjsoDmm1Yd(o|X-W>Ggb^*0n$&LuCL4W* zcd9&LWb@+C6z!bT9&BJmcOZJ`kdSkkyA?TypN=URd_S86qRYL(C>?1#EM-~A0vjRb zui2(L7-EJ{UpIN;p6D9BP9;5{p==&m-f5-QlS2%~is^lm2{G9W(;HSgjQH*bpp52B zVRY(hJgOZ>2nRMIPg(1EOGGlzu}RA%7o&4ZqD*k3=Dn27MdJ%W+|A>5>`TG*AyOSc z{}18$^Wme9>>z&E?x(S?YR!iif(Vx5`#$CGBuye$Dj*^rEX&FSErC=1rSJZZ86)a( z=Wgv;?wWc7POMa4^eT&wG-)Z8T+#lM}_1 zfQC9M#-GTbVz!&Vit8fS%5_O~tj#Z*bvqfo00EyLFQSqeiYHyom0bHGWZi!up(Lcx z)iohm%bm;?HV_AQJ>_bKlkfbveCpXu&Cm9qb2c~DxqO}4KckRj9m5Z9;g%6I=HL0+ zrI+odbbRCo;&VKnkE_aQ> z4uZKJ9QWsYeap_hy^!a=gX==Yj!ndZ75A#kS!We$Z_b4b9eYO7CFGIod ztD>vR%W4Pybw%>Jh85J%R9<4_6zHD$32o}Dlu1f3J}ukHMOgJGadG7?_8u>6C5f*WDXMDz2j-#?Wtr%AfbmrKl?sVEGJwc&feJK7vZZ;Z;+XE0anc!R4K^^&(bh zkGlChSTcQFwtZwOnFY62@u{U5eGu)JPU=dyb-vC>HOJOenjoSOq8qP)HA`k??TI&! z87KxIvNOzmywV{IqFG7#!1n7MV#P%`(BLtQkEP}7j=b57%MW^3m=lX9ij&thh-hv@;QNLm1Pq99ZD;z#d;+_V#!OB`Z8T!h>Y*~ zdSATi`89D>=I}o<{K|PeS7A%@?c_rsNPMEUTP)KTco?RrmyBJzXo$2XfG$unb`w>L z1#1X>t!KovzAr@ZG0(%E1M-_mrK|x29<}f1U&Y&X>J!@a+kj|`w zIa8aS+OGU`!{UvFz1u~VS} z_uu!fAgxn_DaUVYZYDo(+5bJK53qw{IB&ornr~S#5mD2sP%FWbk95y{sWzw}PM2^g z!e4_OD+V@sWA@}ovE%5`H?wq=!VeeND~zFMzj*Cf)aB(e)Gb74v?w>e_~V~Hd1z52 z?S1kcwE7Fsc5sQfoTcChMW*@7sEXc|MmG`JC%DyUm5RPYnF^O48ms%gdN$NQ$Y#A4 zvz0J!be?n5rM=x3F;TW6f!X_<*T-j0H93D(tQI8QCTO?4;gX0sn(wQML^sWo6^x_q zNnhp@0G5}yilX04IA6P9q@qeB^5BFP<`^swS?h9J`aBIC_!>P$DX7eY)K>7(vg|FVhw(d0>*ugqH``6$J4v;MIX8C z<6Z5;Y_VQ;tp^ae_5#nQfS#p*SuQ=SqTh(?C%1kVB*lGIPapS&qfoH7IdOlNS?N7Y^q_xb}L>#MV z?ie}{_-*V_#q}Ec=Uk<_KsDcM_AK{1X6bS-ME6*h_4w}Lu1qiY2tbTQ+uDa_9E-*8 zcW1WRa=TwHl8j#v_!7JwFlBTYC1bnTzVR~C8 zqwvXfLgVxgJf{HEEYgJ`sb^2(Qw6uOhM#DvN}3;4`3n_44Kc1^SAa%-3>EyV^OEXs zvpCc4q-*|tTO(1VK{pkC5T}P78hk%_hZuZsm3lkn;g@n7sUeClzofbUou_(9&Bs&T zp`bh^{I_<>Pm)FB<8l`=zO8MK3^lRK#TQB+-$iFh`Mk5Miq22oOz5XBj-`pID z-`MYWyE=?IpAr8ZRiZ6R5bebSwI>;&HUWryppU_5gSd;=B<&8tdsTTGs* zt@G@c)5k*KmgpD~rkI(IIuDJK;>q59ZrwyDMq)^P3S#nm#Fl>vy^sCie>dngToN-# z_g}+bB3Co~gkS!$-+UuP9{5u8t4aR8cDz&1XR{CY{WW9e%uE8>uIZa{Evu}Dq>MfR zW~6!ShY({DnOOU=la$NWe;ajah29^rM8u~dd^a`%rlkJBKJi$6rwrs878I)|pS}YZ z#FWo1Uvg^lI^K>dD?H<;>YW=|e())qG+2aq?lN zAyl@BPcT8^y&Rx~h8fAl(CVc%jJ7cCSBor}KprlzbVm-tMvp%JY~XblzB2e{k&lKR z-7^L!Z_Dna)O{?%=BEu5TPv-6T;EdMO_#>vT+9%T?4oMO{WR*TSmA)z>V-RthBn4~ zY)5Jzr`bv&`EN2LKWJfQM;HY(^lKE%C6!5o)2(`0V%*2UG~xF5>EZ{FA`V-Wm03)1 zaB+(D-mrir%qDHKY~^D0T34^bR43`6t@aKJ12ek%-=WT16XzF22ZU^ zoax=}+b4M~P;69jBtT+56U_Wg1lZU+Qd<>mc>T1L;94y#u{b(|Mr6fIIjT<3SiW?eK_2)X zPrT7ihPrp!_fWek3w$G6KAh#87o|9Y)zqbs-#gUxw_#kT_Oy^fU5R^A>UVX9FjW*d zSo-YpbCye=ZtqXF=^FAK&+5sd+d5%JIQBy6d%Tb{l4BxF7IJSxJ&RG%CApW@mh69$ zb>t$e2KowO4~AcI<@>gXxKFi}bY(pIeSZ9Ui2$Wonx`0bqIgemMJ+A@=PJj^EztlY z-XuP+G>maYMOv>HVJBTF42s%+eE_--pMR&9!(12t%6VGfXkBa`FX=k&&~yZf_W1`p zlYKpvuNXDDw4vu?pZ<)et{D|*58WeV!?&rxH_4}Gl(MhBg-GAa0m9z(% zNWF_Nia87Df?V*0SVwflePfVWOiS|C_3K;HkeXL})HTvm`Y4bZRIcuv3`Od=o^M72 z4@XHZU?NVIyYpVNA07-)DwxvuFS=lzwx5z<6Ql;l<9IR2FUZQ3hn#PGT%DLHT0s0{rw~?e2DH{rf3D81d9tri_$K zHrBMGQqf;*nI}}y85tv})?61VuA0&6I3Hm2Y~r+hHeVI);^ve=Zx(71)6?0l3pKXx z(ndCZ0m)qB%g1v2YZrN0y5?TzeytKjEDaA()FiunkK%V2lsY8d{7Xa_Jo3xft|%P! z5MM})wAFKz_SfFb>eerxjw#lj%DvtS1c{&ndcxg#oZaH7A(czT*5IQl+kO5jSLnu=VcJz8Q&iA2X&Ko5w!6eKBLHEKG5$Z zYI?_2qyPM@mRRfJElmc9aDu~>bJ%>AIqlvTeouZSq*+>0`-!pmDas2aXv@k-k(4+h z`{9~Xb3kau=!eTo=47Xtv8ZIaadtUi_Xn&3QYSNJ@IAVu?CM3e!cAiwWTZ~ z>z(zq+4t#%f73sG3HNT%Y%^ywx-X@%3-ue#ns5H1#4H`rP=z*?Z(7{hI1*E4YW@<% zqJ#PpvB7be$ysW4Ezf(%z^K@+2{AP9&!rWLxPPD6YoB|f6fckaIMhTA=JN9WmHS9@Rhk7QC#fF4A>UQN%-d-PvPbyRzRA0FC z#{W_g$u6L%c3xh6QqcC3lY%=;vgZfdZXT;i?oo}tIe$`tSIE+Gtu4PH?zW?OL#ocg z28fsGkU%@J1v>xOi@18`%e6`1Xbf?uaQo-DD{Vqkr)nwW9C$0qI65v=gk{Md{V(9M zgitMUXb>FAwCtvP>1~RYo(7Mui;rrM2>v7p$9f znH84>WctOfBhrC0kmqfm5~@=WMQ+SgX2hN|ab{v$w96O)jponUh)AH@Rp@fbVahR& zi;kzy{b}+Y<>cHh`j&p*tkkM`Fl0lc7Hn+KB%)nZ^c{kzE^4FW@GX3t{?=aooYI7Z zQadjhMXU+W`)<*x%j1s+`wu8={NXzCTskKL`~0}DVlUe^IE$nDYcKyF3u?X={pi$* zUbcIYV{kdZ1a^+XTW+|!WhltZsD7cCvnm>_%wuXtwPx0%p>zeU;Tuq1)a(lt3@NN1 z(xrAYjZm!2bH^g>k{?@0^$myiDa05*J!^Yp!>4gbof)qx!%8Uw<{C$;4Q1|#Pyszv zxyo*Y$#>Q^e9oelwWdd)L4K^d%UZ9bNy0x^Xo}@2J0vTdTxy5vB91L$1vwi7k+rz0I>ig<*tU=ok3KG$NWS@k%&Z;nwMfx7^d&OU4##5nR%MK3&Mo%jktW4j;k#D&Kqw0w zUn`E9S=p0AoLHU|z6ejObo?s^DzI9ZTJ=LEH>K=1XmnRw+wX{3d^3@OaCU=Jb-K4y z`5qGi`#Hf$i}1gwGR8_h4c1B57o!}>&!pzg+*<~rI!Gsa6*hsfYlP}#7%Ce|0_UH9 z%rO(lb-}>{(XZu_jBV346|zE-{4v@oppl3{eJZAN5n${R=REPrqrhBJ{pRgirQqUM z-M*|@Br&6&WUEodP}gk(>qp3QA6#-r5<*_w(j(6HgoAn8VcRzIcJ()3Wo1dEQOXx^ z?fu8k<8uSh-(b{Y5D|W>`K5O?ZW949#XtUI?$J!)sG$=yzxD0KQ@ zM3x>hknEU<$wyB9K1a8xn|9x(5`nYx5FURe`TMB|bvRJ#ksxSetVsx~7spxL&qZtX z;Y-R0{O4%D#FV+uY$#&fbvH|m2K$qCwu&3rCquTDSnx#H@=~;-zjB%eb7A{7%!|VK zG_YX)Gnb3zeHCFUT8|ffDSTaEcDsd1F=s_eay3GWlbQ(b`q`D<&~lD)8DbKs*9MM{ zTf^=%YVor>w({p{0}-eWIuPev=Ti5Qy&q80NI`hL44T{4~|4nerJkx+|PU%1c|hy zhEAHdY{U-B&v8SI&=4>mz$hplFUH_+kbGJlQ}!s{-s1X(@UX`j#6$iH4w^C&!`9ve zH7D5vBdv@=6NO+=@Vs>N#4zvc^`)J;)2yJHi#}D)>qIZ4d@V&&unOrB*HXRu3SqI|-FC-#2r0X<5)f0TJ%Q^TZ8M+FO-7qm&%uVgmk9M=rY`CBUXJs$End2;9xrh!q8 zyR3JcUwR6z9x^=Fr#We(#xiecZ3Be;T1GD0!+vkZVRRe~ch%)FBsv}T3N2s8-72j; zxF1Gq6KB-VkuK7Ws^`9Xr?uN7`)lbeH2x$Lrn7!lqR#GNk@m*|&MzKq58?AYmZox7 z6Zxz8VuZHhdw=NJl{z}M3*o1d^%XSezcJICE!lE`8E`z>sIawbu{U+~5hq)YvKTla z2pbWRr2k@|)Na5nu(1?(&-9bAO#Zln)bTr7LpD&iv&d5sC%|&*GrrjO0%6fWJc(Rz zbkFFC-bB)t>M!A)ZzkGqp2O%bZE??D)3lo>DFyYc7cY2_ynrtC{@H*3WU9Pqv+9jP z;Vwu5xt#IR|$O5tbFE-I|c$-7`gyy3skoKe{7i%YhDI-F^ z*dej|Nnf(uSfGrc_7fod45gx?t*gTZFcYlE5BFfEJv-5;Uog#8(LjGh$O*q>M$~qt zCgBf}lhx zXtc}Hq)-_GZxWY*w+Tej<#JHK-Z8>ZtmZB}HT_LIN)cH3c`~Qk_`=%5I|aSXI%K+3 zX~UWbn~QF}lhoN8ytn;TF~j^a`xij15kE>&#e3+@_Rrf7%I!h3k?BOdLHzUGW{m`k ziXqO)dLd(D(WeRa3oIm)SF)3#7*aN^zX6QoRYD-MwR#n87t=)J(lh1Wi||NFLqxNk zF@h5KtmP)qI1r#Tf%T{B0zfTIo27=4h@ypqI}oc=cU?uOOi{y$^2?0JOUb~($JK!W zDD$(59ZAN6nd~2LAQXcBwjMb5nm?S-H)tuJS04SzRF-6WUw<6|ZRmC--;9lIQDZv} zZ0XwIHRz_BOL268hwqYyt==D|~OmBOeG;H`d)|FOg1hR7AH<<#DuM z<0Y3r0Z7Ur%&8$Jh-l*1-WW>+`1NU^rSNx7CO<565|DtK~f|s|_sFqde)5L-QRc-bnK>5EFPfl1 zueyx`TLFh%Kyd9=p)S(Yx8K49<)>=nkI8SeEi2lAIiXy@AQmgh+A#ZxC4<=xy8>)VHV0LPj4!jO^ zXe=92z=Q4sRAC75*PKb^n<81Qy>r3a~AK+mgyDNndWxo!JtLvhPjX0hHKM_+N-Gd*A;mgnjn5N<8mS?>04PN@*VvN%j6-9bG^Z6B5R*Xv{9V}r#-4Lg6+9C-jyamATH3-p#x_w=FgbvYmS z4!HGl+S9%t$G2btTE2dr$Mk>j+I}h!(`cd-`)so6q+`N5(cJZTGu1qRthz3Dmjj-r0}ZZPhq zGG}T2x42wu;(t@6NfCIi+wHpk+;#S;4~W+Nzy%C=AcO2_Ca?kS?^~__2Ni&qv>Jc2 z%TMgy(*xU&PXI8*wcq+_?(=(Ra{aczqTk7^)2oO+^64VDA#gv=tNSJ4d>L@jQd9E* zq7l<;n-5UBzViAP__{{nchX(cb=ki9*7GhW#`SU$3JBOc^Af)6%gye7Y%2Gq)SUu6 z7E0+~T7Hn2d>HlIqyionYr38`O?>XXww_M_uj?is6k=~6Oy9)wkG7uoQ7;onNzZNN zb;PnvX{yFp*d|Lu^t6)L&pO{?k{&|WXC!^1A`8WbNV~8~Qc!a1095X{aZf2GP z_g~IU?z1U&iig_H0T=<-Zr1m9J%N*ZL+Jte&nG5b&+rsIr-zsygOTLjPhQ{wOsBlr zrn8>=BfIUpaK0X?r5hiL*L1Ok_g$x#aEgx}leXJnimZ;8Lw3V}N2EZ|JVoHseKmMF z0esS`9GuAFc=5J1=(xHh2$kf?v)9pCW5MMkzmc)+_`7tKr`7F}aPO z=BQ|`T;uE?N47swxSZbp^}L#h-9g^>1~9wsy>Ni<{4r$va@)7^ZL}-n+vVon%$gN| z7BpuiG@WVC4!P>_TP*}UZULT}r$4srioqbVYjAZ(w_4X5tcRg9-J51#S|$D6tJVA9 z+I^tMZWe`~WAv~|z$BS(F+JD~<2swPjB*=p}Oig!NJ=dIxafrS2QgrRaIYHLK zF?*i&1Dv1$K<^zPSj2)GFevM2|Un-%%6@-muyXMZ2HbA0*e zn9xvq9j@@jWUUdq7aXhW`M99xMt0H28KrIaq<(gEmyoV~J4 z{!s><$uZ9XSE$>M63^w}H%s8{Y(kI25f9)lU+e>u{cYIEB>C5aNXw>w)qR>@&#{C+ zjqUBsr1jxAxTE{SOLfX35U>-Y+jE}jvm;_#a58U7W=u6#x>j!`@Yu@tGKOn`k z?BIX!+jxO@-%Xyq0Jr7qS0C@cI-s-mvnPktMamF!jn4t0F$gG|4LZOSE`$yj1*jtK z!nxWX(eLR^>WL3?Q5M*F`hDx>M)|t?Bd&0Nwd3*#>3Th|FS~}s=k6J@3_lIpbL#o% z2~cWA!hBydnlAOfsIK{4EDIzBq&-(RwfLWu$d)|pZ$Cstih&unmF0jN+@a*YKOa!1 zT$_*)BjlUw##ijPrX&+Sl+?*;od zD5Rzs>En#B>lN4JEwXRBo6-BYVruJsCt&lq>lg{VtI6ICv7-pMt`PO&-JGJC_P?kA zwnCCdL?8J8Q`NqJQ7~b*(^-}rIjC!DG$G;O#zbS*YyBh5nBJSXx z_ghq;h?%YbNa}Lu;q0bnVfniqx%bot;Ii`;nlS>|YUuO|c)seeCi%T~}I=^z2zv%E1c|kIst6Bf4@Y76y}|AN;>t z^UjpOPKXsbIP*CGLN*;ZjIV3xGBkd7Huqhn1$>GBL=lg(*5}w?V0uf=m*wHduehgw ze!QBor4(BIp;=ddykDx6Lv{70OZuYAl&TnKfDUfaV)_a3a;#QwFEGrmm|Uz#ZS&oa z(J0bkO|2F$3RMsT_ekXIoW#uSJ2DHkmW*xJF+4h*5v`qJ)2@C(Rtcf7`3I4~io-_7 z!SNoHA|uEr!$D8-&XzGEo$+&#)W;ICrjua9P|KzyZpH57xSe5B_WjR~9KHPub-t<* zsVbS2*JfR9U3Nd|`C2vd6=65(4}wz) z%q(Rwxy0>P6?qE&fHR`Aq+YtcNA5PGv$sws`$%c*M`4^lo8-t?$jo4D@AF>l~3 z@9=LTV{R0YqRPAqjZ#K9PIWQ_v>AxBF{=5r#EFb{Qot<96Cwi)9Gr0MIOP7|NayTJ ztOLz-1deD^OX|Bj*ti3YAzFpXXcLQ2N{P*=oiOPyr@JtzWPh0R21R&pL`3Bd4&g6o z2*wCr)@WJ!L{Shwc%xr@Gj+VaKDw+k%=}&asj}t>!n6G*VMkJsP%3tVOZnEG{j{`LYRKNVX&oV#P8*D>V70N#q{;e?*_vdReMB#j%Jq8J;lGn`#85m2QEwP z!igovgds^O1i@=8t||F(*rzi+P_P8ZwyN}N-*iWi?boQFIhejHeM67&^4WGY13-S= zWg(7;V9XwhHT6-DPMg2~`Wqp7e#8%>HgCV4l9DYdi)7+)th=$>MG{8s74?I?yDl$p>z=mHCCZ2c_0hGcrfh59K?wF| z=b_BSQugl(n9q(ZNT+D{l&a96#f^U*z@gH+Q~ZO z!a^t%HK~53I7;uO571@;Sg(->qJb5@_a(ew_grAmdtua*3+eXMX)i5m(?7%4;?o1RfEGciJT{5GXcu&;I z6IuMn&c?2cZ^5%OuBAi7I^_!`ax~evr5}sR3z$D66>Ws~;P&rIh5E#PQRnj{_EJvX z_!=ZV0z!)TA@CoBF}~qVB-0Go?Ce)&CiujKNqCKPtdx9_8O;jPD1V)4#i-k#b@1uMx&G z>fSNzQSui*h4pegDpt+elLrmU+u};$JSy~N9Q}+Px=Hn?X2o^H%!8qAD zsT&gVwzd;PDzr9CZekAp*0V9Pq=$HxBCnb4@USaxMFK`50I(|`VZpA1kSUlRDk9{8x6w*J)`X*XtUs{{&97ocoXeB z__MC?TaEB784mD?ToLV;CbC}0202Fipb*^a!2v`Q{*@^me}=DMXYpwSB)ivhrb_;g z&u2sX^2Ss*{l9yW>OU1qF>P5L+_5#UVL$v+Ws3|e$bxRQ&*G#^{TCI!b`SrIyOaXHG2)539SUO9jL0n|HEF}8>+G+!)>sJKC&gi?Fc{(tRIPyD zhb5LTK;ltNQ8=G?@jRMDB=G;eSXJ7;$|2m5_6ey1ycrlADqIn+-wVUMWWRUY&*a{T z3A&f~hh53TsoJ@h`JGkGE)eeF5r4TLhXb9sp*{+!C&~{3! z%75?2rSJ3DUmyO$OEpcP5D{w|V~R(}-qR7MOJ$j~xqPuN1#>fZa9>rFc&ru;&v##F zfTF{q$gPa>mBt<`0J#-nsT7!sjZRd5S!A`k{87Y3!1g_N-PEtAx#xTwa{eE#AF?i? zN_H>*Q45aWcCfg<%i=!SBK-~`4v!-DLM|OwNB$zSa~g-Go%K1Y)L@m6rhZGzGDi02 z1w?5OfPoL=P6^f|iH4MEk;uJFYu-N7hGOABRvBPQRpHkN$4qfQ!IA9>x!OX?c7>pf zs_J86uvpUs)lG^23AIXk)TI_VW+T_perRH@5}YT~8>~>;*eH-)F)_^hmuURH^2e6H zx#W9^0o$ZDMhJjuQfkRZkm$Xwvkq9|;;sfdH##T_#3Osq3hyN)0FBi(1Cw|DNZkyY zDyfUXQVFUWW{l%vC%doQissett8R<}m+B<;CGYF$R`S^DBp!2S{=C8_NfZwKVR{@P z`>Z7v5->AQ@iZ19`er6t7^UjwYrEa9g1aN8lJF9Mg6d&IGywaeT4r2jc>~mF^3;MH zGlGO7mRyn(zrb|pSJnsduEC#4Stv(sI&9F@71DSinvNFG%DN=Hh@QPxvOZCvw|~OJ zreJW7{DZ|Ha_&XytvRA5-VUcOfGzu1>RAhK+Jg(j0QH^94Ay_FBTN#93WzwE>6*sN z?nuu2U9#wdoyJ4gsrV? zl7|Ih4rwyvdh_K7o;Kb-EhsRYMrtyc@OYrz4nPYcG}bqgstTA6UQs!69;zkm=-(O- zUS%3|n0xq`yV)}BlK4EGcQxXEDAz&=o%HoYI{Y0kE9alt%Hjf^0d4AeB%6>T+e2%J z7(QTRrpk&sO{K~3K)4q|;vPNSu8G>sZf7@CP%j#XeG?raBXWe%s*)D`J-4jPd}PMx za4tuaZ82wfvoy+a2)6tmp<0nvnQE>yYMz`hUZPQBork4n>Vu-lO7e)!)c{Y~LxQmV zYH5OhD|u2P!WQB!a{L(6RZ1F;rT>q7?|*be01Om5NSD;J8gQ6$TrHcnBMjk-inF93 zJRpS@ro?jH3(2MbwS@~X!*JXdQg%o$o;&W%5>%%}DYQTntb}5a%KnA5Ad!*Wf)`R%n%NCoZ0vD}1y@#c#NnkH$? zK{N|tzeDaGl_V-Yo%5f6D7Ely-0@*dvyL;`C(!)>5jf)J{82u`CX_p=ZfL=qSZr(S zP<=?Ija8kT^0b*FX(UU3w7Nc(uB@0!aNc=qcwfvcOR=7}b#=QZHOq~ku8nkDT{GA| z(9HUJs27}61&7J3BT{#QxfdqQeE!Kj-t?OL$z>kz$K8DA!uzBFc!sAw@on z$1C+Y>Rhu~7>8W|j{dP1f0*?fYlqnydXyK{UHY>mF*;xL1Y80;3JbTDVzz;NLB=q0 zIt2y=vKiUJ8RycY0*8uTSjS)OQLx5FS)(}Pgpb+-OqgTzXPc$$lqva!t(@7yT3Wm8 zI$9NKQfk)izd_P$yIB_fl?)1lgd0)?gd6P|e)twa#QAPQ_5iC5tteB67I#)$gU#bW4e-K!RnjmIx}?EDiea-|MNG59pEA+y1s3 z_~3X%rwaxay(`O$J-AR$8OE9sy9ZErW*D-^pLPuv7~?JwA{uE`+nkv##j{?Av(WD$ z1m$s6+raD2g}DJOq<+W72$C5XT%ep4Q2sVsU(ST zmaHl3-73L*CiFp~d=OKQBWG?k?oo!S((vf}CKL3-*Dwc}qCU};ImBnn8|Gj%j`FX= zsznUdbC)8`sWPY%TxV(8`IH^32tps@NwdLXyVr+7TRAR~lWyl$q3&M!&CHJ7w_fLg zGEOFHlIa~et!t@)l7ZJILcrkitKp22J`I6kRz|IG(D=xb3Vko^2WE3^jx(sK_?HhR z%^nIHvR*%7h=Q3B5qC~+;ud(ZYx;B zo_XtYLDcB_s6k6!TdU6m^o%(-wAfU1_^XA5rG_m>w51b)A^gAiOnfTNvQk_>JdJ#z zgvfE<^23{bMC@2AEvjFi3H4`eqH#@x&&`RWDCYav7+MeR!VdRSya~40*5qLUCf{IZ z8cg=3tB#i(x9O!aWb6>FDzT>y3KFQJx_yr8lMcw{=w&i*2zrT8m zESzbUwSKPaKZbkbxaq`Ozz`guUT}VT84!rfj=F0IX$%V3kb$M5rY)Kr!jumoAXM}8 zvTfT;Y9@9J1TmpJZ?sU9b-x!N%@=(!xzN6?EPfk$Y9L7Z{_{m0!4c9l6Y5fv zUuBV}O=U~927dIRj1=-!0huG$e--80)k5ecS`YHsdw=w*@e13k(pp9K9NkicoeHVy z<@RaG59h=3*^vMHf)XkYLyA)_pRvW%yf*XsMYL2|Qp8T>Po9M4EepVhz65nHLmV6V z#bpeR_PNrwz&C@wycpRd?4Bzu+nZY+VT+S2#R5yEaN(N^6&+=HEQa8A=|&v=WuO0m zhUC3Pcg~@5#)0rcf|s*9;~k8+h#G!xlfpH=THFMr2rrS2IA3&ADijO-N5pMcXcXSM zs9gf_lBIxbmFl@+X{j5PWRbyiw)9KA&{w;oCmjrNFcCpgMD$B#P7h;oE?LQ%N0&M$Ji?R-+&SkzQ&> zn>fv@weGTqZTwi$(p_?@nXInd-V#@WzZgOGZ21ISwd#yBAtLfcNFk&grZ1_h@19Q_ z&D&WI$(a+y`07pUJ0Ab-{{VqNe!s6n!X#XQd_a2OLXZG)deC$jvArP;x{kqx+Y#F) zfdK^s01A`Y-WOsE?d!-(}s(j$X-mT&*r zKIVg*?GeA9N}|Xxrp5W3iLvjKXeH>d1DIdGTckmUIrqfCs{3vNvnNZrdr};e9@#2m*<75_AR!T7^%Jn0X5>4uQO_+!KUb;USGph z@;l(mpLh0V%O(Dw3ja^l**hLv(`ihPg89aJY(vel(h1c3To7Z~;FAblu{d8Ex(i`M zeN?Gr5JNBJImk*-+fQe$yu=>T=z&y3Ko$_`w+S@f zXC5(%Ur~41V7Or7s|%b&yBVOw6360-WK3D3D0y zWe~p#%@mGBb+Smz%q)+@>6eI$%2imLs&VROL*B*F$=q#{s9!=H;XY2dYAqIE;f~GC zs;%ZJ+ZoneIIiS*ncyfHgzMnkq{2nGM0~8g6;>~6#=%!DWqO(8%$T-UB3%hb$+AzlpykR}p7Y7E2bMO1g@$Pie*U#>G>YL=4>O!< zj=K&NB(ZBC@=_z8t8%}3%4V!i>?v(l8>XRA^In)!YAgsBjbI5ZyAREP}y=8pE7& zV^+)<4%cyu+??@>R_t~3&~dOHZY>$=y#3fK0Gf`+7yE`kSIK__lGkeRG_liS1MZ1$OSJL-{oTt{b- za3PP6ya+n6!}seF1x!Tr?|AwckbIGM7#tUh0|CW>HzN-cF+zn>L@}qmqATF3{@eEV zmhd@R34d}doNTRB(yOuJ`=pC~w3$TIO^RC)4q`s#MI{(fk6=%5SYTP=7S~iK;2JKI z*7VkG4^_oJP!cn;o(2|U`(%f}ftb}LmL!U`@7I6@Fi%hc>}3q&v;|b9!A-? z^<=n8H5HbSZE$=XmZd%mce@@4Ixg(pO%>g=LBu!5`8*v@g+Lv*`c}&An?4uE))oLA ziQBVjd_)-cS*#L zv=S2aX#j1Vjj&7BNkl`YB#H)7l-#BPriJF#hdWr+{S6{u`6y*;E6kUen4E}1)ogKBQB zV(pT8(>OUQRcp5khO#gYI5c5CMuD!XQ!b^Eu5!(GS+jObd;;z-{zK7caZ>ECLExp` zQ-%ddu!F{hZAkN3g>VbeZN=uuY9#U;f<*xA1X;tLvwS<1kztQ|7sZZ&!$3OV`M?Kl zIzKyT(;`$+!Tzavr|guR^4xsY3NWb4c!yhYU~iBotg%L^Wuob@G9JT-3!adFYHKGV zz(Cl_GF}LE`CjY{xca8|r%*QgAzwCYC{;6*O6lkC|6XL`@1+XbUb-)rx)J%kB z#D`OBID0ahUiLLEa9cPWt_90GBpPlC@JTzQ0zy<7p3J5%$f!~5@8TghT|>%cJ;f*! zya5q1eXdon1RYjT-V_iSl|wk3=PFf8WYp%(!jv2PD4nW;O)DF4Km-0;#`uSBHRdNU zPX(sYn4iycy@~U9Rw-HFjk+k4J1@3XO0n@&ncpt5PDl2lIWe-*XachGWNd(%6wPaH zf+`|%u3|MMH?qz6b56bNlxz}n2KbPnO_lw7JEn7u;(V=~A6}Hr^RVqj6-XS*B%R#Q zgL0!W0Z1aJyHTGxXbw1k+H+tBe%JII#a!x7IIX@7`1X$wN@dkL`pNFfLb|jOY?9vL4@1dG7_73=!DRoycyKOyKynDwnmMn zTS>B6O^{F95srptTkY=dI~+aQ4VQ3L|3Fr1mOJX@*eIE5sN+ZMj>vQ@6;nb3DXo(tstjGZf_{2;_Xh%g0rDJv0be005wL(sP{%p7e33{l`K`*Cy}| zN+De<+3JFgQPs8lO~nsda}?41*|XR;z@@(kUxJlH$nO%V$^h)J~W54tqil;I&_ zX6mKMLlybkxhZi;Gzg%@6E~qo6*TjB#*Rx|gbgKH7Cs)nMAmebt;7aPKO5sBbN0nP z)E+y8x2RDQs*s2f!9IA%5~5t~BJ{gMrTW1Q4Ljveg8gy6`;kUm?O`2}3aA2&#LsJ; zE&k)8MMO+eOYww>oNY{EWk{iswlPZ9h=sbkafpU8j+7uQLxP30H z@cx6wB)uejQuz?FPIJ-yYHi}FtJaKHyd@TSU7cOYI`ahkF8Y}ETRN+L3vd6*naW%&9|HJllq;i>K*vK{3!vjd(g7i@ zoQM#ZD4%u%unc^lF-$rKI>9jZuQKj(jP$cQUNTK#HiK7r=gz95{;z4zlWEETdrlf zU=;rt3xEZP#qlf@K?y@X13PRG>D_RM*rZ0))<3FN>QuUGNL96U|iQl+Bx>T5fhgy zm@qh)^!oh7Fi3sAk-N7JC}IJjpeX^8Ld%uvApzZZ&=)Yz3C%S#VyC2>AzX~)q4Z-w zdBZ3+CfwYIQKaC65=`1Po2qPadeG&TL=oKqNWTD@Ao?*A2*$~!mCB2Kl$9 zL%I3%lU69;_Ty%?czg9g4o>O2gP4FA3S6=n5sw619>#?+J}|2@Bet29@8?0%2MOGv zz(-@Q$un_8!M~;9N|}Y~R2$Y}RrO-YtnbhZP!eHxn?y1;862@>LQ+op{I~5rRph}tyg?*`$7!Ar|r&pMC zM{6qTCY0Oa+x?fd!UdBdVZr+4vd#JeKIWP@>O_e+ezBvW8P9xjL5qO~Bc^ zs>FdEkaQwuodiV#p9n`e_P_+%8>5wKIC)I2n`I5lExM9|!wac^E&WefTxBuiK(9{@ zO4cU;C99=Qtq& z>|j+$+2K1WcXIiBLxrgFS>@g81Z|C5d_>3cBE!x`^x%7hMngCzBMdjL0Gw zkuA%Ll=%&&GKRJ{r4t)R1Omv3mo6?4cp=kCZ?Z3~luX4To!u$RG^JUkq)F{$pEvbh zZ`r&zltNFyTnok@u=IeqY5LzIVPks1jzi@4+sx{}78&1V$ zs2;q>bz~ELo#-mLVTrnQqycl_v=O#{M1q9Os zacu=ly;F(Y36dwOPR(-Sm5Nby-YAe6$VgQ&NR<+*XxVr3JJ#42g)^Pz%5xN6+xJ1_Jrn4l2Uyl8(Dc{qdYPO&%be(Dnh%tm{3j1KrG6WqzdYSJ^7c zHp-y~#BADIWJLmtaI*jcaE=E0*UgZ)l55J7>&WGXG1H|dScj&HT!|=^K)I{2jC$n| zQM>iZynP(m-k%(|k97BFM~_{O=p;H1ptNLdWobA*bFr^D{pE6Yxn3zNuw)9j$paC` zc03;1k*0uNF{87mYry3v%$UXevj=`qv!^+wAalyLenQGQDoTU_a47 zAS*XXf^OA=QVJ0Gq99RA?TyE|i_Ctos?JF*t~{b1NS1TM0i1t*(kHxK=?z)5&9D6j z*${?-dg(+fYGc zNCPniBR+_HpkU#SO>|CN*CVmTNa3;C#k3nc@Yt&vq!rz1)At($(*^IIi+7Y042;e}@o^^Q0t%X8>HLM^T zfJ#kyL?ZsLtP3)ZyMzNjcQ2cwP+)e-BlJ?((6C0$s*qSQ2B_jv33kiSJ8$47R+T&4 zjS&`6=P`JwsFh}vLY(rnrC3Ngt1nfnFHPN*(*sx?R8$ZPH?0?OghJ|W$7m2r#P$po zMSgq4?`yZ6w#Q{jvwaJcSY5FTXEriBW?yM#A+N1~d1M`M8q0}oCy*;6N5lO37hTEJ ziZh9bHwZi&BnJiM+x0+W@amiFr|g_r*}g6=?FOE}1PD7MSISVf`dMPpFZEoDus^!F6BXiEvTJ#XN`u<7Kdy|x0}C#HxD zsJkjV&Z;dlh9$~PQH)*IAeguKvmZ)b%mfMxDL}h{z}RpYswdKL9Sx?HC^iemB-&S; zQce|wT!m0nyBJM*v#=XGP)b}R%2~KlDxIZJt8F5*r;h)Icmm@RNDwmw9Q*O4> zCl)I5sdn~M;u2bA35j#HkTy*M+^0$pNg_g2(HQl}bl_ORise!Xf=Zs&g*=|%0v=Ch z?T%4fYs=h$Kw|+KL!FzQDkLr7gtmQRQvQ_WE}GyrzN}DFc6pEMM>O$=5URDAvRMTV z+UNf_{a}mB5U}Hp^DZ8rM4(rly0XX0{9hHb0n7CfP0Ch2Q`$#)&Y9=jEeon;8GAy- z$s&Kfq;x${I%YjlHQV^_MeBFbi5Yt^Wiy!U8Mpsf8kfUZtRVh<7qFIEKudzwEdiQa zLMiLYL^#%4QCtB6S*Z~TSxhr^V)mQ9`sFZvb&C}$g0IixNX7O{$_cg0VJNlKP|A8J zr9%xxl_hA&kPfX)NwXY0WYQccqV=4zFKXcF`^!A$#7jNZxRD*hZ=lk>LgkV6WXWuW-TyFBP=`RvT35+v=u^I$F;vV zpO&mo4suoky>vjBCsr70QTltsmsUB!QzuWN&0U(fJ#JPph*px`0(EVMbQ_3=j+82(K0vW>(Yv@P zpPM+TiIf>@Q_P84Ly&7*&y~agF|s&W@F{Q7`f@H4Ii&1ti3g&G9pXn#6h-1T&4My^ziokUNYK9EqEPCA|TLgwHa|=m?-Tp z^UOvs0LkxXMaN#v>wac7rcTIG6Rqws5Ll1;6}Tqh6MIJdKX|;ZOVHYJ2=PqLo|?24 zE@x$-AU+YraQCT$JIThXTXR{~b7|Im5*k&Dh6!709*TyE&pqgV3cUk#s}0lha+X`Q zTx$DPDqj{d&x91^Kz+OwGqzG@Z2JOY6{nsC#47bM;ZNi5+)^QEEqRPc$tvH%A&oiT zh_l3n%UC^};4yDmOCo?52ql#0JLzL;23;3&jt{yvet%^y7KyFO-*&!qPR(wsp_-mu z-Ox%ujMxrA1nN5VNgRutn36#h5Lqn*Ckg3?uB)7OS^lfq>?1kja5qH2qoST=Jw$TMZ?BwCN4 zo*!t?>nu)gVQgEc@`*E!!1e502M|S%ASm0T9w5TX2Eh8G)O|@-1z`K~mc*CJm@EdU zFH4k{it%-}Z%Gu@ISo^lb-2;|;h4&f@{pHK37P9q5E9_r(U;Q5s~yjnDvY`JH1Qsp z0I0b`^=KlGT*{7=_vu1gMl`JBI8MdC?NDq`e`)4|8`Imtfh%$2gr2OSV#76K4R3Hv1Tt4(fHB^fr^B zPb3qWbPG`}xENRSs?RB(sntw%w3$if>oPb9N;W`S6Gs75l`$h(?6KVdwWWJ}m+P1a ziuTwcOD-fyA{XApz6f5Ak&A_K=d&(c7ms#v6ma=01(h8q)P*fjGpX6h~jx?oD&*YNvW_f6q(pA z0z*?zMDc|&DtX0p%uJoUqIG@bYz6_2GbcI-`Y0yA@?sOfWwh{#h*5>}Roa9Gwl<}R z4x>)aJEgBX|IOz|bQ=3q)l(VWb|t4=)>WwLStCfsYWrDXv$(K+aq*V5J67$G_=qua zzj!u zPZWfsGWjIMaV2Md{P=ZLQ9259-lX<$0=g7<#aL9r7L?&ELaQqZ^-ZVB?P8joVbPM* z0!|?rd2R)g%hKk$)%u)n-JBRQUr&I}_PjN6Ugmq3OMThRednq^=6gBN z@gLUohgo~RPZQcT-;5yRMReDB7C|)wc2JI^iqkz&$57si38(pP5Ax7dZDwf? zr?x|;h}uMwYwj{Y>gSxMy#!`gThK(#aigyz)%SGDDl{!+QbDRq63M#cK8+J+95D$} ziLe-TDYSqR-BddYT@o0GxqVY!rfvBM_KE70$DXx7HdZqxYsXU#iR zrv_)SEoOCy*8GzYp*1g}v$BC0N6}gktu-c4YqIN;lm=r(e@`d}zW&ZrQyiR2v$`He zDI+V#RWpG6Vr^=qOVepX(y`m9$#7TO9ip_J9+CIE>6?6+a(!=Zp37F^jY!9biz|Bs zVK*6IAH8(p{5g}FlWMoB+s%&6)SS;;MrrB}#BM~xBu){mD1w$Iw8Y#2>>Yd21I9U7 zrv9f$lygYP!x`@_>U*8yOPJN4i#Y3(9fZHDPHW1%NebEif#hbe`=H6tjNnoHdEV0;)-RWT-A~X_NGY zDUebzXs6Q6l`6{HN*Ooln?wa<=K7R~OHA}8Rb+8r#pUBz3Mcp^>G6ZqUQjJU8i!fW z@s)akTNgnW&qhw>POX+drIc}y<60N&EK-9;%Eee%z79+(Ii_0Os9nFWVpW1L(o~g$ z=0wpO6DG2iMIzggDg>%fj@onMywh;X&6I9Ci7GU&JiC0&D~A9R8&3J_Afw9G(Zv~i z{MjW(S631^uptY$P{3zc-ygIp?@f#d?xQ~Q20lS;;$qGIO^ctc#5Y%9=9=SGnT|jghM&h^EkB2 zqX_T9Bw{#62DH?~)Px!cd1P5sMc(w)$9r4iyhHzg``RxYgtt;w7!ph_cXa<%c!m#w)I5>l05);FAtH819sM-2!a0v4<}Wkn&CIW(f|D}DxyA6A}T62M4O{TMbV!TL_k*g5Em)5QWsjQvo>Soq*-Vs?Xk%g zsM9YxSyRb$c20G+k=k)^la@$4JzaOZVU%Y#P@2 zDV4NCSZIGf>&l4b_!Np0k3_JzKI=kgk-Yy#+yiN7Rx+7YYQt)?QmXrKh7oQ^(74ZM z%*(Alrgjy)K>U~pyLdF=hPPeL84q}<bBPOjlN~k?oK3Ekr7kGF37g>~N?|-Wq|Ppe@Z zmTARo@J}^QrZpS2#h}-`^)!YX zeAPt&^j@gHrio`S0-We5uR0Y)q2yHNHHp&L&=Dg&lZf__CoB|G+1A!NI`F&sg2t#? zL0mGPXw+a^W0$MQGgcp(nViB>s(gXGMcumkD~6N9A~2^3%w^=P2T@P5;QGr4+&BS5 zmJQnG2Yq~t$dIX%W6CD$`dMffa)DhRN3f7+v#MA-M(u$J?}JUGU3X}e?aCEx6NvhY ziRV~jXylARoILyxhjQ3DOckkQce@6@A*H25ISbvTFBTMM8gMU^{mxNEV*6G*`(x>f zCJ8?|HaFLFAfDBaT24PWZ(Rr^cY)y|qP;=M<3^n<*yHS>6Pm4TX3=t|oDMb+dZ*L( ztQkv*zLHbXVxnxD%mTt%Vs0!=aqEk6-WRfNzf@1dLEEP;lBr$Rw|aM`Wi$ZHT)^8o z9T)Wxl2^Z9)-CfDhyy}e+DdkfArVC_udwM0GYJQX1q8W)z6*tSuB`WcZS1x;h1gpz z3u5MzbF3@x0yOcmEfJ|~C^uDxVA^kF$GL?O1JGGG=Fdc|-%=n~e(`yW{G2AAo>s2Z z!G&PvP7@k*tq&VHA8x`8XZll^Ik*bPd{)o->_8b?G3JtTcR|kNoQ3^}y5|u~q&HFA zAd!b+wq!|kE_JZHLO|AarGbP6vwY z>1r#+qHoB}W%5@otvHqZDrKF@A0SfZ^l;=AT_&di?81~DE^95`cOP;jCgnf~o_}Ln{BGAy%98w$OIg{=`agc3Om95fLm zD$WnvcvN*$Exg}Sszmi6LBj>3VV6aos=MtCT!|D|7fPG1RaI(X+9wUuVN#iOJpwDR zP^tT}VpsO+hNgmIAbGVhk_M#rfWwt*nZBogQ=@1JoCU6rk7UxnT0T_*A3>bHD4UA6 ziK^acDVjbPLlFr{LKC_}Ob5$4gLOW09BT)YSYc5@Q{O6KJ=djc4AoK&)dTio!zs_1 z%~-WkYa7`xh&|j7WuC6)29de1(h)Qjo$e(Tw>+;>fOVX)bq5aTKk%aYco0DDvp{!} zB+R7zbJ9A&OBe<~`ZP%r66GaIq|6*8&7f?Wp{SEog_;W#&*Nwtk$#vAQ6Gm&e-rl# z-uFuDW1TrF<|{SQgmt?xy1+IFU}3GfGFgWeO(82RCZkkJ<-P%-gIB*{R=;90Sj6F) z+ZQ1K^`(gGb}+f2q?1Vmnwv{$%%>)Oqn!Gbs~TD`fLKad-1_=-k;&8(k+enm)T;QJ z$>nG&Km(dAWu`7QbHbxyKCA5enfl6SU1q*9DN^YvPRl*1?&_7sqZ&E4Vn=0DoD4c0 z=TFio-@&q4{nWR^?8?tpq^R^|t&I)O#mXfa|wae7JLpE1KI z>j{Pol%^q z$Y!eprJN1`erTocNn0-VaojUS}crvI9>q~I7?QKY8^4{!iU_&rjtemTX zWeMwmGsqv0*x1gZrb4KAllgKg9atri72g74HbIxzfM^6^9PIXJLVPLI(n0fi#FAl1 zZnUADmg$@pV2!b&4+ldL!NxkdMesQjOHFgE)zU&ZF4EYvTg`7bU>=F({biY}5*5=K z8d{{)#~(&LEAUQW8eFUvq#1!dFHXH5G7qgRoJU-YSiRM|-)xUNOkt3`oA3)l&58$+ zyiA|>B*9Ua$Q%&+;yFm(g#z=Qa_VuC%ElE?jP8uNY2#4)NK3Pl8IG+)nBJz*X+9-n zkE+WSxCJfk?Jy#uC>Ix3U8y0NRx%gB^JYva4=SS58_Nr~t*o9!i?=MSo?YI&?&QfE z+R;r@Cr>V|-Lbm0a()?|Upafr7COC*HkMy*n z^~GhTVto{8Zm&cG8P`SwbeEi$i>qr}%bQN$yZc1;mznF}rYqfOJZMXC$8Bm!7_2G9 zK&^&TclKJ2C|s$2rFQ%LJ^jszR>_%n>MiKQDwCna9mbDH zJ})OvnvR`3DMI69vXZO@jnGN7rJN!ex!c3BN=Ud4Z4!d+vQXr^PuQhGv~1wqvQ36D zV30sP(+3($ZXzDS;AoP$%bO&D_n{$cK6|>;CPutBXgmCOC+?{%J=vxJ4 z9dw`MW{N`r-m2bOMj%<pjSaN+rLASW6;n(TdOK`jW@`mgGl$KuJVI|EXHO*NdSd%ely^q z+=oJ**f9a(r~tna8zk!b7JEihXn@s`hVDrA02nO|W_?!A`AlvO!DRMjFak6>2IS^dpXXQxE@cW^(&XQA2 z-7+ZSbBZE9CxuBvD|&l0MjAOQDx)s?Y~bmty8IxyuyGEi9jqiBG-46e`@_9rkM4~a^CMl8tI3^pJtP}G~^FwjZK(!gsfzG`?lEwp3_=9-Fx8rr#^r)25CRUOGO+y^(ywf1m43|z-$5m{%)^sE?e?LpxA#E}>AW=dW{17)4ekk-0W_vTvl;d&%>WxDXKs6NhME2wCpa_(?Rtq&KgD5H{@Bn4rlFRt|C;GN#sCu|GBa5Hb2jepExx;Dp$hK zxE-@(+5>l+B+Gj=PU4mbB7wRRc3n}Mu1gn|U^4J8hjue%Ym1awsg$)|cG^Wk%|;H_`qIBO7Bt?1ve1^^5)93rgq z9)*_54Umnkl`{*ATWcFHy?D#o`DLh{nmOL9RuJ&04BKZ*n8UFm4+9evuKT&Tf)WxZ znHmo+DQKlG*0_MY#Lgx=mk!GwH++NPD*r%A(H~*Miaa|;DQAV_4c0mE3h3TV&J7xE zdxZkwZW8z5g*fSn5_K|cO9IO{>BT0IA$4)J-6s>2U*4}zsiO%R+7#If_H~WC69O_( zK$3VT@ABCLsEZROkEYBUv&T@&83TC9)Othos$KfZ{@TRm8Wj(qB@uWP4mo>glO;sx zudzJ9h!9Y|O}mmqn=3*p&IOVlMofWXw0RFMjN7@p;6DFap2lC)Kx5;g1)_{ znO3&OToEKPjV?sKDGLgIi45pt+&ZQu9n61-6S1K$MI6g1`-Hx!8a@zBsoF+8Eu*-&mj@XvR*n|}H{+p9ZF$8@d zq7!weT(xLaG9l>Aeb_Y*P!Tw}eY2TG+{Cw+Qp6>!XhQyUNIB%;TNLyx)inVLf-ccG ziD-Ku?trkbSyLgrj-jIia;t}!?7A~=DClro>40vg?jbS7*bD(E=ukEk<}zXN6ZWBL zD41Yd(}$dUB6I;987nV^>OL5wIM-4b=A4PMmD>5pUg5e+z&x@k158^5)Kc{xWo}Kv ze0fcWIlJaekgP>{f|;<`wweikZd#d9sgf(1$So*SJ_rI}HTjz~q)3oNL*a4+BqTPi z>A={zk;Y6yQREw35uI2%eeuG^xfzR-bxfF9JBj1Td>EC&*eumb=!A&b7>eo)5En?q zEob`LBHu@eC^{r7>~YnlS!$LcGLr1|@E}fzXZ68EkTx^(K3dqs3Rr|7Lltk|mSr3U zc0#^jCUw=ko;ev!0xeckJY;~{y!%kJ6V5dm(uU?-4ov~d0brKO98=V{BF>nugzI=4 z=NR_dGJf08Zrq)^4kN{xIn`9uwmTs+odvi(V+RO&D&j%Zc}6=G(^@?fCph6guqf2- zPTgT)&4roaFd{`QU*#-I-3kh7=;R9hEsokWiEuPb<(#lU7XXE{H?9UpqBv;CycmMh zIxKQ!^%bA?b&#{V6U61~EM1nu0|0qe;J%rtwSKs)0fT4iuzAnQ~9&7WRatN`=m;(t2sS*}|wW zDK*0`b*rlU+(BRIsjQh$R0+1LF}QR#A#qa73G=9#D*vP6YU~15p^~b)(^C49*Kc1m zR7;tV)=@n}R!qY&3RnP_YfRFz6+2qZZDd*U@W$zdMYUUUb)5A~&NMo)#mq&yDrOkn zx^#L`)v9IDOse>Yb>j8$-bJgTZN3>R!U%=OcTuTW6NL*nrKu|>`Li$LyvL1HXuI|E z?75Z2<<-sQiOA*tl}e>jqgI3eEtN`{|E)C2)%q3X+FWg}Uaid48&{OdbCpWv3RJrE zCMW+JaK-D2(&KI`JGiIGA3Eqyo;T;@S+mcZw@U`BIHdwN&IkO|u9Ql(u^(}%DC>4& zXvSetcUB&2@$3};aBF$v{3cphT|$d%t4k|eD{HHpkU?}|bGd*vme)7dmM$#vp9}ET z(#q!6#>(jn{1+flcF+<50|72goszwomLr-*agVFDeW-Q>5zA3uoQb*$qITvMxLntz z1`3iCl8SyFGB~d|wZM+jS5dXgbNPcn4NCRmh3`yY8J=7*X+nq79utXxdgCPZhPe?qSwe;u^7!BCzukH4j51Rt9h;}Kre@EARR30li)k$st0?JOGoITFXa_xY;JT)TH z$5ii65@K;j8J`yzMxR8)A0nRy+c0r$8UUYgV{b++I@Dt6U>6RFf^|mfNge4FpB=(F zX4MzDD3@n^?uuvkfZnoJdwK$uzAn#F-49MIwI;yBGX7jmDU1py;wu)7?R>%76bYC5 zEWp06#CAMr_h}-9htfO5wbi`mB1bqd-D?l?)C#rAaNO;CTG)yTnCHBC&hKr~!+r;` z&UoczveO<->oHABTH?IdVwrUiK*tdas9WHx(8fOS(Qd@Q3qbi81gh*8-v#!h6EjhK zo|4#X7MTCIuk&zKmV*X`I9b`^eI&kO+j1Z4oZq8(h_ZGg7`GmY<(| zLR-oM?4_|3k zXmcPA*MyBXW~^;yOJ#!H9xe#%eJH`_fRmugd`G2Z4AFi#lp7RY&BoYVo;VxTFg1lLAHnms#*)Qj^Pfmr~m4lAbTze zp*kuc#ZpCrn%-a#&7e?>)mpti-X;aq!#f1DJk=qvqgkgT3rP{*FUbFjyZ6PyXgMGi zWvLZ{m{B8x65FswI@CT4eQs_-MRk~EF1uvcz|R}Ycdfy-hk}SbyIO7r#3gZzBMQ5- z6VafnEE+=9*=KM36Y&hfK9pFI24KIfZqgHHJ&m#-r~#>*7hpiRT#GAt>CVX}cKK4M zv(7;)9lrkB7K#&^aGutSqVJ!@UCbYYkdub{33Fg+-8y1%ToeWB!M!`+`jaeJA0Ui; zyc-W_!iVaUt}f}QI&XA>j8xoDz`>ayIvz_?+t6{%;tbWW)Oz$mQ%%4_84NR=s8l9p zjLMy&3=Ol#Di?si_H_Fpyr?rVk1KiG~LHTBiXW2 z2;x5Cw4r~HmIq71)ketwET|iH;D4Duk<(@~lJ_IzO0t46g^e22 z?W!3u(m|Y{F7Gezp0GC};?j^3F0^dbS6hetZ)BiY$6MPg_98e&Rhw&)YyyJF=}%UqrZqPqJrxb;oUED@l1L=7 zFuCI(3NAI0(W5#&Y2J*ewItVH8h(7Kr&rguRu-41#Vyg|5{Fo|!BuXn9ea0KA|Pj{ zjLa;omqkjMo*2?~W$_-xbR>6LRk)x%{ZgobWDo;^ArvN=SBp&k4Cl@(FdI&gPjJl5 zDI2AipP1bWsd4cs)lIDWXy)3?P>QSKef#htTbQSq%-+{&01DBLku&_r?3xpBls=0J zqqB^au9vRIIA)eQnVkX(#12$)1uTU|UXc%SsMjWdI)VO>D;5MtjwoCOx1gukP|k|A z-k>}PQ(A+3*td*VuA!v6bjhvNp?a(%zjM0 z6zhOJg##$k9e9JjuE=3?j1nxu{!`1Dm1!`+RuX;gW&*TI6efY-=q&$qMc2HMMU8OcxyGkVs^=}p0G8&$nA-xRUY zIlYyD9&g%0^GpXuyj7`FSZm!b>kCzy^HBYTF-xy}KNDIueV63swmC^Khi&-E?sCsQ1eLjq7CeH&}k^^ zFGUvali1Q|;({(jEdOaryvyub$+W7+1%o5g=x2&Ou8w2GdDg33vyN_`D4DCeU4N4}}2>mNz%C zj2M7b1mne^Uaa_`5ct0#D033hu~6V-m3CUJUkXAsm;LDLJHXk~L6onF{n*;JEz z$I8|%YZtcA9Sa*93#(fz%bRFz!*9!56<%ye)1x+LjsZRENBD_`2cn%J;I`)1+^#u zc|eB0PgVlKrv@?zNY|%b61ZfhpuOFN6qKuxp9A^*gisV>UiKMSwk0QbD(9+K>R`jxtNw*wGo38`})LH zulTTiCK$HMn72!P8#~-aal*n7cS!+sf21TOiA+|+!C zhDkhA06ydjdKQS2G&Gowy&VcpQdz#3#W9tWpn@ADd9efL9kc*9;__Kgl9#t^6&<%W z#T`Aax~I2m)>*i(yG?1KZjUj6f&$W+a<&8JiZJRBkS7IsXD<$1A_fr(7*tBXA@CjP z2Q<<9QG0KF)px|&zC@uwZ<*y{hiksV)dDHtiL$R~oO1UN2i?MUxg{h_Nj+gOpB7;= zK8R=ue9If6b#Cbv0T5UI%mt|tqtIW_bc`3pNOXe~S!^INVQw?gj*!oM!;Ae6bJNjt zu5JkpYCXr(t#{{nVk|1hf6gO@UrLtiLG~_d2 z=2R>5yB0TEYNPIpVBqD|C4R2vg~7q|h4uC2)uoj?Pw^!Lv>*)qp$uQJL-+VI=*q74 zB_V{iCj6iv!zj{df>Ns)^+_Zunh0yIVBd;Cd@n{MaDDdwvG?_VZR1Gezvr*ensk9) zofqiKZrb#|DTFq=K)3|D*N679j;$m<94l)%K#u15+rJ-;UM$&8NN7uU?;&@eEw-i6 zNSYaqMxz;#h_N3z?gfr1vTo*9vPlUXSFUz5NlYMB#ja1=Nte(TkHjgAHX4sg;6H35 z*sa4hHOb1V@DRHLZQ0h&W+7M6ER3CNbr1@hdX7K|{f3bfP?97s5(fry(*}{ufNm(| z*`8qAg?TDlu^7vv)jm#KR^WtGVgh+ctx4pA;hM={i>(#r$)|9Bf&1qU_0@U27&&?F zs?0Nqk;94Hk$)*AWpbE!Gn>t3b95u~vZYR0=TKY_iKp$EO!9f6JA|Sw$Z#!vF1KGY z5OO~v(hKqx4~9;t@erSrsf!>Q6-6l(N89z2K3K~f!(=B3*@-2&-{x{Ee4TCZ8b@d) z4SkXBA$-mXx|PxxFNvN{jRK1_@Gn%qrQ!|4*2UOBK@z!$L+q-+L}*AZaTKOK`-HV5 z(bs9VU!~PN&>w!^^S6Tkze+`U*EW{>|5u(qfBHP_|Nr#GiwFPz`}l33Uk)N-Mp1*D z4SPIgwU+MVhsTdmdm3q4^wxi5rp4OUFN2Kj7#VZ4#*YAeYj#e@I!v4 z)^{l6zSBZta8n+{U;}YF4fQ9!ng%#dMS$a8VrdhbzuWU z3y;ySN%ZY%srvKZ3XhGsIf)30!Oc_J_s)kH4t=;Op6x>x^+RXsL4>glfXe)G9-q*C z96NqM3t-O^DMi>!dBjxwY6S@7nvPXspG2grKR3N02B*w+w_Dz8GUZ){+kn8RJSqHk z0?g5G->Ey6Ny?Q>&JBU(mg|IYbihw)x6$Lr$L-T*?eSxv2rWNkl66HzMqW1)Wl6(V zCW&(bBT~6aK>-$Od<}|TCaQ~!$$l>XFqkHp$0Q_s$tRFtjS(f&k!V?1N~tYEGy37M zEN()Isnw{R4dI?lM!x}f{W$->lb05Gi1b3?4ZoqDFr6rv);Z8JFJz{g=+DE$8W?|p}k3Ts@Z)XIv)$G`vnJMX6$0nznSBD=*^X+h>H z-Ymqj4t{@&@oWGs^w}Srf`ehNoG!CeKC4AL3ZqffMFP>LS{eNe-vh(~w z|G$r4UV`=-ilZqmY@k!Z)04(1CWMK;2u~>%B!Fym(&%=7Yj^g$sM+bXJ2h_6VXP?q zCxA`CmKw$?@~sTeAw;vb=oS*au2w)Oo29gtgwI8KXww?lcSN*_n#i`J5pivW;wXvs zz`wI)64O{bAvDHg1`1hE-}=&Q=}x9KWbN=r9)2WK{CT?gQ}+08=hA6UWbx}UWgmu? zc)Au(oby;2{uhq|!0X5;qO!p_pknHvD>&xqqV^iU;+g!Cp8wVOUxf6y3-jO3|J6#h zn&SVR-G}}E{roo2A$Bee+bd)thuAGi=F`0vil!k&{iz>#R5_9BL9Wf)vVN%Nh$$78 z$e9O0^Jfq=-5ES-)P<1M)SD_^<)|ZQncUPpwfFT zCd^7DC|a7RvI>SUk;!30Hrk}4P3_5cwI}S32(n~6T|Y#6Coi@1V;Ve2#(d($qZ+a_ z1dX7*32~HEaWq%%Ny1CLrkmz$-rRyYS~fio6LU`!!;iR934-K&iBv+Vi4ya~J+=5u z@upKh7t70ftY+4_uGXG4~@EUFABvz6QXYw+oDOA+8 z8FBqZNR;O3oCxs*XeW_>=?8d-o78pq(NrSqIfXkDej4TDge(#AA~Mk)*$^E!PkWul zZzf})bBm6wCzkD6Pb{GSO)Ycf0>Q$>dKjqY| zR#@c%S4mkl9@zL-JgcFDFZ{7(nfM{VYTokuvZa}$|EK4#FI)nQUj9`U=ZC4ex2gH! z<(c>5`>fA;+j(O3+pW!i5eof_EY5s1jn!E$y8KgiWzPHlwO8d^7G$0J{v0bZ1S_xI zLE!Qg5vu>`Y5EJLuHMOe5W4v~++9S@Ut@OuA`<6eJMguI&wcOo3rJUJ_DDDou+hzp zjr@V4T%N%JoF_{%TZ*7oN`u}cA~A7EK+)-8_p-|WTay3oh<|rqstQ`tF{E<{Z)cHU zC{r4gdIM*lJnH2+>iWw_%XVK;uM4HPQE?SUWa zY%cVXN#JZ~)H;H;u1R%JviYj{o~ay{!s*ztO?KgMJlBlL5n@-kIm z;!xTfVaLM}+y!NflP=>Da^d41B*;hTe;@y=TzZVkd5{bu&gCFZI-GxMmD7Md{U=eTB z%H<+sdJ_>4j^C=OT2V;535nwLoTS@0kT7f*GL&C8BTrWV2a;g{s>`u@M`(zMmLUpH?~h1>#-rQrQZs&#?H0v3~_z8`fT@krBZn* z>9jlT?~^eT-WGC#D`!R(AL^W_ivx`-6X61Sac>&==zmi(iOG|qA#-w>>|QxcyV)R_ zO-H#{eW@XpJ+n7 z5;`C}VWJ2Kb}6IN>DM{o`j8e>LYVFqYXVAQ>#J zCN<_;J0SB=F?8kCLzRyylJM@*0G7%AB18j8shjQ{aS92YUp(DM7+~G z|GoWZ{_4Ng{J#P=Id^scy3PM{=f%!W+W)Ka?7{#4UVab$|KG#WOpXTsJa(?z6CCa( z*+6Tk`m9nwBG)!ArBaG2|1#(Llqcb?q1{Sl4ga-_L)voxwQ40@{-;F_Y(E(eY}JZ! zgXydHx>~6eA~KCJd|kEoJC({&y8jhvfm}2M=@F<}g+T<7KfUkK_87+w8_sox^}cb0 z(30O{aQ;0IRP#L=Cw-;>i97D!1A+DA|BCBB84huDr^~-9-2Z#=d^f%RKi%DZSpVMsSp>DTh~HNTSFRI1mxmfy@LSVeNb@N7{w z+tNn)B{F#GAw5#)$kjYkNqtDykZW+JhWe1M!F82PdGUHd={R!mz`uak1%zBDb^Xwu;S)#N`He>> z)=p?=t^MDc%gRsb;?EZ?E6`@_s9>|NfB6b=&hH zbEdbBE^yoZ{}-A2zfYf4pFOPq_woBbbpKZo@q$J9FS%{|()nMF|G|~QcBV0ja6p{3 zxc_$jf4A~H&Hp=3AM8K(@_W$#AM8Ke{*$`CVY*B!pK0MEE?a>)KXNqpcwX%02E};H zGlDE}K`({`f4wZ=fqDc1O~YW8e?R&O}6?mMD}dgW-oH_6IX>IT{=Wm##P}(b1~T z*!Fx5l}lbNL_dm_Z*Fe$KTfRl6Z^^oxTGiIM82@#z3)%0jfW!YCJ_zT<*^0CCO*R^rg2;krzWXFemuHVq)+ zyGF@Va)CqHGjVmIrbn3*)ggn{F~5))V;aLV8*8{`As1_ptp((&bUph|qQ|80Hw;7R zW>zJjYSvCuy^{&g&0+x}R*VuoCHlooK1}OdJHHmXcd>SUwV~3io%h}L+E&c3)$pAS ziC+tW@4YTP{O;#>7ya)m`~N(D@jT=I`}D;_{KtFwt*-xxvj1~-rxUi=OHT& z>i?NzlRG(o|JR(^6ry;LV?SCd|5sc8@0$6I|8DdDs6I>ke^y^SeX#%E%kQrC|K0Cu z|DT5bz{g$}T-91y>iJ}e9pgCiU7A{eg{AW^d47Npjhz?|rUAubg>=G@@cjC!DSg%u z)wMFsNgGv&OGomi$3D99Iiy_erUj05Q=8<6494~L}yU*ez!x$*gS)QLwW zP$kYSJaK=+U4-^nzdOyiP1HWLw}o9*T0cv#vP@{!j@o2kiuh$%gZ zNMAChW@<$JOjsc+98e4V@n3O!54vPUNLaUatk)m}1VprTs~B~z_Z)YGyZ(Q$N(1rA9XWpZ z8om0#w&e|yy2VJ)rZXDjv1Qw@m9Tjw%s&zGy}AW)=WT`{!&Q5Jtx2bJB^|V=r@ty| zjg@6Z{_a(o2HnBWX# zQ=yty#GhXHll^Jrhr_c;KpX?atMtbe@K0A^cxS*Y!aL1RX&PRODKv6nue)rWT9H)3 z0R{b+Qwd-0SoK$B15yU(SK_AA>w<>)y7JWM7Rc2fY#XtONBk{P_#h@RGGh0#D*C>j z#95JGU<9Bx=csHdhdT(29Qyqdx%@S|k|N1msuf~)9XWej+Yd7LLFRsMnfq15nHx-L zj3YZ=tnKly>xj3VrP3|0xv#7r(vcH+emJy6Te5QIy$J*Wu|4=3JaR6561{dKLg_J% zuSj&!jUy+Z^Qye?TNVtR_HA=cV<*P8bLB)>O{ey%oCCv~ zh0fS_O*j!AlURWePkFT`5t-m9o`Hd^ZvBUZm|FaRylz2sz9;#$^A@Cq`;dpFoDmeg&*XyJ)m|qPk)E1s9z~P^s=g{GUy{-y z`_t=crBbQ9D$B>z7;q5!Amm9ao;Rn&3zzxj zSUl*~b}oaa=QQ(v74BP^X|q+ojB(Kt=H=h?j{imX3+S$bW#OupmMgcd4zk`?mMeFg z``gD!H%^0ch+{N%u8~9v@Y@P198Cvgv zY7L>YHoI^TT@Il%r5Jo3Ll^Hw*u!D$I{`IFFu%xawq1KwUhvT*uT=WlMG(Q8YDJJH zr@i85AYFeLV(%;pIwB$SDniK|j|G50QY~sEyWF(A*J7sJfJ{9(UkMQy8*ChU6XJ(= z!j{(*=m{_hWQfz)4uh36N)xoI3a}GE3Gn{Zy}w8Yb^A=?w=U}LqW8NinP%=V zV9R&oX3zfO<`lCta=UN5{L`6Ha%pspIr~PNob`tC+gX=Vc&ubu`ld9UwjS9^Ev38b zSeR}#ZD{cBZr#v;tY_f38!IhiC-jAe4WldH&pMGW&=p}ak!}=8ZZNZkQQx81LnM@P z-wk{m#v(`;z(SL0G$9mIwbPg8j-_HiVzQXr7hs+0enx(COjNXvlf6 z$1z`W4D8L;#RnT#JTnA_dL>AwXaL9ZV?{JZu36{FAR-trVT}F*?tz8a}1l=EoQKUGA1N4 zmlgH`K=3x$(`}>5Ax$ZM7sr#dS(Cj>;K>)Ofi!PKr&mAiQ_?`{{c7#Fs>Ug|UYnGW z{+hIw{j^$xl&~4jYs~nPG-SSBt&xi{?c(SXM_u2;&Crcz6Nc%pc-AtBc3Hs$g{7rd z#^_f(>qy2hFi;`JUHq@^Rf}Pa^-)iSe&^wxHdlKwiVz*VS5Hd}yRESc^}n zRy$o<0fiGM9(ChcfO*cB90XD&(#@wouefqegV;ZDqBv*YW_;q!8Qulv_chv^I8odT z@EC`&e&sZ2HC13i+v!qw*ihx3d))2d<3G~~+x>v_*D^~a)s&w41;&jmG;ZPG2N>)l zdJ~X7>V7LHQ)3jC+JJLV{Zk!ky!&2^{t8=ZaJb$GwsDM%hh zD;>@ltWVV zq4N#A0&Z-`*YcW7Am8ROsgjVaKO{y~X)x7*E!`Ba+)8S%y~0sbxKA zRS#O#*Yyp!Z7I?2ALM_0SWs42P`=t?@)|v?B=@zFAcS%klkXjB^H2F(IsU89qpah| z_QL@w{hN|-)i!R4|6hHv^CA`hb+`KTA^*?4{BD4ItVu+?sT;REtA?z1I2iYI3SbPo z#|WeJo@-5LKDVCmnga|crqrsTbHVX9iu2`H4)-K*;sJ@q4BjO2!+3zKN7Q~qEo5Cx z`#1`5%(jQ6J!itxX!w|xex3HQXjX4tv@w5jOQZWD!9iJ*Ix^`2R~pvcmHwN zYw`$wI@lz1z82qaW!T3NT3{E=oR{*Qte> zO4n)eY*8ABycYFtF3caXPU{CE*m_=LDrEf~rmdqT+E~;9JsF1%8~*)NSbeQqS^kgx zVdTWPL`Q4On5FXn>GSG~-AX$D%WmbxgZ#gb-^LFR$-nQ=QK7Jb4gzOL3kQddx4jQ_ zYi993kLy;*|LpcYu%{v~f%w12vRM1H*El&jZ0$AP95(A#@3_&k3WdG1PN#W%+I!#Z zbX)D?da+t4{MKoloHRSV?p~*La@srnaMJ8`PLB4QZ|WBR*UBxk-`@MR+3D@Ik51a% zX5He?;?XJ;y3ONm>$LU0+55Hmq4&OVc*gMPQ5;e~_Ahbo0?&FQ-}7+T>oMduAi@{+ zWH`zTJfnr~hc49bzH4-v`@LTdI_^Aq#I<3S!lSVzt3$L;-QueGo0gv7%o-^(=fOXGdx zUHhn+bj7)J-jOlRg4}PMHr_P4O&EAp-dH*_;Eg(b_J~<{Z8wB zvy*Mki~LI*Ev~0ekE%4ynWCgdx7j&v9OZOvN^ulA<0ajb`3SRhWhR~Mcs36k-P6`y zx7q0Iy)*E|fkR{8rPztwQ7+P{x@pW)02ZNdLdo>Ogpzb*DU`j#Ge)o7=IPnV0!YGq z-o^2Ba$C=iTYHV}=|SsoVdp~Mb!g1i-Ze0jlHfzL3p~G%2Yx7$Uiu*t+ApFL?D_-W zMbwS_NnAqR5t#-m%QYmB1n1_MplRsG3=;@&$Rwv9U^J!JL;V@@L+TGlF(iM%5i1Ty zIqJyDahWhej7uqG;whn1hRc;71gMW8c?*MM^u4gL>e$KdYDCy+ym`|)J^Dwlu?ON2 z1cpIGk<;({@zEb8jvN;uCLQGhX`L(w;ZI=54@8n0S^x}L)4lG8?rHO=_n~pbn1RQ~ zo;l;d(#kMN+5>UOL}%%ONx$SPmzMlH7mw)@t>f-#}#ODiF$4~D32v4POP zN34SQJ|?)r&UnYAwGA28peNEg+ilq+B#_Lowhq4f-^4FmgD5^ZdFL z`7!b-nh>U;kPtI*6GhmK113j6=1@1nI4rPQJprp;DLrE()1L5~2N4dO7<)|AKz?+7 zOhKXdp^iBn^LzjxY}Ov8u+GWsG%jAICYG4z}Oq$ca96C!-=)0mZz5?lz_ zzjNHvU=zegj#YTyIBe~6QQ6HDEh=r-Din^I-EQM;!g^Au)UDGIMhYr&olrg@2Ng|* zQq24WkqCOnii`Uh>HfH6JaJ;bAK-;xK89ObDJ3at2;#of%H^x8E3T=QTrviGXfS0P z`?BZLN#M-Npx2gpUV^`M@E=n@0_!c^;P3QTw*GMB#F2l!t)?$KF8c&}c;$r9H907$ zzKChcR!=5M{MFNSM`Pl$m5r&}KthaBlw5^D9*!M9poPxKQE$KbCIP~9aZ8s%vi8Q_iy??fM3X8ji{LpZuD`pm&?TnjV4t(q1Uf->0 zX)?>@SFIB!6FSXq_jT>nNxO6Ux}3?=Cx0(rnph;u*=o(-+OkNB*mL=s_;*T!G4XKS zIz^Tu08#>#vLgrVh_==nv32vj2muVzyBWeR|1A zI-xS`jtH_tlws_%&Y^`i&;fy<;KGPHrYSu(c;vQ*zkn-Bj|CGf zX+x2{qOpJFP|?RCBco=g)9&>0<$Wu>bOJxS+%Ps!dSg<&xWsN_6*i9Br_CB_fghtS1@n zQic<=14)J3Y)SXrmBfUT?n+|4F}k8vxXrX>6E$eK}{7 zndlPh>CDSODIMf?bQh_yIpBpZdppdmZkyV48tU!s@KWlou_@2fdF5o8;P#uRjn-k; zROE7pafwowW8%yOp@c+Uh1<-gY;&L6T*9V#ZJNxzuw}Va6TWOfYro6z+9KA+e95abXlO1}3wS>V3 zE_uIjxWrLbYOu75a)`LrnSA)yxnuvQVgFCX{`u2Q_4$)I(<)4zA}K8Oi3GjE29g#; zMY7UpO4})Rz&Fxq$*Q?D|14Lly_c=7P-uAL|-AFKX?4;_b zd6=yh^9mG7bH~qjZPMIoMgHyIKy?^_@7jDLA;3vH# z5xNw_k=x@r@NB1fpeS_gQ@1n-$k3-`5CfU^9Xcw<{-o!UfJC(CgkFy?2TWQO+`Rxh zQQi88&nsiA;J$(Td>`@o?oThDy?p*Nd)L9<{xk^Sb@k&{1ShSyx{{jXK*a`89-Uc zN9t_W!QMc7 z&cu(Mz^9mMyPg2YOtBJrqcHjCGsEAcCWl1+&<~wJ%4Mr4ta~!QW<=w?krUO6TcGGz z#hX->TBTNQC!hpTX9h=IF;jpjcd+SW6yQN@$B{oCV-J)7?wmtWNaAFvW(zBsMnIz_ z^czMVVe&7+jyvL(HGk~KC2dfzx z;0T9tFiRqCUyX1)Vp|VT0pA{fR`iunNJ`)kSsyFaO7flt7*9}D z01R>R$GlLWBXZT{@YIlRpl<9$G4Qtd#*u~op&vz|Bj*Amhp`N1^3{(iI*ACxQ)}&` zt&`UNHm}w_X&v`YTKo0l52EU?eh_fm4F@l`_Ye#)c!K=U4W{6R!UPYw0*iB8g4%K9 zOptZKAlN^nq6BWqp{qXo9sQ^iC#bbdp+gnuaZD!Z9t)}Oy3;6P`vh7qZcQk%@c?~B z!w651edV&Dm#xh$A-r*nEUn((>PlaSZ5tyk*hvY8BPOfE7;Wt!D$XH%iiF+Rk0}lY z+);r|3z|-(WrM5VbUWdQqSh#~hcT*VI3hDd=*QRjqatfuIesjPo24~&VB4Z*YTsg> zbSBDt)k-To#hV@5VycZL!ZRc%!F%oF)8;=YY`SPyQZ0y%9w)`dEQia55^$uId%|ty>gDVvhu8$O}QVYof0Egg30PF*+ zY$afh4|F&y52=#&+em+{E#>A12;a)b-*_)pPKiWc1a^a*coUt9G+7(A+%z2-`D52lD7qUyhV*&Z$zz_Wxqkxb}37t{Q z#d}PUhx^kZESaa|zz=fw6~&vXVzcB^>_kHhZrt@8uIM!PTOBrA?PDpzS_eXt4lwd5 z>&(QV6njsQ(%;bGEWt~TtIO-FM(U^GLg9HBXDepboZwKTG zM;Sz{;?4VJ=S{oY?1}xt4|Sx><>(Xo@yCUwAg}uJBG7uaccN)lkn1O~-D0ple@=br zwhj+JWFe%+NE;_9=Qhw@g!ytJXN0Y}$RikL22A3Hu>-WlWK!l!XN5Nrlc_sG+DztZ zd2FD}sT9h954!@7sm|hqI~o%YJ%3tR4XCJfNQQE^LQ^XC$B=CrvVz4zuV1HVPy*$O z^-x>x#e8L0;JEo42n9Y>3DxAOnwB91@>WG;760GT1#rcl@dgyXOL7wZ+Givw7hs)a z>m~);7KDWs&E~JE3s}e;3`x^@r6db2DWX`&7*ak#uql$s z4-RF`+*hBPQA83_&d1e&3T7880}3-Z&1*kKUkVI5#Q;?q+$$#v*8=%lqjQ`^54IKS zfH`iTHnU**4pa1DKcj%fejH$FiD%55Y@lt-c2B#z=hboX2FlIhu`*6}*&0}WbhIkq z$G7~DY!cm8G8dU?|BLWh+In7tOw4JPvoGwtWfqsnSa*d2TRj|iu!m9_k{?c{aox1P z*cg3;iQZ)s4<+Uw#mpDx4A9#M<8VDtI}1Q@i~M@9cJp9~b*<-k-k~4jeuSM1WE!2= zpxL(lF|?A2Q#xw?+;MdJ{3L+$g1(G}WRC=78i|hvXQZZ(!I*EX_(QFulXmB{aeRta ztx~*^$fW5+v@NOV)`F|Hc!ytZ+sR}!!^FzDaoXN*gN}_HJ}032x=!Fu1E%{0I2^_! zB!b>LK`=vTBvgrX@$kxV5Zjoepw(?cPN#xO`DpI={!d415IOMIWYA#~2)Fuxr_ z@gure@|)5x`@WktPdAr2h#vdio(dsHjr#{ z#oP1XLT!wN<}We*@%is)%MWRc9S@NKynT&cYxr+J$;a5I(s@?wYm*@oE%c|c>NfY# ziW8?)-VZq~vfG7?eGxwvB9}6Zp0k#qvtX0L*VskRUu#w>*~B3k($wZy*V#AJF%G9q z@lu@--wecd$uN=`Rhi=LNA=>C=kr?zR*_Y*wq-G66E?_hzcxVoJ4d$13UF|;$?=8f zN64Na^?|+psMXsN{b8z8>-a6Ip*=X$Vf$#8Zxbg@#P}d_2HaB6w%G*e90OCuCZL8C zvM*K7(Y9zg*@|vFM;;WIGL4~#!(Q5~dD{=|c!X{0 zjIka2V*^Rpg1$ztw_=Qu?Ibg{Elw6k*u7vg>Y$;2iNVuQTu-OmY%N1wAR0$-d6Kg6 zkGWaAuz}vl)0V`TD|jh!%J#6!q?8|1LGi-DQ@E^P@G=Mq1BXx-t_+|l>@#b~r@!J^ zS7BilZ!Yj`ZlNE4l-1w!@V`Q2GkP*U6mOu-dBKEa8g?)6%+wK7zkkIuTDPRH?Pua09G|caz48)j4}Qh7)I}hD z+*6~gw7+DSF7PZnNWzcHr^s>RDJ*edG!(a(1zo_Qx3V#U5EgdGAtO>aXmB02WKBbS zJ>jxhE}-J%ffJ}{`mjS}E%MCKIwT@a7k5OLR;AHmPC%I~#afbNb&VlJMZFN5S8#c_ z$EDmMQMM9|5`Q`9Nq@w5?W5*$OPSb}=a^J8aNsU$K!#-@V@m-Ua&(o5UsB65Y;DPc zVi@%@nBL8Vx2ByA#3FZ#<7>V+GiUO86GAsoNYQ7rD1wx!Eq;vyqE;Al?u9W*=a-D|UPjrZ5 zepMStjN4tgmD2RKOO?Bex7`m5yzRimV!@KHJkj7Z725mYjDvSLnBb^{x)=Tgyf)cz z$dQ0c$tihTF&H?7yNo2@DkkFgmR`4cYGQu#p>cG`SytG_xM3~Z2Wh+MBuF7R3k3}r zYORC*O9TJqysgZW*>4QvEcf&APL*cZPDAI?@dHM(cOL666D07TjEv)uxt{^Vy|5z` z_#u9&dlU%M^X4P^G2Dbz&<~mB_xiOV1T-BOZJ>QP(~_67SWlgB7K1aYjm8jwN8c)m zC>lufIM~=g`{G(24ln(Pgy5DfS)cNqEMK7F5&Gqzhn#@ON2MMyIPc}oAW^_B@GJ@G zlc-J(mAhW6u(84F3Jpr4QWLN13x4d|F9)cZhw&}-c-2(YFqHk(fD}fA#%2w186>v` z?-OsNAiCQOFH@$aUk;k#WxcosGmgVc>D2HqHnVq z6>ILWnyTs&h3GP)tzVjIx`dHtX6s}4$levcZW5pc`#N1)Qf@#D?U$e?Ii7b&h8+@f zL6R)W8ZGg|CS-B9cvQSOI6K}uZX7kwE1%|a)f_va=fI8=?3Gj_BDUBI5ofrD1Y{^) z?^tq+DcVr-mCanwC+!L5XwecK<*d3s=}{bi_{WJ8j~1-CLTl%wtQB9{a%O4GZGELR zUvFO+A|m|96o>AtZh4L$%=EDVSN}_VKmrd(bxS;YR>2t8@g%~O9`bRd^<|5=Q2$F2 zn`)ngC0W}N=XbX(=;Dko&G8u=ECqKJ)gptH$S%OJlFn?>{@fnCaomgPM6_e#xOOXD z|3CPsZy{^vncfWb|AX6-TJ;u=)X+G6c9drPT5Z0fNRqv1RkTC^_MiqW6a9 zrRp&?NSad;{@Ig8)GZ-U58H1$?bF6-bFY1TP>}5io-HcU;@b|NQa>D$3wRRP7E>e2 zE2ifY-i9Rh2Y5V*IXDt{Y#UQFXp{>WC&u`i`y=4%m!J_ zFAu6jNG#1>!KD6PM8aQ4|A0h?l7QC}`I3P9B#K!l6F!g*)l!l|NhVdce9{wUfSTcySADfG>NWP~mq3%!-QojOVW4H=;|xie_<- zVBR~h3Y0icELj_jzP}Wq#07zM@R(d;^SU$Jp>fd-AEm;^WUE0TO!?Chv(g?`ooT4y z1WE^TVzjecd-e>C$TXrU9%zLzjxL>`ZasU3c6QNY_+QZ-o0>=xnDdBuOakW1+%$UX z*rYX3K7k1+aQ=IOuD~SDMwc<1J%#f$IPQv2Gz~+3!UbN|+zXvC9xD##daP)2rDYQN zmwteUVqFuyJtp>C-3dvSQMQDzLUxcP8ErrHQm#_^2wL0dGg1K3we76kTW@VW;F_f0 z*g#UN$J)#@-Ncb{krg^{{D2j4NyvjgQnoW@^CBzxU}Tf0O?`Py7mgdr80-y{gsjqu z6FFlXv8E3fH?&KP#_#U1ngi17FOc!EQZA`+q@M2oGVknLMGHqhCGX%IB? zz5}d8Yv{O9C`eAz*<|&VZROPjmimn0zNmd&U{7k9=K2z97()YsQW5Nc$2fxyDI1gM z)ItfmaOvC0N0xnEA6bZYH~`)63vtff65eRYEir`g4NGxr%EoS+d*M3Kl^-s#JsxTZ zrPcJ2Bi)j5sCt3D5;88QkDU;XUl!Z=Qu8q7+9PNZ#uV@mtB<}Y|J4S37?J6O>9sdc zYqr2)U2rmXBI zU!}b-pFv3`7P^N4Fv!v3TLO)#)@n_3ol!Esj*uM9k*ko046OG;y zE-@Nva|5@GvrEe0!T{ z#r4cFYbrtl;4z7jKc4VZl9w4 z4qtLd)`7T}wASt~fAe=cXoD7cfYejX8Aw?wxRZnM*)*-s6ocqd0 zk>?61vCZOD5+#CHeu82$cAc2}hVX;pAx?XRI$|GD771R!v)MGNJOP&_wU}_H4taMv zCQuMgkPD!ppF*pelfin-q)1F0tgm-CpFNj{>AjwiC`NmY)5c-zxY28$oz}Uq7p3Nw zxV$i(bYZbPBtv@VF0AF}qzeR;Dqa%XYd;(=i_2tOR7`v0h)avo1{iReE3UX}h9 z9F{iF25LeU59!QC(H7s(mF4ZIGFue4dFYcYk)`lbP`QtE5-Jv)8^9AEk0(w<*apkL zPBstVs;Yvp={<#IrFGmrwRe85vd#|tYwYQhzwGwydNj5O;87D&A;>_HAO?ha1byI6 zO^Gz{sknGcA!H*`Ig|@N?Qq?#1>YJfX=Liy1jIGKV*TR?F%b^Vn*4c3J=+6h zl}j8&9A4(EjY+@_Iffb8oGNlG6#&GBTZOGV>oz;}pMU@AaXvw}bPpCNo{eZSmkq-fDMI67O z?M2>rU0&1)Juyg(sS@iUNC+|B8HK8v)4qOvd!9p{a5_KcY6`N{$Xmiuc?-D{RJ_qT zI_DsHmn?Nx8uZTOE~s@DN(W4Z?-Lc3wZ@==3n~XQM+u7ChL|>Wn0rRW(0vq{(`0KN zh;Y6`{}P9S(6y@);C)JCKjf;A`XCh^ApnIydcQTV{D5QDpT^wh?6`f3)Koyuy9A1K zO5>}W$5+Di0jcCfdQ939PKqld*JMeCsmYKAGqCQn6=k<(D~6a`2BiUS(a7anO8&^8 z=8;{FV;5I2yab41%dLPSyMg%o?L2LR``rdk>|cT%;KYeX*}x}>H=_KWZ1hMZ6pIiQ zx4;vYH-~KS$Qc;^ZOHKX;tT&ij{Hlku;9rC8HG7<>_AwaG(DsMi2Mzxmj1whY{JU; zI*yzk*RXR-!7Qe7AL$8!aqQ;SgF8$Hc#(y_bUhAoYh;G|mh!2=UykFV#xsrbD>h|5 zSLL};IMt#c#^OyH$h=@w(`{ecy(|-&wQU*>B*SUfw2Y`3(2m8nfjv#erdJ%sWSW&g zxz`PR_FpcC5aM>i8v3nuyx;z( z09wu2p+9D#B&Cv#{qV@SZclK?9i@sl)tbG#Q>j$uxus5IJN4qtPR*`XcAn}5DURh` zq1~Fz1ik*1ErNbHJfgz`63OW6Oj$ApiQ!kzDrEM~= zM509NngYB?G=R0Rd;&4731O&0RBE=gMk21fc0uKbjG53p2{S=!l&Z*SdJ8!vl$s?e z1<%qgPm9W|NLpHjGK)OP$luqEfho)4>@OYj%xMSc!J=$FKPj=n`oN>O15!1VR5U8+ zmjxAMbE|aV_yM1(_)-1Cx_9Q`FIcGxVZ{by^ zoT@7}(q`1ONtwlrO`13*oTGXj_+pLA*Xg4l9*%>JXCe_s4uvr(^Tg}gyl~GHu}n@W zj)3@7*5hwTd|ys|)1L3;d3*a_kH%5m@>!#-(A+ZhSV< zpoOfPY9VdXTtXZ22$>tta;Za|*~L93aO=e__BXN*U1X`btf5EY6TK@n^vHPvJ^@h; zJvtK}KQ;8|t(8Vs4@Jty@C)MZSQ%jH;oomJyI`^b2hmAHCOEov60$(mfaH8VB2zd{ zO=w^Y!CIV4yw1#jlVQ=AVt*-#_8o5}4AqG+NAe_9B@Nn%Fd7o#iNlGr*bn@8CXH*! zQl@7#1LKTt#)C_t?ucB4Xn>sB#qRtmYUs~tjgVF&iZE69Wc zxu+OnB4UTI@JZj+L!Uw_9r-~*6F%(hCr$)r!Tt=25B+jVIY*v_dZR*ObiF$EYdjky#*T)<7d9GV7 z2Gbw_OO#w^Ge1<2;fj@%v_u2&7qmOK(r_i(`G6HV3D`uzWtt*rw+e<~^3>|e zKbc1BF&MIpfw(HQ0CS|@>|Tk7zX@|1wtHSlvfsK4w0pk{lcUxTzxQM$K;AVLRhma zCkkl^X+U%RYZkV|beTTpnOXP=Q_?}@Yyn<0tYxhko)p;^r&vyK#q-6Cv5MUStvE8y z2zaH)i*3@m6MQ8?6532E!Aw0doD2ZA>L>CC8UmE3 zMOu=Xreh-V0Le2z#w03RJq#~E(nvcXL&@!YdC~wYdU+&KH5!{=6m@f!6-~lYZjL-50xL5Fh&CMI-d~)OwQL+vSP4 z13&{B`chK(1&)>QpcM`4x(hhw3+ZCH5Rw_U!2Dt zrsQ!Z#1ouOF^Kiz7GrAGmT(wQ)v|jjxKOAZ=VoK5rOz^t=O+aFxjY49?aZ~TecWb| z8B}%L4(D0Ph631BWoUKc5kIrq_akw4G&?B5C;&&jY-sp8CC`|R0(0r_pj>fycmlT4 z$TvI!k;uWfL_-lihq=m0p3VWs&YHUMRrG+Y8xCtG%_hs&`}3l#ldSP74rO+c7e*Z( zILs`yAYR3vb`?&^ei4;(xxmi}<0q*Y4u%Z^9*861f)=jWM*HpK%~RCa-$#e-w{Kg= zZ&M-9ILR|;`7}RJo(%@Mt2tYr(q#|CmO$+@jj)wl{BQ%}#P;=K+jr^Sz8{G=46E?8 zzHot?NHveQKcg!b*}=92DUK>job-~&CHWqDVra5+Eb~kx^Q><*)*b~h1o`tUJnE8J zRwIxZK}-2HS=&Z>l7%Cn^)P=3k|B~K(7}`h;%>AIuC!*S@ud^UytwJ^^6O@;iczR{bTXQlEKb}e;|~Bj_{AN>|CtHV1STz%)H7)|H|)yO{== z_I~BxP6@wWqsi)#Lr457k6B`F>5fUd9V4z6|E`;5Bc67*B88n9?c*g6^`Xc2c&X+$ zXI!RHz6%nRkvYnyw1X64nY4pmCwiLysFNA_DUj z4{c4U2-hkTp8F(3(9E0mlell}2p zs!FTdJ8bVY4&SxAr+lx%qZ2dADTl;Lt1&+54RPF}hiu|TgvRU5x87Xc^sCmyM;AI~ zXheb}PMiqb_|J=4!B57lTwyRhd)Nt7l);?Qwp4^LNx8_C9@)PUyz@?%NdbR!NMLH4qBQU`f3 z#PP|rANcM&c)5LRmy5jiEgcr6?yF3%7tFLCPj zU#(W%IK35>gy~0J`AqMSCf(SHr<9S%fII6V99GmSNa1TLPb3dqsX&MZB`DFN12G#G zT<_Jf&TrWdaje~HWRK6&*(wb*mN{~W8olw5D)!udY$c2syB=* z!AZ&X%`2K>XJ%D*UX&`ON~vmX>-NDE7#Yw`e?4EEuv5ziY}VlP2>B$1x&ms*h(s|6 z2<}j|HJ!-2a6D1EN8)w2eR(n_m3@ferwtI@UVz?!4VaD{6*ub~ipEoS1Q``XP_-{b zQ%l{QgXH!?`=0QuTV^PN6H#3g(+vg-bgn0>*@t}6>#G=z>*-Wk3sNRKiL@{*yACSj zp(GVPCBw4pMkwpssSnE%Bt-t3C1XC?kKWmjj_gNW!5N9)y}&myMwNIwrQ(eQCwe!- z6n#b?`E4N6;B#ZbQ(Fpd4?W;vB9bOPL0_=PCYdG%P*wetx<;8!VFKAp$R&;j0l7+L zFL_$o+5Ks^QXY{jJ0`YE#uF#Pc6>!_uAfue4{eXcwsHcHIo53+Ba?maJ9NZAJ*zx_ zwjus4__W8}RTVwB4#mhSzG-yd_1-r--B$b9LVhx#yQOOB@wOp0Pa3DE&CYRs^W(oh zo>%OjKYse#$Ks|@mM(7flJ zr$&T|b5z`5%lQr~4y2OJ$SHJzu^;wil6vWLHugh*JRL91TG3$iR(G9l}r(i1VR{{D+ zz}|SQLsdYNHT6vvvdiNdZZpX$*K^k=@gj4a}!eI(Q@%d>(m?`RY&G!OS{sh&b1RiaW$NyWJqQCtmF|*-$%QW zmG4Fc|NYaxVGjR>Is6;nY}&tZyU0*CJG{7u&Wl>3pQHWh?qMXh0re#i{wORH*ZWcE`h95t&Z>&FaYZKmVE}u>{iffY5{URYL!STd= zv+W8V`rKbh3-efTyxhqbGhEG?;hjI>3|DFSUuA6&`M8#E8AceLb?5OLG{tAjCq2R4 zoIui3BD2b+<|LxYp@11;472^Y`nGF+gAEsnL|Brt5sqXEn{q8r-#QbcS59m@A_oil z3`1$r;*COK&c;IZVs3uXJ7Ihh`(|U7?zd@aLQBk1TKn7@)f@Ps_u(H&n&Vr|7HF%L zI6MYCinq+&f%auQFh)(#EyF+xc~AHKC@-0!`nXz#zw9}qj6QM>wrOzH77*tavcYzx z1?CqqC_KZ3b@oSH1gcoI`nJ{!s5SdzUY`At?SqH~_2D1Alg8=0dQwv3uY#WP=37t6 z;uHDVALe=dt+Qd+trli>11}*yNVf+&6LgtdIKOG$uo&NY+AZm3uYGjV?lyDLNq<|6 zi&;`fL`0hXjpv4ydpEX^><7fXK+YfrN8cdH^bGl?)y-J1v~pj%d!5!v{>Y|2E$)d? z&=}FVJSYYe`@YWVPpKna1d9h22$xZ zM0L1oE&fh!7Hn+DJ0Z{^autG1-q=8I;rxl_B-D^EWF%Q^1d=^&pT27yzm+~u?Jh(3 z$Z^4{&qj=gx4nz&7on%K2{wpea`+FOYebk9fAXOb!z( zr&Ii@rGdI~7?K9A<}N6fPYG^7N2KY{v>H#CW|mW zrn3;mb@Og}3fK7(-4kkWA^mpyqcd?`-9UG~jdHeMdDW-r(Qt8fb0$Q;>-=IlV~3n+ zl3%Nz=B63qMpPI4pq`Uf!H=8~+qt^sqLSz<*f>HE^fKmq6-vNQ=%N* zF3aUTly54@3rp_RDY<@&++Igy=N!Bfj%FwSK=Tkw?V@~R}8 zt$B;6&BK$u)+Ow^vNaEVPPUpz{g%SCgFXK{X$Cx{$+xFc=;EEJGlk_kw3)8DDrIJx zTu72x6-{=r{DME zqknuS`7D!4-Ghi09lg7h&fvP1pw8A_SytyXyjWc4VX42@gm&uHigG)zBSLf=0Bh+N zCi$X<=P?SBUb>Emh8xe259tgpeGhx`rH`rdnruhHRacI0%3V*w;n$L@IbVdM+D`V9 zk13B;sfX(HFi(acefH{>iZR4Vm64zm&ZK*%u>Cm^MtD4lXPk_rKbVG{#pA_iU)Jl$ zlEHU0qgWaS^utQQkS|w*Av$asFx1N&7>Qef^)JYNst})lq>qa?YOv;|$3+XNA_Arn zo*WLxrT@&|ksV@GL0ZHijI57gsu8_~j$17#2p@~ljqV+ z60Wi}I^2xS1)0h3LqEhRk<9?~V$yRwFE9C{$iyItTg1ALW+Kvz<9Qr~VwF8YRGlB6 zCllv7u{r_(P$~kCeSoZ@*0_c2t3S-ja@K#SqYBFN@&II5pHf+a;p&IHa^`p*_EKmm zs?jk3+R#u|#qZprweN^CoEC`FFEGXqCy*l}gtpKPRZ z)`G}^S5pDznmm&@vSt>tX6OS7(XmxXe@(|n16;(%bmANKsll+WZxwfRkM9AQhMow} z#I$J4>$k#I=;3QNbdYUE)j$7#pXSy}5foea^r!07>!@fTlXdXtts1G&RoXWhCJM?d zn*1T=L2@@$Hu=m%f=?>rDSDwizH;Uhig6eaI?8cfJc*y=OciCdccW}=pYr(Dc;HL} z2@Gw;gtaM^dT`94{&*7bl+6@V)C?I7Y9xR*hd4f?INIYdtVYCB><=)8E2hEJy_o$S zolL`vAAmMO^Z^~SzpTxIQCBXzGBG(mB*QjDeiNhYc)i#kV=|5F#T)&xW>-qjOjjia zux^D;`T`eYbD{j1U#XcvVo!U9bez3VGP+pQ`}JGg)H?KwT$@e z{I-VmQvREG6$KbiP*LwB+JNZL7?NRABoDhm8;90}G9m9fm$ai@$3r&kQBp&IYL=u% zS(q(6{8g=9H2Xg{$=(=-q6S7+AX5$2P*JazENZKFSlmJoInyC&quTzaB}}q0HYZzO z)7;UR@XHyh@I3c+V>c7D8X1+i2o5l)13Vp&vF$2s$gtND{$uJ#Y=`BPc?PVr5(Z_^y4_tXst`*E17f-as^nZu_jW$9K}(5I10Q<%wLFjgu3A zZ2j(L{rg`|uDss?-T!Hw@UTSIfBcD6kk=IWE0>HXgkr1ku6cMQ-i>fDwhEmS`5aBg zR$;&SMm%!oU#n2yfi8Kf`@GPodRSC-KS4}JI=zp`y{tRUiqLy(trIz#MHc2nrO-p6 zvB5DrY zvDdEsY#@=JT2a~v2NN98f*<&fQs(Pt(+kL0(WhMh=aPhdYak1%Cf}9PE_)eptR92Z0}oka#k4 z{(kSU^`_J4e7Frl;0xoVL9k4@NR0(tdy@fXRagS#hXaCU&X`kmlJz+o9s5YuX@vvA z;PR=_G!{;;YB*IR?{F|?l}fCgoO_8!t+$;9cDVGrAnd|M4eZ6Ga1DK88|st%zV}@>R#s0GE%T6p||ty^@ zuvwR<7Gm?)nbI#~ur-)WyMI2!vEY}Ca($a9g_Dk)BBt)KsMJzkmLfh&>FaR0*vLzj z#VVId?Ehjfzy6qs*m_*oK_@(qBM;RII>h4DlMS;huU4(B)?_I*D2XhQpjqg80*@nO znTz=}^zhx5b3sYD+KBv?L{AZKAbv_5q0RH!bTYwF?b9avJ0Ms5Z!P@qwnjwmTmXiI9Gy+F-c5E^WUYfV)Cn@4jx;*yCX|6-qMhC!AW0{ZNpe2(t;NKx60H zd|TiHg<-ocOJ>~|v>It;KGRTIvCp)b*6~gF&#OPxt>>lcPo;`pXc~6q-DMLReNo@C zUX*r96~z8qwYF2SsqzDknvHT@K7%Qk3vK)ds&KLQRbW*YXQfk%1kj=Kk1C;r0vM6X zgUoEp2`exzs8&w5{cmK&fq6C@fx-LnH~1nIzl^BMCVmlFKB3NW##W=_GAtx`*zb93%mxDj=fB|8-R#)!o%|b+O*y?XVEZoo5J zkj&~(NiY^&HZU?7HcHJ13CUou%M`T>=qXWipahW#V*o2MMKn`|70`@zPz`u0h*e4^ zqqRUAOTpt)FP99ODf(f`weub&lBQG`mj%&bpu8k*NoH}krXjm)?TJ}~fqObej?y}T+8H$n%+li4PU+-3iLzN$+ zPH3C_li0t*wT?kl$Q-8g%v#6r1_~mo3;3fz%4!*;qkvNl7c?!o5VMII*u)6XA!kMb zT1Qle!6?#~dLsFRk(>4w-VZu4LdT;yb=A`Ba&t;tajrNywTA~a zv=Smgbr&G^HFN{aZh-x;tfMJYz$M!Eu9={$pJRYTR3+I0eSv+TozbX3YG?`hc=;&< zwU;R#sg2_@XaJ%})@o{78MJ?Y6ee?te2|v@s^Dp=##$ku#_$}SU7|7u{zodn**;qc_ZVC|kIQU{5Oi6K<7P>RXWoM2@ybteNW1s2bh!CXCACiO@ z-6&D+HlZkhL>Qx>>!)c0j)WTj02y@KS$5lCF8+Ah% zc_LiY*K%1xT6SdQ@I)*NykwqJAMZ8;k{g;+g~WWlt6n6*<4l-DW4Dd3pj;PDywz#@GSGkZ6R3kBmK^hYT6f!i*L%T#qK+@ zAXZ~t{Y{z<*3HJ7od%>)^>FPbr}~FJ$cEF*I>{9%+1WwH3#u3|7&U5?Qc2PS;$R)h zI3-aO9Wm*MENR9d3lUw?(3Vw(3w&4>gqDEsQmdeTk{p)hEvSW)sD~E*?^zXwN zCvJzDnhS`|t1Ee~%87Nve|Kn?r!;ZGUZKN}$HEL~INOHf%a)lCZkT$W3O64kc!Bl= zc}8q-`YA!Ac}ET1Km-k+#A^nsVW`UjSJ;c81)EaS0)3Um;Ay&YJUUoWB0nT<&n(W) zD9tSx3yQO^n2=kXodvRTi?cIJ3yX8JOFF`mAsNJxn~-qZmMIoOl2D=6R*e8lymSa; zA7o!oHB(D_J7$DBj<4w$$nu+=5yK{^Ktn=FXe}5W-&y3*MYrhAfLt3c(&A|P8Ji-t ze{Nrl7Cn*rVr^g>lel*5aH{Nf>@X%l?%3f}sqWZeFcFV#Ak|HWo&e2?u(T%dQvtvT z0KG^n-%_9g+3;(FIRpFPmv*51z)z6_Ho)$(4^T3em4}058(w)eTlxq-nT1`YKmje3 z{{t`dQao#u{*zmYJ|x&xq~vQXDVyL+*-UZKP$6z}f-%Fw0TlPJb(zLSw@2rDXdV(N z?j$=#(klA6s!T4>fZl00UGI@2>U!GvxT<_L;ao=@X{Op&gLR8b4*HtTL^R+^J(tiy zUBwr}hL-Qvc(_0Vyk1GOqJWan1E45CLB? z`LQ>PM=%v7Z6WY5yvBKnZ&G6CekwgwRy5F8Z{Wb!)5x2K^i>--4bukUua(cti8G9t zgCjp=)iJU(Bb<-Jaa}|kv&P|&mXSe6Z}T?zeGFS8(@whsZIi!fEAbJOl3)dT2y$?! zh`By0qU)*>xB|TyX*wxjL81^sGldUl>v`D(P6rHx2Zz5{XbzJj=?lds^6ZVQqO6{@ zP@Ko`mL!DPWwG0Fg} z&nUtJF~>Z@t5-#SLupv~d1l?oHljCGA#lE+Nc7DlJ|y{OXax9;;i?V}O(H8Oa}FT9 zl&tkP^)XLd-&(;*f99(ATUuM>biwBxctKQr<1nryz8AWN(1gN?ikeFk4 z*+E=mfM-|{#3nb#$s?D*=XxV`%iCk@6gYN2P>M2>aLU>wAGnwnIA3juLn{&&c+njv z<5EWwvTnr*Pssa7oX;!YxUvJg?hoZ0Q9G89u_oOqf@ThsLAe!)?N9^44NaNl6ym}` zE7l+mcpsXVGc80lSZiL^B|s<$Y( z)a+q>02B+`$-m2G6PuLclT)VlE7$&-Fl zRee~lWE+j6vSC3oFT7Z;ZL4xALaCK3ghguB1dLshPF?aCL3EKeVAAG`2bZV-7BUHU zPaMt=;^2T$M?0`9gWKhzEb_)7V-&9RjMC7;NHlCja{7gmdr?$en3-Ktl3OrVOXmcI zIiRSxuqeB@bTY`v%~O&v;M<1`D*c5GYs$ZPmc2YPB8vl{m0$s*wjKo!0g5k9{U@|K*{#NaX8F2x^XgWQIlP zFaRK2{Lq9@6Hw*Y&~nUjy#jszZu=FFzztsZk7THe)tk+VJF!k^{)=vfW_lYqXBXfXyxQ!d? z;TBl=G5RQ&53OfV9c!9E5pNFx)zp^EeKbYA(H~)r2ZmKksG?K-L59BpkyR0*pN)BAen^5D&@Qg-H^nFxo{3M)|oQDWnG*p6<#xEpJbm^m*NQ4(ZW4Hl@eXc#inBI<@%zCH;VKbi;^Kn)of)z8rIOmLl0x~5t&&Jn3YobIanus|2aAE_p>ssMUxf1G z^5smjb`}BCsj@w`afnjyxXq%WoDz}5Lv#JeBBCpQ@xLV|gndhyZEN-}*#~U>{^c_w z;>1%flZ`KrS=hquCvL42IiPpKO`>O+5%P`7-&>Bp$;W6GZIj>$!w#gaR z%&D?E9IO&f1+xX%1|&!s?k5=yIV~14 z(-;^qm-)%GUFaD~dju*UeV!6MqZ!TsG7F0)gV;s|W-}i1kC>B4F!M7?GvNcf81M+0 zA{>g?4N;I;SWuc>P)f#_wAAeaTvtQHiEDC#EQA=*3aUmx3egBqviYJ}Rx|x}|{?cAln`w}_ZfAFOE=F^P9++6Goj zsOJI_Xv0g<%VdXryK!dEMluO%2rqx!{R6A3rcnoKtI_@@eHc5w>S`lJZ z8aC*iS|lBjGbE&^{%`H5)d)P?iL0S~WCyS6bhSvX%$rJeZnYveUa8wuotv;>=-Aw# zX`_%?%Y!bf1FpY-oo{iXhQ+zt;RH>KEQHIK(@!XZlsx4}F ze#mCGJeX96SJe|fysTb2Zg|ojOVI5WUWO@Pe-ck3<%LH05gi}htC`C2ADVDJS4&$O z6;a(4fNd?00LD-P&8kT)ZH^--Q|?HMg~#U?ix z?8Z}Cy}ceb5TLrZk;MYC%$JQcyv(P_@*SmCM$gDoQ;6D%Aey;)h7qLNTe*v7CX_X1 zB*h;M9Fg`1bk|C-&g7P1aZzsFg*AZ;?OT<5mR~qA+g$1=nn^`(vYfI9{&(yF{r33RwE~D1KtE8*Gk$<7a*d}O z(D|_ds%Vx*@1qA{K4mps4+f_Io5(Z%e6_Jr>nLAH+p78OR(tW&ZF5Xv0CwcVjKJ6-!|jjSh`Ld4AVQX$g&Y&Gf1owrTLrW(4cEd zi*xfqenv@YcJcV^$=VX=MpLoFM@mgf9h}mvdGMY9u%5r^D^$_Ot+g=O1cf|P#jyAy zNxUWXlh!x@pE3^vQ-4;^SB5}PZ+61!(%LeB%OdHiAg;q#Vn09aC17hrQ;VUSwn^2$ zHHIea&`njcrGq}7J#^CvFzTXoKrxswU37snJFqJuwlLjD;V3(><1sXptB$fS2&sJ0 z*zsCU7WQF<&U(ii7EwISYRxgz8u{Hsv)bU=<0)OpwYSbv!LGYO7b?m zoMrBqB{ibTB@6AAlh*-D{)*DO>j$*FT5Z012g@+!FpOoLzZ32RyLG8%SXlwnEd%@o zWh~wkG6Svc_~Th=DymZ~A(ywu3?fp&5#n!3R1XoPF`m_noRZBg&xnx2Zs21=Xezwt zAX`~s^mO>_XAo%-60K&9oKvbUFMCOXL{MUkiHIDit7bga zO3G;k=VLrbfytHgVa}-oGl;B0CDPZ>fa;(Ci3;Bi?D+3mP(;HZTsTB+*{VQD$>jXJ z+=B5@#zNFF|NlloRHZF*Wn@}Is|RGI6i>xkOiCl{f%RV?&;qQ2E$C`|CdaZ!B+<=y zqe8+eY3K|=<%Yc>ag(j$P;2>~IQ#@&g2$TiR7C|N`lst!q7U<@8yhRtp>>VDlt@XQ zfC)0~W%MoKCk~HcmL{Z)WN_IL=Ak+wf~yf5^kFq8h`9k5d|pX1_k$Ha#xqX(uqeUM zOzo+6KHK$e1jWcMrUO38LxXgMoT-D-;S9YMse{s$1(AN0=#?s|i}Xe`m*!LupUL?H zoInHho|0x8D>JdD$EqDLHwvcmXr)H<+A_8gU)^RxF$0yvb`5j8shLu*gW=pfnyAdo z`a%LKH1wy8Id13!eIg6OQRV6|2rBeE+4$k&6b40gp-(!FieQFA5VGGNvcg6c@TXgC zm;(h2A$0U!99DHnlC@|mE+I5>NUztSq$6P73$V{>6eSi#$tC##x@hVw$(41;m5gfW zzfg50X(nwgtW-sdn01U5*3lMI`Wrb_Hh`D=vasmQ&jk|eg((GfOjd(sDIF^cS`LIi z4+-Z-pc^*LazcouO|@lAh(uaoM&d#oPg5lv6nB#^!At9>f3rucwIZ~pAPXkPB-b&d zS0&-7E6gI8siVaud!joOR;k)fB~O@+sCd#3pzTypHxP>T zYLAm(JBaM9OYAycu5%cXbr-n}7p)Peme`BNjI-SJ5x*D$I{zO`xwhLX5!)$K6liAi zL=6XN54)0#6O9Q?Hb!_O!#IE)*fn@Md&Af=tm$Fw&?+lrLQz&mX}0`?t!9RRNx7xt z!1(ORAfq4)Knx-YR2xxh?L`Cq<`H&ICnd;D&_!BzYwh}n?+J!-Qz)efo+cP7Df+mo z62|9i0QP)ZtmeERwlQZyL1sZle)g24a^z>D-jAZnbvusPa{&?!ewfJi@mc*_aqcg4i7P!5nju89c!(D;B>odc37|gLSopPt1Q^eyzGnu zFri2iTOf&6l*tt)ETT7B!-qRy{+~TIUiuddyma!V{!6`=j=MBpmRekW5g$sG|4D?; zb0{$hM2K8}fa67q6@h&K`~ihNFMR7mLZOnW3ZjV$fZ}O6+dLSMjZaMgaVbY|aMUn+ zG4y5{-V`S&b4yKNWw~~U-H8Pjhn%uU|M%_DQ?}^;8(UPq8>*{qi=707oVosbh`}I@ zS{otovYLtdv7eJ+tm=>?8?A;WR>rG#{NW;>h*+#gh&9*xx6YPz>JL&FA8l>YT3N7a zAsT~rAP~;r@fZ$_(DjZ`jM<^)trAbRpiWz?+=xJvja{Nd$zO-d5pIQbtE2*(KOtGR zk);S5+PB@R#SVs}nb!Y=A&W}YwaRq0v_%2H6oo-)DY0Q!$Y8PBpQNOe9-&nfIJv=L z{obP8FOvud4 zE-A^Gke4^vjw;?TB18F@8Q4jiK#LgxX`1jacYq2Cbap-M2_m@a*Rrx@8F3u#3(&kk zZjUvPRXCJO1^-;Ol9LoDxih&ff>T9{MLg#XdPH(x?R&Mo996Jvuf$SdniR!g#6@Yu zvV(wU5o4G6^?8%>$$N(Oz4|qlQt4#`k!LC(3dH_dSOXG(dY&Q<%y8_LJY^bFP2r^L z84)C*ng`je5aekA_-Tk;n!Q4+ADVO^}7E3f&M|!0d{YNqnh*6c7i`2xqD9B2fWGz zT=oz(8zd^}K7`%$*&oJ79JPn_1lkMiLQ|tWi{_?Sb<`#-{nm7ViQ#74(oYIP+Wj;@ zesR_6?Zr0mLdf8RRs5nAaTu#MShU2N)ij31mcUU>!FwVOFT*SFEgPcE1vMq|rLuVD z7kQ1zu92)%$Y&|raswyA>nB(uyVI#$teEagHMpBtDhhl9opAZaI#W2B^mnHdyF3Ey z{q*5KGyRlD=rQ#U0%*4ZwKOkC+8VAD)?gy~+*BrpVdZ^FZs4*Hb0j&EbXSC^dSjd6 z#x}~UTe)l&=c%E2mt8U*axyYY3yUYaCuSFyK>NYm!KLFx8GE}H;IIcWLSts<`{Z}h8ji=v~HUdI~-4~a;- z%|}<${bZmBVUTy;P|%bpvS#)v@+SGvMj4Y!{TjszeT>ZzeSqPIJ}}Cf{!{gF|IDBu za(>yWG^F^n@+J8kijnPKd?8H{1ZdZdrA0}|Mb5+dw5tO0jY5u>Fuc<5%T)d@QkohR z6w}r>(iI#g%8EHQFL%t9`FSZYi4Y_v*27%ZIH$9O=4)vl{=;}^r;6E>xL78x+?lQb ziUSte-+19(&_sA;I|aUAEb{OLZM*z>F}lY@%S))Ciqnzu`2Zy%Q=Aq;(lJA8*4~u# zn8#=fJqJWY$OJjeEjc0q;G-$8w3)&>j6B8oq(6iJ<&ldGkx^tgx5zVo7?LwLP%IZ^ zpCvZIc$(wINcdT5*6zH_@nYNgnB&C=d6@K6d{`z{aKwq`r|L_qd7APH5s)rlYuw%h zRPkst6}1_4AT9Oi%C?_GPl0B=#WW>wY*95&33LQhEira!Z`vAhYBPzA06UP-MBFiY z^R$nur@hk1nbi~@2^SX|yR7ARlPzaNwo zNJt19k`eM9e0)T88vw&ra`0O#4?{O|oJ590NgegVow4GLBO|E!&XECzfzVOiJ<@?9 z-amp+iFc49V_D7c(DAKmG)2n1B4!7fUUrdTwL1^P90%N@iKI8ifqtqUD7IlcF`{X* zrXzAAF~VP0GW2LIUy=Zs2pAQ6njso_6bIf0E;SldI$jNDidwNO*}^nFd|_zRAv|nh zFGk7DCM&+3SlWsN2F|vmR5%8=>eyO74*@R(t)pUm%OQ;XPadrel3+AJb&?RyNwAUx zvWaYv1Y@HPkpv41J4#6~`B&{E305R9NP;D$!byTv$JRe{0qJ8DTOa-z)5U3TQM3{TFQ6z`}Ls7gn zLO~eBLMn{owO%X)!|fcMP-NGOJe3K*k5n8;A#j5%&>GbC_E3qz^C-C=L$AH~9tWxC zbR#Xo@wcIUgp)f7#}{VFF{5g^Kv4;c5w0vEDrEeqDoUwrVMCKD42)SCkMq^nx$c$r*~6;1U^>OH=om(HRqsi04kMvW_Du6>M?j z%5J)xsXu6HZJicT!Zq{4U@yy}ovAS}$y_!a$|=b$?wKcg5zY?Mz3 z9S;p-t7A=vS)3sbw@^(Zh@g$ZR&0Qg#16)o6m9_|CpCxaL-rSwlbf-G&VK3{ltg94 zbT#UXMk1xpgTp&ZQfq2`3n2J`)*aiVaKNb0~t6 zy=dz^$;ik^h8i+yP`=v|CpZJp_>04JSDfAHtcuf`Xle^KG^hz z7z=wuZ^W3BbwXxA$Xl^Ui9xvpL2Dc;!rk-sbEF6ct{J3~Zyz~W**C+$$`>LtE-xBj zRomOjq4VmzRg2E5i;MSnS-Nq@%3V^LQ97Z-C7?1GnxAC6>zI)lNjL1O zyoD2Dk8Nbs>lrxN408%?@P;!f!>Tr`wT;58i^wF3%$BeL-J|DNN*c5g24SvVHB~F^ z4mzzXX;$@O2_t}v%Zn5Zi-kaPD>JSR`~gb#lt#FuBQ=6W94}HHS1501IlC;J8aK*& zJ?9Tlypn7t%1)tfbGLb58`}D!LM6is1pm;?cX+b`&P&K<@^Gw|2x)MLb~30T77>J@ z7R*0Pwc|b294FAAnyIR$@ti~alt;iXpgQz1Necor+u`f|lBr6bSF?OoIYfVYddU8S zC(1Sdf)SJ{F|2|5gRl;zRE@*{`UZvxLp@ZYM*}v|?-7R4>FGhrCkgYR(r9MF(3?g=1e=}}O!F>?p@=?^H*`aYu(;HnpK)dBxZ>=LtP=Bg zFt|vJErwDH($1b;kX4+WQBqh?G_E+KB-;$SI6E)n%IqxZv&?ZB#e~7-7FSHjE}m>` zVptH$6TyNIWV!7tVhPl|Bp8zDgN#hll4N9BFG)sbE0-iAGt`opBixq4Z4i+`z%1S* zDKZEeK@?jpXMgmvo|3dbnd_D98 zBA7^_aa-8XhNVcfC)Q+lM29y191YMH|FbgvkxwX#926^EM@yf;s%Jmkv0(%t(BdG# za&?Mc1Nr)+MAf@NfRwsGh~mVG!$vnT_47P18#n{jmj?psFFhtm5e zG*V6(e!$V5#)1}-w>$^1s#AxNK#t=i11rmdY&!g*)`e*&J*ikW;DxJ*_-R%5pxIu@ zuwGDH3fQQv#r% z$pm>5E2~B_Bl>}Sim#DRegt&nE^z>5IEsskDR9pUSc)q_shg%BtsKMk*NxZ_S+tg$ zFcaBXz*Od??@$k!#{l?dJWx8Z5*P%J=}V^iuxNEoeQqmxfy#p2`=iM`hc;5|V3LItJH%`O6_|~k|7X^W>C``<9`}>1nbz4r zX3J8ugs>$b8AAm+H!YMsgw>(aw}O0_BU#^?oq~lMCG-0vSl(eQX<%W3!==^>3NhJ= zD2);Oj-gD*s0>If8-eu#KW-_C)s(2OW;bOSQOP*URtCWpAebqhE6`P3@K~J22pV;c^7NvWsPv@{`!WtX5f(GH*%2iuW9Az z?->8lmJTjPr}l?dnlSn$?XW%Ke>iRy-Nq2o5Rx|llQD!T64@dek$j5dTWJxU;`p|5 zJZPt&TJ+MRH>*r%DkcL8Gp=+-mugs10x)CPVfK}2|7>R_Ihl;m9t`kD8ENRDZH_PX z2_0^TwL(36IYYos5PU`L^;i!EtG!Fz>lCmNXIT%I=9O3|UDFfC1%;*AsUWwC<>2Ly z(!3H}vV-U*l2Y$$5b$$erm_JVi|7;p)dmweK(kbZkCp&9Kq1dmF)U19mFVQC_rt4l z0#!?U0mGtFVpA;WQm)rsrFkXp%))|#?99@_Vt4kHxh16~uGmKO24}ObsZ~ybcG*v$ zMc{!CQvs3ldni%H5acm}NVBxLa+5%d%6IL?#Xc2a1Wc@JY~o>KAl_%hH3BYH=GUrX zJBDF>lpvtW<6E5O1dnBK+c7@(D+RrP+KoIGEseAux$SVkt3a|X%xrh)mL9>$0rB%<+Ha192X|Ee3@wv>J(jG`F^kS<3gUUk@?U>f&38)f9!dvyA>3Hxfgccv{USw5lA?9+WiT zl#v;7SvzD^O}^O4k9U(7MRsCO>cZ$_=z5hv)O5xh9;n_VQD=s|4AKuv#?`Zdr2I^q z6MhpFmKTCu5z*lJh`uHUPa`QW8wuTK5H?7cUE+MZ?rYhwk-i!slh|lZxUhG`6)YWS(pUO@4z%k# zG<`!hJR*als!1x1?27=Tz! zI}8wrh{JjeebliXPur5Wz5++x5fX&DQK*25G$ zz$;Bj4FxObK!$0y1;jX#VZXO{@8_il`V~j{I6N?7o19e;_6as~o@I`9*cfu2OmTVx&S2e{}(Qv`Zz~nc^Sv@Zh`2eeyP)rAW zjE5qe;kI`DvGpA+uVTB>zk_J6$;IVVEmatR$3lNLnb3`>;px&3Mg9Vshvcu|PUnIz zcHx7g;Fn9<(eRH^(H{6I{8*2QR)U|fs_2M1ZcO&r+=9lO5?5hPiOXJQw>LLda(q1F zN=aiz738Eb16?TzRYI^L-U*z8?CJJFu}ng9vV3~2pP@D$K@+sgc$FNlpQFS(vBudc zHvzS+iR1OC!fr++@uFh7jSkm*8VvPNOb0nsLLpjPbq(>K3ZABFbf20^YG@EN?ocO4 z$f46=4m+v=L!Ushi^4FFZjLCAK>+r2JFo*o3a0MKI+KPWJW+?gP^Zq{AR{CjSNT!I z!%P^{D}0fyRA?<(W+I5?Q*XM`T1MoEORT(GX2kUp7Z_k(2&IyAc!Z4*LF992YOVN8t6GbU!Z z3yUNdx+FpyquFLtN{7o}lwhl2H>FvTH*KZ5El;{D6FKe126p`lB-kPuRpa7jy~4tlQj$?z z@CY>2EK%h!K-U2$1Ht$-Ow8EAI5F9bR~MIH+3A%@5m|ld{MHaE1Qrp{+bu++!Xnn9 zJz=B)izA-|!41H@4OuJs|qadH|Mg48bfl?KBu62x;m7U)qpU z7@%jH0s0Bxj?KwKzN9pxxYV6jn3<91F3v8>%gxLvEex{~>1T#lAIeG%Q^g;#mtBC6&MoX2CZu2SGKoi5V1JFlJ!sI;+DdT*pMi3}&pY*TIT9?Zph(9Ks{f zYGw#?_+*xjRvkkTh0J^&MQD~_0Pi9mMd<`bPt}k|SaRV4Ij~9-9aZd z>|qvhDWqOz9t3ra&!@Pk6_fz)O$j39^U=KCLd-2FDb2{s%Pv-fWmn}Exl1P(Ws~+7 z!`|dNQuI5|B+O+ zYApGw0QoI8$#;hCJd85?semaStzY(hDqxB(gmkJfv(6aS(Lfj#i;<;NXr?G6iV66s zfIJI*bRtX;KsghIkHYah?U7iH_fz5^!{2~$&{|+daT%;Gq1j*&O+U?wfaScjgYg<` zJ<9jLm1eXTc*oNXt_ZSnlzF0Tk7`O9 zR#`)fln>36@1T5-wjpdz!_gz$0XaCKw5DZBNfZep`cSk`P4TqXA+b-Sp=iVo+UW^C zchCf?csc;=QyFinskS6fSJCw)BG0f@@KF#6km;QQo(}jZ4_!*vi!OV={oK)Xh?uAW-Aiqp;%Bs11czTeoACKl+V`yytGL3eukyJ zvWdVUz3mC|yd=ieoFKB4p9UN+brxt51Yr`D)Tm@!MsaqQyPz;D+nt*QXttK&ITnh4 ztsE+IfYNH3r;)w^EKPgS9h!iT@i3yV0SE!w!&Ei^Mg&qrhaC&pL0eFoH<2!4ID(*P z1(vRt%T{vvv>;Gba>OE>8I)O=UsPCQT67)=>he zqFGwn47}(TmAArym6M@ZFQ}#x;nHCr%WuzDLMab5b=__eDF*Tt0SWq`_C=?XflreP zv^b8+M#+(g-@_)rw@!(eaSfwOj0ba=HgQxdD7W@HWpT4)?tUbC&B zJT<`pG^5S;2DCGwP^7F>?AH)9@&rI)pi*ls{iY6$qyyO`ITYhVa_->*4eB9Dr5d%? z_0!a%A0*=73Gfgx3=l(P0hORL1Ooc`^cdKt zuriOUl75w3)kxO^CDi9}RZpkKH18sPF_!0oa&)zWb)+5_du-$7Iq*CIw}16mnc862wakNOWseDmUvW_s=t<+c zOAFnZPfzGa{JwY^Mb2~&HxT9c@ zC(^vYaI6Ioa$^KZ5Gh_%6ZFXd^ljvR$_B1H(r?k#*vziYpDw1S2N|CBW-;RvMw6!GM<%X^nfVyOUbV z>+GW`c0!=g=au7?VOHF#xe;23MKCl{_zjDuSaBQH1oa|&QsnOBw(?fZdc#OK-U2Ew z`E3Jc25s|G4BIKf9}J7ct3ABaQ%&)rPB%ND^Ws$9@Nu-yFCh%=@QB7pN=ix^He?9= zHz_H}_-{&bQc|bnA;X6ZA38W?_|RdUl2Qf_OG@elk|Lc%TYiF)uI!Z5=CO>E`-}Xj z%bIF~2|(VUM@+?YTx{t48A(?vaMn`1lM9H>t1Ee~3g;7>N!6w*@#j?e7^Z*|X^;wH zFVAro7Z#Rkr(*CNrh--i8pxG_H$M`qA3F@cwGwjM%09Wf6f zBkiXGK&a+|KCjfBVU@5iT~GM~K01{Iz(v4Ywt$i4AzM@~*^xmX$}KbpNBNo-J@R*6 zN~8>5N*~GJ)^U7|;akzKfc3%U@>DamwAawc$5jc$R@&;i%Ob)ixWt-vCSb z#V0h{ltUU(+RR-^wtgU=st2WvpXP$-i8`23E~tmNV5Vfa*_6D)dZ}q)P|Rgf>bc;G zO}6Dz^~Ey8*!Xx-D`#>NNJy~t1CuBQ9Fiq5u*(pp`C7tONE-8>>Yz;P#+rsHNXiozCQx;f^Fnk|Q~FMAC>9Cn~$(qymhy zHra_{%+6|>@`=^cQ0OZqDaj7X(`@kI8yL=F!Zs8}W@CIX14(keMgp_WaF z6~;Eoq-}=Pz+)RV(lmqeavQ*2T!Eu%QC>KR1ASA^h#=V}N6dJPwDRu*lL0Jbi|Ce| zWP>NsG8t2nZ0Kwcp9O?YdzITrl|i4c!QpT)EXZXU5oB_#NHMS+1nOHNa_G`EUfti+ z+Tn26ZLy7lhi3w!fKDNFWksriAaVg2W_CTIFaZWUC()p|>|}e?Nd*EDZ`*AekGWz~ zY!a&j10J$FE8!5EEQ^6FcC<}dDEZ=#{I*B`{vfduNT!vO=6R0C!=VU!t$u>?jy~G5 zX)ka%9OSu4o}av!N~BglaFThPuzW~ZGXR`$rw?!pD<&FNpuY_OObdY6MvZvQHu(g> zI7exMEG@AL#W#eXUy`ko`J>g|sUP_#;{BhkV%U0|T@pPUTNzOhAoTv9oHT5>asMAO zEGgyG{(mxl8XFU(?Z^R7bp;1pWmK$3snG+Pn{9&Nb1Tn;2%t2tq&6A-*P;BIBL6!$ z4L0`B5~DC4N~8g3Y&5_R(7XVvRd{HJp9``g^v#-^or2(Viax>N;YAZ1cMaXp8dx=S z1A-;cg1~UB+e3LI=Mx?|r_l8Ap~^2fr1he3K-x5cBz>i;6sN7 zX@&?jWkvv9sFUnOl*q<-VBkpl5(SssKCTMIm3>?lvNLe|BT+80D76w9Kf_j~NqwQ^ z9j+^EB=t^UFO26YM38s`rl~9Q*ZRiSCO6flBsk+80}_D2 z+hCkt&QnA4P6)smo9v8DLG>^sT6n61Yz^&oi#){&(l$f09?mP7$OF#tIAy@C2;#qx+r5W}ZBosmfft^^E~6LGeI$dFYHsz~b) z1Rqyf>EkGGb93Zvb2#2Z!+j0*Lemv!QKJ>OGV$^po~ueMtfhIL@zRN7D1lC#!24j} zKuC2up$w#1cF$3yG7&x(gt{s7fr_maV_S%P^w?McQt?B25<`}$1RM|I>FJU-6T@z$ z31CE0Lg?oBS|@-ZLk1`OK?IR_4aCZOf~3>hkBl9&%&D6C{i7$S@CgapI8G3O?gv4O zbYXHh>7!WGjPiPQXjF2%rE>5xf@G)^Ngc-oD=TT31g)V7v8Y99G$7fLoQCPr=|Nf$ z-4#kNz*SaiUz>zB;M_Y70%}U;Bu9W$UJ0nN5%TXUP^KT*d2BxMzO z;7|SubN)9ZC3%SP{4aUf&{Ofhlkw9J)aus8sCEZ^#dg(<7C$hWa>kNB2QC(*{7DHg#?`zF17-bFG9svB$Ps{ ztVBJSC?T*UE!(!83sTV-LO@y$8`4JC(yS;zvdOIJQTG!8faIi(+;sAKtrQTKEZZN9{@mUQ41&M5os|Itz4ST2Gomtg1ed$s-e#g-E}m! z>HCVHr-l|$lVPv{7K<{%7?Lz{7`X`!COKt<)CeMP0FaV2#Q2>V0YVfZWk^yIB!nD^ zKs&JI*Dy$7`cerpzy(pi9zImSZGV<9C~j-3Q>-z5BY+`ErY{8bTT(}n_6OXOB6GtC zj!dJWN&d8ut^qzvGgi=Ws&dQeVnEsx0f>v`X+I~@lH0rnpfHHgd zDV)6Yp^+2_!GNqlAwcCXI0FT&`k{=e){3Wv0LKb6`Ub~OZL9lRZUIS;2E-Rb8E--c z_MNsSWis(YZj_P;AU6_=gL>&&r~I7~?KG)vtbLSwBO#WmQ|VCku&}(CvK?}))TW>4 z3AkA<5EQD_Pi+9y&~$+EF}1W7jvO`=e$%gN1`|-*DOwoQztD>GItReVO44k$X4@Za z3;lomiP-+fF5gBwMws*e!NZaV8|?q&p(#U7+5acw2f3T6vdO`C=wiBx5k$TLB>*$5 zKzo8boeIn@s-c5JX$z0r(CK<8v)RM>yd@&XQ&qG+f(0|VGPQ40)G?JLD_9EmPqGi;SIIac6&bRJiwl*mR7P=Zj$@m@U`rinS_x~NU5Q2KE*VW zj}xo40E&bR_CeU*9It8sFC|hHlz_qq>Zbut5UY4vnC{byjnW#acFO1D>IyivNNugt z@hWI@JEM*XGc1Y$qyp`GbV--@r2_la-U?5u_6>?uJBn!^Esb43`K6Ue#2R2IVgoAY z?6NRA$*r_sv*g)Zg`g2B{xWvcll2A65N4#JHrsHtVpwx z{i!~Qr&wze|67hCn=z#Rx?Rj;gsPc4;b2>tNC=Mc!Pdy38GC9lu?J5h2Zwc%AXW05 zL=i9YK45Y#n!3pN>3oI_inM;_N(YDB+93xWEsS42CN1db1~g)DX+ik|M% zBaOB?a!b&p)%~JWWfC3FA^2h0O_nB>6G42da7(as1`L8K1bmDrzws@Ua_S`w%%;3D zH5Zi>D9*?)qInO^ic}TtN=Z_`&!_73-wjV9=?A^>jHaWvo7=uWtAF4U8?it|?&bE^DVoy+CruaLXh!3dL&n%GH%JW-8Bsc&N=_Y07*` z^i%`;RL6jLP7s@{yY% zcR~HmE!(h!HW)EEmiBXA+NW!U(M%2%qK@* zh3cjSnuh6gB6*c`Nn;(cKGFc8m&Vk>L~#SLL@vPjxT*$R87ZGxEefeml(L|L2&=M8 zCZO8YaE$)v-k(*h+i!=)*S$4MX3Z2Z8Ng9TS5$Lc4a5|FA^}%EgwPEVWawrPo>0Rv zUU;sCA*Xy6n%#-5j4c0$#Q!5W|M78EobFbI^noM5Rz*5S$n&3+AxXoB8P9(PCl5W9 z|8-J+t}iMWYdhc8sZ%Fg?zpVtPM!YtPwD^NVmfu|baR*bEuA`bIwLS{ve2oMqo4Hu z&h-zEuI-oB6x=4R4r7?i_R5neiL43kDIe>P(Lq zNf;UMo$2MTU*FX{I9Sv@?sUS)S&l{Bdyib!$vk+M`8&QQ(c|^5^LNsMk3Bq^FR?=-^5_TEKv=H7c{Cjv<}1^82oacVJ6Eyk(EIJFq37UR@n zoLY=ii*af({-TQk?vIJP`ZUQ##lniH@3j=dJQcf0Mx znir4VK54WSmNU1t+V#kvH$q#rVow}pZ59B zV|MkuduGi)UO)59zGwW)HsR%@^-uWkzwRZ+Cnr9f^Wc(~4^H{?s`p)UXB5h_kH2kp zO4;>aUVAB`!hho4eRl>w>-fThxyzOw$y@l}?>85<%KcMot25EFMhYz<=Km;ox9e4Y~!nS+sb}_t!kI+;Fr(M-0|$Rv(I~q|9Ic}Ck~vL zG2_IpZ%-WK22MTt(IY><{L!?JE}mMuXl?4-*Y}z$6YbU^o$2Kdz4hx?){*$)W#$t3G`FiKp&Q{9^QrE7?h}_1`{GVdD?F z#cz1H@(FQ1LViSIkBj%N_+j^+z~Ezj@+p9)5ZLZ&R^D{+vrhQVpVD1;|!5Ijvyl(Lu=!)}g|AbJz z*^8cf_k}f;Umd#7vwiB}_Xi6HE*kRt$_GARhx~_X2|T-E%e5;euZr6@YVD;1SN(Ik zO!hwK7R}lG2=V)HZ@{2xpFBtvv!5cd_4|w{`z)P>cThU|plpmfN zTiLyPVYSUYWgG7+7p9clPw%>Mh{PkZq&IIZxX>GgNNcG{L>YnSc&LW+@z0^E#>E&aNXZP)P@4&$L zZ$6aNz;!j-uUyVm`b+Y~#%u04Lnco~dY^*x6%OrDo%kF(YURqNpGLdOj_&^Q`q3j_ z+_vMqm^XU=Bjvj}2g|?Plz6|-^}^b~6Ghitl-W~Zp21z_?|6It!G37z-|f?K#|z&E zo_*?_;j52-Fe$V7>%?D%_IK@@pMG>vS$(Iy>xQpcw`2DcMfCnR7gAGX#$NwR*ZDi% zKCp8F`uoe(F*{y*WJl*S`z~$#>H3j%jZZL-Zb}_iur&R#l+#?>FI~HMzHU zyZgQ4JFo54&07fOfBkaLi(l?NX~VO#f0{lm>2ieiqA4+(0$=R>sS=@(+;ZCC59ih0 z_{&cZy!N*nf1P^dhW=In>v(#`>y%;~IIJSSD=~aq0C)mc*9e*gLK}u-3Nl=sdys>zXmM z(^I<69Qn(fvp!n8?3a%}eV}iTA@Yo4$ENpjj1(5fAvE^JTs!8oJ(+ViyrmJPo%JTc4KJnSRZ@A_L4?lfTOqXY353c{h zj(J)#q#vI;ZBUnPS#bwfO|H9n`;m=5JmUH8vLoNQAbnn6 zIXk6nYt_d`Ayd0z@}Iit+1guX?OC#T_#KD;y`L}N+@+g$!lJrg=y%?3oVI`4`W>a8AVP|MA_E?o(vpBe8?On63I#_h{Z<7nI?mQ=VcKR7zkCm4F^8N$c z9cf8Ri>l`ypB)E~o;=vMGrj!8l}E2f;+Oc}RkfcrE^)8${1&`)HRyeJr|Z@-YAn(k=XQH>{QYYhcOLxYUqa&#+?Nt(FWPnI z_=O99UGmF^TRv?X@${WzXZWG<)^eol{2iYTf2J$MVfQoZTaN8HYwPOT#t)x=V@1qI zJtgS9j&8iBZ}ZCExv}T}z4n(LyKa(&{8354Zlpa(%U{wGIPH<_Un^Z{2Yz2jyUGss z1nJ-nxbe+=X~X8T-rW1{dvE2)U59s>zhh;~uBVW4zp%w~({<}UKKgcf&!vSwPIz(c z*&zMPvKDv2+Dk^QTJgf;-`;!LJ-y|VElV*VNBv zT-&L040Cq3TP8HqZ_K;kmZxh=9BJ&eU0(jG_apnC{Kv4T+*dul z?64$B7oA=2eRciF#{SRuy6UH3-teoC_4n}Xl(P9NKkW}~k260Qa`7+T<5MnP_wH?b z8$Rm+ZY^#}i~H@U`<`t-<$suW|6AQ}md4uIvuMuTcdm+s%y;AZ7w)z#O>92)$d3by zXOutnnMCCI>)$$Wdz0`>-@1?3&2Lhlrz4u=cA3B9@|PX)P_B!?s1stw;Tz+={rro^ zH&41iBIe+jS$Ec*c>lOi($M822JI=GI@8O$IHzdN_^nO5ZBX&$gU>td-|#&5dFqi>HC_<*G|t3G_apY8PVO|SPtMyo_**RNZF<9kKBDzzuspZm{7}H z@$?l#$IR~3^5&U`9P55N{O~*bMlN%0d+_;cBvf?Fra;0yNnc1-SIfAr6Z>9u4x7I4 zmoqC*i%p-Mer}9w^NdmJzTA;N_M@yBi?)tHI(6ynl(HGS3f_^Veo=MIwI$bf{cua) z`x?fc`_aRnO8vHVdAaAquA=9wAC0%csm$pze@DuYyXK66`+o20fzQ45@leO8!%nXE z8?TO^-KpiVu5>Z!*F!em8MC<4@aB(}FP_KUcx+7R zuTq0&*PpiK*xO&EUD~w!=+4)?>yYW#(4%P1<_&``fELnk&XyA;vp*YIyZh^f4QrEz z)k?cw0#u=&4xXI6f7X3B{q`?tCB`l4zF^(R;T17mx_x~mIQPp(zJKz!Z@#`@=jx;9 zLMNl(%+E(Z|IWRxdFOt`H(fkTl-iZ2_i-HPGwnACnd>EuwCC*`E}3`kmunYaDADtM zo8$_7vMR2Z%|CKv=RW=6ypCR#-e-S}Z8YSnVO_^`W;flO(slX!Q-gC0W_N0Nw#&=U zPOtoa;i7*mc&lXT6%zT@ckMENhojS1G^GBz^rPFhJo&{}=Y9G1%0q_>;ob_GQrMY? zpF4Da;6~Y38JFJY>CC)gcIa=MF=*THUteO5|3`TIakv2oE@>HCxoz!_Uq0}`ebwTf zsLRCkK2JYe@q#4QEf1afq-*uQx@Y&Ves|--kDz+LD@HPGzxCA2n|bqlqmf>+b*7iI zUp5ScjGi}b%3E_rzqxAkT?-b>$exWPfBKFGSJk|D>Aph`q@kUEM9ikZ#_1nG*_c0Z z(MopL>l-&T-f?*M>q8g%Ax|Q`*8JU;>k9S{{QjVlxKad=uIQ`HDbI(L2I?UQCL`{BMvw!RwwP8`%ponw;Eh~KcWOJa8k%DGo8dg|R_ z4X@pq_Nsfq9h=7;mn6Mqe>Z6pzp?zQ8|p89?_6XdT|YaeEcfHCP@tYZbI|Cd11*ma zuiM4H-3Y08Q_Q-%rcbHwRr}F9eYYX&@$$q)-6!qo)8l^WkJLeuDLGg;kpI=g4_*dw zUe;xy``|r$R+e9MS@7dqku^0gy^kYf-r|AsV&47ggF8lc-|Q#3l4nq0Q4Wz z&y6|l)#jxYo5v>l6ASJ_Y9cXaQ-HZEL7H{?#a+MMch|Y>=8HCNyk{7k(*-f>?rqwz zv-#Pd>Tezb?eTGoC9^9of590&z^$jX1TI(}_wDENZW^EUAlzpj>$>p1pJ!k2>NnGZ z)BY_rUo$(UY|o?bc0!i?u{&12IO(Q+%u#Qy5%b}o+$WN>UfD_Dg$Vs5$(a>>A?rX%I6YF@m3|BZ1eNR#yKOpkaRuIuzOhdj5isqV0Q#_i=- zeYzy&Jvhebm^GW7C#t`2-}BksJ1^UHJvv)|yGPNSw9_`Ay<*M!2b!P#TjA=;-0arkDS;s{VGg-v^F<-Lk9qZ~aI1_RN49{g-p= z={M%RcF)b{9Ut;&22u@A&rT^@l{E~m_kPgV-@Kr@dM} zxMA$%xReJwKV0Cy{fApKk?ZOy=UBUI1ofc zeBb`=l6~)=wRQE@&$rJ1s^{{>J@tXvma;RR9I<@b!B_5o=$i+|k4EmtT`}wKe!u4U zZRf2>oqoX}=z%3H>fZa&7p|08=9%>7@n1Yf_j`Nwoj(jlJMDezZ=zk>rVf2(+4Gld z-sSW3lOUgSM*N1`yG^}P;^y(w-uQiFUBS_%AC%X8mxRJeOV{6;JKEh`o%_PuALe8l z18>ENMIV*@y5~QSzTIg1DqD^pwJh{FBuit*oJSwOEPwAPsADcq@8h^)%VNpx9CsIF zlbcRZGn~r~-3xV4SsD2Jp!m&8*$HW`y$;x8LV6#^!-Md{=HS4-n8;3qWtpBfXK3NCHmK^DG^Zw&F2Xe&Tn+L6{djFl208Mv8`^CRv ze$HRR>|J&^H?7~^v!H4lpWeq&{?o%RLWeYc{FKe3x30c;q5Y$m=JvV=8QyPpJLFim zZ|+S8o;&Z;%bQY=l~g=%QTGL(KE7qTM0dx3e>!>xwS{}*%@60dAnVuBZPYN~-L)&f zSa$z4U7>y-)GdAkP4&8|rBmmaE6zN(;Ji)4XMOzW&P|T8r|Zu|M#`P(+cz!g&z_j{ zL7e-0$OA{Z%-`|M@JDm9W_N0_pLt>GiUZe={MozDwkaT+=aTYUzwFfw*_VBHHMD9| z5*Kw}@ZEPqM@YNylxeR%J^lD=GatRD_keAPeNz&W{=4VbpO!ot{MEYz4Lf&sO4-!P zPe+{51H3!AWnN;?>1?pio0R{zY?+)7E{`Z3TyX`1)*Qn+n)i2x>wPh%|HKkfuuIyKD%3?C;qeFr~^N4 z9^ACdi>${*yJLn=Y7$;P;(TZ1(its~D}EcB-e>>lUNfQLardhazVqgqrMoBfKR@=? zs+NqeW{s%dS$Oe1LwEo1$-mrFe>=Kl{K6TYPoBO1$ys|3&6-zt<6SGCwg2{F_4X$x zT-R&Xad+^Gr%yZFn09#kww`J0W;PzBG7jIkCGomlBWGT;|M0`_T=VzU&+V>TJouJ3 zSG&Z0N1mwpX;j*)1&emaI0rR7^z@3YH~iD+!KGi^^^U%Gj;{VKn7t0X2U?!AU32`K z-yd%tAxbZh7EL$s{<|Z{YjS{JJ;J zAmZa5ORrgc_+LYp9v-y!ibLbiww*KXd5M3gH8WB^Toc~ z#fNrG8&mh~zgGo!f4%mpp%>iI_s-!BV<&eyqwkZA{M)xKp4WKf@#QHW_I&E6E;l$N zWmI&x^W0DE+Y*LCU7FCdXwLXguKCUZRd$cdVtTHy5 zidj!K9N&2DEx*s0G3&K^U)g_AYOib8uYclzGcC#a(yxy_4L92-V>Shr@n`1D?$q*i zw`-gatX*}?c|{ptJujW_@^aU}^5;LVYXUZoYbP(u+I4{O6{` z`|owU`9*O1^Cj(ZM*N2COP7>OT5=*N+dE@7_1@B@L#{lh z<>3Eu@zqgLw$I;iKa1`z99ddISm{oYhE+jOq(r4dIt8SgTO6B)b1__Z+ zx|dFYrQfq4&+q%Z|L!?^-P7}#x#pVuev%#fW6X%!&Ym)%tJtGe>P!2zZGinphgxot-x_b%e=#|uOXITiP3!HWoThgS-Rp+S7jJF`)w1d{=ybwl z)2ncRfzY6>r?1eG{XC6};hR?Vxc^SX!v~fqa%?{zG}Rr2dWwAz2Gj^&o5xFwnJZM) z`no}~Yjiv!WaKsu-UZ&<$;%FqFTIxL9fv8oUr%e*xCl%;u(0VYhcp;ioCDbReCb4S z$722WaM1dW;m;q!{@y;#K~s+zaiy7o!QuDjwX+fZvJ&X;qBr@3O=Geejq`1NT70qL)%uj)}%yO#5uH~R1K8SX>Np_H_tu*zd%60+onxE@sT6f zAQ@p+B?t9QhT9~TqboVQw{7I zeM`%S4~UV9I=wt=61pPm(4DRX=#fF4BPY9ScA|Fe3dGAr2Z9~TMQE%5$lVIp1JHfC zx+bEht|`i@rjpQ8Ll$Tm$bSF36~agg?L8a!usP9svz&I(lEgQy zTJ6pyAwi<12434593DQE)p(e=mX7vw7(RCYVI1Z9R!q~tHjO#b1oU>UZ4%fyAZT2Y z*&Ds_$S#Q__-?vNON@|9nBsO%hTXY^dE=W_tO)`UX?sY-(24V}KRV*?*D7x!0?@U22G@ws)--!YLe8-n zu9j~Q`)Q0rDGE~-O&{9K;2|@gQArS9#=bAxpJjO5EIPwWjl+WYqLcO6B6&f3yKdNM zqnFFX$@D)DsUG+=G9m)d8;vyDqfep=_3qojE}%%K{f*b9)Hnm?E#6vOHh6?pBOm@} zgxOvn{7U9ax{jqxbsQNRivBZx?+ohn6e+1_@}uE*W^7oMyPLiUO#8PQtR*CedAG5jH%k5|d_94`PNJ@_J>-)!II)hzDLBjS zY~+uARf0F?K3NK@>Jw0ktun}{T&F$7IeN1%&O!Com1S$FA0LR(d%t&NZwvf8Hl;|BOC8lscREbDAl%Vc&;D zq@WEbW!7uYw4?&BQ{e+*Bn~;bS6#G++7YEpq1p4@3q4k^{-O|THo)bxhLK0=j-NQL<>*!DlvOufrvM*AZSsC^ zo-S)_BySoVh`qmVIRJclqF?WHHum^q+4*Im>MeZJsth%&U_5+a3+h#}m6B>Im7%|4 zEkg|aljpPfg@P|%rj#*tfFb}TP4J9CThi)xFfJbjWrhgc=fUN12OXJiOrgmD4z&gP z3F_Wn_`wcEv>%&*A}NklnLo9MgPpVx&|pX2#m_pW`=4{B~f^rwzS>Xc%Tpg zjSg+rTK=EsnAIELEVY{3mEgAQ)arW&3Ah8OR09=H>6UKd1J#t8b#^Y3A$BcgiBv2? z=l3<^gM2~6Y6~710XHC*6dJ)vU%%aQYTOu=@XtH2nF;ZdRq_h+(~iP2oDM4d1a%9u zC#PTtg(~#NwKEr?4L4q6L9+Rh1b?$tn&Gjb=*_VqDFD*Lg^;clcW;XiGAC;Pey0Ov zgs93r4iWQYO%chgJHH5ffJ0>?Zx?Ze%&Gj;tg~Hfu?rO=Eik?J*pByXb}un(j{$&` z-bB2R-#qL$KYXH_5M~^$Cd<=TmM{N%fw=75@%=k~c%Tg-dy}cBPgpq4&C4mZ4Ga#Q z1{7V^%s#U-0#jQtf;9Bz`47ELPvUAbI^va(D-`GXx@EFxGhyTMLeha{P@X3xLVl_x zAfkrv4l6NmMecv02#OM7MH5lQqAE$nxfIs_W&3kuf!p(qHz``}ZpKJdx)3m(5T6+v zwy8AuhaNq*e5veV$%>rPxp&j zA3pL!T_O0^y}NPUS5Gp}QSC7sBGvbBFtx*W9UJvkZ!!|UVmu( z&$iEb&oR|cPDS)8?{<^Qd2D6GH?1Q5N~q|EY9RQAA)nFp3XRbOH{HgzyU%Q_Y`^bc zd;SLkm1XJcdwe$E>T0L{mUbtsITbpys;Ll|^H{0&9B>HWn^uL3{l-BBIZ}4=k^4Lh zB$z~h@{cP9tF4zDGrK(fkRPeBY#qjbb($% z0auP=v10qr2={NW^WqyrrWz=b7BUP)AQ2!+QKyTLkl~GcE{|>ocXc) zitJMZ?P)s&lBBO|?)uB#pm%091BYX!Z%C(3{`gpOP8PWein`D(R+|y!hYldn9!X3~ zI$MdS`u&YX9y!J$rMrI!Uk-33X}pO-J_9#9s(Np~-Mck7m&`h|(a{ykK+Mn|A-o1T zN4)CU(bFdQ=QDB8mN=R3wKAs^mB9}Xi#qOu@+v=FW+ z`|^PxEWv5rV#&~5Yqql1g>#|v;G0&x*m4)b2OuL9P~ocV1{#{P5$)#pgkw*9S{7sY zhHlZ@iafA64@hu2OHom)-@y~}aWTimx&LetN;XbS+y8t^nw8e~-|lMgQ>51l=8c$Z zTjOWSl5#*KcGu0hL;dPujh9ZU_F~lL;2ztsW#omBeU6yTZC`p_tTSNU5tmf zo&gZ3lQN3B&{4mV73GI&BcRb<_7z#_!4CgqjD0qxLP$UIw6wEO}KRXQZLtkD8sehQI!k%a}5~=*)d3?n(5a%?!?CC_VcW4@Ml8qx! zzQsUHk$@fUV~l+`RrqGO_m^;?{pY^<4nvMAC|tfHhNH&FyoNR$wA;3@3`z{&y-CFRF(;` zUby+Arg1`dtNT5jAwigdA$GOaiz|7Xr2S{LaRGh3qN zKVu*edc6_-)6sWcjEH4&*2xbK6eT!sM3i4Y+j`cFB}hHA$}!Jwt#*7P=Z7kUL{GmI z9>1dKhk6Z6E7CRTrM*44f2=_$AWtW_gdyDTe#;+qOUVxpgy4eWQV;BmVh7Zy!V=(0 zYDFE#S3+tymy3LcZ(3E}lk7u=jARElcf;5)L~nd!xQ&v5>2-xP+v{up0B=TiodWSd zEWx+56lvX~R;783W_JiBmk)?pIIF4Xqw#(9M&Z9{Srl?tZy}+2zqL`CQa~A`qLhAF z+#nwAMe2`-4_G2{3P*QW>#oj7UJIpYM2YTKP>l3PMjR^qXFd=#ftQz8R9$;>_6^w+ zysx}ezdiNMBr8py1c^#72SWF{=>?YpMI$(-BR4yk55!J{8-Sz+QJq_1m*AY32Arpa_LP z6n5k^*qyl5C76=k48&o*Z@G5`Un=pPkEGz6Ryp;iO^_i~IlR@6Pew=!Ix$Zd?@%ybJM%xLE3_n0SK>V71JOHD5!(bMmRs66iap%NkY zi@XFD=8NnF&Re}FgGGTscv&1&yEypxfHcQ0mvA?cw#%d0zK@d842&2$5q?me#fKyG zlb@h2XSPx{48dN2W?PvIai8YWB?2OP>Wq)Jls+l({D2{lk#JB+ewZl9N0BJ##Z4p1 zoL}2&w;vDSYAjVweABAO9ifVTC~X4HFJ5#z?=`A&2o57olm{z&$9=^Mjy~dSNddIK zI=C5~)DWW~=S?*1lMG0;=?XfV%P|TmXX9joD`1?yN9mIyBN3pb1efPwMt8hjbM;Jw z_z)o>gV?ef5$yL@Cx1NfJM6W*h@`~EX->r4NQ8R2#_vx%dD*7CPvOD;xu~Q@XsSvv zaZAnWE`?C!qSu}d_l!%h{F7h_#W7xm{*z*S_3e@V#~`P$HjcjRna-H2RIHLKP7(jT z8hk^h>29y4>C{@?O2PFQd>0xteEWu?Zt4;OAAksQBBWi9vk8dhJPe23l7SP>qHC^r z-z_R>C~>)hTs1Hhq45&}HMx)EzSZKd6&6!%)I?}E&2zR^vk#L z0muxMYGCN3t}Fm~%w(T&fUQ^eXseE;;9>+fZ&n?~)(n`WhU2pQRbZO=Xy%(dllZFj zZDlaXoXEmLD#1TlSoXZlg`zHm1}7p>$S6RmAgsxJk^;l|ET0|nO(}RmL#4|kgoYd^ zUL?Px#?!Ns$u~3DqHa-w)C5lh>kq>Jz|M6Ttc{}PwR*lrhKzg&-u*{cT1|NWwGOLO{#aVq?2v?|&c%NZ1z)<8Vq-bf$jici( zikcVx)Rq((`2rM3Iwip*KF!Y{{Ck12)N{8U=dh=cZhu<;*h7Z;KY2Kcga>t-Y%=v`Eg8wth+5QTLyI*iNGWHC9)|4Z^F1Qrf-8N))ljQsk z=YUev)$Kr!tcY(0c30g2{-*#tl$B|{o$~FziXR?G2xo87i)`h?0SxrsY?5R?PmigG zgK>Qwb}Nd<*a_!7!LD}lc)x+gs1M4 zA|r2roAH$rY{#ON^SLNF@_9lYo`#yWn~vJGo99%6$DY@2s)4mt5tF3INCyx$+VIv_iqlAh zz(-`IhY5aFC^a$g{4x~-rOPSuaclK^kt$m!Wd?38?P}GsB?~3!;~ z!udGS`4~sNx`*q|+{~H-d`zZ7#amG?HEQS=41q-8bc>Gyws8H$Hf@mR5|)rLE0bQ#ySZM%|@8I;h#>bkG$t3rW3_s zev7yO?&MgbSqXw=S@!`fHu7Fu;n#_Gv@7Vy#xG-?Mc4S zPiq|KguN(30x%Xs+%f&+7tIdZ-_dI<3x-Eq}SB;z!`Uh;EvJ z`KWM_R*t^fY0-aMwQS+wlycmFNvlnBU_cn97MKuzPoVBLbo-&O~uts?1 z;)>>UT7buvCo?u|aXYt-c9tAh1NqY@kA&ImKLa5BT*~rTF;otd(_~Ny$&F6WADgJd_%AkSD#>Ro7xk(`d?0+s+=d{vQ zEocQczKUwZ8aXRX^}x<54t|YDVm_CgU-Rx0{B5b%xUg;)iW1!CrJp!i8p3&OKTA4M zT;V~#4gjfP-0ZE$oY7Us5i(u2@!3+cKL)l(e=(HWNN_Dpa&z-7zMcewyGAl#eEVe9 zS0%+4m)d55PJ8M!!zLya4iHJT>5^hzJR)z6a+k5y5J>*1<|mHU4B35IvqX7 z;{YGi95Oxt-CGi!)^K_40O+*uNMn*>My0O+65)31I_^)C^B$ClbNy{Jt{u{Op5Ia; zs*2HZw3EA$e|l0AjVFB2RU2!0qu$eEe`x=!>0}OE3XFUp6XDLmp_>hPkz41nbXslR zlbCif&F(<3u$D6PWkx4OT(YT2Z2G91` zXXB=A<3P|47jI8}3s=f2_;2}Oe-m7;(K~7LVe5ICsdJs+q zF%Yoc$1zJuo19sTqjHYIsP>&uG@$byOwWIPN^*+_USe*?OH*irymPF6@Tc5 zl85LU96tIUDmN|8j*!l%TJD<(f0SW+amoOoxYxU+oeDyqFy6dx}HJuZvJFo3dtQq6FV~ zxN*uKe6uT!(=`sP{P>ya2!T538hUoON>gaGR^KPj^9S}-)*Kh-PQz6`@myGqByhCs zLYy*I=ASK;)WXr{yZR+>#icdsN(Ro3mGMohL@QbtQAkekFt)}(x#4Ed;0MhcK}wHgZ-)ju}+je@09@Cy-zezP#^s#GVvFrRKuMO9Uj-$w3R6>dq4IBzC|aI03& zN2Qud@%m)#jK&lA2!GPJx6;AbTfXq$j+y{ujFfl5*}iuA1!tqt`b2I^ypHX~U`#*s z(WG#p#_vySsoOS)Z1lTjxmi+Ovt;&hMuSYDG_Hfh>s4jkTFG}GqlT)|tY@y{ovxWaJ2z`P;@uvco zW%preT=hbs8WuDp|7fN_cDEgru;n2}~I9+c>BkF$VM9sh-dp92+2!qZIC zYpJ}p2!9mT-pEl${Tr#QD=un<`w8kwpnR14P^9PaktkH`<_HBYmIMw(Jy3vo|9!7Y znqyt)ZPJQ%QAxZVd7<-d*cXurm5v*c3-H;%_J^R{1W2!^!UZOVb zY?9l%3yC}?_;$64A;n$3Hd~qY{0^t>^S#ihMAkz&9Oj0yH>F%{Q9OS`lC{;o_H_7u zec(@@TA;~%a`4wkWO8#K*@gLQgZ4>JCY5bnPY_L4{MqykHe9GbjZ@3A;Q(5veaeqg z9(pf1)h0$oQ0;{JGp%Y)QFW#Sd{%C z20)<6H`9q+uLLr{5DM|QNF~5Mjyu85Y-}OoJ8V?QDd>D=gHd(VX%)2e=JR3Q9lZ`& zSWkH$o!mzZK%lx$P}J)gl0FaoP)m@#;f*B?cW0uN+c$X`H~aqRG==3T#t|@HJWl;c zIB<);-u2-|X!4^I&MV+(tDa-|v}(Vj+!+pkFGmX|b0bm6H$cGMQ9JV!#z46w1Qm&! zy>{bBRwDC4ko3iXA2aMV(AU=?qCXeCtRVnBem-&X;33@m=6@bHKIGb*Z*?`+EQC3b zfJa#qpiB@xDm|s|#J8*R+@2bjiM?g=3e#D)0yOu9|gKNtA zR*NL~0OXV@ooJtdP=*8<2?2-ht~3cYiIy8AhhoL8h`0tqU*piP6r0OOq?*&a zi;?ihxD2b)=CjY3t=$-+oo+RXdGiRK!ie%ipOL5rMqPzKnH3CO*D9qcH15}n{yYtU z97de%4H>VHMI&nNUOZc4FJ5oo-dt-ZOtGz}uRt|+<`EBQWb->XCE$U&Q1+&IqeS?7 z6er}{Pc?=Fch3PXp)~`Asf7@`Lb1AA6uB8u7jl^f6!&|bGe-$|#Ejfda*G04CGR;! z;DKXs_NIB4Wq2}b2GV)k_j*(5qu?F*AKpfrt%l!kx?ndhh7ofq;>*nY!%U@mJV$no zh=3^9w-0RB7e(;_ElSnEuI*JCT96#}T8Ab`#ki%Im25^AOf{7866T-} zZjCl5SePwRUd-QCqZ>u)eJ7%dsEiSAE)yplDh%UnD5O6Qn`ov($}jE=%WS$3fgG?=;4@#BZOGS(BL5UpNQ#WSif>va`Mp$tRG}PwdMM@1 zRTT3425WOQkQp1M;Pi5l4*&9z$G};8OH;2Dp(o1~5P!D8wR~FjFsdC2MYQ9>m&-!G z0`#LAlKW9wvJi8iTs#5;e;dDVsPlm*%rdk0f(AW+$F^JLdo^avu|&fNf&KX^s6U3s zL(vaaNf13IrNqWa3SI*skNMJx;tn}(;Q>n&IhK;*hGW74`Sq_w6{q5&>_jJ=xa$)#F&9LH z0n=YoT$Soh^P@_ATah>nnP!u#Xxy_Xgb(~CQw{8zNTwkH2cWnb_By5h-DDR2;^nJH z%P!fhihtk8nUPjuZEe*f+jfR1SnHIcFpN`&{2wZHWf z)HTcMM?pV6NUtuiT%1c4;I4ixdfsUb-S1Xb&sgNT5J?6)St`mSc2{(VZVhuC;v-ex z7^H6M;48@beKqa5zrddm&+@R{;8_ zpl;dF+u6mjv;BV`x|%#lxBtxVwKsJ=R_ksu$L4C?kvAce;?cX3^OST2qCKKb|An1q zCrn6#Tj2P3?D#pg0{uNC3Rw?y+ApO@NU=pe1UV!+jWi8m4q51bejcXU)ny*qc~9Je3nJC;P;ph)l%V_WkMl80G;-*l;96YzXvA`5{s8=$Cp4;()RK}wN` zRAPP`?Z$X2O)=vArNbXu3O9@|)OUbzv)knoGpK2nJf7^X5n@O%jfOy(6;af@T00*^ zAf=qD6}x5eanHnv_h-JzmnAB;%Ke?;R%I`j654M_<});+KmD%vG~qjoKO+j+0d(3w zNWJ0B6iEV(WErnZ(P2sjC21-??3&y!ZR5Yd5icOiiPpYi2Z5r)L}C%b7RSW2+RKhn z23H>Xp%@|2)1(4$@jJ*-To7qLVC3tW4l@6-UNjlC_Ezxk0)?lbUWLxlQ~ev5&YPH$ z34;@>XO10JP=rF3pP;TFMy?2IB5&AL;w;tWG3OOPHM(iXy;5?FK3+A6cz2Paj$z-6 zQq9)LM@Kj$GhKS$tQ~X-GO?o4O@K~&mQ1R66g>o<4Ug!lW2y{@Mwuqbe7~npeX*vX zy%OEFGEx5djndRobz`TCIQ0#D;0>v2pyGhjA`zGmdo->^GD`X|y^-5T(i&zWc@a6{ zfNA1{-tM!C3MCt0nk=~b(Jg;gR5}FrK@`<{lrm&lXZb}@&F#uv^`3vEZk-He4YekJ zjD3EAc)k-R+vL`|KHNy=vooSS9Vhd(x)F2W-H8WdmPJwX-X!}#3lU`B-242lgeUbS zy@lZ*@wFihbN(Qri&w&PnuZ&1QgGEgCN%k1;91AvmzT-bfy#a;FQC(YODj|ssR2xj z8Ps?2h1$+XV^Gs2L|oT++n>5nb6>Fi2K{PzNvcivJ;qtt#&|>BVIDlJ7wh0^Vn(IE z#&OY1m57QZNKNpxv+2r8zItfWw8(A#zT^VqcoEh$9u6k+IUCWQDu((bZRiSl0FW7k zYGCL+Eh503Ow+|s--a+N`KpK6y7x41kGmrO>;;@ZAhF;nzn12$(L*J-nQyWu~8kr{=NoQ&knyuS7Uta zEM~CREOgvvcI~|bt~_~yqUL?9A4b-miEdsy3o%cL-eDJsF(}zuT$VJ87a;p&StEkKL{iy2W9GpK11I*y|};mxKt`*mS3 zMZolnVx|SD>%9+|FlwzfhsYu=v$6l#G_=iRzc_cA#MO|n7qucrNB0 z>4kr16DZ$eX!M*>G1j!1la$4Qh6$%fLnKHP5{_?L#r~w?0Wurl<8x=kgjQY;oXno- zywN6txz$9JbYV04$T8|l*MoThZn2m2Mt?e~UZz>&K@q_?iz9s&M%w-Xyw1F zZzo%CcB64El+G;f=HHbV2873+KabRkM9L>?k4vT4Dt&F&uL2M#xgv_XQ1kuB%}7^p zy6mb>i5$=7@vESnRP)x0sQ8i(@q%=JK;vGfzO%(y^+D6cXW1M41a-HRDin}Gz)oJa zR-PP>{c!V2(~ajZ{m{9U zcXiw>`~tK;0`;A|daiEOHcWpPCnZyAx)`P&fwDD+@Gu!kV-$AvLo^f04@E){JslF9 z%K?Z{#Fu7rFAGQR$>_<5XD^xl`n!gN05YL-5+eL~0C3z_uE%SP!&T4}_@-5bIqt+b zVchy69Kfe|zaFpC{V1ZBUYEVx`$8V)K@nkLX?@WBcJyV#qYw}5v;@O+62o@b|K119 zJxTZ4k;&9QnX5a&6&lz%FgYvk`CnmEQREbkIxEf(iWzXrNgd}(bn%J9d>;7Wfyz+! zCTE~43n!btzQ;1f%SUQ_-Y+LkUo9`0mmIPET^KcG4KCHT&U=-R?`~dIsgw3Po3*x= z!IirbK&Soqj~#u$oeJx8GMS;jKUa4$94DQ!&n)EgcN2#cNJS-`xWl48&{XtmTg@|S zY99hcEJpeX>ITKz$oiqHfwrXZ15(+K)(y36r+-Wo$E&yXZ(fR>Lv_^2rVq<-zlOWR zefFO`A4CJe%dF}&oD79=GOTu|!UwV^w1fpQgry2WzQ$S+6+v+wLcqT(Tw+(xK4an) z8TFFq>Kq~pHWcVb0`Wi>g6QcHmQs9t07D|`^wKvigv+skCe#Vbkng@GxvtOnmjYeX zR5yihh?B$noz|u=sBhWV_zX8padz_rMO~QrxRMDq_2_&IAepa)@y4nD&%=sx;WXH~ z`Q;j#76KX_+Cb%X>LpSZOju*>Asq_mu_MNZS+TvK{ANrpsC83CR4R6n;Q07wtl zW`D-y{Vxqaw&Rt~MEPo|E*J8w!Ere4nfeddTW#r#agJhqd;r4Bm`>zMLf6QMnvw)+ zt-kDWuaJz-uwrG{D3#Q9?V}|$&=tGzWv`q zl$RMtfZUhT4)-o^u7--D7yAKo^~!(uH!TLEduDaMN%6jH$Pame_0>Dol{fo(`}`@N zpWv9gR-FRwFqh#MwLj#iTfLYv0`yv9BYHO0pI++H9D*x8GUh|f?!DRR>+nuVfRBC|lGjYbg{vkn|Lmmp|APuJ)*WM8kdSSieG(c#2@g&_34=jY2mkUqIRH!&v z$4h>plSa5==fJ|AxBDc>NCSM+s^gyecVvsv=q|<7_ML}ZH6=m9V}&CHDT#!%WS8u- z7cVU)>YK*h|MI@WvCCIy>+V(auV(*wsc(M=tY>qn;nJ1O``#;ZeDZ4D=gy_}D$!T1 z^+PSFqjt=i>b<>@g`-Qk_&_zTuo;i0}7rhZz{&zczlhRa}Y43s;NbzHHT;-!RY)S90?5QAL z)i*OJ#y#^4mcBW;5#j^Y6smz;YXh{R;58VXr6_soO~jASEWO>=XwI4rV{5K;gJGA} zKTi3#^mEtumbu5H+r49%>$ zx^96a>BU95U*UiEuBqCb&lO=pOV|T_dq1XCP>h5~X^b%aPlG^}9NZdh2sR3PzjK=* zd8nwOPdggc553eLA<%8BbdPQS`@wtekm=qLsRqKI(>(v7fEjU`C}Pszo2i*TSKXaz z%&X;VA{WGpzW?u1L`W<{d>n>FOV*g-c7cJ3P}Xw*Qp%K06qizcixiL}kFWPMk|m6m z6ggUcKS|{feoOAsbW71`l#vJLk^ zoz$i}#O^U_$IVs#_RRkC!qR$a#>i19Y5bPo7y~MET2LMTd;>*$1PJhBsK?#~muOnA8^w}*R`kUNci}-O*YoRm+0gf6w~xMkldqBBno#+d^Yb!hjgcnuz=X?+&&kBG)cAOonh3W19CS=HsYbPoj2) z4kJ$XI$~>Pl%s~Ai2v(Dkl&g5xtrSxlV4l3_hK~ zo-x5VIeUUbyaQ2a2-M;u)g9)CgpcJA9Kb^ol20&;xe4Zv`*%Gy>P7lJYr{4U-U>~c zCqLg@_udmTZ`}7d`G}s_s2{Q}I9lD!A4?XR4@r&ifb&KDbLq?hgiiZTXZABKEj@R? zs?@r+Rs_U#fDq^t6q=?Gkc$RD01~^A#NhRW^Y%%Dt$D#%V~*c9(N}-nxsMzqVCZ3Y zp?f*f+GL&hSe*DK3dw?RT^0SAA|%=0uUClBAU&loWX^y5uKc-;LI*$3$#fFf?sQZ(44=Bv49a&Kkc{?Ziu zAwFe`H_LQEz^=$A_fE`9ZhYVkT(gNqTl6^@`=hBR!yR1{XGY-9`WGM8bM@D@YT)PD>Eez=twfS0DuNM}z6uQ4n-)c4p|`XR#}@YCbi#DP zUQIe-ya_v(0uLi|bM5Y8tpNzkR<93N8Hpv}fpd`j>Gxa-elT+G&DoAP3Q=>2%<@Rd zQ=ckWaW#%g z)I`*3duX3ln=j}xV<#f{t!8T%YBC^)l_?b`i&?Bsx|yH|g}Z1P-Zz4<_oz&Wl|iQd z!0YK`9ajDRpFhWQ9*f0YYMC1xX-m)(S)Y95DhI18U43H~)8hz5u-Ezt>;C3qmIlJe za=fF^EKR)}R(1A0$$IKE8r*FEew%~eeN^G6o*EF>cvfUyqbyS9l`7|lvLwi#eyBqO zl2}xsi+AlPg>^(R;klD`ZeJz+{^!dZ*h%rNTC=(g2&;{y-LoahAUyCfj^i51S4@4P zU}}WN3p(HDYW@L^v1>__=OX?4Z!fUAHal@EgcREm&6Q|yN9DYUFl5id9TEw>bKGay3@+P}w^-D&UvQ}W_KF5{=ovgt4&qPIRX z=N%(ftirBw#NOg5*~0~rOWR~6*JZ#kZqZ-wPaezRhRnatsujNQc!9YSf z(TbwUVihXUr?S$YEBkEzms>{gs`&(+dp{Td{%MnpZ{4hBXy;-H1R5=erYYo(L0kpR z;B~bN^MHIvyZo;0M%mh8tJzRb*(JK@Cf9Vems@i^W9s!JSdcbq8tu+cF(*N)-o>}B zBBhj5fY5NM9=!~-ZuO}}yEAU9seG@kEg5_%ei`Kk0pi{omhCzX!}SWjG+So@sWd#0 zl2Eg$q6&{*CH(+U-0R`6j}P{WHVClx+4o@lSI{GT&2sbyA>H+XzmMU#-{(n+1G!Xq zWbdXw093je9kpRjHy z;nWr+kz4gh_m^T|ntD4C$uXi4K0G(HEBg1p0f03zFR}CyMa=2^#@R|j;ZGj!Px55Q zK5cyKs-Z(qanOwL?eAOVIn<0;u?A$t@A?(@zdo!;K%acjG&O6WwxlvDo%Jc^k39g< z<}id0KlJWp?ehZDl&ec~@ENzoDhvWfJxuQHbYb3HYWNu}U#yCI8>?ZszVB;qoENfK z4S|;HqG<}}SrB;O0?bCDrUZ@8xUJ?xQRuF>^5E}BEg|&D?v8V?;+!#S-}Ku3=ED9b zPmvJlt*2<3!rU?X`{@-x5wGv(oTZ!FVig^hUGH`acs^zS>qUIUhv@h1_YA@6#I-JNUq7;>SEwx-C=AWd--+Q^LIa+0^f%pZH1cWjk zyE}VYkI78kj?s{XKyTsbo^GZ`r85JLE=s)iPQhLSHU3-=AFDtA*B!Wvoi@hW9Sy;1 zzEP3Jj*1;o0MdyxglhzH27@Re2z|oIEPx3tmLHdxtucGjC3I!-|33yQ0t2#a(-VcmZmZYZTo0zt|f8zQSe33}kqBed(xpSgE(l3oVd9RjoUWP}Sj zH~$vS88UX6@>(_4` zS_izEu*B z(k=68l2&i8qBw{gx!N9G@ok0?mF|XbT{WYWqL3~LR1`(+FIDfVIP>wi=SvDxz%Kn? z5>Vl*`f{qpg@siRM{=m#k-O`M$|T62rr}xj0t(1AOI?*WOR`S?998cBcCb<8%3J(> z>4&B8e3|mnQ->~CMZ`M}>j0d3zXC({1peaTs9Z>@4%V+EOBoC@AAkHg@m~e2a)O>& z26~vP`Mr_0_UO-9uWq8!9e^SGurg;skdn~JDXn_-#8+TwfTP&0ca@T=e-`$ydgCh` zAE(U5j#@J?sUPttkWy(`K%nHThH#DRpZuZGN`?zPZ_EK0vYwby5a9!G(&9jCM7}YsTz_h-+V#4{GWqq!PX)UHE7?;{hP zaIirKJFX@~7c!&Pebv6dM_S7*s8yA#D(%4ZnnSsvclm zoV5PgAByAGpFA)i)5~gSOZOYEpC8e-aQyLqSVrCe zk7TM!dhofiYyS7sHjW-WB+wK3Ey7%a0>8SLxplj7-@0}Em zRgFHB?~6I2iYYF=%ZN%x;agV$0ypH+xq)6@uk_QK$ZeQN_{Qjtnu=B@$F)oCzyUoe zJ&mw~`*YN#r(*_Md$RCPluY=*0YU!s_Gon!N{qnjpFZ?E%%BWJR{DeY3GF<0Va~r& zrgZb%ReWdOe(2cfvHIosxqX6!t_@_FsyHxjvJVF7WGQy*%|B%GYiH9HJWkFuzZRF5 zlX2xj!Vs#v931VeX_@`dYpx|tm;o!CK)wr0# zLg2EGz|1&hXEq?FfD2=?4|yH|kZq`D)4ZA^G1w31o)l^9q4M1vwM+7{v<&6?H_99k zSTWeTG+_x}MMOJiH7;!?Zc}N$hCt`YiUYea3%mdeg`4}*taHPz|D?3pPT%|3XPTFG zAqyE9s;Bq*m@jnl<(X8PLTj2K*uZBs>VBNG-4snpGA~7@$57dWgHtmLV$U!>!?EifKKsb6duv1FxvtclF+;IGq z^5&%rP=LeFBx$|s^4U%l1JfL9R-SNHP_p3z^;E@yEA=s4uxM?=?aFt%bxZz}I-`c` z5(m$73Asftwe%Pmjd=0dyH#uRW?AYV%zA3#ldlAdeyAcy{$zXpBx==b&c(fgD0iv zII+(L`kle@qO|%cXK3W*PX1VQN6+j@kgqg0M@!|9_FBQiyqOFZ)KnT=v*|>gkqV)J znj-E>&BqWh98bi>O2(qX0{-sGMkuIG4HNoMdJW{Wowz*To>*x+@%&B5Eqy8HQea$ae3HT2XA=~1J*+57lyb8&C~ct<#RnLe4B`6%?57l9 zIV8}|jcY$|Jj|}pOZxouf7#uLJMH|Qpkp{Q^xQH4;Xoe0MyDJC^(yrf9%DPg7C}f6 zZf-+7)srhP#$23?0bxqUOXJYO)p$u_j)an8XQ?J!eD(lD`aYUw-B|UQ3xL6#TwMP! zYz2&M>`sYH+&<`kZN>BClHd$rIHDGb{gohb!X@wh36q&ByTWS&Ku*8-36GuK-m-&! zWG=RuJRak77O5=o%K`?5y)fG9PdzfDZbtI z{c8z6N)KZwxh{D%1xMKo=-s#T+4hg5t8V^3uC6>B>aUCE+bBj)wooGbzLUs0Wi3MX zourgWCX#&_evzF@va9SSOTyU3h$6CN&pMXKK4clj@;);)L+{_7<8!uq?&sWlzIT4M zMy4Hu2hx><;!mDFfN+Yz-#MMO8yw3`PxP7gZGO0KW%-j?j3jIWuka|=N>^I=y7zoy zHg!%R?ctn;UJyEvkd7;?`>OCJ5P|-6o>yM0+Y9xdF>j7 z_M%!J2dh)5Gna%$TKiY!ib=XnDOTA{H@Mb%e(|_JV7pEV(M8G=`sdF2(Y2@TPrLB+ zAgc1H>2N10pvXWBmKMao;N`d(>t6pkWL(~Ps)m~BFt)8!r)==f*ee%3cj|4iWvw6K zhj;>_T|GU@u<1m%`p-P$=J<%B;{n;K6JsQE<4Vv)Q&v2*Z#Sj`+6P_vti9eaa$@a( ze%JxuL?AUUU&$Oc*=KArex(jNMEhL0+@3_m5*Tpbvnb-7zWcb1yE`~#TV9a{T?Lyr zJ{7IW>R~xsIw;F+*TD=HV&D$o?dpI}Jykv50mkM4JMN zjJuQgcn2_x*}0zPy862Ez_FESj>YZ-$w40}A11?YezW-4fhgwiyfXBZMVSKN@OK2~ z(okgyU}EXq^(D*eLGiYA8hGEEoIT8;Pw&YoMzZ}oqG%aLtRO3tylC?%Y*Fgfn zJGnhs+-|($UUZnLStdmm>F0Q~E$z2alvT}D7&*OR6@|HOn)G87PPtZ@-LuR7-->*Q6zX4#P^K#o)-sZ2yc#bN)v7;=IpakM65fj{IcFWhmiwY=N95!BY&$}j9 zz{2ecsfQI7Fu=DZRE1Ty$ZfhPE@08W__!7O=$hVMhsII*R8f!L9%Ku_Fk z$K$jjP1+U`DUGW}m&Wk0lxL**evI^+`j*CMSd79^laoyd`z;vH9m`(jez1+;;InW& zgcXK$u0!2opTxWRdCy6R4AFOU(_KZgimNB_S@6LZzU)~|m-2Wn-@Ziq-tc_OQ!*fA zxO#vnR_n5sou6pC3*x3RZ`3G4jr1_e`|UuclXyIr%W1z42D<6{Y%oiaQl*-(0k+e)qjTOG(tYv_2zt!&>}(|qvs)gUt3qRk68TCaH5-Or1| zh2M{T;G{D^vx?h)&rU6Xc{0i+V$&q;qV!09)m{|P-Fy)xsM6Mpr4n^^nD)BW!jF~s_QPCETmPK09sDHB)IjO zW&4Y=z!MXKMw~H0vIMel(HmZxa=`4}+mhys-;sM>TnC~$G}3oNr>eQOMXqB|s^~2{ zml(iAAlY87i8Cds@z*2crH;(M(bnxH9uFqxF<1_vd%s3G245k&jp-BpZ6h1);gh3 zq*9o=SEatf)i!gd2$5`WB(&G~MC9RuRuMckDhLIaMW{r)sLg>RRNAl##VWD@~Y7LJQqIewy;Z zJx%M`yjxllea9=xPNxrnsGhk7^urP)NLuLqsuH-)qGN`eWUXZvgbU}X&)#s0 zvXBrB$nr_!ucm%4D6NX!Fz^G}W)^lArjGnHw!AV`E z2V5#8Y$j!kd)(tD{)bbwo>`sjv{t4w&<`^y%<~f#Drwo0`RFg)9OZ%O9lO36l0^RI zaS143&Mq|%o|PKM7ZTupj}>^aP&V{6YzVYyl)x&gPxrKm_~EAsMRgq z`W#~3FcDH1_9)ww65g>K6VRygV#=Rw`_(=Vs%x~z=17jvUBl=O%mp;6uzSa}$K&s; z1eR`=`os^Z7lFE&OG0&O0^SzaqH`LdZnaS%RvzJV%$r zplyR@72g0y)K3Dgh+P+=*vw+G^=d`j1yc0h0xv3297HtVg?;1iPvV&2V6b_kNlBhz z!E^LG_lKRU{HFuj-t^!LdykVVQWO24_X8;Q<|VD2PEn+)URcXZ$UM*w%QrLFWnw`- z@*8J!oouPJR@_u%TA`jJC#IMrY}z|M_Xk_mfQmtJH#^s5Ac3JIw9xo6pOF+iW?6=? zHBQ}N+kPc5Gip+LDUNh;%=r?nR`xJlsePuU?%ar-Lk z>3}vY*wv&~EQ|De;&~s@iiLKkRk~)h13SZQ{*(qnrS@hLb~VbDdjv@*f3UbxcME$y!fRo(agN9JAi`i}8d_TZundA#}Fc zDOcS{fry}CQ}LHvgQQ4oRd^H=Rml`4REPX5r2;|hU~0p*ZR4$#YVWJ{!k2$EN8IeKvBS+L8oanaEWa|Mx-)#4KMV4)|D0hZ7-^ZvWmQ;=W;TfGf zHwWRD>?T!{+%z_ZuZDtzx$MDa;nLUNMgS;&*=DNliscRA&7(+TmK#@NZc46+9oI}< zXfwRM7uRyhf&z+k)DgfI(BP7L*+P1|>)Z>+Sk_4QcE)!0n?=_yYc^miaUXi;5A0h? z7zo8u@Evb~pycglB<6*B|2n=R%>yx|&E$JUkK_(>pgh{J|7O<)jcV$-LLEmP&Knd^ zq%gZVUlH={(5iq-Q#-ovG9&FQHXRYn@nZ0cl!%FLL`vRqsu7tzX95sm z>&cYJBK6x;T-f=wT$$)#@go1a2hTdpd8BkYQ4D_w-s<7Y~Gk{A$QZv24g(%b%^COK|h>ZUcrGmDNRDsdXPg$ zYkM`$sTJsl37P3H_A$LKcYiL${Q|9@V}0|emT%EF7{yyJ(p7uSjaAW~*XRH}XDA8P zDX{!sTYwA~wfli5?Dk<(4grZt7d|H~6BkE_opnboSPF!UDHIXfT}&KhBsN9&0}P-50*kgTg=! z8+ZLkV9&S>QX>2_Nmem1M6e+8R2@>was&CKkZOWTudE5$D;-Ldx= zzH*n8!$<%nD!Y&ui0MTkm$=;lAu996Yy&>26O87yPNw|>F4zVC8_p#h^mBhN6mEhp zq{ztQGE-#t%1qN&ukHq>DnB~;kDjRCcU{;wpNolOBLyuFog(6I zF`p|Py(8nPM>QnU%^&wHNY5cNee{*4QIM4(%r>dD%}x<5k$&0 z`@tQ#cNfEysI!FZ!HIWA)otz*7-bwmW~lO>Ni`2IsVGtjmpC6dls)8!o4ry#_t7lt z1}8lQ6sZp8`=$+S`NMAKc)DOC39Gqa!7=MZJozjm0{x~3AJSQE(R1)~Bt!H63`5Zg z_k5JPw>}^|dipsjEB<3XD>*r$+jt8b8L05HwQGsn8^~rU2^H}V2c6Z=JivCI%(x(( z9oV^EIJNOCiqsF>1U*c-$k_usyXz3B&i?b{kvJJ+ekG|jXoVr>22`#WzpdjG14xmI zbq;KkUhq4+y@OivSEx~32U7sqOeLWrF84vq#`aSavhlN_Y*hyyOB}(Q5g$ol6d=NO z8bdF&CdQFINKYscoF)`dq_K#=asl|;sIu%@R~*mQImIs~<>#hJb5xv?0XkMhp|< zu1g@Qm!@deqL111<_7Sa=f|U!E>5@jH@-2s;;S)4Qt%kiw%Oh(#jT0D(^?Tvv2!&7 zWXMz!s#ESZSyT`-Ufro6llDu=w(l;PUD$g zbA$1)<>fv)epX|V;WDXL{6w|x*XzDo(s`GaKE!T!^0`*y<1lsVECG9PqHVjnwF^9> z9jSsFi4)oz=C`w43W#GTgKbRhEB8D*yF1xDbE;qFADgWBZU4aWl)2Ij33ii4asQ(~ zE4`Pj%j1BJTuHqos0-D83Go5?VRL=DO?}Krw_da0PH<9p;Qg<+`<73V2^N)79cGLu zRm|ZDPv?SUegyhq*<#UXZt&x+$6GEdj6}4q@?y;gXUN8JQ`eTRRVHaRVOZ=GCP%bK zxy*oYYV$@uQ^^TaD-0&zzacCXF{eMQQavQbrAST6_`B z5o#BiqM}!0-X-OzvviIs%MuDC!~y7sg)`|Q`YRi2ZqXqON;D1ybAKomeE@gJKG&(`ad{I^1tt@sjX1jTJJ_? zMsvH6b`wc>?hNhR-pgODcI`DX<{{dN5NV(v_VwlUOnOj&(zY}~Xuo#;^FKJMqP`yp zIAOZ=nw@l<26_}wq+7p+@fFIVb9ga=h^EVqPM7AP<6fh?%8NGxu0Q_yp0WNs;!2hd z=Q#qGxz5)`1)wN|d%j(CpKbaFB-|?O4(pi^JHNiyuJh-PMCdKVQ{QvEqAZvYB)h7> zn@yVWG9;jMbTF-xBSB8dzNu=}NBs+^o312O=bhf$C{Eb=w+YPD)&6zQ3&X5$q^3y} zgR^A6s})h^Fuec`tRC;{$#$Wl6MPdSYfT-=os~)Gb|aNUrd#&ZXIC@pjylg@K=qrH zxF+gnOOjfHk9zeHEKDp;y8T+>DOG{1W-TPr1j*#@`Y}53+e-RITTKi;k|*FX)ytb` z)}kmAdLvzUw(sm+pRyD6$j$d3r10wfBv-r!j%x)7;f|#W?RlIuYg%NqU=*whlC}Oy z!&?ghWIXj+*6)G?R`qkN>GLjUT_^1y60n~CB7?d3-&Epd;m>Kz8xv|FpJ;fyDwa2N zUHdUCs!}UOkajNekh>Q=?CvOo-?5ID`^ff{r>^IYfm#La!De3yo(bikQ$#X4i7L`W za)kd7_&_R3O=rB^_LYfXmG6DU?q;+kL%vcXCa&9ZPEay<-T!(!X$;XI5#aK<44$l3 zK=KFnPa8$>hn(p?zhB!iP6JH}C{o%~LsyD2Jz15vCq)+bS#1Et`j2JUFRkMzID%xd z?S?JC{GS(TJF8`hQnxSBf_vEv`ABt>C2vox4RaipvkndX!hyPTj85=fkgWB&LhhW` zz*YxRoG2ypBr5VB!}9!RAy^7|qn+4}D&_w(3^&)ia)%ITukYy={~E@zc$S0c#p5!r z;Bo0=N7IAj25THKWaTFln+fXwEoKg2(I1KeM0eEW+AtAJ&YTANVSEyCSb%y&azB_D zvK9FXJ_C1c(me~Et^H^N6Vdmy>C%$_=fnWXnFXTnRs41!gd`v>upD&JlvM~Jsp`G2 z*1z`Wh5~#9qTmhxk3}1^wsr8wi@DW$C!9~`lladk8aDZI38IRGKH~qt#Lorj<;X#& z31p_Pr-%LDbgZ4aH%%cAT^>Kb(f2Q&MrMU^!TVPqP}YsMc2*XebEmvXfKW--g^!M`=x0E#g8sBuRcPHEOpCmO09?)*h4Rs8l~vxr9(0Ur*zKnWcEJMk?gzFvku5b_ENtzMza=WJ*79j2zSwvyX*g6 z6Sc4P;>5p5ikph@P8dWLhkUsiq4Zv&fFeJbs4HEe?B}pd+9+q;-cig6P`&p~JB1Wy zb4(bcM2ymLr*{8=)%Wlejd{>@VSBJy_a`cmWOVXzoid_=D^Uw?J)ZfI6a<~nKX>+z zei9@9XH@H6B+;k?EW#?}AETC&0z9VA$wQY@Vi7bWqJ~G^_i802gQ#Hh>=^xfwP_tv z^~IvUrEqtmE!@YwyrK#F)&oM7DtzV@3>F<#lv{wxu5IXlt5N*ds0oWo^>ldIj4d8F zhi>Qg0Qd+L^8T&=m~PmwrdwFp6~-3_`s~NuW9PObZz@`M$B9nICx^7HpP~TnFqVXh zSZOpd8rwI7$^0?uTQL4#qX=!n+No68Et8YXCm%BBGYaMh$y#5d;X&L3em~J~+p&!H z+jFPki0bEBBb5!hJbws`=n0WciCzLlyMbmcdcZ`lZveks!|z0l?zV<1?GcIwV)k+v zvmu68VpvWUR;HZ>xke}&mS=BiFutyGcjzB*o?fuC-i`dnsN5OaaAJ7Bj$QT%JqG_k zZQhvho_ms7n9%bhiu+my4jz7$_}8d(3z!{IKSIlow8+xS%p#Nwv8a-_#Pb%S*Na7c zxh=z5NaMK>LSIjGx=P^IV`a4<$PW-=qScgs6~y$q*2VFUdN%vUN4NeGv@44;8`0?_ zqejR7FVn-V!v6R|zbzyDsQw4!9o7vUE}%MRHwo(0FLuMH#${ys9kdI$^{5^p;BKZBS=u+eJg%1LQMR zUN?SH3Bx@=>dKULhSD4`9w+al02r6ktIPA$^*R_Q!+qy(P=Z{qw_lXO=NPL>ANjZF zDE2AoI-?M~-5S37s6jqA@^-=Ob+^I4p&6q)C$S5=yBH9!43`F*Hzt${JAefx-DjJ0 zS9&ol^++5GMT&YWNqfwn=HgVx%l+qd?!j_V>(rzHU_*6cn)&3OsK;$q=kC98YI#WQG;a9?c&wO^PEDJ>|YarEmsKf^Wa^a_-WL`;1m`h{boy?u3 zr5@xpBuA3P%W>0%sABPDq^MV;b_Rr+5J~ehTpDN0t34n7QSr5>XOs9L`Kv%TmOZ2< zs<`(ip%kyNc}PMs(QE#{WeCo<#+%0l-5`ew0)rDM5YdZY8lnI1#RNRd9im|q7L}U+ z7&aoaH;=gu%UPG>uwbdNbJRbQ69|g4T6CaKLIT zKbYztFCw2TdIrZfBz3F8oL#Y@@hWfzLROUsUX2henQbZ}X4Sale(=9wE3qo7M6lcJ zS`J&0i_~Ni0)aQ?(*6l_fzjjvRi;W3{Fp}=aJq*R1qC-7x7On zBJ=hZF}GnWJ%n~^@ou~_{5e6zkCLAv_`61XMk|*PWA&yXcHUpH?nn2h216Ek@$qka8uwBI9_J3o4Q*h_V$N%zptgkiN)=0rka z7PE7`S1(?UJmgQq2iwLUByap=-QF>>5l|}+b3BAQojSzgz0;nIm%UxjUVAG`pWI$? zgLmz}4V0m*dF<@)hLJ~oX$-e%uGCBqD4PlR{a?UMMU64gbuoLe+58%n_)9c+N}^@Q zE!uA{=C;+QD&Jw*{iLTmg6&J<9jVWJl74Jbfi!`H&DD8AUP*2y$)GfwnyU4KhsSLF21bQy)l=Z+()RAmFTi5cle2zQzI+Xz7eU!%MJRhp=M*MZ4+^#m zVI>_M*&tEm|4!roOp*-HvBFw#8ST(^)LwQ-Y$4YH6HG^b2vKU^z8RO7#_bAZGna&l zczA>Q(DZjh|?4d*i2k@3_!)qS>`mt3q~BR#xwu1MiNn?-NmB?hgVfK_o3h!liv47yTg zoR!X2_35!Yy24gL`xVQvNhdyISjH7rYyLT1IK>Scp4K5A90mGr=v-k{OFoQRp!udF z5lt<}j*(b94o}gPXsAGNYdg7mbTEre~Hq=ce`j$BEgKLTt z+EdIu{ZAogMBbU?BZ?i|X zN*SjiR((qfD6;#Nrae6+zw7yPL>-?l`B(c?b6<)eyD}aWAX)3{eGJf_l&8~&obI*oO1j{GwR%1U9ai5j z4=yC%SAV>kRMgYp`;Y&KM^Bq7GofQNyDp;~JpWiUX1+Z<))`jBCi(v-p0=3Qn|7BJ z)@?DKIsq2jua4SO%(9Ev`u#?vn8Wi5F%hK+yHS;bL!=$7Gr)gT_jXoii^SWB(d9?ikC@bp+8@e7+j2zL2BT9x?pe`nMKrb^JqExfP~zrD(> zu983hZUON6%U>_DRpW}G2Xs}pruE1t5}&A}MsP9Txn7{Zs1-JPg#Sl!;4NZ@cwheU z>a+{b|DT0luE{yeE=~PyP^#$2fic7pzG^ij4Gt485)h!8B^JO1JS%q^eRWk739^u9Nqfi6bcHPQ#JsXQoXW7p61CtX6qC zvYrmH8>y_*ckAheUn9h+UX%Nj0CsdDgGNQ!@%lmf+`xZOdg{Z&>5)s@-Nb8^ zlhG=w#6$PzKtJr-s~cT?%*aQ(PaAT>bmtE2zYP?Q(taS{(J>RaR8nXohJ~;L#Mfvn zgIXo*!Djoc;gYFne~uA4KcAMD0pk^AdY)=T&twd-?i`}VaUR2(<_ zKT5;|gLryZp|AnIMCQ0UKfGP5|L6_LGtm;~gGt@nZ-|$&)1mQ-M@^eGkznPNrv5f2 zD`cIh{hH(wh<$fIebSe!EVNb!n*WC*8K9Fw!Tkd5yRdJ3ApS98( zGZTCK_Zugk=>jOaf&x{VHEwbNyg2ceU=D5S5KFC7mOeT4xWTD&3Zs>EvFF}y0mn5{ zhkxJHZ?Yx#51G|K+9*3qdB!L{sViZeegCr2Bac8%M^kzVC^F)VAuAIj(r2+UivCY& zD!p(x`0%GRf&UXnc}#kSY!L_>$uxDiuamV?R10qjrtuu{lK1Z#nFs5Rt6b`V{F=1; zhN`Px;*w7L1#Vf->AjAZN;B&g$;8U!7vW@EeaPOMj<_ApVgU4EIO(vvHgjBhDK*=-%<3{ zViq#6a=BE-Z|WFlTu_j#HK4)Zp!;`Z$0famw+po&{d$xedN?6DX1iyY!`1b9Ps{Jk z?7MW~jUa0(V-qxMQ9(k2858Is+xUQX{58znwpxLK*JZlHwq6=vp{te|c~bw}*_u0! z`sDkZARxA*YLp-o#wc-mP=MSa8tY=_OUGL;f~s*zlv`$qlUZt+1wcQ{A$h}5P>gAXBfya+-VCp;qBZef__~Tv&$yz&5GCmZ9=MQTp z34Z`1E+a*aUy$jmffS*n+(|oTqw2b~9#IZ|eAKK&5>u}B`t{bF)eFi;YA5Zq!bl;PqSuQj`uN?+?N{N^dwzkeUxq^vK zsFyN#WO`i&y?%5)Q3)7I$^6erY|IhAM zh7NgM1oiI2uM+N2feo&!viVGSp*X#AO2kBgjolAEiIVS$*%f#8b@I15km5&k&@gjT z%BjKA`EvIGwkamAo%=p;4Q$@XXL0FDGySh$Dm|`)x$d=5Jmb>#O;yUuqmPo+b4ZBJ zRH<_cF6-?IU+gT;`>W39YaVY2hJYxbNGg+8w}$}L#IMPR&qvJHd2bGCvraQ&73zuwThrq^mV9+F$dE@8&a$O@P z`5)f3uD%(FmD>X=%B3QG&m+mF+xqrx@f-Yu2q5v4YHne!h;3QRYse>{A4bih|LYMU zp|13seOM51^(RjC9nP)iMXw~=mw`{EOG|E4M`l1SQb3XSm=ax|1F@ZTJPRT}HtH?b z4W55yzDQ2Opm4e7V+X?;w13PpN3)7gOj0Yypu5V8XS_sC*8lvn>VGud^J)A7*S8y* z2iWFfht?B&7sLaA?;ym)TN7*4H87!M#Z-Q5t0jC7?1Ezvm%Hn4&u_gbs=-kI z$5awZW91W`D}Y`6bkeQ%&FF`XmeBPGF^9v^=Dw4!UYog7)qYqEKMUs80Za%xtfj_J zqg!yPl+YP3wVFGFJ8~i;Ook--$}5J6Y*~w5=&6XkR=pf7Kxc|(6@M_tm!6K!X@suT zWrd7ybRn#|MJk>hTDF|L8G>naMy+q94*nT4CQoaN8sITe`#h+)6=nAAqWwnImETa2 zU3Zc{Ic?yKY0Y>r{_*rRS-a(N4*!5^4VKGr4A2j2I1kwgr#_Vwa06xLfvtJ9l#*ed z{gixm!zt-B@Dg*|8MV%lv^RBZluHBXJ5v%`c-Q8Ri3y>%Nm(&r-z^$2Q!+a;P0eWo z9~axcgO!rC+ff@pB|rSGp~r~~lC{R3hzoE4+@IX&*eW<3FtGGOLLbrniI2?9k+*g! z8=8Cl=J16VC<5fO%q=LO$ktb;4hd%nw4JEpPDL7VCcWZ6@=SU-cu~HB4;Pgzu@^bi zsnX}o{rxRX%HJ<;q=A6!W z)#GO8`fa8`RJ|a?#77GFI!M!HM<>R!!pa#)IbD3Mc#NA&U3Bb!?rUiF_yIjAtLps+EJwH1i;v^mVC7$=jDqiZNr)4K=3Z0ANHnAV*4@Wr3*b9!!L@=bPE>f~d?J=O}<{;Pv&#cKiGFGXYPvP^+Id zRl@XE^gql8lRU{QUV_JMwuIbMuCkMzNeO4M!-1%FRVkqI{t!+RxYpfq)6PhxwYqn5 zd$N56s6%WSRl}usR1fdU!XX zyD3gj^uhWL57gfrY6VA;;LZ^rHSt?S2<(BwOigkad9VI06%`Pzt)%@%Rl81K<+Zv> zeU#GDT4XvYe}d7`Q+Unv%L`xkT5sAd&&}!mAEq>olKk(mjoP7*@tUc@8EF=?2P9>C ziPtfH7=*x{z|3fZ&+%s&$KVIz_Ta5?+1)_k8u*mefu?ftCT0s&KL3=rQ2ZWg_v8kO zMSZ1lXbb(FsmhN6hEBH_IJ-nBph#P(s%MZS$_kEA0DS`*8YGcujrTN7~|RSeIArSXDajV*ifa_OJwa; z9tdY_kgW9u*)2N36o`}O?46ZBDcoyA{T+_Qvvw895n*J~3Rzm9oKNZs9#_1#zOBr$ zku`RFQUHPpq%v>Zqoq60<}`sf&yLai8RiS@h20%}?mR*MHc+q-ZPOEA(D@(p?%24f zPafha6U&k3H1a|GF6@5EOs#UqhluV}%eazlm(Tn<3mQF2(t8;&HL$8_wq#uNC z2Aenfi$(@s<5Y(8IGyf$a;+gO!KeFRVMsO0%!8hh{2UE-Ct`L!sXchy_bb+2&m&C~ z>hf752ogX6MeaUX<~6tkSIj*PRw?d%u^&B!fAv0-`~VNHaMx(hUWk-kvC}1*fRzxL zz}NTYp56#T3(%N1`hSQ$xX#H3A6jvz%rKkR4g9&UA=GDuAcg7!SQH1-ObfBV4r{si zRU*m>HhWN;H}-v=y$fVB4Ej0RV7;?D)-$YdkbJN(`Kh9}07@B=UiEP^$;VfJ@%qR0 zPy7(f3rfU<%8%wizPQ(D+1vFtog%8Zy5pLu3o`Ny3tpt%{U@Wm&rH|nMwRn^B?y5% zD}fCOI};7{Acz#u5Bn^y@Dy?l6i_*xxKX<{su-YSb?v&)sYBSt{`y-52rWW;dgBl3 z;X@18?0=xPiDF)@=$G?irX;biARm?aszu<TMqVhI{k&pp*Bhr>O!K#a63jqL%;n~zC)_EW*N2Zd{HsKi`;10{L z#bq}6HJy!G{HUT|qtzXWG8~C;{rvM%-&Y^v*F{5N3kk&~+}w~%NeU?PlOVf#rV`L8 ziY!hasP}bEhTZfo5F$Ta#Q>Dk3ZZ-!D|Mf5P}SD1ukt#JX#*fP8uP}VIqp30HSo7l z<#K`~6wuk~5OIZTkRNr)K&RRmMa6r7MaL^M{hl(>Qve!Z^G2rpIZ=R*(5}1BJ#$}R z1A@o*aU+V?4R4U&>3UA*1)FJaIN72=e3sDHr}{-+IVUw;ibmD>SRPT-tf+mzJ2v z1Nnq4U{;WBcXK6r$9buE>s9r)Lu3fXadx$B?7#v0y|iQfWQUl!Hz}U3}Y8AmY z#H@Pg9e-HwVR*2{Z0<DF{Jv!9NhZC361`5DF;v_z}OK2$a11G@&SCql(y zOr9@pqyZ8V{B*M z*`R+`a&lyfz1h+j5=-JuFO4x>b9*eb_y^c4rTgpSmK#^E(TIuyAXZL$@W3%+Ee63C zkR`K`1&-6HT@}ma(k3RNB!&BFdN;Llnsz9kunmvwSpJKum$@0aywOQOy|@ES8)biA z_=fy$WGf%6U||{^ZwFT4?$6j?dLbcUW}~4N1PP%;Ot79>^aA+kuqP8X^tHte?|imkE+-Y;y;ni9)@51BVUPuobN#OiekdW{z4Og> zgFQW?)zUtsk*Z8lAZ;|wEP7j$i^p_YP5i-%JEnK+!xHjk8^<&y*%kVaQmCk$;&JQ+kl%*ejNA*z; zgUR=2DbHZ{ZWR*V%J!YDD2hrawO;q?(2F)NB9al@8NWv-G8D%iAvS)Vp`ZZT2`i|m zGMD~d8oJYIPjD^M$as0nA9j1e`PbLODD6I;-})oHzRUGj>FOX^>z=R5aga#R-KF)} zR~f>Ny~D73CXvpE3CT<&Ixbfq2XE!tkI{&<`Y}cQQ5(%#q=CJllQ{>JOMI+$>rK3& zv_Ye!vK5nK)=7SPHk(+kHuR13karg=p&X@V5fR|vWAGV*y#vENR3D8o33v2aedbwy z4Uahue~%V>pGAJq)RMDg856OiB_z;GJS?Y~pN%I}5;SWONP`ae`$p`D(K9sT@8yT4 z-<3$r#(8&yP$YG_bi34(}#5EGVfmXko10x-l>3twX=waU(!=lf5W{3|#{ zd#kS>rlmKqK>L2Z5cc$2Tw>jUgj2PiT(MiaI$=vjOk6jmo1nW_3t4h+2Pbi{t@ZA5 zMN1?K(2+|Hwq^lC)a@Ur{Av?!Ze~$P+Duc&M5cCz1whGS-T znOYKspirBWP`>_vw1M9SnJ(F}`E`p(?m4ljbiEe7oNx^O5`>sAEO=#3eMS%y z$qHsGxRC6j1J8a$ej}O}@YJsV17KU6acqFG{I8zxg#$E>k^*7s9Db0Y$Dm^E&_0GmEdQujglv4mg#;&UUBGG@;v_nock!NY?s?F!u%E29vqJ{WUma=(`*j zj?vy7@3SPuDS+FTXk`bO__`{W5H4DBmol#tY`#VTMe?@s-vcPYxZc>ecM(IE2V!e7 z%WBHd^YRfScR9jkY;pr7XBH?=Yd6GJJMGBcD9UW6=QOxW0YyriX*~cXb4lKPp}Mqd z4DXp}iC($*?m;@~=LhaZp}We9ndMn87iRU!5}wUbi1ueeXYvKO+wVsm?#2m|eVF zT9!92PpVyAZ15pDYU|#BC)g`R=yg08{|#=0Pc~B2=YnuDQ9zN#!hCu_G?SO(rVC{U zTg*;ht>SqrN%9-A5zJoq`o(gP0A;!@%=J5;+XV{XD*@f^Dm9&;y8YakH$kkxUuG}) zxDJg_v>J&F-=H(Eb$Uf#WDW<1naaL_UAPhiu>|^I_xp4{f>;G%3t9W0^)58%*SODT zo-l3uPO^6rAzA=JbCH2znW~4&o z9W(%Sb z!=&{9X7alI)Aief&&1;cHJuq40P1Ec3Dv25!YyD>i+x`YS0O`0jf^N{muW+?^(Axw3%stkVP2{b72PY&m80d#Fi59%1>g6Hu!U%Tt)J*~x z&wu87z@P;EMXfNBT|KqGatZMhKf_`z z&`ctf^USX+eUop#H;1E^{GYIon|j`1g9JhDP$DLTtt`XoTf_*2^K%T3UX913r@yZ2 za_D28zZpdZ9~yACQC$YyElYveZ~KpUB7W)uAYmSRuvwDf_5UEZfZv|_5>MD3S>CX3 z3az9mj0+(pg$K>*Ns|pJHykK8(?&)EakC+@PET_Kw>}m|h`s2cq9fhm^8l1ox<4*`z*aTE zJH`A;f`-WN&Kp#sr`%U0Q<%ghUANY&MW&7cAYpNPu-Pi06AMv+7o`_Ln*(yO-+6KH z^4LWiUzj&40vSn?eu?g``yH%*CtACH(*j*yZ)9j3ovIcDF`-0E6j)k#)90DlPk-@b zmC6LE{@(nWh%XBDvFh3To1E-G+9*5mG?*8vzVo6o8u3o_As>V@B1qQy<@L4~5K}^R zDrVdGsQ|7(QNQ_3u%VL;HSr!%4pSx-K0&zWKrNf!S*ZHXK-AuoCD#{cOn7GLI1O%5 zK#^b;GiT5|lVrB6!}ar$lOz5Ds)))<%Oq~;$TH~Rx4_rfdB5pD#@%o9=f^s1!Jc%S zbT`qg;tqX3bu$xzW`&sECz=gm1)5n0kv}T8K7hnYjn)}KY}vU1Ifn}BfV)esajDA+ zCiY2e8bRdCYI;EkrthadWkwU!$xkZ@GMjfUvc{)hlam%I&F7(UL^Xpb8yCw zz$O;wz>usw>C0iq;H`wTK{YY(8Wf}5X*j4UpQodDFzFM&& z>^7R;WEwhay#}59H%v#D=8gfSAjE`2pH&5Djao@IP#b%$@XFk{%J$lF`m&$KBl2@S za(@Fqka>$AS1KXy{ZWn&2BrW&`+*ctW;LKpa;}>?%pj|JwD?I{tRY&*8 zH~yo5Ymp!7%57cj?Sm<^i6;X#94F~G>2%Pn;-+0Y&eQOYa^9M4ju!%@MeS2iA#?khx_4vNA3!bG(S!Y z)ChvOf)Eov@1|J+(7uuVLOfW7tLTy1Y+m$=Gx=_J4^SIG4I#t%a9_)dYX_%{CgxXe z3eY_hwgFl{-_M^ksCxGm=Gl$v$B`C%xUUDRg)qfP!Iv^r zbW{ZBkJxU0gV-RuXV72A6dW2e7V=~M?g#J|AkgABKJ>J31MNZk+c0j=#1U$`JUcXN zQGl8N9hHCqzO|QT7!Tt3#F`ke|ncPO5^Mg6x z+cAq$T2Y@}RcMVk|iWI;$<(TD$pPImhu=)~Q{O-?30;H({%-8L$*U7BHT@}k4 zXW#Sc03cRzd+-3vftJ(Y7JMiJe45SMRxK!_?ftc0 z%=$ZeXuz)5g1?fHll1K8F?coTf9(BdR8wEmKMun&NC+$mAfVDh6Qvgo(xZq7NKv{3 zq9TGK5PFA1F^C9QL8Qe3C`geSI)aFF6zMhe8hUTfItkzVzV7S$d-uHhujSjEl{0hp zw9o84GrOmwtYh+**v94{&uaU_)U|d~5yb;=#>x39(6PgAeqV3l=I38iQN24hTD{uW zA<#T9r)8Mr*CFZx`5HW5cA0K|NKG1=7+n7rp(e0u^4aO1dc8j~t?g}|6MxQstNnN> zHF#u$*|B+*yMYM;g>RJL&c+)cP(&O2*SP(TN&26gnw{m>T@wEBt|odz5w9!G3ZK0` zv~N3KzCZIRv*zZ$_P0EdkI&FA(7z#vS$-TnbokcwQ*!Ns;{X#}7w3OE299_qdPXPO z&I(B>yM@NimvLL>6z}vGmCCqQcD)E_j#u+fY^l}g`mL1P>DQ5{;2%BFcx6yoI>S77V2r*KT1Ag1rJ2UsGhp z77wPsBRKIrXI(7WURw=Sy=_xe%+#~1|M`#({}_@-77`~IK}W5J>U`H<`|I4^K6EL_ zQEz0c)R1%WKq~?{EWB^jXyw~eUy!U-F>i%01#yfRS1Uo~Yt$e+qLmqM-P9|?@9R}$ zu2m4+8=}{vY~_FTn2hK@+rkbMhpqMv%ys71Rzo?(?neqJdbjE?KcK@;Lh{J(CBksf z(d$E54T%!#RX^7rR^~GEH?FF(sU9FiMttpfpPk?QZ*Q@G8zJl2@W$r#k8mb9 zqE&+4iDcvID@PBAaf5+ub7b$h$pYEqJ7zG7mjh|NKsH)@IKOPziDRij|34mG6s zGHX)3Ct;#a$P0kn;%+5`mt7bZex{AzR7tVRHjuvv_wiWc;|llf)BaA|Qu902+TXw0 zJEeGi?KZ;5H1IlUIy=;JQ67LmSM*UlnJ&%)TDVFb2!H%yI*XYe0SX9Y2JMQ}EF6?^ zA_@VQz_kYqhDac)g)h4It`HW0xCs+sF>%+JUZKh%NZ#v#H=Cxqzr@1Sb+IvAC6LYj5u}PE$HpO9^!JK&lWC<}L0wpogmrgY2!h)#h3v zkJ~N0SzgPZRlh2?b8y+(&$!Cw@r;Ml6)p)cBT%GiSr?9rr4Z=oH589@j2*`rJQ^C3 z%7|9lV(k7B|5X0|((5^Er=mB<{uwB2Al~}hceEhv&=+hD8!3~#)6pFLlB{3=Y&(+L^Ku0Z5 zJkqr_9Lo3&hN|2$%3IY_xuUP|mooen_bdf395gh42j;W3!cFz>0M)63*kQK~DbNX= zBErlsT!|Ax4V?od)@58B$&DS)cO6?SitYDY>xZ-tl+FO68ZDUn$oSZ)F9}G+%!ax@ z@RRhwX{bYWvXPb&{4p94U@6})X7a5Twm#C^U#hlrT2S?XFbS|?b>TfXUBZBAydArj zu9v9nEV%QGjvlaMZzV`@d}(4wEXd#=W^7BI%0(Lu$lbkRWj|8^8*(`y&JTI3^458e z6ddhHco5~e`eyloFMkT*7!&-mHi}0&;d*@tsuA#X96Y_DEHko_^foxSarykgp>|~q zq&Uh;LwS4cDK`s)fOA#Kb4=QUV0P+75Ixv2u7W@SvUj?*yWh7rL=RT}r{UZ#t9ga< z(m@FFW%HTI<(9V*KN>*tPhmNd(NcPa)s-Fb>?sb3mQQ{K#dk4OeK?esW+<`oK&D}( z`lZ|*m!xCcd2oRPU$-*(v1!#(n*Awfw2mXIq~a!{@HI7z-UdH<+L3nN@zN0KA zYAf+ICK~8`y1O_aTyiUs^A;^L(c>2*26L!3 zg%7quo}6mUCToUQJY}eQXl$io_2gXdK`Y`g7qkfxb*ah6`Y0i;+!Nime8B?({U}L< z#khHnT|!*IVV9jZ z6-;GJ!~ln40eY}EQ3I#zs=)FI{bHrJTkjX_6qd->4kCo{e<1BhQ|UfU&7qgAJew6j_ThS?J3N- zlEb}$U7gX2ySpTcLLlj#NL}JW{Jd?5mVS1DF<$F5>We%Q`);)@DN zzG@R8Lc@n}JmCzRo!iH4An&Vdid39FMh!P%{G! z+JQ3Lo^RM(_DI3Dz2AK9Jh)6V6E;Xy{lpd_$ujh|jI2+iul`(UxNPm{WgKb;=)o>_ zUJij=<2qJCemEO*>k3D?5%``t6xKO5&HN!{kXnQB%$=*vXc_wNtfNt>S$v7F0wHDV9<2h0<+-C z7`a6$kM5UiV)zP270n^ZE`$5PxNYvW55WT$?is(Rj^g_!Vl3Zv`mNQ#$-$u zP?&{xwJu+DJZG1I|hw8CBY}LtUuTUHJM*EF3r8nfiUYjyEO z+6N2b!{VmX?roWl4mr0rOgDG;m#V$%7U2XS>};(By^qg+Bc9>F0H1sN%d1MQe0!;$ zvnqH?5eC|FhgHVUy_ET)RCZ0eNMtVSp$)Q@*)SwRj zv!wEersGy;qUAR&t8bzFCi}Za4@z5vXix}W5BoAuG5fpN9ajG7(~T_FczE`yFaCx}_p=0!kTA23-7g1Ei@4D&<}?ViGWoVS z9K&F+K9$wC6iTM9KHUgA0yXpz=)sDKE&%`}hs(nIhSq+Mf;b7Mu#&+ct^UUgF;m48 zb%053U>YbqwY$H?-#-9ip6-lyRP!vWhJ81{p|*e?>{O=(0kU*zA?kJc+pP##=B?^h z^4sq}3Lg5#tKOm^qi$wihkpOIT5hwoE~k~^{P{Z=KVdLJm;*i7vf-s$07RZ0YN*eL z91~BktA~X!b|Uiynm>&aXk{)%oY0tOq0Ds>{(q2L4;2W0%J-bt1@RoGp5c&a{1Yit zV3WOTAn&y5Wc}Nm9N^t?zmFeIV-&RWXo{qV$1ZMU^>-8$SD7zj)TjOZqh{-KC_jWy zIMg5{kGwTLZViFn7L@hcWqj>);kX(!#EP%bgTLk9<#o=(zrPTfR7#9mC_nTt7 z`vc>VK1}dapKwU@d1e_Wz?W?!%d*fc;HDUkF$H#a?tWcEJR2=V`+132^x2}U%($)WqM_ygM5!{d{G2N1}v1C9;4w7(6$gum8r%%%&G*gIP&3vqK7wp|I z&>6W~M_$t`daLq4^gn#Z=!F~O1yK^^RU9a|kHfeW6%{EQpdvd?s2XWI74}v26A5Ly zdN@f1AU2je7lTelUIw!XLwcuk%Q!kbFZ4{l0RL}n5KFq697|Hr!|m^5H z_kX<7MtsqsB)a9VqF4aM;J(5ABhmJ6d&TJiyQ8fH3E@nA4usJKyr}=UdHYKE%_cFz zcB(bEH00DxS0|eL8ohw%dpMg}_wWnk7JL%p|KshUq_JB)&=+*{KrPInnlGI^4}o5k zTKMtX-qvC*Oc2_qV2AZlMgM8j!qT>JJ^~R=jLu0Ov34jCU_K)t|KnJ`8~}md79ql7 z*z#^d;paT@k(rT$SIUK6)FjDXkb2w0V_5d3fCejvxzBYK?-zs};@uTy+n8J7DJdx# zPC^Qapm3Gu40+`8d&6Q7=y!?i4|f~vJSQ&ZK#u<4dwH0kcW5|4T1fcd?6_+%N34&~ z=&Hevm(bq7foVv*cC-UYD}8h#!H7IB=< zFVpsd@de`_28jTs?Ws+Ja#G_=!bkuDjkiGYP`;}N>ETdMffgxVwz}&^$Ic_-<7bs} zgnxtyouomfdq8g-5_Wgvb9JC9kR|Oq{YQ7Y9|DDc%ElqlkC<=x0FW&Nh@exVWS-h< zoq92IqIuBI$5udhN{YtAbv%sG+*)m1ReRG1LW%eA)i(FfQeUoUkh1`dgKsVPkavsM1s)tOIRj~^8IjCL>gol|;meeo2P0Z06lRqbk)TAQ4j zINp9-qjlzj-y!Oax2=Tm9LWblD55>6F`37=M?OV|J($AyU-EhD)B>9{r7eRro&XcD zF=}i1r7DicMC^|}k4zz*eBuDU+??KtR9^2ZKo7V=CHoZy-IUVu-JmIHDT9-%^EGnk zFVd1dKk)_fbZ2^+Vffsq>kB?rWw=h>jW4O9E6M-_dQpZ5;|>giT*g(_LDVf)uYWWD zFj>;p!X5)}!>vrlOl)Ihp*pndIoU&)B-3og~P)P8o#=yIn76#g?7heS8S zPND%wqy(0<+qw$Vkl46(ws}RnvGjBDhfR{{vL-FSxZ<-zNWndxuKb$J{OwX4()XrR zuPq)Iq5}=z48@a~msoHKhpK^81!`8=Dl?bgh)~#7ISK0<%t^haP+dvOU>qT9yxnYm zYOefh%>3=io)h=)qW8~wF53eCk$lku7(dzZUd@9`HT$mB3Gs7^Ec!S){1UhrEgjKJ@K3l(1!e+wK=%o!E%QG~CAS7sIp1&) zXigHtW>M--0gczcRnq51mSoV51n2T0>a}A;Sj=U?bS)D`?~m#f8s&!Sw#uA7zh%k~&RFkL2AfA0Ax#)jHKW9^GG-Rf(2nyC57|0f$mE>df+^Y zr}+#5g$TqeMyvB|o-pw_KlJUmrdpohZrN1=81pY8RG*OtK6jog{UNh3P;agf%XU~0 zg+oaKJ=m`%7kDAiSBAur636e2al@FfCkq5ujX|t~=jNRUQXI5g!)zYoHP@ANF71cR z!uP(Ca9P2z%Q!l`EkhnTvVFlDfV|*5*B3PT!?ogRu$p)kz2{)!SI>YPj;pt*hIt1B z&(i$91tWKNfI@xV*5AG#8{58(Gr{|LF` z90$Ly+EHEv_wnh-(4Px^`8N24Anj^J-g_#t0b8)5bCpc;swG~(GP~{Kn2}d-bofsU zdF1!fQA5;w0aY3>IXg|^m92~1_npz^OG-B$QmeY(R2Dy!2tBiNMn+rFwIkD4;_LBK zd;kQxf=2OVPMF!~;7~B2U%O=g+&sU;P$@LTsz$$G9{DI%jCzK3DyniLqTTs$OiZ=k z5(6UJ<>(3k`Y0` zk4&~m@sdx)3ga2=cf|XuWbj2|V3x6BiQ>s@@ff&_Lq&pS!}l8-6d9dyVYg{i!b{Pm zWig&ZnO2K~E`MkB?wOpb)`84|X#>_AwLuR9GcJGhHTK zMNB)~{2d`RO{z=jgGhTJ8x=<8qkP6+JoG8&It==*vb*k?_6b8waD)*%y%Xt$Y!8$k zC_4J4!uGn4nR&U{SB9v9w3NZ#2FxUdQa={LL2c8F&p~bIjyUQiNpJj;^`63*_;=)# zF&h?bAZe`>dE{%K-t$7?lewt=9&fk8Xih9CxA9xYZlH9rBGs@A7}of^J?H;8@-n)M zfpOO$H9i~U!VTo&We=En;7i z%_`3iQBIrBFG1S-X72%_C>$z_x*1UW5r4$j_bAD6iCECwVH4BG1FBpe4vGFf_L`R- zP~+-qFP)o~n;3JAkQm2*C|9wa+2D`qVWwthiU0>Pg4bx>NxN7T#&UOKYA;%?D3{wQHhh}Guqv-F7+hvMHraCak94((&42ync$C25dr%(`b76)3hT|#rDj(PIbNX@fvGQGb$xdK(W{-brg`Eq8&+t}4_=h9! z5h#Q_o|{|k?Tl9TP_;YHNtev1``4MMr9$OqH)aW}su6%S#Hq&7eMBjE^Un8GeByy^YPIl1VJy*ezBN7Sfv2=i}JT`Np+55gO>c-`2!}a{xy?bH1)aJuT2_noJ&7}dR9u*KIFWPhS z)4XW5QS=4V)w?o*TcOdB=bPL>H-H^_4m!0g>Ti}Am6V&;w|1i!yIN={j;KB-780TFKP@*4WQ zxvoMdDvYiB=^{N?aw@LQ_9$riUSn_!C<|Zkx8G{Z97*4P3!`wT z*%$ps%DROT`V zP5go-_gLN!rNfUhRDC$MGjCF*-Li1*!-BxGIzw9~5LzChcOtPogPq5rasYB~IBQGs zS+bq?H)9@?U`p4jz`4cCUX0Plz$AEbmh#1VdA#!K;OPxPVe(2+ythjXKl-#6S1%Y} z;H?A&7$|OC5Xn}=$(B>eL4%ug}zY{{OA##{fbsPNS*k%*nK*=d~zt>SZ z74osOBvcWOcovN!307;EmCN54E#&3?&2_N(a#!D`8*~OsKo9nH79I+PU)Cfhf7qm) zHcu@Rim`^1Hb?f7D2XqBe0>=hgyLZZ-U~X ze7tBwJ!6BN$rmVhTq2IfjI*-LUF2#_Qmq#xLIKt*JimLo zU+gPMfJw~vQ$!fIt?BoRI8+eBkwO8O_liu_3G2vR$Cd!kI^%c4n+cghV0<-%94Vj# zyZ-vX-4RcDSpfys4a!dT-TNTMQSC^@#jHRNHW0PU1u}M-_;s$*iG%Uz&1C6XgzTri z?R>`pw`vl{9D9&94&}^HmGNx=vl@f7zap@~z;+BdmL|-nUzCsyfTWH<^2lyRB7*FQ zXDWD2Cr0NapS$OyXMeK*6({x^EPGFmJHLm4S%nzJ#EVZUBB`~ z#a^1c0Tn|LFBLH(5VsunKG37Vdt-%1^(A?54YCjFZa0WME;&|%;neR;-;J@v&kr-^ z!%wzWtUZn4+6@YB;8&ps#Uzwn;=8@ftnG6|^Vbmz!9g|!mwPk!n;I^1ih+-%iLjV; z*pnnWd>2F2$PY>q@*}Rn?=(h!DK6M*tyKH-kMi&*Q7AG))$SFH_0p(TzWrvOG_kTe z*BQn-d}_ylj=Jf}GPl32TzUD&#dRp&raTp@_q6of{q@TVsfZXHa9-bhJb%SZ4}pPD!53G zi(@*@4^7KWMA+=xXq#(4%{9IPfgUwPpy^C=$D1UkTUObuE%0LF1O46omZe29U@C87 zf#S)mVvtp(2Wr@$6RJ^-Tb?&#w%J($#i!ew8xieqU2D2$>~s+q@L1UsWfXzV$lb80 zF(GEvv-^9QluYPE>N60YmEw@-CDCXEJ;25kve#hiP7z-!#!$`=Z4r_pdKaGGL0|Mw zF@he|M4TDAl;OYr_N&I)RWufF&#l^(!D#-p%qAKFy$Bk_&8s07aj1HLtdUf`R5&C? z_nQ^aJQ38BP1bB8y;}DwVtafEab{?`qg=(OF)Cn(-N$Zmq+h$_Lu?!XrgQ&ubVS_= z+1Xtl)==g^z#)V)@fu#cjFe~Ai)Gj7AlEoIDh~IlJgkkM5RO5?ef&4WKO1=Zg6Llc z=)wAaeszusep!ELUShBFG(EnBA=B|(aO2i`b+_BST(mj_YGQy;J>f9gQ+RfW*Fl~8 zQ<}O|V`zPowlJ71R#MMX#6jD<1&}2!n4aB@7ld!15%E&Nd0P?Vktt7_E+67RJPSeD z_I|6#@)@iDrLi!jJLHaMb~H%JzI&TJ*NPp41Z6lRnxc1#9)P$>$=-DjwBS`SL@Ye2 zth_q7JCieUB#+Xx`khOa9^ho_^1t1gu9tYiXnjsb{o2l>${OL8#InF!S|>lAKfo|O zSj^c)4lw+S%i3>`W?%G5L=9QsWkqeSuWZlh$0;O)9~MR-3IVGVof?JMi~BtaQM)3G z-oQJt5})x+buhKGtI6As3ARo`_IbuNU47ZA3C<= zwA2j%BF|w_6kIoNKX{z7vzp8b-xrbnwAW|49difC3A>2rS;4?V#G ziIi9vdirkJ>x#s-nlE-{ume2gW#{tZtvJmpfKr8r#J! zFby$TkAU{fai_7kkOJyHTp(8~VMZYVOs|M5!1i^oL8L2gnGq0!lLG#%+hDd*)wI1{ z1?_bU(F3l`vkpB=6E(pe91l4HE^L{?L6@rO#5kPT@E(lst_*qPCszKk90+(Siqv>> zV}&RFGW^_Eluspv!+qYS$i+3j&B6o%ePxE|yRed^h)bXH9yUB&A-XU*+iQKsx~HtA z0}4kNU8i><{r2ktafdFV^;i4epPlUlJ@{l;rOQc-oU5_5mAxa=okV>&0v?N+Og(dd zV__{UW^J^s(h*upn*5bX$^3ceE0(&wHweii??qH=P*3Gh>%S<9(dsi#AD~znszw%U zthQDPs^f%WE2|Kwp`#2)zU$ld!?lc&TL!EekkT(h0QqXse8$f5>1JgYF)#$OK=R1) zC?o_7;-`!X*ZP?Q7(Q?DFlZD_n{JU~(-aEzCub?MBk{{f03t39&m<%k+kKfxTAOxn z3E%EaWRnihoNPRM4h*d;CMcfF)N3}{I6C|jXh?K@jc|)sdNoZ~zoJG%_@~D>BwDKr24XrJXh6aG z%k!&)-YMsag#cOZNK|vVZSz{4bmUCU-gq)3hZ7o8(bT29_b#^3XXk>8#&D@Rl!f1Y zp!kqPPD1V_VenIp*;@%JqUtVSW{U*vg!S&mXX7J4AP4E*N^ohxN^DcaOipa(B|#KX z4465R8DO`_LH-dL*qc=rUa2pDIVSynw(j=w3F>r4Z4{4m;`PTMs1aj7*IMk|H7b$d z2|ve)mwogjbDvoBVd|oB(>xS@Di!n;*uj=wF>5dJ?VNS?W9qwv>bcN*B~vHrAdPxZ z|GCU~KwPT?=~1@YKR3@m!4EOGis*A%h}~qB98fFd&HaO9f}hJod3$$0NKi<8T`Z2dj!jLF|li*`FXeH;SF{14jG_peXu-1DdI7$xA4Xs?b-LMR;S zGvuU8rnj2bx0dg^aeGo6(ta*u=@dDWG_^loPzc^BRI#jNcnlMMa$^aqcWW zP|E*aXQ^lB==rfOO{d(SKxgExj?b6c&-#Y*C#lE5%nsG2<%fk3)N@BKq)XZ6$exzE z*mM6_$W~|KVr!$-$@?d!_67rc70c3bz&l^HAlp@!)WKur3Kl7RZFj;Yu@fH~*7Ikj zhZ05Yz~o7c2#c}Nx4Vc#;UQJRGQo+ zkPG30XHHxw`8IY;ty`k(q%Xd|sn@Zy)OYZYV|tol!wtqW7oRg!J@lw*i+wSeDgw%K z7|d)^JLE-C2s`|*nL%c5Y0k}yT9j^RNJ@2?an@(c* z6klfjyyLB)`;9@G-*@d}(`s#8SP-?@TnQA2>tcujbtg1>&f2Gaa{ttZPWVdhQE1^w zmYBOCVcgPns$Sw-D)?6rPvQ|AcYaoBR0A<^Y*NMBNrZhj$ zFx~t$mE)(y(B9onzWe>=v(`py5Geez8Hz```?u~>Fkj5`EKtwA;qya`g&@38gxa{X za;S}9lC{@6{=>7TkKQi98xLbNFRPfAA;)#{`%K$rTm#5KSqc3KzJss7QxADCVno=w zr+g6j!Mw~N{-GEPcfVuWm5yx#0Uhm8EV<8+X*#~sk{1?^iHJuEuI7_yyv~&&rNx3^3C{& zCdcH%O3u{@b>;1~h5q)1kWgVh{q8y0OHZtbpLZ7?Bq&rB>hC*tWW+>m*$AXW7lL9G z&JF7SGjMF(;G{CGlN*ObTUt21qN4{~VIgtDp)&VOi%dRl@o=hc%ddQf_90y>bD4w8 z3)d2`_|!~ve3F9Q6Y-V)D(iuJou#XdJB-eIr2Ws0Li3_V=keI6$E;>$9f5fzSNxwe zQMZmqfgbF0?#n(Pv9ih?zP7{d!4(h01PLdN#PRP&WPAcB*$b2H3@WJt_f(9w%4)bI z#IQuq`BFaP>POF_nu=x!t{O7!@n87>&Z8v1M&EaF=%TXvpVXD{1y`mM1p#5K%?r`*wB4 zWd9WN$i4GQcOE;jeyW0x+zL!up(~i?Sk#6grW&>e^0r5lnZn9QI)(}(J zJEq$R*^lH@)|O(aGvg=kpEzEuD#h1S)@xW=tO~rFD!8}*+m%Ost8~h1t}E%b>~WU! z#A|?QdurL&mF{Lr^U|zg0rd#cm%WwHV4VLQ#1Ai+uMD6yh?L&f$_jGQ_*sT3;fDfm zkfXuszUTT9?~WHlb@HL7_}xYKZzy>^BqutPU7xiTM*0W0V-hjvh6g@(hRl!IVZ4Re zKfMC+dqQsD(pQy76&$oPzC7|1bYKw&b>Gg4)ulA>x7}-H4LNE2F-Yc#U4iv0$9HBQ zFz%NRzsB~XNxp4sDNW=jSCiP(xE*Hh_j~!Y4fner8d7P%`1$P}s!l<3@_X=T2G*d6 z*8uWE(LRRv6Wh5Ts{)1bEv;wsz*sO zTbBuK)Fz|)wvYR&VL41XrYwcTL0U%$~YuLs#p2m|-Y1qxeU`Lrg_s%|_hAjBU*>aaQWS=-R0=HT^n?L)}`CMFXoW|A@piMdA_eoN?`f!B9CMFv6V-L z{7g4PC^w-~1xzs^3w;Rrx+1a9x=bOpRlN69u(Jcx^Rz?u|JcEX?454y?_V9L*Pw-y z8&7HT9F|UDug+Ntca}TJ(P|V75JZ?az*`}NIzT{YK9YA-6B)v2w@=)b0h5{HLlRF) zoS!LC@ie&n_69auV60&}ldq_boKWmesyjxzw{TPs5%8-d`9qP91jBKvDrPa{k^S_? zVW3lZg{mg7_A82G>>pCcpWz!JhaJfcn+I{HAjIp8Q;~iB zP@}&VtUEUu4(WT#{ZIZb2voj zVEhtx@n`N#M|oRdp32n2ic#t|*9y>sO;*g;0#TMY+*v)aAtb!s@0RTdtpLOguOen$ zUgT<>R_o_WJ+uCgh;mt}5PWJU@DQ#IRD= zP?QLZd7bA9hPY>y!~O1AeA`K)8f9P4)5;h#DkDaMirfZ=LynAJqn@b3pbpihbp6jj zLMYI`w=D}iUc0SxgGMC;kdgMwOJ2SVgu0xj)<)PdV&FoujrNvV;y%TA;!)BbC)>f`$j2wT>e0u|`NrqEMWTB`L=&_=RW#rh;cCV_X0S_k>c z5TW{noS)p1=fPjM^~Rpoy?}j+L-xrX+oMYNILyaGbF&%g6iYjJS~x{uVVx&Xkst?? zLv_OC+Igz}eF4b7VD0JqUY7kzwTY6ODzqm0*OkPr`6$c%a&5U+s}9aoOKo+hcOoTP z`HE6`(7F-akZ8}vBGZ06W{&nH2<&#n1adAnNd1w{)V}o5t zBNvtHH-LGRl1o*}^JHb&ZrU)6QyDlU`mUN&1XXmVhyeWLBdw?q84k{6$TjMvt*wgq zy?px}yE@}0KK)cb-lZT~;T4kJiInrJhuS(B{{Xcie|1Cm>R|JCYNHk8$w}FOEm#~+ zXF}D@S}R(G6c^BgwLHc1kotKi;pG-b%WX{ZUg}V9C_$(@8rDB1g<`+?qxM4Az%qTX|fC~b4?{vL0}_N49hmuEDn zhPeW%8u9z#@`W-@Q67-{)>-=E}l2>rK-0e=uWQQ0Rt=%2ecJN zmQ0N>yZcFt-v^zP?odJ4q4D`QW|f++Ur~?59e^IJRyrww363yA;4>+ii#+LIn0urg z_gWGR03z5C62_ogwRqdX8-K)rdSxyiV0NhHByC(1L*Y2t;Hllcwe#a`Go|?!Z}@FmINv)>gxT}MX?!Xd_h@GYx4d?(OX|{lM%}FC#Bw0p z?^SXRPfF-e&-%RSok+p!3o=v%yN)OYL52qAk8=6H}C0@`X zt=iF6!i?an7%E=42k=?**(!$I=`$Qrwc`Xm@o)GsUxi$VrU<9UFs(H99yt{490zM=xpb zrgmGjYEW}{?7y56!XEICoDJ}-Gd?t3p0Hb&!Nvqfz;mg`6}>qVtOb;Y?%HB3&Har* z^2p-$F1M-iE(&Ga`;FDC%&VzOpf*5P5=kvmfG0{@myBl!^XYGH9_2p$Z-?Y2*xKE% zaauV~rDJ=6U7`fxXL~&=C?Nh&X(MBtm2<>nBC?4s8Cy%M6EpCWxx4~ht@c}+( z9sb_qIX<9?9>Is-YuRdhFqo;5EyO6$dVv;N*q9xvwa~opsN(Je$OW!hGP`ZWt@)Ud zkDW;H`yN)l{t&#ew#3bvM~T>8w(y{NH36UpyZPzmDJEK#c1LscubDkLj~xcNc-e3e z%OtatoQ83WJdQmjJ@0onIB8RjekS0MXo~L18&s}MZtO+gjcVLlWjMR5>v`n93N@W3 z2G1RjYT+yJSuee;aqkiBwx1+QD94SS>Ak3rwciFd5s z8x@eiba&>6l^dF|(Hzx9&{3WKc!tWhI6g8na>}X}mK3!6IiB5L1_VCvPig9N?_vuZ zyVZ*tmJL5BKZAnU3UcjeD?#sTnj1ALJ3tD~WbQ8yYuKny`yY?j;{iof#!hluVI8p8 znr$A>_!V#)7IH8vnh1;W!6$1|C&WYZJPQaa34>>Sjk21bmA#>MN|L;%&l(p#UEFwd z>YEBWl`S<%LTvijmt|I?Z`b;3r|&Nt+{k0vSQJ6`@IHv$g{VmDK-n z)PlmHv>?%x*!|fDj37poNw}~LBC#z5*0NtoCSd7jePFo668?_SK_BV=_9KD+?EnM* zh@x4jRq8tVORp8E>g5ya0b8(_$j;E(s@uDpb_X4(L`I+otA<*l%@Tcz*Qs8d?y5fh_H&+dp5im}DTq>g3WBx%>^7bM<98OlB!i}yWF#4%p5G6KH&TJReQk# zHLrU^Vzy50nniDY=HexWYdP$jfJ-Z4mJEWSr>_&$IK*>k;2@`q&l!spZx(iKQ(2=y z7qVC%^?JSDVnd%-@t&YCAc=bjS$xs6##e0M(?=}s%8QoC_4AMR1X2prlcMpw^Ucdo zn)mDc4VN4e&u}fibYl9RI<(D3VbLLnF;kGMJS&wab*&$iAy>to@?rqv+iC^hRf1lruakKwL zVW>X1P5u0!Htix$lC)fX>LL~ZH1rv-bCE$n|537|O7E?@e9J>l6m7n;gXLo)QQ*1S zBJhs=ZNpbR=vfF60AQyRtO%P~5K!mChXnQGW*%Tv>&AEwpA_|=Dqr(ca4*ubH+OU- zs<%`n2X|*oxS(GuNQUX09{)!~C1X)X52*l;tIl}YJdt7G1X zoR)p9;c+!`s?o($}%jr`qOumgH!4%U~I0tw>=Jd!fX z!+?+o%ah8+`=bh^M8XSw{skMJX*=QNC4-`P5I&arTpcHuJzkLqpF{k_@x*>u>H5W@ z<2;eOeU=0AZD^~55p8;?t73n;rq%VB=YX|~u~D6IIOPPLGT&CzSI&CeWL(Qe z6zS#)u z3@C#P-tFmGeKFjKL&p6!8e?C*_7`1nkB$SJXCK`Q#qLk`yuwv_F>;OtW_%8MylmQp4GHR>oPW_YRwNS28CpAuk-#I5 zIlpXuw;yC-Jw^|oyNdk{?6P_4c4t=jy5KyJ0kBkWLyV?$CM!EK4xjLVd_U{{Tv?%8 z12%FF=uA4aH8pajCit>jH9ghPh`jeZ7u~p5bsDgQM+%QEBwvZj%UxVZZ(Q-^fBz0Y zbk}^n05U;x;zf#n`Blzj5|OYFVfb<8atyNJ0%)^!^{`ZcPXIkynUqk$K|fChMEMny z#r3_7C~E@XEBeZiabJj9%yf2=+2pT&o!nEp$6Z91J|I8Y7eF*g;>(ue4H&J%rKa`d zNLn4sJurGT^5ieDGn%)Z_LG~20eT3X`a+FzT7;8d ztl!dVv7mB$em75Bo@eel4zQ#D*!T#qjyRxVLHynl%2`dDqo zZk_!oghd;+zdQny*M86&ZE>VQ(70NY``d~9eh$TkEx;^Pay~E!mS|AcehaBKDJJAAMvwHCF>dBLs;I zh~;72pQ|^IK!@N^HZFa5WKn>(@&3?nly{j^hQj~LLBF&m;=zrZz*p5pakbabejRV7 zT7vf3uqd_|31KlJG;x!_-ddvwCCMs9$m1sl+a*s1eW&5~g_(%*<2W^Tki)l}`6)Tk z4&@4$-&Mar1c9T`dz4#dHUGm6rIbW|(sIlnOgEc+BVmdzAEZwct-+yp3Jp$Fhg^ozBKd;XV*_C-IJAf4!e z<_gbJz2)~u6vCI&l#Ik2AVL+ExLqpDhC|`=BZ~Nvk{vp?Zv1%%Pf$h-dD-l(#tyI# zkK+h0wnorv|8=+%{7PHYPx1~h5Y@XoV8RjdQ3(U-2D}vC(Yy|R;m;kBoeUA#p$+cj zbsrwhMvCA1JBZB(KLbidf-bKRAXJ{kkH_>11RCj^Ilhd>sZ-ZR!vVC(hVKWnK_DV?*h}#_+qAsG9Z|58ZOLiVR2lH?i)?%Uwn7*PZL7@~hetQ|kt z5C+9JGid;Abyat{1xJdHM;9}xd=976{zw!mky;{~7hw|NS5ul>c?y511aj`P6^7uLsQbe`fc8P4;IC&bJQ;yfy_E_mhUAI}Wl4|cxK0&X+}K4tWd&^jFw`st1Mdy@1!59a)a=X22uE_niaac2%kD@O5(`|4riCz|+Mo!~Qd+ zi_}fxJbnqkl1JI2yC?bYz0^drz3Qa1k0KG7DgVY|o47En|&# zS=B{<`lJQLReb)53Z_!&2Wt3gfW^^)e{um4*oi>ctK`<_IzV`WBT+dI(1 z_4ph7cA$F*_>Ob6FBte3O^JwZcM$qK_+Wcs;cVON=5x2i!)xoKGuR#cU!uv*wiQ|Q zOFuVn_h*-fr_&oZXEAj4hX+WROakA$OJ7yJN!QRyjQH!(4U~4 z681I)pp+s-@7j=tI@!iz-{dw&CroCbeK*l+R$HP@h;<^fEUvDs+2Xk62*GCpL*dX@ z!rS7gepMK(^+Oxa2f?u~px2B0q6vxzQ{X~EaX+rRC-;m;3Z0ASC>wSE%M?}YciU#= zll7eTnI|AU@#4fQ5=^qWID5X9M_J)VNSuiW=crQ7{e_T_6a}Ao2)Yc3V(FhZ(2j}H zPVb51CVhLGmzbf~FeSCe!ep1vwvnq|4SYz8GSPLeQVwj(d&u;@)D5GSO*33$I38YNslt0j3&VT>Bue6ua z*4jiOQOBb&cjQRVZpK}zVqUI>eP^9qm5ae+W?Yp*(?bp;00m8Mo{tqPeczda++Moh znM=)3^1w(W>{GdA%L8xTz06H-GWw($20;D&_QrQ ziHVT7DPeCsxjYBP?Bjc@ZUe*mBgW<#Ql>xbwW30 zu9%V290a|ghFQzyENQ!m{kcsTzFAk_nd;T3#(^5SiuY!87-7{;BJsd@SdjkE>);J` zdVFxPN9TsQf877`4X?z5opiT4*yM8E(BEQoi@BP!%hKlo>>2Luk!lL%2~nBLXuZVMnmBF0B>us3rYv$`mbeAw_9}Ta{1v-JJ2|5R8W> zUxfo?@g87zQ*srMD_`CQ_&4q{-bP^sNV!xt1o~tzfpdkU&1;!jfOgeWs({un3^c;+ zf&pP5;itjHh}cJlxMX@1pQwcQi+&Yg7cn>y!hUCl*;en&WjFw|`gxf5o%?I(Jap^* zvOLzAIzmzfd~k8;x}l@PV(XiGmD~AaQnU5tL0lVa_lu$EoAt|nbr)y| zbLg((qO_>~2DbB+iA(Y2C@*9fuVS5^q4u$Djx1!DYf`dbn7mU-5l?%Q^-I$tg&fxU z-RHab$L7rD#{A2>4a2IV?e>@Lo=(e|4&&|BpN1Ph|LWu3*?-wD+O<+Ex*XF(>3f!T zXu4x#tCe=X|83X7=4FYkufnvfulSinqa0&5z~Ij}Df>zLAz*pq-^?9gW25Ry;N@#=YFI}k-CJy2+fP=RTA!i3JD1uM#@=g|6~mduocg9w>zwi z<84in`1#7&@6o2p2orw>H@=_8xj8mExf?wXA*?s1I{u6+xzC8RU4QFpdH!?gpH=zI zOPcuxj@W%z%dL!mH1nQ=K`QI9?+G35?_nD`2C~PSOqWQVUM-ptr%Wd zbI(1@oZ8FK_<&UR*6MNG1aB8$YLp&r?YCr_K}q$SSsVGk@&`@7AcTU9h*%j1j2WhA2eBE1!tZpG1#r0V9CFOtW99o9#OMOe^G zPE;l$@O+85fHg2-Q+UZMiy7I@UD{4m{7u4XzGCS+K}lHfl35)B(xG|$efR(s zej(Ai4~xWW{1`h0S9q%hSJ-(%>xPQCSEYO*Z8pt_udg%wR>caHGn6)WUK^U!aTltC z-^Kc)J?)L-JF0!(Y(KGRdt*y>J%HVV`{}FR$E)B3nZnPOlVv@zFv+mguT-N(kg#7E zIA2%Kaak*qWFY15!`I397u%8OAu#LRc%t!C7{UHxnsH|ytPS)XklDP8;jUuLO`k^{W#u~Hb4)W)tM%$EI9e}s9l zu?2o94V=4bJMd)d$nD_P_6Ys8LE$u(j4j(Iq*WI!Mu(knu$DU{(`^jA3dcK0gC0rp zvKj@k1ZkX>(Cq)r47!6+guB&+x6~!z0&WX9CYl-f>s878Vqd~G1v!H$%;U!*B+ ze_wTu{DJ^iFFNSjczSYU`JN{mv@{_%?^1VZUiW`LfQo1j{q%_XDpST~ISjC2k@#-6 z0nGV$T`Rgeu<_6$5D-sw1;!g$_>^C)RkU_Kz5OlEzFMK*z(d%qo!MJy=)JHV+QV?& zfU@7{&JXD8?EOd3ay9$6oM%(P!#!87rT5JCdV`kq&?yX_Yu~W>Z<}`Ziupy+lUIB1 z`W3I8{dEgFPj30u9H0TgLhDS+@>{0$_4hTv;l{n~??XU!Yq#DU;KP%E4}?LNIgox0 z^MZT;l~Z^i0yu{#9Hi_16q(Znxx^CRGc@XpFh#<2Ur{zUa?&Nw^~f!dZxcQ&q>b8Y zrTBo2>^X}#?MVU!ebAt1ua^-CckVUAQZ?FEqmN61R91_KjpOc^&h;OE6X=L%ggRO3 zVSE>?{dPSs2oZD!l`L6ODq}Vx_3!73CTU)QRk3BZ`!c)F5a~N}rCNKh3lQsqWXRz%UmIyBm|XjCn@NaEZl&*kBq%*hN8I z50VIprV;fpeMn{cP!l;3MJwEc)>CcImeMz&Jzy%Xiy#e=2B?XK;TTxa*$x>Pp{YSZ z8^NK$;dF8es!XiNR&<;OmSmq|jy+<9-ox!ho5$~?OvJ2TA#S2BbB-WiVVF(N7PjYm z{m9;No#+FU#yY!rjL9^SNcb&PP=alowlDTMA_EGcq+sy}wiCfny=>)qcaxLISUF7t z!-6CRAM}5+>1-U5K=R(>5d%UYj;#B_!b)PULZozk?m?WQC=VrbAZdq_Cl{$iHe}%? z=Zk2rb_gP?M*+a$6#OT@ZbhMf_2weSflEemFrnGd4p{{OD(CLHE7`gJOkGJizPo{t zMR=bYnO_#kN{tB^Aamptu%O8{G}+%>)pH~dCF}a!v*rSBJ0lBZ)qqh^y#G+Hp$@wf zc=Np{7Zvc7Fo2-E_q@^Fq8A`sfOMbe_z)r-DmX7_Kj;k2QUT2c=o`}ldb>5z29I%CXjvSxYAvafm645)G zV4+yeJGOyjh6*2Xd$m>w65%DcCxZho!nQ<6A9(G$L8c&rOO&Z=R;lFr5n47m3_8Vk z(7F4KrC3`M2myy}<;X|5AVF-_0Wk#CFup1Zmknn79Em(|!Q(rn&=7%F2MyjYu}j5C1at}k4*0pH8y$CA+;`s;LI=9iLRdVivFu=ycER#5fkI>oUEyjH8W#By z$pVzN@O(cS5wI&Z3~!&YqL*e+uv=hOF@>cg-?dzE=E4|^1->iA+Hh*&fbuh|35m4; z1+BG2l}*Ba_?v8U^*pvy(_f3T^?GPh{la$HmVA*~ODDx~BWot)@iM!h9sN79eq6fZ zxv%w891(nCI%pc-Q^C2mx2jIwvO6F2!tG#`7Lppza_wn7*G|sR#b%`ja&v>cpk1T4$Z%zLWw#L;k{2lWq__`UzF@5a>x(BCKu#K`|nvC)ndA7(VQV zQ~+&sit^sa6X&l7nIW}zgo4|}wGj}Xq>c3Ua6BuHjhHhvK>zli{VN z-bZ3(VX!)cl>Wi^@EOcruR%Ioq&4cDgb1}#K{PM3e#XBK0s$x5Osd1VZkn7?DK8FM zjUBl0IBpMJI&p+oAu-3#+i6~HwezitS#Y-;`n(PZp`UO#a&kMFXx1ddP(fOCpt5?$ ziQnE?st%KH0iIukq+SX17ZDcf_=gZ^DpIc@b1&<5B{a&_LYQX)CnPWQ=(1}ae@}cw z!Zd#TicN2Z_>O+PnfVHDISwvpI^5&n;+v2I;I)9uiC{A7Dvr+bjFdozs$--%oU`B$ zj4&ea-X?njCS-D8p93Gk{iEG5XM9}Lbo5W=ia*?hKqFRJkz)eT} zl*+oXi79v}qfCNWQM2&1=@==$p|l56)(0Wl!AJ#KocM^3vI#2&OkL!|(0iKdO!plo z@VRCUIE3IEwjfNwWA-?K85Fng*u$78Z6hs0hjJe$ZNh7Z4R8N|eY_(iBfo18S_SB47w6 z2=7^g>oRw7xb}zBTcokpQ_xpu!@nkTDl4YJ3yWjh9M@fls8Y~mwamI;kB z&gWgU6oP2*IrL!0R=P{S!ZbelQF(TlP?E#!Z@I#kmh+-< z5`QItvr`>N+eu@iL@Q=_`1D?mOl#=k$Q)Ao~bDbjN2D=PYtdb#9 z<*bwV0PaM=SQo8iB8Yo>OL9CxP7DwdhF%l72cy|&1`c>U0-|^&Z}OxSiP(~;&@qEz z)|bgp2&Kr6$=~p14LeLHJ6qtV9DK0)#$deP`b<__k?Y|i1)h!ua)J+ccp959>G~%; zNW{L7=UQ?vk$wPdTQ#`izDn;HDO*jEex+KO`InzwpZmz=^dI;Qos%)e8T8TXgB`Eg z{#S+~MlVL#NVaOwB&$16wsK)no4^h0CXYgPt+`EcGdRU;+u(pNJnFC}h33)q5sA;I z*3bQDVcykoPX*0ARKNpTNTP)9x2vWyztlyOds;CGu6t{;e+Mlc-W8Zt;u`>jjTDWF zg)~$Z+XazC;6z@OI38Td`MZHkS&owUN}aXI4_bntM!qcl^QshVyX1i0vs_+xu(-d8 zXly{nU0(lhRT4Acv%Hse`r^I`4Kg^ufkfrYw*o z!C2n$!PM?o7$IS(4N4F2Jo!G>j388E0njk(xwS{4VuW(ELQ5^GZ|w`dE)~p)-4R5h zG3S%;+IEq_K@{{ zM<7f@5G=z+7G`$+rlm|e*OF;hphR7O~51KB>^KujNtU3g)B*E{s&J**JgQ;G|NwQmijOc6D* z{=S2vrmpxH=L@S3dnGY1DT&-s5sKc<%pT7y9Q7|PJ(;w$*@aMD@)oSYSXF8BMrGtW zQ*jCV-+g?uM|cO*c}Ow}#?59}qXnuw;-IhE){+tjz^PQeL3&;T{l<7`pp=Vje1b`G zyb(0)PNDHMqY0ekhYwb0g1FEMq0%Qm+Q@nJ$T^#5;R=TV>;zU78J-x}+WXuIn$dBH z44ys~R0AVtGM8P3Dg+t$S1+^7-iy%}f&x3o1RZ(}T{N=?9YksZzIA`A1eQzE!-kAL zLoS>@DBmHUb4C&-w0F=4j0_VPh)sl+ay(hk4p(n3nf8?pJ`L&7`39_G)h;TWLOLS&v7VKV51srVB{~89x z(1PULgn;5!IK@f#{3N8;keWCY;~1qI0d?h7YX29y>%$MO9g{d!0ECV|%DwoL2T9!z z;#sB$KTXxvimy;C7n9k23Jp93$%6*{2+M zRH`B$x2k23R-uv+ylTAcjZfX(qjbiREXsUyx-08_=)@+L3`-SZK*Z-y$OjT3;y2Kh zcZ=}5JYImw;7c`4LtYZTI!U8+K~tlcFc)BxPQWzhg?MxwIlQ0k>ecfh+Mzue)dFF9 zOSm12*>%l*D_KUp2M*4d76FOY=w_GzUAPEK9E{!`9ZUhFAnqTLpnP-j?d_V2AUO;J z#L&mBd6GYHBST3JamAq=x0sq5V}}s%Xsp2HwK_LRERb*SLqCFglxB_uxLnphbSY0e zh1v&#mkMM>y^vG{Me&X|XDC@Ql?9$k-?|7)c55`RR>^#tNK&xfF7@E0lz-5DD^3Pt z9hIxroIN+;U4ZYMxHbf z+IyXYuFoa)VvWgZ-w^l&irWA(qfkYG&J-;m;qmKC_b9ju_LLi@SMl2`pQ!ohOUdsX z$0g6S$JCEpYI){~lv9vCZX0?hgg!&|mzN%2Rms!hya$np-`ERzvDGfYuRZ#{QMpv@=0=y(Of!9!XOm&;|C~Ci(3C1HH ztT&v5L#k+UUov+vP=V>h${-emys0a3e0&NKURq|0e(LkQ?Fs3588V8nM;a#Gbqy4& z6C(Z*Ah%nhN4bh;1NMU~sC@%41A#kQU_%BJHGsJbpC#@r9>8xIPcr9#{I4j94E&r3 z*5Bc7xzy<0VY=q^;`XbJ}4k(&oJMD4pkt+9=`v%^*y=2@PSMKT{LFh_CA@icS*e6B*(}Y{Y(=_4GoDEY{rhO)SshXl*;#;1 z{ZW0=e9IfDS%{u1$C;x41r;_)_d2Tja;ZH=agftFEH8@5L}?f~`mQ>1hOBbwJy&nR zZyzs{e8kWk20R0*d|z`|U#%_$GHE>8DL^6s1xCN5m3lQ@#Ki=K;cWwToLJq}7`+s2d(Z4e#a9CU>uPacf<%=E61%zuC4v>1tg&>Q5@hAGN@rpz?1SXC zF}zY*q&mMmo@IVm>L=R0j~uO*gAD=QUv$gkgk1y}9_=e5{;64-!8-yi^ybm|ykT?? zy@IqdsojLjbY%y_3$wpR&)Csgx|ins=V7w2cylit3E1rP3r07zYwKnT>zo$pi>ssB z`Ups!9MM1WFc9?5Pl>g^QYaq(yn#EgFOcHrHWkP?b;+?LmR@IIPv0w%m|w<29lcW} z-BX_lM@JS%ffl_xG@v!YundW44aI$OH)ibEx#}UV+W%)Yr=Iv%XeP#KZ*kvp)~~7OR^_o z(_<}ikn%a_@+ql!I0dq=(yo!%Hl4=bbpI{u`KXHz6issz!HoPgvqb@$P>%_Bu1lej z^+i>5Q`6ct;X)>>!;NwgoXt(LB+nZPZa(SKQtt|hnSYWZtO%41Ee;|}0ec{eqjN+u zd;iTPVe-qJde?hzP{%9W;ZKYN5F)Vm^g4b_0R+h{$g&N+gnkabH|fFd<#8`bX3=z} zq%2do?BV*n65bzR{Zc2@h*vmK)g%eH^GoglIB=|~1JZqBaCJqUP(_lFq~Qkocp4Be zJE`EWlXK2TuZa>5x;&yTgu0}ATTHW5mnu9)y3egB_xBXh-;tsd(L@R~7SSE-&c75| zTseW(kCU)RG{hZu10KYwrGZ#NWYgv)De;2n(V;Goox`f3owLTIT@y9KqQ{-b)@21p z{MgZ-`IOkvgEZ9}2I3SSyn3HREB2l=QCD~Sya*XO!d}lz3N&@6vQ_SFb*#Np2Lr>t zxgGD&?_X>Fb}?Y|e+I%SmWmWqwQsqJs4qp9CN`Lw;3mKkb-kgh9mn=hB=C{`CA%cW zl$Wb#Y0SyYvm_bny$6rgzxNP{{KqJWc>uJ)kO%q5M)t9FK$d5NRJ zt*|JzjPhL~@l}&Rpn|GdU*D6c&E(?nFS04Ts}%IFl)3}Z!$q(9LAh?FAW_8(3gtOF6?Iq`CAP6;ZiVz4C1ri>y7A|{we5~MCt$|Yx zKGFNy+!0*3q^ExY`_$aXMn#{G;ETI#OZ#_#v^t%#vX} zBm0&j3&hG(llmvR5yevlW5*XcVrn|5Nx`SLLPjaz759OJR@U_fPw$MUP$GjF*>NZ? zh>ZLJtPyB4HO2*n@hq`+8-43lnszZf#3~Qe%6YSf^cK=MKT4Q*tP)>P-!83r)7l>S z$n(SN;$ad&P%+VES8$ z^s%QY8O(Tlv`>q;>}<|015yrN15nn%kC)$Bad9t(ptjd7+PmcicI<42I2u02ea@u0 z^Nje4u3;cXD2E$dzZZ0iZZf5CmSsj-IUHh~^J+F?9{FLW1fxT!BL=MQG?^biUf}h; zWrud5^=!(#k>o=I3)ugOxHzVXr%W<9K^XY;u0ysBCZxe*NVza*U)@0w>9!A zM#-QIt0x{qJf2;EtJQH^a?QJ5q^Nh!_u#_dHn?LJ0@`oh`3u;l`jB3I0Fdw3(I7Nr zfqgIAc%t|KeK9ASLecq!q1(;l;i2J;u^YT@2@P(fuJUKEk{vuA-V>rAEMCr~3*77K z^k6D6OdqEJA3YGr$fPilF)qv&-w@{ouhueZUuzda5ux3;2&#u$E%JhKa!L9RZ)N+I zvScW7gY%qEfYZ8!pCVLocuAD4FHRKHi7+P1Yr*Gjzn~|R|C|3W9A!}8=KO}H)I2J( z2AP|KfP^Ac|Mcf0o>{ETYq7SIYMO2_yW|L)QhiJA+vVsFIb}}%KYj|s3*txbi3DW& z2c*HHK7pPt0ikXV;q?<+W-|4avf_bB?iNsBJCSkI;FF-#{0N>K8NTifh9eCdBN{fw zN@|g&F%flpOohKi4e&a==OhMi0BT-8Ji|sLrtK*3L>2@AjJ@wz^cl^cy5xHmPUJE( zD`JkCagqqh1u@D#EtIDhF}6Yx-&4gmfr;{2fZ|C&#e=}o8{zpUqT6=_H$Ws8Q276e z8Q)D4rTBk*;T^ag`f)IVK(XV0OiNjs|EIGAEnVvW@7A+*(k%N8>EwgL-d{RGYgfz* z5V5hbs7{*#H1u|MYMlghB%GLo2acI=CCAZQR-~};m;J^uK#65P%um3%=;6$Mk4z^I zaY&juZ#@OnrRbW1GN56R!s3pK) zXOS~#J16Jxbg@LxROvD5QkP5{MmgN4ay|6r08fp%J+DzjdC?&uIk_U6tp`JkTcZ16 zY|UHQ@%^GI(Ar-!ghpZ!R^50WMwE={ZBB0&jZ{|xmWz~%MxgZyz?93HKvOZ>ICN@f zN;7VrZDAeUf5qM%dJ7OMiYAUbcl-oZFe)^GCROVgh}EjIW5KUgWa- zH&`;pbbE5U>B@Q0udWx_2F)C_yl+**H`4_5SHRBBTbTv%m%+{A>Dc7is8Ijpc2g7k z)DytnhE@V_W4rtg@Z-(*D{JZw3hEG}?@9YfkBHsT;~T<2NFF(+*xTp(wKW-sOQm`g zmHtI?9zYLYoTPP%Ho}{~PdNV+J{D&xVz|ne)Tw)9?;5j><@3TS#Ul;VA*=8eUhL_N zLb%OJQh^5u)?b#zbI_Q`O~vft?wfb)>9;w%m;m#F&1g8E*hqTfGl2922w!H{yan@v%$qp$k(#;y@`s<-jS*m72@G@;8juuQhzkCImoh{H6FRK~ zPHckD$$e(f&mnwd@c9^zpiH;u^#@%1B)%;Y@_V2mC(P@BDuttU)Gr6smfnQx3Ktf_ z_VHtY`c#f!Z<@#C{szI}*aImU4p8;He?WLr7D-;&0#7?9%Hg&ACNd%hj&@`|rH&tp zo_t7zQjtcK2OBk7;BquAMI3tcU9P)sTJ5sw(LL%c=pp+>n*lU!Yzss8CxCd5^x5_a zOs~+e6(^3)OI2Nx_D(HjQh0m0d2Bt#)0TO78OT~&XbxDR1x)gl+#0(9BJZ{{-GE}x zpsQ>o%xn_%h)cefyf!Z?1O%y>zJZPnX`m@kq2DFQEQ+%uO(D59J-7Uqin#Xl`?B%*IZvIy6MmCmgD-LaW5{8!Wc)Ha{s>)n$QP`(kx zmZV$ceM!UyUQ*s)ZAL_c-$Ked3L2K0l zgLxs_AbkI1`v)l0+ZD8Jj6<_O1*}DJZ=T3%{_Mptd&-i{9H2krBIdu4QqEyJt2cw+ zvRK_U=ol*=c@Y9Lx3jRV76*9-g6EqDXUkqu72Zj3I4w1q80nd6p+-4JbF4+oZ2B_YT!-GF9^r5+=zm+&idPiAZ&t9k`O3`#KylW4hfNzlQS@X6#sni&^F8!_Mu znJFa0oBpOjmsCSnhD~{OlZTRFn21Y~ftZgonBEzpVxoM02dXk=P`%SRmjl^Y?2YaQ z$~(Q%rP=A?aYS&&tHpW;I2iB%_HrCdT=S>D z95GqFajcbOFUJYra78u0#L-!%ax$gJ?o4-N=z8sDKa z)4NG0Ym@Dptzpgo0eQ>MJ&oUzVsZpOZ7QFf>VSy#3$DR4$p8brNub1IV3`9bx(Nz2IGqcv(?AvLeK`W?e0 zHMhHFbK$7Li!#)RJ=;cD^vOKtUUXsqEICY5vIf&C9mwi0&CW(<#C=+1s_ddY%EZ71|mW^!z9`q_S(D~8eu zO6LQDliB>w&(6-{U@%zBrD>C+RBBSChqerDR9blR&Jd&j)B094q%SqwA!& zHe45K%=NC1eA#ur5akT~h0D1=zvZ?PX40sS5y?1o(!M#RUfTPEWA9cDM zdRC05bt;8-jdYs|(mIVP=zTX;P#-Vyq2vau!T(%?Sp zi%OVw2&s`#ib|NoSFUn0=>Vpaq&`D&OmQFk3+$|H0X4%J8DDb45X1(CJ7U3=xyimZ zvSTTZ0>ib7dwZQ*m8`<6b?fa|6Yitd~4Ogwoj>LpPXBiuK84kwHlfJx%` z3-ocM&@=wo$D(P933)F*A~Yliy+#Q?Q9)$lVMUYZFt5^JpkO!xRveqZs+WOg_)dp`-I<0X+52H2C712{24qcAkSq#_ z+Zy%{oe!$`1mW7IdC@tOgO%5tWKbmk=~EHQUwWkUoGM0%3;3u{)S_l1F+tBD58kH`=s%A=Se6>iggGo zXGB{ItD+s3&O#x8j&M`eP=E=_bBx|obyYIUm=Xa=4zfAxW%>z&0a#5CVe^@2_UB^Q zN7UgH#^A7Kv1ZO=8CbAWs16$g4Q7v$g6o1HxpgH;89144{8ab3NutW77AI`6i{OX5 zC0nVLE4-Y#?x=q`E7D$^;i7wVDm#o~6!#39VbK1cA+Irg@lx|u`}_!EX6;1!lR%k}0I2w;B- z<~X?0kq=iXeh8ceJ$?5Go@*|N;{(5222JDZl)ZvXD@`$4a>_Dp^sROvkoTc@ffv*w zkl3Vg80pyqTYbUO3aOEWdQKr0qRDF63)GEqiBqf6?4DD<2zo$a77#MLuJaEYUzqK5 zL7X+P{f@xf#~tQf^&%SCbxXmeXoC{Of4l4u#|^2CHa0%hQf^~-LRLWT5b5aAdPAts zFm6;M53F%&E3ekztj5NLy#-*zsT;rlj!o6FuTz>LP?-dd2A&$Eu102SPCLu|z7U!I zn{cJ&{H1_@q22jD5c|~M+xu6(4v>9ymHW^8t3P3UEd_%b$X7OdcFbZl<|AkiJyCnW z1s`JN+VySLgRNrq4*R0RF(!lSQ+nff^tU91Ok(LJ2^0Bwo>G`t*IQ#<528zuw*EKd zyfc#-Iqm@VegE?Ii=T3(zJBo~7Jo2Oi`nle} zdkYCDc;}V1jrz*B@w44zDf_i?|13jHKMp9fCk`{T3{_O8T>~8@3v~3sF3oqQAD?8Jb zQQ#WfhC?Fn4?@>+Qi08SHzLkV1MoIzo%0MZyzbiG{5a}YhP8VQL{^&3Ztd&K_b6Jv zLEqTSz}|T68&tcgIFt<$Z?tI+!T4ONZ4L9cKeX9ht~S^1{_VHw><7#$V!RjU^Fte>e5euXG~#v|!~R!z}N zT5yOx%3!t?n2PCeFaU{3_A>T20yLWAi0jqM=vEvCo9xcn5;&Am8ZsfONfbFIJlxF$4jxE5TN_rI13;O{8j z=om|{4@nq_l7NMpq~YB-SPNO9IF>yoLzU}HQO0{MiIcGcE(1*8 zCi1Ir$JqYJzMB%*dmJ~34Cx#i9|BdX7`fI_XLX7{-+&u3>{hJU|t}6NfI$8{N0iBsv!4HLA z({ry`*jaGYBg1hJ>-Zes(MZV5_a)7R`Q<=#EOo{S`my%TvsKy1_0%S}zt?eSpoAub zzHWjTRAG;`#fu#_TO63_E+4sQq_gW+(mYBg{T?nw%}>@O>(tf zAk#KiJ=d!H(`+~DDY=~W^+k#4XK+3iqZa31Brh7HQkWZ)UvhSSoBW6c?)yn%!Z6Bg z;aW{8y%L;1nD55=9VSTrR zh&-BKKD{8$f9V#|K`Y(DsBuM%e*M-dE{2i(7BK(@Yn4>+J$2rU{_Uq|D`8n-4lV$_ zwoGh;K1hKrP*j8I#D}!%iGdbS_L-F72x>V2*na%nomI4Ic>?rio|aQUIIxEKwY>O5 zFsRBs{m!^r{C>F{xf@R7^3I_+Tv&7iC-w^Mtf=u>OzIL%U1F;JrX*LG7#XXq(@Ot|Amzdn<=`kYwMSejFbtVfid=5WNu|*t(pb?`e79BOP`@VMGux2p6Su>JC#u0 zNb5*fq$G%fIonth0*t+cf$`??z6E9C{u_YG^5i-7x5s@}bVYKez#uo7<#}=BMuB`{ zG*}LQB>i+OMG28)Lh9RFYJ5u98(H2Mx;G1*89{vi`XQ`yiCAhI$CAA{S(fexF+{t! zch#!!0cYbfh6ICz%G!bL4`)ZMGxX8=*NysUIM`lRu;CRnZ%1YpWO!rt&q}X*3Uwh| z+KP_iXw?WV`veP)dh=S;7DpBE{CaM0l}#{w@T>3h&KGqS{R+L_nO&I$Zm%=@;nVK6 z8qmPfDTw47nK7rAs_1I#kC^L=;5Lr=AX4&pd-|s=ecwF}k08vx>zF{JAkP7$Z0UCR zf5G|OLmM(C)!M=d?IfNv>b7q4R48%1x#j>9A|pwaM=`Dbqf4#n60AU%ytMvs*!ah7U$n zXPf8G<@KkZT0-4#%P&={H9m^j;uiRRGUQ0C@~m%fL*gTKZx$U+~y!%fEc<4;%LP&!^2-?}Iz)Azs|*Nz0B8l3bR( zo~6`knnZACBwKN=+;qqpLc3=%!eQNaJW-!%)y!8ddquA^+=j$J#Y2*XRT3KaM_a26b(BAR{1w4AX zoYPxhby9D>-M0p+kR6@qLB{50)4IXkkjW&g2@+;>k)?ySpKZkeI=7?KyE@zUYA5%e zgDTX^=QOwwTb|KekuSd`o}`4npvG;Zk=-IEFd{4Z%q1c*G9|pVxHr(2AkN=PlY3TZ ze+Q=hcCa`0a9=Yd&dK&ZV(J(MM zI=dpwGfHDVMbJ}&#I4_az1YK!HClPUP2_x)$ zAoC4qC22pE0;be|A0o`}L(vtcj0cZEvQ)^7>!V1ER@Ac6+?n4wpO_dVTDyv|k}t38 z<(_}ZoB2chgl+3gtmf-cO6w72OKgIi4{05>t113)c6%fol|EdkHMU@F(bubtx{2)- z(noEmv1v#^MEtRTK0&~b&H)@>e=8*dJV(XR75P4uJOjTeA*BYWdf*=}_%r60nZCWT zJ7n5dB2e3=<}SM1e7yYJU7h@b{9XKlXV1P&NY(fK2u^`;jsb*I{AcKk|0pVU!>oCqXr0uJIc4R;@_NaPFF?~OggQ_aNSSu&u(8Dy-Kxu|LR?AeeF?741O5+0zZaR_!U-z zDaZE=UJsLZBhn)=Y$H;itS&U|^(J61Z>j+aY1RjLsvOc=W+XK>^l5{Sl&c$k|1sZr z2Al70+EUpkT7HFWY{xRDv!itge?}Ls&U)&X#LdB8R;*gzS$KU_A`Z?HcR3E!akaHwFd71ciOPdvt##HUw)` za~~e5(&a}+k~jJ=J5ohyd6&3znRpbDK3}-Kq83|%5a1N8&?QpVOFHgG({Q>7P9>Dj z24K?A%}y+`BeTG934~+ZepE3CC*T74L>5rXsu}k(G$WtnPKPH(v+WTVV5+kxB^B7< zR*)<)D|d@QrgeWc9PWaK473OhO1UqV7mm07T% zoC3LIY;FBJYBAP1=q#&K5w^%}fxQw~`@<=sD_WF*=MSG&vrYzi9S>8b!pQ7iOBAfNspf+gpMiv82_i7A9su-ez_##Z%S-z55b zbZJg>DX_@GqKC*JvMI6XxzDtW0U-X^2OvB}3u=X}gowW6PQaQPm3@$n{-IACzY3Td ziZ^0~0%~`8Ts*581YCD1e)0_Kp$;xXJ~XJr+{4AuDH{tx(sg)oRE3ZA=X={#3A zk$1@Y@l#8TJpz9wOlt1)m_jZ71|ykmClNHPIw^L8iUVHB*br<=Wmtb`)@3VDbL$^q zv*W_o5vDl|6oecI&;c9`O|wZ z_9ikK4)mL_d0C4Rdb5$(A)CqlQWLt(In$!QC=1o2T5yua$KZ(iMV8!ewHe-koijTo zY|4T6XH#YMF4nFLZ<7c|FpwC97Z&Hmiy(384m0O;3K!NNmOI&ENMmD}+-SbnH=^Q8 zdb*R+MUJIM*NL~!U6D3CEUy@q<$px+A|F|TIPP^p{@nx;n%oTuj6HDz8_rvPdDIL! zKWbN{g;eG@CkdJp1L_L?l=>BAWIsVirRWtQA1 zyL;Rm?=LID!dUz6)cty5qCd7VRE0*=-CBg z$y+%$_tMWg2gxGJ5Hc3X4W zk*1&@7^^zua|?fN@`(!!9!tG&*qRs}Oo$NLa^Lf`GbHM!2AeC>W8`l^hUZS0k_0xb z=3NVvYM_d0Fj`w0QU4yuiCRU(WKr9n);`TjHyUR}iK8{zcOR5h>EMBT4U*C$66*i# zSxKi#V#PRG&SCrEOc>djAjYq>rA{8@u#;A*Hb(?KLQc9(j$XgXG48akohvc;#iaPu z$1fzn%^<-2i2s`?rULLL7WO1e7hml^vDkgCY0%7>>A3ekOuYKxT14 z4WcU{y*JSZ(QRx0jP?Ys=yY$w*5{@Qw0Ylf(6mKGfCX>>*KH%vaGbLxn5j%3o_;OZ zGhNSKB(NODa+Cxkom!jV_RYHAlk>NHG9uX@-uXhdBlnU?dk7v&y3N1S7P3L*WI65{ z<9>-Mi1kLzsWcZ=)w9bx zk)9g{sB}T%Az@qZdp86+bp@){!7>s)Dba-r@^3UC;rS|JwPu8?ngKh{Id$$;;g_58 z$yozed+leL@sWd*J_E14i{U z!n*hk`h*)#et8gk5h@B1BQe;D1j8ThaJi!8|oCv|DuEqEuA`yh5^BaOvpPIL*Jr)Z1}}qEt%k@D86lYw%1-VY2|TK zyLJ;eFDGYXet+vlGJE>4r88+!*6eH7C7lDca$lT?#dS!*+c6p9d!zp{Wx(IPq87_y z_7&^a#|h$BWmC2rQ|f9sI$8hH@<%QQtHZi&2D+=Vjh1*5O|rr-NN%IxUPO~wWV^}c zQH*)kQe4YWVO)1ZPC3UVnI>YVzai(4dXz>tew4s8wGX$}B z{0a;eomJ#Z1^CveodWt2$EE@PE2}y`EhhVPaDUQUS|+$cp30=t+5B{*E1R4BvHdCB z)e7nbVWtg_0-VlSDma9QQY~u}0uzhV zhyEvHU=U=38Dk(B_8qT>(J0lAS=g@zm89k)`-6f_j+AqUzmGh}GcPZ2N{St=NP z8Ofp`gh4Hpi{tug4$J9^?f7_9%R{FDn^x3QD^9>jT11qCz0mf?d2JAPt~q-57fyK! zZ;g7yE3~q_UG&`w*tYUr+2jltlD>)EB&9yE7IL z1MHWP;ykFlACg}_f|6!ll+y9wf^II#kJhBXSU!@XyBv%@kvyjl$Dv;|AXdo(X$nR3 zN5P89|_6L&%}7@NT;>a|qUnn11%$_6SKcQp!Pg z^+BQuG4eGL8!eBEHA1_DT2P^=ri(N=!B&<6OsJ6Iw6h(y7JI9OdfEV1;*@mA<%w~zIB^|2f{xDZf>z8 zX(lN&S-)s?X=}()zg1>y9x|OgN8mhJ8wE!3{LV95mwm^JCM+#&qCxwM*t<>QT&-L(`kJ<>w`hyVrzg2C zfzmoH>qe=^u#l^#k{J$}+F42e1f^56dH-fqbwORA^R_$dL0<;=?&xr{`nK!O|6uL0 zz>(CWda;PORV|na6_8l1ue0=AJX-d<-yM>1djNW6+qSJv^S5o=ALyF)&(2m(N}ZeO ztF9kko-V-b0mtT!+S+)R&xY;I&B=?v{5oAgPvU9I+(35HlyOiHGVTe#m%y)jep56v zri7T0rj$^>O!;JR!FPKLiG0ULz#h!{JbEPN5Ii`~9-J63FIZkv_-JA(sgtqmB>t-K zF&qPA7&yzq1phPu3@60;ww;c7EUO|zY>ibXsL6j_%3Z!PAJI1YhXW+pY z>kL%vb`3QD3TvJ$EgFKebfo*K&QKo$TAn}IocTprk%7g`NGT;aWobn>`lZ*^)s-5| zLyF)oVni@mm}P-@dgV?VJvz~M+kpYj!!%W6f^m)i%ch^@Jq$a#Yq?s2^xHq?Qd>f1 zoW^50hmkZ2#f?<#wI$o5^jO@xQEh&{+L3&hW|)NqVt3;FYw&nqM|R75NUCL1UJ;IE zdOqx{`7h#bXG;<%c_PA>;-}ZH_EeFRhfhGVsA=-atEL8Xp|z4D;tp4bJSF>o3m zfKUVtbwmj=j;bGo@Ff*fXV}RbRtVa=mG4>87rDCES&Pe4?myvUJ6|M!k)OV1)K;k7 z(DINV>aL&0tcjjj`ltHUnaLJN$7Nt}rRUt0i{FPLBXmjaC-sJPc5bQ5kh6X`EG=TE z5a*N%kQy8IZ=g1@Kr%`jG$XSiYG~Z`dihC=uQPdEYYD%@V<#PAhr_+%6>7MFpZ;pb zsnCNt{`LMmgeLj82hH~XHkY8z23PTndo(B1Rb*1`#C8Y$DYqwF*rD;*msmC8)2!VM5T-` z_F}U`@pGC;J8yn9qZ;I-BIzA1dxpDRY44`s+OQ?*p59)C9 zik9dxApAP+ks3)J?HgNYzeZB~rm43Z@uK-eHNy@JgF2(aRq*w@%(B41j=QD>0|C+>HRir7_)j@pPsi(`W~R z-ErCibwv|K9Fn0#=(g3$1m?=}!1Sh)TV<o$cqt;cv1dbI!DTi$WRC{|%n-CgFP zWEdt*T|dr5_aH(^&X=g2)#fqp+X95nz@dh|f@%^FqFUM|y_k{X0i^NyBS26D^R zT6Zk1?y_s_0fQWrcQOJkMBXb4=ve^J3+>fv-8#tP zvoQ`ZH+fMlaY^WTaG9e?XzCwlBr5zYl4UBFYV4K5iothVpP`!^VF-N^oJ;wHBm!!3 zd^A%>j|yJUm|jq2G9?ifvjJxtDKJ$q2i#tZU#c;FyidlnAGG6eDOQZqjZPxH{F;i{ ztY{pLu~i&RZtJ6zm6|wRERjC1!BkdgO#Ql$n`I&DJFKW|Y*Ov4!F?=t;*UB<(vFC( z+iWa!Tq#a47R#SFAypxx)U9x_@%@>9DnSxm@2shiERYPOqAVOAK}FEJ~2C z`GFaBG>+URE~s%LYW;?(BL$kg3Y?U+0YbqHJQAtL6r|!NBpL5t)q$|NkVeJRfZ)El zg}B}0*)MZ)g|*-S(|7?%d-=Top&z4vOF*J@5s8ah{`~(3kSVaf;&H6x0~wG=kwJ;7 zYzX>6qdGy{Rajh7L1I5O%2l%@?z(7z{P75w$8b$xuQiPtA!sH`5v+%Stm(xtWrv4e zsE}GVG+>}d|0S>D6duyX(L^^2<57Cu0A8A>{5L>E)HoKu?jSAjfAx>!>hdkHXjL*l zJb!f496=w!@xchA_`LL>1lw_IC{BeCzz_h#GtAS?(3}vhrMaaEMXul8Hn)^gja&Co zavj!9P)HKL47meJuv}c(Se8hUD3B0Nc}k* z3fj67Iej+jz6w;C%1t0^NDcc~sN+s(R&^IM^U1jg8Gan=ttPC@E_PT;56Ibofl@J!+96&bneH^E1Yd#2Tb z$!TfQzx7ZAFaHTgI~WPznutY8w|-o*`g4-8q6-aVmY%028bsk}8Dr{lf#0v8)B_v2 zZ2P?FaGqqjnu>xtxi7%s{qhm}`jKcrQQ9p~Oi>w=Fv?4EP%t-^?$7At zWSwwGRz*xWNI_h>X)~l26w)8qz(IxK>XR=ge-@=pJ&U7(oBTu}rI)}rt%;B_gF>*1 zvvmLUOp1SbTltd^v_Ef(9MS+haf$hAGz(5x^v|49&mLxlK@=y#4cSULJNVMCiq>(F zy4niI`BtBQ!$>1quUPjtdiLJ;{}+r5&b9F$tUnT-%r&R{DwKNzNP4U`(m@RT$ZL3 zS-@4@0lfgGm20lW6a;Iq8BN+k%ulcCYjdUAQd%%f16r(G(Uv;Qe@wf$#;ZPM$s#Eu zC?hHA#8+n5$|Zy=K=4*=YitccuL&CJVkb*gzqqqPL09?0t_`+oAs-(!LYCT z93VEZCa){dRVKwcpF6N-*^+%q*2;{lznK1}QWy*{?>u}}!s9w_350*`*Lr7S``DcV z;>S>7*sq2dignt0=3UjBf)(B>w@nVNtYfItyI|J^;qU!NNbl>BZax@y={fQ6B*foC ziQm=gYn5~@qgcO+-UMVx?YgD(0nFf^T1-hd>$DmVuQj6x-*NrE>}Vyq(w(_dcMXav z72^f^vm^V7Z=`{-!d9UBYmHG~H`l$g3xN}8tB(Lsl2ZkrbBaq(@{QN_k#xv=z*khO z&XhT$ulMcpB2~-nsiU4C;pghQ_OO_k#ABcXQBnBY?ppT8T+jQQ-5UTUi7e4(GcXbN z$xUmQQE!TCX07D2;avCS9Fbs@UG zOetcZ6C-6^hkDaLH(~IUStb3#M4__8OoFiXtVU@4Tq(B&h6rx}wdAvKZ~a&AbJq`V zpU);F?qLjbZE0tjZe9ha0V^@D;Rz&!)kP<`7w~{SM!y*9buqCcq9D*m99xh-Q|L01 zN`$4U{5nxirOo&e8DPAXTClEzV zZgrwoCGkLu-#XSE=kLdgTk5E?jA$><>Z!iYVFeGZj~(3x5f}y9#5$=%G+f`c168#( zjg2x?aS7x=Yn7*y5Kr-NLZM$^;r3GL$o!2qtM2e0)`(9trCv#a#+~G!*l3&lYeKNV zSMwE+^VRRyWpoPgLXloTqQ4iP9yLNk#+(Gp@#1cW@3${o{kzR|*-)wLVJkzbm?Vc| zJcAoLrCHe6sR!efs<{DF8}% zgFo!rG@&X}->gHzSfqbDOP@VNcsC^ZOPyC>{Q^Mfohv_e4`$>G71v_A`X{G_@+}6I z37J1g1W7ys+&2N9fR(R@&97&XJ>Wi|a{}eQ&h!~U<45_GhMI>(yF2QDkSIp>r*6Z3 z?pflH@)!GTm2JR!Qr8H&3QNw3+0u`8>Hh!N#8(URxR!%itS6P~b4Z{~?A5ivN+c0V zR;`N8DOJaLV!JEb%V|(R);nj3C7T$;(lX?4=V>asmIoXwApTY8P5BCZ{u}V?>-qRH z=Sv7?{iFc$N(;k_d4DK#xOAq61dX7?Uu7%*n#q5~FA#h5g20jE)JW*5*5m8>*~sb$ zpv7eS3J@_4e-`RJwep$M@&#N{;Z0Z(V#mgLk98SmJrn{ms`c*pOg3WHpr%E!fGwctzh0xeio#nn$@Sx0H+62{;hG_!<{ z;v0(@(n<{P{%%VQ9pOm0u?W-b@gyiy(pUG1Dsie}*{rJuwRL>J&(>%#Pse9pc^R41 zQaz5P`YG)+)mrfPxTU}D)}Dfw-dk`|F$^7ffqkZ>uht3AL(8)eQpzpPe`CuRj&NB7 zLoSfwpyx^b1XFJ7m=a%~ozcwDvyv*yLkmM6$P;yqS%3Ykgl$B%aL&%Yv?`;VTKo7- z-V!L(usLqF&t3QP3Yf3WBB$gxjjZ7#FRpV>SkKIq66b@1tBChZ4Nd9#SHg@aKHW@R zk_QiP5cg{&o=Bm+-M%eZU|{(eKqHx(nQ048@iQ2+g2s$?vRh$LQa7L{rI3bmW=>H- zQ~EYtg)QWpNC&s{zNx9mahtUYCZQk%{By| z|J6;S%Ej;U2g<)Q42PKo?5{I};c{?2J;BM(D%E~#!z`lQ|3L!;Ox-v0=`0j2B$DC2{GYWtzKm688^ySO3V~> zI-H;aKi!Sl=Br#bAC$_l4Q-0fKe3tnoLN??0ljIUefOAjER=0SXnJNchO4={>Odte2H};~+N|OPiI&L}eml)B@un@96BO|!uJ8^8 zKD|GA&f?2#9i&s7E#|%tQNte-jAaEA=>DmgTK>yA>k13_b7bLS=UtE(=-%oA*niybSlg_r177FknT<#q_n83z47ynhdbxfZwr|8}EYT$ovtXO+6MO z$MyWk*ry${ncDzO&*5^Uv`E&y`RPfmb^50z^|JKPlX$lxp_iZAC$|duTwN*{9G|sy zO49aOe;GOQl`f{Ue^%o8;`7+~xnHS4$RIC(pRZ4lw`=;wvvg#pv8gh3cJz4V@9S8L z=a{RH4oZWg8BrUfyOjjEZ{TvDEjFX;vL$;A`S?C+xkQbwQ}K_r{kQv0S09)4KHe_w ze!(7YUPf)WlR?;={vXlhf*!G&ZDIH!$I~p1KC7yc2=1+}19R(oQKr$w9-G_O4cM7d zYeI#2SPK1T4of@6eDHZp&DJSn{h4?cJ0O9IVgBqzznN2$*GP=z` z!5iKu9dk4-gyiX*JjvdEu@NJr?%T+kphsU&J^ey-mpnP$RXg9PouTccN53<}=Wu{` zwM{6!7g%UWT-dRjPh@12?}7bbs5Zhm5TV5BLOJT9WerTb#@k-8dG2=g{&=`Mc7J}k zU%ET~yDxJ(e0MwEZF{Lpvosb$2px;lhGPr_y>|%Pa1SB4DGfmzRg{%Lw~aZclz$1o99u z;``kVEp7&m!>RxK;le~Zj>p7;?#!;jy!=yu|9YQo18a=fc(E3LR-PfUl2XE4L;alM zY{Oha&-T;%Ve?A^*jAwl0D%Q6(mGpg?Q_15Ul6U+&u2lfTTsB;bEA)+cEMf#qMKYg z`FHU+`MkiWKO8M1k(ll?3WqCH|GJym-Td5U|2K&OxSnowkFh$B$BNE#HU3{e5r!nd zEZFlemr`3&O+^~~ZZH+DD*?%*-5<+>9*In&67HE*$Ik`}BlUTE*kNF2`>>|exS0b( z(FTMb^?^Ks*R4uQf`pz8O0x|KOhRo+nOT|vbI+{bJe#)C*vd+I_?5DW=yPHo@$twD zt@z2|trmN2jR*^2UFaBlV-u&0^~!tR*OSH2-Ylq6HdBUU6Hlk6DJ$lxqqd!vBQve# zsm`pf?nZuV?%VU;2>rA(G9oH8@Z-f|_`AZ-Q>$J$HT{oIBqH|=vD{L!m0rk|wCXzI z=DDPP8kCB2r#Z*|IZG8oAr;#Ys9Pp2EIoMD4oN}|WYtR)H==Y23$QjeC>PU9C^ z4nHY*;1cJJU&I6E``)0}Q@6cZ(Eg1fkq3(mTia2i@yb(IqRHyHGX=lB&QO9ro6>0! z8p=m%JambFF61bBhBn`UnZ`|3niKP=hlXbF;zDOjw%NEF7mF9k^vYHo6(4mje@VI9 zy1NQ=#86r#yBsJK8N#o$tg}I0mmMsKRDP!F$r&0+Flx~ASH^}$VJE$qXGfOaDa?z% zh6z3AFA*ITncqP&hjSI4R-!|qVm49zT&ph4GWpckY8E$xk(mW$BCL-#4SF) z=C_k^1=JCc9=yO~S6&gJ2^kWY`+HlfI;Rg%sx?&Id(Lch^81P%AWsKnuFr>L|6VXz z*>aUbY>@KT{>cj~74!1EA1OEun2_-@WN31$sb7zo6NFd(B8rzjyfTFjT0*H~4zBGz zrH&Om(U^VtHS@hFi`xnu6C*Ch1e+&`H3`YuiTd|yRIQUQUA2eKS&YVsm~-d)%mV_>1}&WqG_43X;E}tOxr>PD|r+R z>Wy-~utZ2yJ{g{K^NqSxYWNF9Ki?yGn{$An-kDFdk0BU0sy1S&8b(cRR8prA9CC?S zhYfjPjTK%iCX;^e5cut|wa!2mUjlwGC z9Gqg#?xIhWP+?hv2qq;C8mG5gHq@iOuS!&hIVXubI}3&_?x+fVc;1w2)Bf^P z(GwN9wmd}U&eFs+P4Pd827b+x`=5;pRrgbVVdd|Sz__X&w#WjV;*%;J#G)2`>(?5` zw1uX@$DGDPU~fPZ;6Q@+>v`va7w{fB5GuLL;HO;dg>c@=Oe=rAQBU$xe$B-MQHGn+ zp)0%7hCFC<(jT$F^-RQv{>1DoWOfvAR4lYKyuzT-6`DIIYd0cXW z4FzG)H_U;IfQOpk8v~nT15gPEZ&NW-j8ibU+7At;QuYiWm_PodtwW>CHsqoreEN@5 zWZ1#0Nh`WYC6ISQx}5j>3sI>nkkoSDmgK~Z1H?lFy0pA2gf zwul>wqSKCKE4H}|cN`_VxeUZZ9sjTy=xEFw!O?|AhzY0n?}IN)Ss#BVUME%-dM=-i z-!1r?>X7K}skOd+!S#~MPa(anJ=yHr&f>OTA1Q*5HB-(sGH!aaY+dgk%bZr@j}B{d zUmOr+;1;vE8o8uBl&l`dHCJY)NZ-N$p`uaJ_toQh&s~Kns3LkyAXG&E9EBdjiipvs zvOg{P;ti|Ep(0C$V92e1nXTdBg1U{-}EsMkG2j1TR1DS22# zI?>4I-@CHdntGmxow;=jlY1-6X&F^IZf@ zKjS2M@6_!6>{Q5h=kd{s;*7=bM|b_!ra$&Y(Xk%$B(IW78LFHnXzV<2xm4<5)s#bq zFTUw&(r7+@DV{zGjzPY(P>*e>)@(yns+0L$XB_8v6Y)eEE&NdM!%6?ZN8`{#k_N!5 zz(n*sIZ}}d4y1~GO&w^t#6TD2G-$hj5&_Go-<>Fwc^w=cis|FEc1>hNoS%6qsvKGR zu&7X&N1X16_wLYcBL?2{eo@W- z8nldSAT}$vgt8qO1KOp|1djXKWG_U_ge_&BUKh!Z{@C{TzgxvYoXda7MV{W({{=CU zDj5BnG{OO`B8{Pt$RyGntEH|^nI!k-wOarZA=6|<} zyFjaW@NI=&za@>7b$Zn9m%BDdZMUU_i8|o)S zHSwGk*P>kUfcY&Rxtzv;%UTt?!p@W5d{u#t*MQ3;q;iCMLH(zSFt*PW@6?#f`V7{I zRxO?OAM&9V=#*tpoRWE_Rt|zV1|vD=V41#4C-Vr%Rkq3T7F@JHchC+nhcLchMjHCF!b3r|-|COrBP$71lfBdtXr9T*gVx{ZY z+@>)!N3XlMRnqjUqNpw`huU-QglBQx?&B^ znY+qGtyt94!S{c#BG{-+S%13HX^AYG?;+DFQ+8XWvR&@(QT1l|$Le*F+oa>IVt2&{ zm0V@fwGPMIHV%p!xfz86rPL&))z1W6Q3=kVUVCJ;q9xDyzX`nlE+& z*Zk;;hdkVE9BJS*zFhOP?F$AqpA%AIeH{v4S1I#M$CCW_i~pV5sdg}?YI+>vx{|M> zAvXHRi+%0Cv|?I}0NX!W@v`V*VgY?QJCNA!WEbt|b)l?3fMQPmxFAb&bLA*0V|NCU zNlC7kx30U1$Lt@iNL*$6pmIu6g?+3tTc=7D?qUkkPR3X#%s5lRV6LRetKOZBnXp6- z)QT-54~rty0q-HWV_(YU{(pQ$nNXCCEoGaH&GrPo$pme%=MQkRU=QKZS5& zqakgkx`Ty-F!oIWpu5U>RW7fIdaeIK$Jp)!Y*F1Xe#OgGe!_PMLw=4P0 zZO1e@{2=N*aa$jEtck@aV0{CxC)=pw%FJ&Y1@Huayd zIL1d^MTz__@NeV6#r6an-*-*t&^=W_-lU`OFrw+x$+4M5{pOLoDwC~|+2$*bpeBM@ zSS5{1P=Y~OLHfn3GLhZtP)|Ym);DlX1>xRJ<2?>Ork|vywWHQ&r??sn|8NQCDKta& z8bheb6{hGW~dZKq?~b|$tt zv2EM7XM%}sOfa#XbgVDez25Knch>6e>RMIRUB})Bw&)0|;3)@0Nu>~RpzB_YgcsOP zi5;w00^wP3Q0FXd@TOADPoE|!a-Jl)xT-b2Hd>30M0lvsi4}1LD91!?p4+S&)Z#*P zRQYAdY!YJNe4z5*BOtAW>LKqI6haKXfgkOL+7{ZJl<>L2-qo#Wjz4Yjm7^_)PJ)ZorY^a~Oxh{zO4R^Th!YppI4 zsFy}YC_Upit!}Bc2$FU!K?S44&D?6tY- zv;$Hlw{)8ZC--3-ERXg?8*@psukLIlOOpaQyN%5*N%PTcEBR=1{}{)PbRG?w`F$68 zdkOuzGRsMno=Qlu7BsbSEV-$2G!GpcmZ%7%QoF?E>aD!5oXJ-i?V+#VK3zF`Uxt8y zm+qr4BCzz`3o`D+H`B8PLiLH+GW-BxO$WnOyy%WEEehd)su=DLE!hIHeocWgp&jZH`r7>vmeyp2zi0Ey4BAG=(IV<7}eiEe9+ zy%D_|USNJ4>dcxsbZ-bQX>AirTlkaM=|qGQtz|x<5ZuDo65v|+$JEU!?N{OauY)&q2Q+RcO$pPdM+`4NLPEu(l2ixb*TuloveF6@| zd4wG!4qbqw{4Z=~L!oWoG`_FdC&RwV*>Cz3{a*g>$MvG*zU%wwblDJg4pkwbtuHr zHLl@rYlD7tS;%|fgGDXnVk1EjkVcC(96zZr{Hz>9gxOL9Ng)7}qaM*;i;8F7*gtFDo=kr8-8V9xjBKSA6K3hAXB_p3kB zKi99;)rSH5bNBsTbeanBLi}L!Wds9Jv$W1)xN*Pd6Nj`sKwm?hMraXm0!chqT`U^D z>}_fuJNp=Siu=jcy7Y#y6-KVVs>eg}@`eUK(s%EL$A%~eq+t9$1AjRSfU$0W&jZPV z7cYUZ=ft}Pc2_-sApu2*gA%hggguZ$0*C9iP8<(n+xr8RedoYT7-Gr6Nk+hsG~U*@ zOMWmK*X_Zu%}I?x6R_6*!QVvlDH(D4{5*K)cG`=fG~HNm>Z!79M1(So^t+n)$)6gF zN?fE&#zq~)3jX|ll`-?f1qzhX0X`+KE`4(wNn!yc*CbxMWWIHZso&7n@#{LSJbUbZ z#n8569wJYPq|iJ#Y%aF4D=O|ml*Sy~k?s-v4IB=)qG(VonuASdiM@w%wcJ^PEEU73 z+CAwWI{*(OZ5Pppb>LuB9;&mx*ETx z2LbRT2{WVMdV89t76Fc88PnB)-mvV;bD@91J;S(!M3!qDfN_`F@E$IybH|Mc^|x4R z@pygDVb3)!pOOZqW&uzHyC{n3-BX2Lc^p56p+b);2(i5*>Gz3z+Zg3%4ZI8(>yr%3 z=?1&ljk(qhb=i<26Z~dM^OTPlch#Us%!URMbI@_gBi7lJG~1j?DJx7BNc!@;r74gi z2L%_US)7I0byqu1|3(S&P!mKc@St%{{i%*GlSs9uZ688?LJvgPB%8GjiXTyhAi!}M z-?auO%owvje$AEiD%Nxt7D(8fKr-1Dn-Z;pA%8Oj>*G*pOcXFw{9$75q$~FtH^Oj* zof?G8BRX*^Y3z+?i)hM@38>ZXW3^?1o=k7pMIAKYc3sH~%8y^805>-%Cbh^_^c{wI zGsJ?HO8yN&U5r)Oy?zE=6z&MZK6l@w)wvpTu6M%Dy`#l^HQ$Z5KWAzlOf$@6T9~2c zT~qzCqD;HV|LV77l65yf3SmztTu|u}2S`A_g7uH>D7(wQqVyHOeinu5$6)*1$c1rB zeuaV`lTHmpQXWS+vzl>J^+FhlT7YjyVHHwumK6F_r82Xl5 zcZi}cvcZ!*^g$+|g`{a~f4oQ`u+P1{`y$(QL$KoBL3Gzg2O|Z~-2?Mw&5$1|1NBey zY{mlP0DLUNMbJ8+XCV0gZq6k8+Lh4VRmh`jQ3bUSMh1iA;j)zpaFt5fvzx|y}X;;=win892I;X(pnQg#8}3W`Nx1}Ba-SONoZ*GaqF6zSDTdt2ok z_WMA5mVYv**uA%by)?~H&p@>>JS6FB7NU(WH7c@z|4td;-TfxR?$~9shaXZ-*tL$> z1U=lj@=_Qg3u&Vc<`CSvI2;ZjAQD{=1RddGdr=O2v`6Z-CL-}!mWRqYI^b#G z5}PgMGUHeHMxX;_#XVbQ%M!;VNmQIQ4ytxlgehT4i?KaX2+gQMV6$0Ny)S3_n`Aj6 z{ipVG@z$|?OZBxhVn`x$Vq^PBBl?HcU-c9Rjslf;q|q-nP*p`9$x7C9xDkL>CmnyK z!mX6Dw;rKhk^ODE#SJ$)LjNsc*jiT}fK3+968zXh$fdZITy~&RE?c3ghgL7~9%U}oU z9Vnc&VBZ(1dm=jy$2s9Pz1Y3vD;(=nOwPtQPE>cR|UrpOCK_EJd*as9-%_W6#?;*KHUXx21 zT5<|lR3^UikaI8%h)oA7Dp1ul<(qgzK)Ksyw-_oDzB)DJp0P?6{DyI_SL^|KLCRZk zE?I%6`}ND5;h*XfH5V@Xh#_5CnHzuFufzocG(IlSzwt9=On7fs6Jm8mK9x6jaL{rk z$OtwUI<}RncfsFH1o$SOpx-7N(*M9H&8?h4B2eC9D;lL^?yC>eBD4nuMGv1#Fj!pi za>t(=@u=0U2f<~kOH6-OZ+|htA|brMyljSQR_@*kyPqsZAQ0wdbp2+6-8}+`4pPLi zURNeV?c!+>@v27x);uSRX6JcHz{5zwOLoOif7)m>S7Q0shqwth{UVya_e)+{%4`i+ zhJ8IaILm*ss4m#7)1~(`8te#@&EK>K!u}1;Xvjq|}JePP_JZZUk&BiXO z59b6A0Z?Y9zrR`on-;&0xwycOU%T8$7PWKaVuy)swAnMqsVn)Hl*~|bUS}fF3PLXu zV@G+YCv32tjWJUUCo)4=omJpl1rs*OwD?1a0*P*YH;Q9ecTe!3g1Fm0d&@G(Z#$$2 zPOJk|*>INHg^cxsrVPvbVdL;1F*6r8CyKx&nLn_u`CTd zAS#Y3MAx0$<1xzMtH{^SLbMof-&F|jxq?}fe8N$L6NIsTI=XE--S1i~WG=;2(2aV| zGcgBc5oeF!ZSXbOm*M+|c?(=$AER`ZDOS?4wcOf|eu33}ofb-1s~R;MJQ7xEnV&+AVizx3Pe)V!SfphWs|j zl0f0RGrbK)1rD+nugw>^*WaI0&r_$!Q8$dLdk{9BN+U_`v?;w?{Mw%+QN1L8X6#>o zPm@;8eogi1kuFlI`_R#=%zQOR8#sK(%)qM;Zwrm~CJq8fdDY|bhXDGAzpeSlD-Afd z(Cl-QGJm(hbL7XQq94K$AR^hOc#GpCMLGwZWPk18n-iiR2Ye5) z7zp1K${HF>(;bSF2ZO5ur0OCip0HCfG?Cf zDN3bkKl^b1H;gx1Gp7kukCr8}_(jE>fJ1Q^Sd_zgPNyRj1+cuCEP`tejxsWL^MdNz zapr-_bvnr^WME@)M6`u^0`3v*&(SLC5X^`X@AsSG)gqn|^QwPX&3}!dJLnAN*-qTD3&);9yAM-og0P4rQTv z{K5%vnTyEI=KQS1RSyQ-&6gY|?Lz-~1`{G=0k>a;jE{i47FfW{WW@rGH6GcoK-0nA zqZiEX^2{w2Azk4y#7g=Jwx$Gz@as1e zM9u)|D_s$Y5L-g4)}}=yjkpc=eL@os$;2)9-<-haun)%M704lUFOZe~iCiEzaK5)l z)=D9KKg^@%l&eSIm$3e8s2U%DT`)%_ar)6$e%|RuxhrlN>uB9+I~OgZ|CsZ2u`GSMSjSINy}Ts`9DFX6(Wnd1rsjq zEgIjRk0QLIJ)%CKN+GyuD3I9H3xwnK;!X)GMVtaoYjbgj3zdXVOf8oo&KYcKxo+@? zz^8<-4`Yts=u-+HUY~~~@+4?d<^1KRH6m07JA!1HnX_!bX1Je{nh;A&PjT+L%hDp$ z1_%Ej0DC`|!E+!t_y62r!2)k#+_puKUuSZAoS>42L5Re)$#qD+_q;@>DtDEDO;-ls zGIW!XCUk@SXgv&XeJYByW`$RUC{+AI5i-^iMb0uNSx85vJLn%6U+W`vwjY~_?-O}M zJumZQMOHH*PUVObSskMAM~doqa(hX`;M+Io2!D+oDTu_5pWpNA)Rff!W*~qtYAi|a zl=!Xt#p6i$afig9!)DSIcc6ocLY?F7!V#T&1$aczQ^E<0PCs&%Iq-N(Se=i_QxKA1 zNiwpkF#M>AOmd`JCZ(q;Z`t!O{&eBTgjO~;eR zhwV1jA;&WngBqhMgWTU&O^Vu=A4o!U%*hW(`h)`I)F*4_Rv8oQEh}v zM6ZrcN6LIJ(eyX-Sp(`{8mcbEPZ}nem9s(4km4npvh#}hh_DauG4cY%!QL2J7ao;x zGb}I(X$`Xl-F^fh7uQub9%T?9SD6RH6PZ4`kxo0eo({^qs})IiUllQdh_3Hf;XcX8 zOr+k$HRW6dV+^QDy=4AF819LGulU?YnrS?fA2efD8LgcEO~F0xEyY8ZctB|6Ene6P zx<%pBkzjrDD}xVU8jvTOkf&>5BsHg0QL{R$One|y?xk27SI<0r#auy~pb8RfCd6a8uv z%hq528mdxzfcV5BbT+#Y4WxdJ5*|)Xnfu2dD|LD`14gIc@@}Wzl?TlI_lghXUBAbL zQPbO$cWC0BsPk{od2(4cb6aKG{PJohx*$j1EVTCPNzbu^OsI^A)x zlAd>Auy900g^z6F5Md#>fR^>`+YOA}Et<&EBix*iXKHEL8veE8-5Q6BxF$H;F){A4 zmo=y0I#@e2O!Twavq?p^*clgKPvt6@0vagefY@Ch6*j_iV1?onOyM|UG|kY zs0vWXdko8O!VBQAuT-(jD{=t@6xC`6e@d(Bna%PEFF(6>CqhhD2yvd(VynjpVW3C9 zr~@{zvTSFCrLY%gdvXI4t0MRy@{%wHZ4q?QE03bI_K{!z&egq{82?oX=}3Kh83yz=MHuqZgSmtWFL$8#pctJ;m3(wR^sPwf6@GluT%oVt91l`=f7TNuZ3kIm z?zehmKNg-Gm0i903G$w=?GM_ltSbT6aqmR~WWDhrH*8#aEP2nkT1spMZWA_M$L@0z z<}Ryl*pl(#MgI$|l&DiCwj74`OnHI>DLeM8zgynnDX#WZ*Zw1EN}frayDs6OGRb_Fiwrs6j%7R#o%}NHt9BqTOew(W33?6@@0D}K^&sE#@a`puM6!%#l-2V6L;moI71u&e&OHguOGOZRVJ5(*|kx$K-|Ws z)KC%B*D>OOaTN@{z7>jk`YB;YM^DddhZFRw^d3qFR#$I{wDg`owKfkDkJClPCohmE zDa?K6leS2oON~^@1h8EE39Icwq7i@AWPeU!j*F@cMzgi#Z<0@t3E3Gm8YJyFUf z>L|e6{n+I#c6=qWD~c;reB@WEoFIES3=fecU=^t?n9$|FBE8FX>87&?ZG~6D|9_4Z zY)=gM!Vv90F`iKCI~k1$l?gni!ml1{Q8)7Lj&SO5f;&=(L7)k@n|hll8&N7xYhBb)aBPM6-Nham&IcoCc^IolEXk_5RT)y`P+KQ$`niKOKq z8`Kvh(?C%TGl;g5=+=54T|HHQvq~zSz)@YKVglqwa9&e`gE{$;tWGJjLwNs`x^?C3Mk874$yemk$raR7)d-lgUKX_+M0+JCJmN^YgB4NaBw5v?M?>n}y@YEFH z`|KcQuh6viD$~9aw9CyE;PTiVqZMND;KF#@1{)kWY|#3arl9}Vt#4|w zHZ2t598efi7?ZL>DD=NxCj0mhcF(|mklivch7#u;+^OWT=i)LbhMl)2P-3kKYm!1t zE1bn~j?PQ|^M>HYTS_1-Vm%@X1&=Fi6uN21e^QUHPS%MJ)WN9Ie6r%Lbh`v;pz%^L-9)BS&lf8TuV&%j069d`>8CCO zy;ENvo*YSn18wirS*A<^-Zz|DHWk&)ykLp=140;xs3_Ljl=rG(cMiJt{GY2WuFvP? zWFPgUH-re7xA{CWUI0o260JW)wkZ>;KZ*cUtb_ARM6<0VxC(jAMJ09>h37fNJ&}E2 zOINXKo5?{Zv>b90>qbm-=eB5)38cZ;UcI5&0ccx>0Gt(3_yvvj?$~f&4)h@Z#|)8T zvm}p@SG}E*@0cDXM)~<&E7?y~@8Szn{@a2)LFav_$Sq<9ixW@*4fMafGm;Ls@rrdS z$iRN&ElzRsO8)-dBe=|hvUZ(_zV-CkQY;1Md5~}-Xa*grM)73%w zbBUf|18N3_m)jWZxAJ!2LNjVSctiVEB^urMjrAOK!Y)c14W8-9Y3rQ!a`OQ%R{}b9 zF&&GB7O@f{G93Gy>wh92_>{B)`Nb1-6e{rsKZxuIK-=_g_5cF#HS^6W)^o~#nd3UG zY$5x{e8k}HJNA?5e_X)srcI|OO6|SI+sA|V+l3b<79X_#Hyfeuwq911Pze{zC;GVl zjqeqqjzc|ZOvjjA>a)~@i2YM*6zeNi5!}EJb_SLtaStoh;J44AB<(v-(Ms7Yg;ybY zdYW=Uupx=E$gm-Xe(?23g8AnrIB3|IA1HrWiHwGl zi2x~O8TA)GAT5lu_9)kTd|~oh_{)hJ%3fo<{WGBmWfS84dKf3U16{!xjN zNaP@2`>rQM+7K7Vi5gw^JHnAcha-*S`sVI2Fn&G`BE-YFYY=MQcFx1?xbaUzv6P$ZQaBtw7c z98GBEG4A%WH|*^FZd^9_(G9-nqsp+Rj78k=j0rZ+ zP~VlKH2omC^@J{z|9a{lS`u)QbI^q^ZWlXOZKs$Q={q3|Zx}XpyJ=1K$!)AFhuU?P z^lKPCaui{>QR&83(nZv6k%qtKkslz#O7BM};fYYkKAO~j z>hY6HuXVQv%fA>P)ea7E}!l5of$ z?B_`|sV+fH5S|1v3rrzCiY64mL;45lY9H08!eepJ&76{ES%GWqi3XB;C=m!Mre1ne z22|UP9Ow@-DK9Ol!`$1ma;11s^S1qr6#O>?2)x31(`MTf4c`y-Lf8QfM2{3)ds42M zxAN7O|DK#!z5x;(&_1j9L%7lDg4{lxCv9lK}Lpsr6RV??Yc8M<&gJ6VT;TF1$sZ|#jVdt}PT!qZbZ0MU>Uk*5Ql@6! zs{%_{;-1A9E-1l)(`OQENY!-4lwKyRu6a$I0CO*?vMJTw=QDOHM zC5S%k9H0RDiJK7nX2RR0(?;mp5F?lA!F{R$iIoMy-KuBtF}_kP>EkUKRy6|Xsq$dZ z=B!$~2uP?wZ{{Gp*;>)k8YET7vm54uw)HvsdjZBO%zKd!u*5&0+^T#m&TzV5AR}!? z@!l&4LQYXtQ_tpXG^?CcT``;UGYey=*ARytY~_Q#jog&QFy`dw;h$A3`2bPzm%~M2L8v88G`{Hc2_kRS~=Re*za9 z(6t%`tKhc@M7(*& zMWncI)zS6Jaj9s=8Mx|y5FnXF^T53^UIsFskZz5m-4lxRd$ik0PTr-)JLDZGn5KEZ z>75tUeJ!((;X|atASsfuksoz0F@Plzku@`^jew10MV<~vL$9Dk5MBftdkLP2J!Ev! zXBp#Tkn)5C?G&=8d1m$gmgwN?C>}y}HD1Q;CPYm`9_scHZ`u3lVIWb^cAeXu1-q8G zbyXVPPWmW;g>71=Er6|d;3PUNlm4KfT-LO+p1OmEXejyAtgyViJ19_1`DBEG#%|mq zgH>NC9;oyAhXl^e00la_*_KLcV2_2tJkrwtJ#3O+S$_k|f<|R(7>Qdy2YhslKNP_p zdKyoY1a!@-tH<}zVV_w<1kLP7JlXf8avCj{FzzMlz-w604v~34 z0Y>w2D51O#JDXJ4TwU3sE?yjaNCN_w7e~pJ$~0n$lV0(Q2H7_ApUnUfIx#FDnRKRP zS#Bv(S0T5?^-ogKs&+~?#PV@R^o$AFV9)sN`QieWXV__y_3Ifb4Nn^AGR+jQDTYlX z`|zTSrF+#X7vbPf=TN`|Cnv`Wx6RybvoT0U9nJUnp8 z7`V27Pu*+Z#eY9zux}%dv%r}l=v^Q4u^X@bsy8rx!pQLFccw0#XS*%-Vm?uHD#*cf z$<^Him(>iZ5m;PW?+GEtkMSJ>We`X1y!QH)g_KMp2qmW_THFPzBki4X; zRXQ5};{=KWJm&iLJ*K8je*G;6)1bHF(ei9rBVspgzp?Ni+J}V# zyaZ*u4@bYH()j@Wvma8m*)#lg9&cx@8&=>~uj)ApnW#yXsj?jrJ}$C#&j3fUrzpCHHbj65+a7+o;E!6-Ub7PUH*o zjc!?Z0^02AWKC}!HE<+{^I?@)&oO&PN{ z%@jU-TWFbnm0La8+e)R{@NzuavQ{mvDyMRqp{8`6!nMfJrL2U{jqQ(n`qY0ZW$k)UmFtvk$NAbM!RRtr7R&|>2U z9a>o`xK;2;YQhi+gd8oTJdjctNvfW-cufMSlwmKito#pF4TGX83~Lc{LRz`HY7jPx zw~F3IEA24($;Ks))DO`hscSVb2IT2xgW6WmL2Bh}Ff=rCx|0F9I*Mx|anz z#REJc(H-s}|EWLNUUE_|kq@L68=vWHSc!b4EJW5f0zSzC)^xkZ@Y+9* zQIQN6K!c+Apb|~tmM-OkPpYKYy!p(2Pz|mID&O$N|I$S%beA(&Q?cJp)2CTW)w=#q zjP01UN<7boeo>*SyYsv@1Sh>1Z>&kM=Y3{L`=%XxGmUSN8k;R-;v#*APGp8Gi=+-K z6^wd5$}nN+KmIqV+MVGeG&V)9q*l0fWwcl7mEVjeoc!7OrMVJp@vQe^VLH>Lt=!B} zj@@p)*;a=mwZS75U)>=H`9QN#cq1^(-@sdGA=%#>X1XL+%#WB?mE5Wh z!F&hH+fWsk>~G4iM|nMNK$n8iu*@3>Sm<0sJ(rBmQc2YkGk%py-&_tm?l>#tUZ6I$ zTuHjw-vQM9y}oeV7em`|xVInl2Usx((wm?EidhfR8BYKzn#Ge*J{u2%&crG?`7TYi z3cu~wu(hzn?D$uI3D>1Yhk9fbbWM>J?ssMURO3da5wyHKNDvK zKkX4S&RaKcX{Z+eJ6xc}*Q2S5=nh}8ku{Ht>1uvRYE&yYE08AzEo>N8XlAE;rO+_W zQ$%A1I1oibbVa!rL--CA&A4Y+0|z}IXHSSE|CWB{ttCpr7VXT1c-8UaEk`* zt(dPOQO4?6Ag4PhDT8g}L_{C@26+8KT<`PfIE)-!8x8KW;Y6SYcA@WXT<0j69&CUi z@JiC+o~A6R`tf1hrTU3kxa0(TQR^njLkp5ZSk;Rm5xgzDQ~MMU317&_=e@?K$NF~& zrCl%aAqO4H$T3a*ZQl(!XezWSwA#0f=zO`m`(vQ#cbc>M#tdyW>wgK@mhcCTe867) z78Sbu{qyvym*7|UmC{>-M_xhx_4|@f+kP=1{O5fIp)3q>BO&q=W36Qgbp`X&KMp0M zUca^<7zL%Oz*x z(u+LK$;CDr zd7NwGhUb*eLc>B03>1T~k}b&KA&w{5)$k|O2`}!i*ovZ_=({!iGa~YA5c+m%ckBx#{L=|=`+s==D_YdY)LK&4 z^&1)2J%1eo>HPsY?em!Hn zm~+Dajb$}S9sjM00CClTZCTpjv`GJr?~G`PBZYQJ?z}|n*4g@$(t(LSsy`-HKfj8$ zT|U5Mk-PV^l82JF7q!%ZOn`PD!_@h&v|4!#$jcTgkyFz`aHhDCot%#3m@3R<#?QLg z?{Nc5D=ymLkNL?gkq^!P)Ymm#_%ztHUel`9M5N@Tpm`JU!dTh29sbMhxD3v$jZU@4 zru&;Ryk=Fa-Ji~mhtB;{qxwnXiDKqWm-WJHzAK)TP(aJNqCbLiC1KmqX3H>ZU*kGl zD!$^3T4W&ZryJ)PX)@4WX2|9LZEqayvRGn=Ajn3gv5?vrJ;=F{fnsA*NJ6wSC#DDg z`E6nYyCzW^>D`b(gn3j!8SfRvscCmGTpA{bEo5au?GWB>j!t?q=kuS@6Klh7V%+}c zaIQg43rA@3>LG>jgBm9~0FUdOVRRwLuQX=J=B(aAif_n&BCzwD8>rAtXAAdfM-1;Y zx5r0N8|G4czU+9*uY=Ih5{1x>^r_5U65k8!>J?vMk zWw0r@;C{NXmLuG}46SkYS)H5Q^raa~>0DY1->wqwO_DLNuoG9>{BOxcPwQ_{bGPC+ zb~iTy>-^mi<@Si$h`BW?;U=u$Gm3Y_#s>K~TA%^jV>uQ-{=+g@hE;5-Zk3h(I*(q7 zH*-zZd^!UcKMpT9rM+TemXs)K8AK|;oP7V-l*;y{%RG%}U8`p9_PoVp>+_9c@9w9P z`UL*%#%#uD-eSt&`ZL7Ys9Rr_NpI7aC zBq<+}Refm_e0=H1sgmf4at=d^*1Gqh&SPRL6d_c^MHa&UC6{$@BnX9nQE}`cvMf$D z`#mpcW4;jEVq^Y@s>jlPXOgPo7=2w>LV$cE6a^QJOOn6vU=dD~qb54(mVH)L^RMp= z;Sq>fh?j_Ak~_r(nZmt;O5YMwH*H3aXI9jU8)>oZlZ7W2ywN*d*mFHKH17hZz}oH0 z7eqJJ8pUZjZO|EF)4NX#Uu5YoP|pHq`FkFu(6Voe`>J->MMi%)c`C?l>&Qvru`&m( zsA_*@xsj?-Ag5zj0|^KaUMfy9z1OoVePE{O-)q-+nn4c&W9j!%od%W6@4+<43gP82 zM9cKj7bH1{L;8r7SALJ?QCLbF6;<~ypO>a(tZ=#zWQPID*9X1U&qLT(Jrx%*4|A4% zHS20kE^R=~sRJWj@8xmj%`DC#F|O^E#j@io?{V=UZ4ZWvx%qiz|2AShG8|yuTSQmf zkfZbYqS-J6$6Sz?61yhC7h=a66H72z0|Jf3N5o^b-G0JXBpofL3z-Qd(fC*HuUIir zDRf1NGW{Ne%W4Db&n(h=N;6n-!Guilk1IW*{i{tk#MawN)@aiM!TM!g8_Xhw`l=SB zddtGWM9$sySWf7@zCTe1c0L~ObM z5Cz~83(rO}4^~l=68}0t#$3 zb9U3kpWpy795-T+gFGZz@sR8{OaG#O$JCsi7TCQN5$%x6{@EQW`34T6kjRcGwki*>!kjTf0B7g(+)J180u)X zusBH~B7EQW%T-E{QK6IO?KIOIZfg|4KBpszVPO6CZRKKze8%nYkbn({Ea0ZzhQC3k z%VP-kitFCz{rKb&DKdEqPhqcU%euH7P#pJ>I%sd_^uk6@n@r+IF7B_c>sa@ck<_Oy z8sZp-p^0ggK3Z+@BlJ;-!#n+2`q!D|b0C4)!O6UH61tE^K$fC?5bfzEECeuqM4v^& z74sIG&||!f>8h0S;!`B_=I~|H_*xa3AMcqVgypSezN`zWe*OxYuWps$?@IR$RTq_! zIuW5P78_1z+yL;C6+`Cn5)^+8sS0HbGC+3US@H6wyTetr$!Dy883_7nEtR2s-=oih zfgUR6MFqiZt9P|jcvc*X8A@Leh9r7Mn$)Qst#x^xq|g4jKHj-rU3!@{c#k8JhY``m zWryJ>gyKvGNs$w8{^CXs`Y?i6)Fnmq;LvT+Gubzxv8GsT z7EXc=}^&{84W7d5h#yNCW{M^-eQ&@@ihs zNqxR~|6JmqVl`E1IfxLlDP-ZiH)C~fX7dv+C*aQ0nS>jDi?4ML8!Nv~2xDmCtj`o| z9Xr}8>Y{RX{+vmKrz_XLo?T6y&zi;EKmKiM)_xQ5yYN_#7!}ed3gA1<*U$aBX>wia zILzgMb7_nySbA%f5EuQ4$_d#ft$_n>gBF#M;8GwW3in z42taHj0dUI@sctW1)=d>fYkXBa>mnA0zv#Pe)ZWA6NVIQP*;pfK_6X`25#a8#cf*K z(?q+Gm)_I^6by!tFNBut_0)|dy)%w?h3OEGhq_M9RwX_~-UFr4EHx~mFkC9I>=?1v zD@H26PPx2nOhW}V=$b3WVRDoXO^7o8P3`GzMlK&WPf0|F9vB59=8R_b$YyV5vL4-$ z*Ia*vznd@FD3>3e&hp5%5kWZ>BrYJ1duJ90axe8ZHv^9>=FvMQl5 zO1jnQcbwVx8*+T%-`b3OdUZ}L`(41H!)BUE%)1g@LVWs{&9hvcESrQb=dn6^87Z=d za@MG|*Wdb1m}*puJV{uQhJ*ux$kVKTFhDzcQoPua-3oXgA;$IHdlAg{0?`+|9d0xvKc--_?8J51tbU&}Yu}iJ z20s=2w62Qe319U2I>j!O=abjB&D?`|!x+F9Ps^s@n)j;yR_TDqvvj9%?Po8dYpsM! zh9NS3=-pCIvt}5)DOBxQ2boC=##)KG*K@8gd1!R<)Bg@Nl#Eb*fNCI@k0Sv`ctcW! zqX@D~{!KKAul|o_BIjxd`o2IIr%EWgJ)_JE$LR?i6hQ5luE2^5Xqg7#wTx!^q@ymxrZk0A+G?PpdAYZWTAnoZm#{ z%KI*ejPXW18}#%?x&Kay{sP}g3L&S=%Gr=-{)@AtC;kO(KZeqb!;8!97~puxrp~yGG!*Q?@;m z+O3lubBrI*{e$1v@uyD{x?CtFoFgs!U>GN`Wdp}0x-a#VOvhw0(?iy7*@rh>zr((6 zbjgISR5HO?bQh(nLJkv!MZJ_Q+MTvKOnwXXZh4hB8-6VMoz4kmR7zr^ch>ZnOhdW^|1r(86sd${)RyPu6JryOj>1QO_+7shkp8H|uw>!p zQ*~%dZ>ryoQEUFUe%;P(m=W)cB?>%r6X50`OyB^j@))3pj1(tXOYi+C4@1CFx0sC0 z?DbfSiuq0ffmjL7chWDg*3nit3v&1ErJ}WMt0gLC;jChcz3WP&$%{9qGFnYt52Rmp zxiJ)ctxyCG+9G$S9+|kym;>D?yb2>pGkJVhB@khD^5Y0{JT1cJL?zWe^XdiDPHRQFV!KHX>S zwf0`ygORae<5&xZ7*3K3S$+(G*mh0T;WZy`QF@#S8yN~7zEBz4njvC2_v>xP$USW*_shi!GjT=)ypP=BG{ySR$Q64P; zc3kTn%LC1%&R*fJ<}2ZylYI&QzLOOUTZSU)REK8>KU$Ou`5%-5y$Z6uyaTv>^M6ie zN8dMdVGqtpmCz;~rV%uBWql^vEmx2umP}-KO4Z$3aj7;AWhT!SwEQA{q7$PNtN-AJ z6;P3p2czDAH___eQhm?AOYTKisDdYeuH_hKEToc}tpNP^hRJCltC zlD7w#ccN2Su$}ubY`1Q>c%w|EsN+Nz8i8~XLX#miHCEIYul>)@6t{TT2P?i}=?K5EM!YF9pE(=&HiDBtaIO-6N*c^19D z3WZn2W#Qw0|0-sh08^L=25HFh>E9lZk0>P~M5gpLGI_XU$|-V*ww&-rGx|}$#_CCb z#Vd9cSO+^;IIV6eY;m|UWKzEWx>XkN!SDbgw`S^?_-zdvmm3D}(?WwtL@<0)7-g6Y zuI7L&*?-0ah?sqW^gzS1bNw*CmvrVaiHyAP?rXTju!rv$nH_V9#ILDEHDw4>*X!B> zv_IMQhz`No-YSTreSsrUB`EY8dy@7l^qac)8A#GjmUuEoJtyr6`8Z4ly_lS_z1hsP8gXXgu1ArV>8v_Iw{;<#C&(YG?|vRGD(WbQ{x>i$BlNcT~|v$Yg4-KU=5&rfT<_ zKMnkPeZ6RRI8?#-^XcdhhhO#@ov+(!&c}5BYysTgusK`leOg!Sew29?M*+xG(u6<> z^K58bbQ|pl^u5Yl41FUOiAgih_54RTr|V!2xWq=VguW$(mAafa%xBE_Hjg!;Bi#(n zsU4>CF}_U%91!q!L#R)qffkzMVB51z-wn=Pra_#H5`OBwVW~dUyZOw!Vs8~gwB3zDPTX?8~p1eI7vPHory?;pIOU(DeQ`uF^Q`EhEU3 ztEO_wPe~c}3^_il@maV7eY}0(sjC33ng4nGL*nD}@1MEbqql9S+HC%Rq>BupxTnAq_FYuCr{VUl=kyTsDVfyop%6KirG_hZmJ(xKQIy6PnU8TH?-?^GOz zcza)MP5nY|jq>lRh0(uO@4HY8{=7Ut|HpCs$+)w92m{iNK4jBiDWIrcVjn!>9L`%e zw*`Z1j>~+pFdx*$-5a&!?;on_JaQ>aI5dJ0BZNGo>;5YqecS(lf!FkK%F?d%>98zziNW=gw6ZE9%yj5y z_HR2MDJ$R{`F`m=EWv4%6A{up=$t|KPt=sd(*R+>G~QdJ)9~l{_x;887vQ^^e93t& z$#JrNYk~J3tE0d*^i%QuNNQ^5{lTZLfG81jWX0QliB|C;4%vBz6huge2hUtUU{uO{ z+uY|y%0NWfaiG)Xvtz^4N5|%mKmToiBL3#O=9!s}VklaViL)v6G?@ny@5=<+Sp*pJ z13LaLs(6Q}DJ6M!VZ2v`)b;?+raS~psto^FNQh663o@&roNoI<(F+T*xKxjwF~Q3x z%-Et5jLj1TtP^otm)T4`9{Tci9sa%oLDtQEpb&2z`^k`qu|vD+BOsM~2(iIj&}jGy zKIPvjtgEV3!8}3%rW^%13=M4h#l{M&in$FTsN3w0#qHO!0v1_~BbI6)82lqTfC`?a zp7R{aR5|2FT}In9Ckaoyh2ar6^wvH%)^lh5DPGoMd8z?4G@=a^Yg~(AP^8U-5}U4_ zdW{xK+s`y{>;b+Bi*IJ$ulv`VfkkEnzXIS(HxsgdV&O&rqDvpVJyf$qNMqM;x`_rp zpAXoDLbF;1OYAqpU<7s{=?9_GH~dxrmRq;JeB153WBI81GJGcop;&WJ7REybO7%J7 zV7t5WeBektied{m=2I4-!EHAAEf^FQf)X>Ll@$RIE$|{g>SH#OVCS{-|2oW2=&(~d zI+}`wI~={Zs(xmO7wT5P_L%rbtcaG+X`?%6;p&t&Ya%2?6XH$N|CSc(el%1cho zl1K_NOOkfK*}ZBK)`mS=rjM!JNByRUg@#A`XACE_iW{BU$qEMzQ{dVIgHG+m!o|}T z`OlYk38nBq7%IaJvl2mB{}(mH*f|HYuS1AUPcbnb4T&^A5)R0^US2w8zpb=AWFwO! z011gzVUUqnC`1@>vS#l`r!ZDLm~?PE{87=X^I5&DUO@cj<}Ti9lsR+*O~^juAenWx z>NLxz6OyWuf3Na&zW`oJQa?kKMc-D*gKE>mEacHQ2|SQvjI1u`?nI?UgK<#)}H#8;hE5#hRbJvz&s z>_a}$qyTw%J&HerVy$TIX%uEb#Gv;O-bEP5$5e6z4l&XxJqEaostHGKVgd~GvpcW6 zeaVc0ab~Ia#DV)o$rcP;yiavSUGZd zv?4?cZ|qm!OcGvVp&_&e$zc4+3G39FApOZ5FDfGeZlKTGw;ib{nA=0#gK-g}QM&xb zq!+Dn!9k1BufS8yX6NE->iBSne8Gu(u9jpW_zQh{mwlqunAfRyvY6A3Nw7tJ1D!9= z33`%9^VofQ5i$X3rJ0+AmCF)jS3Q^vgcqC}hzp=yuVYk{h)3aJA?D^z*##K*ZpKJ+ z0N4H^nyO9Yx*g4~Y=>325{87)9gWD`5!kk4ivNqhAo38D^p(yNZ-m3*N*r(RA$0=WKYBDDs)$n5$gqqB=j zoTE`Iwo2M)WhxuQ+-a%jpmNLJpTu~b43!ej$PoBUYWEnv?7l=3VGg0#>{rA^l6O@P z^E7vz5iLlCnn&f!g972Yt#d(w0HcQNuCe&XiiX9YxJt#e49le>^sV1g*P9;?4_Sa` z7o+5g?RJvQfV=BJzY$eeUTN~@^Zm~!YCo*uND@Sf-GTRqO((9dSiDYLP^2KQ&lPXO z#W)o#3>cNDu&=UMEXK>pD+2CKy+A4S1=6V)uydrLrgt2D^q=^oxo{_<`@s&PdG-7f z38yo#Nb+<)anc--(6+t>h0Q?Wj$yil`J}dp2O0iUj0mT`!gpq&BC~kz`HW4R6gZ#L zse%k|+uKWwb*T%YV#8?}Gvt+`>&ypdD&>fbQ?eIsFX=S)e29S2ywRivD;jmHf@PzZMPI4OXb>2Ic0{!uC#nn5S=zzh z8^+CBC}Ti|RG0dylpY9#hlHVWl_#|kqhogtEEK%MF&0VqQ}6a8pOy05UtH1$*KAuQ z7w*XLRhk92Dh4d+h(hED(N2(Lt$VfEF%juIxus!*#-KY}6r4YnQ3#bmMzIwk z;>uf|%6z<=+^X_8zrcIyR-R7ni4~02zP`~wGp!AdgtNRAs{4Ik{UULv4@=l5st#gpb6RS;% z^vhgSuDG@UH9F69r%awAr!mO;gc#u$1t5;?MDVnwa-gg`i&;i+mmA4yZac|I`<;N5 zC~^##h8P)tKEE~i7E#j|B&fp5Gp$?_hJP5HM8daIh0ugN<}K?wambnQ^%Z(pBuOBp zTns8irPAI&SXvor^jR1ns2nx@v&A7nICI?5Ig?k}=GO)8+-siYQ_dc41m`Z43KC(!vG)e$;6SwH= zzbKBa7$j5)NrEh=+|raRy4df~;nJ%`g(Jm=6iCNf8@m~{5@yE334`;>lf|b@kB;$N z6Q-)$r^2y1d-9=&zl|R<{31_J=~5DdY=TX5@@;DSj)56fsl@FO)3m76>kAT^>&{Yw zw*lzC>7*12A8)B|YIQfMOSQN@CQDjs_|Z#0gi2s-1jg zz_@{!z8pKG@I)u2a_+~#N5kN0$)o-Df~{Tv8T+&HcPaP-G39nSGeqKSkQyk_4aTF(L;PnxAAt%l`UzP7`L+J3Un25NY8q9xH>W#J~fXG>~!(4W97uW=% zj?Q<`)lP;j4o3m0J=vWU-Ko(H#9W-&>QZ$QWPaXbJ;ZU7FF;WF5G9@gD2 zw^H~b?M%@kh6qkS&g`88VwNLf+Hm!Wh~D33-!_6%jTdX}W?y{nd_skYPKoK#Bs3%= zovy5SWhkXtqs8#jpulfAuLgHA41crX`zpX=MNTh_^Im;fr-r`#K=KgMMfd|hlu11A zd!pv;?X=S`I(y=FF)oCTwx6UJ&7DBLtA>xYc>Hz+X;4~*!ZB)_r2yfD&=DgjqEmY; zaR(SW8hsBQawwiBk&|UDV=PQ;h}m){MD)X~#POda&oCDy^--h>qp;Zfjb9d?1S)gn z42SL~1Tpx;k3sm!QrgP~1i=c%4!zW$3k@yogS!ZFbeI>w)vtG+jAPjU{Au_+OHwoVRNSOX^Md;B9F>Df%>L_2L0+dNS zlo+S2cWxv^TiCPAqSeZe@3h5A6OshDBv|P0s@sK&!y&$l$5C*Bn9vM`$a1CDC?_VO z@h9ksNT7iR9U0t1{X{tbo0DQ?3RF(4P8-npK^fWGZU$L;k655Ux z9@YVfr7&|@(QpydI3AHq^@NtfY{cJQm6;v^3S_R$q~oLb`FL75`~5lnEfBnmQN;O_ z`x|DqJ9CAGcRUs7H$+%k_fs_MVx61DCs0B8#{wkbY)vQ^UF&}k#(lz7CVS~MViLVG^&^@@d6xH^0I^d} zpa+II!$b>-I^6-Gn=V+sJ}P!$5laFY740Z2*ME~zzAc`_VE-Ci3wdE`uxpwN$Fon? znA=W7B=S=#47k(5H1bGr2gLJ1^#(u9aT-<=Cl{tDVtOLt0Idl(3NsQ**!ihj)uTt^ zxYoV&l;K}shbll+1$m=2MnXp?$L7M`;^e3&@@wMNM{VO@Q2q;$aza!vu8*p!3_{?hK5PD;7nYP z!Rrw=O{NGw%S&yM%Y$2AnD_H-NeU11_x{us7SG++@$4TbNqD31+QmPNCE=BCg4QOc zRsL*KD^31=$pn)1*YD*v13XUBB*bLk8D9=ZGn--^L7Jq70YWBXs~VUmBno*cHwGPo zqHBG{zCeXcQdn3f)gsMXRI^;e$@N99UH=OEAuyPCdq?JJhLV=Exsxi`d?iehJ;G<;s9Od~af<>a#fB4SCn&dYw z+J9E_MSh*Uua1WShK>~(EZ&08&fZ%t>{l9JyT&s42T4qx%3^kI5n!c;ixO5s&!PW0 z(oVubvV7kWM9R^C@Q8T|NLS8yF5a-0e}@b9A`yk(i98B%E)n!IR!+yYIRC;4sFTJx zH-pPItgzHn{pK6aGa`i;Rk-rLC|{9_=WBVDit7m(&N!LJV^lS4P0T3I@+e9g-Dx2r zBZu>4(Ze+St03wgB7F6G-&ks6;2Q-0gwWA)lvmuRdNLtx&sKw=sW+ggyFu_j3Qe5*ZLoV~A$6KZCJo zqf{z17k!ltnb-=O$a#pgt3XEj;;$!m!xaY}~s^#mYN#bF{z;H2@J zaR4Y(;D3yuHg?G2V4awc`b7jlQbMXeEbvGXVz??ie7oXldV^* z$OL>1Sncq7u!MAlpkSYNm{alx6{E%?P{y2@{?%t^QC=7GFX^R2^!fsOa+_mMEB+24 z5c97nC~~1?H2A}%$?BZZIw**IUn{-ixeWP-kQummEhWwo2()5&)@jGJd&}+*YbUQ} z-?CS&tlIkIIj^lc1FvQ-ncUo5d(N;jf{lA>S@StCELeCEDPAi_e`hhi?(lp8y;=Bv zg$@@H2+!%;I=AMOa8CE-C1yIErXJuw1^cuc>s}-vXQckTeUx*7-mr+VSrH(b0*A7Q zbP_Ln;}4_6aQ+riWxCRGg@2hvN;gm}LF%6`^89hd93Xb*LZ@cYR zRucSg{2%ODx5h=9Z>a3Vf{Z<_t^$OR!9!TFV$WyOJM;Hapg{xCzNeP2l&`J;AJj22 z$dVwW$gouDqxV_^rZ(scI?$9*!0t@rtfi;`T+0{Fq5yhbi|p=p6>LPc1qKnZ$X(+*$%)D`H+3%cL5Sao(!zjx*#B43)U(-G~=`d`*U^#+SEGitS1 zOg-@WC+YDz4Jv^>h8FYP^)z;&BFHd~$g$P6x@(-)4httg2N|-U>LzwnELU^HupNau zbp&ub=auCykYt|1B(Jir$;JhFNb;I@;-2W?usZFf`RfCuasEan3A?S96NE@sXPcl! z#5=tAMdU;++&sRDCZ6#haa|D`C)`P1lzhxBTRB+=%AGU5tuQFOsns^5I=uk+-5RA+ z=9hjn^S4g(b^gTIYQhxhrvjD%sO89nRul3U2@MTwqJ35d#yZt)cM#KL(_AG^2y%q~!AFaYaZVt-B3 z)w#FP%~Y-Gn;Q|>#uOL@3m)F|boFNJC_x}Y+IIEQE=K+@rvW?PB~!)pyN7PL1ey>V zC|h;C-kYcf)&{{Fju~k=-(Gcd1EbpAIzSu6Q#b12k^JEhb2{ z<1ZQsZx%H;6A#xo`n^;pFpy6|-0s>b6JmJ+P#Fujg4YBH`jwQ}qRGwDsrbu9W9 zPwT^vl=;%@VQ28;8={{=W%$d%;@2(P<9DxvM!1VMl2<~8C6G~QRh~yIR7##QR;1Y^ zCKyY)XXljweZd79;{9GZf6QGfn0}go#_|w7;d4E=2=>B*gF=WZ0|~y3#D!W=M>v`d?Q z&pjJ>GGhRv(}t}@uyFGip>q$6TBr{vEv-ilFHQYrcnnhpf zpc3xhz`@PEIG5&-+yRt?XMJU-_HmNGzqM0KVilLfT z+T&DOBLNZ?nPS&Eu7Ws#ykAMW(7*4vQj2X${8^U^R|3KaV4K_vchaJNM=Nb;vn6@w8>9?>sU{3OEY>3Pc@Hndnyd*DoR(;i zym^8D>7e}o9T#Cp$wU~PqOz=zBJ;@~5R^Md5Jwx2<62u23)MAzzci(PLUW65EM`Zi2&Di|o|koW z!gnXa1(9~@eIf6v)w>h!%DgTxTRd;)FGw_O0l3gw_4@6WSur*5%b%*Px*bh5#qB#y zO0eTC?~H;*QakTRR<~_cd4JPv9hO-!>I(kYQ`LlVla)wflFBnE0anGLDKD^o&-QcLa9I5!zEsZX2T}%R_JW8FtN#|5AGq07V+ly_exBER-AKo zKn=dN6wUOpb(c8E3i@eic7<~gXlE}S#{k*l6UpZTEQ zu3sC0sZ7}K2Oaj(lCaPiU%bdLIox@P`kkgX<(Zge& zC5n|4!xa)lyg$kIT>e)YDQl`Wo4lP8RK%~Tp3v<3@W$;_%PI*Ne1jhnn5us_*A)k5 z0VsUa$rf1eZ0wPUu)ioUVT&*-_su_A1h0l&nz}6#cgfzZZ=-#kYaPjY4nyeT}+~#a(g;`KT=4%s0i9py% zN~b%cl_o)gzQp?E99#CQ!9qj5+O>2}Oh)IH!yB-lpQc2Nn z!tqCyItPQSQLx>LeHpq$^VW8_`O>*yts50Hg2i_iFdQAUBN-_SkJ|C`pp6 zuj`xxxC`cQiuz+i$}(Qo&An1UR!KW(?qAKT%-0QuYU|^24DprNEJX8?*PKL*4|TQs z0~hKPX=CRgF$_F&nER{!rOMhG#r}6XhD6+_|Kg>f^j*}f=K4@Un7n-)Q!&VU6udV@ zzcqX;163aAkI2*{W0C5*U$~afXG62`8hWcY`Nn~9rZd-J)ES(pl%iaxUc4dF?jn{< zKQC|hHD9hf1c&_6f<~*&D}^X`As3~k@gw|^-v>KAkhW~wUf%onigcuPw~0H*b7pw4 zmIE9}N?)h(EtDEjGUH&F+IBtdKYmZi;+sUnXeVW+>QFHQi)g}P0^|e3Y>DeupRG%GZ&#kN$O8Jr!*-O^NM@N*hImQTjLgOqD0!)Uv*Vi9UTx)Zfwe1t(S1wEHBOx2~?@#A$64_ zWaIPv#{E|_&H_M%b~SY2CIQP#g30z&YGQq9d?u58r13^#BaBCzqtjP4C|xkS zZD)EzvIGm$!rmQ5sR&0VUCY?cqcyC&7%~MV9GN^~ltk&{-bG-6R8?tM>15*TlKo%~Km5Q2?4 zlJ-U{uPFrOI6MUJiU7QS9Jr|IP`nx9J96C5hbSHz_Y?LS4eszRS{)??=0Y`Ga@!8X z@*QUL%phvGU+ZbkiV%A#kY+4E#U5^rpX>rO=W8g)obJlw@%yxe)W%wx#PLE53!E|9 z!iw0LLt-#R##LYgLu?$Ua^cvAZkFYCu-JB+zn0oCx+TSlSVY|6ZL|h4%ZFLch;d?g zva6k#Z&qA1t!pw^3~04s+ITE)tq&4rM*!73rN4El12TE6OrMAEo3GpcvAr%c*?T+RlA&7G%1ltPy`zK;isGSa z*^-%K(-CLXA_*KyyzgxI2Va;xwBSZLtwpb($74c^MYk=E9yGUde#ZonJq(_*x${`^ z5=FV)S6Z&T<3r{M;%)Qzv$26996R8}>}vdj_hf4|V!taZ`b~BUOe$|fYvfSZE5I}U z-684Dw5zU1CQ7$qSPztt{ugvk$b%Sd8;b3rO)h z_;kaQSuEBR?7r-9!;hb2mjufk9@XiqS>@&z`3vY*0)b(j`-1{D&ikMH-z8L%erHiY zxF-7d>BO|`;|L`aHFQVj?;dsnMyCj+{-r1e$s>{b6Ic+vNjM}Q70`+Gs|39PV}(ED5!hr(N! z?NTNub`yJh&S8=1!$XCZAeTZ{%z0%|dDciOn3bMz&D@qx1V;AvXiGsVss zDbzsc@NJ}s!zOe^RF;$Q7hh(}f4`p9wtas-G`p?w60wQM&(;+55*IF7>oL5S?U~PD zY3>?IGPLn+Rs`Mj1{{Ub)9Gk8q?i&^)RPI0_&t?{C>4wc-_>Fph}Kg zLPBL)OA$Olr7QYjoxOo@-7M!QUe%5yz(B(+=(!G3mK5NlDd%M@kiP+dl z<5+Ih7cf2{E<5~tGp+3HpJ}zA3#-ijm)%bC0rd8iRCOH+%G7Wfg26Q{{q>pEl6B>5 z2@OHeE#@)azHRGq^Q-f5%Y3suCNhCtVPz7wwSH5RUZ%7s@I9>y?wlU#d%>nuPLtyR zX_1MB1lRmgfCcZY=zGR+<7J1g(gJcCe3!-Wge?I3DE0K0e+tD1lxgcW_+eQIr)r=f zImF)dLc6&xPI8p<>G5hYnb;!BfEVxS&{?IYk?&@8+VSmD!%8Wfk(tJ7f`r16pL}uM z9c;RZ*7JJX#pQpg70xmA8@*}#ixT+yQ-NJkR7{(gEe^-Dzh;+5SJZC?_+IT|zQQHG z-1?U*C52fG#TvDbBJM>0Od7UCC(`}i=8&kaQn_0qJerlM{fwZ&SW(-yP{aE(L>{ryO*z=0{fz4lA;(2k*k>7`Fr5#&sn{8uPG+RiVK{;l8 zHSX}M8OZS|Wm@H(Q3OU?t6WZD{-NZ}1P^sf{BV1A)zD_v8%s|wNcn4UwHOW-EK6^H zG3hP2t2o6yXG?aYh*=qflBP?xzPAVx&zqG)GFI(h)cxRg+LhZ#)KDeWxNmfz^Q%#nSF=zlF%!(dB`{D=66BAR>YcyC9IYvpfFbH zpScUe=f-$fl~(=tc>#R>1+egFO6Vj@xV!V2y}K%yEdJCcSCZkiB$qpu*j`=KLJu{g zb(?eQZ;TiYgDbE9#cB$#FD1HIG4CK*_#A>~hm=EPxGqh1uvN$V$c zFtHFNcTq6}{7S3@3^L9M?X<+B6gM)BTU#gGxe{VI zr~mg-ew?dMi%h2tcDwtp_}XL%XQnXAkTz%PAkk?dw4tg!in%DmLb0~xM5t4~2I_aw z1HE;aB!H-m)|mC0vLjX*oy(+-sJQr$`r`ehW?-qszM?oIpCu@tX7tN*8XjTot~{Y- zP}m59i7Udhe=Y3?Ml%>vOOzs*U-eI!YucuQJ-l%QLvyi*oXHu)W*iE4nb3R36yn~yW$*;|f*0ABLh`Lzf zZg!SMq7RfLoUpPR)C9{;Owz+XE`IHIgqnS##mC4%`{RVlvr4;=fjlL+>NkXLGeqQq z;M5a+OcXM%h?Pa7a3(pz?G%c!($q$agMs+JW^c^nF9!`((SiPrpym@PwFM@R-g zO}6YQ7RTzA|aFCLUm5w%Xs!L&fvZ=Ai;0%+2p=`DnD=PnIElSL*Fhqaob+2^aS z+dQuU*6=RQ2wz_)Ygcgnx~O4ny4Yi)>+94kjOZR|sS97!!F01d1Y=q?u?Eg9LwwUB z;ceoi?kHcwNO5U47Q`@)W^hZo76Zq@sx!KwUzcLZFyl*1BfHnFOPxuQgfBW_9&s<` z;rDJ(J}%8-W(q)6sK1$mmksuHbY-MhG81!XVZ>(rOmz+5bE&eX3AjI?{DlepHgJ$cYb8g z9&=$s$nD)fY&Qm%&&!3c?oaqI+vogeFWcvifyV-yNE1POmA6}*R`N(+^f(OCYV38% zn$iy@-Ugtcf4dDPkS2L`1C#R3)V@f2Gey`DdoU01rJ59BeWN5MwkE6X1rXvcMa48F zmoMs(u2|YF!V>wDTZSzH2^b_DTuYarNa1Yz z;O@3V09^EF_N%W$t;YfqpF;QZY*LwExE|S8(pyK*&lv9el50NV#o4*{WV7GuIQCx?H1ov8 z#{Bo{->C2-fW*Xgn5|3Y5AYf0nk3e~&T8@N6}6t?rCh{lKb}|S8uq7!0v(p6Nh+S& z`Wik^*$WGV*;%#b>j@jA&>it!eynmu0HDu7u4FU~Kr z6u$Y8AB|KDF^*~eVhoXgoZ`3Z1)Z9UE#J|JVa&DeRA@0rcRhu{P z`#+zEDh8BukF>~xTSmvB12$~eXlC-h`=2Dl-Nz|m*ikb9q8Ikg&4A;@-~9Q(Z$kf6 zL6vgXw$eVQ8R8vb*|zZ(ic+&Tt}EESSz^Afg5aG&$|czFU|4x`iDfLd9SDMY2_Xrj zV={#+IE^HS$qov~*_hTYzbzHGMW`<4<^uWsJs$qP|EgK8`!`>5nJ=V>G&dLEKGm~f0c+ZZ<(snPw!*z=3W^so6@ zv!Oo!Pxi1pRF&$qGFG%MjHe5_MlGIoL8pz0pM@2Q?a1_9v{3RLzw8{7LtxIPh{LJ~ zv*n0~dCAEnGGp`P$H}(>ZfJ5+F|5gR1?tiXRo(W3X@3pmi(6O-WZRZvvPzBYgXv4m zX+(F+wyDibV(T_=BRDXGTr)a1l;P3va1O0;@w+~ZYou9*lsQGs8ZTG zXib}KRogYH%;&$O??+pL34F=cA|F~`_0|`}t2Y=~&lKjn+Np^|+%2p6t0<21XTAn@ zJ{P+Ac9axt337mQ+P(d@eyR}K_PVQPoMbsYo@tH}Aj#E4f-oE3m|*$uFl6knlm#eU z<_WI}o!Dg5ckLE1?b8>QR zdf5y{4QB#&hZ03(Q$~(8MfT%l_e#?i`6l#K+6fBD@(TWz>&fU?{8-WkL#XLr$;&!o z0&CD>2F>+|5p{dGRBvZSpEv&=uO8%s?zd5L315O~ZA9{sa1pb8;>IB|CWf$8+nR27 z)QbohOc4CBp2;(cvl`@Kd1H84;CW@S)&tCcob6Db>_{&qyjw2YwIMi@|DhdR z7|TL$qlGF`xVF4XGvC-;3hXklK2k#@&-I`z#+7|ujKP!DuUY_9NC-!5W#pmMV9l?! z-B&1&3C zmN`!AKSm%Bwj5R_fqZ`M4JXye99c!y68O}&*rt28rc{qNeXMlCF|C@V>$4Jzt&g>{ zwCPs{tt$HwCZU3UULSuyZ|8uw3kS`4-$iScne-kBR+JQ3I|b;YMzcm#^b@te*n)r2 zKdX8xlz!D&YXy8;`|*H8)%Bn+W6_sKr8t5C0ENBh6&Y$7jMc4R>tveL6=SaW|c$z*I|4jlksWJrd5BpoLp z?tuN=pG2qd%-1&Kyls=#v9#(p=8iXe5y|`|wQNY_uuh;g&75U3k6GCYvAo%4cgbGr zxw-^13FmM@-wx3562aQMTNnqzdRdol_$kH3e}s>!Z?(Vt@hMgQHV%@nW-BE};9RD2 z>kJ!%2%a2Uky6%jIdNJ~GjE7$(Kq16sy;;zmDIK28BV>5mMElZgnsGKgdqs}6HA2} zWvBaj*jk@iH4xrdht2xA7tNVfKC}XF{b#cnIxFGiHd`CY?sU|YlTS$2dL8x$(oMAw z{H&UI6(FAvAb>S0fdtEv$U`p79XIYRteV*hYr<}cUM^Y7J229se*1R{h*R)QmMEu_ zBO;bY)v-Kz`d_1@Wy!Zj%ab|(!we67iADEu;wpdH_6)e}IAl#o#q%IkRDn5lln3fP z>vCmUyojF`Xa{S5+94_gYVZdeN1I*vI6T!3ZL2AvvEp_9Ld9q}S6RSVb>G@_zuJgO zMF{z)1^goqardLgC@D{jdZxj(Y3*=JLQwEpnd|#*o)t!2x){EIr#87dAjZ0Wi4*;6=iVGh9(VXXM$Y^JpIiP*fv!63xCMZ~zMoR45~W_-(`vyZUolILe3 zCnsp-w3>Vu9kkZ#AjAhbhBIo*9p{p2q9h(wQR)=ndLH>Aoxmd}X(ktpAcc_3+S7{3_s?#v$Muuid@rX71|YcoE?eD zadl7$mG$n-+_u-|c!`ou!<}WUULpu+8(z2!k!VU8+zj-!C7+YC9Cs}=+OSRl-SBUU z>Ghq(a@6J@Zly2FHxa1mn;6QR-=zFc62Cm;HYDBh#f(?sTzNZ83X$)px^& zv->y>7nnXb-{1wb4Gp91e2e$+;`@i4SvrTN2e13G%KZe`V{Y#s$G@r$0olg;*OL2;kR+eT!#VSf)tXm(iXR-gcJ^KYGS`efM)_K>=L z(bsj{d!av~i4Jj%5Ls^s4B2-TNE+{RiFLqnF|QW>du`{VyiSiAyL2f}*1OQbH>&48OAr#al(xIe%+t)DW~7 zqt6+2_d_uI7_058rPLJY4y^0{@-8*+RG;4PO73$St}6St06&YA@61{XtP==H321G! z$}N&TwMcoU2QlIy^j7Q~n~~70|CLW4tfY{^V291RNJk4!XqaJ)2fA z&gE`D5-31`I_|0~6!3&&lZu45hWnj+2#o3}#JP@gQl6bKSIU`FTuqkor{!;F-_t2u zJauclzuVDFHi;ju zF{R;t1@#pSBEoUSJe2b#EZk6`%~`H{{*zp(7}bl#7;ekz~Jy1`Gw<>7dlNIB~0)3SFj^SA+HRp=? z5q5)%sjo_Nz^+)?1g~ruZP4!~<8vU}6r1_xKi1D2iwYj3PR^-kTIw#ml?2@B*$#m@ z0^+JnF7(b@i9ud4)hyBxbK?oyr$OwnM3P~E_x;PizWfa7i+8^KJ}HuhAk*j;(muk* z4@ej|)ZawiN(J6F{DR)t$(&(&NxI)~Z@&=?&Iz*N_-k`YC_i14Bx1=iF)WsrxxcoeM~nVlb-mcx^CiHnP_l?JRNOt-_Cn-{*>&^-&J4Vfxo;_?BVH z*f0AjrrpBB_7&tCY#-M;mC+WuBqKDs6~Y#P>^BiS7=$unVk-UA8~M;_5&(Utio;>! zZCJcnlMaSR3AEO1KIhanKf{ufO&ug5=>vJkriO3%)%ub%9VAkbbSjVGX3mQH3k9alK11#wrh8zoa_VGh(Xc>*OVbY9VwKGdRZfCV+Q@~>N z;fciONr^EFmKAn>c9s4;EpI{Pavr+=BuC>^BtvF@O`6)!!NBMNelQL}dsFxxR+L9W zyGE9hdHj&0@AsmW&9Av3Yb|oKz1Unm>`x`H1>t%El3+mqqkl7I3^=M8S5UoMMYb0TUS}1NK^`Ex`sO-lKZKR8n~U*r{7E)!-I{ z9NAJp!hx)pmLm6NG1cF@6pKn%#SH;1p;;<$uFoL%Z!|NgiPN4nn?uI3hBIbihG@O4 zeHwp4>P6BTGkW{$->ZZ7EYIuh$!A7F&`J$g7R!3d^ah#vG(Rh5_xvY3#)P5m&Shas zEE=)wtklgPu#Bm1jc+8`>H^nIo3)S?ckCoo`*`(Qc&x!K5~WE?-S)ZXOqbmsK`+BD z@C$jX$o>u9Hfj+Pd_{dO^g4g{9_s=C{cv$eJWQ46PFc7sqwIX3rssAwBtHw>d2d@$ zH-M0P0fyg0qP$xq+1Z~H`R)pz>S?c_bre~Fkexub%tNNZ6P7nE*562~Kg}p&JF}DT zr=Yu6cg(zjvx5QFB*?rg;gaitq(-?Np7Gdfc*v4W*7__T59LSvS^`ulGpRUv(7E>d zJT0rjleDr~5wamFWnCuCEwl}4*u!iZOE`U%kA);ViyDMrFrvz zB^2hpLK9U;!UVdl;vUP}(}-pW0MxY>S7~9a3dMsh6xXbUxZi-~1eJBLQ7=Xa^0c%416e@Ff%bMT*?tsK@;nw; z<0e}1d+3O1D2OXj?XxUc@FRvg_>+OsLwa-M+<{`cvhjxuTyk^d=hYP6Xl2gbL)$|* z-l?{2k%+4^MtfHMc}uou5pfhZr8sg5sHefA!S?OPufxxZ7$^b>=~C0u?I8Q#*opVK zh1=J`oyD)m$L;HEG9l-1dGD7khN-m#PpT?^#=+J@N%xZIkBmPV zh_*)X=N)NV3YOkGVy28#b*cmmu)BJg4P6B<{O6`-UJ;u9oRzhEmC&;688~Oy9B~GD zioDw2RH;;i0!)|U-|iX}6@_o84LjIVf7jxYE>fo5U$aw}c)b@b6t$LE+O2I?X?prO ziaLwqWAju_CDG`;e{uz-Y~qY)`P1)>w7k6Bf-he?lOK2TjSN(`&75Ml^I`x7Q221d z%!0gvXZf8|Oq*k+1GbuAT*kj2^bb+$9^{cdx$T{Dz7QwK!sSU(Xot271-} z7YfivXiWrMx5ZjyFD7kH>#H0z527*^%ghLrg=^DjycxKRu!&p#KGBe9tNF=Na^Jf_ z{7pKVbGUr@lL&tr4Qik*wsMIDORfrFwXk@WYls$rD^p>7yq0cYRaL0!!rI5aQNx-gPWc>LXKi!Z zBbzduV6q+Ftki~599akFLbV>>ka|&|aIJ5hzI|8|RgJiaz%dIpAsd^VyNgR<(N{f<9Z93@3isoX0@G&WvD7PA*N>g-Gu; z31avjP#>^Z|6*JplWpVoI&W2GRHY1-X2XnTQ<^1aV_}~~AXJiK|M^vwP4clZ{{E}#^%etVsTXxNYtWY@r=^47j_7Mo&+}aS$V$#=Q&J+Y* z{BuU2^HfkZ3Y!^|a)9_-#^xs*NM1O1qCtf}r{4qin1tp+>`__$-9>$ovG@lCVQ1+$ z6+NMoM=t!I5VlEk%-09H5Z(ooer9meT6u;eg#w@cx#iU{t9H4jBS93*o$Tnbj!Zex zlGv@bYLsZe=i1u#qt?@(={+c6waCASI@UlH@Rkn0c4*b1Es=BkoO4Pizzg}*#yiN9 z!&vpE!N7c%Qb|YD+MDyn`1GmVf>XYT=-038v&AP%Go+qs2@3uaAvCynd)56hRjnnC z-&N_4di77g?lRe7)ph#|Qa&Agz|yKhc#WQLenAL(J=HgWLSHw%$z2S@+heH1(8A5o!0ZRR{1bJ;P|P~5 zUzsBM5oCs%U?GyhXtuCLk0r)Z5=W5#WE4EwI4|(_$D+f!Wj0I1Rxz2AK|*$sge&M7 zAV<8_VyW_v=Z(xT-XuyAt06YZOpp#Qk!U3~oPO%%ZLmu~Wh(CNO@X7}T3u+VVjD8+ zcVZ!f)XOGl}EA0z1g^uxA>;Chzuct+E9rrC(E)MoW(VR4G5 zr$&V866)UfbR|Ha44+S{3v0c+Bzf0k^LSY-N76dG5T$ZI@+$doX6}>UW9OD$$+}*r zVufPwx-5RMHfqy?gQJnx8a_(6*X2h!)_8`4$K@KtucLQ!wJ5xt6@TO%ciaf?B43C5O~w2yRf;+H5au@ z%8}ED_n-lK@{{zEzsR+Ike>G+!!jj&vInV-=pg6PGOd-KJ~AHeo{d*vZ~U$OZ<_>< z4zg^GJ@fObi#mQw5b^v0B9Mxskg&36rSy5d)h+K;E4=;~hA8X_FW8txOm&=Nzwb6E z;tDnYE$iB^oS)&Kc~nbq-1k8NmPno=hY|qwco4)4dnir7kGrC%dK0T`#P{M*NS2d@ z?mmIc1k~3LsJ$oNIklukp2{EKZ+DQ0VKL}J&J!puD0}-fe1bfgR`?@?U@G4s?!37F4QIcO~9eERxKV z`~P(Y1XxE|p{0FGmZq(nw&3|m-?hN`IY@jpAuQ$EbsK@dg(Q+O(T)P9lnMU~22m<+ zl6*X|l_D6^k7S!zT5a34M6L0vYQOC=WXEz^iD;pf=0~`;Z@RkrFh$n7X_H;(8U}Yc z2g8f7l*|oU-PZTU!;?9dB%P_sxSBY^a^5q6{N3hmauu=MpuT}Y*TUDoKy-<1Gvggy zewel90O53&ro-xW9NX)i`ELJ`lQ@_!m7r*cQ0L@1x|rANE!St0hS+_WEUD~4M*wB6 zs_(oT)@>?Gt8Q*p5hj_qjugKsuWN;?ro@vFlKO;H{i<`f&*yJ{E3r3-G?RPQ&wr|k zi&}IE)yvB6=G**(65;Tpszjd=IX@%NnY->?-ATXMFG>M*tC&V=G*J}h zoY;GC%DAg22!aomh|0Yfg_xAQw#;yB($`DK2nLu;xtSpOr|g$+*s16u>je=S(v_dx z)2@+&6jkxt6xx`*;5g;>+{sG7ce9^ z)ux12djdGhGFPOi-Ls{UoPWkS{TzE|nHgCc>s{qO)nUnoF#$fYPNG4*Pr~wWw z2Cit4E4uaKtZIU&esVq0t}l92;F1ZjYbq8s{yhSLjSvgZi9=ds@$1jO?*p1HNT+VE zy|=N#MR_*f)=X;1rO^|rExNY=n-E;M&`Dr{C%NyhA?*B+6wXMSJm0J zD<|8=WDk3FP-&YYPi6jnmoNiPwpJSHaI3pXC4%lCw`2NgVKOQF&rVV9&`I+)`z|Ht zap2OpOBGd8g_&>owFR+rX^^9~GJZ*#+`pK;`U`CF^m81~QygTO6=^neOJ#3Dj~yGp z)N_xA_XHaV-8JwS{t38ghYmah?9e_DQ3k{z(N&`m3Hw=qM*j`D;O0iq1&<3#*k>OJ zt9a8S--Qa7Wh%?=hq&iTN4c+fo%nF=Z=LjI^TT{Zr;6t6w`5Zlb$93>E^=bt=m?1 zf#!Te8RRZp4I{^mgH#=f)8ba2akTp#TbgqTE|Ko^U-f*dcVZHkrlXTm_o#>ex?kH~ zNaZ9NaYL1}JNED#)GOJF`)bDRkx|(hwBBYw!+rW%M``S5H7Dyc--S&aGHcIe3DO${ zBB>-x`!#FeSt%j>;5FnT;*0s$7)Z$Jv^l1?k7WYhHCJRVjDnD zjF-A(GXOWOA5GQsjFr~Faf4Xt`bD*n{`QJivCMg#SI%U@2?fhw-M>u%D=9n6 zFU-}K^sNC?^e8qR`yHaG$F|_9er3ABXb1$(N+vg_=o~ z$m)QU!#*h3Xj%?Q1_Gf2P>w$j%OOl%82pb}#^vEjHVIOSoARr8h4;r=i$Q|k4Bico zwLBXr_A;UD!{W}AMM_QE)Vqcig`O;2n*mI>fG%rd=KwJ z-BEYf9Y};msTP>#dU`tWbNl{yCjI?e+6VXSSN^rs zVI%p1wiG=CB{vX-wL+^h6X~P9s;u3OV1@ryF`7=PZ@ZX1IUh5D(HT|a8X#D*+>!w?mEVHTiBwEB9UZK#UP zIoPx}p{6u~8uThs=*}yeB5F>BX(G*y6k$zU3vfw)quy#3;EO4M=K==i*N&zgG%eF4 zDAoUJE7r%lwi}?JU+y4n`NwjFCDu8EgYM3(JIik_4bT<*y^6tSR+A~GagatE(GEVP z)(hy#d}o-?f@jr^xcD{bkFP*T=(rQ;Pbkts!r&&N#W-5ILH<%j=2R|h$@p8<_OKRZV&Os@(Lj4aM@wtgAYlTK?;gCIA+8+^OyVdJ01Q?v#*j&t}L== zpHD0erne>8i+aMur~HChz_jx^!KSz#S?pmRBbv8i=3H$R$O*8MMOM9rJtM}G`lDCQ za;`rqD*?p?KIn*1E7k7Mj@y-08q{r0PtHBg^*E7wQpkX?OZ>}-6PLLvN59|{gK!)t ztKZk+6FSzcHU~QuN)y3rYC}UeOcF}muX$Vo)MeRKsZ_vkxeHAV6c_6u=myO~gY9aj<7 zs5LZqD9^uOsHt-j%X~?5BLkU&QF`sM!kZY0OC_a3^HD>3CiX`_5K`z7b~8}+&Y2OP zq=THmmb%>+W!N~VmfXLBf zL)6ikCrW%l$vJ2Ct$XibTGFWWL3Ab#)qtU-G_t-& zY+*=vMTlpHELLbs;n;8Z0s<$z4r*;vTBK=9hdg5pC)Of*)M*AgK;fZ6Ko-{dO-cI! zZS_M%T`)%jjB9gNM|);E2-q{c)iO|K_%=*u>Z@bLtNG?@`viCmQ+)+Id^^cJ{S^O0 zf>m_IjYZ@f#4f3{2j-U4={9|YlGuwn3vh+jSn%^0!ZJ1O{G zLw^vgjWa^Lw13dfjt7#C=(@nuyDH}Hz`wm)7PpR4=R}IU%g~mni^jNA*rf7GPrq?x z2WK2MUB|r}bRFxTPgGlcGc#Ro;AYox*M9<5o!t-X9wNL`4evy;Tz(=Nn)UHc@e+MG zQ1(C^)%`F@r>hkBbQ?JZ3ui zg1||V)KM>Hj$YU+!)jAZ)speA4Wf+V_Yv z%K{!e1EK88JOCB30Q{&~IN0HPa46{isL4ub`db{XwajeNySfH^mxrqeWdq=ipwUwT zPL4-f`UMh!WG^;QT(}e&1y|a!%WMsRsIW_DB;>163YXpsiTz|m)Yi(QT4kztu1dif zt48T*(J=1zbAe8+S?QLSt^wYCbahZK%@bPvYGb}6@}W-!=u(u>H0w~TsMNrM%r}kX zd3o`;nfdD;X2F$qpo?@H(N|s2TUp_&WN6Z^_$Nc>8sDWe)&N11vF-5WSYo`4Z7QnN z_*4Nke*Op$B_;|9bq;3r1O1Jrn-xI`3x=NLgkr6hiDA{?4rlMIjLxTzHF`M zf&-u)fHjBKRpy)0WL;{e@WdK{!$lF*j24Z;|MrL4NO2@l5Bjh?=Mt{w`8z=~u}{*u zs*j28^oeOJF!`VgT(!@Xg~dKFe?0t>G5KOIy3;tqVz9e=%tq;&H_w~eh{z5?f($~f z*~_bz?yy55Y$y6K2iN~Ez-MBKv0$eS1EG8D+06fHS+TzJ+d}*f@quFYjQ!xrlIS-{ z4a~u#vF?qLm-4s$iGm{q-$FhBZoD|nj{Cht+n$%alo${IdtAqoG$BX zeG9)_MgKLzuk)I|mhH(QoNIoc=Iv$05MLf{AFq$65g+IDsUMJ{X!`LWw$#ZRumn$s z6Wwp(Nw0UNPVl&9WYWg^XZ}ClNcb{I0E_HW7#2+Q{HE+0I=1L;{GmI?C;{=J%Hx`a zQ^kGU4ZL7Qn)v-8h{9?9b`pEkC#ib81Fc3Z|ItrBwKAW&PZ`loSvi<(Hg zOjUI|`|5&WAUPT%_>%DW4u*~wev-ftQFn`jwZPr|1nYb1+7eKxCA@V@Or%(7n zbq!N%pg{FktE>WtjB&Df9<2_7YrO(0nWh!XkB*D3Qr1#4FeHIIkzEhwkNrABosP2{ zDEyUL#XJ`gd5)zdOHQ64nkDC0X(dS_4`Ec%QW1-u!-=MJhgx|z*H#iZKd3WXN^VEr|&S)m0q|%1( zzNgY$`_(d#XQ*%IsTG*?0lY7PfAZ`2-Xec}y<;B%x2Y3(-nw0{w)6M8c0Vsg>3IBZ zd^>Pg?B81nvwKXWY6frD-->xMM{k?bzJ#?8=>?CzQl-J#zLs%gl{^0_k&Z0oi{ufC zg{y|Z)$Jy-Xp-~%i;ltfDuX-_dcN{#>n$wRoZ06ti zMvO3Ug=A#1J&U)G_m!8bHyDX$ZPQ)Y42ubl>Q06B7)j{TYBn2RJwI;@JuU=`kv(xd z3U*yx?Y&Lq%Qb zw4;kPVwj2c6~dT}Ispmx`N9DWN?9tYDownn-DQE%wS(aFe;>i`A9c&(r^A{q^;Jku zx7C`RV@Gc*5Y#hWl{!lme)X-?l+RtzmSebK&R zKcVa@zN}OmSY5oDPJ}mZ^Rd<0ZEsg!;}$x=8*hy~t5h0Di?=53V%$a*b)DD9<2c)z z{DoJw-rgzdqs6sT3DpD>X&w2_y9TmwF|gd8CZ%JzT~pywVR2Zj#kFwpbEUniDx=IO z)?S%QxdKI*CrI@S_n2E(As8vi;9ju~IM367c0iH#w5Vdc^SbOQTD z`tPrjaQyaw#732JSlN*E#!fo;8aq`-q$lk-%M-PST^u?3IhLenH7oH$AF=(iyP^s; zGJ32UtUQ_69!jc&A;kl8^W@RhGP=C94mn)jgC-0LT?{UhF(dsYcMF=QswVIjYsp4$ zvuCL`$DdyU!~%$tcv@>Fv81D-;2irpu4N3Q+N5FTBB@9Hm)~t!e-QbeT1>IkP1Ois z@J!I&|II<6%!Y`YEj~rlDx8jM8^0pl5%>mR*TAG}X^o$b2+2p$#DbZdGNAj6sM;L3 zeO8>dsOiV4FSu9Q&9sd@2&*17wt@v>@o9cCDly)z;)vl7{d5^ts;*g^ls6C8&{!Q& z#jn<6IFh~ni{te3@LznWT`7?h*STToD3*ISot+TmwtIwUy5}pf$=sQ4k&Nz5z-LiU zPRO6=3;6GS`KsB`r0@C-Q-imwjt!Mz)noDnaAmh9HS_X7rpLF*^X%$r92QL8NaK&_ z|C?RvspYya0%AL#g3lHCl_XAzA5JwyI8ULJR(=Yq8}f=ELWb5@z`|O!=(m*8#9EPR zY5NF%EO~Xk=TF6Wb+>C4Z1re!ulXr4X9+2Fo2H^Nh6%owmX|lun&0=HF{?$cvJCXf z189zh=^Y=lDpvr!Li=&qHef&=%K0w`hG)N=AN)M@|NNHxp4Y#;l?s+CEFiQwZJde=_PGlVexMCM&G%Eq154=502rTplMmeut}V#HgRZ8IpC=i2Y$e9wAhF+d z%q)Oww7NO|Ewh{ygv=lvAcdAn=T`U<}y3AN<`Ck+8xKrWRM&ekFDA5&0SyL zusvV?+04FkuKer?Rd&Y7xlx6ixh=+)sF&e<;@-itP@s>$FfMJJ+={>9W-Iqxs-Js4 zR(ama-qDd!D0q9{r<-jz3R=qWb>1+b_#Msiw_m>!0SCVX%>>COO0%{glDNFILevhE za(@<^@Zyzq){9{>$vx-ldAMYBJyfojiVn<;mX30CMYXK2b6?sLV%7i}7GRlZ9hEtP zf8Rxb;r_Z9_2C;o)4f`6ld>Q!)lI}$G%-u>AJnY;z|;|K<5pkYtW8IBY3^UNE3J5U zLF2lvAu^aa09u~wW3w5v^#&{So-v-q46V%WH!J~;;ck`hCG8RxIa0jB|9mFSKGK{# z*5b#Pa#{1zq^z2VL^X8z$Tk_@{v{dLDluW~ORT`*5qy_&>PRTgbxGD@G7*rED2ITV zej$*_Corr`oU`=#alhQA%zmoFB__|ge^&icCNLjB*aZT{LfQhC4egpGQ>9l7eZ3l{ zGo5i~cvA0-aAsDKu+T?u+D6Jo9*sVXf_kc1tu7r3E0ro8ts~H+B%d|E$MYCrV6x11 z!@14_*&b$gS@3-Dvu@gI`{sENyu@qF`R1m%aw1RNH^&dJDKCt*!!;EI+ng8pGL;kcT>g1aK!?(*2j9U_)Nc)pxq zlmB|(-pbBibAcCNp_V)VX;jOlBSFh0 zBb&xjfVf{FG7jZVIiFHIQ>fTri&3ecmTCNb4+j3rxJ^{q6#@`;uZ4U+>XER3KZQiM z5`Q7#s_6YrGcisE>=btA#FjA7$pA(9#r%i9l59uoApvoN{?i$`{;z8O3RRBHE`gZj zcuh+f1490v=YUW|m34munyQ0~?aL=m8xIWX0c|ERfEq%7I~$mb-TP%Y$7DHdg3T_-a(vn)wQX z?+!koX}iJz7CuB$ZlSm=uhk6&^lRwXC?cA~6n0+KxOae%`oI?g3}qgKJO8+Rw*28u z^XbXcUomAwl;JwRG+7ifN#ZNx_8c`{urn1d5ydh-i8ZiTGnZ-D1Q#~`4BEh9_WXvW zXC2M_q5Ysldf( z$oY){_=;`RuAO<={7+lMqTdHsPgu0(p^a6__-DZNO&}z5C^`YAt3ShgkNJMk-s{ZE zYr}gs@H(4+{ZjzXH?L2_d}rKa$U^^x{0A9Vez3p>&LQ^Dus&y0UI7$<;62gv#l%* zILTkK_IW9z71AVS5^Gus_Gm1b!RS-cPz2EHYh%9;6Yg^6wWS9C9KwS#RaEzrf?uMS zb5AMzuxJh!hjm)i$om?}56z*}jJdxS$oDLCW!pIH&{fS&^ueW4OCvN0rdV znRPx?i%W|-MAif_$)!>hb0r&JU*Y*7s#_pOJF|ix5rXcp)jM!7aDhB8P&n;o$Bd4t;2t zyAwp6S;ls~{Tr9~zd>B?zK9O92@U!o14(j~+fb7$Bnc6ACa{@>KxMh-8H`ycbSs@E zjKIEpPl(1n(nb3ZcAuG1!{iQ|wTw)p(a}6XSj5u=-5*Y>{?7Ey1~MwbR3Ay++k-$x zo?MVX!^_@~lBh1aKUl~;l7$X!A7pC-+R~)wXK@u>!^x8#ux{RI>scOcy)akA_KvazSS5eBVbJ2{v z3NZu0EE+0EiSVX$++X}iQjVt)e{m8R95_@|9B~5r9cfk&A?iixoYaCOAFptuvY0>( z+Fv@d z%o1UW8QbPD!7=V>LBQvIjDbKonxa4*tL2*)f=$B}9pIaHT&z`9AlFZ>e)B?MlbELo z5qCx9f~Uo?*Qk<^VV#Kh-;&$FP$C+pZ(2yIw^(~_t6Wa8E-NzRQt27mrZ=~P#^R8V zLrU1tMo`s>gO|z($d|-Egj|+cTGzV57pw-l)~4K=eHA(qicbk0mj0c7XD<~Is5DB8 ziA>3xz$pQ+L2`Mw{Gs0ocwer$%>*XKIPN%CL4Sk7?!guanCvsY&E=(GOEdYog0SQQ zu)?-zRVERN>FD2j={)iod#9s6)t#CBb!zXX|HfidDfA0^rz?Js^G0~=i6 z=r}sk!xEx@O_~A*2q2tMMFOZ$=PCVg#HxcvCl=7HSM88^4bw&+_6GfpWC)0jVOjKT z$*Dgt6U*2Ajxt^=EOJIALZsJa5m8s=xFzQmsGAE3JG8Z*5|+0FN&2DBlG>jeWN?Yc zi~|4Zxwgrx-uH!rsB`~47*=GKbT4G=g@qI5S8YLt(C8C`5GEfg3?}7p`(=y_nkdE0 zf@%>eT^y~B<~Vd7`PA@pr}lnjI7aQ3!dkta)KRHxl*gaXbMCjW+97OgPma|fpDCrf z&a(Sb+O1xj$|q>eRc~Hr@)IMS$uA7QglFt)@zsw-4wzr`>%TFDc$NU%H|#WB zN<_;w4QT$ER0#_>l=;OJLm^YPN!ZQx<*wz(WG*;pPKnf1Eh@=d)q4+j)X+zga3R){ zu3p|QR$8|YZ|lQ<4y}-$FVr%(znbn}ZBIeeAw?_&%BBMKHXS=gU03|}**0x~fPXB5ajx#_4mJ?tA3)|Zu z@`%nfoly3-j+dTJ9dFb)^gvDgkD-ErbZV6ZCVSl#Wd(wBS7;MrFFmzs!Lh=SzXNo> z-+I)jIVL&*6pXvyt^adh$5*bw-&RXBF}fQGFf#rjY6#}&C4M4E(#+8**HAtB>yv}s5MQkA)&&_Q9 zVvLhb#ox%+#?8B8UXbg?#_e;ZTYB@NXFn(?C?5EY51)U2?f>-Ptpt|6u0TZ2lXmts z8n+2eI2aExh{e}%ThWOMKSh2d8OcR3VL~!~uA1yHuya7vI59oZ?d4*Mbn{Re_$a6# zy+WC}hli=sp+%>*DP>iAN3*rl8>wSR$0F;Aqjv4R2`4cpm2#eFZnti3qcd(8*r1ho zm5)O}rKrb-q=EjB(5Uo=?9*pXn=e?zvUe|1b}`=SEnTKzXWSF56|%MmVRGak}^&pTZvoDmTkJh)pHR zn1V|%Iaii!3|6Iby_WtcN>iRZV4>%J$B3uV$zO_Lj;<<*-Nz#_^e{}wSzhss1=GDI zo8#TILBDKZaM>$HU?#^Amm&9%d8Ls+=yQMsYZ9~taG0IOw#iyoSn2-F$&At0^JD{mzL^fz^}w!7$3^%6?^a>Ky=#&{jIB&Cp^0FCp{i{ z;XMoBpw4wrhIDwwH5DQ}ftesAQR{>X89H9_b=_VEoNQ_CB5o0Ir+R*8L1OH~U}J2& z7DNlfEdgN@6xmFLQeA*R0Hq`)Vt<1E9ExN|bce?wC(-q%AIr)QAvHIh2WOUT_yJQc z>~*(fB;4fV8&$0AszKIT)$B(-SNU^!S`C;T-{1C)oh0mGjG#(?-%asU#$N$k}Y1h4C)W-Si`q|=suM0ylKBn+BW8|v}aW5J}O^kh=A#9eujTU@!%`i?7`{ZokC!C1-X_g=}OIYA4J z!3I7u4SJ6QPs?<8ZK8Dn$+^_?oP(<#xoqDC+RPD!7t!#!q zZ8i02h5nL1_u6c8b^6l4JWBhP98H0#Z@|ZKV3F}^)Cs1Mf%^DkiX#6XgU*%`;0KK+ zaVR+R7I=pgL5hqICs(t;0hn7`XVv&U$bS4mMTNiF$$pvunmewTph4bK-`4x{HGvJt zwV&5cgU*jugPqg%C~VdRTv-!}-^$T538(DBNeMN)l1i34Xo`Xq5oqp+a%x^UhlvaS zOjmi;9bI_j7*0?I5g1tHGQ(cfm>TfPl}hl@nODV>Q*0Kbd(x#_O)>kTUEQ@Kl!<=r z*!|RQ2Evc;Ah_HEf5hY@O#{8&feb%4ul?HGoToXu`WzuV4qXT)Py*;?{WDr_o@1*mb7=0+?xW_&7J+f*BmQr|g?tn5^lyaVI! zkWHbcF<0qQlP<>3lIH+3*Im!qUWjA5m+NO%kNJ4@YjY2zUspfZlYperlXio;pjrpO zlhqTC+pn43g&@7J?coKfuLKm9Y%>VuXI~{Q>;dtNoznd6-oqGwUo@jWdqS+-7iF6!uaDIBiDkQX2cr@4s{YYympPud3QD$6p zz8G|sW-E7*bPg35PK3QVRbK8*VPg7mp+||15hh78k`5kf8T{3>f0t3AWd@BHit#Z` z6W4zm@+_rk<)bOQ-ST#K7y&I11bc9@iq1?BN}WrxR>7R>ov}j=5k}vK#(G&=hMbo7 z1YujG4~m`co^*<%FdU0W~d@G2q}8n0!~sGn7yC+j{ETW~F{nnY3S z9Mbhqg3%73YrR_a*pAlm3m@G_A<0_#Gi?>qTDy!V3v(5W-_+SKMOLm)ZJgtWX(4p+ zTMdA%V$s1&F}{EWnhy!mhl$Szm?$%I!jrVrPP!%Qn?m#hBNAxIA~MxjGGErUFkMSZ zlson^GK*F~cbO^#VRodD2yiL?WlIO13XE@D`i}zqAW@HCgHEZ%3ic$*!E`J(SQ0$ zp%r!ST{?Zy@!P1nCx7M-Zuf=Y`|vCpOLTV%)A!EezJw;}n6>33IX*(|2mIwB;Gw+U z-|7!)&rxpmbh{lTVJrTdInaC4yyFdsX#$a;X$U`S1ti40?AdqB0p7c2BfSCnLTG?k(|G-US&Fpj2i~UE)l(SpC>O=aurs`bp1rUqP3FST zm<4V=%T$fqhG<~+qgy@5z`Gr`ZwqqCOf)~C>dEFrLk__AZ3LBjLL6C`T!B~t#1dUaLb=~ID zvH{5N_tr=ZM9vXtyMFCyZm;FN5?IG|dHar?hDD$Qj3-$AF-3l!%M>crCJTGl><=We z7_S**IgUd4N@rD8qTBn{)MgutZ*_c=y=k0PgKx6O^XoFs(8oZzRCxfJ2+zW$XZgKi zoNY;-P`M%dq6l}ip*>Nm@ogt*>zeTNcDXw4oOET?2TNz0?uk_szIbfD>93C0Fo%6r zsPn2Y{O*By^gkLADNSvz zt0D6hH_R?@C=l9ixj375h>m?ZQ`dpr!s_>BXtS6*n^Qxcb3qrT-jb+(4o-6xN9oQQ z$T^J>^s@hZCW|6m3m)=0t@2Z`drONtdl%pCM$&_tkfbUoy6@%mjDQ;o13S}nJ?-zK zp2}nGS3^+T(A|ThMxfd!@O9xka@*}Y>CORug+Bs`C?-1JT+i2fOo#Xi-q!<`t-j8l z*3GnfF89rxzu*#G=U;4n76@bqKh~uE@~W(oi0TcZA(g(d9_T2Io(&D^{ae*H)}skG z4N12hz%9x*JMYbu*Q;Ln>ssjDZ1*45^Vrnt@p+%u0U`{cB4I=W#NZI*5Bp1;giJKPeeJ>$hHu$iB=)#QKR$)+x~gR-mkEk@S)r9^%3!fz};-D&Hb zuLQi~WqeaTF|U=?(VErC8Gw#kB z0>Ga*+s_|@erE46CTZ&1SJ{`g+YlzLw^ynD^>xeI0qnE*YXSAqcB2?7;|Q-pc4q%QIo%3vIl2t3P1y#wjkD%v+hTxFx77Ni8W&3w znFZSn_rfXOQ5rr+2h!^CZ@)$!-2fG8-E z;{SM_aPK$IbKqpKGBuOozO#i{&}q$*X~dg9o%OZWYPD+EE6o+6tcwZZQ~}jxW>Hw@ zC?_tmR*yPDJ>d8VWYj}vZ>mpRh#AOES5|?`T-Ks|i?;qZs{C28+On21YKIl`^pu$- zOIFTVA_fh`;5zTisMK}X!1C8Mg5AZStXci?@XtamL*-?G^?){K1dqtYD9Z|4GzWWQ zp3fx3@+Wg#l5=-7dFdR!{VbqC_tWnZbu;W?^zT>Z533d#lp^Gm5;O2^Ft_L-iX;}I z#-?(mHu5sl%XwOr&3!~kGYt~~=!MDAQWIC>%@MvO=hbq% z=Mi3;DBaaaxlPueVtT#Htx~XDEZ&E|YW2U31)Uc2y2$A+eIO(3igHOyQ@o z$W6&cR~!sxFKw@yUCw`Khpl+{`?ktBJBSEn<<` zK)mW`F7{evnte1`cF{@S+?1Qod3oJol;=7CS;PW9uI`qe0NH+QK7Yjc83BnJh~iBb z0rr9889%FpEAFIce<-sOMycqn=KoD8_EMd}@yV zt6s8t8jPLPT81ag^C}jAKf zF%`zp7FebTx)sONHAt@4iNi%3fi(^bd!S#TqZkM#m!*(k%+V?< z0a)H zf<_Rzao|q0n&bMw|Jn{g1jbziN55L|t!Wl$ z{{K?((B9Gcl5L{?kQjXg39H7v3J{Qb>85O6$Wq+@Kq00Y(J!kxQE|-0ZUmpaZ$d@s zeubCQ2!XK}5%)v9f&-Uc|2VacBD(h08S&jr-15M%?1TG-4t2k&2MOL#0gc|z^xusH z)>DB01YhGX%n{`b9MT4@t_PrFynQi|f4ri*^SB>Gi1E8W0HOGHut%BYxVb$Z(~&}B-G#rsiyk!}zHcu&WmB@T)PCO%#mi$3wbp??u-TeTMr!W*zHOYjiOC`oyqoAW zp9mr4VwBZu9D~=GJ-kSAE)$%TcL4O8?1U8dviP5Pei_s@fNy=>5Y9BB9~Qa~HEIM)7w3G9*YNU&tp= z&sYEce~n#tG#pIVU!oHhD^`gfgb*9uu2``|uOY+=URhSuXi-C~PIRI~Zy`FXCw7UN zD62$?5x5td@b#020GhMq2UW8gZC+ij3=gA&3h2AWP->x7VVD z5Weq&qus@PCUb^`#9S*O965`E+Gk#d4?{`PQ!kT`J747K0^{s*u|AFqq8{jUS|e`4 z-d{$gXy?Bc%T%x?OXiCF5a3-O?g2r z_(y^lTWg;>3vaR@Fk?)#@S#%BoY2?_vUSW}LIii?W74U;+zWeQu4_h@Ok}T;X2B7@ zO6uB<8>0Pu^JKTnOmu5;EW;x#qOCD2K;~$`$B?r?su~~@*sL8b;-O-4=X%KPQ*WTpX@tiV!c{+X*U*727xQBG|sUkiY>OL%Q+5~N# zKJfm=qU7%WL+8Xb{ZH(<;nn#PBq&jf`B%S9k#~sIdu=M_^kl+<7Jgi2rhNP^4r#%o zz!LCb6-c~y+a6aMQXPKBlI=qGphXl;yOKf3utoLg>9CoZc8d2v;RBQ)bQXep4Uc5k zZoV8+jgD?(NV@+dY5A(*?CCskhD}@Ur7G=5M#J2ovp-;|kB(jB6O_~XhE%sI$vs>| z6Gk4Bo+ss;j7{Gz?ph6fTCfVQr5Laf$D4A#8>>p6=}_KhBGyZYrsW3@fl)b#^H(}Y zF3LGr?7^d-wZn7AEDco~_5g1Ya^t{tk=-~v5H*ZH?LZ8!vyxT2gUArRg~)ty#qVtif0A)+)UbEbnVi)2F`G z#CA=i%}Q|(Q`Ic*QY{dfsqu{EAV{hsr8L{EUxNu2(7ucBvBNQwcjit%?fkj(_D-B} z-E04|XQW(f{2(>kl_=73mdrgb^Z?YL-J>(sRox@(Gw7Shd&T!fTHqa0A*pLleNr!w z#Gf{|xoj`1FVvfu6bah;D{<3fpu&-mzt@2LhhpQQj=mAoaN1!l{o+!0L z4|p^zkEGJ&4~be0bO}hKr=Q$gUE9>Eh%J$RDcJOptp0;Qs{dxYNk!m2;Y2@ss!wJw zuE$sx!=Ws-i01uRp9?%=+TEw?Ht9Y z`>q1E+Yh`=^P^q4XuDu*GMibV%}GdfQO@0zMB?KoxB*HtffNNs@`18J835IKKzzIp~13PFsCghH5kx)pk!jh6+eNR%wHBA&{c9G zRHj>e)?S1S$s-kiEyc|2I$pEll6-aKj{14r5?2#c`X@!nDmr$2R>53$ytf)x0xe|Y zbXbZ{aS(0-m2V6@u;SRg_HMtdUDhP)Xd8L4==0neGdEXMIf`$_2i@4WDx9PgEgbP3 zBN3d=QS$()gZ#yFvbY%3LhnehFiKDp>?YH#$1i5|~R4hEQ~~(M${i zPpdCq?{V;C`AYjSkd1IhMRu-^6x~X8S+uJ;-@$#o@;Izt_p`DT4_N}e#=x!iK*_bv zP2nS`-Etp%Dwx5`3TrWmvX+dSs%okkosejbIRmMms1Msa+I`V-;gm>gHs0cMHgY1A zZJ*_{1x-ep9BtNZ*XA<}j~>PscMcb}zsLNjY1nf4bqrmbGv9JV_P;m9j(X8OnD)?b zs3FZ)1(eed#hC1cUL}Reru{Z(CEi8rpsiaw{ZooS{Ma`RA%yN;(Rt5!w$#>eC@2od zntNi>O0`)W!G_&<{z6@|#`~gg7t3OI z-(jIbKjIK|xnHIb*Hyw-RUM;yO_#%}_%NOxF49>92Z!3=y+PWd>p2n6GTX~4h+BnG zri?2Ajmel}GS8`k7|cz3q=H%^P@JfX-gy*m|28$V-rnsk$e|?pKT)^Fl6l)ywjU(V zX@k0KVyj|_qx?X}r{`S*HK^sv#_Drl7t%|{2DfQ5)KA&Gnt9@Ne!eT{o zSMQFM{%uQfst^OY)@OmXW(|Go*Q(}L%H*%?1)Q;xllQ01yQH<6!hAaFvFsmjLB+Di z#oL{gbjq2A*X-BX%v=82AkVu>W$6=9pWX(hTbT z7GW_sCHVgKeE5s6w1w_rjWe$fz zX#jjLDE&~?w7Ic2Px*&`E=9YY((bHnauuGC6V_i-EkOLD9RUC5m1{v_o%+bTtQ zVhr8J?>BL;vtka$p0l~}#9@|>_S3#+{i{GL7NwUMx9}K=eesW9bw{Y%2nIcEXHbJ> zV&K`z;?Wv0n^32#a$R6|J6XSvr@g1Ond*YPUr~r3qsZw~vRLPW(qU=T?F0?i=yrqR zzZTkkJ$1OF<=S$&$z4iJDVPbKTNOb6(GOlzH&lDp9-BY=r4tipbH{0MyrwRA5gj|< zcGJr4N=qhdeD~x-D)GBTMqvX#B;IIU#qrVOX!XKcqn)$?WDeT>W%}jp^EnTwq0nzI z4YCMk932LhQAD{K4{dZ7Yv27GH#I>30P120NzTBO89<1X;8c<~w!SAPN@KS5nkSF| zpaU@i;Jix$@uSQ%rV_m4cwB48{Me+$BV&li`sH?$v!vgz6b@lt>MLXpE<;;B6mMFG z;x2ZjgJBE=3bi}j2@yYLmTZ6`Mqb*2+>KooiON=FZ?jeO#7iOaY0vhTK7FUFK2{4U zG}Zzq>USWgqF{;)-J6zZYQ5{S zA?=N$by_#*JB6MaFldG7+Oc}cOl!4{pel2a<{>c4ADS{#KtF1Q2UL<>)KECnJp75| z#xKA|6eJriyyGmM>s)JQ#iKx-`XQDgx(^?+ZL+gMpg#CzBMkGEBR+W^%dZcaxNh~(@i zVGN!UC90xX(=+w)!l(N2+?+K~oT@V!85C{{CwpJSDDuYDBzFkPjBb!ps+U_eSF}jCs^;@ z5f7TU{*Ao-3cLa~cux*_c7#qVG+s8oYEGW6sdX?smt|~p2Dl$)$0nsUq+X)gW_w#o zYow3oiat9H>D-KzbEk~XN|m;-G@MZyzmJEkalfNa5TCCa1Fh3YKmHg2nn`bi^2I7T zxtA<3MRsq2MX1E5nB2+Z+M6Fo*>Klbo2LBMV<2i8a*Ez4>Mb)EX6_*TQo#%~h(u91 zx*y!OrfOA|;N*nV2 zkPO&1hxFk*q!viLv$%HSk?f)GCPD?-tQKJJSh-s9FuD^T&&6p{fR!rxlhWxT_wvpB z7v0*tg^r-0o!Ep&`jn~eoCSKJzyytEt_WY54;p;SvVzRb!r9XbLUn~h0}r%|Z=zlz z6>l0O(CE58^8RWvc+2}8E5F2`O<2Y^#rn)B9c}QZtFp`Fx6Fj=-_rG&^G(u^1R!zi z^dlxPVy&UqkZ(c{BhPgCrK+4!6qyBYpGV>_bRSZx3n*#JBWJO zCk5ZkiHzgIC5A34-eBoqUl6e#ge@+0-_8ZOCl)yv;M~E5ArWXd!|wNdL}F2Tw9sBPH`0sVCXTdhzJfY(K zFJ}|`l?fo$&l{qjtK)`hGelU~y0q`qN6R#IQ-WxD$2JW=6Gjohxd4Wb+@7@|ohIwO z?1q~{z}MY!Te?px>DCiJ1E*9Ay&5G?lw-qD_HSk-X~fhiP!PR~vj&`=359ys6BFCF z7^Teuo~J?DSOJF;qmZ$Uv#HnQygy37wHjyl@HIpPgKT7P1OKiNJr10$>S$f8jHPDeOMW` zot#ZJ>$zV2blsB)Amsh=WrS1jnrw?F$Enm&@CZjvIZf8VmdG}&T1?B21-e^M zE`AFwC3~AEMWe3;_dJKLXXQ$>I4@8<=i#tdwnfKeu$gp@ZGyz1MPk>+_>$VW)v@cX z4Y1={*m*5ZT5tIxXMaO#2@QtFALnM?SZB?2T%Li@(4|KvTfA5&`CWWntI1A}Yn4Co zcpCAm3y5}0EuS$wE%3A!YrkeU|AZ|(7B=kwde^o3?kxF|oNtwzNsr`q=e|ov} z|A+jqL2h9${vHs?D&*WjWgTSpOLfKnSopuj{D0YJAp54^)3V^5Z+pZm005B~pfUUl I5F-HiH-$tjApigX literal 0 HcmV?d00001 diff --git a/charts/jfrog/artifactory-ha/107.104.5/Chart.yaml b/charts/jfrog/artifactory-ha/107.104.5/Chart.yaml index 1cad801f5..2b0a5ee0a 100644 --- a/charts/jfrog/artifactory-ha/107.104.5/Chart.yaml +++ b/charts/jfrog/artifactory-ha/107.104.5/Chart.yaml @@ -2,7 +2,6 @@ annotations: artifactoryServiceVersion: 7.104.13 catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Artifactory HA - catalog.cattle.io/featured: "2" catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: artifactory-ha metadataVersion: 7.118.1 diff --git a/charts/jfrog/artifactory-ha/107.104.6/.helmignore b/charts/jfrog/artifactory-ha/107.104.6/.helmignore new file mode 100644 index 000000000..b6e97f07f --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +OWNERS + +tests/ \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/CHANGELOG.md b/charts/jfrog/artifactory-ha/107.104.6/CHANGELOG.md new file mode 100644 index 000000000..adac1718c --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/CHANGELOG.md @@ -0,0 +1,1511 @@ +# JFrog Artifactory-ha Chart Changelog +All changes to this chart will be documented in this file + +## [107.104.6] - Jan 29, 2025 +* Added new RTFS service +* Added new Topology service +* Added new onemodel service +* Added customVolumeMounts support for frontend,event,evidence,jfconnect,topology,observability containers +* Added ingress and nginx routing support for rtfs service context +* Added recommended sizing extraEnvironmentVariables for access container +* Added default extra javaOpts support in system yaml for topology +* Modified the RTFS chart and the topology probe values +* Fixing secret based annotations for RTFS deployment +* Fixed `shared` block in system.yaml to include all properties + +## [107.102.0] - Nov 26, 2024 +* Remove the Xms and Xmx with InitialRAMPercentage and MaxRAMPercentage if they are available in extra_java_options + +## [107.98.0] - Nov 06, 2024 +* Add support for `extraEnvironmentVariables` on filebeat Sidecar [GH-1377](https://github.com/jfrog/charts/pull/1377) +* Support for SSL offload HTTPS proto override in Nginx service (ClusterIP, LoadBalancer) layer. Introduced `nginx.service.ssloffloadForceHttps` field with boolean type. [GH-1906](https://github.com/jfrog/charts/pull/1906) +* Enable Access workers integration when artifactory.worker.enabled is true +* Added `signedUrlExpirySeconds` option to artifactory.persistence.type of `google-storage`, `google-storage-v2`, and `google-storage-v2-direct` [GH-1858](https://github.com/jfrog/charts/pull/1858) +* Added support to bootstrap jfconnect custom certs to jfconnect trusted directory +* Fixed the type of `.Values.artifactory.persistence.googleStorage.signedUrlExpirySeconds` in binarystore.xml from boolean to integer +* Added support for modifying `pathType` in ingress +* Added fix for database credentials secret in non-unified secret installations + +## [107.96.0] - Sep 18, 2024 +* Merged Artifactory sizing templates to a single file per size +* Added metadata and observability standalone image support + +## [107.95.0] - Aug 26, 2024 +* Adding missing annotations to primary Artifactory Service [GH-1862](https://github.com/jfrog/charts/pull/1862) + +## [107.94.0] - Aug 14, 2024 +* Fixed #Expose rtfs port only when it is enabled + +## [107.93.0] - Aug 9, 2024 +* Added support for worker via `artifactory.worker.enabled` flag +* Fixed creation of duplicate objects in statefulSet + +## [107.92.0] - July 31, 2024 +* Updating the example link for downloading the DB driver +* Adding dedicated ingress and service path for GRPC protocol + +## [107.91.0] - July 18, 2024 +* Remove X-JFrog-Override-Base-Url port when using default `443/80` ports + +## [107.90.0] - July 18, 2024 +* Fixed #adding colon in image registry which breaks deployment [GH-1892](https://github.com/jfrog/charts/pull/1892) +* Added new `nginx.hosts` to use Nginx server_name directive instead of `ingress.hosts` +* Added a deprecation notice of ingress.hosts when `ngnix.enabled` is true +* Added new evidence service +* Corrected database connection values based on sizing +* **IMPORTANT** +* Separate access from artifactory tomcat to run on its own dedicated tomcat + * With this change access will be running in its own dedicated container + * This will give the ability to control resources and java options specific to access + Can be done by passing the following, + `access.javaOpts.other` + `access.resources` + `access.extraEnvironmentVariables` +* Added Binary Provider recommendations + +## [107.89.0] - May 30, 2024 +* Fix the indentation of the commented-out sections in the values.yaml file + +## [107.88.0] - May 29, 2024 +* **IMPORTANT** +* Refactored `nginx.artifactoryConf` and `nginx.mainConf` configuration (moved to files/nginx-artifactory-conf.yaml and files/nginx-main-conf.yaml instead of keys in values.yaml) + +## [107.87.0] - May 29, 2024 +* Renamed `.Values.artifactory.openMetrics` to `.Values.artifactory.metrics` +* Align all liveness and readiness probes (Removed hard-coded values) + +## [107.85.0] - May 29, 2024 +* Changed `migration.enabled` to false by default. For 6.x to 7.x migration, this flag needs to be set to `true` + +## [107.84.0] - May 29, 2024 +* Added image section for `initContainers` instead of `initContainerImage` +* Renamed `router.image.imagePullPolicy` to `router.image.pullPolicy` +* Removed loggers.image section +* Added support for `global.verisons.initContainers` to override `initContainers.image.tag` +* Fixed an issue with extraSystemYaml merge +* **IMPORTANT** +* Renamed `artifactory.setSecurityContext` to `artifactory.podSecurityContext` +* Renamed `artifactory.uid` to `artifactory.podSecurityContext.runAsUser` +* Renamed `artifactory.gid` to `artifactory.podSecurityContext.runAsGroup` and `artifactory.podSecurityContext.fsGroup` +* Renamed `artifactory.fsGroupChangePolicy` to `artifactory.podSecurityContext.fsGroupChangePolicy` +* Renamed `artifactory.seLinuxOptions` to `artifactory.podSecurityContext.seLinuxOptions` +* Added flag `allowNonPostgresql` defaults to false +* Update postgresql tag version to `15.6.0-debian-12-r5` +* Added a check if `initContainerImage` exists +* Fixed a wrong imagePullPolicy configuration +* Fixed an issue to generate unified secret to support artifactory fullname [GH-1882](https://github.com/jfrog/charts/issues/1882) +* Fixed an issue template render on loggers [GH-1883](https://github.com/jfrog/charts/issues/1883) +* Override metadata and observability image tag with `global.verisons.artifactory` value +* Fixed resource constraints for "setup" initContainer of nginx deployment [GH-962] (https://github.com/jfrog/charts/issues/962) +* Added .Values.artifactory.unifiedSecretsPrependReleaseName` for unified secret to prepend release name +* Fixed maxCacheSize and cacheProviderDir mix up under azure-blob-storage-v2-direct template in binarystore.xml + +## [107.83.0] - Mar 12, 2024 +* Added image section for `metadata` and `observability` + +## [107.82.0] - Mar 04, 2024 +* Added `disableRouterBypass` flag as experimental feature, to disable the artifactoryPath /artifactory/ and route all traffic through the Router. +* Removed Replicator Service + +## [107.81.0] - Feb 20, 2024 +* **IMPORTANT** +* Refactored systemYaml configuration (moved to files/system.yaml instead of key in values.yaml) +* Added ability to provide `extraSystemYaml` configuration in values.yaml which will merge with the existing system yaml when `systemYamlOverride` is not given [GH-1848](https://github.com/jfrog/charts/pull/1848) +* Added option to modify the new cache configs, maxFileSizeLimit and skipDuringUpload +* Added IPV4/IPV6 Dualstack flag support for Artifactory and nginx service +* Added `singleStackIPv6Cluster` flag, which manages the Nginx configuration to enable listening on IPv6 and proxying +* Fixing broken link for creating additional kubernetes resources. Refer [here](https://github.com/jfrog/log-analytics-prometheus/blob/master/helm/artifactory-ha-values.yaml) +* Refactored installerInfo configuration (moved to files/installer-info.json instead of key in values.yaml) + +## [107.80.0] - Feb 20, 2024 +* Updated README.md to create a namespace using `--create-namespace` as part of helm install + +## [107.79.0] - Feb 20, 2024 +* **IMPORTANT** +* Added `unifiedSecretInstallation` flag which enables single unified secret holding all internal (chart) secrets to `true` by default +* Added support for azure-blob-storage-v2-direct config +* Added option to set Nginx to write access_log to container STDOUT +* **Important change:** +* Update postgresql tag version to `15.2.0-debian-11-r23` +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default bundles PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x/12.x/13.x's postgresql.image.tag, previous postgresql.persistence.size and databaseUpgradeReady=true + +## [107.77.0] - April 22, 2024 +* Removed integration service +* Added recommended postgresql sizing configurations under sizing directory +* Updated artifactory-federation (probes, port, embedded mode) +* **IMPORTANT** +* setSecurityContext has been renamed to podSecurityContext. +* Moved podSecurityContext to values.yaml +* Fixing broken nginx port [GH-1860](https://github.com/jfrog/charts/issues/1860) +* Added nginx.customCommand to use custom commands for the nginx container + +## [107.76.0] - Dec 13, 2023 +* Added connectionTimeout and socketTimeout paramaters under AWSS3 binarystore section +* Reduced nginx startupProbe initialDelaySeconds + +## [107.74.0] - Nov 30, 2023 +* Added recommended sizing configurations under sizing directory, please refer [here](README.md/#apply-sizing-configurations-to-the-chart) +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml + +## [107.70.0] - Nov 30, 2023 +* Fixed - StatefulSet pod annotations changed from range to toYaml [GH-1828](https://github.com/jfrog/charts/issues/1828) +* Fixed - Invalid format for awsS3V3 `multiPartLimit,multipartElementSize` in binarystore.xml +* Fixed - Artifactory primary service condition +* Fixed - SecurityContext with runAsGroup in artifactory-ha [GH-1838](https://github.com/jfrog/charts/issues/1838) +* Added support for custom labels in the Nginx pods [GH-1836](https://github.com/jfrog/charts/pull/1836) +* Added podSecurityContext and containerSecurityContext for nginx +* Added support for nginx on openshift, set `podSecurityContext` and `containerSecurityContext` to false +* Renamed nginx internalPort 80,443 to 8080,8443 to support openshift + +## [107.69.0] - Sep 18, 2023 +* Adjust rtfs context +* Fixed - Metadata service does not respect customVolumeMounts for DB CAs [GH-1815](https://github.com/jfrog/charts/issues/1815) + +## [107.68.8] - Sep 18, 2023 +* Reverted - Enabled `unifiedSecretInstallation` by default [GH-1819](https://github.com/jfrog/charts/issues/1819) +* Removed unused `artifactory.javaOpts` from values.yaml +* Removed openshift condition check from NOTES.txt +* Fixed an issue with artifactory node replicaCount [GH-1808](https://github.com/jfrog/charts/issues/1808) + +## [107.68.7] - Aug 28, 2023 +* Enabled `unifiedSecretInstallation` by default +* Removed unused `artifactory.javaOpts` from values.yaml + +## [107.67.0] - Aug 28, 2023 +* Add 'extraJavaOpts' and 'port' values to federation service + +## [107.66.0] - Aug 28, 2023 +* Added federation service container in artifactory +* Add rtfs service to ingress in artifactory + +## [107.64.0] - Aug 28,2023 +* Added support to configure event.webhooks within generated system.yaml +* Fixed an issue to generate ssl certificate should support artifactory-ha fullname +* Added 'multiPartLimit' and 'multipartElementSize' parameters to awsS3V3 binary providers. +* Increased default Artifactory Tomcat acceptCount config to 400 +* Fixed Illegal Strict-Transport-Security header in nginx config + +## [107.63.0] - Aug 28, 2023 +* Added support for Openshift by adding the securityContext in container level. +* **IMPORTANT** +* Disable securityContext in container and pod level to deploy postgres on openshift. +* Fixed support for fsGroup in non openshift environment and runAsGroup in openshift environment. +* Fixed - Helm Template Error when using artifactory.loggers [GH-1791](https://github.com/jfrog/charts/issues/1791) +* Removed the nginx disable condition for openshift +* Fixed jfconnect disabling as micro-service on splitcontainers [GH-1806](https://github.com/jfrog/charts/issues/1806) + +## [107.62.0] - Jun 5, 2023 +* Added support for 'port' and 'useHttp' parameters for s3-storage-v3 binary provider [GH-1767](https://github.com/jfrog/charts/issues/1767) + +## [107.61.0] - May 31, 2023 +* Added new binary provider `google-storage-v2-direct` + +## [107.60.0] - May 31, 2023 +* Enabled `splitServicesToContainers` to true by default +* Updated the recommended values for small, medium and large installations to support the 'splitServicesToContainers' + +## [107.59.0] - May 31, 2023 +* Fixed reference of `terminationGracePeriodSeconds` +* **Breaking change** +* Updated the defaults of replicaCount (Values.artifactory.primary.replicaCount and Values.artifactory.node.replicaCount) to support Cloud-Native High Availability. Refer [Cloud-Native High Availability](https://jfrog.com/help/r/jfrog-installation-setup-documentation/cloud-native-high-availability) +* Updated the values of the recommended resources - values-small, values-medium and values-large according to the Cloud-Native HA support. +* **IMPORTANT** +* In the absence of custom parameters for primary.replicaCount and node.replicaCount on your deployment, it is recommended to specify the current values explicitly to prevent any undesired changes to the deployment structure. +* Please be advised that the configuration for resources allocation (requests, limits, javaOpts, affinity rules, etc) will now be applied solely under Values.artifactory.primary when using the new defaults. +* **Upgrade** +* Upgrade from primary-members to primary-only is recommended, and can be done by deploy the chart with the new values. +* During the upgrade, members pods should be deleted and new primary pods should be created. This might trigger the creation of new PVCs. +* Added Support for Cold Artifact Storage as part of the systemYaml configuration (disabled by default) +* Added new binary provider `s3-storage-v3-archive` +* Fixed jfconnect disabling as micro-service on non-splitcontainers +* Fixed an issue whereby, Artifactory failed to start when using persistence storage type `nfs` due to missing binarystore.xml + + +## [107.58.0] - Mar 23, 2023 +* Updated postgresql multi-arch tag version to `13.10.0-debian-11-r14` +* Removed obselete remove-lost-found initContainer` +* Added env JF_SHARED_NODE_HAENABLED under frontend when running in the container split mode + +## [107.57.0] - Mar 02, 2023 +* Updated initContainerImage and logger image to `ubi9/ubi-minimal:9.1.0.1793` + +## [107.55.0] - Feb 21, 2023 +* Updated initContainerImage and logger image to `ubi9/ubi-minimal:9.1.0.1760` +* Adding a custom preStop to Artifactory router for allowing graceful termination to complete +* Fixed an invalid reference of node selector on artifactory-ha chart + +## [107.53.0] - Jan 20, 2023 +* Updated initContainerImage and logger image to `ubi8/ubi-minimal:8.7.1049` + +## [107.50.0] - Jan 20, 2023 +* Updated postgresql tag version to `13.9.0-debian-11-r11` +* Fixed make lint issue on artifactory-ha chart [GH-1714](https://github.com/jfrog/charts/issues/1714) +* Fixed an issue for capabilities check of ingress +* Updated jfrogUrl text path in migrate.sh file +* Added a note that from 107.46.x chart versions, `copyOnEveryStartup` is not needed for binarystore.xml, it is always copied via initContainers. For more Info, Refer [GH-1723](https://github.com/jfrog/charts/issues/1723) + +## [107.49.0] - Jan 16, 2023 +* Changed logic in wait-for-primary container to use /dev/tcp instead of curl +* Added support for setting `seLinuxOptions` in `securityContext` [GH-1700](https://github.com/jfrog/charts/pull/1700) +* Added option to enable/disable proxy_request_buffering and proxy_buffering_off [GH-1686](https://github.com/jfrog/charts/pull/1686) +* Updated initContainerImage and logger image to `ubi8/ubi-minimal:8.7.1049` + +## [107.48.0] - Oct 27, 2022 +* Updated router version to `7.51.0` + +## [107.47.0] - Sep 29, 2022 +* Updated initContainerImage to `ubi8/ubi-minimal:8.6-941` +* Added support for annotations for artifactory statefulset and nginx deployment [GH-1665](https://github.com/jfrog/charts/pull/1665) +* Updated router version to `7.49.0` + +## [107.46.0] - Sep 14, 2022 +* **IMPORTANT** +* Added support for lifecycle hooks for all containers, changed `artifactory.postStartCommand` to `.Values.artifactory.lifecycle.postStart.exec.command` +* Updated initContainerImage and logger image to `ubi8/ubi-minimal:8.6-902` +* Update nginx configuration to allow websocket requests when using pipelines +* Fixed an issue to allow artifactory to make direct API calls to store instead via jfconnect service when `splitServicesToContainers=true` +* Refactor binarystore.xml configuration (moved to `files/binarystore.xml` instead of key in values.yaml) +* Added new binary providers `s3-storage-v3-direct`, `azure-blob-storage-direct`, `google-storage-v2` +* Deprecated (removed) `aws-s3` binary provider [JetS3t library](https://www.jfrog.com/confluence/display/JFROG/Configuring+the+Filestore#ConfiguringtheFilestore-BinaryProvider) +* Deprecated (removed) `google-storage` binary provider and force persistence storage type `google-storage` to work with `google-storage-v2` only +* Copy binarystore.xml in init Container to fix existing persistence on file system in clear text +* Removed obselete `.Values.artifactory.binarystore.enabled` key +* Removed `newProbes.enabled`, default to new probes +* Added nginx.customCommand using inotifyd to reload nginx's config upon ssl secret or configmap changes [GH-1640](https://github.com/jfrog/charts/pull/1640) + +## [107.43.0] - Aug 25, 2022 +* Added flag `artifactory.replicator.ingress.enabled` to enable/disable ingress for replicator +* Updated initContainerImage and logger image to `ubi8/ubi-minimal:8.6-854` +* Updated router version to `7.45.0` +* Added flag `artifactory.schedulerName` to set for the pods the value of schedulerName field [GH-1606](https://github.com/jfrog/charts/issues/1606) +* Enabled TLS based on access or router in values.yaml + +## [107.42.0] - Aug 25, 2022 +* Enabled database creds secret to use from unified secret +* Updated router version to `7.42.0` +* Added support to truncate (> 63 chars) for unifiedCustomSecretVolumeName + +## [107.41.0] - June 27, 2022 +* Added support for nginx.terminationGracePeriodSeconds [GH-1645](https://github.com/jfrog/charts/issues/1645) +* Fix nginx lifecycle values [GH-1646](https://github.com/jfrog/charts/pull/1646) +* Use an alternate command for `find` to copy custom certificates +* Added support for circle of trust using `circleOfTrustCertificatesSecret` secret name [GH-1623](https://github.com/jfrog/charts/pull/1623) + +## [107.40.0] - Jun 16, 2022 +* Deprecated k8s PodDisruptionBudget api policy/v1beta1 [GH-1618](https://github.com/jfrog/charts/issues/1618) +* Disabled node PodDisruptionBudget, statefulset and artifactory-primary service from artifactory-ha chart when member nodes are 0 +* From artifactory 7.38.x, joinKey can be retrived from Admin > User Management > Settings in UI +* Fixed template name for artifactory-ha database creds [GH-1602](https://github.com/jfrog/charts/pull/1602) +* Allow templating for pod annotations [GH-1634](https://github.com/jfrog/charts/pull/1634) +* Added flags to control enable/disable infra services in splitServicesToContainers + +## [107.39.0] - May 16, 2022 +* Fix default `artifactory.async.corePoolSize` [GH-1612](https://github.com/jfrog/charts/issues/1612) +* Added support of nginx annotations +* Reduce startupProbe `initialDelaySeconds` +* Align all liveness and readiness probes failureThreshold to `5` seconds +* Added new flag `unifiedSecretInstallation` to enables single unified secret holding all the artifactory-ha secrets +* Updated router version to `7.38.0` + +## [107.38.0] - May 04, 2022 +* Added support for `global.nodeSelector` to artifactory and nginx pods +* Updated router version to `7.36.1` +* Added support for custom global probes timeout +* Updated frontend container command +* Added topologySpreadConstraints to artifactory and nginx, and add lifecycle hooks to nginx [GH-1596](https://github.com/jfrog/charts/pull/1596) +* Added support of extraEnvironmentVariables for all infra services containers +* Enabled the consumption (jfconnect) flag by default +* Fix jfconnect disabling on non-splitcontainers + +## [107.37.0] - Mar 08, 2022 +* Added support for customPorts in nginx deployment +* Bugfix - Wrong proxy_pass configurations for /artifactory/ in the default artifactory.conf +* Added signedUrlExpirySeconds option to artifactory.persistence.type aws-S3-V3 +* Updated router version to `7.35.0` +* Added useInstanceCredentials,enableSignedUrlRedirect option to google-storage-v2 +* Changed dependency charts repo to `charts.jfrog.io` + +## [107.36.0] - Mar 03, 2022 +* Remove pdn tracker which starts replicator service +* Added silent option for curl probes +* Added readiness health check for the artifactory container for k8s version < 1.20 +* Fix property file migration issue to system.yaml 6.x to 7.x + +## [107.35.0] - Feb 08, 2022 +* Updated router version to `7.32.1` + +## [107.33.0] - Jan 11, 2022 +* Make default value of anti-affinity to soft +* Readme fixes +* Added support for setting `fsGroupChangePolicy` +* Added nginx customInitContainers, customVolumes, customSidecarContainers [GH-1565](https://github.com/jfrog/charts/pull/1565) +* Updated router version to `7.30.0` + +## [107.32.0] - Dec 23, 2021 +* Updated logger image to `jfrog/ubi-minimal:8.5-204` +* Added default `8091` as `artifactory.tomcat.maintenanceConnector.port` for probes check +* Refactored probes to replace httpGet probes with basic exec + curl +* Refactored `database-creds` secret to create only when database values are passed +* Added new endpoints for probes `/artifactory/api/v1/system/liveness` and `/artifactory/api/v1/system/readiness` +* Enabled `newProbes:true` by default to use these endpoints +* Fix filebeat sidecar spool file permissions +* Updated filebeat sidecar container to `7.16.2` + +## [107.31.0] - Dec 17, 2021 +* Remove integration service feature flag to make it mandatory service +* Update postgresql tag version to `13.4.0-debian-10-r39` +* Refactored `router.requiredServiceTypes` to support platform chart + +## [107.30.0] - Nov 30, 2021 +* Fixed incorrect permission for filebeat.yaml +* Updated healthcheck (liveness/readiness) api for integration service +* Disable readiness health check for the artifactory container when running in the container split mode +* Ability to start replicator on enabling pdn tracker + +## [107.29.0] - Nov 30, 2021 +* Added integration service container in artifactory +* Add support for Ingress Class Name in Ingress Spec [GH-1516](https://github.com/jfrog/charts/pull/1516) +* Fixed chart values to use curl instead of wget [GH-1529](https://github.com/jfrog/charts/issues/1529) +* Updated nginx config to allow websockets when pipelines is enabled +* Moved router.topology.local.requireqservicetypes from system.yaml to router as environment variable +* Added jfconnect in system.yaml +* Updated artifactory container’s health probes to use artifactory api on rt-split +* Updated initContainerImage to `jfrog/ubi-minimal:8.5-204` +* Updated router version to `7.28.2` +* Set Jfconnect enabled to `false` in the artifactory container when running in the container split mode + +## [107.28.0] - Nov 11, 2021 +* Added default values cpu and memeory in initContainers +* Updated router version to `7.26.0` +* Bug fix - jmx port not exposed in artifactory service +* Updated (`rbac.create` and `serviceAccount.create` to false by default) for least privileges +* Fixed incorrect data type for `Values.router.serviceRegistry.insecure` in default values.yaml [GH-1514](https://github.com/jfrog/charts/pull/1514/files) +* **IMPORTANT** +* Changed init-container images from `alpine` to `ubi8/ubi-minimal` +* Added support for AWS License Manager using `.Values.aws.licenseConfigSecretName` + +## [107.27.0] - Oct 6, 2021 +* **Breaking change** +* Aligned probe structure (moved probes variables under config block) +* Added support for new probes(set to false by default) +* Bugfix - Invalid format for `multiPartLimit,multipartElementSize,maxCacheSize` in binarystore.xml [GH-1466](https://github.com/jfrog/charts/issues/1466) +* Added missioncontrol container in artifactory +* Dropped NET_RAW capability for the containers +* Added resources to migration-artifactory init container +* Added resources to all rt split containers +* Updated router version to `7.25.1` +* Added support for Ingress networking.k8s.io/v1/Ingress for k8s >=1.22 [GH-1487](https://github.com/jfrog/charts/pull/1487) +* Added min kubeVersion ">= 1.14.0-0" in chart.yaml +* Update alpine tag version to `3.14.2` +* Update busybox tag version to `1.33.1` +* Update postgresql tag version to `13.4.0-debian-10-r39` + +## [107.26.0] - Aug 20, 2021 +* Added Observability container (only when `splitServicesToContainers` is enabled) +* Added min kubeVersion ">= 1.12.0-0" in chart.yaml + +## [107.25.0] - Aug 13, 2021 +* Updated readme of chart to point to wiki. Refer [Installing Artifactory](https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory) +* Added startupProbe and livenessProbe for RT-split containers +* Updated router version to 7.24.1 +* Added security hardening fixes +* Enabled startup probes for k8s >= 1.20.x +* Changed network policy to allow all ingress and egress traffic +* Added Observability changes +* Added support for global.versions.router (only when `splitServicesToContainers` is enabled) + +## [107.24.0] - July 27, 2021 +* Support global and product specific tags at the same time +* Added support for artifactory containers split + +## [107.23.0] - July 8, 2021 +* Bug fix - logger sideCar picks up Wrong File in helm +* Allow filebeat metrics configuration in values.yaml + +## [107.22.0] - July 6, 2021 +* Update alpine tag version to `3.14.0` +* Added `nodePort` support to artifactory-service and nginx-service templates +* Removed redundant `terminationGracePeriodSeconds` in statefulset +* Increased `startupProbe.failureThreshold` time + +## [107.21.3] - July 2, 2021 +* Added ability to change sendreasonphrase value in server.xml via system yaml + +## [107.19.3] - May 20, 2021 +* Fix broken support for startupProbe for k8s < 1.18.x +* Removed an extraneous resources block from the prepare-custom-persistent-volume container in the primary statefulset +* Added support for `nameOverride` and `fullnameOverride` in values.yaml + +## [107.18.6] - May 4, 2021 +* Removed `JF_SHARED_NODE_PRIMARY` env to support for Cloud Native HA +* Bumping chart version to align with app version +* Add `securityContext` option on nginx container + +## [5.0.0] - April 22, 2021 +* **Breaking change:** +* Increased default postgresql persistence size to `200Gi` +* Update postgresql tag version to `13.2.0-debian-10-r55` +* Update postgresql chart version to `10.3.18` in chart.yaml - [10.x Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1000) +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x/12.x's postgresql.image.tag, previous postgresql.persistence.size and databaseUpgradeReady=true +* **IMPORTANT** +* This chart is only helm v3 compatible +* Fix support for Cloud Native HA +* Fixed filebeat-configmap naming +* Explicitly set ServiceAccount `automountServiceAccountToken` to 'true' +* Update alpine tag version to `3.13.5` + +## [4.13.2] - April 15, 2021 +* Updated Artifactory version to 7.17.9 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.17.9) + +## [4.13.1] - April 6, 2021 +* Updated Artifactory version to 7.17.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.17.6) +* Update alpine tag version to `3.13.4` + +## [4.13.0] - April 5, 2021 +* **IMPORTANT** +* Added `charts.jfrog.io` as default JFrog Helm repository +* Updated Artifactory version to 7.17.5 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.17.5) + +## [4.12.2] - Mar 31, 2021 +* Updated Artifactory version to 7.17.4 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.17.4) + +## [4.12.1] - Mar 30, 2021 +* Updated Artifactory version to 7.17.3 +* Add `timeoutSeconds` to all exec probes - Please refer [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes) + +## [4.12.0] - Mar 24, 2021 +* Updated Artifactory version to 7.17.2 +* Optimized startupProbe time + +## [4.11.0] - Mar 18, 2021 +* Add support to startupProbe + +## [4.10.0] - Mar 15, 2021 +* Updated Artifactory version to 7.16.3 + +## [4.9.5] - Mar 09, 2021 +* Added HSTS header to nginx conf + +## [4.9.4] - Mar 9, 2021 +* Removed bintray URL references in the chart + +## [4.9.3] - Mar 04, 2021 +* Updated Artifactory version to 7.15.4 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.15.4) + +## [4.9.2] - Mar 04, 2021 +* Fixed creation of nginx-certificate-secret when Nginx is disabled + +## [4.9.1] - Feb 19, 2021 +* Update busybox tag version to `1.32.1` + +## [4.9.0] - Feb 18, 2021 +* Updated Artifactory version to 7.15.3 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.15.3) +* Add option to specify update strategy for Artifactory statefulset + +## [4.8.1] - Feb 11, 2021 +* Exposed "multiPartLimit" and "multipartElementSize" for the Azure Blob Storage Binary Provider + +## [4.8.0] - Feb 08, 2021 +* Updated Artifactory version to 7.12.8 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.12.8) +* Support for custom certificates using secrets +* **Important:** Switched docker images download from `docker.bintray.io` to `releases-docker.jfrog.io` +* Update alpine tag version to `3.13.1` + +## [4.7.9] - Feb 3, 2021 +* Fix copyOnEveryStartup for HA cluster license + +## [4.7.8] - Jan 25, 2021 +* Add support for hostAliases + +## [4.7.7] - Jan 11, 2021 +* Fix failures when using creds file for configurating google storage + +## [4.7.6] - Jan 11, 2021 +* Updated Artifactory version to 7.12.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.12.6) + +## [4.7.5] - Jan 07, 2021 +* Added support for optional tracker dedicated ingress `.Values.artifactory.replicator.trackerIngress.enabled` (defaults to false) + +## [4.7.4] - Jan 04, 2021 +* Fixed gid support for statefulset + +## [4.7.3] - Dec 31, 2020 +* Added gid support for statefulset +* Add setSecurityContext flag to allow securityContext block to be removed from artifactory statefulset + +## [4.7.2] - Dec 29, 2020 +* **Important:** Removed `.Values.metrics` and `.Values.fluentd` (Fluentd and Prometheus integrations) +* Add support for creating additional kubernetes resources - [refer here](https://github.com/jfrog/log-analytics-prometheus/blob/master/artifactory-ha-values.yaml) +* Updated Artifactory version to 7.12.5 + +## [4.7.1] - Dec 21, 2020 +* Updated Artifactory version to 7.12.3 + +## [4.7.0] - Dec 18, 2020 +* Updated Artifactory version to 7.12.2 +* Added `.Values.artifactory.openMetrics.enabled` + +## [4.6.1] - Dec 11, 2020 +* Added configurable `.Values.global.versions.artifactory` in values.yaml + +## [4.6.0] - Dec 10, 2020 +* Update postgresql tag version to `12.5.0-debian-10-r25` +* Fixed `artifactory.persistence.googleStorage.endpoint` from `storage.googleapis.com` to `commondatastorage.googleapis.com` +* Updated chart maintainers email + +## [4.5.5] - Dec 4, 2020 +* **Important:** Renamed `.Values.systemYaml` to `.Values.systemYamlOverride` + +## [4.5.4] - Dec 1, 2020 +* Improve error message returned when attempting helm upgrade command + +## [4.5.3] - Nov 30, 2020 +* Updated Artifactory version to 7.11.5 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.11) + +# [4.5.2] - Nov 23, 2020 +* Updated Artifactory version to 7.11.2 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.11) +* Updated port namings on services and pods to allow for istio protocol discovery +* Change semverCompare checks to support hosted Kubernetes +* Add flag to disable creation of ServiceMonitor when enabling prometheus metrics +* Prevent the PostHook command to be executed if the user did not specify a command in the values file +* Fix issue with tls file generation when nginx.https.enabled is false + +## [4.5.1] - Nov 19, 2020 +* Updated Artifactory version to 7.11.2 +* Bugfix - access.config.import.xml override Access Federation configurations + +## [4.5.0] - Nov 17, 2020 +* Updated Artifactory version to 7.11.1 +* Update alpine tag version to `3.12.1` + +## [4.4.6] - Nov 10, 2020 +* Pass system.yaml via external secret for advanced usecases +* Added support for custom ingress +* Bugfix - stateful set not picking up changes to database secrets + +## [4.4.5] - Nov 9, 2020 +* Updated Artifactory version to 7.10.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.6) + +## [4.4.4] - Nov 2, 2020 +* Add enablePathStyleAccess property for aws-s3-v3 binary provider template + +## [4.4.3] - Nov 2, 2020 +* Updated Artifactory version to 7.10.5 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.5) + +## [4.4.2] - Oct 22, 2020 +* Chown bug fix where Linux capability cannot chown all files causing log line warnings +* Fix Frontend timeout linting issue + +## [4.4.1] - Oct 20, 2020 +* Add flag to disable prepare-custom-persistent-volume init container + +## [4.4.0] - Oct 19, 2020 +* Updated Artifactory version to 7.10.2 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.2) + +## [4.3.4] - Oct 19, 2020 +* Add support to specify priorityClassName for nginx deployment + +## [4.3.3] - Oct 15, 2020 +* Fixed issue with node PodDisruptionBudget which also getting applied on the primary +* Fix mandatory masterKey check issue when upgrading from 6.x to 7.x + +## [4.3.2] - Oct 14, 2020 +* Add support to allow more than 1 Primary in Artifactory-ha STS + +## [4.3.1] - Oct 9, 2020 +* Add global support for customInitContainersBegin + +## [4.3.0] - Oct 07, 2020 +* Updated Artifactory version to 7.9.1 +* **Breaking change:** Fix `storageClass` to correct `storageClassName` in values.yaml + +## [4.2.0] - Oct 5, 2020 +* Expose Prometheus metrics via a ServiceMonitor +* Parse log files for metric data with Fluentd + +## [4.1.0] - Sep 30, 2020 +* Updated Artifactory version to 7.9.0 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.9) + +## [4.0.12] - Sep 25, 2020 +* Update to use linux capability CAP_CHOWN instead of root base init container to avoid any use of root containers to pass Redhat security requirements + +## [4.0.11] - Sep 28, 2020 +* Setting chart coordinates in migitation yaml + +## [4.0.10] - Sep 25, 2020 +* Update filebeat version to `7.9.2` + +## [4.0.9] - Sep 24, 2020 +* Fixed broken issue - when setting `waitForDatabase:false` container startup still waits for DB + +## [4.0.8] - Sep 22, 2020 +* Updated readme + +## [4.0.7] - Sep 22, 2020 +* Fix lint issue in migitation yaml + +## [4.0.6] - Sep 22, 2020 +* Fix broken migitation yaml + +## [4.0.5] - Sep 21, 2020 +* Added mitigation yaml for Artifactory - [More info](https://github.com/jfrog/chartcenter/blob/master/docs/securitymitigationspec.md) + +## [4.0.4] - Sep 17, 2020 +* Added configurable session(UI) timeout in frontend microservice + +## [4.0.3] - Sep 17, 2020 +* Fix small typo in README and added proper required text to be shown while postgres upgrades + +## [4.0.2] - Sep 14, 2020 +* Updated Artifactory version to 7.7.8 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.7.8) + +## [4.0.1] - Sep 8, 2020 +* Added support for artifactory pro license (single node) installation. + +## [4.0.0] - Sep 2, 2020 +* **Breaking change:** Changed `imagePullSecrets` value from string to list +* **Breaking change:** Added `image.registry` and changed `image.version` to `image.tag` for docker images +* Added support for global values +* Updated maintainers in chart.yaml +* Update postgresql tag version to `12.3.0-debian-10-r71` +* Update postgresqlsub chart version to `9.3.4` - [9.x Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#900) +* **IMPORTANT** +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x's postgresql.image.tag and databaseUpgradeReady=true. + +## [3.1.0] - Aug 13, 2020 +* Updated Artifactory version to 7.7.3 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.7) + +## [3.0.15] - Aug 10, 2020 +* Added enableSignedUrlRedirect for persistent storage type aws-s3-v3. + +## [3.0.14] - Jul 31, 2020 +* Update the README section on Nginx SSL termination to reflect the actual YAML structure. + +## [3.0.13] - Jul 30, 2020 +* Added condition to disable the migration scripts. + +## [3.0.12] - Jul 29, 2020 +* Document Artifactory node affinity. + +## [3.0.11] - Jul 28, 2020 +* Added maxConnections for persistent storage type aws-s3-v3. + +## [3.0.10] - Jul 28, 2020 +Bugfix / support for userPluginSecrets with Artifactory 7 + +## [3.0.9] - Jul 27, 2020 +* Add tpl to external database secrets. +* Modified `scheme` to `artifactory-ha.scheme` + +## [3.0.8] - Jul 23, 2020 +* Added condition to disable the migration init container. + +## [3.0.7] - Jul 21, 2020 +* Updated Artifactory-ha Chart to add node and primary labels to pods and service objects. + +## [3.0.6] - Jul 20, 2020 +* Support custom CA and certificates + +## [3.0.5] - Jul 13, 2020 +* Updated Artifactory version to 7.6.3 - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.6.3 +* Fixed Mysql database jar path in `preStartCommand` in README + +## [3.0.4] - Jul 8, 2020 +* Move some postgresql values to where they should be according to the subchart + +## [3.0.3] - Jul 8, 2020 +* Set Artifactory access client connections to the same value as the access threads. + +## [3.0.2] - Jul 6, 2020 +* Updated Artifactory version to 7.6.2 +* **IMPORTANT** +* Added ChartCenter Helm repository in README + +## [3.0.1] - Jul 01, 2020 +* Add dedicated ingress object for Replicator service when enabled + +## [3.0.0] - Jun 30, 2020 +* Update postgresql tag version to `10.13.0-debian-10-r38` +* Update alpine tag version to `3.12` +* Update busybox tag version to `1.31.1` +* **IMPORTANT** +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass postgresql.image.tag=9.6.18-debian-10-r7 and databaseUpgradeReady=true + +## [2.6.0] - Jun 29, 2020 +* Updated Artifactory version to 7.6.1 - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.6.1 +* Add tpl for external database secrets + +## [2.5.8] - Jun 25, 2020 +* Stop loading the Nginx stream module because it is now a core module + +## [2.5.7] - Jun 18, 2020 +* Fixes bootstrap configMap issue on member node + +## [2.5.6] - Jun 11, 2020 +* Support list of custom secrets + +## [2.5.5] - Jun 11, 2020 +* NOTES.txt fixed incorrect information + +## [2.5.4] - Jun 12, 2020 +* Updated Artifactory version to 7.5.7 - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.5.7 + +## [2.5.3] - Jun 8, 2020 +* Statically setting primary service type to ClusterIP. +* Prevents primary service from being exposed publicly when using LoadBalancer type on cloud providers. + +## [2.5.2] - Jun 8, 2020 +* Readme update - configuring Artifactory with oracledb + +## [2.5.1] - Jun 5, 2020 +* Fixes broken PDB issue upgrading from 6.x to 7.x + +## [2.5.0] - Jun 1, 2020 +* Updated Artifactory version to 7.5.5 - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.5 +* Fixes bootstrap configMap permission issue +* Update postgresql tag version to `9.6.18-debian-10-r7` + +## [2.4.10] - May 27, 2020 +* Added Tomcat maxThreads & acceptCount + +## [2.4.9] - May 25, 2020 +* Fixed postgresql README `image` Parameters + +## [2.4.8] - May 24, 2020 +* Fixed typo in README regarding migration timeout + +## [2.4.7] - May 19, 2020 +* Added metadata maxOpenConnections + +## [2.4.6] - May 07, 2020 +* Fix `installerInfo` string format + +## [2.4.5] - Apr 27, 2020 +* Updated Artifactory version to 7.4.3 + +## [2.4.4] - Apr 27, 2020 +* Change customInitContainers order to run before the "migration-ha-artifactory" initContainer + +## [2.4.3] - Apr 24, 2020 +* Fix `artifactory.persistence.awsS3V3.useInstanceCredentials` incorrect conditional logic +* Bump postgresql tag version to `9.6.17-debian-10-r72` in values.yaml + +## [2.4.2] - Apr 16, 2020 +* Custom volume mounts in migration init container. + +## [2.4.1] - Apr 16, 2020 +* Fix broken support for gcpServiceAccount for googleStorage + +## [2.4.0] - Apr 14, 2020 +* Updated Artifactory version to 7.4.1 + +## [2.3.1] - April 13, 2020 +* Update README with helm v3 commands + +## [2.3.0] - April 10, 2020 +* Use dependency charts from `https://charts.bitnami.com/bitnami` +* Bump postgresql chart version to `8.7.3` in requirements.yaml +* Bump postgresql tag version to `9.6.17-debian-10-r21` in values.yaml + +## [2.2.11] - Apr 8, 2020 +* Added recommended ingress annotation to avoid 413 errors + +## [2.2.10] - Apr 8, 2020 +* Moved migration scripts under `files` directory +* Support preStartCommand in migration Init container as `artifactory.migration.preStartCommand` + +## [2.2.9] - Apr 01, 2020 +* Support masterKey and joinKey as secrets + +## [2.2.8] - Apr 01, 2020 +* Ensure that the join key is also copied when provided by an external secret +* Migration container in primary and node statefulset now respects custom versions and the specified node/primary resources + +## [2.2.7] - Apr 01, 2020 +* Added cache-layer in chain definition of Google Cloud Storage template +* Fix readme use to `-hex 32` instead of `-hex 16` + +## [2.2.6] - Mar 31, 2020 +* Change the way the artifactory `command:` is set so it will properly pass a SIGTERM to java + +## [2.2.5] - Mar 31, 2020 +* Removed duplicate `artifactory-license` volume from primary node + +## [2.2.4] - Mar 31, 2020 +* Restore `artifactory-license` volume for the primary node + +## [2.2.3] - Mar 29, 2020 +* Add Nginx log options: stderr as logfile and log level + +## [2.2.2] - Mar 30, 2020 +* Apply initContainers.resources to `copy-system-yaml`, `prepare-custom-persistent-volume`, and `migration-artifactory-ha` containers +* Use the same defaulting mechanism used for the artifactory version used elsewhere in the chart +* Removed duplicate `artifactory-license` volume that prevented using an external secret + +## [2.2.1] - Mar 29, 2020 +* Fix loggers sidecars configurations to support new file system layout and new log names + +## [2.2.0] - Mar 29, 2020 +* Fix broken admin user bootstrap configuration +* **Breaking change:** renamed `artifactory.accessAdmin` to `artifactory.admin` + +## [2.1.3] - Mar 24, 2020 +* Use `postgresqlExtendedConf` for setting custom PostgreSQL configuration (instead of `postgresqlConfiguration`) + +## [2.1.2] - Mar 21, 2020 +* Support for SSL offload in Nginx service(LoadBalancer) layer. Introduced `nginx.service.ssloffload` field with boolean type. + +## [2.1.1] - Mar 23, 2020 +* Moved installer info to values.yaml so it is fully customizable + +## [2.1.0] - Mar 23, 2020 +* Updated Artifactory version to 7.3.2 + +## [2.0.36] - Mar 20, 2020 +* Add support GCP credentials.json authentication + +## [2.0.35] - Mar 20, 2020 +* Add support for masterKey trim during 6.x to 7.x migration if 6.x masterKey is 32 hex (64 characters) + +## [2.0.34] - Mar 19, 2020 +* Add support for NFS directories `haBackupDir` and `haDataDir` + +## [2.0.33] - Mar 18, 2020 +* Increased Nginx proxy_buffers size + +## [2.0.32] - Mar 17, 2020 +* Changed all single quotes to double quotes in values files +* useInstanceCredentials variable was declared in S3 settings but not used in chart. Now it is being used. + +## [2.0.31] - Mar 17, 2020 +* Fix rendering of Service Account annotations + +## [2.0.30] - Mar 16, 2020 +* Add Unsupported message from 6.18 to 7.2.x (migration) + +## [2.0.29] - Mar 11, 2020 +* Upgrade Docs update + +## [2.0.28] - Mar 11, 2020 +* Unified charts public release + +## [2.0.27] - Mar 8, 2020 +* Add an optional wait for primary node to be ready with a proper test for http status + +## [2.0.23] - Mar 6, 2020 +* Fix path to `/artifactory_bootstrap` +* Add support for controlling the name of the ingress and allow to set more than one cname + +## [2.0.22] - Mar 4, 2020 +* Add support for disabling `consoleLog` in `system.yaml` file + +## [2.0.21] - Feb 28, 2020 +* Add support to process `valueFrom` for extraEnvironmentVariables + +## [2.0.20] - Feb 26, 2020 +* Store join key to secret + +## [2.0.19] - Feb 26, 2020 +* Updated Artifactory version to 7.2.1 + +## [2.0.12] - Feb 07, 2020 +* Remove protection flag `databaseUpgradeReady` which was added to check internal postgres upgrade + +## [2.0.0] - Feb 07, 2020 +* Updated Artifactory version to 7.0.0 + +## [1.4.10] - Feb 13, 2020 +* Add support for SSH authentication to Artifactory + +## [1.4.9] - Feb 10, 2020 +* Fix custom DB password indention + +## [1.4.8] - Feb 9, 2020 +* Add support for `tpl` in the `postStartCommand` + +## [1.4.7] - Feb 4, 2020 +* Support customisable Nginx kind + +## [1.4.6] - Feb 2, 2020 +* Add a comment stating that it is recommended to use an external PostgreSQL with a static password for production installations + +## [1.4.5] - Feb 2, 2020 +* Add support for primary or member node specific preStartCommand + +## [1.4.4] - Jan 30, 2020 +* Add the option to configure resources for the logger containers + +## [1.4.3] - Jan 26, 2020 +* Improve `database.user` and `database.password` logic in order to support more use cases and make the configuration less repetitive + +## [1.4.2] - Jan 22, 2020 +* Refined pod disruption budgets to separate nginx and Artifactory pods + +## [1.4.1] - Jan 19, 2020 +* Fix replicator port config in nginx replicator configmap + +## [1.4.0] - Jan 19, 2020 +* Updated Artifactory version to 6.17.0 + +## [1.3.8] - Jan 16, 2020 +* Added example for external nginx-ingress + +## [1.3.7] - Jan 07, 2020 +* Add support for customizable `mountOptions` of NFS PVs + +## [1.3.6] - Dec 30, 2019 +* Fix for nginx probes failing when launched with http disabled + +## [1.3.5] - Dec 24, 2019 +* Better support for custom `artifactory.internalPort` + +## [1.3.4] - Dec 23, 2019 +* Mark empty map values with `{}` + +## [1.3.3] - Dec 16, 2019 +* Another fix for toggling nginx service ports + +## [1.3.2] - Dec 12, 2019 +* Fix for toggling nginx service ports + +## [1.3.1] - Dec 10, 2019 +* Add support for toggling nginx service ports + +## [1.3.0] - Dec 1, 2019 +* Updated Artifactory version to 6.16.0 + +## [1.2.4] - Nov 28, 2019 +* Add support for using existing PriorityClass + +## [1.2.3] - Nov 27, 2019 +* Add support for PriorityClass + +## [1.2.2] - Nov 20, 2019 +* Update Artifactory logo + +## [1.2.1] - Nov 18, 2019 +* Add the option to provide service account annotations (in order to support stuff like https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html) + +## [1.2.0] - Nov 18, 2019 +* Updated Artifactory version to 6.15.0 + +## [1.1.12] - Nov 17, 2019 +* Fix `README.md` format (broken table) + +## [1.1.11] - Nov 17, 2019 +* Update comment on Artifactory master key + +## [1.1.10] - Nov 17, 2019 +* Fix creation of double slash in nginx artifactory configuration + +## [1.1.9] - Nov 14, 2019 +* Set explicit `postgresql.postgresqlPassword=""` to avoid helm v3 error + +## [1.1.8] - Nov 12, 2019 +* Updated Artifactory version to 6.14.1 + +## [1.1.7] - Nov 11, 2019 +* Additional documentation for masterKey + +## [1.1.6] - Nov 10, 2019 +* Update PostgreSQL chart version to 7.0.1 +* Use formal PostgreSQL configuration format + +## [1.1.5] - Nov 8, 2019 +* Add support `artifactory.service.loadBalancerSourceRanges` for whitelisting when setting `artifactory.service.type=LoadBalancer` + +## [1.1.4] - Nov 6, 2019 +* Add support for any type of environment variable by using `extraEnvironmentVariables` as-is + +## [1.1.3] - Nov 6, 2019 +* Add nodeselector support for Postgresql + +## [1.1.2] - Nov 5, 2019 +* Add support for the aws-s3-v3 filestore, which adds support for pod IAM roles + +## [1.1.1] - Nov 4, 2019 +* When using `copyOnEveryStartup`, make sure that the target base directories are created before copying the files + +## [1.1.0] - Nov 3, 2019 +* Updated Artifactory version to 6.14.0 + +## [1.0.1] - Nov 3, 2019 +* Make sure the artifactory pod exits when one of the pre-start stages fail + +## [1.0.0] - Oct 27, 2019 +**IMPORTANT - BREAKING CHANGES!**
+**DOWNTIME MIGHT BE REQUIRED FOR AN UPGRADE!** +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), must use the upgrade instructions in [UPGRADE_NOTES.md](UPGRADE_NOTES.md)! +* PostgreSQL sub chart was upgraded to version `6.5.x`. This version is **not backward compatible** with the old version (`0.9.5`)! +* Note the following **PostgreSQL** Helm chart changes + * The chart configuration has changed! See [values.yaml](values.yaml) for the new keys used + * **PostgreSQL** is deployed as a StatefulSet + * See [PostgreSQL helm chart](https://hub.helm.sh/charts/stable/postgresql) for all available configurations + +## [0.17.3] - Oct 24, 2019 +* Change the preStartCommand to support templating + +## [0.17.2] - Oct 21, 2019 +* Add support for setting `artifactory.primary.labels` +* Add support for setting `artifactory.node.labels` +* Add support for setting `nginx.labels` + +## [0.17.1] - Oct 10, 2019 +* Updated Artifactory version to 6.13.1 + +## [0.17.0] - Oct 7, 2019 +* Updated Artifactory version to 6.13.0 + +## [0.16.7] - Sep 24, 2019 +* Option to skip wait-for-db init container with '--set waitForDatabase=false' + +## [0.16.6] - Sep 24, 2019 +* Add support for setting `nginx.service.labels` + +## [0.16.5] - Sep 23, 2019 +* Add support for setting `artifactory.customInitContainersBegin` + +## [0.16.4] - Sep 20, 2019 +* Add support for setting `initContainers.resources` + +## [0.16.3] - Sep 11, 2019 +* Updated Artifactory version to 6.12.2 + +## [0.16.2] - Sep 9, 2019 +* Updated Artifactory version to 6.12.1 + +## [0.16.1] - Aug 22, 2019 +* Fix the nginx server_name directive used with ingress.hosts + +## [0.16.0] - Aug 21, 2019 +* Updated Artifactory version to 6.12.0 + +## [0.15.15] - Aug 18, 2019 +* Fix existingSharedClaim permissions issue and example + +## [0.15.14] - Aug 14, 2019 +* Updated Artifactory version to 6.11.6 + +## [0.15.13] - Aug 11, 2019 +* Fix Ingress routing and add an example + +## [0.15.12] - Aug 6, 2019 +* Do not mount `access/etc/bootstrap.creds` unless user specifies a custom password or secret (Access already generates a random password if not provided one) +* If custom `bootstrap.creds` is provided (using keys or custom secret), prepare it with an init container so the temp file does not persist + +## [0.15.11] - Aug 5, 2019 +* Improve binarystore config + 1. Convert to a secret + 2. Move config to values.yaml + 3. Support an external secret + +## [0.15.10] - Aug 5, 2019 +* Don't create the nginx configmaps when nginx.enabled is false + +## [0.15.9] - Aug 1, 2019 +* Fix masterkey/masterKeySecretName not specified warning render logic in NOTES.txt + +## [0.15.8] - Jul 28, 2019 +* Simplify nginx setup and shorten initial wait for probes + +## [0.15.7] - Jul 25, 2019 +* Updated README about how to apply Artifactory licenses + +## [0.15.6] - Jul 22, 2019 +* Change Ingress API to be compatible with recent kubernetes versions + +## [0.15.5] - Jul 22, 2019 +* Updated Artifactory version to 6.11.3 + +## [0.15.4] - Jul 11, 2019 +* Add `artifactory.customVolumeMounts` support to member node statefulset template + +## [0.15.3] - Jul 11, 2019 +* Add ingress.hosts to the Nginx server_name directive when ingress is enabled to help with Docker repository sub domain configuration + +## [0.15.2] - Jul 3, 2019 +* Add the option for changing nginx config using values.yaml and remove outdated reverse proxy documentation + +## [0.15.1] - Jul 1, 2019 +* Updated Artifactory version to 6.11.1 + +## [0.15.0] - Jun 27, 2019 +* Updated Artifactory version to 6.11.0 and Restart Primary node when bootstrap.creds file has been modified in artifactory-ha + +## [0.14.4] - Jun 24, 2019 +* Add the option to provide an IP for the access-admin endpoints + +## [0.14.3] - Jun 24, 2019 +* Update chart maintainers + +## [0.14.2] - Jun 24, 2019 +* Change Nginx to point to the artifactory externalPort + +## [0.14.1] - Jun 23, 2019 +* Add values files for small, medium and large installations + +## [0.14.0] - Jun 20, 2019 +* Use ConfigMaps for nginx configuration and remove nginx postStart command + +## [0.13.10] - Jun 19, 2019 +* Updated Artifactory version to 6.10.4 + +## [0.13.9] - Jun 18, 2019 +* Add the option to provide additional ingress rules + +## [0.13.8] - Jun 14, 2019 +* Updated readme with improved external database setup example + +## [0.13.7] - Jun 6, 2019 +* Updated Artifactory version to 6.10.3 +* Updated installer-info template + +## [0.13.6] - Jun 6, 2019 +* Updated Google Cloud Storage API URL and https settings + +## [0.13.5] - Jun 5, 2019 +* Delete the db.properties file on Artifactory startup + +## [0.13.4] - Jun 3, 2019 +* Updated Artifactory version to 6.10.2 + +## [0.13.3] - May 21, 2019 +* Updated Artifactory version to 6.10.1 + +## [0.13.2] - May 19, 2019 +* Fix missing logger image tag + +## [0.13.1] - May 15, 2019 +* Support `artifactory.persistence.cacheProviderDir` for on-premise cluster + +## [0.13.0] - May 7, 2019 +* Updated Artifactory version to 6.10.0 + +## [0.12.23] - May 5, 2019 +* Add support for setting `artifactory.async.corePoolSize` + +## [0.12.22] - May 2, 2019 +* Remove unused property `artifactory.releasebundle.feature.enabled` + +## [0.12.21] - Apr 30, 2019 +* Add support for JMX monitoring + +## [0.12.20] - Apr29, 2019 +* Added support for headless services + +## [0.12.19] - Apr 28, 2019 +* Added support for `cacheProviderDir` + +## [0.12.18] - Apr 18, 2019 +* Changing API StatefulSet version to `v1` and permission fix for custom `artifactory.conf` for Nginx + +## [0.12.17] - Apr 16, 2019 +* Updated documentation for Reverse Proxy Configuration + +## [0.12.16] - Apr 12, 2019 +* Added support for `customVolumeMounts` + +## [0.12.15] - Aprl 12, 2019 +* Added support for `bucketExists` flag for googleStorage + +## [0.12.14] - Apr 11, 2019 +* Replace `curl` examples with `wget` due to the new base image + +## [0.12.13] - Aprl 07, 2019 +* Add support for providing the Artifactory license as a parameter + +## [0.12.12] - Apr 10, 2019 +* Updated Artifactory version to 6.9.1 + +## [0.12.11] - Aprl 04, 2019 +* Add support for templated extraEnvironmentVariables + +## [0.12.10] - Aprl 07, 2019 +* Change network policy API group + +## [0.12.9] - Aprl 04, 2019 +* Apply the existing PVC for members (in addition to primary) + +## [0.12.8] - Aprl 03, 2019 +* Bugfix for userPluginSecrets + +## [0.12.7] - Apr 4, 2019 +* Add information about upgrading Artifactory with auto-generated postgres password + +## [0.12.6] - Aprl 03, 2019 +* Added installer info + +## [0.12.5] - Aprl 03, 2019 +* Allow secret names for user plugins to contain template language + +## [0.12.4] - Apr 02, 2019 +* Fix issue #253 (use existing PVC for data and backup storage) + +## [0.12.3] - Apr 02, 2019 +* Allow NetworkPolicy configurations (defaults to allow all) + +## [0.12.2] - Aprl 01, 2019 +* Add support for user plugin secret + +## [0.12.1] - Mar 26, 2019 +* Add the option to copy a list of files to ARTIFACTORY_HOME on startup + +## [0.12.0] - Mar 26, 2019 +* Updated Artifactory version to 6.9.0 + +## [0.11.18] - Mar 25, 2019 +* Add CI tests for persistence, ingress support and nginx + +## [0.11.17] - Mar 22, 2019 +* Add the option to change the default access-admin password + +## [0.11.16] - Mar 22, 2019 +* Added support for `.Probe.path` to customise the paths used for health probes + +## [0.11.15] - Mar 21, 2019 +* Added support for `artifactory.customSidecarContainers` to create custom sidecar containers +* Added support for `artifactory.customVolumes` to create custom volumes + +## [0.11.14] - Mar 21, 2019 +* Make ingress path configurable + +## [0.11.13] - Mar 19, 2019 +* Move the copy of bootstrap config from postStart to preStart for Primary + +## [0.11.12] - Mar 19, 2019 +* Fix existingClaim example + +## [0.11.11] - Mar 18, 2019 +* Disable the option to use nginx PVC with more than one replica + +## [0.11.10] - Mar 15, 2019 +* Wait for nginx configuration file before using it + +## [0.11.9] - Mar 15, 2019 +* Revert securityContext changes since they were causing issues + +## [0.11.8] - Mar 15, 2019 +* Fix issue #247 (init container failing to run) + +## [0.11.7] - Mar 14, 2019 +* Updated Artifactory version to 6.8.7 + +## [0.11.6] - Mar 13, 2019 +* Move securityContext to container level + +## [0.11.5] - Mar 11, 2019 +* Add the option to use existing volume claims for Artifactory storage + +## [0.11.4] - Mar 11, 2019 +* Updated Artifactory version to 6.8.6 + +## [0.11.3] - Mar 5, 2019 +* Updated Artifactory version to 6.8.4 + +## [0.11.2] - Mar 4, 2019 +* Add support for catalina logs sidecars + +## [0.11.1] - Feb 27, 2019 +* Updated Artifactory version to 6.8.3 + +## [0.11.0] - Feb 25, 2019 +* Add nginx support for tail sidecars + +## [0.10.3] - Feb 21, 2019 +* Add s3AwsVersion option to awsS3 configuration for use with IAM roles + +## [0.10.2] - Feb 19, 2019 +* Updated Artifactory version to 6.8.2 + +## [0.10.1] - Feb 17, 2019 +* Updated Artifactory version to 6.8.1 +* Add example of `SERVER_XML_EXTRA_CONNECTOR` usage + +## [0.10.0] - Feb 15, 2019 +* Updated Artifactory version to 6.8.0 + +## [0.9.7] - Feb 13, 2019 +* Updated Artifactory version to 6.7.3 + +## [0.9.6] - Feb 7, 2019 +* Add support for tail sidecars to view logs from k8s api + +## [0.9.5] - Feb 6, 2019 +* Fix support for customizing statefulset `terminationGracePeriodSeconds` + +## [0.9.4] - Feb 5, 2019 +* Add support for customizing statefulset `terminationGracePeriodSeconds` + +## [0.9.3] - Feb 5, 2019 +* Remove the inactive server remove plugin + +## [0.9.2] - Feb 3, 2019 +* Updated Artifactory version to 6.7.2 + +## [0.9.1] - Jan 27, 2019 +* Fix support for Azure Blob Storage Binary provider + +## [0.9.0] - Jan 23, 2019 +* Updated Artifactory version to 6.7.0 + +## [0.8.10] - Jan 22, 2019 +* Added support for `artifactory.customInitContainers` to create custom init containers + +## [0.8.9] - Jan 18, 2019 +* Added support of values ingress.labels + +## [0.8.8] - Jan 16, 2019 +* Mount replicator.yaml (config) directly to /replicator_extra_conf + +## [0.8.7] - Jan 15, 2018 +* Add support for Azure Blob Storage Binary provider + +## [0.8.6] - Jan 13, 2019 +* Fix documentation about nginx group id + +## [0.8.5] - Jan 13, 2019 +* Updated Artifactory version to 6.6.5 + +## [0.8.4] - Jan 8, 2019 +* Make artifactory.replicator.publicUrl required when the replicator is enabled + +## [0.8.3] - Jan 1, 2019 +* Updated Artifactory version to 6.6.3 +* Add support for `artifactory.extraEnvironmentVariables` to pass more environment variables to Artifactory + +## [0.8.2] - Dec 28, 2018 +* Fix location `replicator.yaml` is copied to + +## [0.8.1] - Dec 27, 2018 +* Updated Artifactory version to 6.6.1 + +## [0.8.0] - Dec 20, 2018 +* Updated Artifactory version to 6.6.0 + +## [0.7.17] - Dec 17, 2018 +* Updated Artifactory version to 6.5.13 + +## [0.7.16] - Dec 12, 2018 +* Fix documentation about Artifactory license setup using secret + +## [0.7.15] - Dec 9, 2018 +* AWS S3 add `roleName` for using IAM role + +## [0.7.14] - Dec 6, 2018 +* AWS S3 `identity` and `credential` are now added only if have a value to allow using IAM role + +## [0.7.13] - Dec 5, 2018 +* Remove Distribution certificates creation. + +## [0.7.12] - Dec 2, 2018 +* Remove Java option "-Dartifactory.locking.provider.type=db". This is already the default setting. + +## [0.7.11] - Nov 30, 2018 +* Updated Artifactory version to 6.5.9 + +## [0.7.10] - Nov 29, 2018 +* Fixed the volumeMount for the replicator.yaml + +## [0.7.9] - Nov 29, 2018 +* Optionally include primary node into poddisruptionbudget + +## [0.7.8] - Nov 29, 2018 +* Updated postgresql version to 9.6.11 + +## [0.7.7] - Nov 27, 2018 +* Updated Artifactory version to 6.5.8 + +## [0.7.6] - Nov 18, 2018 +* Added support for configMap to use custom Reverse Proxy Configuration with Nginx + +## [0.7.5] - Nov 14, 2018 +* Updated Artifactory version to 6.5.3 + +## [0.7.4] - Nov 13, 2018 +* Allow pod anti-affinity settings to include primary node + +## [0.7.3] - Nov 12, 2018 +* Support artifactory.preStartCommand for running command before entrypoint starts + +## [0.7.2] - Nov 7, 2018 +* Support database.url parameter (DB_URL) + +## [0.7.1] - Oct 29, 2018 +* Change probes port to 8040 (so they will not be blocked when all tomcat threads on 8081 are exhausted) + +## [0.7.0] - Oct 28, 2018 +* Update postgresql chart to version 0.9.5 to be able and use `postgresConfig` options + +## [0.6.9] - Oct 23, 2018 +* Fix providing external secret for database credentials + +## [0.6.8] - Oct 22, 2018 +* Allow user to configure externalTrafficPolicy for Loadbalancer + +## [0.6.7] - Oct 22, 2018 +* Updated ingress annotation support (with examples) to support docker registry v2 + +## [0.6.6] - Oct 21, 2018 +* Updated Artifactory version to 6.5.2 + +## [0.6.5] - Oct 19, 2018 +* Allow providing pre-existing secret containing master key +* Allow arbitrary annotations on primary and member node pods +* Enforce size limits when using local storage with `emptyDir` +* Allow `soft` or `hard` specification of member node anti-affinity +* Allow providing pre-existing secrets containing external database credentials +* Fix `s3` binary store provider to properly use the `cache-fs` provider +* Allow arbitrary properties when using the `s3` binary store provider + +## [0.6.4] - Oct 18, 2018 +* Updated Artifactory version to 6.5.1 + +## [0.6.3] - Oct 17, 2018 +* Add Apache 2.0 license + +## [0.6.2] - Oct 14, 2018 +* Make S3 endpoint configurable (was hardcoded with `s3.amazonaws.com`) + +## [0.6.1] - Oct 11, 2018 +* Allows ingress default `backend` to be enabled or disabled (defaults to enabled) + +## [0.6.0] - Oct 11, 2018 +* Updated Artifactory version to 6.5.0 + +## [0.5.3] - Oct 9, 2018 +* Quote ingress hosts to support wildcard names + +## [0.5.2] - Oct 2, 2018 +* Add `helm repo add jfrog https://charts.jfrog.io` to README + +## [0.5.1] - Oct 2, 2018 +* Set Artifactory to 6.4.1 + +## [0.5.0] - Sep 27, 2018 +* Set Artifactory to 6.4.0 + +## [0.4.7] - Sep 26, 2018 +* Add ci/test-values.yaml + +## [0.4.6] - Sep 25, 2018 +* Add PodDisruptionBudget for member nodes, defaulting to minAvailable of 1 + +## [0.4.4] - Sep 2, 2018 +* Updated Artifactory version to 6.3.2 + +## [0.4.0] - Aug 22, 2018 +* Added support to run as non root +* Updated Artifactory version to 6.2.0 + +## [0.3.0] - Aug 22, 2018 +* Enabled RBAC Support +* Added support for PostStartCommand (To download Database JDBC connector) +* Increased postgresql max_connections +* Added support for `nginx.conf` ConfigMap +* Updated Artifactory version to 6.1.0 diff --git a/charts/jfrog/artifactory-ha/107.104.6/Chart.lock b/charts/jfrog/artifactory-ha/107.104.6/Chart.lock new file mode 100644 index 000000000..eb9409971 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: postgresql + repository: https://charts.jfrog.io/ + version: 10.3.18 +digest: sha256:404ce007353baaf92a6c5f24b249d5b336c232e5fd2c29f8a0e4d0095a09fd53 +generated: "2022-03-08T08:54:51.805126+05:30" diff --git a/charts/jfrog/artifactory-ha/107.104.6/Chart.yaml b/charts/jfrog/artifactory-ha/107.104.6/Chart.yaml new file mode 100644 index 000000000..405f7af4b --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/Chart.yaml @@ -0,0 +1,33 @@ +annotations: + artifactoryServiceVersion: 7.104.14 + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Artifactory HA + catalog.cattle.io/featured: "2" + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-ha + metadataVersion: 7.118.1 + observabilityVersion: 1.31.11 +apiVersion: v2 +appVersion: 7.104.6 +dependencies: +- condition: postgresql.enabled + name: postgresql + repository: https://charts.jfrog.io/ + version: 10.3.18 +description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. +home: https://www.jfrog.com/artifactory/ +icon: file://assets/icons/artifactory-ha.png +keywords: +- artifactory +- jfrog +- devops +kubeVersion: '>= 1.19.0-0' +maintainers: +- email: installers@jfrog.com + name: Chart Maintainers at JFrog +name: artifactory-ha +sources: +- https://github.com/jfrog/charts +type: application +version: 107.104.6 diff --git a/charts/jfrog/artifactory-ha/107.104.6/LICENSE b/charts/jfrog/artifactory-ha/107.104.6/LICENSE new file mode 100644 index 000000000..8dada3eda --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/jfrog/artifactory-ha/107.104.6/README.md b/charts/jfrog/artifactory-ha/107.104.6/README.md new file mode 100644 index 000000000..e0ef54016 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/README.md @@ -0,0 +1,69 @@ +# JFrog Artifactory High Availability Helm Chart + +**IMPORTANT!** Our Helm Chart docs have moved to our main documentation site. Below you will find the basic instructions for installing, uninstalling, and deleting Artifactory. For all other information, refer to [Installing Artifactory - Helm HA Installation](https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory#InstallingArtifactory-HelmHAInstallation). + +**Note:** From Artifactory 7.17.4 and above, the Helm HA installation can be installed so that each node you install can run all tasks in the cluster. + +Below you will find the basic instructions for installing, uninstalling, and deleting Artifactory. For all other information, refer to the documentation site. + +## Prerequisites Details + +* Kubernetes 1.19+ +* Artifactory HA license + +## Chart Details +This chart will do the following: + +* Deploy Artifactory highly available cluster. 3 primary nodes. +* Deploy a PostgreSQL database **NOTE:** For production grade installations it is recommended to use an external PostgreSQL +* Deploy an Nginx server + +## Installing the Chart + +### Add JFrog Helm repository + +Before installing JFrog helm charts, you need to add the [JFrog helm repository](https://charts.jfrog.io) to your helm client + +```bash +helm repo add jfrog https://charts.jfrog.io +``` +2. Next, create a unique Master Key (Artifactory requires a unique master key) and pass it to the template during installation. +3. Now, update the repository. + +```bash +helm repo update +``` + +### Install Chart +To install the chart with the release name `artifactory`: +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha --namespace artifactory-ha --create-namespace +``` + +### Apply Sizing configurations to the Chart +To apply the chart with recommended sizing configurations : +For small configurations : +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f sizing/artifactory-small.yaml --namespace artifactory-ha --create-namespace +``` + +## Uninstalling Artifactory + +Uninstall is supported only on Helm v3 and on. + +Uninstall Artifactory using the following command. + +```bash +helm uninstall artifactory-ha && sleep 90 && kubectl delete pvc -l app=artifactory-ha +``` + +## Deleting Artifactory + +**IMPORTANT:** Deleting Artifactory will also delete your data volumes and you will lose all of your data. You must back up all this information before deletion. You do not need to uninstall Artifactory before deleting it. + +To delete Artifactory use the following command. + +```bash +helm delete artifactory-ha --namespace artifactory-ha +``` + diff --git a/charts/jfrog/artifactory-ha/107.104.6/app-readme.md b/charts/jfrog/artifactory-ha/107.104.6/app-readme.md new file mode 100644 index 000000000..a5aa5fd47 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/app-readme.md @@ -0,0 +1,16 @@ +# JFrog Artifactory High Availability Helm Chart + +Universal Repository Manager supporting all major packaging formats, build tools and CI servers. + +## Chart Details +This chart will do the following: + +* Deploy Artifactory highly available cluster. 1 primary node and 2 member nodes. +* Deploy a PostgreSQL database +* Deploy an Nginx server(optional) + +## Useful links +Blog: [Herd Trust Into Your Rancher Labs Multi-Cloud Strategy with Artifactory](https://jfrog.com/blog/herd-trust-into-your-rancher-labs-multi-cloud-strategy-with-artifactory/) + +## Activate Your Artifactory Instance +Don't have a license? Please send an email to [rancher-jfrog-licenses@jfrog.com](mailto:rancher-jfrog-licenses@jfrog.com) to get it. diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/.helmignore b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/Chart.lock b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/Chart.lock new file mode 100644 index 000000000..3687f52df --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.4.2 +digest: sha256:dce0349883107e3ff103f4f17d3af4ad1ea3c7993551b1c28865867d3e53d37c +generated: "2021-03-30T09:13:28.360322819Z" diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/Chart.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/Chart.yaml new file mode 100644 index 000000000..4b197b207 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/Chart.yaml @@ -0,0 +1,29 @@ +annotations: + category: Database +apiVersion: v2 +appVersion: 11.11.0 +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.x.x +description: Chart for PostgreSQL, an object-relational database management system + (ORDBMS) with an emphasis on extensibility and on standards-compliance. +home: https://github.com/bitnami/charts/tree/master/bitnami/postgresql +icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png +keywords: +- postgresql +- postgres +- database +- sql +- replication +- cluster +maintainers: +- email: containers@bitnami.com + name: Bitnami +- email: cedric@desaintmartin.fr + name: desaintmartin +name: postgresql +sources: +- https://github.com/bitnami/bitnami-docker-postgresql +- https://www.postgresql.org/ +version: 10.3.18 diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/README.md b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/README.md new file mode 100644 index 000000000..63d3605bb --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/README.md @@ -0,0 +1,770 @@ +# PostgreSQL + +[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. + +For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) + +## TL;DR + +```console +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/postgresql +``` + +## Introduction + +This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.1.0 +- PV provisioner support in the underlying infrastructure + +## Installing the Chart +To install the chart with the release name `my-release`: + +```console +$ helm install my-release bitnami/postgresql +``` + +The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. + +To delete the PVC's associated with `my-release`: + +```console +$ kubectl delete pvc -l release=my-release +``` + +> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it. + +## Parameters + +The following tables lists the configurable parameters of the PostgreSQL chart and their default values. + +| Parameter | Description | Default | +|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------| +| `global.imageRegistry` | Global Docker Image registry | `nil` | +| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `nil` | +| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `nil` | +| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `nil` | +| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `nil` | +| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port`) | `nil` | +| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | +| `image.registry` | PostgreSQL Image registry | `docker.io` | +| `image.repository` | PostgreSQL Image name | `bitnami/postgresql` | +| `image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | +| `image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `image.debug` | Specify if debug values should be set | `false` | +| `nameOverride` | String to partially override common.names.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override common.names.fullname template with a string | `nil` | +| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/bitnami-shell` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `"10"` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | +| `volumePermissions.securityContext.*` | Other container security context to be included as-is in the container spec | `{}` | +| `volumePermissions.securityContext.runAsUser` | User ID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") | `0` | +| `usePasswordFile` | Have the secrets mounted as a file instead of env vars | `false` | +| `ldap.enabled` | Enable LDAP support | `false` | +| `ldap.existingSecret` | Name of existing secret to use for LDAP passwords | `nil` | +| `ldap.url` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]` | `nil` | +| `ldap.server` | IP address or name of the LDAP server. | `nil` | +| `ldap.port` | Port number on the LDAP server to connect to | `nil` | +| `ldap.scheme` | Set to `ldaps` to use LDAPS. | `nil` | +| `ldap.tls` | Set to `1` to use TLS encryption | `nil` | +| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `nil` | +| `ldap.suffix` | String to append to the user name when forming the DN to bind | `nil` | +| `ldap.search_attr` | Attribute to match against the user name in the search | `nil` | +| `ldap.search_filter` | The search filter to use when doing search+bind authentication | `nil` | +| `ldap.baseDN` | Root DN to begin the search for the user in | `nil` | +| `ldap.bindDN` | DN of user to bind to LDAP | `nil` | +| `ldap.bind_password` | Password for the user to bind to LDAP | `nil` | +| `replication.enabled` | Enable replication | `false` | +| `replication.user` | Replication user | `repl_user` | +| `replication.password` | Replication user password | `repl_password` | +| `replication.readReplicas` | Number of read replicas replicas | `1` | +| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | +| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.readReplicas`. | `0` | +| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | +| `existingSecret` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-postgres-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be used to authenticate on LDAP. The value is evaluated as a template. | `nil` | +| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`, in which case`postgres` is the admin username). | _random 10 character alphanumeric string_ | +| `postgresqlUsername` | PostgreSQL user (creates a non-admin user when `postgresqlUsername` is not `postgres`) | `postgres` | +| `postgresqlPassword` | PostgreSQL user password | _random 10 character alphanumeric string_ | +| `postgresqlDatabase` | PostgreSQL database | `nil` | +| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) | +| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `[]` | +| `extraEnvVarsCM` | Name of a Config Map containing extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `nil` | +| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `nil` | +| `postgresqlInitdbWalDir` | PostgreSQL location for transaction log | `nil` | +| `postgresqlConfiguration` | Runtime Config Parameters | `nil` | +| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `nil` | +| `pgHbaConfiguration` | Content of pg_hba.conf | `nil (do not create pg_hba.conf)` | +| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` | +| `postgresqlMaxConnections` | Maximum total connections | `nil` | +| `postgresqlPostgresConnectionLimit` | Maximum total connections for the postgres user | `nil` | +| `postgresqlDbUserConnectionLimit` | Maximum total connections for the non-admin user | `nil` | +| `postgresqlTcpKeepalivesInterval` | TCP keepalives interval | `nil` | +| `postgresqlTcpKeepalivesIdle` | TCP keepalives idle | `nil` | +| `postgresqlTcpKeepalivesCount` | TCP keepalives count | `nil` | +| `postgresqlStatementTimeout` | Statement timeout | `nil` | +| `postgresqlPghbaRemoveFilters` | Comma-separated list of patterns to remove from the pg_hba.conf file | `nil` | +| `customStartupProbe` | Override default startup probe | `nil` | +| `customLivenessProbe` | Override default liveness probe | `nil` | +| `customReadinessProbe` | Override default readiness probe | `nil` | +| `audit.logHostname` | Add client hostnames to the log file | `false` | +| `audit.logConnections` | Add client log-in operations to the log file | `false` | +| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` | +| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `nil` | +| `audit.clientMinMessages` | Message log level to share with the user | `nil` | +| `audit.logLinePrefix` | Template string for the log line prefix | `nil` | +| `audit.logTimezone` | Timezone for the log timestamps | `nil` | +| `configurationConfigMap` | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil` | +| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` | +| `initdbScripts` | Dictionary of initdb scripts | `nil` | +| `initdbUser` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` | +| `initdbPassword` | Password for the user specified in `initdbUser` | `nil` | +| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` | +| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | PostgreSQL port | `5432` | +| `service.nodePort` | Kubernetes Service nodePort | `nil` | +| `service.annotations` | Annotations for PostgreSQL service | `{}` (evaluated as a template) | +| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` | +| `service.loadBalancerSourceRanges` | Address that are allowed when svc is LoadBalancer | `[]` (evaluated as a template) | +| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` | +| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for primary and read replica(s) Pod(s) | `true` | +| `shmVolume.chmod.enabled` | Run at init chmod 777 of the /dev/shm (ignored if `volumePermissions.enabled` is `false`) | `true` | +| `persistence.enabled` | Enable persistence using PVC | `true` | +| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` | +| `persistence.mountPath` | Path to mount the volume at | `/bitnami/postgresql` | +| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` | +| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` | +| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `persistence.annotations` | Annotations for the PVC | `{}` | +| `persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `commonAnnotations` | Annotations to be added to all deployed resources (rendered as a template) | `{}` | +| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` (evaluated as a template) | +| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` (evaluated as a template) | +| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` (evaluated as a template) | +| `primary.anotations` | Map of annotations to add to the statefulset (postgresql primary) | `{}` | +| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | +| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | +| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | +| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `nil` | +| `primary.extraInitContainers` | Additional init containers to add to the pods (postgresql primary) | `[]` | +| `primary.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql primary) | `[]` | +| `primary.extraVolumes` | Additional volumes to add to the pods (postgresql primary) | `[]` | +| `primary.sidecars` | Add additional containers to the pod | `[]` | +| `primary.service.type` | Allows using a different service type for primary | `nil` | +| `primary.service.nodePort` | Allows using a different nodePort for primary | `nil` | +| `primary.service.clusterIP` | Allows using a different clusterIP for primary | `nil` | +| `primaryAsStandBy.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not. | `false` | +| `primaryAsStandBy.primaryHost` | The Host of replication primary in the other cluster. | `nil` | +| `primaryAsStandBy.primaryPort ` | The Port of replication primary in the other cluster. | `nil` | +| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` | +| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` (evaluated as a template) | +| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` (evaluated as a template) | +| `readReplicas.anotations` | Map of annotations to add to the statefulsets (postgresql readReplicas) | `{}` | +| `readReplicas.resources` | CPU/Memory resource requests/limits override for readReplicass. Will fallback to `values.resources` if not defined. | `{}` | +| `readReplicas.labels` | Map of labels to add to the statefulsets (postgresql readReplicas) | `{}` | +| `readReplicas.podAnnotations` | Map of annotations to add to the pods (postgresql readReplicas) | `{}` | +| `readReplicas.podLabels` | Map of labels to add to the pods (postgresql readReplicas) | `{}` | +| `readReplicas.priorityClassName` | Priority Class to use for each pod (postgresql readReplicas) | `nil` | +| `readReplicas.extraInitContainers` | Additional init containers to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.extraVolumes` | Additional volumes to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.sidecars` | Add additional containers to the pod | `[]` | +| `readReplicas.service.type` | Allows using a different service type for readReplicas | `nil` | +| `readReplicas.service.nodePort` | Allows using a different nodePort for readReplicas | `nil` | +| `readReplicas.service.clusterIP` | Allows using a different clusterIP for readReplicas | `nil` | +| `readReplicas.persistence.enabled` | Whether to enable readReplicas replicas persistence | `true` | +| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` | +| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` | +| `securityContext.*` | Other pod security context to be included as-is in the pod spec | `{}` | +| `securityContext.enabled` | Enable security context | `true` | +| `securityContext.fsGroup` | Group ID for the pod | `1001` | +| `containerSecurityContext.*` | Other container security context to be included as-is in the container spec | `{}` | +| `containerSecurityContext.enabled` | Enable container security context | `true` | +| `containerSecurityContext.runAsUser` | User ID for the container | `1001` | +| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` | +| `serviceAccount.name` | Name of existing service account | `nil` | +| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed | `{}` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `startupProbe.periodSeconds` | How often to perform the probe | 15 | +| `startupProbe.timeoutSeconds` | When the probe times | 5 | +| `startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `startupProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 5 | +| `readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `tls.enabled` | Enable TLS traffic support | `false` | +| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` | +| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `nil` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename. If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate. | `nil` | +| `tls.crlFilename` | File containing a Certificate Revocation List | `nil` | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.service.type` | Kubernetes Service type | `ClusterIP` | +| `service.clusterIP` | Static clusterIP or None for headless services | `nil` | +| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` | +| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | +| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `nil` | +| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `nil` | +| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `nil` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | the same namespace as postgresql | +| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` | +| `metrics.image.registry` | PostgreSQL Exporter Image registry | `docker.io` | +| `metrics.image.repository` | PostgreSQL Exporter Image name | `bitnami/postgres-exporter` | +| `metrics.image.tag` | PostgreSQL Exporter Image tag | `{TAG_NAME}` | +| `metrics.image.pullPolicy` | PostgreSQL Exporter Image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `metrics.customMetrics` | Additional custom metrics | `nil` | +| `metrics.extraEnvVars` | Extra environment variables to add to exporter | `{}` (evaluated as a template) | +| `metrics.securityContext.*` | Other container security context to be included as-is in the container spec | `{}` | +| `metrics.securityContext.enabled` | Enable security context for metrics | `false` | +| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` | +| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `metrics.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `metrics.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `metrics.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 5 | +| `metrics.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` | +| `psp.create` | Create Pod Security Policy | `false` | +| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). | `nil` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release \ + --set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \ + bitnami/postgresql +``` + +The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release -f values.yaml bitnami/postgresql +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customizing primary and read replica services in a replicated configuration + +At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. + +### Change PostgreSQL version + +To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the whole configuration file. + +Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server. + +Alternatively, you can add additional PostgreSQL configuration parameters using the `postgresqlExtendedConf` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}. Alternatively, to replace the entire default configuration use `postgresqlConfiguration`. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options. + +### Allow settings to be loaded from files other than the default `postgresql.conf` + +If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory. +Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap. + +Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict. + +In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. + +For example: + +* First, create the secret with the cetificates files: + + ```console + kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt + ``` + +* Then, use the following parameters: + + ```console + volumePermissions.enabled=true + tls.enabled=true + tls.certificatesSecret="certificates-tls-secret" + tls.certFilename="cert.crt" + tls.certKeyFilename="cert.key" + ``` + + > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. + +### Sidecars + +If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +# For the PostgreSQL primary +primary: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +# For the PostgreSQL replicas +readReplicas: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +``` + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +``` +postgresql.postgresqlPassword=testtest +subchart1.postgresql.postgresqlPassword=testtest +subchart2.postgresql.postgresqlPassword=testtest +postgresql.postgresqlDatabase=db1 +subchart1.postgresql.postgresqlDatabase=db1 +subchart2.postgresql.postgresqlDatabase=db1 +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: + +``` +global.postgresql.postgresqlPassword=testtest +global.postgresql.postgresqlDatabase=db1 +``` + +This way, the credentials will be available in all of the subcharts. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished. + +## NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + +```console +$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. +- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,containerSecurityContext.enabled=false,shmVolume.chmod.enabled=false + +### Deploy chart using Docker Official PostgreSQL Image + +From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image. +Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory. + +``` +image.repository=postgres +image.tag=10.6 +postgresqlDataDir=/data/pgdata +persistence.mountPath=/data/ +``` + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` paremeter(s). Find more infomation about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami’s Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart: + +```bash +$ helm upgrade my-release bitnami/postgresql \ + --set postgresqlPassword=[POSTGRESQL_PASSWORD] \ + --set replication.password=[REPLICATION_PASSWORD] +``` + +> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes. + +### To 10.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the *requirements.yaml* to the *Chart.yaml* +- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart. + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +#### Breaking changes + +- The term `master` has been replaced with `primary` and `slave` with `readReplicas` throughout the chart. Role names have changed from `master` and `slave` to `primary` and `read`. + +To upgrade to `10.0.0`, it should be done reusing the PVCs used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is `postgresql`): + +> NOTE: Please, create a backup of your database before running any of those actions. + +Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +$ export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +$ export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") +``` + +Delete the PostgreSQL statefulset. Notice the option `--cascade=false`: + +```console +$ kubectl delete statefulsets.apps postgresql-postgresql --cascade=false +``` + +Now the upgrade works: + +```console +$ helm upgrade postgresql bitnami/postgresql --set postgresqlPassword=$POSTGRESQL_PASSWORD --set persistence.existingClaim=$POSTGRESQL_PVC +``` + +You will have to delete the existing PostgreSQL pod and the new statefulset is going to create a new one + +```console +$ kubectl delete pod postgresql-postgresql-0 +``` + +Finally, you should see the lines below in PostgreSQL container logs: + +```console +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` + +### To 9.0.0 + +In this version the chart was adapted to follow the Helm label best practices, see [PR 3021](https://github.com/bitnami/charts/pull/3021). That means the backward compatibility is not guarantee when upgrading the chart to this major version. + +As a workaround, you can delete the existing statefulset (using the `--cascade=false` flag pods are not deleted) before upgrade the chart. For example, this can be a valid workflow: + +- Deploy an old version (8.X.X) + +```console +$ helm install postgresql bitnami/postgresql --version 8.10.14 +``` + +- Old version is up and running + +```console +$ helm ls +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +postgresql default 1 2020-08-04 13:39:54.783480286 +0000 UTC deployed postgresql-8.10.14 11.8.0 + +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +postgresql-postgresql-0 1/1 Running 0 76s +``` + +- The upgrade to the latest one (9.X.X) is going to fail + +```console +$ helm upgrade postgresql bitnami/postgresql +Error: UPGRADE FAILED: cannot patch "postgresql-postgresql" with kind StatefulSet: StatefulSet.apps "postgresql-postgresql" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden +``` + +- Delete the statefulset + +```console +$ kubectl delete statefulsets.apps --cascade=false postgresql-postgresql +statefulset.apps "postgresql-postgresql" deleted +``` + +- Now the upgrade works + +```console +$ helm upgrade postgresql bitnami/postgresql +$ helm ls +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +postgresql default 3 2020-08-04 13:42:08.020385884 +0000 UTC deployed postgresql-9.1.2 11.8.0 +``` + +- We can kill the existing pod and the new statefulset is going to create a new one: + +```console +$ kubectl delete pod postgresql-postgresql-0 +pod "postgresql-postgresql-0" deleted + +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +postgresql-postgresql-0 1/1 Running 0 19s +``` + +Please, note that without the `--cascade=false` both objects (statefulset and pod) are going to be removed and both objects will be deployed again with the `helm upgrade` command + +### To 8.0.0 + +Prefixes the port names with their protocols to comply with Istio conventions. + +If you depend on the port names in your setup, make sure to update them to reflect this change. + +### To 7.1.0 + +Adds support for LDAP configuration. + +### To 7.0.0 + +Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. + +In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. + +This major version bump signifies this change. + +### To 6.5.7 + +In this version, the chart will use PostgreSQL with the Postgis extension included. The version used with Postgresql version 10, 11 and 12 is Postgis 2.5. It has been compiled with the following dependencies: + +- protobuf +- protobuf-c +- json-c +- geos +- proj + +### To 5.0.0 + +In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/). + +For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs: + +```console +Welcome to the Bitnami postgresql container +Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql +Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues +Send us your feedback at containers@bitnami.com + +INFO ==> ** Starting PostgreSQL setup ** +NFO ==> Validating settings in POSTGRESQL_* env vars.. +INFO ==> Initializing PostgreSQL database... +INFO ==> postgresql.conf file not detected. Generating it... +INFO ==> pg_hba.conf file not detected. Generating it... +INFO ==> Deploying PostgreSQL with persisted data... +INFO ==> Configuring replication parameters +INFO ==> Loading custom scripts... +INFO ==> Enabling remote connections +INFO ==> Stopping PostgreSQL... +INFO ==> ** PostgreSQL setup finished! ** + +INFO ==> ** Starting PostgreSQL ** + [1] FATAL: database files are incompatible with server + [1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3. +``` + +In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one. + +### To 4.0.0 + +This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately. + +IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error + +``` +The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development +``` + +### To 3.0.0 + +This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods. +It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride. + +#### Breaking changes + +- `affinty` has been renamed to `master.affinity` and `slave.affinity`. +- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`. +- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`. + +### To 2.0.0 + +In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps: + +- Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running + +```console +$ kubectl get svc +``` + +- Install (not upgrade) the new version + +```console +$ helm repo update +$ helm install my-release bitnami/postgresql +``` + +- Connect to the new pod (you can obtain the name by running `kubectl get pods`): + +```console +$ kubectl exec -it NAME bash +``` + +- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart: + +```console +$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql +``` + +After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`). +This operation could take some time depending on the database size. + +- Once you have the backup file, you can restore it with a command like the one below: + +```console +$ psql -U postgres DATABASE_NAME < /tmp/backup.sql +``` + +In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt). + +If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below. + +```console +$ psql -U postgres +postgres=# drop database DATABASE_NAME; +postgres=# create database DATABASE_NAME; +postgres=# create user USER_NAME; +postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD'; +postgres=# grant all privileges on database DATABASE_NAME to USER_NAME; +postgres=# alter database DATABASE_NAME owner to USER_NAME; +``` diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/.helmignore b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/Chart.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/Chart.yaml new file mode 100644 index 000000000..bcc3808d0 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 1.4.2 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/master/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- email: containers@bitnami.com + name: Bitnami +name: common +sources: +- https://github.com/bitnami/charts +- http://www.bitnami.com/ +type: library +version: 1.4.2 diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/README.md b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/README.md new file mode 100644 index 000000000..7287cbb5f --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/README.md @@ -0,0 +1,322 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 0.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.1.0 + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|----------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|--------------------------|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Inpput | +|-------------------------|------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for RedisTM are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets. + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_affinities.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_affinities.tpl new file mode 100644 index 000000000..493a6dc7e --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_affinities.tpl @@ -0,0 +1,94 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_capabilities.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_capabilities.tpl new file mode 100644 index 000000000..4dde56a38 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_capabilities.tpl @@ -0,0 +1,95 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_errors.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_errors.tpl new file mode 100644 index 000000000..a79cc2e32 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_images.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_images.tpl new file mode 100644 index 000000000..60f04fd6e --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_images.tpl @@ -0,0 +1,47 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $tag := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if $registryName }} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- else -}} +{{- printf "%s:%s" $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_ingress.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_ingress.tpl new file mode 100644 index 000000000..622ef50e3 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_ingress.tpl @@ -0,0 +1,42 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if typeIs "int" .servicePort }} + number: {{ .servicePort }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_labels.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_labels.tpl new file mode 100644 index 000000000..252066c7e --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_names.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_names.tpl new file mode 100644 index 000000000..adf2a74f4 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_names.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_secrets.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_secrets.tpl new file mode 100644 index 000000000..60b84a701 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_secrets.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- if index $secret.data .key }} + {{- $password = index $secret.data .key }} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_storage.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_storage.tpl new file mode 100644 index 000000000..60e2a844f --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_tplvalues.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_tplvalues.tpl new file mode 100644 index 000000000..2db166851 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_utils.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_utils.tpl new file mode 100644 index 000000000..ea083a249 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_warnings.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_warnings.tpl new file mode 100644 index 000000000..ae10fa41e --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 000000000..8679ddffb --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 000000000..bb5ed7253 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 000000000..7d5ecbccb --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB(R) required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB(R) values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB(R) is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (not $existingSecret) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB(R) is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 000000000..992bcd390 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,131 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_redis.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_redis.tpl new file mode 100644 index 000000000..3e2a47c03 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,72 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis(TM) required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $existingSecret := include "common.redis.values.existingSecret" . -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $valueKeyRedisPassword := printf "%s%s" $valueKeyPrefix "password" -}} + {{- $valueKeyRedisUsePassword := printf "%s%s" $valueKeyPrefix "usePassword" -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $usePassword := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUsePassword "context" .context) -}} + {{- if eq $usePassword "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Redis Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.redis.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Redis(TM) is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.redis.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_validations.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_validations.tpl new file mode 100644 index 000000000..9a814cf40 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/values.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/values.yaml new file mode 100644 index 000000000..9ecdc93f5 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/charts/common/values.yaml @@ -0,0 +1,3 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +exampleValue: common-chart diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/commonAnnotations.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/commonAnnotations.yaml new file mode 100644 index 000000000..97e18a4cc --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/commonAnnotations.yaml @@ -0,0 +1,3 @@ +commonAnnotations: + helm.sh/hook: "\"pre-install, pre-upgrade\"" + helm.sh/hook-weight: "-1" diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/default-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/default-values.yaml new file mode 100644 index 000000000..fc2ba605a --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/default-values.yaml @@ -0,0 +1 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/shmvolume-disabled-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/shmvolume-disabled-values.yaml new file mode 100644 index 000000000..347d3b40a --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/ci/shmvolume-disabled-values.yaml @@ -0,0 +1,2 @@ +shmVolume: + enabled: false diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/README.md b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/README.md new file mode 100644 index 000000000..1813a2fea --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/README.md @@ -0,0 +1 @@ +Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map. diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/conf.d/README.md b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/conf.d/README.md new file mode 100644 index 000000000..184c1875d --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/conf.d/README.md @@ -0,0 +1,4 @@ +If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files. +These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file). diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/docker-entrypoint-initdb.d/README.md b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/docker-entrypoint-initdb.d/README.md new file mode 100644 index 000000000..cba38091e --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/files/docker-entrypoint-initdb.d/README.md @@ -0,0 +1,3 @@ +You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image. + +More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository. \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/NOTES.txt b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/NOTES.txt new file mode 100644 index 000000000..4e98958c1 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/NOTES.txt @@ -0,0 +1,59 @@ +** Please be patient while the chart is being deployed ** + +PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster: + + {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection +{{- if .Values.replication.enabled }} + {{ template "common.names.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection +{{- end }} + +{{- if not (eq (include "postgresql.username" .) "postgres") }} + +To get the password for "postgres" run: + + export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-postgres-password}" | base64 --decode) +{{- end }} + +To get the password for "{{ template "postgresql.username" . }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode) + +To connect to your database run the following command: + + kubectl run {{ template "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} + --labels="{{ template "common.names.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "common.names.fullname" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }} + +{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} +Note: Since NetworkPolicy is enabled, only pods with label {{ template "common.names.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster. +{{- end }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} + +{{- else if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} + +{{- else if contains "ClusterIP" .Values.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} & + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }} + +{{- end }} + +{{- include "postgresql.validateValues" . -}} + +{{- include "common.warnings.rollingTag" .Values.image -}} + +{{- $passwordValidationErrors := include "common.validations.values.postgresql.passwords" (dict "secret" (include "common.names.fullname" .) "context" $) -}} + +{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/_helpers.tpl b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/_helpers.tpl new file mode 100644 index 000000000..1f98efe78 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/_helpers.tpl @@ -0,0 +1,337 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "postgresql.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.primary.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}} +{{- if .Values.replication.enabled -}} +{{- printf "%s-%s" $fullname "primary" | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "postgresql.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper PostgreSQL metrics image name +*/}} +{{- define "postgresql.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "postgresql.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "postgresql.imagePullSecrets" -}} +{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} +{{- end -}} + +{{/* +Return PostgreSQL postgres user password +*/}} +{{- define "postgresql.postgres.password" -}} +{{- if .Values.global.postgresql.postgresqlPostgresPassword }} + {{- .Values.global.postgresql.postgresqlPostgresPassword -}} +{{- else if .Values.postgresqlPostgresPassword -}} + {{- .Values.postgresqlPostgresPassword -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL password +*/}} +{{- define "postgresql.password" -}} +{{- if .Values.global.postgresql.postgresqlPassword }} + {{- .Values.global.postgresql.postgresqlPassword -}} +{{- else if .Values.postgresqlPassword -}} + {{- .Values.postgresqlPassword -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL replication password +*/}} +{{- define "postgresql.replication.password" -}} +{{- if .Values.global.postgresql.replicationPassword }} + {{- .Values.global.postgresql.replicationPassword -}} +{{- else if .Values.replication.password -}} + {{- .Values.replication.password -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL username +*/}} +{{- define "postgresql.username" -}} +{{- if .Values.global.postgresql.postgresqlUsername }} + {{- .Values.global.postgresql.postgresqlUsername -}} +{{- else -}} + {{- .Values.postgresqlUsername -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL replication username +*/}} +{{- define "postgresql.replication.username" -}} +{{- if .Values.global.postgresql.replicationUser }} + {{- .Values.global.postgresql.replicationUser -}} +{{- else -}} + {{- .Values.replication.user -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL port +*/}} +{{- define "postgresql.port" -}} +{{- if .Values.global.postgresql.servicePort }} + {{- .Values.global.postgresql.servicePort -}} +{{- else -}} + {{- .Values.service.port -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL created database +*/}} +{{- define "postgresql.database" -}} +{{- if .Values.global.postgresql.postgresqlDatabase }} + {{- .Values.global.postgresql.postgresqlDatabase -}} +{{- else if .Values.postgresqlDatabase -}} + {{- .Values.postgresqlDatabase -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "postgresql.secretName" -}} +{{- if .Values.global.postgresql.existingSecret }} + {{- printf "%s" (tpl .Values.global.postgresql.existingSecret $) -}} +{{- else if .Values.existingSecret -}} + {{- printf "%s" (tpl .Values.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if we should use an existingSecret. +*/}} +{{- define "postgresql.useExistingSecret" -}} +{{- if or .Values.global.postgresql.existingSecret .Values.existingSecret -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "postgresql.createSecret" -}} +{{- if not (include "postgresql.useExistingSecret" .) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the configuration ConfigMap name. +*/}} +{{- define "postgresql.configurationCM" -}} +{{- if .Values.configurationConfigMap -}} +{{- printf "%s" (tpl .Values.configurationConfigMap $) -}} +{{- else -}} +{{- printf "%s-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the extended configuration ConfigMap name. +*/}} +{{- define "postgresql.extendedConfigurationCM" -}} +{{- if .Values.extendedConfConfigMap -}} +{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}} +{{- else -}} +{{- printf "%s-extended-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap should be mounted with PostgreSQL configuration +*/}} +{{- define "postgresql.mountConfigurationCM" -}} +{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts Secret name. +*/}} +{{- define "postgresql.initdbScriptsSecret" -}} +{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}} +{{- end -}} + +{{/* +Get the metrics ConfigMap name. +*/}} +{{- define "postgresql.metricsCM" -}} +{{- printf "%s-metrics" (include "common.names.fullname" .) -}} +{{- end -}} + +{{/* +Get the readiness probe command +*/}} +{{- define "postgresql.readinessProbeCommand" -}} +- | +{{- if (include "postgresql.database" .) }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- else }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- end }} +{{- if contains "bitnami/" .Values.image.repository }} + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "postgresql.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.tls" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap +*/}} +{{- define "postgresql.validateValues.ldapConfigurationMethod" -}} +{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }} +postgresql: ldap.url, ldap.server + You cannot set both `ldap.url` and `ldap.server` at the same time. + Please provide a unique way to configure LDAP. + More info at https://www.postgresql.org/docs/current/auth-ldap.html +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If PSP is enabled RBAC should be enabled too +*/}} +{{- define "postgresql.validateValues.psp" -}} +{{- if and .Values.psp.create (not .Values.rbac.create) }} +postgresql: psp.create, rbac.create + RBAC should be enabled if PSP is enabled in order for PSP to work. + More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for podsecuritypolicy. +*/}} +{{- define "podsecuritypolicy.apiVersion" -}} +{{- if semverCompare "<1.10-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "postgresql.networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"extensions/v1beta1" +{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"networking.k8s.io/v1" +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql TLS - When TLS is enabled, so must be VolumePermissions +*/}} +{{- define "postgresql.validateValues.tls" -}} +{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} +postgresql: tls.enabled, volumePermissions.enabled + When TLS is enabled you must enable volumePermissions as well to ensure certificates files have + the right permissions. +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "postgresql.tlsCert" -}} +{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "postgresql.tlsCertKey" -}} +{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.tlsCACert" -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} +{{- end -}} + +{{/* +Return the path to the CRL file. +*/}} +{{- define "postgresql.tlsCRL" -}} +{{- if .Values.tls.crlFilename -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/configmap.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/configmap.yaml new file mode 100644 index 000000000..3a5ea18ae --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/configmap.yaml @@ -0,0 +1,31 @@ +{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-configuration + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +data: +{{- if (.Files.Glob "files/postgresql.conf") }} +{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }} +{{- else if .Values.postgresqlConfiguration }} + postgresql.conf: | +{{- range $key, $value := default dict .Values.postgresqlConfiguration }} + {{- if kindIs "string" $value }} + {{ $key | snakecase }} = '{{ $value }}' + {{- else }} + {{ $key | snakecase }} = {{ $value }} + {{- end }} +{{- end }} +{{- end }} +{{- if (.Files.Glob "files/pg_hba.conf") }} +{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }} +{{- else if .Values.pgHbaConfiguration }} + pg_hba.conf: | +{{ .Values.pgHbaConfiguration | indent 4 }} +{{- end }} +{{ end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/extended-config-configmap.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/extended-config-configmap.yaml new file mode 100644 index 000000000..b0dad253b --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/extended-config-configmap.yaml @@ -0,0 +1,26 @@ +{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-extended-configuration + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +data: +{{- with .Files.Glob "files/conf.d/*.conf" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{ with .Values.postgresqlExtendedConf }} + override.conf: | +{{- range $key, $value := . }} + {{- if kindIs "string" $value }} + {{ $key | snakecase }} = '{{ $value }}' + {{- else }} + {{ $key | snakecase }} = {{ $value }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/extra-list.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/extra-list.yaml new file mode 100644 index 000000000..9ac65f9e1 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/initialization-configmap.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/initialization-configmap.yaml new file mode 100644 index 000000000..7796c67a9 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/initialization-configmap.yaml @@ -0,0 +1,25 @@ +{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-init-scripts + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} +binaryData: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} +{{- end }} +{{- end }} +data: +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{- with .Values.initdbScripts }} +{{ toYaml . | indent 2 }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/metrics-configmap.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/metrics-configmap.yaml new file mode 100644 index 000000000..fa539582b --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/metrics-configmap.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.metricsCM" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +data: + custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/metrics-svc.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/metrics-svc.yaml new file mode 100644 index 000000000..af8b67e2f --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/metrics-svc.yaml @@ -0,0 +1,26 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-metrics + labels: + {{- include "common.labels.standard" . | nindent 4 }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- toYaml .Values.metrics.service.annotations | nindent 4 }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ .Values.metrics.service.type }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} + {{- end }} + ports: + - name: http-metrics + port: 9187 + targetPort: http-metrics + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: primary +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/networkpolicy.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/networkpolicy.yaml new file mode 100644 index 000000000..4f2740ea0 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/networkpolicy.yaml @@ -0,0 +1,39 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + ingress: + # Allow inbound connections + - ports: + - port: {{ template "postgresql.port" . }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.explicitNamespacesSelector }} + namespaceSelector: +{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }} + {{- end }} + - podSelector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 14 }} + role: read + {{- end }} + {{- if .Values.metrics.enabled }} + # Allow prometheus scrapes + - ports: + - port: 9187 + {{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/podsecuritypolicy.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..0c49694fa --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/podsecuritypolicy.yaml @@ -0,0 +1,38 @@ +{{- if .Values.psp.create }} +apiVersion: {{ include "podsecuritypolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + privileged: false + volumes: + - 'configMap' + - 'secret' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'projected' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/prometheusrule.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/prometheusrule.yaml new file mode 100644 index 000000000..d0f408c78 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/prometheusrule.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "common.names.fullname" . }} +{{- with .Values.metrics.prometheusRule.namespace }} + namespace: {{ . }} +{{- end }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- with .Values.metrics.prometheusRule.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: +{{- with .Values.metrics.prometheusRule.rules }} + groups: + - name: {{ template "postgresql.name" $ }} + rules: {{ tpl (toYaml .) $ | nindent 8 }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/role.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/role.yaml new file mode 100644 index 000000000..017a5716b --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/role.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +rules: + {{- if .Values.psp.create }} + - apiGroups: ["extensions"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: + - {{ template "common.names.fullname" . }} + {{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/rolebinding.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/rolebinding.yaml new file mode 100644 index 000000000..189775a15 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ template "common.names.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/secrets.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/secrets.yaml new file mode 100644 index 000000000..d492cd593 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/secrets.yaml @@ -0,0 +1,24 @@ +{{- if (include "postgresql.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + {{- if not (eq (include "postgresql.username" .) "postgres") }} + postgresql-postgres-password: {{ include "postgresql.postgres.password" . | b64enc | quote }} + {{- end }} + postgresql-password: {{ include "postgresql.password" . | b64enc | quote }} + {{- if .Values.replication.enabled }} + postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }} + {{- end }} + {{- if (and .Values.ldap.enabled .Values.ldap.bind_password)}} + postgresql-ldap-password: {{ .Values.ldap.bind_password | b64enc | quote }} + {{- end }} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/serviceaccount.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/serviceaccount.yaml new file mode 100644 index 000000000..03f0f50e7 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "common.labels.standard" . | nindent 4 }} + name: {{ template "common.names.fullname" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/servicemonitor.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/servicemonitor.yaml new file mode 100644 index 000000000..587ce85b8 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/servicemonitor.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "common.names.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- end }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + +spec: + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/statefulset-readreplicas.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/statefulset-readreplicas.yaml new file mode 100644 index 000000000..b038299bf --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/statefulset-readreplicas.yaml @@ -0,0 +1,411 @@ +{{- if .Values.replication.enabled }} +{{- $readReplicasResources := coalesce .Values.readReplicas.resources .Values.resources -}} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: "{{ template "common.names.fullname" . }}-read" + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read +{{- with .Values.readReplicas.labels }} +{{ toYaml . | indent 4 }} +{{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- with .Values.readReplicas.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + serviceName: {{ template "common.names.fullname" . }}-headless + replicas: {{ .Values.replication.readReplicas }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + role: read + template: + metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: read + role: read +{{- with .Values.readReplicas.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.readReplicas.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.readReplicas.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.readReplicas.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name}} + {{- end }} + {{- if or .Values.readReplicas.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} + initContainers: + {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -cx + - | + {{- if .Values.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} + {{- else }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + xargs chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ template "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{ if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.readReplicas.extraInitContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraInitContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.priorityClassName }} + priorityClassName: {{ .Values.readReplicas.priorityClassName }} + {{- end }} + containers: + - name: {{ template "common.names.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if $readReplicasResources }} + resources: {{- toYaml $readReplicasResources | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + - name: POSTGRESQL_PORT_NUMBER + value: "{{ template "postgresql.port" . }}" + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + - name: POSTGRES_REPLICATION_MODE + value: "slave" + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + - name: POSTGRES_MASTER_HOST + value: {{ template "common.names.fullname" . }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ include "postgresql.port" . | quote }} + {{- if not (eq (include "postgresql.username" .) "postgres") }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-postgres-password + {{- end }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ template "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ template "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ template "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ template "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.postgresqlMaxConnections }} + - name: POSTGRESQL_MAX_CONNECTIONS + value: {{ .Values.postgresqlMaxConnections | quote }} + {{- end }} + {{- if .Values.postgresqlPostgresConnectionLimit }} + - name: POSTGRESQL_POSTGRES_CONNECTION_LIMIT + value: {{ .Values.postgresqlPostgresConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlDbUserConnectionLimit }} + - name: POSTGRESQL_USERNAME_CONNECTION_LIMIT + value: {{ .Values.postgresqlDbUserConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesInterval }} + - name: POSTGRESQL_TCP_KEEPALIVES_INTERVAL + value: {{ .Values.postgresqlTcpKeepalivesInterval | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesIdle }} + - name: POSTGRESQL_TCP_KEEPALIVES_IDLE + value: {{ .Values.postgresqlTcpKeepalivesIdle | quote }} + {{- end }} + {{- if .Values.postgresqlStatementTimeout }} + - name: POSTGRESQL_STATEMENT_TIMEOUT + value: {{ .Values.postgresqlStatementTimeout | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesCount }} + - name: POSTGRESQL_TCP_KEEPALIVES_COUNT + value: {{ .Values.postgresqlTcpKeepalivesCount | quote }} + {{- end }} + {{- if .Values.postgresqlPghbaRemoveFilters }} + - name: POSTGRESQL_PGHBA_REMOVE_FILTERS + value: {{ .Values.postgresqlPghbaRemoveFilters | quote }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ template "postgresql.port" . }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{ end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.readReplicas.extraVolumeMounts }} + {{- toYaml .Values.readReplicas.extraVolumeMounts | nindent 12 }} + {{- end }} +{{- if .Values.readReplicas.sidecars }} +{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }} +{{- end }} + volumes: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + sizeLimit: 1Gi + {{- end }} + {{- if or (not .Values.persistence.enabled) (not .Values.readReplicas.persistence.enabled) }} + - name: data + emptyDir: {} + {{- end }} + {{- if .Values.readReplicas.extraVolumes }} + {{- toYaml .Values.readReplicas.extraVolumes | nindent 8 }} + {{- end }} + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} +{{- if and .Values.persistence.enabled .Values.readReplicas.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + + {{- if .Values.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} + {{- end -}} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/statefulset.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/statefulset.yaml new file mode 100644 index 000000000..f8163fd99 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/statefulset.yaml @@ -0,0 +1,609 @@ +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ template "postgresql.primary.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- with .Values.primary.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- with .Values.primary.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + serviceName: {{ template "common.names.fullname" . }}-headless + replicas: 1 + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + role: primary + template: + metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 8 }} + role: primary + app.kubernetes.io/component: primary + {{- with .Values.primary.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.primary.podAnnotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.primary.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.primary.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }} + {{- end }} + {{- if or .Values.primary.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} + initContainers: + {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -cx + - | + {{- if .Values.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} + {{- else }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + xargs chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ template "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.primary.extraInitContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraInitContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.primary.priorityClassName }} + priorityClassName: {{ .Values.primary.priorityClassName }} + {{- end }} + containers: + - name: {{ template "common.names.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: "{{ template "postgresql.port" . }}" + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + {{- if .Values.postgresqlInitdbArgs }} + - name: POSTGRES_INITDB_ARGS + value: {{ .Values.postgresqlInitdbArgs | quote }} + {{- end }} + {{- if .Values.postgresqlInitdbWalDir }} + - name: POSTGRES_INITDB_WALDIR + value: {{ .Values.postgresqlInitdbWalDir | quote }} + {{- end }} + {{- if .Values.initdbUser }} + - name: POSTGRESQL_INITSCRIPTS_USERNAME + value: {{ .Values.initdbUser }} + {{- end }} + {{- if .Values.initdbPassword }} + - name: POSTGRESQL_INITSCRIPTS_PASSWORD + value: {{ .Values.initdbPassword }} + {{- end }} + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + {{- if .Values.primaryAsStandBy.enabled }} + - name: POSTGRES_MASTER_HOST + value: {{ .Values.primaryAsStandBy.primaryHost }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ .Values.primaryAsStandBy.primaryPort | quote }} + {{- end }} + {{- if or .Values.replication.enabled .Values.primaryAsStandBy.enabled }} + - name: POSTGRES_REPLICATION_MODE + {{- if .Values.primaryAsStandBy.enabled }} + value: "slave" + {{- else }} + value: "master" + {{- end }} + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + {{- if not (eq .Values.replication.synchronousCommit "off")}} + - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE + value: {{ .Values.replication.synchronousCommit | quote }} + - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS + value: {{ .Values.replication.numSynchronousReplicas | quote }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + {{- end }} + {{- if not (eq (include "postgresql.username" .) "postgres") }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-postgres-password + {{- end }} + {{- end }} + - name: POSTGRES_USER + value: {{ include "postgresql.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + {{- if (include "postgresql.database" .) }} + - name: POSTGRES_DB + value: {{ (include "postgresql.database" .) | quote }} + {{- end }} + {{- if .Values.extraEnv }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnv "context" $) | nindent 12 }} + {{- end }} + - name: POSTGRESQL_ENABLE_LDAP + value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }} + {{- if .Values.ldap.enabled }} + - name: POSTGRESQL_LDAP_SERVER + value: {{ .Values.ldap.server }} + - name: POSTGRESQL_LDAP_PORT + value: {{ .Values.ldap.port | quote }} + - name: POSTGRESQL_LDAP_SCHEME + value: {{ .Values.ldap.scheme }} + {{- if .Values.ldap.tls }} + - name: POSTGRESQL_LDAP_TLS + value: "1" + {{- end }} + - name: POSTGRESQL_LDAP_PREFIX + value: {{ .Values.ldap.prefix | quote }} + - name: POSTGRESQL_LDAP_SUFFIX + value: {{ .Values.ldap.suffix | quote }} + - name: POSTGRESQL_LDAP_BASE_DN + value: {{ .Values.ldap.baseDN }} + - name: POSTGRESQL_LDAP_BIND_DN + value: {{ .Values.ldap.bindDN }} + {{- if (not (empty .Values.ldap.bind_password)) }} + - name: POSTGRESQL_LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-ldap-password + {{- end}} + - name: POSTGRESQL_LDAP_SEARCH_ATTR + value: {{ .Values.ldap.search_attr }} + - name: POSTGRESQL_LDAP_SEARCH_FILTER + value: {{ .Values.ldap.search_filter }} + - name: POSTGRESQL_LDAP_URL + value: {{ .Values.ldap.url }} + {{- end}} + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ template "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ template "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ template "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ template "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.postgresqlMaxConnections }} + - name: POSTGRESQL_MAX_CONNECTIONS + value: {{ .Values.postgresqlMaxConnections | quote }} + {{- end }} + {{- if .Values.postgresqlPostgresConnectionLimit }} + - name: POSTGRESQL_POSTGRES_CONNECTION_LIMIT + value: {{ .Values.postgresqlPostgresConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlDbUserConnectionLimit }} + - name: POSTGRESQL_USERNAME_CONNECTION_LIMIT + value: {{ .Values.postgresqlDbUserConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesInterval }} + - name: POSTGRESQL_TCP_KEEPALIVES_INTERVAL + value: {{ .Values.postgresqlTcpKeepalivesInterval | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesIdle }} + - name: POSTGRESQL_TCP_KEEPALIVES_IDLE + value: {{ .Values.postgresqlTcpKeepalivesIdle | quote }} + {{- end }} + {{- if .Values.postgresqlStatementTimeout }} + - name: POSTGRESQL_STATEMENT_TIMEOUT + value: {{ .Values.postgresqlStatementTimeout | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesCount }} + - name: POSTGRESQL_TCP_KEEPALIVES_COUNT + value: {{ .Values.postgresqlTcpKeepalivesCount | quote }} + {{- end }} + {{- if .Values.postgresqlPghbaRemoveFilters }} + - name: POSTGRESQL_PGHBA_REMOVE_FILTERS + value: {{ .Values.postgresqlPghbaRemoveFilters | quote }} + {{- end }} + {{- if .Values.extraEnvVarsCM }} + envFrom: + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ template "postgresql.port" . }} + {{- if .Values.startupProbe.enabled }} + startupProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + {{- else if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d/ + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + mountPath: /docker-entrypoint-initdb.d/secret + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.primary.extraVolumeMounts }} + {{- toYaml .Values.primary.extraVolumeMounts | nindent 12 }} + {{- end }} +{{- if .Values.primary.sidecars }} +{{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} +{{- end }} +{{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "postgresql.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.securityContext.enabled }} + securityContext: {{- omit .Values.metrics.securityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }} + {{- $sslmode := ternary "require" "disable" .Values.tls.enabled }} + {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} + - name: DATA_SOURCE_NAME + value: {{ printf "host=127.0.0.1 port=%d user=%s sslmode=%s sslcert=%s sslkey=%s" (int (include "postgresql.port" .)) (include "postgresql.username" .) $sslmode (include "postgresql.tlsCert" .) (include "postgresql.tlsCertKey" .) }} + {{- else }} + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/%s?sslmode=%s" (int (include "postgresql.port" .)) $database $sslmode }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: DATA_SOURCE_PASS_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + - name: DATA_SOURCE_USER + value: {{ template "postgresql.username" . }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: / + port: http-metrics + initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: / + port: http-metrics + initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.metrics.customMetrics }} + - name: custom-metrics + mountPath: /conf + readOnly: true + args: ["--extend.query-path", "/conf/custom-metrics.yaml"] + {{- end }} + ports: + - name: http-metrics + containerPort: 9187 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} +{{- end }} + volumes: + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "postgresql.initdbScriptsCM" . }} + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + secret: + secretName: {{ template "postgresql.initdbScriptsSecret" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.primary.extraVolumes }} + {{- toYaml .Values.primary.extraVolumes | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} + - name: custom-metrics + configMap: + name: {{ template "postgresql.metricsCM" . }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + sizeLimit: 1Gi + {{- end }} +{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} + - name: data + persistentVolumeClaim: +{{- with .Values.persistence.existingClaim }} + claimName: {{ tpl . $ }} +{{- end }} +{{- else if not .Values.persistence.enabled }} + - name: data + emptyDir: {} +{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- if .Values.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} + {{- end -}} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc-headless.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc-headless.yaml new file mode 100644 index 000000000..6f5f3b9ee --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc-headless.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-headless + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + namespace: {{ .Release.Namespace }} +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ template "postgresql.port" . }} + targetPort: tcp-postgresql + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc-read.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc-read.yaml new file mode 100644 index 000000000..56195ea1e --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc-read.yaml @@ -0,0 +1,43 @@ +{{- if .Values.replication.enabled }} +{{- $serviceAnnotations := coalesce .Values.readReplicas.service.annotations .Values.service.annotations -}} +{{- $serviceType := coalesce .Values.readReplicas.service.type .Values.service.type -}} +{{- $serviceLoadBalancerIP := coalesce .Values.readReplicas.service.loadBalancerIP .Values.service.loadBalancerIP -}} +{{- $serviceLoadBalancerSourceRanges := coalesce .Values.readReplicas.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}} +{{- $serviceClusterIP := coalesce .Values.readReplicas.service.clusterIP .Values.service.clusterIP -}} +{{- $serviceNodePort := coalesce .Values.readReplicas.service.nodePort .Values.service.nodePort -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-read + labels: + {{- include "common.labels.standard" . | nindent 4 }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if $serviceAnnotations }} + {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ $serviceType }} + {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }} + loadBalancerIP: {{ $serviceLoadBalancerIP }} + {{- end }} + {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }} + clusterIP: {{ $serviceClusterIP }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.port" . }} + targetPort: tcp-postgresql + {{- if $serviceNodePort }} + nodePort: {{ $serviceNodePort }} + {{- end }} + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: read +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc.yaml new file mode 100644 index 000000000..a29431b6a --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/templates/svc.yaml @@ -0,0 +1,41 @@ +{{- $serviceAnnotations := coalesce .Values.primary.service.annotations .Values.service.annotations -}} +{{- $serviceType := coalesce .Values.primary.service.type .Values.service.type -}} +{{- $serviceLoadBalancerIP := coalesce .Values.primary.service.loadBalancerIP .Values.service.loadBalancerIP -}} +{{- $serviceLoadBalancerSourceRanges := coalesce .Values.primary.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}} +{{- $serviceClusterIP := coalesce .Values.primary.service.clusterIP .Values.service.clusterIP -}} +{{- $serviceNodePort := coalesce .Values.primary.service.nodePort .Values.service.nodePort -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if $serviceAnnotations }} + {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ $serviceType }} + {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }} + loadBalancerIP: {{ $serviceLoadBalancerIP }} + {{- end }} + {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }} + clusterIP: {{ $serviceClusterIP }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.port" . }} + targetPort: tcp-postgresql + {{- if $serviceNodePort }} + nodePort: {{ $serviceNodePort }} + {{- end }} + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: primary diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/values.schema.json b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/values.schema.json new file mode 100644 index 000000000..66a2a9dd0 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/values.schema.json @@ -0,0 +1,103 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "postgresqlUsername": { + "type": "string", + "title": "Admin user", + "form": true + }, + "postgresqlPassword": { + "type": "string", + "title": "Password", + "form": true + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi" + } + } + }, + "resources": { + "type": "object", + "title": "Required Resources", + "description": "Configure resource requests", + "form": true, + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string", + "form": true, + "render": "slider", + "title": "Memory Request", + "sliderMin": 10, + "sliderMax": 2048, + "sliderUnit": "Mi" + }, + "cpu": { + "type": "string", + "form": true, + "render": "slider", + "title": "CPU Request", + "sliderMin": 10, + "sliderMax": 2000, + "sliderUnit": "m" + } + } + } + } + }, + "replication": { + "type": "object", + "form": true, + "title": "Replication Details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Replication", + "form": true + }, + "readReplicas": { + "type": "integer", + "title": "read Replicas", + "form": true, + "hidden": { + "value": false, + "path": "replication/enabled" + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" + } + } + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Configure metrics exporter", + "form": true + } + } + } + } +} diff --git a/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/values.yaml b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/values.yaml new file mode 100644 index 000000000..82ce09234 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/charts/postgresql/values.yaml @@ -0,0 +1,824 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + postgresql: {} +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 11.11.0-debian-10-r71 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Set to true if you would like to see extra information on logs + ## It turns BASH and/or NAMI debugging in the image + ## + debug: false + +## String to partially override common.names.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override common.names.fullname template +## +# fullnameOverride: + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: "10" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Init container Security Context + ## Note: the chown of the data folder is done to securityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false + ## + securityContext: + runAsUser: 0 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + +## Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +containerSecurityContext: + enabled: true + runAsUser: 1001 + +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + enabled: false + ## Name of an already existing service account. Setting this value disables the automatic service account creation. + # name: + +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +psp: + create: false + +## Creates role for ServiceAccount +## Required for PSP +## +rbac: + create: false + +replication: + enabled: false + user: repl_user + password: repl_password + readReplicas: 1 + ## Set synchronous commit mode: on, off, remote_apply, remote_write and local + ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL + synchronousCommit: 'off' + ## From the number of `readReplicas` defined above, set the number of those that will have synchronous replication + ## NOTE: It cannot be > readReplicas + numSynchronousReplicas: 0 + ## Replication Cluster application name. Useful for defining multiple replication policies + ## + applicationName: my_application + +## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!) +# postgresqlPostgresPassword: + +## PostgreSQL user (has superuser privileges if username is `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +postgresqlUsername: postgres + +## PostgreSQL password +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +# postgresqlPassword: + +## PostgreSQL password using existing secret +## existingSecret: secret +## + +## Mount PostgreSQL secret as a file instead of passing environment variable +# usePasswordFile: false + +## Create a database +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## +# postgresqlDatabase: + +## PostgreSQL data dir +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlDataDir: /bitnami/postgresql/data + +## An array to add extra environment variables +## For example: +## extraEnv: +## - name: FOO +## value: "bar" +## +# extraEnv: +extraEnv: [] + +## Name of a ConfigMap containing extra env vars +## +# extraEnvVarsCM: + +## Specify extra initdb args +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbArgs: + +## Specify a custom location for the PostgreSQL transaction log +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbWalDir: + +## PostgreSQL configuration +## Specify runtime configuration parameters as a dict, using camelCase, e.g. +## {"sharedBuffers": "500MB"} +## Alternatively, you can put your postgresql.conf under the files/ directory +## ref: https://www.postgresql.org/docs/current/static/runtime-config.html +## +# postgresqlConfiguration: + +## PostgreSQL extended configuration +## As above, but _appended_ to the main configuration +## Alternatively, you can put your *.conf under the files/conf.d/ directory +## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf +## +# postgresqlExtendedConf: + +## Configure current cluster's primary server to be the standby server in other cluster. +## This will allow cross cluster replication and provide cross cluster high availability. +## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. +## +primaryAsStandBy: + enabled: false + # primaryHost: + # primaryPort: + +## PostgreSQL client authentication configuration +## Specify content for pg_hba.conf +## Default: do not create pg_hba.conf +## Alternatively, you can put your pg_hba.conf under the files/ directory +# pgHbaConfiguration: |- +# local all all trust +# host all all localhost trust +# host mydatabase mysuser 192.168.0.0/24 md5 + +## ConfigMap with PostgreSQL configuration +## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration +# configurationConfigMap: + +## ConfigMap with PostgreSQL extended configuration +# extendedConfConfigMap: + +## initdb scripts +## Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## +# initdbScripts: +# my_init_script.sh: | +# #!/bin/sh +# echo "Do something." + +## ConfigMap with scripts to be run at first boot +## NOTE: This will override initdbScripts +# initdbScriptsConfigMap: + +## Secret with scripts to be run at first boot (in case it contains sensitive information) +## NOTE: This can work along initdbScripts or initdbScriptsConfigMap +# initdbScriptsSecret: + +## Specify the PostgreSQL username and password to execute the initdb scripts +# initdbUser: +# initdbPassword: + +## Audit settings +## https://github.com/bitnami/bitnami-docker-postgresql#auditing +## +audit: + ## Log client hostnames + ## + logHostname: false + ## Log connections to the server + ## + logConnections: false + ## Log disconnections + ## + logDisconnections: false + ## Operation to audit using pgAudit (default if not set) + ## + pgAuditLog: "" + ## Log catalog using pgAudit + ## + pgAuditLogCatalog: "off" + ## Log level for clients + ## + clientMinMessages: error + ## Template for log line prefix (default if not set) + ## + logLinePrefix: "" + ## Log timezone + ## + logTimezone: "" + +## Shared preload libraries +## +postgresqlSharedPreloadLibraries: "pgaudit" + +## Maximum total connections +## +postgresqlMaxConnections: + +## Maximum connections for the postgres user +## +postgresqlPostgresConnectionLimit: + +## Maximum connections for the created user +## +postgresqlDbUserConnectionLimit: + +## TCP keepalives interval +## +postgresqlTcpKeepalivesInterval: + +## TCP keepalives idle +## +postgresqlTcpKeepalivesIdle: + +## TCP keepalives count +## +postgresqlTcpKeepalivesCount: + +## Statement timeout +## +postgresqlStatementTimeout: + +## Remove pg_hba.conf lines with the following comma-separated patterns +## (cannot be used with custom pg_hba.conf) +## +postgresqlPghbaRemoveFilters: + +## Optional duration in seconds the pod needs to terminate gracefully. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +# terminationGracePeriodSeconds: 30 + +## LDAP configuration +## +ldap: + enabled: false + url: '' + server: '' + port: '' + prefix: '' + suffix: '' + baseDN: '' + bindDN: '' + bind_password: + search_attr: '' + search_filter: '' + scheme: '' + tls: {} + +## PostgreSQL service configuration +## +service: + ## PosgresSQL service type + ## + type: ClusterIP + # clusterIP: None + port: 5432 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. Evaluated as a template. + ## + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + ## Load Balancer sources. Evaluated as a template. + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## Start primary and read(s) pod(s) without limitations on shm memory. +## By default docker and containerd (and possibly other container runtimes) +## limit `/dev/shm` to `64M` (see e.g. the +## [docker issue](https://github.com/docker-library/postgres/issues/416) and the +## [containerd issue](https://github.com/containerd/containerd/issues/3654), +## which could be not enough if PostgreSQL uses parallel workers heavily. +## +shmVolume: + ## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove + ## this limitation. + ## + enabled: true + ## Set to `true` to `chmod 777 /dev/shm` on a initContainer. + ## This option is ignored if `volumePermissions.enabled` is `false` + ## + chmod: + enabled: true + +## PostgreSQL data Persistent Volume Storage Class +## If defined, storageClassName: +## If set to "-", storageClassName: "", which disables dynamic provisioning +## If undefined (the default) or set to null, no storageClassName spec is +## set, choosing the default provisioner. (gp2 on AWS, standard on +## GKE, AWS & OpenStack) +## +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + # existingClaim: + + ## The path the volume will be mounted at, useful when using different + ## PostgreSQL images. + ## + mountPath: /bitnami/postgresql + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: '' + + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + ## selector can be used to match an existing PersistentVolume + ## selector: + ## matchLabels: + ## app: my-app + selector: {} + +## updateStrategy for PostgreSQL StatefulSet and its reads StatefulSets +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## +updateStrategy: + type: RollingUpdate + +## +## PostgreSQL Primary parameters +## +primary: + ## PostgreSQL Primary pod affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAffinityPreset: "" + + ## PostgreSQL Primary pod anti-affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAntiAffinityPreset: soft + + ## PostgreSQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + + ## Affinity for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + + ## Node labels for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: '' + ## Extra init containers + ## Example + ## + ## extraInitContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + extraInitContainers: [] + + ## Additional PostgreSQL primary Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL primary Volumes + ## + extraVolumes: [] + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + ## Override the service configuration for primary + ## + service: {} + # type: + # nodePort: + # clusterIP: + +## +## PostgreSQL read only replica parameters +## +readReplicas: + ## PostgreSQL read only pod affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAffinityPreset: "" + + ## PostgreSQL read only pod anti-affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAntiAffinityPreset: soft + + ## PostgreSQL read only node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + + ## Affinity for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: readReplicas.podAffinityPreset, readReplicas.podAntiAffinityPreset, and readReplicas.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + + ## Node labels for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: '' + + ## Extra init containers + ## Example + ## + ## extraInitContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + extraInitContainers: [] + + ## Additional PostgreSQL read replicas Volume mounts + ## + extraVolumeMounts: [] + + ## Additional PostgreSQL read replicas Volumes + ## + extraVolumes: [] + + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + ## Override the service configuration for read + ## + service: {} + # type: + # nodePort: + # clusterIP: + + ## Whether to enable PostgreSQL read replicas data Persistent + ## + persistence: + enabled: true + + # Override the resource configuration for read replicas + resources: {} + # requests: + # memory: 256Mi + # cpu: 250m + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 256Mi + cpu: 250m + +## Add annotations to all the deployed resources +## +commonAnnotations: {} + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port PostgreSQL is listening + ## on. When true, PostgreSQL will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + + ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace + ## and that match other criteria, the ones that have the good label, can reach the DB. + ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this + ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. + ## + ## Example: + ## explicitNamespacesSelector: + ## matchLabels: + ## role: frontend + ## matchExpressions: + ## - {key: role, operator: In, values: [frontend]} + ## + explicitNamespacesSelector: {} + +## Configure extra options for startup, liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes +## +startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 + +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Custom Startup probe +## +customStartupProbe: {} + +## Custom Liveness probe +## +customLivenessProbe: {} + +## Custom Rediness probe +## +customReadinessProbe: {} + +## +## TLS configuration +## +tls: + # Enable TLS traffic + enabled: false + # + # Whether to use the server's TLS cipher preferences rather than the client's. + preferServerCiphers: true + # + # Name of the Secret that contains the certificates + certificatesSecret: '' + # + # Certificate filename + certFilename: '' + # + # Certificate Key filename + certKeyFilename: '' + # + # CA Certificate filename + # If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + # ref: https://www.postgresql.org/docs/9.6/auth-methods.html + certCAFilename: + # + # File containing a Certificate Revocation List + crlFilename: + +## Configure metrics exporter +## +metrics: + enabled: false + # resources: {} + service: + type: ClusterIP + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '9187' + loadBalancerIP: + serviceMonitor: + enabled: false + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + enabled: false + additionalLabels: {} + namespace: '' + ## These are just examples rules, please adapt them to your needs. + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ template "common.names.fullname" . }}-metrics"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ template "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). + ## + rules: [] + + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.9.0-debian-10-r43 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + # customMetrics: + # pg_database: + # query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + # metrics: + # - name: + # usage: "LABEL" + # description: "Name of the database" + # - size_bytes: + # usage: "GAUGE" + # description: "Size of the database in bytes" + # + ## An array to add extra env vars to configure postgres-exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + # extraEnvVars: + # - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + # value: "true" + extraEnvVars: {} + + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: false + runAsUser: 1001 + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## Configure extra options for liveness and readiness probes + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Array with extra yaml to deploy with the chart. Evaluated as a template +## +extraDeploy: [] diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/access-tls-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/access-tls-values.yaml new file mode 100644 index 000000000..27e24d346 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/access-tls-values.yaml @@ -0,0 +1,34 @@ +databaseUpgradeReady: true +artifactory: + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + persistence: + enabled: false + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + node: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +access: + accessConfig: + security: + tls: true + resetAccessCAKeys: true diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/default-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/default-values.yaml new file mode 100644 index 000000000..020f52335 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/default-values.yaml @@ -0,0 +1,32 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true +## This is an exception here because HA needs masterKey to connect with other node members and it is commented in values to support 6.x to 7.x Migration +## Please refer https://github.com/jfrog/charts/blob/master/stable/artifactory-ha/README.md#special-upgrade-notes-1 +artifactory: + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + persistence: + enabled: false + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + node: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/global-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/global-values.yaml new file mode 100644 index 000000000..0987e17ca --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/global-values.yaml @@ -0,0 +1,255 @@ +databaseUpgradeReady: true +artifactory: + persistence: + enabled: false + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + node: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + customInitContainersBegin: | + - name: "custom-init-begin-local" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - 'sh' + - '-c' + - echo "running in local" + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: volume + customInitContainers: | + - name: "custom-init-local" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - 'sh' + - '-c' + - echo "running in local" + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: volume + # Add custom volumes + customVolumes: | + - name: custom-script-local + emptyDir: + sizeLimit: 100Mi + # Add custom volumesMounts + customVolumeMounts: | + - name: custom-script-local + mountPath: "/scriptslocal" + # Add custom sidecar containers + customSidecarContainers: | + - name: "sidecar-list-local" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + command: ["sh","-c","echo 'Sidecar is running in local' >> /scriptslocal/sidecarlocal.txt; cat /scriptslocal/sidecarlocal.txt; while true; do sleep 30; done"] + volumeMounts: + - mountPath: "/scriptslocal" + name: custom-script-local + resources: + requests: + memory: "32Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "100m" + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +global: + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + customInitContainersBegin: | + - name: "custom-init-begin-global" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - 'sh' + - '-c' + - echo "running in global" + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: volume + customInitContainers: | + - name: "custom-init-global" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - 'sh' + - '-c' + - echo "running in global" + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: volume + # Add custom volumes + customVolumes: | + - name: custom-script-global + emptyDir: + sizeLimit: 100Mi + # Add custom volumesMounts + customVolumeMounts: | + - name: custom-script-global + mountPath: "/scripts" + # Add custom sidecar containers + customSidecarContainers: | + - name: "sidecar-list-global" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + command: ["sh","-c","echo 'Sidecar is running in global' >> /scripts/sidecarglobal.txt; cat /scripts/sidecarglobal.txt; while true; do sleep 30; done"] + volumeMounts: + - mountPath: "/scripts" + name: custom-script-global + resources: + requests: + memory: "32Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "100m" + +nginx: + customInitContainers: | + - name: "custom-init-begin-nginx" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - 'sh' + - '-c' + - echo "running in nginx" + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: custom-script-local + customSidecarContainers: | + - name: "sidecar-list-nginx" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + command: ["sh","-c","echo 'Sidecar is running in local' >> /scriptslocal/sidecarlocal.txt; cat /scriptslocal/sidecarlocal.txt; while true; do sleep 30; done"] + volumeMounts: + - mountPath: "/scriptslocal" + name: custom-script-local + resources: + requests: + memory: "32Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "100m" + # Add custom volumes + customVolumes: | + - name: custom-script-local + emptyDir: + sizeLimit: 100Mi + + artifactoryConf: | + {{- if .Values.nginx.https.enabled }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; + ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; + ssl_session_cache shared:SSL:1m; + ssl_prefer_server_ciphers on; + {{- end }} + ## server configuration + server { + listen 8088; + {{- if .Values.nginx.internalPortHttps }} + listen {{ .Values.nginx.internalPortHttps }} ssl; + {{- else -}} + {{- if .Values.nginx.https.enabled }} + listen {{ .Values.nginx.https.internalPort }} ssl; + {{- end }} + {{- end }} + {{- if .Values.nginx.internalPortHttp }} + listen {{ .Values.nginx.internalPortHttp }}; + {{- else -}} + {{- if .Values.nginx.http.enabled }} + listen {{ .Values.nginx.http.internalPort }}; + {{- end }} + {{- end }} + server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }} + {{- range .Values.ingress.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ . }} + {{- end -}} + {{- end -}}; + if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; + } + ## Application specific logs + ## access_log /var/log/nginx/artifactory-access.log timing; + ## error_log /var/log/nginx/artifactory-error.log; + rewrite ^/artifactory/?$ / redirect; + if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; + } + chunked_transfer_encoding on; + client_max_body_size 0; + + location / { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + proxy_pass {{ include "artifactory-ha.scheme" . }}://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/; + {{- if .Values.nginx.service.ssloffload}} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; + {{- else }} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; + proxy_set_header X-Forwarded-Port $server_port; + {{- end }} + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + location /artifactory/ { + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass {{ include "artifactory-ha.scheme" . }}://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; + } + proxy_pass {{ include "artifactory-ha.scheme" . }}://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; + } + } + } + + ## A list of custom ports to expose on the NGINX pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: + - containerPort: 8088 + name: http2 + service: + ## A list of custom ports to expose through the Ingress controller service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: + - port: 8088 + targetPort: 8088 + protocol: TCP + name: http2 diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/large-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/large-values.yaml new file mode 100644 index 000000000..153307aa2 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/large-values.yaml @@ -0,0 +1,85 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + persistence: + enabled: false + database: + maxOpenConnections: 150 + tomcat: + connector: + maxThreads: 300 + primary: + replicaCount: 4 + resources: + requests: + memory: "6Gi" + cpu: "2" + limits: + memory: "10Gi" + cpu: "8" + javaOpts: + xms: "8g" + xmx: "10g" +access: + database: + maxOpenConnections: 150 + tomcat: + connector: + maxThreads: 100 +router: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +frontend: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +metadata: + database: + maxOpenConnections: 150 + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +event: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +jfconnect: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +observability: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/loggers-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/loggers-values.yaml new file mode 100644 index 000000000..03c94be95 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/loggers-values.yaml @@ -0,0 +1,43 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + + loggers: + - access-audit.log + - access-request.log + - access-security-audit.log + - access-service.log + - artifactory-access.log + - artifactory-event.log + - artifactory-import-export.log + - artifactory-request.log + - artifactory-service.log + - frontend-request.log + - frontend-service.log + - metadata-request.log + - metadata-service.log + - router-request.log + - router-service.log + - router-traefik.log + + catalinaLoggers: + - tomcat-catalina.log + - tomcat-localhost.log diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/medium-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/medium-values.yaml new file mode 100644 index 000000000..115e7d460 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/medium-values.yaml @@ -0,0 +1,85 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + persistence: + enabled: false + database: + maxOpenConnections: 100 + tomcat: + connector: + maxThreads: 200 + primary: + replicaCount: 3 + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "8Gi" + cpu: "6" + javaOpts: + xms: "6g" + xmx: "8g" +access: + database: + maxOpenConnections: 100 + tomcat: + connector: + maxThreads: 50 +router: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +frontend: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +metadata: + database: + maxOpenConnections: 100 + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +event: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +jfconnect: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +observability: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/migration-disabled-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/migration-disabled-values.yaml new file mode 100644 index 000000000..44895a373 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/migration-disabled-values.yaml @@ -0,0 +1,31 @@ +databaseUpgradeReady: true +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + migration: + enabled: false + persistence: + enabled: false + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + node: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/nginx-autoreload-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/nginx-autoreload-values.yaml new file mode 100644 index 000000000..a6f4e8001 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/nginx-autoreload-values.yaml @@ -0,0 +1,53 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true +## This is an exception here because HA needs masterKey to connect with other node members and it is commented in values to support 6.x to 7.x Migration +## Please refer https://github.com/jfrog/charts/blob/master/stable/artifactory-ha/README.md#special-upgrade-notes-1 +artifactory: + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + persistence: + enabled: false + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + node: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false + +nginx: + customVolumes: | + - name: scripts + configMap: + name: {{ template "artifactory-ha.fullname" . }}-nginx-scripts + defaultMode: 0550 + customVolumeMounts: | + - name: scripts + mountPath: /var/opt/jfrog/nginx/scripts/ + customCommand: + - /bin/sh + - -c + - | + # watch for configmap changes + /sbin/inotifyd /var/opt/jfrog/nginx/scripts/configreloader.sh {{ .Values.nginx.persistence.mountPath -}}/conf.d:n & + {{ if .Values.nginx.https.enabled -}} + # watch for tls secret changes + /sbin/inotifyd /var/opt/jfrog/nginx/scripts/configreloader.sh {{ .Values.nginx.persistence.mountPath -}}/ssl:n & + {{ end -}} + nginx -g 'daemon off;' diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/rtsplit-access-tls-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/rtsplit-access-tls-values.yaml new file mode 100644 index 000000000..6f3b13cb1 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/rtsplit-access-tls-values.yaml @@ -0,0 +1,106 @@ +databaseUpgradeReady: true +artifactory: + replicaCount: 3 + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + persistence: + enabled: false + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + node: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + +access: + accessConfig: + security: + tls: true + resetAccessCAKeys: true + +postgresql: + postgresqlPassword: password + postgresqlExtendedConf: + maxConnections: 102 + persistence: + enabled: false + +rbac: + create: true +serviceAccount: + create: true + automountServiceAccountToken: true + +ingress: + enabled: true + className: "testclass" + hosts: + - demonow.xyz +nginx: + enabled: false +jfconnect: + enabled: true + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +mc: + enabled: true +splitServicesToContainers: true + +router: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +frontend: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +metadata: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +event: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +observability: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/rtsplit-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/rtsplit-values.yaml new file mode 100644 index 000000000..87832a505 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/rtsplit-values.yaml @@ -0,0 +1,155 @@ +databaseUpgradeReady: true +artifactory: + replicaCount: 3 + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + persistence: + enabled: false + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + node: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + + # Add lifecycle hooks for artifactory container + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the artifactory postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the artifactory postStart handler >> /tmp/message"] + +postgresql: + postgresqlPassword: password + postgresqlExtendedConf: + maxConnections: 102 + persistence: + enabled: false + +rbac: + create: true +serviceAccount: + create: true + automountServiceAccountToken: true + +ingress: + enabled: true + className: "testclass" + hosts: + - demonow.xyz +nginx: + enabled: false +jfconnect: + enabled: true + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + # Add lifecycle hooks for jfconect container + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the jfconnect postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the jfconnect postStart handler >> /tmp/message"] + +mc: + enabled: true +splitServicesToContainers: true + +router: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + # Add lifecycle hooks for router container + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the router postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the router postStart handler >> /tmp/message"] +frontend: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + # Add lifecycle hooks for frontend container + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the frontend postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the frontend postStart handler >> /tmp/message"] +metadata: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the metadata postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the metadata postStart handler >> /tmp/message"] +event: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the event postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the event postStart handler >> /tmp/message"] +observability: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the observability postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the observability postStart handler >> /tmp/message"] diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/small-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/small-values.yaml new file mode 100644 index 000000000..9da2419d8 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/small-values.yaml @@ -0,0 +1,90 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + persistence: + enabled: false + database: + maxOpenConnections: 80 + tomcat: + connector: + maxThreads: 200 + primary: + replicaCount: 1 + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "6g" + node: + replicaCount: 2 +access: + database: + maxOpenConnections: 80 + tomcat: + connector: + maxThreads: 50 +router: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +frontend: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +metadata: + database: + maxOpenConnections: 80 + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +event: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +jfconnect: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +observability: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + +rtfs: + enabled: true diff --git a/charts/jfrog/artifactory-ha/107.104.6/ci/test-values.yaml b/charts/jfrog/artifactory-ha/107.104.6/ci/test-values.yaml new file mode 100644 index 000000000..8bbbb5b3e --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/ci/test-values.yaml @@ -0,0 +1,85 @@ +databaseUpgradeReady: true +artifactory: + metrics: + enabled: true + podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + unifiedSecretInstallation: false + persistence: + enabled: false + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + node: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + statefulset: + annotations: + artifactory: test + +postgresql: + postgresqlPassword: "password" + postgresqlExtendedConf: + maxConnections: "102" + persistence: + enabled: false +rbac: + create: true +serviceAccount: + create: true + automountServiceAccountToken: true +ingress: + enabled: true + className: "testclass" + hosts: + - demonow.xyz +nginx: + enabled: false + +jfconnect: + enabled: false + +## filebeat sidecar +filebeat: + enabled: true + filebeatYml: | + logging.level: info + path.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat + name: artifactory-filebeat + queue.spool: + file: + permissions: 0760 + filebeat.inputs: + - type: log + enabled: true + close_eof: ${CLOSE:false} + paths: + - {{ .Values.artifactory.persistence.mountPath }}/log/*.log + fields: + service: "jfrt" + log_type: "artifactory" + output.file: + path: "/tmp/filebeat" + filename: filebeat + readinessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + curl --fail 127.0.0.1:5066 diff --git a/charts/jfrog/artifactory-ha/107.104.6/files/binarystore.xml b/charts/jfrog/artifactory-ha/107.104.6/files/binarystore.xml new file mode 100644 index 000000000..d807bf2e4 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/files/binarystore.xml @@ -0,0 +1,442 @@ +{{- if and (eq .Values.artifactory.persistence.type "nfs") (.Values.artifactory.haDataDir.enabled) }} + + + + + + + +{{- end }} +{{- if and (eq .Values.artifactory.persistence.type "nfs") (not .Values.artifactory.haDataDir.enabled) }} + + {{- if (.Values.artifactory.persistence.maxCacheSize) }} + + + + + + {{- else }} + + + + {{- end }} + + {{- if .Values.artifactory.persistence.maxCacheSize }} + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + {{- end }} + + + {{ .Values.artifactory.persistence.nfs.dataDir }}/filestore + + + +{{- end }} + +{{- if eq .Values.artifactory.persistence.type "file-system" }} + +{{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + + + + + + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} + + {{- end }} + + + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + + // Specify the read and write strategy and redundancy for the sharding binary provider + + roundRobin + percentageFreeSpace + 2 + + + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} + //For each sub-provider (mount), specify the filestore location + + filestore{{ $sharedClaimNumber }} + + {{- end }} + +{{- else }} + + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + 2 + 2 + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + + + + shard-fs-1 + local + + + + + 30 + tester-remote1 + 10000 + remote + + + +{{- end }} +{{- end }} +{{- if or (eq .Values.artifactory.persistence.type "google-storage") (eq .Values.artifactory.persistence.type "google-storage-v2") (eq .Values.artifactory.persistence.type "google-storage-v2-direct") }} + + + {{- if or (eq .Values.artifactory.persistence.type "google-storage") (eq .Values.artifactory.persistence.type "google-storage-v2") }} + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + 2 + + + + + + + + + + + {{- else if eq .Values.artifactory.persistence.type "google-storage-v2-direct" }} + + + + + + {{- end }} + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + + {{- if or (eq .Values.artifactory.persistence.type "google-storage") (eq .Values.artifactory.persistence.type "google-storage-v2") }} + + local + + + + + 30 + 10000 + remote + + {{- end }} + + + + {{- if .Values.artifactory.persistence.googleStorage.useInstanceCredentials }} + true + {{- else }} + false + {{- end }} + {{ .Values.artifactory.persistence.googleStorage.enableSignedUrlRedirect }} + google-cloud-storage + {{ .Values.artifactory.persistence.googleStorage.endpoint }} + {{ .Values.artifactory.persistence.googleStorage.httpsOnly }} + {{ .Values.artifactory.persistence.googleStorage.bucketName }} + {{ .Values.artifactory.persistence.googleStorage.path }} + {{ .Values.artifactory.persistence.googleStorage.bucketExists }} + {{- if .Values.artifactory.persistence.googleStorage.signedUrlExpirySeconds }} + {{ .Values.artifactory.persistence.googleStorage.signedUrlExpirySeconds | int64 }} + {{- end }} + + +{{- end }} +{{- if or (eq .Values.artifactory.persistence.type "aws-s3-v3") (eq .Values.artifactory.persistence.type "s3-storage-v3-direct") (eq .Values.artifactory.persistence.type "s3-storage-v3-archive") }} + + + {{- if eq .Values.artifactory.persistence.type "aws-s3-v3" }} + + + + + + + + + + + + + {{- else if eq .Values.artifactory.persistence.type "s3-storage-v3-direct" }} + + + + + + {{- else if eq .Values.artifactory.persistence.type "s3-storage-v3-archive" }} + + + + + + + {{- end }} + + {{- if eq .Values.artifactory.persistence.type "aws-s3-v3" }} + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + + + + + remote + + + + local + + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + {{- end }} + + {{- if eq .Values.artifactory.persistence.type "s3-storage-v3-direct" }} + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + {{- end }} + + {{- with .Values.artifactory.persistence.awsS3V3 }} + + {{ .testConnection }} + {{- if .identity }} + {{ .identity }} + {{- end }} + {{- if .credential }} + {{ .credential }} + {{- end }} + {{ .region }} + {{ .bucketName }} + {{ .path }} + {{ .endpoint }} + {{- with .port }} + {{ . }} + {{- end }} + {{- with .useHttp }} + {{ . }} + {{- end }} + {{- with .maxConnections }} + {{ . }} + {{- end }} + {{- with .connectionTimeout }} + {{ . }} + {{- end }} + {{- with .socketTimeout }} + {{ . }} + {{- end }} + {{- with .kmsServerSideEncryptionKeyId }} + {{ . }} + {{- end }} + {{- with .kmsKeyRegion }} + {{ . }} + {{- end }} + {{- with .kmsCryptoMode }} + {{ . }} + {{- end }} + {{- if .useInstanceCredentials }} + true + {{- else }} + false + {{- end }} + {{ .usePresigning }} + {{ .signatureExpirySeconds }} + {{ .signedUrlExpirySeconds }} + {{- with .cloudFrontDomainName }} + {{ . }} + {{- end }} + {{- with .cloudFrontKeyPairId }} + {{ . }} + {{- end }} + {{- with .cloudFrontPrivateKey }} + {{ . }} + {{- end }} + {{- with .enableSignedUrlRedirect }} + {{ . }} + {{- end }} + {{- with .enablePathStyleAccess }} + {{ . }} + {{- end }} + {{- with .multiPartLimit }} + {{ . | int64 }} + {{- end }} + {{- with .multipartElementSize }} + {{ . | int64 }} + {{- end }} + + {{- end }} + +{{- end }} + +{{- if or (eq .Values.artifactory.persistence.type "azure-blob") (eq .Values.artifactory.persistence.type "azure-blob-storage-direct") }} + + + {{- if eq .Values.artifactory.persistence.type "azure-blob" }} + + + + + + + + + + + + + {{- else if eq .Values.artifactory.persistence.type "azure-blob-storage-direct" }} + + + + + + {{- end }} + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + + {{- if eq .Values.artifactory.persistence.type "azure-blob" }} + + + crossNetworkStrategy + crossNetworkStrategy + 2 + 1 + + + + + remote + + + + local + + {{- end }} + + + + {{ .Values.artifactory.persistence.azureBlob.accountName }} + {{ .Values.artifactory.persistence.azureBlob.accountKey }} + {{ .Values.artifactory.persistence.azureBlob.endpoint }} + {{ .Values.artifactory.persistence.azureBlob.containerName }} + {{ .Values.artifactory.persistence.azureBlob.multiPartLimit | int64 }} + {{ .Values.artifactory.persistence.azureBlob.multipartElementSize | int64 }} + {{ .Values.artifactory.persistence.azureBlob.testConnection }} + + +{{- end }} +{{- if eq .Values.artifactory.persistence.type "azure-blob-storage-v2-direct" -}} + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + + {{ .Values.artifactory.persistence.azureBlob.accountName }} + {{ .Values.artifactory.persistence.azureBlob.accountKey }} + {{ .Values.artifactory.persistence.azureBlob.endpoint }} + {{ .Values.artifactory.persistence.azureBlob.containerName }} + {{ .Values.artifactory.persistence.azureBlob.multiPartLimit | int64 }} + {{ .Values.artifactory.persistence.azureBlob.multipartElementSize | int64 }} + {{ .Values.artifactory.persistence.azureBlob.testConnection }} + + +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/files/installer-info.json b/charts/jfrog/artifactory-ha/107.104.6/files/installer-info.json new file mode 100644 index 000000000..cf6b020fb --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/files/installer-info.json @@ -0,0 +1,32 @@ +{ + "productId": "Helm_artifactory-ha/{{ .Chart.Version }}", + "features": [ + { + "featureId": "Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}" + }, + { + "featureId": "Database/{{ .Values.database.type }}" + }, + { + "featureId": "PostgreSQL_Enabled/{{ .Values.postgresql.enabled }}" + }, + { + "featureId": "Nginx_Enabled/{{ .Values.nginx.enabled }}" + }, + { + "featureId": "ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}" + }, + { + "featureId": "SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}" + }, + { + "featureId": "UnifiedSecretInstallation_Enabled/{{ .Values.artifactory.unifiedSecretInstallation }}" + }, + { + "featureId": "Filebeat_Enabled/{{ .Values.filebeat.enabled }}" + }, + { + "featureId": "ReplicaCount/{{ add .Values.artifactory.primary.replicaCount .Values.artifactory.node.replicaCount }}" + } + ] +} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/files/migrate.sh b/charts/jfrog/artifactory-ha/107.104.6/files/migrate.sh new file mode 100644 index 000000000..ba44160f4 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/files/migrate.sh @@ -0,0 +1,4311 @@ +#!/bin/bash + +# Flags +FLAG_Y="y" +FLAG_N="n" +FLAGS_Y_N="$FLAG_Y $FLAG_N" +FLAG_NOT_APPLICABLE="_NA_" + +CURRENT_VERSION=$1 + +WRAPPER_SCRIPT_TYPE_RPMDEB="RPMDEB" +WRAPPER_SCRIPT_TYPE_DOCKER_COMPOSE="DOCKERCOMPOSE" + +SENSITIVE_KEY_VALUE="__sensitive_key_hidden___" + +# Shared system keys +SYS_KEY_SHARED_JFROGURL="shared.jfrogUrl" +SYS_KEY_SHARED_SECURITY_JOINKEY="shared.security.joinKey" +SYS_KEY_SHARED_SECURITY_MASTERKEY="shared.security.masterKey" + +SYS_KEY_SHARED_NODE_ID="shared.node.id" +SYS_KEY_SHARED_JAVAHOME="shared.javaHome" + +SYS_KEY_SHARED_DATABASE_TYPE="shared.database.type" +SYS_KEY_SHARED_DATABASE_TYPE_VALUE_POSTGRES="postgresql" +SYS_KEY_SHARED_DATABASE_DRIVER="shared.database.driver" +SYS_KEY_SHARED_DATABASE_URL="shared.database.url" +SYS_KEY_SHARED_DATABASE_USERNAME="shared.database.username" +SYS_KEY_SHARED_DATABASE_PASSWORD="shared.database.password" + +SYS_KEY_SHARED_ELASTICSEARCH_URL="shared.elasticsearch.url" +SYS_KEY_SHARED_ELASTICSEARCH_USERNAME="shared.elasticsearch.username" +SYS_KEY_SHARED_ELASTICSEARCH_PASSWORD="shared.elasticsearch.password" +SYS_KEY_SHARED_ELASTICSEARCH_CLUSTERSETUP="shared.elasticsearch.clusterSetup" +SYS_KEY_SHARED_ELASTICSEARCH_UNICASTFILE="shared.elasticsearch.unicastFile" +SYS_KEY_SHARED_ELASTICSEARCH_CLUSTERSETUP_VALUE="YES" + +# Define this in product specific script. Should contain the path to unitcast file +# File used by insight server to write cluster active nodes info. This will be read by elasticsearch +#SYS_KEY_SHARED_ELASTICSEARCH_UNICASTFILE_VALUE="" + +SYS_KEY_RABBITMQ_ACTIVE_NODE_NAME="shared.rabbitMq.active.node.name" +SYS_KEY_RABBITMQ_ACTIVE_NODE_IP="shared.rabbitMq.active.node.ip" + +# Filenames +FILE_NAME_SYSTEM_YAML="system.yaml" +FILE_NAME_JOIN_KEY="join.key" +FILE_NAME_MASTER_KEY="master.key" +FILE_NAME_INSTALLER_YAML="installer.yaml" + +# Global constants used in business logic +NODE_TYPE_STANDALONE="standalone" +NODE_TYPE_CLUSTER_NODE="node" +NODE_TYPE_DATABASE="database" + +# External(isable) databases +DATABASE_POSTGRES="POSTGRES" +DATABASE_ELASTICSEARCH="ELASTICSEARCH" +DATABASE_RABBITMQ="RABBITMQ" + +POSTGRES_LABEL="PostgreSQL" +ELASTICSEARCH_LABEL="Elasticsearch" +RABBITMQ_LABEL="Rabbitmq" + +ARTIFACTORY_LABEL="Artifactory" +JFMC_LABEL="Mission Control" +DISTRIBUTION_LABEL="Distribution" +XRAY_LABEL="Xray" + +POSTGRES_CONTAINER="postgres" +ELASTICSEARCH_CONTAINER="elasticsearch" +RABBITMQ_CONTAINER="rabbitmq" +REDIS_CONTAINER="redis" + +#Adding a small timeout before a read ensures it is positioned correctly in the screen +read_timeout=0.5 + +# Options related to data directory location +PROMPT_DATA_DIR_LOCATION="Installation Directory" +KEY_DATA_DIR_LOCATION="installer.data_dir" + +SYS_KEY_SHARED_NODE_HAENABLED="shared.node.haEnabled" +PROMPT_ADD_TO_CLUSTER="Are you adding an additional node to an existing product cluster?" +KEY_ADD_TO_CLUSTER="installer.ha" +VALID_VALUES_ADD_TO_CLUSTER="$FLAGS_Y_N" + +MESSAGE_POSTGRES_INSTALL="The installer can install a $POSTGRES_LABEL database, or you can connect to an existing compatible $POSTGRES_LABEL database\n(compatible databases: https://www.jfrog.com/confluence/display/JFROG/System+Requirements#SystemRequirements-RequirementsMatrix)" +PROMPT_POSTGRES_INSTALL="Do you want to install $POSTGRES_LABEL?" +KEY_POSTGRES_INSTALL="installer.install_postgresql" +VALID_VALUES_POSTGRES_INSTALL="$FLAGS_Y_N" + +# Postgres connection details +RPM_DEB_POSTGRES_HOME_DEFAULT="/var/opt/jfrog/postgres" +RPM_DEB_MESSAGE_STANDALONE_POSTGRES_DATA="$POSTGRES_LABEL home will have data and its configuration" +RPM_DEB_PROMPT_STANDALONE_POSTGRES_DATA="Type desired $POSTGRES_LABEL home location" +RPM_DEB_KEY_STANDALONE_POSTGRES_DATA="installer.postgresql.home" + +MESSAGE_DATABASE_URL="Provide the database connection details" +PROMPT_DATABASE_URL(){ + local databaseURlExample= + case "$PRODUCT_NAME" in + $ARTIFACTORY_LABEL) + databaseURlExample="jdbc:postgresql://:/artifactory" + ;; + $JFMC_LABEL) + databaseURlExample="postgresql://:/mission_control?sslmode=disable" + ;; + $DISTRIBUTION_LABEL) + databaseURlExample="jdbc:postgresql://:/distribution?sslmode=disable" + ;; + $XRAY_LABEL) + databaseURlExample="postgres://:/xraydb?sslmode=disable" + ;; + esac + if [ -z "$databaseURlExample" ]; then + echo -n "$POSTGRES_LABEL URL" # For consistency with username and password + return + fi + echo -n "$POSTGRES_LABEL url. Example: [$databaseURlExample]" +} +REGEX_DATABASE_URL(){ + local databaseURlExample= + case "$PRODUCT_NAME" in + $ARTIFACTORY_LABEL) + databaseURlExample="jdbc:postgresql://.*/artifactory.*" + ;; + $JFMC_LABEL) + databaseURlExample="postgresql://.*/mission_control.*" + ;; + $DISTRIBUTION_LABEL) + databaseURlExample="jdbc:postgresql://.*/distribution.*" + ;; + $XRAY_LABEL) + databaseURlExample="postgres://.*/xraydb.*" + ;; + esac + echo -n "^$databaseURlExample\$" +} +ERROR_MESSAGE_DATABASE_URL="Invalid $POSTGRES_LABEL URL" +KEY_DATABASE_URL="$SYS_KEY_SHARED_DATABASE_URL" +#NOTE: It is important to display the label. Since the message may be hidden if URL is known +PROMPT_DATABASE_USERNAME="$POSTGRES_LABEL username" +KEY_DATABASE_USERNAME="$SYS_KEY_SHARED_DATABASE_USERNAME" +#NOTE: It is important to display the label. Since the message may be hidden if URL is known +PROMPT_DATABASE_PASSWORD="$POSTGRES_LABEL password" +KEY_DATABASE_PASSWORD="$SYS_KEY_SHARED_DATABASE_PASSWORD" +IS_SENSITIVE_DATABASE_PASSWORD="$FLAG_Y" + +MESSAGE_STANDALONE_ELASTICSEARCH_INSTALL="The installer can install a $ELASTICSEARCH_LABEL database or you can connect to an existing compatible $ELASTICSEARCH_LABEL database" +PROMPT_STANDALONE_ELASTICSEARCH_INSTALL="Do you want to install $ELASTICSEARCH_LABEL?" +KEY_STANDALONE_ELASTICSEARCH_INSTALL="installer.install_elasticsearch" +VALID_VALUES_STANDALONE_ELASTICSEARCH_INSTALL="$FLAGS_Y_N" + +# Elasticsearch connection details +MESSAGE_ELASTICSEARCH_DETAILS="Provide the $ELASTICSEARCH_LABEL connection details" +PROMPT_ELASTICSEARCH_URL="$ELASTICSEARCH_LABEL URL" +KEY_ELASTICSEARCH_URL="$SYS_KEY_SHARED_ELASTICSEARCH_URL" + +PROMPT_ELASTICSEARCH_USERNAME="$ELASTICSEARCH_LABEL username" +KEY_ELASTICSEARCH_USERNAME="$SYS_KEY_SHARED_ELASTICSEARCH_USERNAME" + +PROMPT_ELASTICSEARCH_PASSWORD="$ELASTICSEARCH_LABEL password" +KEY_ELASTICSEARCH_PASSWORD="$SYS_KEY_SHARED_ELASTICSEARCH_PASSWORD" +IS_SENSITIVE_ELASTICSEARCH_PASSWORD="$FLAG_Y" + +# Cluster related questions +MESSAGE_CLUSTER_MASTER_KEY="Provide the cluster's master key. It can be found in the data directory of the first node under /etc/security/master.key" +PROMPT_CLUSTER_MASTER_KEY="Master Key" +KEY_CLUSTER_MASTER_KEY="$SYS_KEY_SHARED_SECURITY_MASTERKEY" +IS_SENSITIVE_CLUSTER_MASTER_KEY="$FLAG_Y" + +MESSAGE_JOIN_KEY="The Join key is the secret key used to establish trust between services in the JFrog Platform.\n(You can copy the Join Key from Admin > User Management > Settings)" +PROMPT_JOIN_KEY="Join Key" +KEY_JOIN_KEY="$SYS_KEY_SHARED_SECURITY_JOINKEY" +IS_SENSITIVE_JOIN_KEY="$FLAG_Y" +REGEX_JOIN_KEY="^[a-zA-Z0-9]{16,}\$" +ERROR_MESSAGE_JOIN_KEY="Invalid Join Key" + +# Rabbitmq related cluster information +MESSAGE_RABBITMQ_ACTIVE_NODE_NAME="Provide an active ${RABBITMQ_LABEL} node name. Run the command [ hostname -s ] on any of the existing nodes in the product cluster to get this" +PROMPT_RABBITMQ_ACTIVE_NODE_NAME="${RABBITMQ_LABEL} active node name" +KEY_RABBITMQ_ACTIVE_NODE_NAME="$SYS_KEY_RABBITMQ_ACTIVE_NODE_NAME" + +# Rabbitmq related cluster information (necessary only for docker-compose) +PROMPT_RABBITMQ_ACTIVE_NODE_IP="${RABBITMQ_LABEL} active node ip" +KEY_RABBITMQ_ACTIVE_NODE_IP="$SYS_KEY_RABBITMQ_ACTIVE_NODE_IP" + +MESSAGE_JFROGURL(){ + echo -e "The JFrog URL allows ${PRODUCT_NAME} to connect to a JFrog Platform Instance.\n(You can copy the JFrog URL from Administration > User Management > Settings > Connection details)" +} +PROMPT_JFROGURL="JFrog URL" +KEY_JFROGURL="$SYS_KEY_SHARED_JFROGURL" +REGEX_JFROGURL="^https?://.*:{0,}[0-9]{0,4}\$" +ERROR_MESSAGE_JFROGURL="Invalid JFrog URL" + + +# Set this to FLAG_Y on upgrade +IS_UPGRADE="${FLAG_N}" + +# This belongs in JFMC but is the ONLY one that needs it so keeping it here for now. Can be made into a method and overridden if necessary +MESSAGE_MULTIPLE_PG_SCHEME="Please setup $POSTGRES_LABEL with schema as described in https://www.jfrog.com/confluence/display/JFROG/Installing+Mission+Control" + +_getMethodOutputOrVariableValue() { + unset EFFECTIVE_MESSAGE + local keyToSearch=$1 + local effectiveMessage= + local result="0" + # logSilly "Searching for method: [$keyToSearch]" + LC_ALL=C type "$keyToSearch" > /dev/null 2>&1 || result="$?" + if [[ "$result" == "0" ]]; then + # logSilly "Found method for [$keyToSearch]" + EFFECTIVE_MESSAGE="$($keyToSearch)" + return + fi + eval EFFECTIVE_MESSAGE=\${$keyToSearch} + if [ ! -z "$EFFECTIVE_MESSAGE" ]; then + return + fi + # logSilly "Didn't find method or variable for [$keyToSearch]" +} + + +# REF https://misc.flogisoft.com/bash/tip_colors_and_formatting +cClear="\e[0m" +cBlue="\e[38;5;69m" +cRedDull="\e[1;31m" +cYellow="\e[1;33m" +cRedBright="\e[38;5;197m" +cBold="\e[1m" + + +_loggerGetModeRaw() { + local MODE="$1" + case $MODE in + INFO) + printf "" + ;; + DEBUG) + printf "%s" "[${MODE}] " + ;; + WARN) + printf "${cRedDull}%s%s${cClear}" "[" "${MODE}" "] " + ;; + ERROR) + printf "${cRedBright}%s%s${cClear}" "[" "${MODE}" "] " + ;; + esac +} + + +_loggerGetMode() { + local MODE="$1" + case $MODE in + INFO) + printf "${cBlue}%s%-5s%s${cClear}" "[" "${MODE}" "]" + ;; + DEBUG) + printf "%-7s" "[${MODE}]" + ;; + WARN) + printf "${cRedDull}%s%-5s%s${cClear}" "[" "${MODE}" "]" + ;; + ERROR) + printf "${cRedBright}%s%-5s%s${cClear}" "[" "${MODE}" "]" + ;; + esac +} + +# Capitalises the first letter of the message +_loggerGetMessage() { + local originalMessage="$*" + local firstChar=$(echo "${originalMessage:0:1}" | awk '{ print toupper($0) }') + local resetOfMessage="${originalMessage:1}" + echo "$firstChar$resetOfMessage" +} + +# The spec also says content should be left-trimmed but this is not necessary in our case. We don't reach the limit. +_loggerGetStackTrace() { + printf "%s%-30s%s" "[" "$1:$2" "]" +} + +_loggerGetThread() { + printf "%s" "[main]" +} + +_loggerGetServiceType() { + printf "%s%-5s%s" "[" "shell" "]" +} + +#Trace ID is not applicable to scripts +_loggerGetTraceID() { + printf "%s" "[]" +} + +logRaw() { + echo "" + printf "$1" + echo "" +} + +logBold(){ + echo "" + printf "${cBold}$1${cClear}" + echo "" +} + +# The date binary works differently based on whether it is GNU/BSD +is_date_supported=0 +date --version > /dev/null 2>&1 || is_date_supported=1 +IS_GNU=$(echo $is_date_supported) + +_loggerGetTimestamp() { + if [ "${IS_GNU}" == "0" ]; then + echo -n $(date -u +%FT%T.%3NZ) + else + echo -n $(date -u +%FT%T.000Z) + fi +} + +# https://www.shellscript.sh/tips/spinner/ +_spin() +{ + spinner="/|\\-/|\\-" + while : + do + for i in `seq 0 7` + do + echo -n "${spinner:$i:1}" + echo -en "\010" + sleep 1 + done + done +} + +showSpinner() { + # Start the Spinner: + _spin & + # Make a note of its Process ID (PID): + SPIN_PID=$! + # Kill the spinner on any signal, including our own exit. + trap "kill -9 $SPIN_PID" `seq 0 15` &> /dev/null || return 0 +} + +stopSpinner() { + local occurrences=$(ps -ef | grep -wc "${SPIN_PID}") + let "occurrences+=0" + # validate that it is present (2 since this search itself will show up in the results) + if [ $occurrences -gt 1 ]; then + kill -9 $SPIN_PID &>/dev/null || return 0 + wait $SPIN_ID &>/dev/null + fi +} + +_getEffectiveMessage(){ + local MESSAGE="$1" + local MODE=${2-"INFO"} + + if [ -z "$CONTEXT" ]; then + CONTEXT=$(caller) + fi + + _EFFECTIVE_MESSAGE= + if [ -z "$LOG_BEHAVIOR_ADD_META" ]; then + _EFFECTIVE_MESSAGE="$(_loggerGetModeRaw $MODE)$(_loggerGetMessage $MESSAGE)" + else + local SERVICE_TYPE="script" + local TRACE_ID="" + local THREAD="main" + + local CONTEXT_LINE=$(echo "$CONTEXT" | awk '{print $1}') + local CONTEXT_FILE=$(echo "$CONTEXT" | awk -F"/" '{print $NF}') + + _EFFECTIVE_MESSAGE="$(_loggerGetTimestamp) $(_loggerGetServiceType) $(_loggerGetMode $MODE) $(_loggerGetTraceID) $(_loggerGetStackTrace $CONTEXT_FILE $CONTEXT_LINE) $(_loggerGetThread) - $(_loggerGetMessage $MESSAGE)" + fi + CONTEXT= +} + +# Important - don't call any log method from this method. Will become an infinite loop. Use echo to debug +_logToFile() { + local MODE=${1-"INFO"} + local targetFile="$LOG_BEHAVIOR_ADD_REDIRECTION" + # IF the file isn't passed, abort + if [ -z "$targetFile" ]; then + return + fi + # IF this is not being run in verbose mode and mode is debug or lower, abort + if [ "${VERBOSE_MODE}" != "$FLAG_Y" ] && [ "${VERBOSE_MODE}" != "true" ] && [ "${VERBOSE_MODE}" != "debug" ]; then + if [ "$MODE" == "DEBUG" ] || [ "$MODE" == "SILLY" ]; then + return + fi + fi + + # Create the file if it doesn't exist + if [ ! -f "${targetFile}" ]; then + return + # touch $targetFile > /dev/null 2>&1 || true + fi + # # Make it readable + # chmod 640 $targetFile > /dev/null 2>&1 || true + + # Log contents + printf "%s\n" "$_EFFECTIVE_MESSAGE" >> "$targetFile" || true +} + +logger() { + if [ "$LOG_BEHAVIOR_ADD_NEW_LINE" == "$FLAG_Y" ]; then + echo "" + fi + _getEffectiveMessage "$@" + local MODE=${2-"INFO"} + printf "%s\n" "$_EFFECTIVE_MESSAGE" + _logToFile "$MODE" +} + +logDebug(){ + VERBOSE_MODE=${VERBOSE_MODE-"false"} + CONTEXT=$(caller) + if [ "${VERBOSE_MODE}" == "$FLAG_Y" ] || [ "${VERBOSE_MODE}" == "true" ] || [ "${VERBOSE_MODE}" == "debug" ];then + logger "$1" "DEBUG" + else + logger "$1" "DEBUG" >&6 + fi + CONTEXT= +} + +logSilly(){ + VERBOSE_MODE=${VERBOSE_MODE-"false"} + CONTEXT=$(caller) + if [ "${VERBOSE_MODE}" == "silly" ];then + logger "$1" "DEBUG" + else + logger "$1" "DEBUG" >&6 + fi + CONTEXT= +} + +logError() { + CONTEXT=$(caller) + logger "$1" "ERROR" + CONTEXT= +} + +errorExit () { + CONTEXT=$(caller) + logger "$1" "ERROR" + CONTEXT= + exit 1 +} + +warn () { + CONTEXT=$(caller) + logger "$1" "WARN" + CONTEXT= +} + +note () { + CONTEXT=$(caller) + logger "$1" "NOTE" + CONTEXT= +} + +bannerStart() { + title=$1 + echo + echo -e "\033[1m${title}\033[0m" + echo +} + +bannerSection() { + title=$1 + echo + echo -e "******************************** ${title} ********************************" + echo +} + +bannerSubSection() { + title=$1 + echo + echo -e "************** ${title} *******************" + echo +} + +bannerMessge() { + title=$1 + echo + echo -e "********************************" + echo -e "${title}" + echo -e "********************************" + echo +} + +setRed () { + local input="$1" + echo -e \\033[31m${input}\\033[0m +} +setGreen () { + local input="$1" + echo -e \\033[32m${input}\\033[0m +} +setYellow () { + local input="$1" + echo -e \\033[33m${input}\\033[0m +} + +logger_addLinebreak () { + echo -e "---\n" +} + +bannerImportant() { + title=$1 + local bold="\033[1m" + local noColour="\033[0m" + echo + echo -e "${bold}######################################## IMPORTANT ########################################${noColour}" + echo -e "${bold}${title}${noColour}" + echo -e "${bold}###########################################################################################${noColour}" + echo +} + +bannerEnd() { + #TODO pass a title and calculate length dynamically so that start and end look alike + echo + echo "*****************************************************************************" + echo +} + +banner() { + title=$1 + content=$2 + bannerStart "${title}" + echo -e "$content" +} + +# The logic below helps us redirect content we'd normally hide to the log file. + # + # We have several commands which clutter the console with output and so use + # `cmd > /dev/null` - this redirects the command's output to null. + # + # However, the information we just hid maybe useful for support. Using the code pattern + # `cmd >&6` (instead of `cmd> >/dev/null` ), the command's output is hidden from the console + # but redirected to the installation log file + # + +#Default value of 6 is just null +exec 6>>/dev/null +redirectLogsToFile() { + echo "" + # local file=$1 + + # [ ! -z "${file}" ] || return 0 + + # local logDir=$(dirname "$file") + + # if [ ! -f "${file}" ]; then + # [ -d "${logDir}" ] || mkdir -p ${logDir} || \ + # ( echo "WARNING : Could not create parent directory (${logDir}) to redirect console log : ${file}" ; return 0 ) + # fi + + # #6 now points to the log file + # exec 6>>${file} + # #reference https://unix.stackexchange.com/questions/145651/using-exec-and-tee-to-redirect-logs-to-stdout-and-a-log-file-in-the-same-time + # exec 2>&1 > >(tee -a "${file}") +} + +# Check if a give key contains any sensitive string as part of it +# Based on the result, the caller can decide its value can be displayed or not +# Sample usage : isKeySensitive "${key}" && displayValue="******" || displayValue=${value} +isKeySensitive(){ + local key=$1 + local sensitiveKeys="password|secret|key|token" + + if [ -z "${key}" ]; then + return 1 + else + local lowercaseKey=$(echo "${key}" | tr '[:upper:]' '[:lower:]' 2>/dev/null) + [[ "${lowercaseKey}" =~ ${sensitiveKeys} ]] && return 0 || return 1 + fi +} + +getPrintableValueOfKey(){ + local displayValue= + local key="$1" + if [ -z "$key" ]; then + # This is actually an incorrect usage of this method but any logging will cause unexpected content in the caller + echo -n "" + return + fi + + local value="$2" + isKeySensitive "${key}" && displayValue="$SENSITIVE_KEY_VALUE" || displayValue="${value}" + echo -n $displayValue +} + +_createConsoleLog(){ + if [ -z "${JF_PRODUCT_HOME}" ]; then + return + fi + local targetFile="${JF_PRODUCT_HOME}/var/log/console.log" + mkdir -p "${JF_PRODUCT_HOME}/var/log" || true + if [ ! -f ${targetFile} ]; then + touch $targetFile > /dev/null 2>&1 || true + fi + chmod 640 $targetFile > /dev/null 2>&1 || true +} + +# Output from application's logs are piped to this method. It checks a configuration variable to determine if content should be logged to +# the common console.log file +redirectServiceLogsToFile() { + + local result="0" + # check if the function getSystemValue exists + LC_ALL=C type getSystemValue > /dev/null 2>&1 || result="$?" + if [[ "$result" != "0" ]]; then + warn "Couldn't find the systemYamlHelper. Skipping log redirection" + return 0 + fi + + getSystemValue "shared.consoleLog" "NOT_SET" + if [[ "${YAML_VALUE}" == "false" ]]; then + logger "Redirection is set to false. Skipping log redirection" + return 0; + fi + + if [ -z "${JF_PRODUCT_HOME}" ] || [ "${JF_PRODUCT_HOME}" == "" ]; then + warn "JF_PRODUCT_HOME is unavailable. Skipping log redirection" + return 0 + fi + + local targetFile="${JF_PRODUCT_HOME}/var/log/console.log" + + _createConsoleLog + + while read -r line; do + printf '%s\n' "${line}" >> $targetFile || return 0 # Don't want to log anything - might clutter the screen + done +} + +## Display environment variables starting with JF_ along with its value +## Value of sensitive keys will be displayed as "******" +## +## Sample Display : +## +## ======================== +## JF Environment variables +## ======================== +## +## JF_SHARED_NODE_ID : locahost +## JF_SHARED_JOINKEY : ****** +## +## +displayEnv() { + local JFEnv=$(printenv | grep ^JF_ 2>/dev/null) + local key= + local value= + + if [ -z "${JFEnv}" ]; then + return + fi + + cat << ENV_START_MESSAGE + +======================== +JF Environment variables +======================== +ENV_START_MESSAGE + + for entry in ${JFEnv}; do + key=$(echo "${entry}" | awk -F'=' '{print $1}') + value=$(echo "${entry}" | awk -F'=' '{print $2}') + + isKeySensitive "${key}" && value="******" || value=${value} + + printf "\n%-35s%s" "${key}" " : ${value}" + done + echo; +} + +_addLogRotateConfiguration() { + logDebug "Method ${FUNCNAME[0]}" + # mandatory inputs + local confFile="$1" + local logFile="$2" + + # Method available in _ioOperations.sh + LC_ALL=C type io_setYQPath > /dev/null 2>&1 || return 1 + + io_setYQPath + + # Method available in _systemYamlHelper.sh + LC_ALL=C type getSystemValue > /dev/null 2>&1 || return 1 + + local frequency="daily" + local archiveFolder="archived" + + local compressLogFiles= + getSystemValue "shared.logging.rotation.compress" "true" + if [[ "${YAML_VALUE}" == "true" ]]; then + compressLogFiles="compress" + fi + + getSystemValue "shared.logging.rotation.maxFiles" "10" + local noOfBackupFiles="${YAML_VALUE}" + + getSystemValue "shared.logging.rotation.maxSizeMb" "25" + local sizeOfFile="${YAML_VALUE}M" + + logDebug "Adding logrotate configuration for [$logFile] to [$confFile]" + + # Add configuration to file + local confContent=$(cat << LOGROTATECONF +$logFile { + $frequency + missingok + rotate $noOfBackupFiles + $compressLogFiles + notifempty + olddir $archiveFolder + dateext + extension .log + dateformat -%Y-%m-%d + size ${sizeOfFile} +} +LOGROTATECONF +) + echo "${confContent}" > ${confFile} || return 1 +} + +_operationIsBySameUser() { + local targetUser="$1" + local currentUserID=$(id -u) + local currentUserName=$(id -un) + + if [ $currentUserID == $targetUser ] || [ $currentUserName == $targetUser ]; then + echo -n "yes" + else + echo -n "no" + fi +} + +_addCronJobForLogrotate() { + logDebug "Method ${FUNCNAME[0]}" + + # Abort if logrotate is not available + [ "$(io_commandExists 'crontab')" != "yes" ] && warn "cron is not available" && return 1 + + # mandatory inputs + local productHome="$1" + local confFile="$2" + local cronJobOwner="$3" + + # We want to use our binary if possible. It may be more recent than the one in the OS + local logrotateBinary="$productHome/app/third-party/logrotate/logrotate" + + if [ ! -f "$logrotateBinary" ]; then + logrotateBinary="logrotate" + [ "$(io_commandExists 'logrotate')" != "yes" ] && warn "logrotate is not available" && return 1 + fi + local cmd="$logrotateBinary ${confFile} --state $productHome/var/etc/logrotate/logrotate-state" #--verbose + + id -u $cronJobOwner > /dev/null 2>&1 || { warn "User $cronJobOwner does not exist. Aborting logrotate configuration" && return 1; } + + # Remove the existing line + removeLogRotation "$productHome" "$cronJobOwner" || true + + # Run logrotate daily at 23:55 hours + local cronInterval="55 23 * * * $cmd" + + local standaloneMode=$(_operationIsBySameUser "$cronJobOwner") + + # If this is standalone mode, we cannot use -u - the user running this process may not have the necessary privileges + if [ "$standaloneMode" == "no" ]; then + (crontab -l -u $cronJobOwner 2>/dev/null; echo "$cronInterval") | crontab -u $cronJobOwner - + else + (crontab -l 2>/dev/null; echo "$cronInterval") | crontab - + fi +} + +## Configure logrotate for a product +## Failure conditions: +## If logrotation could not be setup for some reason +## Parameters: +## $1: The product name +## $2: The product home +## Depends on global: none +## Updates global: none +## Returns: NA + +configureLogRotation() { + logDebug "Method ${FUNCNAME[0]}" + + # mandatory inputs + local productName="$1" + if [ -z $productName ]; then + warn "Incorrect usage. A product name is necessary for configuring log rotation" && return 1 + fi + + local productHome="$2" + if [ -z $productHome ]; then + warn "Incorrect usage. A product home folder is necessary for configuring log rotation" && return 1 + fi + + local logFile="${productHome}/var/log/console.log" + if [[ $(uname) == "Darwin" ]]; then + logger "Log rotation for [$logFile] has not been configured. Please setup manually" + return 0 + fi + + local userID="$3" + if [ -z $userID ]; then + warn "Incorrect usage. A userID is necessary for configuring log rotation" && return 1 + fi + + local groupID=${4:-$userID} + local logConfigOwner=${5:-$userID} + + logDebug "Configuring log rotation as user [$userID], group [$groupID], effective cron User [$logConfigOwner]" + + local errorMessage="Could not configure logrotate. Please configure log rotation of the file: [$logFile] manually" + + local confFile="${productHome}/var/etc/logrotate/logrotate.conf" + + # TODO move to recursive method + createDir "${productHome}" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + createDir "${productHome}/var" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + createDir "${productHome}/var/log" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + createDir "${productHome}/var/log/archived" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + + # TODO move to recursive method + createDir "${productHome}/var/etc" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + createDir "${productHome}/var/etc/logrotate" "$logConfigOwner" || { warn "${errorMessage}" && return 1; } + + # conf file should be owned by the user running the script + createFile "${confFile}" "${logConfigOwner}" || { warn "Could not create configuration file [$confFile]" return 1; } + + _addLogRotateConfiguration "${confFile}" "${logFile}" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + _addCronJobForLogrotate "${productHome}" "${confFile}" "${logConfigOwner}" || { warn "${errorMessage}" && return 1; } +} + +_pauseExecution() { + if [ "${VERBOSE_MODE}" == "debug" ]; then + + local breakPoint="$1" + if [ ! -z "$breakPoint" ]; then + printf "${cBlue}Breakpoint${cClear} [$breakPoint] " + echo "" + fi + printf "${cBlue}Press enter once you are ready to continue${cClear}" + read -s choice + echo "" + fi +} + +# removeLogRotation "$productHome" "$cronJobOwner" || true +removeLogRotation() { + logDebug "Method ${FUNCNAME[0]}" + if [[ $(uname) == "Darwin" ]]; then + logDebug "Not implemented for Darwin." + return 0 + fi + local productHome="$1" + local cronJobOwner="$2" + local standaloneMode=$(_operationIsBySameUser "$cronJobOwner") + + local confFile="${productHome}/var/etc/logrotate/logrotate.conf" + + if [ "$standaloneMode" == "no" ]; then + crontab -l -u $cronJobOwner 2>/dev/null | grep -v "$confFile" | crontab -u $cronJobOwner - + else + crontab -l 2>/dev/null | grep -v "$confFile" | crontab - + fi +} + +# NOTE: This method does not check the configuration to see if redirection is necessary. +# This is intentional. If we don't redirect, tomcat logs might get redirected to a folder/file +# that does not exist, causing the service itself to not start +setupTomcatRedirection() { + logDebug "Method ${FUNCNAME[0]}" + local consoleLog="${JF_PRODUCT_HOME}/var/log/console.log" + _createConsoleLog + export CATALINA_OUT="${consoleLog}" +} + +setupScriptLogsRedirection() { + logDebug "Method ${FUNCNAME[0]}" + if [ -z "${JF_PRODUCT_HOME}" ]; then + logDebug "No JF_PRODUCT_HOME. Returning" + return + fi + # Create the console.log file if it is not already present + # _createConsoleLog || true + # # Ensure any logs (logger/logError/warn) also get redirected to the console.log + # # Using installer.log as a temparory fix. Please change this to console.log once INST-291 is fixed + export LOG_BEHAVIOR_ADD_REDIRECTION="${JF_PRODUCT_HOME}/var/log/console.log" + export LOG_BEHAVIOR_ADD_META="$FLAG_Y" +} + +# Returns Y if this method is run inside a container +isRunningInsideAContainer() { + local check1=$(grep -sq 'docker\|kubepods' /proc/1/cgroup; echo $?) + local check2=$(grep -sq 'containers' /proc/self/mountinfo; echo $?) + if [[ $check1 == 0 || $check2 == 0 || -f "/.dockerenv" ]]; then + echo -n "$FLAG_Y" + else + echo -n "$FLAG_N" + fi +} + +POSTGRES_USER=999 +NGINX_USER=104 +NGINX_GROUP=107 +ES_USER=1000 +REDIS_USER=999 +MONGO_USER=999 +RABBITMQ_USER=999 +LOG_FILE_PERMISSION=640 +PID_FILE_PERMISSION=644 + +# Copy file +copyFile(){ + local source=$1 + local target=$2 + local mode=${3:-overwrite} + local enableVerbose=${4:-"${FLAG_N}"} + local verboseFlag="" + + if [ ! -z "${enableVerbose}" ] && [ "${enableVerbose}" == "${FLAG_Y}" ]; then + verboseFlag="-v" + fi + + if [[ ! ( $source && $target ) ]]; then + warn "Source and target is mandatory to copy file" + return 1 + fi + + if [[ -f "${target}" ]]; then + [[ "$mode" = "overwrite" ]] && ( cp ${verboseFlag} -f "$source" "$target" || errorExit "Unable to copy file, command : cp -f ${source} ${target}") || true + else + cp ${verboseFlag} -f "$source" "$target" || errorExit "Unable to copy file, command : cp -f ${source} ${target}" + fi +} + +# Copy files recursively from given source directory to destination directory +# This method wil copy but will NOT overwrite +# Destination will be created if its not available +copyFilesNoOverwrite(){ + local src=$1 + local dest=$2 + local enableVerboseCopy="${3:-${FLAG_Y}}" + + if [[ -z "${src}" || -z "${dest}" ]]; then + return + fi + + if [ -d "${src}" ] && [ "$(ls -A ${src})" ]; then + local relativeFilePath="" + local targetFilePath="" + + for file in $(find ${src} -type f 2>/dev/null) ; do + # Derive relative path and attach it to destination + # Example : + # src=/extra_config + # dest=/var/opt/jfrog/artifactory/etc + # file=/extra_config/config.xml + # relativeFilePath=config.xml + # targetFilePath=/var/opt/jfrog/artifactory/etc/config.xml + relativeFilePath=${file/${src}/} + targetFilePath=${dest}${relativeFilePath} + + createDir "$(dirname "$targetFilePath")" + copyFile "${file}" "${targetFilePath}" "no_overwrite" "${enableVerboseCopy}" + done + fi +} + +# TODO : WINDOWS ? +# Check the max open files and open processes set on the system +checkULimits () { + local minMaxOpenFiles=${1:-32000} + local minMaxOpenProcesses=${2:-1024} + local setValue=${3:-true} + local warningMsgForFiles=${4} + local warningMsgForProcesses=${5} + + logger "Checking open files and processes limits" + + local currentMaxOpenFiles=$(ulimit -n) + logger "Current max open files is $currentMaxOpenFiles" + if [ ${currentMaxOpenFiles} != "unlimited" ] && [ "$currentMaxOpenFiles" -lt "$minMaxOpenFiles" ]; then + if [ "${setValue}" ]; then + ulimit -n "${minMaxOpenFiles}" >/dev/null 2>&1 || warn "Max number of open files $currentMaxOpenFiles is low!" + [ -z "${warningMsgForFiles}" ] || warn "${warningMsgForFiles}" + else + errorExit "Max number of open files $currentMaxOpenFiles, is too low. Cannot run the application!" + fi + fi + + local currentMaxOpenProcesses=$(ulimit -u) + logger "Current max open processes is $currentMaxOpenProcesses" + if [ "$currentMaxOpenProcesses" != "unlimited" ] && [ "$currentMaxOpenProcesses" -lt "$minMaxOpenProcesses" ]; then + if [ "${setValue}" ]; then + ulimit -u "${minMaxOpenProcesses}" >/dev/null 2>&1 || warn "Max number of open files $currentMaxOpenFiles is low!" + [ -z "${warningMsgForProcesses}" ] || warn "${warningMsgForProcesses}" + else + errorExit "Max number of open files $currentMaxOpenProcesses, is too low. Cannot run the application!" + fi + fi +} + +createDirs() { + local appDataDir=$1 + local serviceName=$2 + local folders="backup bootstrap data etc logs work" + + [ -z "${appDataDir}" ] && errorExit "An application directory is mandatory to create its data structure" || true + [ -z "${serviceName}" ] && errorExit "A service name is mandatory to create service data structure" || true + + for folder in ${folders} + do + folder=${appDataDir}/${folder}/${serviceName} + if [ ! -d "${folder}" ]; then + logger "Creating folder : ${folder}" + mkdir -p "${folder}" || errorExit "Failed to create ${folder}" + fi + done +} + + +testReadWritePermissions () { + local dir_to_check=$1 + local error=false + + [ -d ${dir_to_check} ] || errorExit "'${dir_to_check}' is not a directory" + + local test_file=${dir_to_check}/test-permissions + + # Write file + if echo test > ${test_file} 1> /dev/null 2>&1; then + # Write succeeded. Testing read... + if cat ${test_file} > /dev/null; then + rm -f ${test_file} + else + error=true + fi + else + error=true + fi + + if [ ${error} == true ]; then + return 1 + else + return 0 + fi +} + +# Test directory has read/write permissions for current user +testDirectoryPermissions () { + local dir_to_check=$1 + local error=false + + [ -d ${dir_to_check} ] || errorExit "'${dir_to_check}' is not a directory" + + local u_id=$(id -u) + local id_str="id ${u_id}" + + logger "Testing directory ${dir_to_check} has read/write permissions for user ${id_str}" + + if ! testReadWritePermissions ${dir_to_check}; then + error=true + fi + + if [ "${error}" == true ]; then + local stat_data=$(stat -Lc "Directory: %n, permissions: %a, owner: %U, group: %G" ${dir_to_check}) + logger "###########################################################" + logger "${dir_to_check} DOES NOT have proper permissions for user ${id_str}" + logger "${stat_data}" + logger "Mounted directory must have read/write permissions for user ${id_str}" + logger "###########################################################" + errorExit "Directory ${dir_to_check} has bad permissions for user ${id_str}" + fi + logger "Permissions for ${dir_to_check} are good" +} + +# Utility method to create a directory path recursively with chown feature as +# Failure conditions: +## Exits if unable to create a directory +# Parameters: +## $1: Root directory from where the path can be created +## $2: List of recursive child directories separated by space +## $3: user who should own the directory. Optional +## $4: group who should own the directory. Optional +# Depends on global: none +# Updates global: none +# Returns: NA +# +# Usage: +# createRecursiveDir "/opt/jfrog/product/var" "bootstrap tomcat lib" "user_name" "group_name" +createRecursiveDir(){ + local rootDir=$1 + local pathDirs=$2 + local user=$3 + local group=${4:-${user}} + local fullPath= + + [ ! -z "${rootDir}" ] || return 0 + + createDir "${rootDir}" "${user}" "${group}" + + [ ! -z "${pathDirs}" ] || return 0 + + fullPath=${rootDir} + + for dir in ${pathDirs}; do + fullPath=${fullPath}/${dir} + createDir "${fullPath}" "${user}" "${group}" + done +} + +# Utility method to create a directory +# Failure conditions: +## Exits if unable to create a directory +# Parameters: +## $1: directory to create +## $2: user who should own the directory. Optional +## $3: group who should own the directory. Optional +# Depends on global: none +# Updates global: none +# Returns: NA + +createDir(){ + local dirName="$1" + local printMessage=no + logSilly "Method ${FUNCNAME[0]} invoked with [$dirName]" + [ -z "${dirName}" ] && return + + logDebug "Attempting to create ${dirName}" + mkdir -p "${dirName}" || errorExit "Unable to create directory: [${dirName}]" + local userID="$2" + local groupID=${3:-$userID} + + # If UID/GID is passed, chown the folder + if [ ! -z "$userID" ] && [ ! -z "$groupID" ]; then + # Earlier, this line would have returned 1 if it failed. Now it just warns. + # This is intentional. Earlier, this line would NOT be reached if the folder already existed. + # Since it will always come to this line and the script may be running as a non-root user, this method will just warn if + # setting permissions fails (so as to not affect any existing flows) + io_setOwnershipNonRecursive "$dirName" "$userID" "$groupID" || warn "Could not set owner of [$dirName] to [$userID:$groupID]" + fi + # logging message to print created dir with user and group + local logMessage=${4:-$printMessage} + if [[ "${logMessage}" == "yes" ]]; then + logger "Successfully created directory [${dirName}]. Owner: [${userID}:${groupID}]" + fi +} + +removeSoftLinkAndCreateDir () { + local dirName="$1" + local userID="$2" + local groupID="$3" + local logMessage="$4" + removeSoftLink "${dirName}" + createDir "${dirName}" "${userID}" "${groupID}" "${logMessage}" +} + +# Utility method to remove a soft link +removeSoftLink () { + local dirName="$1" + if [[ -L "${dirName}" ]]; then + targetLink=$(readlink -f "${dirName}") + logger "Removing the symlink [${dirName}] pointing to [${targetLink}]" + rm -f "${dirName}" + fi +} + +# Check Directory exist in the path +checkDirExists () { + local directoryPath="$1" + + [[ -d "${directoryPath}" ]] && echo -n "true" || echo -n "false" +} + + +# Utility method to create a file +# Failure conditions: +# Parameters: +## $1: file to create +# Depends on global: none +# Updates global: none +# Returns: NA + +createFile(){ + local fileName="$1" + logSilly "Method ${FUNCNAME[0]} [$fileName]" + [ -f "${fileName}" ] && return 0 + touch "${fileName}" || return 1 + + local userID="$2" + local groupID=${3:-$userID} + + # If UID/GID is passed, chown the folder + if [ ! -z "$userID" ] && [ ! -z "$groupID" ]; then + io_setOwnership "$fileName" "$userID" "$groupID" || return 1 + fi +} + +# Check File exist in the filePath +# IMPORTANT- DON'T ADD LOGGING to this method +checkFileExists () { + local filePath="$1" + + [[ -f "${filePath}" ]] && echo -n "true" || echo -n "false" +} + +# Check for directories contains any (files or sub directories) +# IMPORTANT- DON'T ADD LOGGING to this method +checkDirContents () { + local directoryPath="$1" + if [[ "$(ls -1 "${directoryPath}" | wc -l)" -gt 0 ]]; then + echo -n "true" + else + echo -n "false" + fi +} + +# Check contents exist in directory +# IMPORTANT- DON'T ADD LOGGING to this method +checkContentExists () { + local source="$1" + + if [[ "$(checkDirContents "${source}")" != "true" ]]; then + echo -n "false" + else + echo -n "true" + fi +} + +# Resolve the variable +# IMPORTANT- DON'T ADD LOGGING to this method +evalVariable () { + local output="$1" + local input="$2" + + eval "${output}"=\${"${input}"} + eval echo \${"${output}"} +} + +# Usage: if [ "$(io_commandExists 'curl')" == "yes" ] +# IMPORTANT- DON'T ADD LOGGING to this method +io_commandExists() { + local commandToExecute="$1" + hash "${commandToExecute}" 2>/dev/null + local rt=$? + if [ "$rt" == 0 ]; then echo -n "yes"; else echo -n "no"; fi +} + +# Usage: if [ "$(io_curlExists)" != "yes" ] +# IMPORTANT- DON'T ADD LOGGING to this method +io_curlExists() { + io_commandExists "curl" +} + + +io_hasMatch() { + logSilly "Method ${FUNCNAME[0]}" + local result=0 + logDebug "Executing [echo \"$1\" | grep \"$2\" >/dev/null 2>&1]" + echo "$1" | grep "$2" >/dev/null 2>&1 || result=1 + return $result +} + +# Utility method to check if the string passed (usually a connection url) corresponds to this machine itself +# Failure conditions: None +# Parameters: +## $1: string to check against +# Depends on global: none +# Updates global: IS_LOCALHOST with value "yes/no" +# Returns: NA + +io_getIsLocalhost() { + logSilly "Method ${FUNCNAME[0]}" + IS_LOCALHOST="$FLAG_N" + local inputString="$1" + logDebug "Parsing [$inputString] to check if we are dealing with this machine itself" + + io_hasMatch "$inputString" "localhost" && { + logDebug "Found localhost. Returning [$FLAG_Y]" + IS_LOCALHOST="$FLAG_Y" && return; + } || logDebug "Did not find match for localhost" + + local hostIP=$(io_getPublicHostIP) + io_hasMatch "$inputString" "$hostIP" && { + logDebug "Found $hostIP. Returning [$FLAG_Y]" + IS_LOCALHOST="$FLAG_Y" && return; + } || logDebug "Did not find match for $hostIP" + + local hostID=$(io_getPublicHostID) + io_hasMatch "$inputString" "$hostID" && { + logDebug "Found $hostID. Returning [$FLAG_Y]" + IS_LOCALHOST="$FLAG_Y" && return; + } || logDebug "Did not find match for $hostID" + + local hostName=$(io_getPublicHostName) + io_hasMatch "$inputString" "$hostName" && { + logDebug "Found $hostName. Returning [$FLAG_Y]" + IS_LOCALHOST="$FLAG_Y" && return; + } || logDebug "Did not find match for $hostName" + +} + +# Usage: if [ "$(io_tarExists)" != "yes" ] +# IMPORTANT- DON'T ADD LOGGING to this method +io_tarExists() { + io_commandExists "tar" +} + +# IMPORTANT- DON'T ADD LOGGING to this method +io_getPublicHostIP() { + local OS_TYPE=$(uname) + local publicHostIP= + if [ "${OS_TYPE}" == "Darwin" ]; then + ipStatus=$(ifconfig en0 | grep "status" | awk '{print$2}') + if [ "${ipStatus}" == "active" ]; then + publicHostIP=$(ifconfig en0 | grep inet | grep -v inet6 | awk '{print $2}') + else + errorExit "Host IP could not be resolved!" + fi + elif [ "${OS_TYPE}" == "Linux" ]; then + publicHostIP=$(hostname -i 2>/dev/null || echo "127.0.0.1") + fi + publicHostIP=$(echo "${publicHostIP}" | awk '{print $1}') + echo -n "${publicHostIP}" +} + +# Will return the short host name (up to the first dot) +# IMPORTANT- DON'T ADD LOGGING to this method +io_getPublicHostName() { + echo -n "$(hostname -s)" +} + +# Will return the full host name (use this as much as possible) +# IMPORTANT- DON'T ADD LOGGING to this method +io_getPublicHostID() { + echo -n "$(hostname)" +} + +# Utility method to backup a file +# Failure conditions: NA +# Parameters: filePath +# Depends on global: none, +# Updates global: none +# Returns: NA +io_backupFile() { + logSilly "Method ${FUNCNAME[0]}" + fileName="$1" + if [ ! -f "${filePath}" ]; then + logDebug "No file: [${filePath}] to backup" + return + fi + dateTime=$(date +"%Y-%m-%d-%H-%M-%S") + targetFileName="${fileName}.backup.${dateTime}" + yes | \cp -f "$fileName" "${targetFileName}" + logger "File [${fileName}] backedup as [${targetFileName}]" +} + +# Reference https://stackoverflow.com/questions/4023830/how-to-compare-two-strings-in-dot-separated-version-format-in-bash/4025065#4025065 +is_number() { + case "$BASH_VERSION" in + 3.1.*) + PATTERN='\^\[0-9\]+\$' + ;; + *) + PATTERN='^[0-9]+$' + ;; + esac + + [[ "$1" =~ $PATTERN ]] +} + +io_compareVersions() { + if [[ $# != 2 ]] + then + echo "Usage: min_version current minimum" + return + fi + + A="${1%%.*}" + B="${2%%.*}" + + if [[ "$A" != "$1" && "$B" != "$2" && "$A" == "$B" ]] + then + io_compareVersions "${1#*.}" "${2#*.}" + else + if is_number "$A" && is_number "$B" + then + if [[ "$A" -eq "$B" ]]; then + echo "0" + elif [[ "$A" -gt "$B" ]]; then + echo "1" + elif [[ "$A" -lt "$B" ]]; then + echo "-1" + fi + fi + fi +} + +# Reference https://stackoverflow.com/questions/369758/how-to-trim-whitespace-from-a-bash-variable +# Strip all leading and trailing spaces +# IMPORTANT- DON'T ADD LOGGING to this method +io_trim() { + local var="$1" + # remove leading whitespace characters + var="${var#"${var%%[![:space:]]*}"}" + # remove trailing whitespace characters + var="${var%"${var##*[![:space:]]}"}" + echo -n "$var" +} + +# temporary function will be removing it ASAP +# search for string and replace text in file +replaceText_migration_hook () { + local regexString="$1" + local replaceText="$2" + local file="$3" + + if [[ "$(checkFileExists "${file}")" != "true" ]]; then + return + fi + if [[ $(uname) == "Darwin" ]]; then + sed -i '' -e "s/${regexString}/${replaceText}/" "${file}" || warn "Failed to replace the text in ${file}" + else + sed -i -e "s/${regexString}/${replaceText}/" "${file}" || warn "Failed to replace the text in ${file}" + fi +} + +# search for string and replace text in file +replaceText () { + local regexString="$1" + local replaceText="$2" + local file="$3" + + if [[ "$(checkFileExists "${file}")" != "true" ]]; then + return + fi + if [[ $(uname) == "Darwin" ]]; then + sed -i '' -e "s#${regexString}#${replaceText}#" "${file}" || warn "Failed to replace the text in ${file}" + else + sed -i -e "s#${regexString}#${replaceText}#" "${file}" || warn "Failed to replace the text in ${file}" + logDebug "Replaced [$regexString] with [$replaceText] in [$file]" + fi +} + +# search for string and prepend text in file +prependText () { + local regexString="$1" + local text="$2" + local file="$3" + + if [[ "$(checkFileExists "${file}")" != "true" ]]; then + return + fi + if [[ $(uname) == "Darwin" ]]; then + sed -i '' -e '/'"${regexString}"'/i\'$'\n\\'"${text}"''$'\n' "${file}" || warn "Failed to prepend the text in ${file}" + else + sed -i -e '/'"${regexString}"'/i\'$'\n\\'"${text}"''$'\n' "${file}" || warn "Failed to prepend the text in ${file}" + fi +} + +# add text to beginning of the file +addText () { + local text="$1" + local file="$2" + + if [[ "$(checkFileExists "${file}")" != "true" ]]; then + return + fi + if [[ $(uname) == "Darwin" ]]; then + sed -i '' -e '1s/^/'"${text}"'\'$'\n/' "${file}" || warn "Failed to add the text in ${file}" + else + sed -i -e '1s/^/'"${text}"'\'$'\n/' "${file}" || warn "Failed to add the text in ${file}" + fi +} + +io_replaceString () { + local value="$1" + local firstString="$2" + local secondString="$3" + local separator=${4:-"/"} + local updateValue= + if [[ $(uname) == "Darwin" ]]; then + updateValue=$(echo "${value}" | sed "s${separator}${firstString}${separator}${secondString}${separator}") + else + updateValue=$(echo "${value}" | sed "s${separator}${firstString}${separator}${secondString}${separator}") + fi + echo -n "${updateValue}" +} + +_findYQ() { + # logSilly "Method ${FUNCNAME[0]}" (Intentionally not logging. Does not add value) + local parentDir="$1" + if [ -z "$parentDir" ]; then + return + fi + logDebug "Executing command [find "${parentDir}" -name third-party -type d]" + local yq=$(find "${parentDir}" -name third-party -type d) + if [ -d "${yq}/yq" ]; then + export YQ_PATH="${yq}/yq" + fi +} + + +io_setYQPath() { + # logSilly "Method ${FUNCNAME[0]}" (Intentionally not logging. Does not add value) + if [ "$(io_commandExists 'yq')" == "yes" ]; then + return + fi + + if [ ! -z "${JF_PRODUCT_HOME}" ] && [ -d "${JF_PRODUCT_HOME}" ]; then + _findYQ "${JF_PRODUCT_HOME}" + fi + + if [ -z "${YQ_PATH}" ] && [ ! -z "${COMPOSE_HOME}" ] && [ -d "${COMPOSE_HOME}" ]; then + _findYQ "${COMPOSE_HOME}" + fi + # TODO We can remove this block after all the code is restructured. + if [ -z "${YQ_PATH}" ] && [ ! -z "${SCRIPT_HOME}" ] && [ -d "${SCRIPT_HOME}" ]; then + _findYQ "${SCRIPT_HOME}" + fi + +} + +io_getLinuxDistribution() { + LINUX_DISTRIBUTION= + + # Make sure running on Linux + [ $(uname -s) != "Linux" ] && return + + # Find out what Linux distribution we are on + + cat /etc/*-release | grep -i Red >/dev/null 2>&1 && LINUX_DISTRIBUTION=RedHat || true + + # OS 6.x + cat /etc/issue.net | grep Red >/dev/null 2>&1 && LINUX_DISTRIBUTION=RedHat || true + + # OS 7.x + cat /etc/*-release | grep -i centos >/dev/null 2>&1 && LINUX_DISTRIBUTION=CentOS && LINUX_DISTRIBUTION_VER="7" || true + + # OS 8.x + grep -q -i "release 8" /etc/redhat-release >/dev/null 2>&1 && LINUX_DISTRIBUTION_VER="8" || true + + # OS 7.x + grep -q -i "release 7" /etc/redhat-release >/dev/null 2>&1 && LINUX_DISTRIBUTION_VER="7" || true + + # OS 6.x + grep -q -i "release 6" /etc/redhat-release >/dev/null 2>&1 && LINUX_DISTRIBUTION_VER="6" || true + + cat /etc/*-release | grep -i Red | grep -i 'VERSION=7' >/dev/null 2>&1 && LINUX_DISTRIBUTION=RedHat && LINUX_DISTRIBUTION_VER="7" || true + + cat /etc/*-release | grep -i debian >/dev/null 2>&1 && LINUX_DISTRIBUTION=Debian || true + + cat /etc/*-release | grep -i ubuntu >/dev/null 2>&1 && LINUX_DISTRIBUTION=Ubuntu || true +} + +## Utility method to check ownership of folders/files +## Failure conditions: + ## If invoked with incorrect inputs - FATAL + ## If file is not owned by the user & group +## Parameters: + ## user + ## group + ## folder to chown +## Globals: none +## Returns: none +## NOTE: The method does NOTHING if the OS is Mac +io_checkOwner () { + logSilly "Method ${FUNCNAME[0]}" + local osType=$(uname) + + if [ "${osType}" != "Linux" ]; then + logDebug "Unsupported OS. Skipping check" + return 0 + fi + + local file_to_check=$1 + local user_id_to_check=$2 + + + if [ -z "$user_id_to_check" ] || [ -z "$file_to_check" ]; then + errorExit "Invalid invocation of method. Missing mandatory inputs" + fi + + local group_id_to_check=${3:-$user_id_to_check} + local check_user_name=${4:-"no"} + + logDebug "Checking permissions on [$file_to_check] for user [$user_id_to_check] & group [$group_id_to_check]" + + local stat= + + if [ "${check_user_name}" == "yes" ]; then + stat=( $(stat -Lc "%U %G" ${file_to_check}) ) + else + stat=( $(stat -Lc "%u %g" ${file_to_check}) ) + fi + + local user_id=${stat[0]} + local group_id=${stat[1]} + + if [[ "${user_id}" != "${user_id_to_check}" ]] || [[ "${group_id}" != "${group_id_to_check}" ]] ; then + logDebug "Ownership mismatch. [${file_to_check}] is not owned by [${user_id_to_check}:${group_id_to_check}]" + return 1 + else + return 0 + fi +} + +## Utility method to change ownership of a file/folder - NON recursive +## Failure conditions: + ## If invoked with incorrect inputs - FATAL + ## If chown operation fails - returns 1 +## Parameters: + ## user + ## group + ## file to chown +## Globals: none +## Returns: none +## NOTE: The method does NOTHING if the OS is Mac + +io_setOwnershipNonRecursive() { + + local osType=$(uname) + if [ "${osType}" != "Linux" ]; then + return + fi + + local targetFile=$1 + local user=$2 + + if [ -z "$user" ] || [ -z "$targetFile" ]; then + errorExit "Invalid invocation of method. Missing mandatory inputs" + fi + + local group=${3:-$user} + logDebug "Method ${FUNCNAME[0]}. Executing [chown ${user}:${group} ${targetFile}]" + chown ${user}:${group} ${targetFile} || return 1 +} + +## Utility method to change ownership of a file. +## IMPORTANT +## If being called on a folder, should ONLY be called for fresh folders or may cause performance issues +## Failure conditions: + ## If invoked with incorrect inputs - FATAL + ## If chown operation fails - returns 1 +## Parameters: + ## user + ## group + ## file to chown +## Globals: none +## Returns: none +## NOTE: The method does NOTHING if the OS is Mac + +io_setOwnership() { + + local osType=$(uname) + if [ "${osType}" != "Linux" ]; then + return + fi + + local targetFile=$1 + local user=$2 + + if [ -z "$user" ] || [ -z "$targetFile" ]; then + errorExit "Invalid invocation of method. Missing mandatory inputs" + fi + + local group=${3:-$user} + logDebug "Method ${FUNCNAME[0]}. Executing [chown -R ${user}:${group} ${targetFile}]" + chown -R ${user}:${group} ${targetFile} || return 1 +} + +## Utility method to create third party folder structure necessary for Postgres +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## POSTGRESQL_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createPostgresDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${POSTGRESQL_DATA_ROOT}" ] && return 0 + + logDebug "Property [${POSTGRESQL_DATA_ROOT}] exists. Proceeding" + + createDir "${POSTGRESQL_DATA_ROOT}/data" + io_setOwnership "${POSTGRESQL_DATA_ROOT}" "${POSTGRES_USER}" "${POSTGRES_USER}" || errorExit "Setting ownership of [${POSTGRESQL_DATA_ROOT}] to [${POSTGRES_USER}:${POSTGRES_USER}] failed" +} + +## Utility method to create third party folder structure necessary for Nginx +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## NGINX_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createNginxDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${NGINX_DATA_ROOT}" ] && return 0 + + logDebug "Property [${NGINX_DATA_ROOT}] exists. Proceeding" + + createDir "${NGINX_DATA_ROOT}" + io_setOwnership "${NGINX_DATA_ROOT}" "${NGINX_USER}" "${NGINX_GROUP}" || errorExit "Setting ownership of [${NGINX_DATA_ROOT}] to [${NGINX_USER}:${NGINX_GROUP}] failed" +} + +## Utility method to create third party folder structure necessary for ElasticSearch +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## ELASTIC_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createElasticSearchDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${ELASTIC_DATA_ROOT}" ] && return 0 + + logDebug "Property [${ELASTIC_DATA_ROOT}] exists. Proceeding" + + createDir "${ELASTIC_DATA_ROOT}/data" + io_setOwnership "${ELASTIC_DATA_ROOT}" "${ES_USER}" "${ES_USER}" || errorExit "Setting ownership of [${ELASTIC_DATA_ROOT}] to [${ES_USER}:${ES_USER}] failed" +} + +## Utility method to create third party folder structure necessary for Redis +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## REDIS_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createRedisDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${REDIS_DATA_ROOT}" ] && return 0 + + logDebug "Property [${REDIS_DATA_ROOT}] exists. Proceeding" + + createDir "${REDIS_DATA_ROOT}" + io_setOwnership "${REDIS_DATA_ROOT}" "${REDIS_USER}" "${REDIS_USER}" || errorExit "Setting ownership of [${REDIS_DATA_ROOT}] to [${REDIS_USER}:${REDIS_USER}] failed" +} + +## Utility method to create third party folder structure necessary for Mongo +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## MONGODB_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createMongoDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${MONGODB_DATA_ROOT}" ] && return 0 + + logDebug "Property [${MONGODB_DATA_ROOT}] exists. Proceeding" + + createDir "${MONGODB_DATA_ROOT}/logs" + createDir "${MONGODB_DATA_ROOT}/configdb" + createDir "${MONGODB_DATA_ROOT}/db" + io_setOwnership "${MONGODB_DATA_ROOT}" "${MONGO_USER}" "${MONGO_USER}" || errorExit "Setting ownership of [${MONGODB_DATA_ROOT}] to [${MONGO_USER}:${MONGO_USER}] failed" +} + +## Utility method to create third party folder structure necessary for RabbitMQ +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## RABBITMQ_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createRabbitMQDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${RABBITMQ_DATA_ROOT}" ] && return 0 + + logDebug "Property [${RABBITMQ_DATA_ROOT}] exists. Proceeding" + + createDir "${RABBITMQ_DATA_ROOT}" + io_setOwnership "${RABBITMQ_DATA_ROOT}" "${RABBITMQ_USER}" "${RABBITMQ_USER}" || errorExit "Setting ownership of [${RABBITMQ_DATA_ROOT}] to [${RABBITMQ_USER}:${RABBITMQ_USER}] failed" +} + +# Add or replace a property in provided properties file +addOrReplaceProperty() { + local propertyName=$1 + local propertyValue=$2 + local propertiesPath=$3 + local delimiter=${4:-"="} + + # Return if any of the inputs are empty + [[ -z "$propertyName" || "$propertyName" == "" ]] && return + [[ -z "$propertyValue" || "$propertyValue" == "" ]] && return + [[ -z "$propertiesPath" || "$propertiesPath" == "" ]] && return + + grep "^${propertyName}\s*${delimiter}.*$" ${propertiesPath} > /dev/null 2>&1 + [ $? -ne 0 ] && echo -e "\n${propertyName}${delimiter}${propertyValue}" >> ${propertiesPath} + sed -i -e "s|^${propertyName}\s*${delimiter}.*$|${propertyName}${delimiter}${propertyValue}|g;" ${propertiesPath} +} + +# Set property only if its not set +io_setPropertyNoOverride(){ + local propertyName=$1 + local propertyValue=$2 + local propertiesPath=$3 + + # Return if any of the inputs are empty + [[ -z "$propertyName" || "$propertyName" == "" ]] && return + [[ -z "$propertyValue" || "$propertyValue" == "" ]] && return + [[ -z "$propertiesPath" || "$propertiesPath" == "" ]] && return + + grep "^${propertyName}:" ${propertiesPath} > /dev/null 2>&1 + if [ $? -ne 0 ]; then + echo -e "${propertyName}: ${propertyValue}" >> ${propertiesPath} || warn "Setting property ${propertyName}: ${propertyValue} in [ ${propertiesPath} ] failed" + else + logger "Skipping update of property : ${propertyName}" >&6 + fi +} + +# Add a line to a file if it doesn't already exist +addLine() { + local line_to_add=$1 + local target_file=$2 + logger "Trying to add line $1 to $2" >&6 2>&1 + cat "$target_file" | grep -F "$line_to_add" -wq >&6 2>&1 + if [ $? != 0 ]; then + logger "Line does not exist and will be added" >&6 2>&1 + echo $line_to_add >> $target_file || errorExit "Could not update $target_file" + fi +} + +# Utility method to check if a value (first parameter) exists in an array (2nd parameter) +# 1st parameter "value to find" +# 2nd parameter "The array to search in. Please pass a string with each value separated by space" +# Example: containsElement "y" "y Y n N" +containsElement () { + local searchElement=$1 + local searchArray=($2) + local found=1 + for elementInIndex in "${searchArray[@]}";do + if [[ $elementInIndex == $searchElement ]]; then + found=0 + fi + done + return $found +} + +# Utility method to get user's choice +# 1st parameter "what to ask the user" +# 2nd parameter "what choices to accept, separated by spaces" +# 3rd parameter "what is the default choice (to use if the user simply presses Enter)" +# Example 'getUserChoice "Are you feeling lucky? Punk!" "y n Y N" "y"' +getUserChoice(){ + configureLogOutput + read_timeout=${read_timeout:-0.5} + local choice="na" + local text_to_display=$1 + local choices=$2 + local default_choice=$3 + users_choice= + + until containsElement "$choice" "$choices"; do + echo "";echo ""; + sleep $read_timeout #This ensures correct placement of the question. + read -p "$text_to_display :" choice + : ${choice:=$default_choice} + done + users_choice=$choice + echo -e "\n$text_to_display: $users_choice" >&6 + sleep $read_timeout #This ensures correct logging +} + +setFilePermission () { + local permission=$1 + local file=$2 + chmod "${permission}" "${file}" || warn "Setting permission ${permission} to file [ ${file} ] failed" +} + + +#setting required paths +setAppDir (){ + SCRIPT_DIR=$(dirname $0) + SCRIPT_HOME="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + APP_DIR="`cd "${SCRIPT_HOME}";pwd`" +} + +ZIP_TYPE="zip" +COMPOSE_TYPE="compose" +HELM_TYPE="helm" +RPM_TYPE="rpm" +DEB_TYPE="debian" + +sourceScript () { + local file="$1" + + [ ! -z "${file}" ] || errorExit "target file is not passed to source a file" + + if [ ! -f "${file}" ]; then + errorExit "${file} file is not found" + else + source "${file}" || errorExit "Unable to source ${file}, please check if the user ${USER} has permissions to perform this action" + fi +} +# Source required helpers +initHelpers () { + local systemYamlHelper="${APP_DIR}/systemYamlHelper.sh" + local thirdPartyDir=$(find ${APP_DIR}/.. -name third-party -type d) + export YQ_PATH="${thirdPartyDir}/yq" + LIBXML2_PATH="${thirdPartyDir}/libxml2/bin/xmllint" + export LD_LIBRARY_PATH="${thirdPartyDir}/libxml2/lib" + sourceScript "${systemYamlHelper}" +} +# Check migration info yaml file available in the path +checkMigrationInfoYaml () { + + if [[ -f "${APP_DIR}/migrationHelmInfo.yaml" ]]; then + MIGRATION_SYSTEM_YAML_INFO="${APP_DIR}/migrationHelmInfo.yaml" + INSTALLER="${HELM_TYPE}" + elif [[ -f "${APP_DIR}/migrationZipInfo.yaml" ]]; then + MIGRATION_SYSTEM_YAML_INFO="${APP_DIR}/migrationZipInfo.yaml" + INSTALLER="${ZIP_TYPE}" + elif [[ -f "${APP_DIR}/migrationRpmInfo.yaml" ]]; then + MIGRATION_SYSTEM_YAML_INFO="${APP_DIR}/migrationRpmInfo.yaml" + INSTALLER="${RPM_TYPE}" + elif [[ -f "${APP_DIR}/migrationDebInfo.yaml" ]]; then + MIGRATION_SYSTEM_YAML_INFO="${APP_DIR}/migrationDebInfo.yaml" + INSTALLER="${DEB_TYPE}" + elif [[ -f "${APP_DIR}/migrationComposeInfo.yaml" ]]; then + MIGRATION_SYSTEM_YAML_INFO="${APP_DIR}/migrationComposeInfo.yaml" + INSTALLER="${COMPOSE_TYPE}" + else + errorExit "File migration Info yaml does not exist in [${APP_DIR}]" + fi +} + +retrieveYamlValue () { + local yamlPath="$1" + local value="$2" + local output="$3" + local message="$4" + + [[ -z "${yamlPath}" ]] && errorExit "yamlPath is mandatory to get value from ${MIGRATION_SYSTEM_YAML_INFO}" + + getYamlValue "${yamlPath}" "${MIGRATION_SYSTEM_YAML_INFO}" "false" + value="${YAML_VALUE}" + if [[ -z "${value}" ]]; then + if [[ "${output}" == "Warning" ]]; then + warn "Empty value for ${yamlPath} in [${MIGRATION_SYSTEM_YAML_INFO}]" + elif [[ "${output}" == "Skip" ]]; then + return + else + errorExit "${message}" + fi + fi +} + +checkEnv () { + + if [[ "${INSTALLER}" == "${ZIP_TYPE}" ]]; then + # check Environment JF_PRODUCT_HOME is set before migration + NEW_DATA_DIR="$(evalVariable "NEW_DATA_DIR" "JF_PRODUCT_HOME")" + if [[ -z "${NEW_DATA_DIR}" ]]; then + errorExit "Environment variable JF_PRODUCT_HOME is not set, this is required to perform Migration" + fi + # appending var directory to $JF_PRODUCT_HOME + NEW_DATA_DIR="${NEW_DATA_DIR}/var" + elif [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + getCustomDataDir_hook + NEW_DATA_DIR="${OLD_DATA_DIR}" + if [[ -z "${NEW_DATA_DIR}" ]] && [[ -z "${OLD_DATA_DIR}" ]]; then + errorExit "Could not find ${PROMPT_DATA_DIR_LOCATION} to perform Migration" + fi + else + # check Environment JF_ROOT_DATA_DIR is set before migration + OLD_DATA_DIR="$(evalVariable "OLD_DATA_DIR" "JF_ROOT_DATA_DIR")" + # check Environment JF_ROOT_DATA_DIR is set before migration + NEW_DATA_DIR="$(evalVariable "NEW_DATA_DIR" "JF_ROOT_DATA_DIR")" + if [[ -z "${NEW_DATA_DIR}" ]] && [[ -z "${OLD_DATA_DIR}" ]]; then + errorExit "Could not find ${PROMPT_DATA_DIR_LOCATION} to perform Migration" + fi + # appending var directory to $JF_PRODUCT_HOME + NEW_DATA_DIR="${NEW_DATA_DIR}/var" + fi + +} + +getDataDir () { + + if [[ "${INSTALLER}" == "${ZIP_TYPE}" || "${INSTALLER}" == "${COMPOSE_TYPE}"|| "${INSTALLER}" == "${HELM_TYPE}" ]]; then + checkEnv + else + getCustomDataDir_hook + NEW_DATA_DIR="`cd "${APP_DIR}"/../../;pwd`" + NEW_DATA_DIR="${NEW_DATA_DIR}/var" + fi +} + +# Retrieve Product name from MIGRATION_SYSTEM_YAML_INFO +getProduct () { + retrieveYamlValue "migration.product" "${YAML_VALUE}" "Fail" "Empty value under ${yamlPath} in [${MIGRATION_SYSTEM_YAML_INFO}]" + PRODUCT="${YAML_VALUE}" + PRODUCT=$(echo "${PRODUCT}" | tr '[:upper:]' '[:lower:]' 2>/dev/null) + if [[ "${PRODUCT}" != "artifactory" && "${PRODUCT}" != "distribution" && "${PRODUCT}" != "xray" ]]; then + errorExit "migration.product in [${MIGRATION_SYSTEM_YAML_INFO}] is not correct, please set based on product as ARTIFACTORY or DISTRIBUTION" + fi + if [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + JF_USER="${PRODUCT}" + fi +} +# Compare product version with minProductVersion and maxProductVersion +migrateCheckVersion () { + local productVersion="$1" + local minProductVersion="$2" + local maxProductVersion="$3" + local productVersion618="6.18.0" + local unSupportedProductVersions7=("7.2.0 7.2.1") + + if [[ "$(io_compareVersions "${productVersion}" "${maxProductVersion}")" -eq 0 || "$(io_compareVersions "${productVersion}" "${maxProductVersion}")" -eq 1 ]]; then + logger "Migration not necessary. ${PRODUCT} is already ${productVersion}" + exit 11 + elif [[ "$(io_compareVersions "${productVersion}" "${minProductVersion}")" -eq 0 || "$(io_compareVersions "${productVersion}" "${minProductVersion}")" -eq 1 ]]; then + if [[ ("$(io_compareVersions "${productVersion}" "${productVersion618}")" -eq 0 || "$(io_compareVersions "${productVersion}" "${productVersion618}")" -eq 1) && " ${unSupportedProductVersions7[@]} " =~ " ${CURRENT_VERSION} " ]]; then + touch /tmp/error; + errorExit "Current ${PRODUCT} version (${productVersion}) does not support migration to ${CURRENT_VERSION}" + else + bannerStart "Detected ${PRODUCT} ${productVersion}, initiating migration" + fi + else + logger "Current ${PRODUCT} ${productVersion} version is not supported for migration" + exit 1 + fi +} + +getProductVersion () { + local minProductVersion="$1" + local maxProductVersion="$2" + local newfilePath="$3" + local oldfilePath="$4" + local propertyInDocker="$5" + local property="$6" + local productVersion= + local status= + + if [[ "$INSTALLER" == "${COMPOSE_TYPE}" ]]; then + if [[ -f "${oldfilePath}" ]]; then + if [[ "${PRODUCT}" == "artifactory" ]]; then + productVersion="$(readKey "${property}" "${oldfilePath}")" + else + productVersion="$(cat "${oldfilePath}")" + fi + status="success" + elif [[ -f "${newfilePath}" ]]; then + productVersion="$(readKey "${propertyInDocker}" "${newfilePath}")" + status="fail" + else + logger "File [${oldfilePath}] or [${newfilePath}] not found to get current version." + exit 0 + fi + elif [[ "$INSTALLER" == "${HELM_TYPE}" ]]; then + if [[ -f "${oldfilePath}" ]]; then + if [[ "${PRODUCT}" == "artifactory" ]]; then + productVersion="$(readKey "${property}" "${oldfilePath}")" + else + productVersion="$(cat "${oldfilePath}")" + fi + status="success" + else + productVersion="${CURRENT_VERSION}" + [[ -z "${productVersion}" || "${productVersion}" == "" ]] && logger "${PRODUCT} CURRENT_VERSION is not set" && exit 0 + fi + else + if [[ -f "${newfilePath}" ]]; then + productVersion="$(readKey "${property}" "${newfilePath}")" + status="fail" + elif [[ -f "${oldfilePath}" ]]; then + productVersion="$(readKey "${property}" "${oldfilePath}")" + status="success" + else + if [[ "${INSTALLER}" == "${ZIP_TYPE}" ]]; then + logger "File [${newfilePath}] not found to get current version." + else + logger "File [${oldfilePath}] or [${newfilePath}] not found to get current version." + fi + exit 0 + fi + fi + if [[ -z "${productVersion}" || "${productVersion}" == "" ]]; then + [[ "${status}" == "success" ]] && logger "No version found in file [${oldfilePath}]." + [[ "${status}" == "fail" ]] && logger "No version found in file [${newfilePath}]." + exit 0 + fi + + migrateCheckVersion "${productVersion}" "${minProductVersion}" "${maxProductVersion}" +} + +readKey () { + local property="$1" + local file="$2" + local version= + + while IFS='=' read -r key value || [ -n "${key}" ]; + do + [[ ! "${key}" =~ \#.* && ! -z "${key}" && ! -z "${value}" ]] + key="$(io_trim "${key}")" + if [[ "${key}" == "${property}" ]]; then + version="${value}" && check=true && break + else + check=false + fi + done < "${file}" + if [[ "${check}" == "false" ]]; then + return + fi + echo "${version}" +} + +# create Log directory +createLogDir () { + if [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then + getUserAndGroupFromFile + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/log" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" + fi +} + +# Creating migration log file +creationMigrateLog () { + local LOG_FILE_NAME="migration.log" + createLogDir + local MIGRATION_LOG_FILE="${NEW_DATA_DIR}/log/${LOG_FILE_NAME}" + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + MIGRATION_LOG_FILE="${SCRIPT_HOME}/${LOG_FILE_NAME}" + fi + touch "${MIGRATION_LOG_FILE}" + setFilePermission "${LOG_FILE_PERMISSION}" "${MIGRATION_LOG_FILE}" + exec &> >(tee -a "${MIGRATION_LOG_FILE}") +} +# Set path where system.yaml should create +setSystemYamlPath () { + SYSTEM_YAML_PATH="${NEW_DATA_DIR}/etc/system.yaml" + if [[ "${INSTALLER}" != "${HELM_TYPE}" ]]; then + logger "system.yaml will be created in path [${SYSTEM_YAML_PATH}]" + fi +} +# Create directory +createDirectory () { + local directory="$1" + local output="$2" + local check=false + local message="Could not create directory ${directory}, please check if the user ${USER} has permissions to perform this action" + removeSoftLink "${directory}" + mkdir -p "${directory}" && check=true || check=false + if [[ "${check}" == "false" ]]; then + if [[ "${output}" == "Warning" ]]; then + warn "${message}" + else + errorExit "${message}" + fi + fi + setOwnershipBasedOnInstaller "${directory}" +} + +setOwnershipBasedOnInstaller () { + local directory="$1" + if [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then + getUserAndGroupFromFile + chown -R ${USER_TO_CHECK}:${GROUP_TO_CHECK} "${directory}" || warn "Setting ownership on $directory failed" + elif [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + io_setOwnership "${directory}" "${JF_USER}" "${JF_USER}" + fi +} + +getUserAndGroup () { + local file="$1" + read uid gid <<<$(stat -c '%U %G' ${file}) + USER_TO_CHECK="${uid}" + GROUP_TO_CHECK="${gid}" +} + +# set ownership +getUserAndGroupFromFile () { + case $PRODUCT in + artifactory) + getUserAndGroup "/etc/opt/jfrog/artifactory/artifactory.properties" + ;; + distribution) + getUserAndGroup "${OLD_DATA_DIR}/etc/versions.properties" + ;; + xray) + getUserAndGroup "${OLD_DATA_DIR}/security/master.key" + ;; + esac +} + +# creating required directories +createRequiredDirs () { + bannerSubSection "CREATING REQUIRED DIRECTORIES" + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/etc/security" "${JF_USER}" "${JF_USER}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/data" "${JF_USER}" "${JF_USER}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/log/archived" "${JF_USER}" "${JF_USER}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/work" "${JF_USER}" "${JF_USER}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/backup" "${JF_USER}" "${JF_USER}" "yes" + io_setOwnership "${NEW_DATA_DIR}" "${JF_USER}" "${JF_USER}" + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" ]]; then + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/data/postgres" "${POSTGRES_USER}" "${POSTGRES_USER}" "yes" + fi + elif [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then + getUserAndGroupFromFile + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/etc" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/etc/security" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/data" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/log/archived" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/work" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/backup" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + fi +} + +# Check entry in map is format +checkMapEntry () { + local entry="$1" + + [[ "${entry}" != *"="* ]] && echo -n "false" || echo -n "true" +} +# Check value Empty and warn +warnIfEmpty () { + local filePath="$1" + local yamlPath="$2" + local check= + + if [[ -z "${filePath}" ]]; then + warn "Empty value in yamlpath [${yamlPath} in [${MIGRATION_SYSTEM_YAML_INFO}]" + check=false + else + check=true + fi + echo "${check}" +} + +logCopyStatus () { + local status="$1" + local logMessage="$2" + local warnMessage="$3" + + [[ "${status}" == "success" ]] && logger "${logMessage}" + [[ "${status}" == "fail" ]] && warn "${warnMessage}" +} +# copy contents from source to destination +copyCmd () { + local source="$1" + local target="$2" + local mode="$3" + local status= + + case $mode in + unique) + cp -up "${source}"/* "${target}"/ && status="success" || status="fail" + logCopyStatus "${status}" "Successfully copied directory contents from [${source}] to [${target}]" "Failed to copy directory contents from [${source}] to [${target}]" + ;; + specific) + cp -pf "${source}" "${target}"/ && status="success" || status="fail" + logCopyStatus "${status}" "Successfully copied file [${source}] to [${target}]" "Failed to copy file [${source}] to [${target}]" + ;; + patternFiles) + cp -pf "${source}"* "${target}"/ && status="success" || status="fail" + logCopyStatus "${status}" "Successfully copied files matching [${source}*] to [${target}]" "Failed to copy files matching [${source}*] to [${target}]" + ;; + full) + cp -prf "${source}"/* "${target}"/ && status="success" || status="fail" + logCopyStatus "${status}" "Successfully copied directory contents from [${source}] to [${target}]" "Failed to copy directory contents from [${source}] to [${target}]" + ;; + esac +} +# Check contents exist in source before copying +copyOnContentExist () { + local source="$1" + local target="$2" + local mode="$3" + + if [[ "$(checkContentExists "${source}")" == "true" ]]; then + copyCmd "${source}" "${target}" "${mode}" + else + logger "No contents to copy from [${source}]" + fi +} + +# move source to destination +moveCmd () { + local source="$1" + local target="$2" + local status= + + mv -f "${source}" "${target}" && status="success" || status="fail" + [[ "${status}" == "success" ]] && logger "Successfully moved directory [${source}] to [${target}]" + [[ "${status}" == "fail" ]] && warn "Failed to move directory [${source}] to [${target}]" +} + +# symlink target to source +symlinkCmd () { + local source="$1" + local target="$2" + local symlinkSubDir="$3" + local check=false + + if [[ "${symlinkSubDir}" == "subDir" ]]; then + ln -sf "${source}"/* "${target}" && check=true || check=false + else + ln -sf "${source}" "${target}" && check=true || check=false + fi + + [[ "${check}" == "true" ]] && logger "Successfully symlinked directory [${target}] to old [${source}]" + [[ "${check}" == "false" ]] && warn "Symlink operation failed" +} +# Check contents exist in source before symlinking +symlinkOnExist () { + local source="$1" + local target="$2" + local symlinkSubDir="$3" + + if [[ "$(checkContentExists "${source}")" == "true" ]]; then + if [[ "${symlinkSubDir}" == "subDir" ]]; then + symlinkCmd "${source}" "${target}" "subDir" + else + symlinkCmd "${source}" "${target}" + fi + else + logger "No contents to symlink from [${source}]" + fi +} + +prependDir () { + local absolutePath="$1" + local fullPath="$2" + local sourcePath= + + if [[ "${absolutePath}" = \/* ]]; then + sourcePath="${absolutePath}" + else + sourcePath="${fullPath}" + fi + echo "${sourcePath}" +} + +getFirstEntry (){ + local entry="$1" + + [[ -z "${entry}" ]] && return + echo "${entry}" | awk -F"=" '{print $1}' +} + +getSecondEntry () { + local entry="$1" + + [[ -z "${entry}" ]] && return + echo "${entry}" | awk -F"=" '{print $2}' +} +# To get absolutePath +pathResolver () { + local directoryPath="$1" + local dataDir= + + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + retrieveYamlValue "migration.oldDataDir" "oldDataDir" "Warning" + dataDir="${YAML_VALUE}" + cd "${dataDir}" + else + cd "${OLD_DATA_DIR}" + fi + absoluteDir="`cd "${directoryPath}";pwd`" + echo "${absoluteDir}" +} + +checkPathResolver () { + local value="$1" + + if [[ "${value}" == \/* ]]; then + value="${value}" + else + value="$(pathResolver "${value}")" + fi + echo "${value}" +} + +propertyMigrate () { + local entry="$1" + local filePath="$2" + local fileName="$3" + local check=false + + local yamlPath="$(getFirstEntry "${entry}")" + local property="$(getSecondEntry "${entry}")" + if [[ -z "${property}" ]]; then + warn "Property is empty in map [${entry}] in the file [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + if [[ -z "${yamlPath}" ]]; then + warn "yamlPath is empty for [${property}] in [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + local keyValues=$(cat "${NEW_DATA_DIR}/${filePath}/${fileName}" | grep "^[^#]" | grep "[*=*]") + for i in ${keyValues}; do + key=$(echo "${i}" | awk -F"=" '{print $1}') + value=$(echo "${i}" | cut -f 2- -d '=') + [ -z "${key}" ] && continue + [ -z "${value}" ] && continue + if [[ "${key}" == "${property}" ]]; then + if [[ "${PRODUCT}" == "artifactory" ]]; then + value="$(migrateResolveDerbyPath "${key}" "${value}")" + value="$(migrateResolveHaDirPath "${key}" "${value}")" + if [[ "${INSTALLER}" != "${DOCKER_TYPE}" ]]; then + value="$(updatePostgresUrlString_Hook "${yamlPath}" "${value}")" + fi + fi + if [[ "${key}" == "context.url" ]]; then + local ip=$(echo "${value}" | awk -F/ '{print $3}' | sed 's/:.*//') + setSystemValue "shared.node.ip" "${ip}" "${SYSTEM_YAML_PATH}" + logger "Setting [shared.node.ip] with [${ip}] in system.yaml" + fi + setSystemValue "${yamlPath}" "${value}" "${SYSTEM_YAML_PATH}" && logger "Setting [${yamlPath}] with value of the property [${property}] in system.yaml" && check=true && break || check=false + fi + done + [[ "${check}" == "false" ]] && logger "Property [${property}] not found in file [${fileName}]" +} + +setHaEnabled_hook () { + echo "" +} + +migratePropertiesFiles () { + local fileList= + local filePath= + local fileName= + local map= + + retrieveYamlValue "migration.propertyFiles.files" "fileList" "Skip" + fileList="${YAML_VALUE}" + if [[ -z "${fileList}" ]]; then + return + fi + bannerSection "PROCESSING MIGRATION OF PROPERTY FILES" + for file in ${fileList}; + do + bannerSubSection "Processing Migration of $file" + retrieveYamlValue "migration.propertyFiles.$file.filePath" "filePath" "Warning" + filePath="${YAML_VALUE}" + retrieveYamlValue "migration.propertyFiles.$file.fileName" "fileName" "Warning" + fileName="${YAML_VALUE}" + [[ -z "${filePath}" && -z "${fileName}" ]] && continue + if [[ "$(checkFileExists "${NEW_DATA_DIR}/${filePath}/${fileName}")" == "true" ]]; then + logger "File [${fileName}] found in path [${NEW_DATA_DIR}/${filePath}]" + # setting haEnabled with true only if ha-node.properties is present + setHaEnabled_hook "${filePath}" + retrieveYamlValue "migration.propertyFiles.$file.map" "map" "Warning" + map="${YAML_VALUE}" + [[ -z "${map}" ]] && continue + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + propertyMigrate "${entry}" "${filePath}" "${fileName}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e yamlPath=property" + fi + done + else + logger "File [${fileName}] was not found in path [${NEW_DATA_DIR}/${filePath}] to migrate" + fi + done +} + +createTargetDir () { + local mountDir="$1" + local target="$2" + + logger "Target directory not found [${mountDir}/${target}], creating it" + createDirectoryRecursive "${mountDir}" "${target}" "Warning" +} + +createDirectoryRecursive () { + local mountDir="$1" + local target="$2" + local output="$3" + local check=false + local message="Could not create directory ${directory}, please check if the user ${USER} has permissions to perform this action" + removeSoftLink "${mountDir}/${target}" + local directory=$(echo "${target}" | tr '/' ' ' ) + local targetDir="${mountDir}" + for dir in ${directory}; + do + targetDir="${targetDir}/${dir}" + mkdir -p "${targetDir}" && check=true || check=false + setOwnershipBasedOnInstaller "${targetDir}" + done + if [[ "${check}" == "false" ]]; then + if [[ "${output}" == "Warning" ]]; then + warn "${message}" + else + errorExit "${message}" + fi + fi +} + +copyOperation () { + local source="$1" + local target="$2" + local mode="$3" + local check=false + local targetDataDir= + local targetLink= + local date= + + # prepend OLD_DATA_DIR only if source is relative path + source="$(prependDir "${source}" "${OLD_DATA_DIR}/${source}")" + if [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + targetDataDir="${NEW_DATA_DIR}" + else + targetDataDir="`cd "${NEW_DATA_DIR}"/../;pwd`" + fi + copyLogMessage "${mode}" + #remove source if it is a symlink + if [[ -L "${source}" ]]; then + targetLink=$(readlink -f "${source}") + logger "Removing the symlink [${source}] pointing to [${targetLink}]" + rm -f "${source}" + source=${targetLink} + fi + if [[ "$(checkDirExists "${source}")" != "true" ]]; then + logger "Source [${source}] directory not found in path" + return + fi + if [[ "$(checkDirContents "${source}")" != "true" ]]; then + logger "No contents to copy from [${source}]" + return + fi + if [[ "$(checkDirExists "${targetDataDir}/${target}")" != "true" ]]; then + createTargetDir "${targetDataDir}" "${target}" + fi + copyOnContentExist "${source}" "${targetDataDir}/${target}" "${mode}" +} + +copySpecificFiles () { + local source="$1" + local target="$2" + local mode="$3" + + # prepend OLD_DATA_DIR only if source is relative path + source="$(prependDir "${source}" "${OLD_DATA_DIR}/${source}")" + if [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + targetDataDir="${NEW_DATA_DIR}" + else + targetDataDir="`cd "${NEW_DATA_DIR}"/../;pwd`" + fi + copyLogMessage "${mode}" + if [[ "$(checkFileExists "${source}")" != "true" ]]; then + logger "Source file [${source}] does not exist in path" + return + fi + if [[ "$(checkDirExists "${targetDataDir}/${target}")" != "true" ]]; then + createTargetDir "${targetDataDir}" "${target}" + fi + copyCmd "${source}" "${targetDataDir}/${target}" "${mode}" +} + +copyPatternMatchingFiles () { + local source="$1" + local target="$2" + local mode="$3" + local sourcePath="${4}" + + # prepend OLD_DATA_DIR only if source is relative path + sourcePath="$(prependDir "${sourcePath}" "${OLD_DATA_DIR}/${sourcePath}")" + if [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + targetDataDir="${NEW_DATA_DIR}" + else + targetDataDir="`cd "${NEW_DATA_DIR}"/../;pwd`" + fi + copyLogMessage "${mode}" + if [[ "$(checkDirExists "${sourcePath}")" != "true" ]]; then + logger "Source [${sourcePath}] directory not found in path" + return + fi + if ls "${sourcePath}/${source}"* 1> /dev/null 2>&1; then + if [[ "$(checkDirExists "${targetDataDir}/${target}")" != "true" ]]; then + createTargetDir "${targetDataDir}" "${target}" + fi + copyCmd "${sourcePath}/${source}" "${targetDataDir}/${target}" "${mode}" + else + logger "Source file [${sourcePath}/${source}*] does not exist in path" + fi +} + +copyLogMessage () { + local mode="$1" + case $mode in + specific) + logger "Copy file [${source}] to target [${targetDataDir}/${target}]" + ;; + patternFiles) + logger "Copy files matching [${sourcePath}/${source}*] to target [${targetDataDir}/${target}]" + ;; + full) + logger "Copy directory contents from source [${source}] to target [${targetDataDir}/${target}]" + ;; + unique) + logger "Copy directory contents from source [${source}] to target [${targetDataDir}/${target}]" + ;; + esac +} + +copyBannerMessages () { + local mode="$1" + local textMode="$2" + case $mode in + specific) + bannerSection "COPY ${textMode} FILES" + ;; + patternFiles) + bannerSection "COPY MATCHING ${textMode}" + ;; + full) + bannerSection "COPY ${textMode} DIRECTORIES CONTENTS" + ;; + unique) + bannerSection "COPY ${textMode} DIRECTORIES CONTENTS" + ;; + esac +} + +invokeCopyFunctions () { + local mode="$1" + local source="$2" + local target="$3" + + case $mode in + specific) + copySpecificFiles "${source}" "${target}" "${mode}" + ;; + patternFiles) + retrieveYamlValue "migration.${copyFormat}.sourcePath" "map" "Warning" + local sourcePath="${YAML_VALUE}" + copyPatternMatchingFiles "${source}" "${target}" "${mode}" "${sourcePath}" + ;; + full) + copyOperation "${source}" "${target}" "${mode}" + ;; + unique) + copyOperation "${source}" "${target}" "${mode}" + ;; + esac +} +# Copies contents from source directory and target directory +copyDataDirectories () { + local copyFormat="$1" + local mode="$2" + local map= + local source= + local target= + local textMode= + local targetDataDir= + local copyFormatValue= + + retrieveYamlValue "migration.${copyFormat}" "${copyFormat}" "Skip" + copyFormatValue="${YAML_VALUE}" + if [[ -z "${copyFormatValue}" ]]; then + return + fi + textMode=$(echo "${mode}" | tr '[:lower:]' '[:upper:]' 2>/dev/null) + copyBannerMessages "${mode}" "${textMode}" + retrieveYamlValue "migration.${copyFormat}.map" "map" "Warning" + map="${YAML_VALUE}" + if [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + targetDataDir="${NEW_DATA_DIR}" + else + targetDataDir="`cd "${NEW_DATA_DIR}"/../;pwd`" + fi + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + source="$(getSecondEntry "${entry}")" + target="$(getFirstEntry "${entry}")" + [[ -z "${source}" ]] && warn "source value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + [[ -z "${target}" ]] && warn "target value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + invokeCopyFunctions "${mode}" "${source}" "${target}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e target=source" + fi + echo ""; + done +} + +invokeMoveFunctions () { + local source="$1" + local target="$2" + local sourceDataDir= + local targetBasename= + # prepend OLD_DATA_DIR only if source is relative path + sourceDataDir=$(prependDir "${source}" "${OLD_DATA_DIR}/${source}") + targetBasename=$(dirname "${target}") + logger "Moving directory source [${sourceDataDir}] to target [${NEW_DATA_DIR}/${target}]" + if [[ "$(checkDirExists "${sourceDataDir}")" != "true" ]]; then + logger "Directory [${sourceDataDir}] not found in path to move" + return + fi + if [[ "$(checkDirExists "${NEW_DATA_DIR}/${targetBasename}")" != "true" ]]; then + createTargetDir "${NEW_DATA_DIR}" "${targetBasename}" + moveCmd "${sourceDataDir}" "${NEW_DATA_DIR}/${target}" + else + moveCmd "${sourceDataDir}" "${NEW_DATA_DIR}/tempDir" + moveCmd "${NEW_DATA_DIR}/tempDir" "${NEW_DATA_DIR}/${target}" + fi +} + +# Move source directory and target directory +moveDirectories () { + local moveDataDirectories= + local map= + local source= + local target= + + retrieveYamlValue "migration.moveDirectories" "moveDirectories" "Skip" + moveDirectories="${YAML_VALUE}" + if [[ -z "${moveDirectories}" ]]; then + return + fi + bannerSection "MOVE DIRECTORIES" + retrieveYamlValue "migration.moveDirectories.map" "map" "Warning" + map="${YAML_VALUE}" + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + source="$(getSecondEntry "${entry}")" + target="$(getFirstEntry "${entry}")" + [[ -z "${source}" ]] && warn "source value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + [[ -z "${target}" ]] && warn "target value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + invokeMoveFunctions "${source}" "${target}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e target=source" + fi + echo ""; + done +} + +# Trim masterKey if its generated using hex 32 +trimMasterKey () { + local masterKeyDir=/opt/jfrog/artifactory/var/etc/security + local oldMasterKey=$(<${masterKeyDir}/master.key) + local oldMasterKey_Length=$(echo ${#oldMasterKey}) + local newMasterKey= + if [[ ${oldMasterKey_Length} -gt 32 ]]; then + bannerSection "TRIM MASTERKEY" + newMasterKey=$(echo ${oldMasterKey:0:32}) + cp ${masterKeyDir}/master.key ${masterKeyDir}/backup_master.key + logger "Original masterKey is backed up : ${masterKeyDir}/backup_master.key" + rm -rf ${masterKeyDir}/master.key + echo ${newMasterKey} > ${masterKeyDir}/master.key + logger "masterKey is trimmed : ${masterKeyDir}/master.key" + fi +} + +copyDirectories () { + + copyDataDirectories "copyFiles" "full" + copyDataDirectories "copyUniqueFiles" "unique" + copyDataDirectories "copySpecificFiles" "specific" + copyDataDirectories "copyPatternMatchingFiles" "patternFiles" +} + +symlinkDir () { + local source="$1" + local target="$2" + local targetDir= + local basename= + local targetParentDir= + + targetDir="$(dirname "${target}")" + if [[ "${targetDir}" == "${source}" ]]; then + # symlink the sub directories + createDirectory "${NEW_DATA_DIR}/${target}" "Warning" + if [[ "$(checkDirExists "${NEW_DATA_DIR}/${target}")" == "true" ]]; then + symlinkOnExist "${OLD_DATA_DIR}/${source}" "${NEW_DATA_DIR}/${target}" "subDir" + basename="$(basename "${target}")" + cd "${NEW_DATA_DIR}/${target}" && rm -f "${basename}" + fi + else + targetParentDir="$(dirname "${NEW_DATA_DIR}/${target}")" + createDirectory "${targetParentDir}" "Warning" + if [[ "$(checkDirExists "${targetParentDir}")" == "true" ]]; then + symlinkOnExist "${OLD_DATA_DIR}/${source}" "${NEW_DATA_DIR}/${target}" + fi + fi +} + +symlinkOperation () { + local source="$1" + local target="$2" + local check=false + local targetLink= + local date= + + # Check if source is a link and do symlink + if [[ -L "${OLD_DATA_DIR}/${source}" ]]; then + targetLink=$(readlink -f "${OLD_DATA_DIR}/${source}") + symlinkOnExist "${targetLink}" "${NEW_DATA_DIR}/${target}" + else + # check if source is directory and do symlink + if [[ "$(checkDirExists "${OLD_DATA_DIR}/${source}")" != "true" ]]; then + logger "Source [${source}] directory not found in path to symlink" + return + fi + if [[ "$(checkDirContents "${OLD_DATA_DIR}/${source}")" != "true" ]]; then + logger "No contents found in [${OLD_DATA_DIR}/${source}] to symlink" + return + fi + if [[ "$(checkDirExists "${NEW_DATA_DIR}/${target}")" != "true" ]]; then + logger "Target directory [${NEW_DATA_DIR}/${target}] does not exist to create symlink, creating it" + symlinkDir "${source}" "${target}" + else + rm -rf "${NEW_DATA_DIR}/${target}" && check=true || check=false + [[ "${check}" == "false" ]] && warn "Failed to remove contents in [${NEW_DATA_DIR}/${target}/]" + symlinkDir "${source}" "${target}" + fi + fi +} +# Creates a symlink path - Source directory to which the symbolic link should point. +symlinkDirectories () { + local linkFiles= + local map= + local source= + local target= + + retrieveYamlValue "migration.linkFiles" "linkFiles" "Skip" + linkFiles="${YAML_VALUE}" + if [[ -z "${linkFiles}" ]]; then + return + fi + bannerSection "SYMLINK DIRECTORIES" + retrieveYamlValue "migration.linkFiles.map" "map" "Warning" + map="${YAML_VALUE}" + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + source="$(getSecondEntry "${entry}")" + target="$(getFirstEntry "${entry}")" + logger "Symlink directory [${NEW_DATA_DIR}/${target}] to old [${OLD_DATA_DIR}/${source}]" + [[ -z "${source}" ]] && warn "source value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + [[ -z "${target}" ]] && warn "target value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + symlinkOperation "${source}" "${target}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e target=source" + fi + echo ""; + done +} + +updateConnectionString () { + local yamlPath="$1" + local value="$2" + local mongoPath="shared.mongo.url" + local rabbitmqPath="shared.rabbitMq.url" + local postgresPath="shared.database.url" + local redisPath="shared.redis.connectionString" + local mongoConnectionString="mongo.connectionString" + local sourceKey= + local hostIp=$(io_getPublicHostIP) + local hostKey= + + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + # Replace @postgres:,@mongodb:,@rabbitmq:,@redis: to @{hostIp}: (Compose Installer) + hostKey="@${hostIp}:" + case $yamlPath in + ${postgresPath}) + sourceKey="@postgres:" + value=$(io_replaceString "${value}" "${sourceKey}" "${hostKey}") + ;; + ${mongoPath}) + sourceKey="@mongodb:" + value=$(io_replaceString "${value}" "${sourceKey}" "${hostKey}") + ;; + ${rabbitmqPath}) + sourceKey="@rabbitmq:" + value=$(io_replaceString "${value}" "${sourceKey}" "${hostKey}") + ;; + ${redisPath}) + sourceKey="@redis:" + value=$(io_replaceString "${value}" "${sourceKey}" "${hostKey}") + ;; + ${mongoConnectionString}) + sourceKey="@mongodb:" + value=$(io_replaceString "${value}" "${sourceKey}" "${hostKey}") + ;; + esac + fi + echo -n "${value}" +} + +yamlMigrate () { + local entry="$1" + local sourceFile="$2" + local value= + local yamlPath= + local key= + yamlPath="$(getFirstEntry "${entry}")" + key="$(getSecondEntry "${entry}")" + if [[ -z "${key}" ]]; then + warn "key is empty in map [${entry}] in the file [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + if [[ -z "${yamlPath}" ]]; then + warn "yamlPath is empty for [${key}] in [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + getYamlValue "${key}" "${sourceFile}" "false" + value="${YAML_VALUE}" + if [[ ! -z "${value}" ]]; then + value=$(updateConnectionString "${yamlPath}" "${value}") + fi + if [[ -z "${value}" ]]; then + logger "No value for [${key}] in [${sourceFile}]" + else + setSystemValue "${yamlPath}" "${value}" "${SYSTEM_YAML_PATH}" + logger "Setting [${yamlPath}] with value of the key [${key}] in system.yaml" + fi +} + +migrateYamlFile () { + local files= + local filePath= + local fileName= + local sourceFile= + local map= + retrieveYamlValue "migration.yaml.files" "files" "Skip" + files="${YAML_VALUE}" + if [[ -z "${files}" ]]; then + return + fi + bannerSection "MIGRATION OF YAML FILES" + for file in $files; + do + bannerSubSection "Processing Migration of $file" + retrieveYamlValue "migration.yaml.$file.filePath" "filePath" "Warning" + filePath="${YAML_VALUE}" + retrieveYamlValue "migration.yaml.$file.fileName" "fileName" "Warning" + fileName="${YAML_VALUE}" + [[ -z "${filePath}" && -z "${fileName}" ]] && continue + sourceFile="${NEW_DATA_DIR}/${filePath}/${fileName}" + if [[ "$(checkFileExists "${sourceFile}")" == "true" ]]; then + logger "File [${fileName}] found in path [${NEW_DATA_DIR}/${filePath}]" + retrieveYamlValue "migration.yaml.$file.map" "map" "Warning" + map="${YAML_VALUE}" + [[ -z "${map}" ]] && continue + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + yamlMigrate "${entry}" "${sourceFile}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e yamlPath=key" + fi + done + else + logger "File [${fileName}] is not found in path [${NEW_DATA_DIR}/${filePath}] to migrate" + fi + done +} +# updates the key and value in system.yaml +updateYamlKeyValue () { + local entry="$1" + local value= + local yamlPath= + local key= + + yamlPath="$(getFirstEntry "${entry}")" + value="$(getSecondEntry "${entry}")" + if [[ -z "${value}" ]]; then + warn "value is empty in map [${entry}] in the file [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + if [[ -z "${yamlPath}" ]]; then + warn "yamlPath is empty for [${key}] in [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + setSystemValue "${yamlPath}" "${value}" "${SYSTEM_YAML_PATH}" + logger "Setting [${yamlPath}] with value [${value}] in system.yaml" +} + +updateSystemYamlFile () { + local updateYaml= + local map= + + retrieveYamlValue "migration.updateSystemYaml" "updateYaml" "Skip" + updateSystemYaml="${YAML_VALUE}" + if [[ -z "${updateSystemYaml}" ]]; then + return + fi + bannerSection "UPDATE SYSTEM YAML FILE WITH KEY AND VALUES" + retrieveYamlValue "migration.updateSystemYaml.map" "map" "Warning" + map="${YAML_VALUE}" + if [[ -z "${map}" ]]; then + return + fi + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + updateYamlKeyValue "${entry}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e yamlPath=key" + fi + done +} + +backupFiles_hook () { + logSilly "Method ${FUNCNAME[0]}" +} + +backupDirectory () { + local backupDir="$1" + local dir="$2" + local targetDir="$3" + local effectiveUser= + local effectiveGroup= + + if [[ "${dir}" = \/* ]]; then + dir=$(echo "${dir/\//}") + fi + + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + effectiveUser="${JF_USER}" + effectiveGroup="${JF_USER}" + elif [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then + effectiveUser="${USER_TO_CHECK}" + effectiveGroup="${GROUP_TO_CHECK}" + fi + + removeSoftLinkAndCreateDir "${backupDir}" "${effectiveUser}" "${effectiveGroup}" "yes" + local backupDirectory="${backupDir}/${PRODUCT}" + removeSoftLinkAndCreateDir "${backupDirectory}" "${effectiveUser}" "${effectiveGroup}" "yes" + removeSoftLinkAndCreateDir "${backupDirectory}/${dir}" "${effectiveUser}" "${effectiveGroup}" "yes" + local outputCheckDirExists="$(checkDirExists "${backupDirectory}/${dir}")" + if [[ "${outputCheckDirExists}" == "true" ]]; then + copyOnContentExist "${targetDir}" "${backupDirectory}/${dir}" "full" + fi +} + +removeOldDirectory () { + local backupDir="$1" + local entry="$2" + local check=false + + # prepend OLD_DATA_DIR only if entry is relative path + local targetDir="$(prependDir "${entry}" "${OLD_DATA_DIR}/${entry}")" + local outputCheckDirExists="$(checkDirExists "${targetDir}")" + if [[ "${outputCheckDirExists}" != "true" ]]; then + logger "No [${targetDir}] directory found to delete" + echo ""; + return + fi + backupDirectory "${backupDir}" "${entry}" "${targetDir}" + rm -rf "${targetDir}" && check=true || check=false + [[ "${check}" == "true" ]] && logger "Successfully removed directory [${targetDir}]" + [[ "${check}" == "false" ]] && warn "Failed to remove directory [${targetDir}]" + echo ""; +} + +cleanUpOldDataDirectories () { + local cleanUpOldDataDir= + local map= + local entry= + + retrieveYamlValue "migration.cleanUpOldDataDir" "cleanUpOldDataDir" "Skip" + cleanUpOldDataDir="${YAML_VALUE}" + if [[ -z "${cleanUpOldDataDir}" ]]; then + return + fi + bannerSection "CLEAN UP OLD DATA DIRECTORIES" + retrieveYamlValue "migration.cleanUpOldDataDir.map" "map" "Warning" + map="${YAML_VALUE}" + [[ -z "${map}" ]] && continue + date="$(date +%Y%m%d%H%M)" + backupDir="${NEW_DATA_DIR}/backup/backup-${date}" + bannerImportant "****** Old data configurations are backedup in [${backupDir}] directory ******" + backupFiles_hook "${backupDir}/${PRODUCT}" + for entry in $map; + do + removeOldDirectory "${backupDir}" "${entry}" + done +} + +backupFiles () { + local backupDir="$1" + local dir="$2" + local targetDir="$3" + local fileName="$4" + local effectiveUser= + local effectiveGroup= + + if [[ "${dir}" = \/* ]]; then + dir=$(echo "${dir/\//}") + fi + + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + effectiveUser="${JF_USER}" + effectiveGroup="${JF_USER}" + elif [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then + effectiveUser="${USER_TO_CHECK}" + effectiveGroup="${GROUP_TO_CHECK}" + fi + + removeSoftLinkAndCreateDir "${backupDir}" "${effectiveUser}" "${effectiveGroup}" "yes" + local backupDirectory="${backupDir}/${PRODUCT}" + removeSoftLinkAndCreateDir "${backupDirectory}" "${effectiveUser}" "${effectiveGroup}" "yes" + removeSoftLinkAndCreateDir "${backupDirectory}/${dir}" "${effectiveUser}" "${effectiveGroup}" "yes" + local outputCheckDirExists="$(checkDirExists "${backupDirectory}/${dir}")" + if [[ "${outputCheckDirExists}" == "true" ]]; then + copyCmd "${targetDir}/${fileName}" "${backupDirectory}/${dir}" "specific" + fi +} + +removeOldFiles () { + local backupDir="$1" + local directoryName="$2" + local fileName="$3" + local check=false + + # prepend OLD_DATA_DIR only if entry is relative path + local targetDir="$(prependDir "${directoryName}" "${OLD_DATA_DIR}/${directoryName}")" + local outputCheckFileExists="$(checkFileExists "${targetDir}/${fileName}")" + if [[ "${outputCheckFileExists}" != "true" ]]; then + logger "No [${targetDir}/${fileName}] file found to delete" + return + fi + backupFiles "${backupDir}" "${directoryName}" "${targetDir}" "${fileName}" + rm -f "${targetDir}/${fileName}" && check=true || check=false + [[ "${check}" == "true" ]] && logger "Successfully removed file [${targetDir}/${fileName}]" + [[ "${check}" == "false" ]] && warn "Failed to remove file [${targetDir}/${fileName}]" + echo ""; +} + +cleanUpOldFiles () { + local cleanUpFiles= + local map= + local entry= + + retrieveYamlValue "migration.cleanUpOldFiles" "cleanUpOldFiles" "Skip" + cleanUpOldFiles="${YAML_VALUE}" + if [[ -z "${cleanUpOldFiles}" ]]; then + return + fi + bannerSection "CLEAN UP OLD FILES" + retrieveYamlValue "migration.cleanUpOldFiles.map" "map" "Warning" + map="${YAML_VALUE}" + [[ -z "${map}" ]] && continue + date="$(date +%Y%m%d%H%M)" + backupDir="${NEW_DATA_DIR}/backup/backup-${date}" + bannerImportant "****** Old files are backedup in [${backupDir}] directory ******" + for entry in $map; + do + local outputCheckMapEntry="$(checkMapEntry "${entry}")" + if [[ "${outputCheckMapEntry}" != "true" ]]; then + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e directoryName=fileName" + fi + local fileName="$(getSecondEntry "${entry}")" + local directoryName="$(getFirstEntry "${entry}")" + [[ -z "${fileName}" ]] && warn "File name value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + [[ -z "${directoryName}" ]] && warn "Directory name value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + removeOldFiles "${backupDir}" "${directoryName}" "${fileName}" + echo ""; + done +} + +startMigration () { + bannerSection "STARTING MIGRATION" +} + +endMigration () { + bannerSection "MIGRATION COMPLETED SUCCESSFULLY" +} + +initialize () { + setAppDir + _pauseExecution "setAppDir" + initHelpers + _pauseExecution "initHelpers" + checkMigrationInfoYaml + _pauseExecution "checkMigrationInfoYaml" + getProduct + _pauseExecution "getProduct" + getDataDir + _pauseExecution "getDataDir" +} + +main () { + case $PRODUCT in + artifactory) + migrateArtifactory + ;; + distribution) + migrateDistribution + ;; + xray) + migrationXray + ;; + esac + exit 0 +} + +# Ensures meta data is logged +LOG_BEHAVIOR_ADD_META="$FLAG_Y" + + +migrateResolveDerbyPath () { + local key="$1" + local value="$2" + + if [[ "${key}" == "url" && "${value}" == *"db.home"* ]]; then + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" ]]; then + derbyPath="/opt/jfrog/artifactory/var/data/artifactory/derby" + value=$(echo "${value}" | sed "s|{db.home}|$derbyPath|") + else + derbyPath="${NEW_DATA_DIR}/data/artifactory/derby" + value=$(echo "${value}" | sed "s|{db.home}|$derbyPath|") + fi + fi + echo "${value}" +} + +migrateResolveHaDirPath () { + local key="$1" + local value="$2" + + if [[ "${INSTALLER}" == "${RPM_TYPE}" || "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" || "${INSTALLER}" == "${DEB_TYPE}" ]]; then + if [[ "${key}" == "artifactory.ha.data.dir" || "${key}" == "artifactory.ha.backup.dir" ]]; then + value=$(checkPathResolver "${value}") + fi + fi + echo "${value}" +} +updatePostgresUrlString_Hook () { + local yamlPath="$1" + local value="$2" + local hostIp=$(io_getPublicHostIP) + local sourceKey="//postgresql:" + if [[ "${yamlPath}" == "shared.database.url" ]]; then + value=$(io_replaceString "${value}" "${sourceKey}" "//${hostIp}:" "#") + fi + echo "${value}" +} +# Check Artifactory product version +checkArtifactoryVersion () { + local minProductVersion="6.0.0" + local maxProductVersion="7.0.0" + local propertyInDocker="ARTIFACTORY_VERSION" + local property="artifactory.version" + + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" ]]; then + local newfilePath="${APP_DIR}/../.env" + local oldfilePath="${OLD_DATA_DIR}/etc/artifactory.properties" + elif [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + local oldfilePath="${OLD_DATA_DIR}/etc/artifactory.properties" + elif [[ "${INSTALLER}" == "${ZIP_TYPE}" ]]; then + local newfilePath="${NEW_DATA_DIR}/etc/artifactory/artifactory.properties" + local oldfilePath="${OLD_DATA_DIR}/etc/artifactory.properties" + else + local newfilePath="${NEW_DATA_DIR}/etc/artifactory/artifactory.properties" + local oldfilePath="/etc/opt/jfrog/artifactory/artifactory.properties" + fi + + getProductVersion "${minProductVersion}" "${maxProductVersion}" "${newfilePath}" "${oldfilePath}" "${propertyInDocker}" "${property}" +} + +getCustomDataDir_hook () { + retrieveYamlValue "migration.oldDataDir" "oldDataDir" "Fail" + OLD_DATA_DIR="${YAML_VALUE}" +} + +# Get protocol value of connector +getXmlConnectorProtocol () { + local i="$1" + local filePath="$2" + local fileName="$3" + local protocolValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@protocol' ${filePath}/${fileName} 2>/dev/null |awk -F"=" '{print $2}' | tr -d '"') + echo -e "${protocolValue}" +} + +# Get all attributes of connector +getXmlConnectorAttributes () { + local i="$1" + local filePath="$2" + local fileName="$3" + local connectorAttributes=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@*' ${filePath}/${fileName} 2>/dev/null) + # strip leading and trailing spaces + connectorAttributes=$(io_trim "${connectorAttributes}") + echo "${connectorAttributes}" +} + +# Get port value of connector +getXmlConnectorPort () { + local i="$1" + local filePath="$2" + local fileName="$3" + local portValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@port' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + echo -e "${portValue}" +} + +# Get maxThreads value of connector +getXmlConnectorMaxThreads () { + local i="$1" + local filePath="$2" + local fileName="$3" + local maxThreadValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@maxThreads' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + echo -e "${maxThreadValue}" +} +# Get sendReasonPhrase value of connector +getXmlConnectorSendReasonPhrase () { + local i="$1" + local filePath="$2" + local fileName="$3" + local sendReasonPhraseValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@sendReasonPhrase' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + echo -e "${sendReasonPhraseValue}" +} +# Get relaxedPathChars value of connector +getXmlConnectorRelaxedPathChars () { + local i="$1" + local filePath="$2" + local fileName="$3" + local relaxedPathCharsValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@relaxedPathChars' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + # strip leading and trailing spaces + relaxedPathCharsValue=$(io_trim "${relaxedPathCharsValue}") + echo -e "${relaxedPathCharsValue}" +} +# Get relaxedQueryChars value of connector +getXmlConnectorRelaxedQueryChars () { + local i="$1" + local filePath="$2" + local fileName="$3" + local relaxedQueryCharsValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@relaxedQueryChars' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + # strip leading and trailing spaces + relaxedQueryCharsValue=$(io_trim "${relaxedQueryCharsValue}") + echo -e "${relaxedQueryCharsValue}" +} + +# Updating system.yaml with Connector port +setConnectorPort () { + local yamlPath="$1" + local valuePort="$2" + local portYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${valuePort}" ]]; then + warn "port value is empty, could not migrate to system.yaml" + return + fi + ## Getting port yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" portYamlPath "Warning" + portYamlPath="${YAML_VALUE}" + if [[ -z "${portYamlPath}" ]]; then + return + fi + setSystemValue "${portYamlPath}" "${valuePort}" "${SYSTEM_YAML_PATH}" + logger "Setting [${portYamlPath}] with value [${valuePort}] in system.yaml" +} + +# Updating system.yaml with Connector maxThreads +setConnectorMaxThread () { + local yamlPath="$1" + local threadValue="$2" + local maxThreadYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${threadValue}" ]]; then + return + fi + ## Getting max Threads yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" maxThreadYamlPath "Warning" + maxThreadYamlPath="${YAML_VALUE}" + if [[ -z "${maxThreadYamlPath}" ]]; then + return + fi + setSystemValue "${maxThreadYamlPath}" "${threadValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${maxThreadYamlPath}] with value [${threadValue}] in system.yaml" +} + +# Updating system.yaml with Connector sendReasonPhrase +setConnectorSendReasonPhrase () { + local yamlPath="$1" + local sendReasonPhraseValue="$2" + local sendReasonPhraseYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${sendReasonPhraseValue}" ]]; then + return + fi + ## Getting sendReasonPhrase yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" sendReasonPhraseYamlPath "Warning" + sendReasonPhraseYamlPath="${YAML_VALUE}" + if [[ -z "${sendReasonPhraseYamlPath}" ]]; then + return + fi + setSystemValue "${sendReasonPhraseYamlPath}" "${sendReasonPhraseValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${sendReasonPhraseYamlPath}] with value [${sendReasonPhraseValue}] in system.yaml" +} + +# Updating system.yaml with Connector relaxedPathChars +setConnectorRelaxedPathChars () { + local yamlPath="$1" + local relaxedPathCharsValue="$2" + local relaxedPathCharsYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${relaxedPathCharsValue}" ]]; then + return + fi + ## Getting relaxedPathChars yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" relaxedPathCharsYamlPath "Warning" + relaxedPathCharsYamlPath="${YAML_VALUE}" + if [[ -z "${relaxedPathCharsYamlPath}" ]]; then + return + fi + setSystemValue "${relaxedPathCharsYamlPath}" "${relaxedPathCharsValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${relaxedPathCharsYamlPath}] with value [${relaxedPathCharsValue}] in system.yaml" +} + +# Updating system.yaml with Connector relaxedQueryChars +setConnectorRelaxedQueryChars () { + local yamlPath="$1" + local relaxedQueryCharsValue="$2" + local relaxedQueryCharsYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${relaxedQueryCharsValue}" ]]; then + return + fi + ## Getting relaxedQueryChars yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" relaxedQueryCharsYamlPath "Warning" + relaxedQueryCharsYamlPath="${YAML_VALUE}" + if [[ -z "${relaxedQueryCharsYamlPath}" ]]; then + return + fi + setSystemValue "${relaxedQueryCharsYamlPath}" "${relaxedQueryCharsValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${relaxedQueryCharsYamlPath}] with value [${relaxedQueryCharsValue}] in system.yaml" +} + +# Updating system.yaml with Connectors configurations +setConnectorExtraConfig () { + local yamlPath="$1" + local connectorAttributes="$2" + local extraConfigPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${connectorAttributes}" ]]; then + return + fi + ## Getting extraConfig yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" extraConfig "Warning" + extraConfigPath="${YAML_VALUE}" + if [[ -z "${extraConfigPath}" ]]; then + return + fi + # strip leading and trailing spaces + connectorAttributes=$(io_trim "${connectorAttributes}") + setSystemValue "${extraConfigPath}" "${connectorAttributes}" "${SYSTEM_YAML_PATH}" + logger "Setting [${extraConfigPath}] with connector attributes in system.yaml" +} + +# Updating system.yaml with extra Connectors +setExtraConnector () { + local yamlPath="$1" + local extraConnector="$2" + local extraConnectorYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${extraConnector}" ]]; then + return + fi + ## Getting extraConnecotr yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" extraConnectorYamlPath "Warning" + extraConnectorYamlPath="${YAML_VALUE}" + if [[ -z "${extraConnectorYamlPath}" ]]; then + return + fi + getYamlValue "${extraConnectorYamlPath}" "${SYSTEM_YAML_PATH}" "false" + local connectorExtra="${YAML_VALUE}" + if [[ -z "${connectorExtra}" ]]; then + setSystemValue "${extraConnectorYamlPath}" "${extraConnector}" "${SYSTEM_YAML_PATH}" + logger "Setting [${extraConnectorYamlPath}] with extra connectors in system.yaml" + else + setSystemValue "${extraConnectorYamlPath}" "\"${connectorExtra} ${extraConnector}\"" "${SYSTEM_YAML_PATH}" + logger "Setting [${extraConnectorYamlPath}] with extra connectors in system.yaml" + fi +} + +# Migrate extra connectors to system.yaml +migrateExtraConnectors () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local excludeDefaultPort="$4" + local i="$5" + local extraConfig= + local extraConnector= + if [[ "${excludeDefaultPort}" == "yes" ]]; then + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + [[ "${portValue}" != "${DEFAULT_ACCESS_PORT}" && "${portValue}" != "${DEFAULT_RT_PORT}" ]] || continue + extraConnector=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']' ${filePath}/${fileName} 2>/dev/null) + setExtraConnector "${EXTRA_CONFIG_YAMLPATH}" "${extraConnector}" + done + else + extraConnector=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']' ${filePath}/${fileName} 2>/dev/null) + setExtraConnector "${EXTRA_CONFIG_YAMLPATH}" "${extraConnector}" + fi +} + +# Migrate connector configurations +migrateConnectorConfig () { + local i="$1" + local protocolType="$2" + local portValue="$3" + local connectorPortYamlPath="$4" + local connectorMaxThreadYamlPath="$5" + local connectorAttributesYamlPath="$6" + local filePath="$7" + local fileName="$8" + local connectorSendReasonPhraseYamlPath="$9" + local connectorRelaxedPathCharsYamlPath="${10}" + local connectorRelaxedQueryCharsYamlPath="${11}" + + # migrate port + setConnectorPort "${connectorPortYamlPath}" "${portValue}" + + # migrate maxThreads + local maxThreadValue=$(getXmlConnectorMaxThreads "$i" "${filePath}" "${fileName}") + setConnectorMaxThread "${connectorMaxThreadYamlPath}" "${maxThreadValue}" + + # migrate sendReasonPhrase + local sendReasonPhraseValue=$(getXmlConnectorSendReasonPhrase "$i" "${filePath}" "${fileName}") + setConnectorSendReasonPhrase "${connectorSendReasonPhraseYamlPath}" "${sendReasonPhraseValue}" + + # migrate relaxedPathChars + local relaxedPathCharsValue=$(getXmlConnectorRelaxedPathChars "$i" "${filePath}" "${fileName}") + setConnectorRelaxedPathChars "${connectorRelaxedPathCharsYamlPath}" "\"${relaxedPathCharsValue}\"" + # migrate relaxedQueryChars + local relaxedQueryCharsValue=$(getXmlConnectorRelaxedQueryChars "$i" "${filePath}" "${fileName}") + setConnectorRelaxedQueryChars "${connectorRelaxedQueryCharsYamlPath}" "\"${relaxedQueryCharsValue}\"" + + # migrate all attributes to extra config except port , maxThread , sendReasonPhrase ,relaxedPathChars and relaxedQueryChars + local connectorAttributes=$(getXmlConnectorAttributes "$i" "${filePath}" "${fileName}") + connectorAttributes=$(echo "${connectorAttributes}" | sed 's/port="'${portValue}'"//g' | sed 's/maxThreads="'${maxThreadValue}'"//g' | sed 's/sendReasonPhrase="'${sendReasonPhraseValue}'"//g' | sed 's/relaxedPathChars="\'${relaxedPathCharsValue}'\"//g' | sed 's/relaxedQueryChars="\'${relaxedQueryCharsValue}'\"//g') + # strip leading and trailing spaces + connectorAttributes=$(io_trim "${connectorAttributes}") + setConnectorExtraConfig "${connectorAttributesYamlPath}" "${connectorAttributes}" +} + +# Check for default port 8040 and 8081 in connectors and migrate +migrateConnectorPort () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local defaultPort="$4" + local connectorPortYamlPath="$5" + local connectorMaxThreadYamlPath="$6" + local connectorAttributesYamlPath="$7" + local connectorSendReasonPhraseYamlPath="$8" + local connectorRelaxedPathCharsYamlPath="$9" + local connectorRelaxedQueryCharsYamlPath="${10}" + local portYamlPath= + local maxThreadYamlPath= + local status= + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + [[ "${protocolType}" == *AJP* ]] && continue + [[ "${portValue}" != "${defaultPort}" ]] && continue + if [[ "${portValue}" == "${DEFAULT_RT_PORT}" ]]; then + RT_DEFAULTPORT_STATUS=success + else + AC_DEFAULTPORT_STATUS=success + fi + migrateConnectorConfig "${i}" "${protocolType}" "${portValue}" "${connectorPortYamlPath}" "${connectorMaxThreadYamlPath}" "${connectorAttributesYamlPath}" "${filePath}" "${fileName}" "${connectorSendReasonPhraseYamlPath}" "${connectorRelaxedPathCharsYamlPath}" "${connectorRelaxedQueryCharsYamlPath}" + done +} + +# migrate to extra, connector having default port and protocol is AJP +migrateDefaultPortIfAjp () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local defaultPort="$4" + + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + [[ "${protocolType}" != *AJP* ]] && continue + [[ "${portValue}" != "${defaultPort}" ]] && continue + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "no" "${i}" + done + +} + +# Comparing max threads in connectors +compareMaxThreads () { + local firstConnectorMaxThread="$1" + local firstConnectorNode="$2" + local secondConnectorMaxThread="$3" + local secondConnectorNode="$4" + local filePath="$5" + local fileName="$6" + + # choose higher maxThreads connector as Artifactory. + if [[ "${firstConnectorMaxThread}" -gt ${secondConnectorMaxThread} || "${firstConnectorMaxThread}" -eq ${secondConnectorMaxThread} ]]; then + # maxThread is higher in firstConnector, + # Taking firstConnector as Artifactory and SecondConnector as Access + # maxThread is equal in both connector,considering firstConnector as Artifactory and SecondConnector as Access + local rtPortValue=$(getXmlConnectorPort "${firstConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${firstConnectorNode}" "${protocolType}" "${rtPortValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + local acPortValue=$(getXmlConnectorPort "${secondConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${secondConnectorNode}" "${protocolType}" "${acPortValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + else + # maxThread is higher in SecondConnector, + # Taking SecondConnector as Artifactory and firstConnector as Access + local rtPortValue=$(getXmlConnectorPort "${secondConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${secondConnectorNode}" "${protocolType}" "${rtPortValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + local acPortValue=$(getXmlConnectorPort "${firstConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${firstConnectorNode}" "${protocolType}" "${acPortValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + fi +} + +# Check max threads exist to compare +maxThreadsExistToCompare () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local firstConnectorMaxThread= + local secondConnectorMaxThread= + local firstConnectorNode= + local secondConnectorNode= + local status=success + local firstnode=fail + + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + if [[ ${protocolType} == *AJP* ]]; then + # Migrate Connectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "no" "${i}" + continue + fi + # store maxthreads value of each connector + if [[ ${firstnode} == "fail" ]]; then + firstConnectorMaxThread=$(getXmlConnectorMaxThreads "${i}" "${filePath}" "${fileName}") + firstConnectorNode="${i}" + firstnode=success + else + secondConnectorMaxThread=$(getXmlConnectorMaxThreads "${i}" "${filePath}" "${fileName}") + secondConnectorNode="${i}" + fi + done + [[ -z "${firstConnectorMaxThread}" ]] && status=fail + [[ -z "${secondConnectorMaxThread}" ]] && status=fail + # maxThreads is set, now compare MaxThreads + if [[ "${status}" == "success" ]]; then + compareMaxThreads "${firstConnectorMaxThread}" "${firstConnectorNode}" "${secondConnectorMaxThread}" "${secondConnectorNode}" "${filePath}" "${fileName}" + else + # Assume first connector is RT, maxThreads is not set in both connectors + local rtPortValue=$(getXmlConnectorPort "${firstConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${firstConnectorNode}" "${protocolType}" "${rtPortValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + local acPortValue=$(getXmlConnectorPort "${secondConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${secondConnectorNode}" "${protocolType}" "${acPortValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + fi +} + +migrateExtraBasedOnNonAjpCount () { + local nonAjpCount="$1" + local filePath="$2" + local fileName="$3" + local connectorCount="$4" + local i="$5" + + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + if [[ "${protocolType}" == *AJP* ]]; then + if [[ "${nonAjpCount}" -eq 1 ]]; then + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "no" "${i}" + continue + else + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + continue + fi + fi +} + +# find RT and AC Connector +findRtAndAcConnector () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local initialAjpCount=0 + local nonAjpCount=0 + + # get the count of non AJP + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + [[ "${protocolType}" != *AJP* ]] || continue + nonAjpCount=$((initialAjpCount+1)) + initialAjpCount="${nonAjpCount}" + done + if [[ "${nonAjpCount}" -eq 1 ]]; then + # Add the connector found as access and artifactory connectors + # Mark port as 8040 for access + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + migrateExtraBasedOnNonAjpCount "${nonAjpCount}" "${filePath}" "${fileName}" "${connectorCount}" "$i" + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + setConnectorPort "${AC_PORT_YAMLPATH}" "${DEFAULT_ACCESS_PORT}" + done + elif [[ "${nonAjpCount}" -eq 2 ]]; then + # compare maxThreads in both connectors + maxThreadsExistToCompare "${filePath}" "${fileName}" "${connectorCount}" + elif [[ "${nonAjpCount}" -gt 2 ]]; then + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + elif [[ "${nonAjpCount}" -eq 0 ]]; then + # setting with default port in system.yaml + setConnectorPort "${RT_PORT_YAMLPATH}" "${DEFAULT_RT_PORT}" + setConnectorPort "${AC_PORT_YAMLPATH}" "${DEFAULT_ACCESS_PORT}" + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + fi +} + +# get the count of non AJP +getCountOfNonAjp () { + local port="$1" + local connectorCount="$2" + local filePath=$3 + local fileName=$4 + local initialNonAjpCount=0 + + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + [[ "${portValue}" != "${port}" ]] || continue + [[ "${protocolType}" != *AJP* ]] || continue + local nonAjpCount=$((initialNonAjpCount+1)) + initialNonAjpCount="${nonAjpCount}" + done + echo -e "${nonAjpCount}" +} + +# Find for access connector +findAcConnector () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + + # get the count of non AJP + local nonAjpCount=$(getCountOfNonAjp "${DEFAULT_RT_PORT}" "${connectorCount}" "${filePath}" "${fileName}") + if [[ "${nonAjpCount}" -eq 1 ]]; then + # Add the connector found as access connector and mark port as that of connector + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + migrateExtraBasedOnNonAjpCount "${nonAjpCount}" "${filePath}" "${fileName}" "${connectorCount}" "$i" + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + if [[ "${portValue}" != "${DEFAULT_RT_PORT}" ]]; then + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + fi + done + elif [[ "${nonAjpCount}" -gt 1 ]]; then + # Take RT properties into access with 8040 + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + migrateExtraBasedOnNonAjpCount "${nonAjpCount}" "${filePath}" "${fileName}" "${connectorCount}" "$i" + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + if [[ "${portValue}" == "${DEFAULT_RT_PORT}" ]]; then + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + setConnectorPort "${AC_PORT_YAMLPATH}" "${DEFAULT_ACCESS_PORT}" + fi + done + elif [[ "${nonAjpCount}" -eq 0 ]]; then + # Add RT connector details as access connector and mark port as 8040 + migrateConnectorPort "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_RT_PORT}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${AC_SENDREASONPHRASE_YAMLPATH}" + setConnectorPort "${AC_PORT_YAMLPATH}" "${DEFAULT_ACCESS_PORT}" + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + fi +} + +# Find for artifactory connector +findRtConnector () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + + # get the count of non AJP + local nonAjpCount=$(getCountOfNonAjp "${DEFAULT_ACCESS_PORT}" "${connectorCount}" "${filePath}" "${fileName}") + if [[ "${nonAjpCount}" -eq 1 ]]; then + # Add the connector found as RT connector + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + migrateExtraBasedOnNonAjpCount "${nonAjpCount}" "${filePath}" "${fileName}" "${connectorCount}" "$i" + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + if [[ "${portValue}" != "${DEFAULT_ACCESS_PORT}" ]]; then + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + fi + done + elif [[ "${nonAjpCount}" -gt 1 ]]; then + # Take access properties into artifactory with 8081 + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + migrateExtraBasedOnNonAjpCount "${nonAjpCount}" "${filePath}" "${fileName}" "${connectorCount}" "$i" + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + if [[ "${portValue}" == "${DEFAULT_ACCESS_PORT}" ]]; then + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + setConnectorPort "${RT_PORT_YAMLPATH}" "${DEFAULT_RT_PORT}" + fi + done + elif [[ "${nonAjpCount}" -eq 0 ]]; then + # Add access connector details as RT connector and mark as ${DEFAULT_RT_PORT} + migrateConnectorPort "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_ACCESS_PORT}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + setConnectorPort "${RT_PORT_YAMLPATH}" "${DEFAULT_RT_PORT}" + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + fi +} + +checkForTlsConnector () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + local sslProtocolValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@sslProtocol' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + if [[ "${sslProtocolValue}" == "TLS" ]]; then + bannerImportant "NOTE: Ignoring TLS connector during migration, modify the system yaml to enable TLS. Original server.xml is saved in path [${filePath}/${fileName}]" + TLS_CONNECTOR_EXISTS=${FLAG_Y} + continue + fi + done +} + +# set custom tomcat server Listeners to system.yaml +setListenerConnector () { + local filePath="$1" + local fileName="$2" + local listenerCount="$3" + for ((i = 1 ; i <= "${listenerCount}" ; i++)) + do + local listenerConnector=$($LIBXML2_PATH --xpath '//Server/Listener['$i']' ${filePath}/${fileName} 2>/dev/null) + local listenerClassName=$($LIBXML2_PATH --xpath '//Server/Listener['$i']/@className' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + if [[ "${listenerClassName}" == *Apr* ]]; then + setExtraConnector "${EXTRA_LISTENER_CONFIG_YAMLPATH}" "${listenerConnector}" + fi + done +} +# add custom tomcat server Listeners +addTomcatServerListeners () { + local filePath="$1" + local fileName="$2" + local listenerCount="$3" + if [[ "${listenerCount}" == "0" ]]; then + logger "No listener connectors found in the [${filePath}/${fileName}],skipping migration of listener connectors" + else + setListenerConnector "${filePath}" "${fileName}" "${listenerCount}" + setSystemValue "${RT_TOMCAT_HTTPSCONNECTOR_ENABLED}" "true" "${SYSTEM_YAML_PATH}" + logger "Setting [${RT_TOMCAT_HTTPSCONNECTOR_ENABLED}] with value [true] in system.yaml" + fi +} + +# server.xml migration operations +xmlMigrateOperation () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local listenerCount="$4" + RT_DEFAULTPORT_STATUS=fail + AC_DEFAULTPORT_STATUS=fail + TLS_CONNECTOR_EXISTS=${FLAG_N} + + # Check for connector with TLS , if found ignore migrating it + checkForTlsConnector "${filePath}" "${fileName}" "${connectorCount}" + if [[ "${TLS_CONNECTOR_EXISTS}" == "${FLAG_Y}" ]]; then + return + fi + addTomcatServerListeners "${filePath}" "${fileName}" "${listenerCount}" + # Migrate RT default port from connectors + migrateConnectorPort "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_RT_PORT}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + # Migrate to extra if RT default ports are AJP + migrateDefaultPortIfAjp "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_RT_PORT}" + # Migrate AC default port from connectors + migrateConnectorPort "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_ACCESS_PORT}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${AC_SENDREASONPHRASE_YAMLPATH}" + # Migrate to extra if access default ports are AJP + migrateDefaultPortIfAjp "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_ACCESS_PORT}" + + if [[ "${AC_DEFAULTPORT_STATUS}" == "success" && "${RT_DEFAULTPORT_STATUS}" == "success" ]]; then + # RT and AC default port found + logger "Artifactory 8081 and Access 8040 default port are found" + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + elif [[ "${AC_DEFAULTPORT_STATUS}" == "success" && "${RT_DEFAULTPORT_STATUS}" == "fail" ]]; then + # Only AC default port found,find RT connector + logger "Found Access default 8040 port" + findRtConnector "${filePath}" "${fileName}" "${connectorCount}" + elif [[ "${AC_DEFAULTPORT_STATUS}" == "fail" && "${RT_DEFAULTPORT_STATUS}" == "success" ]]; then + # Only RT default port found,find AC connector + logger "Found Artifactory default 8081 port" + findAcConnector "${filePath}" "${fileName}" "${connectorCount}" + elif [[ "${AC_DEFAULTPORT_STATUS}" == "fail" && "${RT_DEFAULTPORT_STATUS}" == "fail" ]]; then + # RT and AC default port not found, find connector + logger "Artifactory 8081 and Access 8040 default port are not found" + findRtAndAcConnector "${filePath}" "${fileName}" "${connectorCount}" + fi +} + +# get count of connectors +getXmlConnectorCount () { + local filePath="$1" + local fileName="$2" + local count=$($LIBXML2_PATH --xpath 'count(/Server/Service/Connector)' ${filePath}/${fileName}) + echo -e "${count}" +} + +# get count of listener connectors +getTomcatServerListenersCount () { + local filePath="$1" + local fileName="$2" + local count=$($LIBXML2_PATH --xpath 'count(/Server/Listener)' ${filePath}/${fileName}) + echo -e "${count}" +} + +# Migrate server.xml configuration to system.yaml +migrateXmlFile () { + local xmlFiles= + local fileName= + local filePath= + local sourceFilePath= + DEFAULT_ACCESS_PORT="8040" + DEFAULT_RT_PORT="8081" + AC_PORT_YAMLPATH="migration.xmlFiles.serverXml.access.port" + AC_MAXTHREADS_YAMLPATH="migration.xmlFiles.serverXml.access.maxThreads" + AC_SENDREASONPHRASE_YAMLPATH="migration.xmlFiles.serverXml.access.sendReasonPhrase" + AC_EXTRACONFIG_YAMLPATH="migration.xmlFiles.serverXml.access.extraConfig" + RT_PORT_YAMLPATH="migration.xmlFiles.serverXml.artifactory.port" + RT_MAXTHREADS_YAMLPATH="migration.xmlFiles.serverXml.artifactory.maxThreads" + RT_SENDREASONPHRASE_YAMLPATH='migration.xmlFiles.serverXml.artifactory.sendReasonPhrase' + RT_RELAXEDPATHCHARS_YAMLPATH='migration.xmlFiles.serverXml.artifactory.relaxedPathChars' + RT_RELAXEDQUERYCHARS_YAMLPATH='migration.xmlFiles.serverXml.artifactory.relaxedQueryChars' + RT_EXTRACONFIG_YAMLPATH="migration.xmlFiles.serverXml.artifactory.extraConfig" + ROUTER_PORT_YAMLPATH="migration.xmlFiles.serverXml.router.port" + EXTRA_CONFIG_YAMLPATH="migration.xmlFiles.serverXml.extra.config" + EXTRA_LISTENER_CONFIG_YAMLPATH="migration.xmlFiles.serverXml.extra.listener" + RT_TOMCAT_HTTPSCONNECTOR_ENABLED="artifactory.tomcat.httpsConnector.enabled" + + retrieveYamlValue "migration.xmlFiles" "xmlFiles" "Skip" + xmlFiles="${YAML_VALUE}" + if [[ -z "${xmlFiles}" ]]; then + return + fi + bannerSection "PROCESSING MIGRATION OF XML FILES" + retrieveYamlValue "migration.xmlFiles.serverXml.fileName" "fileName" "Warning" + fileName="${YAML_VALUE}" + if [[ -z "${fileName}" ]]; then + return + fi + bannerSubSection "Processing Migration of $fileName" + retrieveYamlValue "migration.xmlFiles.serverXml.filePath" "filePath" "Warning" + filePath="${YAML_VALUE}" + if [[ -z "${filePath}" ]]; then + return + fi + # prepend NEW_DATA_DIR only if filePath is relative path + sourceFilePath=$(prependDir "${filePath}" "${NEW_DATA_DIR}/${filePath}") + if [[ "$(checkFileExists "${sourceFilePath}/${fileName}")" == "true" ]]; then + logger "File [${fileName}] is found in path [${sourceFilePath}]" + local connectorCount=$(getXmlConnectorCount "${sourceFilePath}" "${fileName}") + if [[ "${connectorCount}" == "0" ]]; then + logger "No connectors found in the [${filePath}/${fileName}],skipping migration of xml configuration" + return + fi + local listenerCount=$(getTomcatServerListenersCount "${sourceFilePath}" "${fileName}") + xmlMigrateOperation "${sourceFilePath}" "${fileName}" "${connectorCount}" "${listenerCount}" + else + logger "File [${fileName}] is not found in path [${sourceFilePath}] to migrate" + fi +} + +compareArtifactoryUser () { + local property="$1" + local oldPropertyValue="$2" + local newPropertyValue="$3" + local yamlPath="$4" + local sourceFile="$5" + + if [[ "${oldPropertyValue}" != "${newPropertyValue}" ]]; then + setSystemValue "${yamlPath}" "${oldPropertyValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${yamlPath}] with value of the property [${property}] in system.yaml" + else + logger "No change in property [${property}] value in [${sourceFile}] to migrate" + fi +} + +migrateReplicator () { + local property="$1" + local oldPropertyValue="$2" + local yamlPath="$3" + + setSystemValue "${yamlPath}" "${oldPropertyValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${yamlPath}] with value of the property [${property}] in system.yaml" +} + +compareJavaOptions () { + local property="$1" + local oldPropertyValue="$2" + local newPropertyValue="$3" + local yamlPath="$4" + local sourceFile="$5" + local oldJavaOption= + local newJavaOption= + local extraJavaOption= + local check=false + local success=true + local status=true + + oldJavaOption=$(echo "${oldPropertyValue}" | awk 'BEGIN{FS=OFS="\""}{for(i=2;i.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }} +{{ tpl (include "artifactory.nginx.hosts" .) . }}; + +if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; +} +set $host_port {{ .Values.nginx.https.externalPort }}; +if ( $scheme = "http" ) { + set $host_port {{ .Values.nginx.http.externalPort }}; +} +## Application specific logs +## access_log /var/log/nginx/artifactory-access.log timing; +## error_log /var/log/nginx/artifactory-error.log; +rewrite ^/artifactory/?$ / redirect; +if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; +} +chunked_transfer_encoding on; +client_max_body_size 0; + +location / { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + proxy_pass {{ include "artifactory-ha.scheme" . }}://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/; + {{- if .Values.nginx.service.ssloffload}} + {{- if .Values.nginx.service.ssloffloadForceHttps}} + proxy_set_header X-JFrog-Override-Base-Url https://$host; + proxy_set_header X-Forwarded-Proto https; + {{- else }} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + {{- end }} + {{- else if or (eq (int .Values.nginx.https.internalPort) 80) (eq (int .Values.nginx.https.externalPort) 443)}} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + {{- else }} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$host_port; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + {{- end }} + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + {{- if .Values.nginx.disableProxyBuffering}} + proxy_http_version 1.1; + proxy_request_buffering off; + proxy_buffering off; + {{- end }} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + location /artifactory/ { + {{- if .Values.rtfs.enabled }} + if ($request_uri ~ ^/artifactory/service/rtfs/(.*)$ ) { + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/artifactory/service/rtfs/$1; + break; + } + {{- end }} + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; + } + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; + } + location /pipelines/ { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + {{- if .Values.router.tlsEnabled }} + proxy_pass https://{{ include "artifactory-ha.fullname" . }}:{{ .Values.router.internalPort }}; + {{- else }} + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.router.internalPort }}; + {{- end }} + } +} +} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/files/nginx-main-conf.yaml b/charts/jfrog/artifactory-ha/107.104.6/files/nginx-main-conf.yaml new file mode 100644 index 000000000..78cecea6a --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/files/nginx-main-conf.yaml @@ -0,0 +1,83 @@ +# Main Nginx configuration file +worker_processes 4; + +{{- if .Values.nginx.logs.stderr }} +error_log stderr {{ .Values.nginx.logs.level }}; +{{- else -}} +error_log {{ .Values.nginx.persistence.mountPath }}/logs/error.log {{ .Values.nginx.logs.level }}; +{{- end }} +pid /var/run/nginx.pid; + +{{- if .Values.artifactory.ssh.enabled }} +## SSH Server Configuration +stream { + server { + {{- if .Values.nginx.singleStackIPv6Cluster }} + listen [::]:{{ .Values.nginx.ssh.internalPort }}; + {{- else -}} + listen {{ .Values.nginx.ssh.internalPort }}; + {{- end }} + proxy_pass {{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.ssh.externalPort }}; + } +} +{{- end }} + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + variables_hash_max_size 1024; + variables_hash_bucket_size 64; + server_names_hash_max_size 4096; + server_names_hash_bucket_size 128; + types_hash_max_size 2048; + types_hash_bucket_size 64; + proxy_read_timeout 2400s; + client_header_timeout 2400s; + client_body_timeout 2400s; + proxy_connect_timeout 75s; + proxy_send_timeout 2400s; + proxy_buffer_size 128k; + proxy_buffers 40 128k; + proxy_busy_buffers_size 128k; + proxy_temp_file_write_size 250m; + proxy_http_version 1.1; + client_body_buffer_size 128k; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + log_format timing 'ip = $remote_addr ' + 'user = \"$remote_user\" ' + 'local_time = \"$time_local\" ' + 'host = $host ' + 'request = \"$request\" ' + 'status = $status ' + 'bytes = $body_bytes_sent ' + 'upstream = \"$upstream_addr\" ' + 'upstream_time = $upstream_response_time ' + 'request_time = $request_time ' + 'referer = \"$http_referer\" ' + 'UA = \"$http_user_agent\"'; + + {{- if .Values.nginx.logs.stdout }} + access_log /dev/stdout timing; + {{- else -}} + access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing; + {{- end }} + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; + +} diff --git a/charts/jfrog/artifactory-ha/107.104.6/files/system.yaml b/charts/jfrog/artifactory-ha/107.104.6/files/system.yaml new file mode 100644 index 000000000..900306ebc --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/files/system.yaml @@ -0,0 +1,192 @@ +router: + serviceRegistry: + insecure: {{ .Values.router.serviceRegistry.insecure }} +shared: +{{- if .Values.artifactory.coldStorage.enabled }} + jfrogColdStorage: + coldInstanceEnabled: true +{{- end }} +{{- if .Values.artifactory.worker.enabled }} + featureToggler: + worker: true +{{- end }} +{{- with include "artifactory.metrics" . }} + {{- . | nindent 2 }} +{{- end }} + logging: + consoleLog: + enabled: {{ .Values.artifactory.consoleLog }} + extraJavaOpts: > + -Dartifactory.graceful.shutdown.max.request.duration.millis={{ mul .Values.artifactory.terminationGracePeriodSeconds 1000 }} + -Dartifactory.access.client.max.connections={{ .Values.access.tomcat.connector.maxThreads }} +{{- if .Values.artifactory.worker.enabled }} + -Dartifactory.workers.addon.support=true +{{- end }} + {{- with .Values.artifactory.primary.javaOpts }} + {{- if .corePoolSize }} + -Dartifactory.async.corePoolSize={{ .corePoolSize }} + {{- end }} + {{- if .xms }} + -Xms{{ .xms }} + {{- end }} + {{- if .xmx }} + -Xmx{{ .xmx }} + {{- end }} + {{- if .jmx.enabled }} + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} + {{- if .jmx.host }} + -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} + {{- else }} + -Djava.rmi.server.hostname={{ template "artifactory-ha.fullname" $ }} + {{- end }} + {{- if .jmx.authenticate }} + -Dcom.sun.management.jmxremote.authenticate=true + -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} + -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} + {{- else }} + -Dcom.sun.management.jmxremote.authenticate=false + {{- end }} + {{- end }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} + database: + allowNonPostgresql: {{ .Values.database.allowNonPostgresql }} + {{- if .Values.postgresql.enabled }} + type: postgresql + url: "jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}" + host: "" + driver: org.postgresql.Driver + username: "{{ .Values.postgresql.postgresqlUsername }}" + {{ else }} + type: "{{ .Values.database.type }}" + driver: "{{ .Values.database.driver }}" + {{- end }} +artifactory: +{{- if or .Values.artifactory.haDataDir.enabled .Values.artifactory.haBackupDir.enabled }} + node: + {{- if .Values.artifactory.haDataDir.path }} + haDataDir: {{ .Values.artifactory.haDataDir.path }} + {{- end }} + {{- if .Values.artifactory.haBackupDir.path }} + haBackupDir: {{ .Values.artifactory.haBackupDir.path }} + {{- end }} +{{- end }} + database: + maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} + tomcat: + maintenanceConnector: + port: {{ .Values.artifactory.tomcat.maintenanceConnector.port }} + connector: + maxThreads: {{ .Values.artifactory.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.artifactory.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.artifactory.tomcat.connector.extraConfig }} +frontend: + session: + timeMinutes: {{ .Values.frontend.session.timeoutMinutes | quote }} +access: + runOnArtifactoryTomcat: {{ .Values.access.runOnArtifactoryTomcat | default false }} + database: + maxOpenConnections: {{ .Values.access.database.maxOpenConnections }} + {{- if not (.Values.access.runOnArtifactoryTomcat | default false) }} + extraJavaOpts: > + {{- if .Values.splitServicesToContainers }} + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=70 + {{- end }} + {{- with .Values.access.javaOpts }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} + {{- end }} + tomcat: + connector: + maxThreads: {{ .Values.access.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.access.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.access.tomcat.connector.extraConfig }} + {{- if .Values.access.database.enabled }} + type: "{{ .Values.access.database.type }}" + url: "{{ .Values.access.database.url }}" + driver: "{{ .Values.access.database.driver }}" + username: "{{ .Values.access.database.user }}" + password: "{{ .Values.access.database.password }}" + {{- end }} +{{- if .Values.artifactory.worker.enabled }} + worker: + enabled: true +{{- end }} +{{- if .Values.mc.enabled }} +mc: + enabled: true + database: + maxOpenConnections: {{ .Values.mc.database.maxOpenConnections }} + idgenerator: + maxOpenConnections: {{ .Values.mc.idgenerator.maxOpenConnections }} + tomcat: + connector: + maxThreads: {{ .Values.mc.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.mc.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.mc.tomcat.connector.extraConfig }} +{{- end }} +metadata: + database: + maxOpenConnections: {{ .Values.metadata.database.maxOpenConnections }} +{{- if and .Values.jfconnect.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} +jfconnect: + enabled: true +{{- else }} +jfconnect: + enabled: false +jfconnect_service: + enabled: false +{{- end }} + +onemodel: + enabled: {{ .Values.onemodel.enabled | default true }} + {{- if .Values.onemodel.apolloYaml }} + apolloYaml: +{{ toYaml .Values.onemodel.apolloYaml | nindent 6 }} + {{- end}} +{{- if and .Values.rtfs.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} +rtfs: + enabled: true +{{- else }} +rtfs: + enabled: false +{{- end }} +{{- if .Values.topology.enabled }} +topology: + enabled: {{ .Values.topology.enabled }} + database: + maxOpenConnections: {{ .Values.topology.database.maxOpenConnections }} + port: {{ .Values.topology.internalPort }} + extraJavaOpts: > + {{- if .Values.splitServicesToContainers }} + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=70 + {{- end }} + {{- with .Values.topology.javaOpts }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} +{{- else }} +topology: + enabled: {{ .Values.topology.enabled }} +{{- end }} +{{- if .Values.event.webhooks }} +event: + webhooks: {{ toYaml .Values.event.webhooks | nindent 6 }} +{{- end }} +{{- if .Values.evidence.enabled }} +evidence: + enabled: true +{{- else }} +evidence: + enabled: false +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/logo/artifactory-logo.png b/charts/jfrog/artifactory-ha/107.104.6/logo/artifactory-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..fe6c23c5a7f87edaf49f883ffa99d875073e2285 GIT binary patch literal 82419 zcmeEu_ghri(zUjr(D-PRRRmf@LCGSLp;Zu&EGjt&2qIB(#vYX@K~O<57!VPVoP&~8 za#C_oa#AEp_-Z%Ky>q|&{t5Sod1eMU=j>CvcGap?t4@HLiX8R`cGs?5SOs~RE4y~> z{R{m=fq|cdkh!+QzbNhGwH7qG?EbRjWh(35t}4ga+$_{AeC&MH|I?!WK*&sE$M5&b`&jJMx?v#>sZ{GTuP=jz1$9Q*!{C(H0A z?q?Lu+V%fg1YPua_}l;SWMVz}<6$-qhJP;Rk3H|6i9Py%JQ-JX_l(}RYRvy(5;fn5 zJ^#m(*%;M)gJQLI{r~#}%lT+$|9?FBf1B}N?(@IR_z!RY-^uu|v;4m>^&g?B#(!j>|0VGMf*k)#;Qx_$|A(gj3;+EO+Wtr4{ZD9%Prz_QhqAsNELo{;y5`4_ zuw}cRaYw`D`u*)%tMxjL=|SvvS;6`f%}9x*C7+7z+Y_TX`wS;4-qZTnuUB}S+?=`4 zd%rs&{&!j?(|&2scVl_&Ss#VB7af0Tm(=<6zw~k{xyUgct@_O&LC}j>q;G zQ}1lmB*QHmORQ{~liX9j0b%jSxwY1tXRj6x=x;`<&ANNPuSz02XSL3gbfwE@#>M8) zVsOW%uulwsZ_7jVR8*{#_psMK@K?UEPVjrr`*pk1_j%ff1>GK@3R@dppcchtQ7xl_LCaX-Q;UdQu#U0QJd zomQWIOq-8iZEx=^R{tbN_Bx<h$H%tUZMh6q zyI-w*=r-zRF>p>S7i$V&2>N5Ru(MEDy=e5``cuTn(o(Qm>v|g*tg75x9heBBV)Zf| zo2`gicz%?jhDPXH$w`ClFQ3o*82tM3JIyfe-R7q!`xsfoiYjhtWE}gGR0w}TB}F44 zT6}58NRCQ)&r0j&0A|JI=G4BQ4TG9nqMpUGni}p)ycOK)-#Oxn{415eYxW5*y&4}o z=waSj|0X?wr(e3D*haJN=MeoRc+31$~)278*# zd0jl&-{SE31mme6tJf}*+i*_{IQ|Sydc8h36`3-}J?QADd{MEi>~A~}W&kh$t0^v? z7P$;jkK%r^t}DTOb$Mhmxi|5Lw33CoLO~E4zw5|Sb5n`5=O@>XA=zqC;$N>s2K86s zDM>aXD#5C58Xv*_MOu}qY+`y#ewo?muQ-!IgQYe>hk53+TgAy8HfO_c5bbh`+8-2Y zmvGETl%L=#`RmRfvmd5Y^ZhjR;s_0Chvgp;zyns5Gzyu&7)DC3EIi!pbvom--TV3$ zW88%9k90Y+{rgpKVGVT$?5*@2bTtB<_v!!fz-*qx{gJb4LSm%N2ooVLoM?wFdSbh^ zz!${oV>Hz$`N_RnEt;CG08{pn*UL_)0uJG|qVJ=5evxZ5mLnk)VlpHH{bYwbrF=bi zopdKPEOFsbyR{Hgt?h5N#~0?}+QbW%@OxDMBDhA^?P*^x&zkw#AYN-FU7kuOem`nw z%Lv}!2|vYGE~$|2m`p3u@pZOx~-_9clb$?Uk!ttFm)N+{kG=I!4C%sv?bhAVAqSrT`HKCJ| zGmixFIZL(qpP$-wm0BGz{frcy<92mbpUeH zLy#i-5S(?6S)aDt?#Sr_!cPoaH%A^YP?)OXAAkEm%kqIyvnuEA;vFOY%R8%1)CI1g ze`L{YX9)ttJxiStE)Ulhlk4_A{B5utc=D1AUX0kAmf_|0V-!O6Q45i%tg63;|Jc8V z27=Mk7tW;MM9?8u$?xEK9si>%aNJL2?y&x&3!lh-9=99ph#4>tvTxYRJfh3g=C0Rb zyYqBB296wsnvep?A=>co(wwIwnFcre-->%g8a_=}_kTp=uYvbW`W+y;^4NOoU9pY% zkr3><{LYz`;R04CJ+o`))sx9|dZHs)qlDeRQ@N;aSj5&)WKrNK63%(KEPYBlz+=Oc zdvfYsqTnCfTfvKGsZ;HE_vMpn?XIR%O+UvOH(uF(zxL)B8O7u4iQ8XnD{?1X+FgRv ztlymadj7o8AFI*9#V^$uBS?q5nhh5}u=>@vHMFVp`FND#WnC9s+%BR6DdKo8>kpR< zmsl3m*vsSY?}RGOER-fV2(F~NsW}oMEBVcrW8+sN9Qb~hUARj)L+&lQ=6kTaJZtSs zPckd+?4LJgmjiN5)FFw3^b(2FmUV~wC7E`&9f2kWtf8ClCj3`K6)Om z+TI8M`V%6q0Bslfld{7L8LHloP_)geGW)gR>U?)9Ok~meYpOCTL+tMHz zf9JX@a9u?EZ8g$$HpJ&xztj1izhVv-+)Onv;wGbz;aDiqb_p3=uKDrGWKwE*Qj!!v z>WjfXUFKg_k#X^o80GZf9OqDPWGxH>*BL8F(Db0E(R+@58g7!Jq#jz#_UNe-(G$bncr=tG;?0HZf6Ij zP%sspzod-LLICcyg~XNowJJN8lqkN|2geC`4$ML2ioDy?<^a7oM#55dLLYtwJhw=7 zH;D3~&b=OKhD9bDPA5w7jM2M@eb_$H;fk#y=Z>v)Np;rg+&|DLR+Dge zu9Vw=orH{P=qL&l6UsbB7QWtd@c3anL`K0bmk38E9x&coXM2yQNJf;LyEO^C5trdj zdxW#eNo$zMt|YEcLCSFU=*(*1L2EfiwA=Ga_P3d&`21G6X^UOMfmEhD(cy}c%PuGTFv|F9 z?(Ly->4rKPSxe|7F;lym)>evooXlg;S#(ko)*-zU?j`un zsc3mL?bZwD?FvzxV`J4YW?)gdQz@Zwe+b&S5n3Rgn|0Vpr|My4el#|d$7}u7Pp&KO z`sux}?1{&fjr4<_4r{C~-8P>--{>Rkm{S34a`^)M>UVZ(p1_ZNw#++D(g3MNvCDG;i=M`=jPKhuSCwbmC$?OoUv98;34UmL#mK00 zMS5^yg|@LS!nv=Db?1p%@Wg7B;1J|KgaGp8?s+%MnneVfzAfdPho2^LVm41_dIPjP zj@_r|S>7U~)5LKncopQ(QFR%|T2Y@QL# zk{o!RcZ;;g_?vL3PQ~!|Bh*EdC%?|BLt{gTU!yYH1Fu4$!vM&Vs2Cbnmg|;rPwWyQ zIkJ2v?40|!N;5k3iMKEhG#-$5wzI~$$_OKJkbR(iDXErsD}@tFdKF(V|CzJT zd|@S!_Ze?-sCihjYxC!wkPMY6iAL%jmZ{aa!DP5Il2Zu&5 zNxOu-x(kycY#**)xcVEGU!PM6fUT)t{DkMk>PVew#SV0I!vO}Z;$|Wtqzyjew#MCF zQRj(o@owe(=bXXL)u%`yv`0`|V9qBlc;g=Ote+eZuq#A`jo}ZzY2oRHUd_JU`2LM) zq;!>zRAi`7^-1S7$4W-fjoN#%oO48frw>-2KWwyt788IX(o|F6u?V`M@}#54o^4oE z3Vbc$V8B|7itavqlJs7yIuKASvC<^3I!AtCx6Q|pGvtMB22Mc$FNry1A9C)P&BiAl zifq)#R7d8kBnR{H?i#&`oJ78YusYEGwttj;R?4ZZXQ0iz- z9mXY~HxuJVP!g&w<9C|=TnZ}>wc&vF;o{=^U(A7sfi)W|MTN7Bw$7Y_<*?eNIsfjs9dM74K zMXYDlh*!>{Ysgs=9+yu7D_}X4BjNX9dx&;Sg%E2af)!<+!zQ599v`=Im#Ox z+JG|n^Qn}UU9it#0>t&F#ZU*&=zD8-bX)b1{E?fo@2Yo=ba%*YE9?3%7Oi$9Pf>(r zX-6xY9D`*QlVek`0Q36{oUEVnQU#-YMK(fLXgRVp?7MeTig}8JcuXOk^OiVRnxe-( zsRVaMfh#uhHi>T`Tqlo@a&RduI{!xHo)`qC-IyX2PHN6FvBT}cxz&0dtva%)0UXs& zbtc{+x!ne4cx>-5!#<}*j&RSt9m2?^>SN%I2F&_gkpb|;3rXp>d&d#t-1;O)O)}a+ z%pS%Z}l6-^hS?JjR)-X)|=ps z#P?L~ z>Ng^k8z)5>P25QleT~i)KtWwh2>s^Sl=GxZS~9=@B{Jto`#p!fFDLM@f4u>Y+4!P+ z^J~)TEWpw91>NMdT~uuccF>mCsl@%=3j8r7zvm#A2s~!Nn6Q2kEh~jwqBtoc#c}6% zE`Y3xxh6JAt2;(~)paS<*e;#4VG0Z)n-jiI^Pf`1eJb54*aJD?gvlr=lY*%aS=Uhm zG05Ty<-giUn}xU28QMzqg5q;A!67OExz=66S@5ma!rSPTMHz10O5N@aWORSJWaqSF z#5T5;w3#+Qb6tI1k4I?>lSoVcx8{JTNBLHy&}gAL;l=l4MQQZHcPk-;Mz>jRKB6xY zyTind_OKdWm@y?^3*MtXo8YC`|N7?frqZY%f}{dn2_A1PP7;nOhkjAiYN~)Cdv;?{l`(^M)_4XuGcFI2^xk>Q$4R^jQC|}U; z_4M$43y$C4%bpUKoaQB6aSg6W6?|@puE-~>I#x1$iZ5Gz88nEn;V$BSiu>k1ekCbC5G|zz>fQ# zImQ2O>i1$=iqmh?w4KKW!RazE>k$FJYSAV}@Hp}Dxv@oPD(@xbU9v#Vg|VN~=km@u zFH2aGa$G%%$Okz3!_XDwDDL?w6({*eaz-PFup4uj!4){Q;q#Yf6AZ1-qo1rXK;T>1 zU_xQDiJC&ygtK?!1~5B`_l=rM5uBdqD^@L`#+Sv1of83}R<6tHvB4BjN*0colE zb6Mtu=E)=MVdlj1qdp?8BdRPhLK8o}-ZM1VSWQ!mN33$fTc7D)KEU2QE6!otD7ZEF z7PxkwO+%;tj6F*p;!A@AwBi-s9;-J1w72v4jf;9S&jFOZf1ngNjwHd*&!v)%Gs|x* z7bV1NRbW+o+@3Eoin;=KsLX#T-FWcul%~O5zA3F_{WMg7xEEZP~x4IgmyEam3|c14vxDCzQFwJ+1yrks3=QpNIVC z0{K*Grmye8M-L7@elXJU@g7wH>!9O{VWSH!WBw&h6W_|yg_vOB!VoNXQL?`Eux|=W zitt!YEj-gno4yDk83iM?Xg<0gwt-VZq*!_iN+rdw_b1WG4CKX0VQ9-^uK(h~!80Eb zDn6$9DOa5Ee8S!Fybg#^&!bizjkQpV1eKTEEPOwzT$j(H%UVt;ZZn-SpYHvAjr^cA zf4c2ppzTXetm6|xD@v29HfhU;rTPvZfhQCnhrrD&IS;UhFhxE#7uVx6QxN1moOB)& zKws!I#4QEw9xacIjcujH$TCu_ zc&@tk$CM{VkKc>Wf&)Bc2>~hd)CP(OM=9^m*WXthOg6N*6-KZi|G?3Iq1F1=$88Nq zU9Ver(vx-FLvAPW7mN)31!Qe3@8|w2ZcY{s3XbT;F3)~N-u-nn;uoU%)gflfo=DRN ze_+3k*PC{qxY3%Kc~*;txbU`(dXZ&gyhnX;S%u0)RB1*f#Y7+X#lv{KuT0}Z|9X6! zi_hv+69pP2HB1eCp~D9sYmw}1s*-yJq&#JYN-M!9dr^_Mj4)7w?dtE~cz>}mrkb+s zHXSR>iqg8aYuJa1b7cjl+eZ_)EPN80TNs8}9DoSJ%Dr1y@Plp$tL{finZ!Z_7^n>E znp!d}I8pp<5d~{BxqU^=sY&|R)^FCTN`D7=h$aa^K)i1rB_(PuUs&SfN|sWr>mDjC zJHPhG_aa292Xfg561*bEvo4h}-L9Cx4Bt7yp*s~=Zg`6XV8i(!;%$hwT?Bj3oi}Q4 z6}so;UF|n?g$XZ>rMqW5;%sj@%=0XV&! zWWFlpcj|sLY7dGBhobP)1Tjlox4Hs?T$m&gI$ncUy=Cb%se9Pf=!gb4Bc;xm7_FMN z1LT?Zy1?#Hm*^_z2>AG~sY%<+BWu%>n^m-@gTj-K9K$^ztm4O^_c7WpEwht#LF@O# z6>}fpDB%U-$%aRdsq0CA;|Y^run>{RSb-X!8+fOrCDRw;f7Lp0;ocMntu%W3ETy3U z)fbT#qcA;7mW*2kB%wo0>Wy7;oZk+lcE&Cca^M4Gzb9s@TztYPo4qH;LT zQ^s}KCMEo9Eg2gPMe}yQyVa(4z*GYAhcHR-hndDyYB-ET9rvvb*VnJfXkLz;!S2s#HV{%lINC3%<^ z+;NWSHcB6qG`B1)-5?>T>#=}g<;XrT7fR_%i%C2aKJW1$12+)`9mD*s`aslA`0`6v zEPOT}wyLru&G5j%?OCm+o0<8$t{jFI!8&&o|OM zuD75C2E-WO<5&ZZFkYgaZ6jrGg{Skt=J1}&j0)ZrY;fE8iX%F`S0gg?FWDme22kXq z9rOL{!|;f3-gnTjGgMktr|aI+!)|9lgqAPO+$ux7Lk|GLU;P)iDIBliB@|6t%fCK< z8Vtuaw7KNC>mw+yhBF@YhT2Zu?r~>@J5jKsiloTlxj9&4qOh_f?z>brb^Dj!}n?pXP?Ced)09wy!6lTbrpL* z=5QGVNLj;8%P_RTuWYw_ei;-#^E$mk8+TIeDp8Un-_JN#w?5A4@j`Pl)vu!t4Jp&x z*E_y-l8WcYTEGcZ)8Y{zEItlB;h#loRe|Mm-FRXxGVzaHBFnf)vRYM;fuk2ETYGmUFFjOQBa#_jiK$p9{|S@ zd0Ye74e}9ycfng52aoIjvXt<{B)wyj>Y+VdD%-4urKt}9;OgDY_|9g`UeCl#J5S@{_2nNk>B$`flE9nkKfUiZXC}r?ErtM_l32c z8*7EFt$zSWcM;+r>k^IO?`Mn?`rc~^3=+8jmbxxj@-82}#~!weXtyh&#APaHaqi&F z$DdhE_w(N-wsIK)-*y6@=|njtO~Se*IEecDHvvIZKqg!`j%v z{_zs_l6Q$@Dpb%i`}Mun#ZRSNpjVFRd63S~v!azatJEA_QZAl?)N@7nrkD~U1>Q_M zZ`%LFs%K8-C0rxw)_Jcq()(aTm+D8GOg@u^pME!2|8v`5+0XllrukC6i5{eninm9l z-0-QC8K_|Rk0P^ynxZqp?qKF?&BdPPctW!P=qox~px=BJN(YXFrTe>xg5=PV1Cs97 zjqw>~;^<*@*S-FADe*-Y*Pemt8$fEHxOH^$7!>dfTBWwm09|Twq8U#JlKM6MoqT== z)yLe&1za(yG!&tyS;~IaKvyT?*`7zl>f<>3lM;K`uQg=kpgqWgJ;+EI9HPX@7goNQ z-F6n7cjYxXL;F4J**&wFBi(S`7y7y+A^ULQq)NnqB=R%gU;p`h1Hl+qn7R=N%y*pd z^HNeHOaY;?o`(~tklB(O8g;U*edo-`1_yijiY@QHzy)U?!`a9!thbp%KjT@j z$zydHo|c@qa$m;|<~-WC1n`__1?lLfhj(zuF5*>eE`tu_OvesI=UMZM_`c*4ARB<^ zO8x8f#IU?dqEPgRhr9GZV;Hi!|}bdH2)9)|ma zoQ_=qVL}DJ@xVQ<1H2+!J{u80)ML4OgvBN9oamI}i3^n*0=QPpcmCu-3=|%Oe?t)h z1KI5(p@k>ZBp6Rm2Dd@Ttw?vhF&_}8UGHiFkyH>f{45H>;(~JLFP6&D$u(%FRE=|r zM`-7hh_hAjtdSfB)U9D;e4WuNYTDL3s{K4D{1U|3OxB!9R^ANWa@I8-;I)t1iY>4C z7VLxK^hl`5`q9uzFAZBUM|+>K6><`beFV6IHWABpaMQiy9~zhD5Bcazq&cWx;lRcF ztarvYSkJ9Syw@KLqi|GDe3^c8EaNn5qDub{iTne8&}i#(WL)931q=Y>;YU05soOEI zDrQ!EL=zg7? zW1$`o1OQ{=-@~0KnpR<(a!c!8Cb!NB5Y#}rl%347lU5z z78w+_k*d7ao*+bWyfv>VS9(Hu5DaUI`Ro?^A=7o3jm|8!~|x#b&!8t- z#0A&BpN-pAx2->~9Jm4OnaqinmMhy3w`?^YGA#yI$5V{VXvzD&zM@=$?$ROvcL@>w zilBll4JTdCB_3Al@o3$*rr7;QeDrIchSCiM=9*ae?ji!R~3H5WQPpL#5 zL#>QeW|X#NxPiG5c!yGvoi9N*X%?!RAcs7j>lpIA;ELa$h63re1 zH`c>6Qwg}7+7Nwb_Xg+ofs#~wk3&=tPYCRW)!~SU&;Zp|fLkh$UNYI1?d~~R@c!pVe`3%%V#^k#hx6QZ}=3%dXTj(RA`or zgm^Vl9uJ!$tri<2MNK3k_P6Ns{S`pDf8TBN?3sjBfM84e?q%^b|scDdk6wZ1?C?hf^V9cj5_O*I5>8 zVFfExcF|xV@rXcP9QYpjWaC}xo*z`G31!#*kmglF3*7D>?5h7Yyyx^ds8;GK-Y{h4 zVt|=-b!yPqH{o5&xw0304(!7VY^BTjBNfQ9k>o08Sr5`bTkURPdwO{& zBcQwai%^E$o0jjfKTso){c@t(t(a1i&xt>}pG*~=w%NdhHnSYHdG+YEM8{$H15@w^ zUJr-cGO#MG#Ehclq{)KX3U`Jqc7$9uA#i#{rc`^xEr3TK$IWFdv=&zk=>2F6KWaoC zY-j`k&+{a2beuvOEc{=5Gtn5^QP3d?#ni^M8TBaR#5L#1*WZsr$fpw|<^lyp{6-0> zeF!*}dF`&_TgTJ=!B_(0EIzuI2Mk`z!Lt6Xb9k(W_k1#%rG0P2P$1|~MP<8#&v()N zCk96y;XWedBqAdB(Dsk()vM(3>$hKfX1VFmUfJkL8)V~+P!F|lI;?XMogokUF zHZ-XO!V=F6=t^W^Plg zH!VJllen-H%rU+{z~>3KF@&=@`2_1jvwJWBJxh)d5LU@QB*aPS{jLR>U$q+<1D7`u zl!?W8Ek}I*3V;Ov&$KK;c0qp(@KSAs6oY^Yk&!{l{$06Ph$ju|H(KBzt1Zox?i-Of z5JX==5LwBi?`aDQMFOFJ=mUwS*xcN_!UF-@AMj27D=L#^KZib;zDh6v{FRuCfdZZd zv|=Km4aPOx{PsWWo)ost-Asn}Kr!y2@@o(~;nE1J*|mTa=@$ReD*QsW9=hoaIKt}$ zM_1fsekhhs;^y#>Kr2?#SFc;`Gbb7|P&7C2tSagCI4fu=eMr4<#$K5Z+1Lga z)ub zyA}pEGa?j>LJCE%_|QU;@ZfZcatbAmGrbZdyn$}RTzdO4P)nQq{-OL*nFlpb!mvbW zdhd_%R^0DrbIh3G^_QRO=dN_18cXdoyvvn_An-dK^3w&LM;F623ty9iVO2WwoBMsl z(tp1|z9dhy+t<19IHvrGrmWZgZtqwOM4&TH=CW*pDk;b&sDN?&9AQ9%55o~H#JN1y zlN+OKtBXcL#kwE^h)${Rr~LZf@gDHml=tO?B|!Y~I`msls79jZ*Ox%D+~mE6MRmr% z8vw!bvNpEjYWEd z11`Hh-^xG2fN}+tctJSLb~xgf@Z4vs>;;=T)3sVD_k;9l;eG9A_7udn<7F`b6OL*v zZBB$N=!9q(RTf%0ciJecuTP$an}p+`fWNQZvJXQ>!-IPo1rn>1O-|@GrTM=mi^qCo zIAWXN2;kc>&~(}a)}fVoJnv{qCEv-73Bu-p635&3=!DdR>&ou!JPPF|Eyc>yawx(_ z^;!ezA60@F#xQ$3?cw(nqzA;m!~pqL0%9O)<^>_96lkCbgCIr0f@SI)EN29bI}Yl} zV92fOHs){}GP{ZhFh``z>z2hj+a==*@Bi_^iC2 z09H>$=R2QImQ&YYbX0u4}OOd?S<>H11%3rLT6qdT#kM?!zVE z%!yQ3&MN(|T8LNmF_p`sF%oZinr^z^F)1ru{Q)f&H$|OM#BX0GpNh6jFkG;^(@dum zqzp=)gHZh56cP<+f29d>c%c1Ui~MH{sE4EnAG-&`L)Pelw3+W?5=A}O z3#T~7PNdrPGXetjI%u3jg{m1%4A6#msJiD82&1;cKvsS~t&V*Pmomb^DJcwv_Fvc? zB4uy+Lm$c0#=_*@fUiKlBp4sFrv3*Ct-3RML#NFu4S!eyrd#0|bFo zpnS6z`{Ap6mw?mqHuBEQRx~kqi0xJ;x@cDP>D+pPFcm&bm1xKJmvH2ER!j1CS`4P@)lynU zuhSU&I-(!Qev)Jy5GY(0zm3e^!Gd;3)k{%7KBDUj>@E)NEgxUAm5hmHH)b4L zn*FUoL^Iad2~fVW8E~5p9IZPtzMN z2wS2Ku|~TEKWYXWwU%omNq$iaUD_v%YSZB>y^b>@v{R@{3+|j-+3I^SwDCyC_lOW- zC}B%BvSCI<5j8}p_rXq=}p;vu$kFt!t$rjRAZ^@nJjT|eqU>Qdqg-&KNueJSi$Q+%|^fOlo# z{A^mU*Rbd>rvKdO*i$G4g2Euw?bIo~6f&FCQuoQNBJ-x`1mrJw33tfHX5+dFMs(xE zB)^K75%;|s=xcG$E?mqIf;+LJ&3?9+tO<3OCTOabVQ9g`KnB}=ide$2r$5eO z9+C%m_$;NBXueI$Dy#Dp`_0iPas#bZ`QfWcWzT-0mi7w+xYLrxEf569Y7PMatS$AV z%h14tHXi*(+&`|Y&j&dfX&8r-uvM=H+fp^21e-7*PghqeL&BvnPQYI>%6?4%>5dXX zyeska*w{;lln=pr5~W4ysUi{S^rU@i5g;z))k!z`yw>30W~w`dW9fbeI6Or86;M6@ zEFVCL1u`vY-g7ivd#=UINb$W@wR?N^g2T8I=|;Fz=wB=kOlgXF_hjGvj49C6_kb?% z3(-WRNqCF|c)42u-_=Y((NcS(eZ8jClrG~Q2BskdELT?9REx&YVL}D>$@xRH@$LQZ zBO)7(8CGZC8UhC>F8cBuO1rlqyj&5yCU*HQv``?ZD18o+9Tww+u4v&@%Seb)GD&B5 zm(YQMKKCTJ#6Hy<=Yq6{`a69B#C9X$Gw}-2m|QjhL>|b;?_}=w`I8LX!EXFM>%2&L z(W*wqj&h{s8bZnUGYQTMGG;j<&v;9A{bMHD6WFEY3JIAy~)UrRbZz?@@hbD ze;TR7ka)SNGf9h?&K0K7ipOZxl}nv>?z2J`BFyXovtG;+sb9HOi2G8Os8%*+2Y$H= z!^xyUouR^0t;gVG;ukjl@*CA-4D38ljAYo%f0WK5ZCljYNOd5 zEP|b1+6Z`fscPtSGlu3scT|Q`4Rq@wn)i*J)bM?VML_5bS6l9k@zE(Dz2NON{{!(u zRtzbX-RGccF$e84$HM4kFqoq<5JIom=du^I1TPxLiMw*UH8x|*l*qYLdNn;;N8pg z6H{*8Qs5tKfOUc%YmUO^vhl<2ePQs#`@HES7B16G(vLsZG18pv0$f+vuaN|6 zSv6|3e5r!{0S?&mZ<^}|)n_QZ@?XXiX0d(ZFIS*1{v(CxzvEskFsuEFoijx3A4+AY>Hd$+eS$^?pqC;X?-b8Di!Fi-UIOFtuwqVYblCKTuK{dbVmr86+{wkgpdLKYqI1j3sw>g;x@&SS7e7plLgn=2 z^xXnGItjC+H9c z2U**Q_Ll(rJ4lCY(CwLgzX5+1HURt}fUtUK^_|5gulLhmy{=^Lk%r}fM-z*FoI6m4NRW0(D3o$*?3-S+&#jooiWT8 zexQ+Yf#0@-00SUS@CHOlLyC|4gG7(P`#>xKnpQ!c(hIr$Zp=%X*OnPxFuUNa8hy_H zJc^H}t{w45di4y5k4}w^C9qqnMlgpWz&(2ZmgZ1{=*4IqrqLMJM`#gu30KHJ?5jco z(~=YwCQ=Wl?#;!Zi0G5+h$LGCd0E`P8bw4bCcgSn4`B0BnQyyy3AFMDJHPaV#a6eV zAraUC9im;#)j<_&mrY#N-g_JdhV#ycU-loC;XnWlOxv2xvm28|B_X`sEx_=;#N=APZ*$@#_rH!i&%QqPgFiiJK_~u397-=Yc+N8T&MT$-( zqh>uU(+#t4I&GioM#F=qbc4|IiMBNb%bl|-2Dc}u;TcqE6L&f0jeu>a zTO#&>o5>rw%;rNDzEmdCzV!fcfy-Sc)3lFq#Uvds*%eOIrd^n=r;4*KW6480v4b6& zDg1XFpP{*8&Z_Um(b#apX|fOP>a5S)JUX}pXAR|t#sY0KL`%=orzS`2*ku?swVa;! zQt^lyyKaKE?WDv-Aemsu3U1*%g^eYQkbOMobEqm?$$t?G#fjCA@~;7(D4BP}h^h2Z zIp%E;Bbq#VmW=mfKvSY%JvRa4C)!Aq_;cn66Oj%yEJyrQO={kqq#e;CLWYB(iLhj= z)@!5_1N@yr?{+^7QIE&FmC@WIK&2<@`IB(^rwj+c{3ocV`>NN7lKm=PqUAQw+{RjA zly?k>KYGjMZ<$RXDhn91qDmN`^%;oBWHiCKf;i-qDr-Ln0gr?rhhwi^WD64`X6Z@? z+&Fcz+KpVQmtV|@@;PZ-5HVaxI9Hlt#8->w_Zt5~_cAa8>fn74N+mvL3(&~tBCQ0B z4hP;~K3QFafx<@K(S8EBD)e9&^61!x!H8x_DvuL;i69Vgfm5;`QBMKn1PWiyV{P&j zFVykeN(r%o?7p&5xN$7BHH>tVc!DjSH}7nNK2%JNs-KI-`y8?~jd82(fBCgN;c!aTN>m9@OP_XJ6qf~yZC=r0EBd$lCF@^Iz}9QoO} zr%xo#8~`E=3Aolzo!y00VHOf%Mtwp8Z_DnBC=NwN*oq7|a+f`OKEAVvV3;nB1Awyi zHX_@n7LPDwf>o-bNz(*0gT5m1(?IMIY9PH)4SR^e;6m&Pkh|`K?4EK`@z0FBsk{+X z1_dFTbJ{6p+Yis9B3AIRoG&oJf$%0*B;1Ns@SPa0gS<1MW8sIc>tBdH)dD353?wQz zjZKjB%sBbH%BhQr&{20A`}(z6fC6fzDjLpC@sK9k`iEdrvsY~diWdrrMd=nWEhNBQ zbYFzTw1S9BMI(8FG~|M-Pp*U+AP|C!EFPU5KSbs&Sythvar2JPnUk1*NiK<26rQzt*#oCLe(KXGGsHXcANYZN4A#Jw{r|V{Aei{TOrszxPi`6Ms?8Wb`|0 ztkDa+&4mRF&2w$Xmg}`5Efdrl`o!)?DX+0-J+S^?>7`RfUQW&qAM3$m{x#@os*q^+ z24)3@4n5TdGc3%M{`R6euK4>=7AYm|g<)eImIBTri@}1L+yWaLeH%9p%d=dBXjTSp zJsBr1$pPHrDe;fST1J$2UZEMQc-XI-#S=RTx;~d+tr1-EJ-+Bx!1%bEN6JmHbePT~ z$^fl+!rk35giwo`{|64aC`(XrtHa!sz?PU{dHok}QxVcToB-94^Zr9ClG9H`$me1g zOnj0)x2c$N|D$f6WIzK2cQUf7r!?+-hYwb?#hv~0t%_`3sJ)VbB-AYcBEGvC9U^|Q=G8~?G$Z#h12nxB^OFZFy!;Eg(p+hI6%D;u1A1 zu9nyUWu74Gvzw3MTBJzVUQ7}u%Ra4^x0DkVc^xhUCO9Wrv33V{o;jt)nJX!{QXb1^ zWX!VlS^wIz&nNCdLDK;1R)}ZzIvz$%?0ID}CwX){`;5eqJdhDy%C6%_Y344$h72f2 z9~i6_>E16IDg;6&CY>pV2t(j=32cCUX#}uh=kdKLh}5sK@ih(mnYYem4o1vAJoD!R z3fG9BV)}i}fO-7mvGFX_tG({fPzZkW3OxVJxNIi0=j zZf^-oN>hoQ$PtMdKKQJ;aXT+h*$R{e{zXb>@4*Af&;tpK;RF>V7_iAKK9|3w(X>bM z>}D5K&9N_@-q=ArpQ&Q4QcD18#PZo1Gi?E}b({Ign%Bo&lE&vgl z#S?GOatnCe16`Wt{C@j)ri8y~8G&L2RrBLPv0r?*8`cZ#V=aAE?h-s<1wXWdWPte` z7BvLPY>@T$$K!kbDk4teFyW_GmF+5>dnDYQc>0ifBSd<%-zKJ2;ipafT6Y4he6 z8{Z?TY4NxO@HfvcHtPC&1o(zYMOSUkrMErn+AL>2BCa1@+Kw@_@f401y43W%PjJ#4 zQdl+`lb}WtYO*wKj41sosHNcy)(CDu;m(_K*zC)W!(?KHZQdOplRVUX`S`dxe4z)Q zscqH=#oXT?(foPb4p@g6uJUJ#PP+T6D!@4wQmZz;J$XcO8N_fyzrDg^MAbyg>YIcN z0u2L>N?nMML$i*YSMwC`DHt?tF&>nE$afH0Xv}rO<7cb(BUKP^nFjd2!}%b;5#ScJ zXEBB}WuIUPV{QJ(<7lo2)6^%S*$a%#K?;gE5DTw0KJ2wGR|<4r9TsOD zj$!?YIu`%x2YtJm2wzuuZm{{SbQ2XCFt--_D)Po3V>8l258eqr*dl7kEi1W^D*lO2 zj1p>?T|^Z?x=xr+uaIp(OC$}`H|l&|_5)jRoXxX-?+~UyYFiS4SpM#rMYpuD4@T%b zw?{4Q&|Gh#IGnNm)CE;U_;dlA ze(bl>JE7_G@+>`|ad3ux>p77P?TK+}kfZxR|IeZPNRZsz;3i8+HEhz>;`VF(nS zfsS{=7i+5u2p>`o@EOgc5oJdR5E;*}EEeIk>l&?;4|SxH`%k??awlFkD2J(!ROpb-gXjLU5ane@3y>|yZgBhL#Z{h{ zX|wX+Tbatv3*aXFE1O1jKS=W0m%k0PS@qH1(vvfLe-5@u1SakK+_XVD3RSIhw@pc_ z+;FYu@#F_crPee*w^QnXz0Ao_@sa#J(ClKsVoQTp+%s%1M6@Aku)%iL0xf#ehk6oy zJ{NSe)r_Z4GnY3n)zj1V=C&e`8%fznQ<3|25V2;YH$&jbnmfa%n6 zMv8;-OX`LGU2((jbv;yOL@G)&cfvKA=l`OUlLWd&Y94+2ftl@1Laf{?XQ@+VAYAxc zL&i++3SZ$7HMEx%-te(?uXx^W1RJyCh;?LAI>M)mI~ALBy=7+|6ylR&eEs5OuHq~|p}vfs^tfm$^wkH_28eOKo1BP-;gCxO;SCO-d~|NqANqxKXNJLi5r6-g2xmkE)^RGE?(u^GZ(L{bFNFal59gbKut19#I!e{hO zrlQs!6gK^jnfPI>5EVADd^v1Kwt&`x$q)S~YTLihv7=gIYTg~FH>i2cz<3i+q;TEu z&*s96!8Wi59P|{pTXG=SOqo9;lT|&V-DNV`+BrM%TL{Gf6lr?@E_yh-1VwEHJ@Iq$ zRqt(@L-zvI{nyu79F>QHZ#Iv466sqP`c+?8Qcmjsu{|T1XVI}_`hHM0PJVDiLybkK z-8c z+=7iMMP$LvSHTg4ZZd>6WfY&r3jYSNt$qyk{NEwOQP~Jum9c!4U>X=hpX+((`p+o= zVhFZFD1pLfFz8lU__$dDsJ7(BE1h?i4#Sm{Fp=ro%n~~;q$OigQ8v}HaP%QtW4IZ- zdLcy7T8=LZKo}0e7^qCHR)a$h96hH*Z(EnK8qzF2+I@Xm)D7Oel&s}{-THT_rQiry z<{KiVZ3S&g$;3|MwqCiw+)T38t8b-^puC)zIQoS&v3W4ki*T67*$wo&}OdsOIqL?G1oycW(KINaPLSx(hH z3@wO%tbiT26)g+|^mDDmZ$*tTr>pH_D(iQ$^3vaCs3(KTz{v3v+A=0+p2Ae{)eTT@ zfb&Gg6`iHQ$kIiXc^J!3J(duLsoz1yJ0WLxDiUzr>`KsuJs!UXmm)O`Z?ivi9>Qqh z+{7y7-k_O?t$a6GAd@TBV4XAkET`_sK^L1NR;17Nz{CA7;U)Orz%);hew6Ilg*x+t zA!fz7P>?u7L6R*PdFeu;7NUWIZ&|?ReFAm#Tgo=lw+WEn{>H%2Cs(s&j(=_WaQ(+Q z)nEqLws){?z8u{xpu|R8Dw|H^xBRajDZgwiEGI`iU77ya4Ua+nF-VGM3qIxe@7)3@ zbUca+1hQewu=bhHFCXDJ1JOrNh7~Z>>5BHfGcZyabVmHh-=~gF-3UIH(Z}1&c4QT3 zCZH@&jU2TI+(mo{LFcB`1*{*zh18Ch2@3B!_xr;KxngmyKQrp+%}HgS1N%1C-3pKf+fMs;qj9BbK z99+ZG;t`dIE-=8qcnG@lL+wk?9m=gvuP;dV@)uLkKBxRUV47m)GrjXB6cb~Gwcvwy z^{*6xb9#Z~r~Qj5D=_>E@mvCCTty89>0MTVYh<ztlj@LAl>aT%OdxGqHJhG~A8XH5C>J|?%Jq);f)-ifYv2}9UKk0WEQ<+^*&w(Zk<%P7?|djKTOvE8yDEQLb@6-eiJr}npOJc{h_ zvpQSUE%Xw4d*AL+Ltse%{UJ?Gbv96cP$I>SBrY`87FJbf`*?>TftuhMZT64YA1 zRCldi!!^oIyxtikKCbmS^j%diQpZHj5=%$6JGxE8=tE(}=R#ED+Ul=AV#Q+5w6MXf z*w|52i;YP}$UMbK9ixtcIm|)fgTk)wbpxS#PZBuD#G$78Xc3CcbaZcP!L`$nCGJC~ z{d~k5d5@BwZ=&~01cRsW5b4=)@-pF0Yx3FGb$cY67@n?{o=CU4 zHX{xIcCvYJW%usy_okRcjZ^Y zQMDR2NM)P@nfnS+KEl36TNu7JXuALNx$aSehQ`LuB-PUq#Ap#tnGe_YIZ|I_tXt7R zhO#7k)Ymk;)(+}U#rK5ue(lC0gP-;miALYcR!BiMgcx^#+p%BS9CBax!c;YLVP34BhEZN-+gAX z*tFyo`sht_YmFgssHv$UJ1!FUWUCj&fkxjt=yCP3m$%)M-_N>4&) zKic^(VZ2d>XO)RbgcchPKEDu(ljn_wx(a13G1NL44P2^8iZmnL)hJ$@!KSlEOJAW| zn00=13_Ah1&xAhn0q=G757M!e02eQPofOJCe>&H?yv^o@I-SA*4M{hTQt@?*NX-K# zcd=Z1TIF%|AS3|7RNywJ)k-$nw!y`smvs*E-jgoSATQsZdq~UW?cuJ8hDS* zt-hD?DCyPmulkh*<7HqxUpO^6&Jaz0J;^M4k+cO(Z zBDNWD_eC62C4eZ-6^ya6KQ0lo4aW$=&Mnw>SUGk9&=0lTHcubAh8cQWy3aYYZVI|h z@Po|Z1;3io2S1iE$lv$VfWVabrO(A)Kq=QStBxL{nSIMS(AgXp5*@{-vZVL@;)9qgmAhz`smn2~eJwKx!8DJglSc9t2+v66Qfj^owS{G>U6H5ce}Ik`9IZz zzN8b@piDbmz&AAyGMe+Sxt{9xs}N1`Ru4|7pM!cEZh-QpSWy-p248k(NO#g7xv(** zIr{K(C%Zn%%%l!Wk62(wPH#|CXF*e(REMF-9fxIOb5R)r9w|vfM_}GB=GCDyZ}{UA zH*b+(<|6)4<#{7qVR_DC|3E|?9iXwjKveruSazansDBL)Ep{bkFp5gtml)1E?e*;P zvAPZaNfD+@DBE*uml&Gy>HJLZYU$wX=&5i`Na3DD*8TItVI;?8clVNj&7Fs?O+{Y3 z3aVGGZe9nz%sb;9m3A<*V7o~9m)t*a1XV0X7|jPf4{_KN00>y=MGZd4lcXW~D2loHHL-ef}h^hPYKdB^QTmtw_HK1$=`BBPCDwV12HIwfWr zPE|a#Bt!d$%yjHI^<8?tW0S~bc=g9|{S@A6z>;%Uqm@9h-nW!%6Y8mFlbDsu(k_tw z*-IL%P3G)eWDREFI}Rr2ylF0I8Tt`y&TBBW`#DDRpin*GK#tk>6s)jjN;ZZF{D5WG z)8Zy|+c5jmJ(+F0$wl7AxgLh_j0!B3&cpF<=qUEgKi^vjY)VIl45h|A$D+rMHh;ZN z+AasQNHiXWo3J&~7BMxI_1uxMjJfR$i4KxX*VWVGO4|3v_4ChXgJ96pCm{8v5yANMW6d zGcF=R(qL_xVflW%%ixo;S`>Ir12|A;vQFjL=ZHb4bqz{Bu>$ArMri7?Wz$z#ddBv5XrR)?ThXPXWofb2%61FH; zAHKvCo|%0PG!P35MjbyS6U&FH6L5`PJ;E|Y33sUd&t+xpDsCvru3sGtN?$@>GjKt+ zZ(sImhoSbYG$x)AsxS*6rK$G9$JoZH*IVu$RswW+=2u|^z)CC()2B->8@^eaVP3c|Odb)Qo{l2r5!hJ? z)}~FTyfIfP)c2nDSaCkBN5cXRhYv{=A!3W`WFt+3N25c`DD~ zF#Ck^p^2y|CY}56_@>KzP(3&xfZ~9p)ljc}*^F1Wr0JjfM^7}gNO~cSZfhw$>>8JL zVkKWgB1S&h8?Y~?a715?Z?UMD;w*u{sW#ueuN^TmUut_z(la)W7J>;TQP)MI@~bhv z;_5AtOID9}hLu;b0`4RRjFhB^0}a<}d<)xwVb^~0@|8%kxrnUvYowjV9VPhhAC632 zg1~pYZ>-5ezyO7I<^X5Udz6Vr{+tn5!x5+MVuyt?vJ3P&A*A&_qWan{QFBu}82{^% z2miWoC1JU)x5ijiWO2m_E3wfLZWAt+h6?IS(m#b-)D=lXn~?iX9w;d_@2IW3h=f$R zQT`Fza0ZlG?`QnJ$e^nPZKl7zq-tMk`jfrKecZ5RxolaT@yN!lXJNp#YKR|jElJ~C zf#AokXhe-Cml0CvrJz(JrQy7kfTx?v3!Nz$^6J)YHyRULxSCAGw-FctgbLLjd@IH6 zllH`soapJnvFIqZ3Nk=2WPtN?{@BL~;+$_T5gT!;Aupf9MT&%%e*jsoYgHTv68l#8 ze06T{aQ{}<$diAAlKNL5h}k+!?>xM4UUa^QC|whrDH-tU7IRzrp53bD`gh--tlS0X zLtxWVd;i$S=snk|_K(0z!LpYIWz$(y+;Lz|n*RjBp7EiE!@nf2tn&D;^D{!F{s|tA zeZ|K^ay|)u;lS=U3aLG>IIx5mc%7|WVP&G0#}f8bN2d*vF)w#TJQ06_4fG~b1i<|A zDuh-lcShGHkeP$Vnm|Pq6}+sJ!NM-FA6g5<@*v(*w~k73zSMFz-=+Bap1(UrE-2x( zsl?EpXrW_oZ2g~X!+G!+Vdj*5^^iB6Sddln;P1oBT_c}YTz*jTAvj&cbz-woof4hh z%x>-zxDyVGxfxLsjuwX5ADIAj!^{Tbk8`au;NGGiSUd90rFI5dr@KlLe|`O!VY}lI zt5shkb&Yyju9}DIzC{Cg^`3AC=hA!znwHwpv4y{|d*oKf-8U4dc4o+z1p9O>pg;hKHSC zvp-k^h2)ppu(#vPm&_5$r{!9>bteq`iXlF z)Rqq1ooFhny5lKLAY5ZLe6NVPA!HiNhy*^Hzgt(h;2`+o`;7uPb%U zi`70Ww#KwV;G3K$2W#g+nAn4+rFAr(4Yn))=+!L>X#`4!zh_%Tu}go+V&d#chsAP( ziJYppxWDsp^3^vsO4#&8*p`1}>(*NGOW)xhFZHvFwB3+Qe0r}g+n!f5eeN~itvU1@ zff91U5O%x9@zaBnog)(*jB{5{=y<7R+nz@}xkjW=ESz@!Tio_gvv1C}-FDZ^;&sjn zq0fPp@a8LyYh>D+_4Bv0!Ozg~LwTz;(<6dANGF}U z!78p^e78m`uRw^f^U$f|6(23l6^v|ixu&Ta&$y0DfKUvqY7ji3{97XD?WmZO)OewN zR~{r3ViIv@5v3WlsPMvi@@f8>aTUW5li^O1WZ#nAin6)qIXuB%0aI}cv&?)}XkSs-z3>6CT604@+*aZv(fWq?=utKNeL{4qn zv!pjH52wmfb$FpqQ6-oOv5|=(uW(CpN*W4wBMej0chxr!@bmn?Lpg&x3OyX=2W#)V zNSEDHNeW6sitt%MY)rW^FI?XGyY_y4L8qEgHcv@XZcgrrubxY+!G{X%))vy3Ikc_+ zPRnCcH*IMfd^gnE)oDnOw~eNOl^V%>Nk?*MbKpikt?2e;u{n%gKegwL>Ve9206v(! zB5Zq6D{)wf)l__PguybJ6>=dm>17>_bP$kW`yydf?w)VoJ#3YoXBdxfSf1D-!~s`H zbjp-v%|L^?~@!oHRMV^Qjrl3xGfS>6V zsFWbcl-*t^TWG$qO`Dp63xt#TOI1mWFvCzMb6C`NaJ9|Pj4r*Xo^%@+7#weZd0j|e zQYo?Qh*P;<2fr>5|sVsqeoHIgxX>$p|oY@_;*ZTC2aS}%Vb zZBPBS4Pac5sS+^y7XLg2>!3V$k7iKzu;^6(YUj_GkzbOJEt)@)N*PJ%_{pH_xyom% zMS5k*EbD*$No}VWVpF*dH^Pre%UPZFyQ`yBpE(Fd1;%ffGf=xo4UHBO`S^NEX`l~}n z_)!c z9u=H;@5>~2Sa_;m^2T)QBf*l**_s(3ol-QqA~^7Dnzh>=LZW6XOe9Sb_-DQFRNj0Z z$|lM3Jb2_(zLqWPK$08k7CQvln{5R4(2=6*1lhZ1LvSoe$c71 zGQy=hF9*`ln(?PXp#Df)b*wY0ILNw2WR$Gj^1}lu&5V7<(y>!uOTz`T(7db@f3&4A zl4gDKYXg)kJgV-0XXLkOernyfch<9eYI^xd_$|yAnxq8Srtk<)>M-TrOSS>pf_(0A z&M#QlNGCXhj*gOI|D4IR{G^SkKs|$Q%T%c>HuKXJg!8gx(}`BhSG=dH*I7=X_Gb@m z&prds=0Kp}y&w^+St{Ho7i$5FR8LKE<>Ah(oICN>jpuWKJ-jIuX1(Hwju>7$40PY! z?_3GGTE}m>TOd`7Q{D&Lk6b3hYm^#ikpLdEPn#?q%qxS1AOij&`tM!1@xVok7N@!y z#A3=iR6fGmgRM`waxqd(i=g>u?4+?VgX68AUJSP=lZp5-5GBviiTMt(>{^#}B>d%V z+1YSJ#R+t}DniRsox0$*tKoTB4crA?IklIwwxsmh2Wm%;-gfOliB=?n{C6gGg7M&F z*>AU9utLCPXg5Czfr2gR$esnKRi7CzT!jGT&deQk;-S3*c`yj1H}SA$+ODzE!E}(X zO=azm*ts!|qjA8Jb_CSyxto8L;UU5xdIR)_%%zL z43a?7Pj`lL;dmhaQGe-Yo0Nx#hnTV3zGC-3KXaSMFh58_OyMNF*RlCoZ!d#e~&_u13>|@wV-5U{yH_ zhlgQQS5T*YT4bdbByxK~*FbmjX1Fs}V0{!Yrl14`oKDVjJ!3;0*5@JWNLqP)u!A!g zzw#cGb=tBOaoE6Ul-^`s2s96`pWZ9f-Y+!lzb|~u)}b6$(kz53{0S5-3P6E zD)aTkX2lrBDThch<>5bO)8`bL_~T$y8hbB+ zSi#w=XPpABjP-@GgyGNU-0~H#8K^9UWYK(flZq7Eqe~m*wz3}7vppF#llx(%6Bujt z68<>3jRZr|Tf7+1L`v2V$a_F!xo#Q|OKoq#{dkyC5rT}*Vxsf>seAa64LB>;KdS?+ z+HywUqO~i?+YS!Z&6yAjf%>7QuaLqkKUCRK;m;Hed1Es?vs-8C(wR9Ibotm6{|?#bBh{+c zS3)XJX@iOxU*w!fp_-3sI_TBZP->Uj#WY2#+o>5E&8A;CEn7jz2iXs=8C7P|!luHx zUbClg9lQRyfbdwl1u~p3?9+PX8C=dPk;I{e$_-R)xm-U(CG~t?>P6#=ESF%WlOsom zx1l`rm&o5sA4N=q7}ijJy`cqUf6jV1H_A5(>Td z>^&+(DSl>fb~w-L>tFe~pXyyyd>!i#$uHwH#!!CTNwBUBY0r{&P;{JFu|Ot5Tu-cE z9O=DHab#k6D)9tNlfWJMIIFp%sjsNaZ~S-gFmTBs4!nYjoZXLD)Z$xmcdy zo2*_Viz|Z@)Z%B=MVZ5WiPsjntf`OGUE7#;BkP;DO-fnQBApZkduD$nadm>=OO=%! zVi`kuHW!#Gkhw6S^B5MmovrrwLQ>+e+mZDzZNLMa9jJI3Hdv7UVc*iCPV%^pZQJf`yC4ny zpLK$Zg)k{%R8!h_3z2k0n%>c}`A_7|b4+Wu7c$sR`8|i{59qL3A^LzUp=)0&GU?ZD z2?<39`HgQNB4@ogn}v*#f&(R4 zhIF4v_NX@qJ%zgiF0mmwT>d=;q`rsRyFTyz=7IymOt4gazwAny>>;blGe5Xo<8nQ1 z;gF)~QajlH`F!*jI6e;DGdN96c$n5i8srNchJufM`&k4FhImI@0ji8ocqGY#&{S6N zo7E1*4bCH8h2!{6IxVR8w6t1HjJRF0$YiD&+9)VoMjw85LUca%neYnaIpoZDJJHHt z0a4Zz`4%;xdh_3!xpnR=U$q`t)fx&4S?~P;)k?xY<8{*>P814UJmH{3(Z<_wG~^)| z9ae8zQ+A}}5;mki(xWZLDPuuhNUB}DqEPHO(~{Z;k9S)EYv5cBf7`J(qK$F5D(k;fbsiub6SPVJp}7(jXtTt?q|c9NyhX7BPf z59vew$v)MI8j9#>+XDg8AAh zAv{$d!Zx>0?2~%#zCIF;ishL5MP1^c>N);;0B(jMRlT?IG+HXS%Llpx#ZUHCy1jp? ze%3{%jkLgRsOs68y5p>}WhPa5q1zYF`Jq)|eHU|Wd(uU^u-=8!|@Zk%T3f=IiL}dscd-<*DDyeD#KPGuP-x7dz$n_eMd3v+GIDGS!cSR z#>;TI=aJm|J3i8sah#wR1~t-pR=Aj&0?GM~5bl-sqlP-a-2p$fAwqb&tx7aL+`HWK zd0&;{2n*kPucqyTaI0|wKxM(P0y@f&X{DF8@3;=rOtj6hxv(@Kj z$lj#i+#D-qN!C<;r0fR*li``34*AX_nkZk$Npol%`>CNzASAn0_&i8MYT`w0{6|P= z(`^v8KQMhk>t*PXF!C0@90&!V7MuPw|0GY$P05l|^B+QlSD@-b_M5@{uNVV+%u;1dWlh9(k=#lEJVjqeCP*{YfwmzA5_=66=*ys3(9C#4cdqE= z%Q+NM-^pD%OF}|!M|m(Mx&6kDCrWEV4lcU(pIt4RFPwPrpbOftW|qz#_^W|ND5>X; zw~;ZcCN;bj`=yJ}kKiqNF+mL#$bzIFc411H9B zs=v|`7yV;;{`@$Zf!?xzY#^%@$(tO*L9jBk685Xgu%`HgmX~}4RtR?VB}^ff2JJ4s zAcPEBEgAm!&pc89ctYm!Q7o6Og8)YfZlP_9jM`bU^nFYG$Pihp#f$Z_e+Bmx4+=8t zu5hRS4PE(xw6k#+S@yvoV`zP+K$UIhY5aQ9Zt%lDllbcTnCz$bGIWJU<1nx#Zl2I9 zNEkT4v(ytgB*Q|F%O7Mz*FVVu);SvQxyQ^H87B_NsYz$)Pv{27;$D2M^eTV_N+CZ9 zz2{n{9S*nee|fx*6k@PsuGUwjs}n*RH=fZ(rq# z^x$M{=~m&naY}tXE+AXhUkSF(84l_1T!i3xp_&U3yQDbJX;zYgCT#4{`X8M?|L6)` zsxA&%@@I3uLlJfv>`{O^%@swYWMS%@v$MQl_D%NjCFvHDJ$j1TA?MCLzwJ5q3RKoV zjM8b-aTUVyzEH83U{T_J%p)>)-41kspI46*qS4oAa_Tck7*~Z>$cjk)qeD8(Ho ztTEj}+qS9)^QHYE#3KWn^%+_IMpob&hVO?MCs93$6ZIL8Eywo3L30R(OrR(`j;(qU zk8E5tk3+>yo>XU{HZba}U?9pK$tCdGjQ@Oz*vcp{};<&@Ly^gcQp@SjdKb9}@#z~x&oQSF08`-i|xyL*IoeAFR zp=N}%LT1riO~mw`g4JcKON*Z+0|a5@OfIZWEWuss#%uZYo;P@?X%T$r1cStPnANzo zPQJlClNm-UK+#dN;T;8U6h3Ol#T?=S#{))Q**|n8MO$d3OtZc|!H)lJs%pibxT&>? zG+nQMHZ>OMZr`^L4hzyvR2_V(Tg3pqnqR%o zaLH&gT3g#NH8jJ+c{Sw5Ay&gp4=HEbO%(c4lvnjM0Aox5PQa@x^MOvysKV#O`li6U z{<|sUnJ~5Mx$vAiIV1Tk#$-CKWH101sMykOp#I!du3pp$bX|c;O+d?$DU#WsPIANA z5GBDoE7*jDXqVu0Z!*v*tKd!-A2lPM?t+Zeo-H97n$huEmp<`$0sbaslOz8EdjYYA zI(x6m&^;}*yVlZb(KliUKK!3efeZH~9`Bc~)6UQ&mJNYc_#4(9N*?6RpO(>F*}8V? zi{QVTiq^IyDoOBMEb^`=3SH7;?vBLy zd)OcFrmNDRnM5-@EwM6QU!MM|+E&+}iMM8wIEZM{Qb*^N9skpG@bc@j09=XhR{1$z zon#}5qOME$!oQmS$=bY*DDx5C=&d0x$PYZm`k;=}NB$?jiFTXF1WY-G={LD_8Of7G z-Rpi(ee%STm8g_3S^;rb?_N=Gzq(fkf2%rwv*4i=yX}UvdPfC+Ry>hY_ke1RZpWr4 zMPcR>niSc*tralyCs>gdJLEZf&sw1del|f(N@&Z^;sXx#3YA`gXup`FJm5PA>8B|^ zFglu6xK(@xKPb3tV>;>{DuEM%7jJkL&ovC!F$j$m$D0UDt8d3$f^L}Yd20IxzkL+iILm#%DD!# zqh>Y}$H5V%?&b^X6aShh9Jsk~p}B@;kdKDK0=WK^fSJxWo*Az&gH{ zkAd$;!%fhlKO#e~RpfAMeTh#U96kvA4gT`*?{jWZ5|_C0GCXTZX7+Co5{sX5`*Q*j zzTT2n$h}LOM}@V)At8_}B1LE|_`ek4xnV-w7}y)xe>MjBs$s%)hzmrRwV8?yjg`0P zM4DtKd!rb{AV`2<^jMzAI|-UWt!Fe5h9hpwTCC{!|2CH7W^c2r64Cj+5b)@K&i^#V^n-3Q2)T#Kl}f3aR)PR9_$Y?rA1M~x9d+;wu83@qvazt9 zcn~TH^zEQknOx`m5H`njqE>Z7fbj2RPL|CX8O_$mkH3T zQ8R5C=z81Am*T8opYwdK zk1@#|R*>y}-p1s#SQE7*e7*co$<;Unow)uuWyLHTeQnJt(_=FWb_3caa3nxx?daj)KL`+2oF>v3%`jr4K4dl_(Pou|$L-1L| zBWu+ZXG)P^C&d*M0!BKuCzs2!rbPa?t9w%2)hD$|GUr48JuA+^?#JeOyWA(C%0mCY zExmo?A~Bx^$rz}4F#I#iM17jBP@sQ>V7l9Dng4AGNj^v#+h&wTT1A0cc_SzVgLpFO4_dcY9Z4Z92l!$&{&gC3eUT?jji7C3bK)`TyJAKu8j8um7j08D76rv>(o31^Sbe}r_6De=%6 z5IxL0iSp;NnfY!_7PD6ku5Xpov2Akdvpm`38dt@- z58$x(+tZp*h3QT%9h{M)QYQ~94UQ&56H1B5OoLcGUX7KH?g^f4dbq7qKG624b>)J1P_%-OaP2>T z{wNOIwaheGm-M6ie5V z6bjP+wFP;|AS9Km>QEWJnTHH#n*R|n5(t9|07(>XO-cDzF`C>Y8+XMZ63a=kq%`0jr>YJd-0-l=4_$^PS*t9y== z^u$%70MYmb7;5G-EZ3+Dul6ZzW+dKG26W5^eLM0P|LJ_{dwbveB)MNj`afgLMej^P z2KN8C@YBT!dk;Zj3II7<62@3#q=`ld<0FvHFTf@e&_Nl7v>El0(He;20)1MMA@gsR zY^2y}H$qEDOqcZ(D!zZ|FD0JErt0;N=tP|dLXd?as5@6pc@kWhS_5gCFy6o0%djKA zR2fMt+zJ)NO(Ex0F3Y-$a{^FHRFV>4d83C~?_1Jrn!3)0JyCTsC%shk-shxYWN!1u>#sY|?A|JdbFd-fwv{+^gfZTA0SNHoKdyaQw z?x1#ct_*XBB&d?Z3rs5qX?GN8YEfuWP54s(F}P;o!o9K(R@{9!WLkmf`c!D2$vm+G z>X$WgEn6!j5BZ?Z)T4O)C9x>m_aIbk>(&O<1^2Un;Jbvm^&;e-k{mhKsG)@>^3yq{ zJ-TbM|Cnlsj$o zS+8!qqp;g>ZJaMm_EYJX3=p!nxgC)~QG(bx^u%9ksv9kRyR`G6BC3o!B}IyAY6FH3 z2Jqz1SIBnuK*UyJ27wwW8ODkMY;I?MY4E;Rb129PA^jO23^v~nfTnxVc?iG_olBAR z;oXN;PhYuh@4;fMft20+=vDVK&=o-AMF7pZY05hM7x=JlnlSeT%Itd_yylRH7-?(L zI2SWLvw%wWOv3wp#3C>8g}4njj8W{CJcU$p4ZoI^7X4;9fntChf2#bE_{+y}-2%?v z_l90TEHA^z_Mr{4iT0!_$sP7q+yRHBzj}vg1W9@rz%`L??{N}Jv5t3t?)Z16W!o|3 z6R^C)Ip#NrMN=MDP^Zvy3a_sr`D0|z{7@J#Z_ADb5}pmsQ~(J+WTprRD~WPkMgrc9 zPzpAr8q)%+!$-u+E}td|P(>ft)*3f^V0H)@F^LhLvn$Z>k;*J`1aR|FaixgKr=TP zHWQyIoQUm4-~^T)KKag8fE#Ougifl#B@;Co9OObxo>sC?j73H8s=AnyB>0YM84BMB zp1|F)<;~CHo$v{w&54@I78{R+ULZhMCtQ2Cv4q@%1;R(vt|@LncC4Z++3U+z1D|$6&UW3E zV8hW}1}mxwN9sSW$hp1*m_E$)ZoO|%Gp2ALK45S@*f9KqM)T=2HhO@e>PNIwEAxWT_Mjm%Q zHU%_F{Y_d)3JVhA@8=exY+Btv4t`fXsr2CbJ%R5tlLb9L9cGTYbNdpZ)ZW9dO>pXH z$Wz$eH8Q$eT)5iBCDJCzr=}SQumtQXK&em<6I%IG?u9D~2 zwf8ZpDlVJbdPQt{PNR!OpaMEcNY+s5IE!{a-X0O}&NFhuetsIq^83go(t&+M-#yeFWj|}T0zF!(S_c51=nV#* zM^7(V{VX9cy!^P9F%Yy`Ds06kisQK3WldkK=&gZ)2x#SoKr#iyml96rK)v1YN!0ap zXSa`bXWRaUtbUZskTJ9i@Tjn!6i#MX;to;Dg=tds4S#S5W`2u^&of!Qn2aPhw(6j2 z?Cf!~3I~hR4Qmr0fb@nsOuV0dl*54EDN&?urg`hSkA<=m|N;-iQ z(^yb|ZMK@OIrGU-=YX5kaI)-3~rj0c7Klk06Lsi>1IBh}w$AhCS0c=*-&M+kuN zolYy)BkT03RJ=rEMi6mp2-5J~M>=O>j2ts#GP;N$ed8qJfIW;DN+uDJhBbgRbT6OQ z3^(8AOZ^a@eqJ)pCI2%kZ$MEZxfi6JQop!vol%HjJ7f2HgX&l#j`|idPs! ze>jx@t~YJ`dh57E7H{(-|IL)WvJv!TAN`(&f;U-WY9g;e4m@iRv?e8!@~_*7LY-~V z%pT#ib|a$tHk>lx){_Fqql|JeyP%*mQ{*3mJqhx=!4P5n2%!>S8{z#igKz~r`pCFW z7Yb>;xO=`LpSP{G%j{X-mKJR5XAh-B5K^%naO5Q~@BcLEwpHDesa!p#7b-rt9vlj8 zn~rE25pYL+0}J{}U9ao{1~FMd`PsUVE{QNMB_ov;DUN3LerL?F+>H|^f3kCgeu!4y z0A^aCRbcVN|7;|;EeY=wf+jDD-<$Ppz$#uBS*sb1QYXBdl}s#FiZ^hcqJ9Xw1Wxd801v;J9hNV&|!pclv+Pv1Djj>&4V$VIMq{A$U~W z{+Y}1^EZIS*p@_lbx%Pl;tGFZ0m;xDUq>ueMzO8<`?%%h6tl^C0oFJk*`2!57d743 z*&}JEyXq^flihM#!9r3U_GW}PsB4~{P$MeM| zfNA3GU{EE6uk8E;|H`Srk;c5>3q@m|oYa805x6$H<7Sf?bfBcUn@3I|9p3r_p_u}&s zX6a7f1!2Q6q)o0!hUqkp0OKnTU>AKUcR{mPnWp_jG0=9zXvKSzye0+9F|*b%!gZLH z8JGpObwYUA3`xXPQ+*S4b)+@&*|_?l<#b3aX>LJN!-U=Z3nmlCg$);>#vFC)n~V|* zf;*kq8RC8oVK=CqOWEz-`unk(El_;qC6CaastTv+9Y) zwQzbQY$q-eSW}3Y^t}6VB>(4&8HLjAd_a`o3P21co1Iv{y`lnJLF~9WP6TFlQ;E&% z_ns<`*s{B%w^-dD%>)&Bk-|Fjdm!Z-f$d8%YbfkgW}d0x*c(2zi&QoEU~AxrRea_Dz7 zEAEGQBSmqK{C$#vOhSW!4S8;%GYGIZYIA0gwpzthXp7Tn18V=*L; z7DonnwY0*MF$gy7sJ?Rr9XOdpa_GgX|8u!6{B_y$@fuLB7^M}1tt~w|C=umfOs-rt z5vvG+hE5>M0Td1RURDkLT4;s>%#W+!IKiR0Ot*^ph(_#MJgJ|SHxt-)2z2IS(=qz< z*dlu-_$V0Cf!IiienbzQYITL(-4)hp-#E7RNgYvH3JD?f-WZ$aymiRHml4SD>*3zK ztQK6jLw4%0!Q-WsL(89l$YA|c)&(iAPssZcv6ETOE^+Or@1bN(!(}wMwITSpBW8N~ zj^XNR`GC8(T-hYpZ6MxI&K~w8Ns?V4b7_9I((8sqA>@*t`7#;KqbZi9K$qRHEb2gV z-mOvR4_%H(BSmw{rcDpYMqZQjPVfQjxkRRpXSV$xk^V{uF3ibL$(WMzN$A7tgZ4cL z(^cOTZCXrjs^vRX;h~B3&bBcnGb>@df_I?_6>{lHywvjQ2$XcDq;jLjvF@Nk?nDo1 zp>f=q(8Jx<+9DSXp9nIr6SJ`}TyI8QgJYcAb8r=h)j??nuV{=pI87Y*Y;CTb+5$bq z8_mrE$AFHhLax4J2+0(#OK2IO{z{zG@>)n4b-+D>ynGV85j(LNaeW*ueSu4xI&s+A z)gO;38TBfmRW|^7WtnchQkSGeDbl5A))Rnw}HN%yQIalGLC zgjdr6EF8?=X#u5_5ZTfA6>c$QtHG~LMMXb&<8fl{JLB@FwixD^u`}UnxzNRpUjt0s zoJYg_9`qw>gkEK$klkSsiTQkKsgRGHA>&oHZ@*$WmONv2B0U4ULmsycR}SyTX@+6bbc4)KqN9|33FxeHfK*2xIyxstOz%l&^#WR%mGi# zscHu7*Y&($ISh^$KEy_n-D9`(Tx^`2IhaUIfh=S=4wu2Fr|hWaS$gT6^#afcAi(60 ztuW-%5jWmp?I2QCGCgVgM17M>qlpXv0p;c=^6@d6rB64u2t5jOQrKlS96Q5B+ei- z*c_jKs;ayQ2q(k5C?E&fIGG~s?-8=$$a>Fiu^ZD163jDkT|0W9h1mlv%E}(!;v+f-7Zj@RI-1;XK95{!??rwF5ewP2zVgLj*-l0 zdb|qC_vB6NCIJsS57aYOyp9`Yn4O|>ANM-p@$|-!_oaJyPPja7*}-cHEF8GDaXYdY z&0$3ka6R13x@jbJgttHBv|o5>PqfQfx#p+kB73%nBX0gUXbN;g-(8LMC!FGIr=fz6 zO~&wSQWd>Il}V&U7rvd1baqi5Rd_r74w{l5gKLre@!5j|ygO7j_3L=0=1Y;5lM|w} zBaS5R-cJX)(fW_?B@eh}!Zm;rq@ba?jPyNV&}*^zD0;>ldjaj9-xo1cGSw*tHLnW_ z+`CAZ;1$9wb2TMR4tbtlTA%eV(ZU6zA7u-~VUAV!uwnQ_`}#hyU(n8y!-bF{O{j84 zpE|6gpPhn17-hg&V_x5(#tBh0m4yw%WlkP^Gu{Qb$gr1T*EY_EB904~r1bt6OQ2c< zm-6XH1WbX61I$_LMXm@Md09ff|Kaq(kK+c0O(BXIR2zK`TrqgT!PO>lAmV^ddV%!~ zUWE;MUq15?Hpu8MniI`b?ouwcZ1-6#=t*4EJJNjY>^9JM0NrF((P?rOQ%rQ`; zcU*_0f!7H7w=$wz%U!IY!`mr^dy~3~7L~h)y9|<&ijQU}O5jejTky-H(6*pP{Rwt# zxG4k|pNovN1iH^!UTd7pCaFsd9_aG|LhXTsB|p~Hn*qMTAOot;kUYeP;y|A3c0<7E za}ed(y$X$r3aXbjdAc4^JK7A?RFGGmA<`1MI2S!m%4GpA87OT>JgW_a8aI+78F{|L zv)f?l&QGtz+3=!Io}~9dn5@y<PR=B*RgSh- z=@{H5b@J&59y4APo>A7TP@Z3DFwBK=0Q?{~Ncqy$S!xtNZPJRZ%S7Y`>y^E$r9TEC z0VF2*02Fakyd(i(y#n?-LHkHDp!~Uw+;;6VzSsq{MR|w85`)9zOD}+N->t+o7tx>f z70;kn$7EjEnf{&~`K(_L-4oEAV+!_3_+pzK#asECakJ>(V2NXtp@q0c&M*kDrJ z6sAU~A6h|@z!PV)R;Rn62krtDA0G<6AA+vdZEA9~T#vE8H9JO_cRvR#a;}iNI`YM1 zIw4j8D;rgIsl*Xo;~ip5$92Jc_WOH^g`Fjq~d_D zDV{5l1x^+rHOPsR@WGCNoPHg4E#qcif%d@fz;;0aIeGp+m5E4}JI&05x>cSajnTi4a({ z>F?>mCow$6P3=H<>2L8@AsG?E%kmIh)sfX88Gqd$y_9d|K}a$ahcCtsp>hS^76CEY zCGi<5aml%$1kJil>e+arxtdYFqEuiyns3RRrRnDf3}me1)7a;#CBYHh^PBA zc1zM=ob|^K1Orfy z_*@}Z_Nrm+=Li346_w*av51h7GWNKf#66)bDP4?z^}v@fxcpi0gO$1V5eZT$v)%|Q z#TrZM1+R{F0VU2&o5F+20BnVuUuAG)lIF&JJno8%poLU%k`v6ETi0eO9r&D-O6Kxf zha8RqH>iV;NBXRlxk*y;Ubu!x`v}#fL==`6IEhab5LsNo<=s3}k`SId4OB=(tA)Le z*7$9B&=rVSSIn3s>!0$R4&R0g139avJkg@0=K@AC%)ykyQT7*c@wYcQqS;Xn%Ec-8 zQ11E5WzS!->+|nIy+JPDoAN}u8{6?SdnliHf?Ocb z2~}J2Y}?AuX^DV)?m#T;87xhffRtTY=o_w(o~JTY(8isBKMrdKt@_xgpXetL`Um*5 zRKb0J$)=3LUPd9rK7=cmaYJi28t%2l9AHx4Ke(w`9QDnO{f!qf&uO8*sahkv!47Ci zpMjWv@UR|6U1HF3GrEAId+<8J3iNr=X)nngZHG@c?-6cg;HU>IAt38d#VR0sz5sh> zuReMMMTVJg3Vvmp)^-{=s{r$qgC7?4+qlE^#<&yui5}1lLAG1IBDlzGQTS4N>}R0a zMEK-{H05rhqmCRieJu5RSq<0t6Y6{?U*C)-eSY9Z0Fp#!6y1M1WtQ6|kUI>7@prp8 zqzwUD2lVKGd>XKbQ$TY<##nioWGNFUp+_BWtkt9iN;csP_GWI~WB zWVHu_7J=pMfbOwP4p~1&#~UsD2?Z#!XagJTZydH@yS^ZWd&6^ZXwtxk?1T(UaXYaB z4G2`+f#=tq_;%DKYG~JeLX)nAgZI7gOPj-ByL2GzFmJy27QLU#W+ZO)qtanu5VsqS z-KkOijkMn$H1MzndVZ`;2QG-Bf<;kZsIbEmQa$mB&=HkHJcM$7ha{h$0z~{7{~pK! zt=~U7G&uAVg$%sMEC=I`($}(qLV~#xD11cu6gXVZ6xB7Asg{0UV4F9G@@`N@lC@g- znGHNVmpt|qnM|t6~g|<=hsfU4;Ti= z>;2YWZ+;}E56)j40D83sxWpIp@3L~LlpsC4NRsDTVhAB|26)z1IOpgMc{oYwRzGUM z-=$7we0Q=3;>}=(gS@XqYazPx1X(fgrG!y5u_1Ax-y!Mevq&tS{LqCoGcbcgy)q&9 z8kvE?qGRuHzcG9>5LD`7sb>$TN+yEK@rPk8a9#SB2AK3XLEqQoonc0Rheut0qlJSK z1r#DR983;E_qz!gOCDVvUz$pOB;foQ#HLgXI0!dI>#+xS*1s~wQcnTk06TrDF_fK7 z7ApAb>TNc^enp@`0scD8NL7XV*sG{N4$6Xe58l?f1Vy-fs?-oKl2X`HL5+PJWA06r z)>d9HRwWAI9uKIKdSQ_*TZnQj6t0mcsVf(yJHcdptr`kSf7Cy0d`Dv&?i$(bi;hl@ z`9ZH>Gw(!?xwol){Er)fmuRDg&xRtSQ2cQ!d!q0Iu8!X|^IqE~@4QMr0((F9j6nb) z11;k11&han@QY5OE(T*Iap}?N2%Y4_H}-j4Zt$o+q+-ha3j9eSKp4KE^pB^qNuYfB ztTsNk{EDht;ByEp)j?t@I@(S&Nt#A|pB(ldk3~!U0eifZ{=iwcapk}E-ZUKQHvAv1 zX%xeeEmXt^5k*w?Wm*+k+EBKH6k*7|HYJimDU!8SC1l^1P_l%QeI42NeP5pQno+;* z|L=MC9MALOIl5onnVIkRTF&cSKIi8=uQlP^f%qsCG??Gw=t5BXgAXtFSP2mD_dw}A zRw)l6Xd&&Cz%|`{yh7+x6;~cP?n5dOx_(i9A1y?3tk22*GVB7cl;AIs~aKxdM@k6@g$Zy}$gagED5WIwI#a^sS70jG%l?FIRVDLh< zqUhz??o-hrm=an4pAN@A`Mf{=YSphXeKrXz`a8tiA~cq~tzPPK8lA_LVe7!~5!v&X zLb(7O`JJq079w=ic5Bc?#cqGR60RRaFBAYrk1A%l>~GzjF5KQ2)=`oN4X6z`KHY(9 z!azX%+SX49j+G*AS-;fK{!hxW$6t9ud1&N-{CMfy%I^Yrm^kXzCo>@O;Hmkos7B9X z4s*}juii??0De%0#3rwpgo zD#xk8%zav`b+~^WCJ`+A;#=WB0z78J=EW>I6nbspW88;Kka&?);7LA+Gy8Y zBJ_+&krE(6l{|LE6Si(Os&JK;(6PD&S``Hu-nFQHJP&#OC8gHoO~2JzD+YQ%<{dIV zHD3#ZPkTEozy(wmOLYIUMCbu*xmmPerq0H0y;NNOUaK{)|?-_=CFI$7p}9$PVl{ zo8O*s0p7hj9!r$-6M76C(rMAFQ^tPm(hRr>($cq17C?-_cm8Yk0Jxf-7bX|IHw%Aa zT>bXKXQyLG3mwy2L|^kbBFIDw9mdLj0(^?)Dcm07F>L+t=ZfgbjQB_UsEZ8>5}4cO z`SGGrF2+YET{|mwsk)Q0}Tt_)>j)%y_iX^=hAtWFF&$I0^dmoRkI}_ zR}b1rx?0rIKisYo4`H_oO#5_FrGTb0s&qm9O}+i)J~8G)<`zm?welYFuN95|+zsi@ zK4@~d&5dY&bwT^S{3w)%%a(T`*Mgc+L`XDr@o_sM$nBF4(a=)24Ybxpx|!)nN9p|R z(`Va-Q9Y3COh1<;KY;eRUvcqTAQVwNI*{pbfw+^$X5C`XS ze)dfzz)i7D^@cw$>`I4tb*=3uC?M1UxvuZK;M_c_ng#r=_B_ATT13mn_SW5^4$P$L zn9;lM{Q=;~A8S^=2yq&UX=(bnPe!YNuh02mna=2COjJj2I}pm@jGTLC`J1ozQw)4@ z)T{1O$*bcrp1AE|F3IAN+ zz{y}!UCEK$%X-AoT#gG#Sxc>%Ibt>i4UgO^!xda3t4fp_e#j)(yVOPQcMa~XIMpsI z8h3#Yx;qH(iN}v7RCa!Jn$3Ct z%!9@d|3q$CZWnIqf!Cu`+MJ+p>DOCkhzTv-Sx3sFuV|3XYbnP!=Nq+Dg*7qG=ALL< ziwR%tB)%Ok=nz**k`+!bc%h$sHdJB)h&Jr-YaLrXGL0lW6hlT2|g&YmG@inP%XVr1M^!Zq-8RY@5kL8c*l5&tABgkIuEteS34w)-@lK!`5 zF>YsvOzmT7p3PpWO|rVKr?-l&p?8m%u8v$?sGT#sNDpI3%DS;RZAA5Q*$IGJ`d|z% zM0{`3c3td9D327GE&MujyC9jKyJA|NnR){>zIqe1Hfk~DeM~CY6l*Ye#6Ac0$5ddh z_8#mu;cZS=)Ts+rEJ34Wh_ z`BQ@@U;JRvAx~$SVPNA7X*EHF-sjB!TG_Ve5ra)pMwC>lRAdgn!CIWxbphWJGxRJ` zDQ%*Z&>mqfAbAGdtM*oLiKOsgRnB zP<3nTbaTJd#TgU4=6Uyv83P}E?8hZQD5lg1oblFHZO3jFoP=9F#$y?@RK002JnGXu#sn&^;#PVI{dPx*L7#Z~PF7Q&b@u zWSJexd*cJ$wvo(}B5A#>x1Ot=5}7+A7&cX;@922Ivj61i9CT4d%+6?>qp(XGB!hji zE3-8v$rmKInT|c3oJk#0JT1PocG=q3u!72-xZ4By))7Gu2pI$WtXYpjhs&-r1WwTq zQ`Q5}3DYZPlb+1Nrp6E9_a&}RJQ>!v%zV1_cSB)y;p!jGU1`1>J`j_bGvdihb(O(E z?4Rk;nHaz{5o4^b(nB6Rt{?-)W18$Fp~B?kLB5+1=ViF&F=nzjT^?x-mI{Re0a-=u zG@R9<;-sC%Hw+elT zkd%rqFa621Ydticx(bb_j>$0H)x*18kSOmy_o)Oo`>VM%M`2<&ul(AJGcdZ0)?Cs9 z*))a~CZQ{_s*$o*yi2I$z?7xhTZHw)Hx~Su80mK0;vS)7J+p)@v{4 z#y*pKX0?*x8EoNwE5LsG>EtbE?l<0B0b)>wnMYhK^CDDW>@C`N&&i7Ynu>bn=~*#( zXf3H-5Q5DLa8Qz6oVm}zK*M8I_~xPE`&*t6T*5^VO~h{YGA2^dJ?Z6(~=r!3SVw`|6W66 z?v_~jR8f%l73-+2iz!Uh%j=;POW&(+(-%Zp?z07-v|!vLH4U2`m)X*bcrGqsoZZR(6Vy! zlE&(zhwTjQ7=KrTyKuLAF-;0|!}~ZzTfBR$$80rXxv=~$kM#%N8;W|3>$+K`eYM3ctd=5%a1lbyej-b-%$m<%5lTyZj36r8p#9qV1?4#Hqtxw5<1 zqCMQ*2?xTs`IFO?TPLW7ff-v^*1O;xb-~9(Y@btwv)Zta-@X!P{Xe;ELtYWVRT z(flsDb9&K>S7(=Nyw8~&x>60j`QBt_$9CQztfOw4Gil7^rq7kO>%*s+Q92-a2^)l8 zkCA~hUVb{!O9ih+8deKyd7H5__Q$?H5x=MtH?&Hr+g8j!Hgv1~{D6+(n9U~tg^|4A zR`G8%i4ecr!QQ>7S~t&n_fWLMw=fz*KCOMr0b2RYMO;i9D89sr^Bu$8V&}#PhGWl5 ztUsKzHz@U6M+yfK?@l2W?h1TNm^1HcJsU4NCy{ujU;BL2Od^~4nZ+Ozv}pL9q^#7@ za|2A)EzJ9^?_Cw9MTU4)FdApJ6MWY@1;JmYIRfOHT@rUfPMDYE z8#eIXeBpdohgEg?KxHGSz2}YmY#1yHSaQ`@fj^)!0U7vYlMjyz;3V&DIw(iFz)wS6 zZr_4%NWXoM$vva&@XPSct_d!yT>lce*n=Q(0=`xb+`S%7Es*Xwv=CxpfVp5#4Scz}z)TvSbdR{SOHwsW}rWvXY? zNY8b()wQOCLu;nNatb8kilGZ1vJl$v``pe6;0Q~w&}yjdkn9$YEiD7(Rxg>#Q~9>b zo0sBQWwOzR1p3gIin#uiT)4g8+eOygYL=J8DijFoK)Sd0JZ7Gyp)F;%d|%nKq$JGq zZ7#1~?l#=7oI({ORT6Q0E}^w9Evry_+)#1A)iq$KENSEmlz9=_VG|a5dH~=v;oax3 zyy=PM;cW`EUb;Kd?YK){w0)sE^UkbS&8>58{OD$9VB>h2WqQ4>$KMIy=eO|wL-b;n z7-#0WgbV3fZbpJPH@(4K8@^sz9?nb+(Y_v!&U|^Tp-Uu=RakVaD`zq3UB>DE`Xi4| zU-AT3cAzS5ZbE$>*+axKBF^+fiW}m2JR1??jbBrR13-na|{I3H+ry zx(;9JNed9kD`X`wIbH49OYw^KuX#nLY_tj)i!r!F`L`K_^V8S-9KMNK#94;JQGCq? z9ztA99Hb%GNlJU?EI-#fV`wpaSK7LsWh9-l;Y1EOX^A$)?m)ZL^hNsHTY)vPbkt*) z{|S)KF^%<>(v$E7F4_aBJlsEs9t^Px;tWw9w-<}MFGVp^?*DkKjQ?pQjJ^qaFUII|h+>6|Y%Hnj3wo`$+#ZTA zz5M}unW+x~t!Epex-U1;BIaNTD54#)o|fm@_IjOju9y$ z03B%_SZ=b4vI{jO@MA{f+)`h4r;5WFG2sV`%ba2aYQdi5AMf9ODsShb&r$mh?|s(9 zsge63jq2HVa!5C1t%6(0wamvnH$26eot@noCAkv-fC6nWntA4(f>1#s^6}-haxhy* zldxO9>jq(F1PGxsR#Z%f(!JQFH4de0cbfOcLK0-<`WC`haMTX%3UbU7LGXnvOq34@4(L0EsziA2#Vcj)xsTlTxR zGM%~_CtIXtUg#f%=R!bcLF(5nnNCos5myiLL;p7!yY5{@57&mx%qw#S z_tb`VPwW16TbcK%wzO}+VdllEJiH>-7KV&Na`JgDgM3#Pu25f}T?ARBHCdhXh% z)1%7b$FT5l5)0U;C$vA{hU~ZDgxT*_QoepS9;^)A+633Wibx&2PYo8;MXTFtXNp_0 zf5|^$mwzAA$}-Y5SuX-8VJNI&C2kkoD&sFg%vi3T#wkHecd&9wxgzJ?>zDHx=O>R) z1WMC}^wBHBv&r6u`v?qSFRQ3|zxoJBb$h*3g zaN(tzl3r}a^q99;ZMhQFSkur*a_Jp(st9-VQDD_s2L(npv9=F3kEZL zvtU2HH-}r}cFP6rpHbPD+hf?CvU*cdJVR!k9M=(acwMXaI9*EEdHi@ob;fK&Q z1WIWS-7M(E#6|2)SI@}k@TvjCCyim@@i33`YWd)9oem8(qTYA}(M)r>A;2Lt!+CX1l>BBh_8UyQe0!5+ZPL&4)8=5!PJG95nU+?Ny$|oLG)>gI=d|QFmA({mP zrbDALTWaEn$-^T0Rqb?QZ-vS!oH1Biyc`JT(1!;=zX(Q$Kj|xd*-k6iDz!;c8~|8^ceGsSjh6h(8_Ex!azS zU+qK02jShY87JM1S@D6Sf}eYh`3&80VzfDFQ~mKH@eDn;d6A}z#$(7A2x5C&iVsQJ zlE!qr0d!$AQCA59qjQMBS$O~!)SV<1tjIaP{hZUGj!)Z;D5UT%=brY4z503-FCR#5 zdsi==^F?f|txS7=DDy_}We9sfyCt4G479Ar8qwL=7R41|orb>m#=LEm+KE@~=daw_ zONmaIv09^s4#N#m((mB`a7O+1@pc1VOfm**<6k@Gh`~N$lWy_o`(l%S-%~-j5WLsO zM0>X+*3*~KnS#6Nz=#fBfWJ?#mZOK?v)__|LE;BHr+14{?Q zl%;Iy;+;hjw+Zcl!ABs@!?Xy~|gyfx2K}rrwD4<~O zL9NxskdPvmyOVb`xOZ0_{fL^4b{&E9#ADAQupT3@1p-%aKHqcg)w#1U5fflH-X*%B~GUK!0>>c7O-u9~^gh`CFHW zgOqjEcsMKNmaNC;F1gmcG1SQUIWDe@k#cu4I_qkD(v0)~gdOh*A~7Eu3I%LJz9<1A z7Aq&H?5F+QJLdh~2AP-qwdu@gE54=@oO&MJcFJSlh;&!(wHxtf5go9dnk;avAMI-b z(pKh{r}@SgowT&`v=V6o(!kmw5^dEM@P*I3eF4?deaVE@CP&-!U^Ze#a>b{*Wp~jmDNrE*o6yW~H`wBXuw zLlD_r^_cLFXcV?+6hTdRh)7wT`fHTBtYkzwJ{fzYIL)?%s~x1!zYBKLRy2zbmwi_v zVk;sF+JhB5ai+6cFtAs7f;k=@#(6WH38A#)5kwS)u;7*O(xwAtBtONPZnbXsMdK}ZWH61fyOAV0dFK%;gA z_J-P=;Q{g9Zkq=pJ*1a;a>j#m+#yZ$NZaD2FszafxHM-im9yk=4AR19Q*o8PeUQmqM-{2x4m-rHsRYRJ$0` zDm@b7Zz02$0nQFID8J|a$QK20Y=95MGUXW2G2K0ncU%3e7JVaYgwe?7wde4&^cI|K zU8|}dI?cWWC#xT>B8Jn3m**9j3^i-4>(YD$cPATyK8h}Y$?w?{|2f6EH0=Mer<`=MJ5+n`| zg=d4upoPT^&Ry2=0oO0mQK&+BT9<~r8RZ}Fj{1z|i@J_j&<}B-^FM~p$1Y%1WBvJ< z^0rL&4K+{ZZD(I)y)kNaUCt>Svq)hJALS!P+mAxiz8e)~*#-M2d5CB4UY!vpfx1h8 z-ONd4h8rE8u+avza=|&zN$~xw1kM6jnbVD#CU)q6&B>C8Jc;0#7kn2U#V}URombW_ zsXyNc@i|1xe=;`UhOkTjbhrd|FDK#tXCAD<%2Xnt%wil3`RJR`wwP}_)T%`1B5t3< zVA3^m4xCH2JzM$}-taXDMiTj600cgXqv3l>H^`O1$D_f84}N(h+EpzL#RM`_UKWcX z%XWk7?RZ^`Ex~$Ok-L&wl>xsK7_f;KOhr#M~Er zg8h3u&)2uZ(h=~wq&G8PdfEMnCsdAfy#KzMn0xJP+WxOs(O}YHFnNQ5E-)BoojmLB zHy^gE7=Pa5H?}$h0b<#eo~@Ki#r&ZMfV*vmX$;@#?HKa&u0h6l`Lw(hb>#C1Li8xN z`ymHfpePKzW95*c>y_<;S1w>ltMgstH#0@Mq>$P%;j3a~3~BU?KGkYFX*`JJ034$VOCBFI@6*s=&4tCYK zAo;=PXJtu9<2X~YC$o=Zcj*0Kox4i8+ELa!6~~4$F9tuezy`WhME&=kPZF-TlxPf2y$)5Pt-uoPtAQdMg!-HVX$R z{DogRu0M2*%7thdc6fgJp)koB_2~zMp@ePNLd(Sj>$%V)Cm&(RbiYiWN=O1aODY5> znJvBxy8lF7a29aLEtK=E6bM$Z*0SB*)(9ODTr z)i6eFq3|0(`!fXMfMJ(}AvgP>7T9D{$4_TD&v}kCO!G*OpK#a|4D0)v34F&7`jb5c zry-lb%SWDy3U{;);nv&jz}}4P3uub{IJDg=$dkg(=-m#bisyV3d zoiA=ro5E-?9f!;r{ylKTPWIuLgWu;x(7h1n2%s}Dec;sN#Yxq^oQlidULhT4V&5wc zYtVae=Gi`J`1u4eQ5W`n?EUI5*wZ$=?qOQN%VcZD^p3ts{&5O*W$r!rHri@S=)~o+ zU+tH-ZU1ReW8hal0=Y;?5B7V#s?YY30?`R3WbhU#Y2`^=>PqM0_yJ@^3ixtO&7ct} zg9+G|CkZ5A)1NpJ4UrQVp_tsAA^J=ikOPbwi46Mk>In^u#zkbGb;(Zv*$T;cXYeu@ za2$)X4lYg<23Ghv2<~4UH9$5x5(h|29+<1HkRBEW4B0>iBKm2&D^BQ2hY7KdnKt?v z@@2fyv>3)yoIjcxAFaxWpdh9g5>Xt+=ZnGl_n_IF&VzHD5-Z%U?+>XcH~Z4F&pYQM z;&&qZs)2=EtEbKPmmGEBBSHDJm|6AQT`lG>1zC$MkWPtagekcbCfVVk;U}UKhYKuO zH*GO`En0%#_jYA5)uPR|D1&vF#RG~wtY`}3KD8N6hY-z9@yyXMZw1xMw?i#6;v)vV zYBShsTTOmmNcPB)jv#!->Dr;-p&tyG{Ozmd7n*nVSiQiZs6vqGX_E64O2>ZXQ0|D_ zeLHNrL;a)b92?A8g%_N8+%Y6P1=`r{&70d~`X@R+w3=?mjzl@M4lI}FNpLJ7Z6(91 zljr#TW2yGSC9%f@X|FpzYTei0;1C5<2IBs5qwij)P+ka-pNKD82Doz;RSs+r^g zRV^SGbnYpf^f@Wg-Uov`VUuAm-0jL8=cYL2gUIbO*i|IEjmY;nZczl^lXf}Ka;ZD= z-R-zhzg^Y&GxtN-mpweox#gg^0XwntW480+B)ziJ<|E%X>+rS%Hf}z6{ag7_HUt?? zh=N9(#odF_P)L3K`Z5wF`RZo5%Wgx7i7-#ynH=SJU-JC!1rW$Ih0CYF6Y2u!d%i_9 z8u7<*jGaPD>g&*S8{tTsnpr~b1Si6j*EimA-;j-HBi4;4g2A}c%dn87VdUuP%X$}b z&H<|t-D3I!hu+q<3-zoYoJ}4b>N5{;zIX2dJg6TY^jiDuHfB82OTt`M$&vlmqCLWf zb%#2@emyW)HGly0e)8E<;IL@m_12wF?)e5#<}|au4luIXS{qw0X3-Y8^|g%Klle{mkX^k+7o8wX8QQ1)xz_S_L306TpHx_8pcA6#95 z(2TY>CJ;n0FbA~lgg`KUJ%*XiYo*-y#)$Almf^^u4oJ>CXdZibMenHV8%^3RNAL$a zAW1t5`Sh97dPI^LhkQfaChhyV2El-^paWra+6xXu8HTJBRWy;_A-L`bBj(6yXKO_c%Ocpe|1iyal%<7AMp3Ul41&3=M-Sv%gYDc!Y#3El+kT$+F^^u-*s4 zl>kg03Dh6YJ+lt3e3{GN*dlkkB)pd|1OQssdB1n+_Rh%r7lYH}{O&Q7UY}6w7!_Hm z-@TqxMH6o!?OCxfThwT4o~)+`E2oZ^-+mQRZwEWLt}1f81$dysr|g?D9|{%=DESm& zbT%(z$RdZ&A6yRSWt!8&hwt@FS$NRn|K{Ge6B{7d^&&t%D?h=h8yxVlewB_JBzg<= zsE^l7Sdw*FKxn_Br0IyN5XhkI-hJ0@xa)AqY2e516o9f`9!%N9(uPQRv{qnJ0uMVyGFik|mgX65Q?#YDsml(k6}2p^6eli(uyfX$;NYz4sF25Lk6GJxfQ;+P94?O}~bMUw+U?E$0_Q zu1K=sj-oU1KNJvjNp|e4SoVt*yN~7R#?!bx}+#i9$tLQ1r;zfscNt>IK zn?UJhxc!_pFkFaHPZaNwh6D%fm-dyTKJa3Q&CbkWBVODH8$o8 zjDcgVe?Y$}x2g`#nC3-T^&c)x$nQ|WSAVZv`MIijVuU8U@$YOM$9LvgsA|?0-lP}I=-oHg) z1no9vpt~>y@bAvhfJ-~ zaHGm^u|ASn)GxlT;vn334iP+<*7%q+25?gr=^m|Da2bfPga08&Ox-S7>Vw4Rh(c2A z&Y-$z`063NeEkGaj2}9AhoaLlWbw`5QW;myl#2QfeqQN$jZK1_R{pmJ*_G#^=}t?Bt(7`+6loc_Z?t7? z5J`$iK8}(Gq_Ysb$q6W0qsUegofAgD?$2(EL*{kDjN1FlR0lmX)RTT@t9}~aVmTH%&j=1$I#=>fNjfHJXqDnve=A~t;jNW;0n zY#f)PG6hL4MsPPOLxDMa(t)47IlawsskmZ~Hv?2+$fDj;$-W zEaXqS1sW|aUx9#d->QvWy*O~v+!dyY4@CHuL)~$dO@O+6>v%_nW1p&uRl-&PpLVhC zjvWy{_g>+r11**W$YpMJXEy-&rq^b*bVZU1Zf03mH7b^_P%iz-griw*KM$q+aIk=g zZ3meQ_WA2aN4l9Z%mzB(pxb=3_q1``8_FtukmSDC)x18(zP{^Fcf%3Of)8Cov5-R^2O7t&>)ZQR+TEL_a$|2| zo;xde7*AWrv~SJZuk&U{%@w~r#NJos5DkiUL<*n_0$u^E90ENG!HAKtg?wV30Gm9l zI@M*MMXC;Lh?AVoLfx*iO$O$~J%W*hnL-*PEi; zvkC7mOkSB&w<~jf+(OHxaS4JYo)0d=ziL^iz)VL zipiIpz6dgS^NnQ^=B`X_0CGpdN^{Q_`_C=wO(PspGA%cMK#Uw#&+Rl|9Crpo_DFzA zUg!2F#grtEA#Cuhy@UsvFc-a-tB;}14VTyIy!Tb{w0d$gf+*DowQrAWxjY|l;hP#u zsR7ux(DRZWWa#9?fQh6B5FdC}pBsivP@LBZ=~A}z83`cHTaq*!tG1o0WG>>Sz@hcw8tO{TuqXqP2-itT!z&-6AL5mGNEj@IN19qL4> z6Otl`^>k<@CzySv>;f=t`H@c7Xf%Z3p{f+Vz}-+OcW^|&5W9RlG8Ba`{mj9g_R+2V z#aKiQKuEM9JKV3?E(pSC8NzI9ft*r0e1io}?>f>ike?l!J_n%fxld5-eFzSv{-?9_ zM_2)^0mysv-ppC8yewc{`p3_hILP`Q6<`uA&`UB~Y1dvFMJFe#z)*^FIh;U46KN=2 zXm;sb6z47Exm^H5SypE83+Y8jFH5w?bqYJ(Gwln)>B&zFk!un>9Y2=?|6}rVt&rlu z39h4aqdv#7ujI}*uC_oTTst?yZglb%4(An+m&mF3b+T=j1Jbd5si1ojN^{Wt(au}u zu8#@=am)tzlniRoJ{SnLav*fmW>;e79{mUqF1MqUxS7~T$YhN@y%VD3J~VSOL|?Ne z!6)cjIqf-3>Hq8rQmCF`5BjD+cbX?b4IY#cD`*e2m5!Sxj1#Hv3 zin5C{W39DgUOo_IH4g7Peoq%+prCsT)74fj>f(USX2A0%I2~;xU$RH*&$g|z>bnru z$Ry+kBfp?yi8@%=;Jm^*eZ=$-BVSeaLab3B4@0 zU};Cq##+z(TY|jayEKJK&wq&_BzLT@mPRgy$6QWxA@?)8h#&&>a(0|8x)T`iEprgE zBx1GUi90ZCTQXcKoS%p3W#*P4WDO7ZUBk-M6QD+z>8rsd?a3M9VjM2=-qvSeo`48; zdhUHaz}|G}bhl8Lb^Lyn?+Gir#LF}-5?OG<0i6fBDC8{h;VlDTr%k_8qBm{`E3 zsY%~aoDFXvKwDBvxMprQLgS~@qhH1@1GPD!gU7 z zKRlv8)uyKuJ<|L{cE7kNX^5tf?>5g<$u3VtXX%#6Ye4p>-=WvfeM4aNl8nP`a-yYvuwiFyE@Q*b+AkLI}l zFnuDc1TWeOokNy+W>0Nff^_j}Ugr~Ht6qk4&CHu`*WLMr13mUoJw!P``+4TGKfXb~d z_WuGW>X-k?4XtH+n`HKURH4(;tPzuc*1~aGBM&={+U0IJ1rFUMnh@0VBF_LX|G4_K z$P-zk{Z=DbFeVNe<1GqjHzBqvprTH2!~vyNv@dU{eu2~Qp^eLeOsHXg`scYYV9Oq9 zAO~CW-Wju>2F6lO?$T#7j-?T3v*kV5bT|o)@>l&(>?ydyoNOZwio(xEi38O&(Vn{q zBly9#PZ9ocnWdpV$#rgOP{j7fWlhxIiEBEdx**HF^EKJqj{H8Wy4D4tmgi=(^HFqR z=0)1lMNuICK0VrVtX41CU5rYWS({8sJT4AdH{NIoxx?e_bJ{I0)miS1d*1Rmr$ye@ zDadHi8F`Hu(e|g&g?Np%;3Y~k1>dRAd6g7G;*B`eHUQih8(G``f^Cx8bD!3;R8_p+@5 zp+_7X47B`a>IUFGkvi!Pq)I7D_DVHIm2RcpTiB(Fcl)0G`emk*2+cN%C?=2}RzFty02em=3;T_hN7vea>VVR_4Ce`&PDe~tF(Si#08r+-3bmC%kZ1&*tc~3;=5UupXQhBLm z!o=~f$%A!yHIS+9zn$NOmJ33$CgN+U)MGHISHetIitgoJeq}C~jgiFwWnfE^6V%TG zwC#O~3ku}_V^L11MaLyi*9vH80i$V&>m*Wn@W?Id287{&AJS_9$Z69lB+ z0iwD)V{#I4aNsRoaHXM3%InD!7$581@CQ^>n?e>Iv_@HuF5OEDbvBSd)GeIk0#-Uw zJE!UN_Ro||I-V+@{eE$Z^3n%j3l6+yLVX}6b`w9^qil=+z~htqsITCME1|i*|7?3& z^(*-;iuUoxK{sxVrO=GJ)PagdryU@Zz~3t`c^JI`>RgHXMe~p#sAwhYP)Hw4neYne zu8(e}w?*lJv2Biiu`99rZaCWHI-)DTpza=!#ReUlitU3tfW|l5mAI##GzOp?L1yej!AGgoh~7 zLcM}31WnvN+b1zc5U2eFAjqPmohrzLi{spqEb0JwTqN%7T4O*NQ}{k+u1db+SA{9O zsuQa4i#V4uROcX0=fydg15R_{G|jdswQbb8hAB-{NMi`GJY*T4`bPop7hY}xV|%nW zt{82zZvn8Gt;3|FePWInP#Y^rux^!{FPq+^ecU!<%SKoy+ATmlh=(S|P_qbyNItMW5Gxm+no+A4 zh`{o15#PE(+1+h8C%Yr_m6Dbe?c&ciCgjb)IO`l=P>q*mX6iA3r;LzW*vk7I~u33(y0+HE1j z)S2LkkZ|HqbbggMOt`RFUy?Es>;hz^>IEgODepc5?P9X~z%`Sxr*eg2M2S_8KS8a5 z*!07)88oDu1@FMKj(8tEOIh!CSjb@)YWoy&+*M!3R{S9y>>Mrtz* zA;ea@reKL+R;)VYXGwi`jsGk_P9UoojQRyg5rHAz{=pqcMro+x+g(<3ysocCzI9I*@6^aK}D%aUG(t@-Hzv>QrS2? zjm^&tjv&>-49k8D?s7va7%Gc;u16iPb35N87)rSUgOq@4kt9C?$33Etmh4Cw9o`C- zE@P07;`K^L5&*pht^;se7HfkJC{YgP6t?h}%NOepBLgF{ZQ`G*(4-)n0f)%;tS|{_ z4yby8G=ZV+f*qiiHFD&~lq9s9C=>U0R_>py-1U>MkK9B>Fi26s5W5r2FH~xqwmHrnioHa+DFeh} zp&rH+DjgvCBU6m#4#gWVJQk6+cJO`8t8jY_J7biGJ0>Rj3>v!;%?h~xkh|S8_36|E zdS+leh+bCe6G)3=?+G(SzH|g=f!=kahz%@s*SQYxAonz9e|%daI_GBoZr!>={wI$f zI_FFgZ(gKMPG3O=Hu@$8+|KO&U-UOzM1@f^nk_0FK$JzP+kzucfU^bPxeD@dEH=Xp z{-KE{0W>(y8H>!^9oeuasA-QaKM|W%VQi&q^iwgT)fGj7U`@d5(Sq@3Vc^~9z$ zszEi70@kt-StV=D3)njQL{1`^nsbDe_M9CPqX^hV{DEIzK6tKXAqJZo8pk}!-5*7n&$8ZtIjuB z#PUjhMv+HUORE5Bra|7vArybX9OYS!rM#}RX#A2lWkZ_y2h&#BJo6uKPH!i^+i?`g zFfbo?2nq&S!=xy`5e9C1{YP>U=a*&q2Q~T^V3v4pQkc?+(zP488})=YopPp3oDMcf z<>pmZ%0@eqh{4j};{yNaKxB>fL-eD3Owlew8P~;Ppw2ie$wC`ac>Q0DP59?LyUxcO z3xHU3&HmKxf+xNGPynePgCsMLya4PA1jRzW9IB;6IOA{>v9O}i8Zn$$Y;*)BnO0-+ zg_rPGNN^yhrz^*`o<}dVnb8Ab`XH@)V1!AUk`%Mnb^6kcUs>Rg!$G)Wpnm%^LMnzR z;E!t5iV>7d$a_@!t+||kDJ8ra#?^lar7t%O!#2AwG5Z*1%KZrm_csVjw9nMT+WY_ryW$JU_pM1Ht_NheERD z1)D2lsagaW_``3$@rcIH6ovxDrAg+ut@@dB)$Gt52mK7HEk)tpUJA9v7XK0aH-Ij7 zSe@i<-j?Kqj_78RpLx|n&8>Dsjo!pleVA%mm_g`|>2W=$YRSVtI~@+STYQ0!v3!c0u|CMt$zmivKl8%S}U-mWuu6>vHhNuLjXT zIDm4{G$?02p=5rC0*zuP&_?tQ_#!L<+sTS}Kw(kKv$e*RqB;sY!Ls|+0m`t25$hhv*tjT<<#*vMuBh>X1QR5MJ41h?!EnJlo*^FG43_$1GbQXr7jP$#k369#Z zn;)fAok*_%<_8yz7JxZ#xrp|I&YB68fw?HdY|4TvsUgrDpS!blGt*^?j2=d$i1#hj z$OA|JLE+<4w+0U<0D}?{7n_mdQpXbk5?%r84Ei~4O!+yPDr~30v%7cEnW`ZRx{Zzoi@ z|Kz1lR7v?S9y?i?0xT0mg+>Gdo;VNVe4i+-A>%fRQ~jS*3uw(_*x-@SRS4vfk0=&# zcoBJG3wR>9O=4~nU%}%PnIK)!q`c?vdL(2q>X5+)V8ll^W|sV+Sr>-Fl-CP)c;kX3 z>wQWJO_t|PsXiPbdK1W=0%3xM@}R&tzyOD##$p->8rMWX93eH~cxt;&?t(QcyqQTZ zyNV_T?-&J1aOv%)dJTA0goZ8ydj>H7_Mk~(0wguAQc}afVr+47IuabE`h}`UfxQ9# znVGCL_0TlZ?P*Q!0MCixy;AyB{f*$#jGc#D7{X@(R{)*#sMRd+A?20O1`eX9Cx^dF zQb({0DPhR_xq~g`?is87;uXbo!k`06wj%Y%vcYe#w|6w1cxcQ-U8Cq?n5n?VR2k|_ zNeGez;YEP(dcOQ8Zi9zzVR53!1CPA0&#iLiBzI2WrM7gNkoZ!09&P$7Dsgj^}+{dygKOk zDM^X;3oAc>Yf(0R=u-CDZxJU+{QMDWS54?V3t>lq!E6AK9kPI;NauLq)p0xrhJ3OF zDIBQB9=2%Ik5p*Wq8y=hq!Vz4cETmn)PcxAdP9qHPI#pnw6$XMANmD9zz0DO137o2 z?|k$Q>aztkwr&}XP&N(k|9S`3OSFt1I@qEma3KNsoCgq2_AW-1H{W=fF^O~#_+`76 z)voHymo3~DQO##;h6F46cAyj(_nh;mpza(A?@x?R)8H6#<`OIiS8b!H)?}T{zs9K!zG$1xZjU$lJ-GLX4%v8yY&r>=GRDnpe zvah#Ne6YQ}EhV!{?hTIOEw0C00|9+~S{d1PFoP`g02V+M$!c7c0SX7lK4+<V2W^2m|K1Mj{v^ zfc_UidnUY9NM-&rvz8vMc`hup zjDF!+rWH^rOY8U@XV_Ps6m)qHMuCGiB&SuOdq6ux{-FC{1|+%4Q{)p#(yPrq$;>4M>B{14%!@LOQ>9FG~VHSa)zuJE2ELZJfIqAk1Xng6@drGzx1H zekgq$7+qT#JdvLZPbw2bICsmAvu(Qby<@}qgPa~({)&E7oDu)gPE;O(^r<99ZTJECjV<|NCNPSLP;U?Avpbpzz^TY(qh%ah zo-S660=@RoqTL|PkqpSn^(#rpiJ=VRFE%F{RU@63^+)dnTwTKAB9zDTST!N0>2wRXQ6vR=ElmR?(>P^~O51(Q@(=%!C0RUz{^X-|G;ldOn?%U=0oMs5D@AVRmdvoGFfR=oCDCZSkRTo;@v#hI|H zchw<9u{)&~h|1r=?@tfOXX1W04g&0TJviYZsjKJf9vIdWJx-7zqk6{< z%x_0;ebTb~=T&d^W+>7*+zEM#>r>%g@|F7Hlo$ene^8ajG_kyE0$fUGXO}u^-j)XW zwCb#dC5=84_Z2}sGmZsEa+P7QJlldExeCBiTFV4zzyiv&nnUhW6f~Vs9N{ctTutdn zkFs8!e(ky7Ry;O!yULi>vRDk$40Xj`O|`90^qBdnAT#U=0{r4#?oyo6-^Yit1kelA z5_*9O?_N8hR6Rk_I}Cw~Z5}Qc(W> zd@LA-P^WlmEyMHIAjVF@`UF|n|KC9J=~$DD^cf>cb>x2*h@^r0N{rHrRi!Xi{xkL* z0en$zDr3!GZ&-u#-Odoa7rQR%Q=3-){rSHwLYx0@i_jVPe{hN#!h1rLJXZSCd6xex zmn1n-`|6VYWRz99hcX;eGmh+_rC&;(tIhcyV{5d8-|{$uU0H7T99j7_++$4(N?^#y z6}N3_#-o|y?i0{GsjJ!q8Td2w0wbRgXk>Jf4z$m6?=1cT%2kvndTtvb2~-5&i<~$AuP206F)G|-s2?rBO0-NH|C;^J z7YN=pJhtn%i5imDuRJ2l`}}?^MU@cu;*02@ihv;`p*d_ zieDR-NycQ!7i|i4^p67h`_by&sE+%O0wLX4zwNJ4Rq}8e=Kih42!B6XdaZci_s&() z{5>i;&+Bf}|5eg|KlgDXo86`kz_)W8(kW z;s2jI9xDso0a2a{!^)oj@h}M;>K(I6p3uFJq($(ySdRG3-u&a~;rH?4i_|_e3jD`y zrTBXn*KdoTc3fj`|K$P}c->@>O1u(6C9ePdzN_G?*0uNl{U_>+SRsTiex{FZJNWO1 z(QJX_i=KaOO8y^5@)S7stQHQG@}~b8ER5pcME>o_-(vJnwEmruzqQIgt@U3Gi&Xi) zGxG0@{5vC*75L|(tQ8*or6vCPTK~M?zr=y*|C=+?;rW*Qw)l}Y9cCT;ck-C}(fGrc GZv9`RA2Y%L literal 0 HcmV?d00001 diff --git a/charts/jfrog/artifactory-ha/107.104.6/questions.yml b/charts/jfrog/artifactory-ha/107.104.6/questions.yml new file mode 100644 index 000000000..14e9024e6 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/questions.yml @@ -0,0 +1,424 @@ +questions: +# Advance Settings +- variable: artifactory.masterKey + default: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + description: "Artifactory master key. For security reasons, we strongly recommend you generate your own master key using this command: 'openssl rand -hex 32'" + type: string + label: Artifactory master key + group: "Security Settings" + +# Container Images +- variable: defaultImage + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + show_subquestion_if: false + group: "Container Images" + subquestions: + - variable: initContainerImage + default: "docker.bintray.io/alpine:3.12" + description: "Init image name" + type: string + label: Init image name + - variable: artifactory.image.repository + default: "docker.bintray.io/jfrog/artifactory-pro" + description: "Artifactory image name" + type: string + label: Artifactory Image Name + - variable: artifactory.image.version + default: "7.6.3" + description: "Artifactory image tag" + type: string + label: Artifactory Image Tag + - variable: nginx.image.repository + default: "docker.bintray.io/jfrog/nginx-artifactory-pro" + description: "Nginx image name" + type: string + label: Nginx Image Name + - variable: nginx.image.version + default: "7.6.3" + description: "Nginx image tag" + type: string + label: Nginx Image Tag + - variable: imagePullSecrets + description: "Image Pull Secret" + type: string + label: Image Pull Secret + +# Services and LoadBalancing Settings +- variable: artifactory.node.replicaCount + default: "2" + description: "Number of Secondary Nodes" + type: string + label: Number of Secondary Nodes + show_subquestion_if: true + group: "Services and Load Balancing" +- variable: ingress.enabled + default: false + description: "Expose app using Layer 7 Load Balancer - ingress" + type: boolean + label: Expose app using Layer 7 Load Balancer + show_subquestion_if: true + group: "Services and Load Balancing" + required: true + subquestions: + - variable: ingress.hosts[0] + default: "xip.io" + description: "Hostname to your artifactory installation" + type: hostname + required: true + label: Hostname + +# Nginx Settings +- variable: nginx.enabled + default: true + description: "Enable nginx server" + type: boolean + label: Enable Nginx Server + group: "Services and Load Balancing" + required: true + show_if: "ingress.enabled=false" +- variable: nginx.service.type + default: "LoadBalancer" + description: "Nginx service type" + type: enum + required: true + label: Nginx Service Type + show_if: "nginx.enabled=true&&ingress.enabled=false" + group: "Services and Load Balancing" + options: + - "ClusterIP" + - "NodePort" + - "LoadBalancer" +- variable: nginx.service.loadBalancerIP + default: "" + description: "Provide Static IP to configure with Nginx" + type: string + label: Config Nginx LoadBalancer IP + show_if: "nginx.enabled=true&&nginx.service.type=LoadBalancer&&ingress.enabled=false" + group: "Services and Load Balancing" +- variable: nginx.tlsSecretName + default: "" + description: "Provide SSL Secret name to configure with Nginx" + type: string + label: Config Nginx SSL Secret + show_if: "nginx.enabled=true&&ingress.enabled=false" + group: "Services and Load Balancing" +- variable: nginx.customArtifactoryConfigMap + default: "" + description: "Provide configMap name to configure Nginx with custom `artifactory.conf`" + type: string + label: ConfigMap for Nginx Artifactory Config + show_if: "nginx.enabled=true&&ingress.enabled=false" + group: "Services and Load Balancing" + +# Artifactory Storage Settings +- variable: artifactory.persistence.size + default: "50Gi" + description: "Artifactory persistent volume size" + type: string + label: Artifactory Persistent Volume Size + required: true + group: "Artifactory Storage" +- variable: artifactory.persistence.type + default: "file-system" + description: "Artifactory persistent volume size" + type: enum + label: Artifactory Persistent Storage Type + required: true + options: + - "file-system" + - "nfs" + - "google-storage" + - "aws-s3" + group: "Artifactory Storage" + +#Storage Type Settings +- variable: artifactory.persistence.nfs.ip + default: "" + type: string + group: "Artifactory Storage" + label: NFS Server IP + description: "NFS server IP" + show_if: "artifactory.persistence.type=nfs" +- variable: artifactory.persistence.nfs.haDataMount + default: "/data" + type: string + label: NFS Data Directory + description: "NFS data directory" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=nfs" +- variable: artifactory.persistence.nfs.haBackupMount + default: "/backup" + type: string + label: NFS Backup Directory + description: "NFS backup directory" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=nfs" +- variable: artifactory.persistence.nfs.dataDir + default: "/var/opt/jfrog/artifactory-ha" + type: string + label: HA Data Directory + description: "HA data directory" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=nfs" +- variable: artifactory.persistence.nfs.backupDir + default: "/var/opt/jfrog/artifactory-backup" + type: string + label: HA Backup Directory + description: "HA backup directory " + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=nfs" +- variable: artifactory.persistence.nfs.capacity + default: "200Gi" + type: string + label: NFS PVC Size + description: "NFS PVC size " + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=nfs" + +#Google storage settings +- variable: artifactory.persistence.googleStorage.bucketName + default: "artifactory-ha-gcp" + type: string + label: Google Storage Bucket Name + description: "Google storage bucket name" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=google-storage" +- variable: artifactory.persistence.googleStorage.identity + default: "" + type: string + label: Google Storage Service Account ID + description: "Google Storage service account id" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=google-storage" +- variable: artifactory.persistence.googleStorage.credential + default: "" + type: string + label: Google Storage Service Account Key + description: "Google Storage service account key" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=google-storage" +- variable: artifactory.persistence.googleStorage.path + default: "artifactory-ha/filestore" + type: string + label: Google Storage Path In Bucket + description: "Google Storage path in bucket" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=google-storage" +# awsS3 storage settings +- variable: artifactory.persistence.awsS3.bucketName + default: "artifactory-ha-aws" + type: string + label: AWS S3 Bucket Name + description: "AWS S3 bucket name" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=aws-s3" +- variable: artifactory.persistence.awsS3.region + default: "" + type: string + label: AWS S3 Bucket Region + description: "AWS S3 bucket region" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=aws-s3" +- variable: artifactory.persistence.awsS3.identity + default: "" + type: string + label: AWS S3 AWS_ACCESS_KEY_ID + description: "AWS S3 AWS_ACCESS_KEY_ID" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=aws-s3" +- variable: artifactory.persistence.awsS3.credential + default: "" + type: string + label: AWS S3 AWS_SECRET_ACCESS_KEY + description: "AWS S3 AWS_SECRET_ACCESS_KEY" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=aws-s3" +- variable: artifactory.persistence.awsS3.path + default: "artifactory-ha/filestore" + type: string + label: AWS S3 Path In Bucket + description: "AWS S3 path in bucket" + group: "Artifactory Storage" + show_if: "artifactory.persistence.type=aws-s3" + +# Database Settings +- variable: postgresql.enabled + default: true + description: "Enable PostgreSQL" + type: boolean + required: true + label: Enable PostgreSQL + group: "Database Settings" + show_subquestion_if: true + subquestions: + - variable: postgresql.postgresqlPassword + default: "" + description: "PostgreSQL password" + type: password + required: true + label: PostgreSQL Password + group: "Database Settings" + show_if: "postgresql.enabled=true" + - variable: postgresql.persistence.size + default: 20Gi + description: "PostgreSQL persistent volume size" + type: string + label: PostgreSQL Persistent Volume Size + show_if: "postgresql.enabled=true" + - variable: postgresql.persistence.storageClass + default: "" + description: "If undefined or null, uses the default StorageClass. Default to null" + type: storageclass + label: Default StorageClass for PostgreSQL + show_if: "postgresql.enabled=true" + - variable: postgresql.resources.requests.cpu + default: "200m" + description: "PostgreSQL initial cpu request" + type: string + label: PostgreSQL Initial CPU Request + show_if: "postgresql.enabled=true" + - variable: postgresql.resources.requests.memory + default: "500Mi" + description: "PostgreSQL initial memory request" + type: string + label: PostgreSQL Initial Memory Request + show_if: "postgresql.enabled=true" + - variable: postgresql.resources.limits.cpu + default: "1" + description: "PostgreSQL cpu limit" + type: string + label: PostgreSQL CPU Limit + show_if: "postgresql.enabled=true" + - variable: postgresql.resources.limits.memory + default: "1Gi" + description: "PostgreSQL memory limit" + type: string + label: PostgreSQL Memory Limit + show_if: "postgresql.enabled=true" +- variable: database.type + default: "postgresql" + description: "xternal database type (postgresql, mysql, oracle or mssql)" + type: enum + required: true + label: External Database Type + group: "Database Settings" + show_if: "postgresql.enabled=false" + options: + - "postgresql" + - "mysql" + - "oracle" + - "mssql" +- variable: database.url + default: "" + description: "External database URL. If you set the url, leave host and port empty" + type: string + label: External Database URL + group: "Database Settings" + show_if: "postgresql.enabled=false" +- variable: database.host + default: "" + description: "External database hostname" + type: string + label: External Database Hostname + group: "Database Settings" + show_if: "postgresql.enabled=false" +- variable: database.port + default: "" + description: "External database port" + type: string + label: External Database Port + group: "Database Settings" + show_if: "postgresql.enabled=false" +- variable: database.user + default: "" + description: "External database username" + type: string + label: External Database Username + group: "Database Settings" + show_if: "postgresql.enabled=false" +- variable: database.password + default: "" + description: "External database password" + type: password + label: External Database Password + group: "Database Settings" + show_if: "postgresql.enabled=false" + +# Advance Settings +- variable: advancedOptions + default: false + description: "Show advanced configurations" + label: Show Advanced Configurations + type: boolean + show_subquestion_if: true + group: "Advanced Options" + subquestions: + - variable: artifactory.primary.resources.requests.cpu + default: "500m" + description: "Artifactory primary node initial cpu request" + type: string + label: Artifactory Primary Node Initial CPU Request + - variable: artifactory.primary.resources.requests.memory + default: "1Gi" + description: "Artifactory primary node initial memory request" + type: string + label: Artifactory Primary Node Initial Memory Request + - variable: artifactory.primary.javaOpts.xms + default: "1g" + description: "Artifactory primary node java Xms size" + type: string + label: Artifactory Primary Node Java Xms Size + - variable: artifactory.primary.resources.limits.cpu + default: "2" + description: "Artifactory primary node cpu limit" + type: string + label: Artifactory Primary Node CPU Limit + - variable: artifactory.primary.resources.limits.memory + default: "4Gi" + description: "Artifactory primary node memory limit" + type: string + label: Artifactory Primary Node Memory Limit + - variable: artifactory.primary.javaOpts.xmx + default: "4g" + description: "Artifactory primary node java Xmx size" + type: string + label: Artifactory Primary Node Java Xmx Size + - variable: artifactory.node.resources.requests.cpu + default: "500m" + description: "Artifactory member node initial cpu request" + type: string + label: Artifactory Member Node Initial CPU Request + - variable: artifactory.node.resources.requests.memory + default: "2Gi" + description: "Artifactory member node initial memory request" + type: string + label: Artifactory Member Node Initial Memory Request + - variable: artifactory.node.javaOpts.xms + default: "1g" + description: "Artifactory member node java Xms size" + type: string + label: Artifactory Member Node Java Xms Size + - variable: artifactory.node.resources.limits.cpu + default: "2" + description: "Artifactory member node cpu limit" + type: string + label: Artifactory Member Node CPU Limit + - variable: artifactory.node.resources.limits.memory + default: "4Gi" + description: "Artifactory member node memory limit" + type: string + label: Artifactory Member Node Memory Limit + - variable: artifactory.node.javaOpts.xmx + default: "4g" + description: "Artifactory member node java Xmx size" + type: string + label: Artifactory Member Node Java Xmx Size + +# Internal Settings +- variable: installerInfo + default: '\{\"productId\": \"RancherHelm_artifactory-ha/7.17.5\", \"features\": \[\{\"featureId\": \"Partner/ACC-007246\"\}\]\}' + type: string + group: "Internal Settings (Do not modify)" diff --git a/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-2xlarge.yaml b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-2xlarge.yaml new file mode 100644 index 000000000..92953faec --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-2xlarge.yaml @@ -0,0 +1,185 @@ +############################################################################################## +# The 2xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +############################################################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 6 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "4" + memory: 20Gi + limits: + # cpu: "20" + memory: 24Gi + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=200 + -Dartifactory.async.poolMaxQueueSize=100000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=200 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + + tomcat: + connector: + maxThreads: 800 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 200 + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: "2" + memory: 2Gi + limits: + # cpu: "12" + memory: 4Gi + +frontend: + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 1Gi + +metadata: + database: + maxOpenConnections: 200 + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 2Gi + +onemodel: + resources: + requests: + cpu: 225m + memory: 180Mi + limits: + # cpu: "1" + memory: 250Mi + +event: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +access: + tomcat: + connector: + maxThreads: 200 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 200 + resources: + requests: + cpu: 1 + memory: 2Gi + limits: + # cpu: 2 + memory: 4Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +observability: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +jfconnect: + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + # cpu: "1" + memory: 250Mi + +topology: + resources: + requests: + cpu: 100m + memory: 1000Mi + limits: + memory: 1500Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + +nginx: + replicaCount: 3 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "6Gi" + limits: + # cpu: "14" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "5000" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 256Gi + cpu: "64" + limits: + memory: 256Gi + # cpu: "128" diff --git a/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-large.yaml b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-large.yaml new file mode 100644 index 000000000..e61424854 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-large.yaml @@ -0,0 +1,185 @@ +############################################################################################## +# The large sizing +# This size is intended for large organizations. It can be increased with adding replicas or moving to the large sizing +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +############################################################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 3 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 10Gi + limits: + # cpu: "14" + memory: 12Gi + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=80 + -Dartifactory.async.poolMaxQueueSize=20000 + -Dartifactory.http.client.max.total.connections=100 + -Dartifactory.http.client.max.connections.per.route=100 + -Dartifactory.access.client.max.connections=125 + -Dartifactory.metadata.event.operator.threads=4 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=524288 + -XX:MaxDirectMemorySize=512m + + tomcat: + connector: + maxThreads: 500 + extraConfig: 'acceptCount="800" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 100 + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + tomcat: + connector: + maxThreads: 125 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 100 + resources: + requests: + cpu: 1 + memory: 2Gi + limits: + # cpu: 2 + memory: 3Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 400m + memory: 800Mi + limits: + # cpu: "8" + memory: 2Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + database: + maxOpenConnections: 100 + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +onemodel: + resources: + requests: + cpu: 200m + memory: 160Mi + limits: + # cpu: "1" + memory: 250Mi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +topology: + resources: + requests: + cpu: 100m + memory: 1000Mi + limits: + memory: 1500Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "1" + memory: "500Mi" + limits: + # cpu: "4" + memory: "1Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "600" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 64Gi + cpu: "16" + limits: + memory: 64Gi + # cpu: "32" diff --git a/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-medium.yaml b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-medium.yaml new file mode 100644 index 000000000..2ace23f00 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-medium.yaml @@ -0,0 +1,185 @@ +#################################################################################### +# The medium sizing +# This size is just 2 replicas of the small size. Vertical sizing of all services is not changed +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 2 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 200m + memory: 500Mi + limits: + # cpu: "2" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + database: + maxOpenConnections: 50 + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +onemodel: + resources: + requests: + cpu: 175m + memory: 140Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +access: + tomcat: + connector: + maxThreads: 75 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 50 + resources: + requests: + cpu: 1 + memory: 1.5Gi + limits: + # cpu: 1.5 + memory: 2Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +topology: + resources: + requests: + cpu: 100m + memory: 600Mi + limits: + memory: 900Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "200" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 32Gi + cpu: "8" + limits: + memory: 32Gi + # cpu: "16" \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-small.yaml b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-small.yaml new file mode 100644 index 000000000..2900cb080 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-small.yaml @@ -0,0 +1,184 @@ +############################################################################################## +# The small sizing +# This is the size recommended for running Artifactory for small teams +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +############################################################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 200m + memory: 500Mi + limits: + # cpu: "2" + memory: 1Gi + +access: + tomcat: + connector: + maxThreads: 75 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 50 + resources: + requests: + cpu: 500m + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + database: + maxOpenConnections: 50 + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +onemodel: + resources: + requests: + cpu: 125m + memory: 120Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +topology: + resources: + requests: + cpu: 50m + memory: 600Mi + limits: + memory: 900Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "100" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 16Gi + cpu: "4" + limits: + memory: 16Gi + # cpu: "10" diff --git a/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-xlarge.yaml b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-xlarge.yaml new file mode 100644 index 000000000..140a3903e --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-xlarge.yaml @@ -0,0 +1,184 @@ +############################################################################################## +# The xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +############################################################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 4 + + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 14Gi + limits: + # cpu: "14" + memory: 16Gi + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=160 + -Dartifactory.async.poolMaxQueueSize=50000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=150 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + tomcat: + connector: + maxThreads: 600 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 150 + # Require multiple Artifactory pods to run on separate nodes + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + tomcat: + connector: + maxThreads: 150 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 150 + resources: + requests: + cpu: 1 + memory: 2Gi + limits: + # cpu: 2 + memory: 4Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 400m + memory: 1Gi + limits: + # cpu: "8" + memory: 2Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + database: + maxOpenConnections: 150 + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +onemodel: + resources: + requests: + cpu: 250m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +topology: + resources: + requests: + cpu: 100m + memory: 1000Mi + limits: + memory: 1500Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "4Gi" + limits: + # cpu: "12" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "2000" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 128Gi + cpu: "32" + limits: + memory: 128Gi + # cpu: "64" diff --git a/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-xsmall.yaml b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-xsmall.yaml new file mode 100644 index 000000000..f10e78b5d --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/sizing/artifactory-xsmall.yaml @@ -0,0 +1,186 @@ +############################################################################################## + +# The xsmall sizing +# This is the minimum size recommended for running Artifactory +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +############################################################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 3Gi + limits: + # cpu: "10" + memory: 4Gi + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=10 + -Dartifactory.async.poolMaxQueueSize=2000 + -Dartifactory.http.client.max.total.connections=20 + -Dartifactory.http.client.max.connections.per.route=20 + -Dartifactory.access.client.max.connections=15 + -Dartifactory.metadata.event.operator.threads=2 + -XX:MaxMetaspaceSize=400m + -XX:CompressedClassSpaceSize=96m + -Djdk.nio.maxCachedBufferSize=131072 + -XX:MaxDirectMemorySize=128m + tomcat: + connector: + maxThreads: 50 + extraConfig: 'acceptCount="200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 15 + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + tomcat: + connector: + maxThreads: 15 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 15 + resources: + requests: + cpu: 500m + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 50m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + database: + maxOpenConnections: 15 + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "2" + memory: 1Gi + +onemodel: + resources: + requests: + cpu: 125m + memory: 100Mi + limits: + # cpu: "2" + memory: 500Mi + +event: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +topology: + resources: + requests: + cpu: 50m + memory: 500Mi + limits: + memory: 800Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + # cpu: "1" + memory: "250Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "50" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 8Gi + cpu: "2" + limits: + memory: 8Gi + # cpu: "8" \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/NOTES.txt b/charts/jfrog/artifactory-ha/107.104.6/templates/NOTES.txt new file mode 100644 index 000000000..30dfab8b8 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/NOTES.txt @@ -0,0 +1,149 @@ +Congratulations. You have just deployed JFrog Artifactory HA! + +{{- if .Values.artifactory.masterKey }} +{{- if and (not .Values.artifactory.masterKeySecretName) (eq .Values.artifactory.masterKey "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF") }} + + +***************************************** WARNING ****************************************** +* Your Artifactory master key is still set to the provided example: * +* artifactory.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF * +* * +* You should change this to your own generated key: * +* $ export MASTER_KEY=$(openssl rand -hex 32) * +* $ echo ${MASTER_KEY} * +* * +* Pass the created master key to helm with '--set artifactory.masterKey=${MASTER_KEY}' * +* * +* Alternatively, you can use a pre-existing secret with a key called master-key with * +* '--set artifactory.masterKeySecretName=${SECRET_NAME}' * +******************************************************************************************** +{{- end }} +{{- end }} + +{{- if .Values.artifactory.joinKey }} +{{- if eq .Values.artifactory.joinKey "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" }} + + +***************************************** WARNING ****************************************** +* Your Artifactory join key is still set to the provided example: * +* artifactory.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE * +* * +* You should change this to your own generated key: * +* $ export JOIN_KEY=$(openssl rand -hex 32) * +* $ echo ${JOIN_KEY} * +* * +* Pass the created master key to helm with '--set artifactory.joinKey=${JOIN_KEY}' * +* * +******************************************************************************************** +{{- end }} +{{- end }} + + +{{- if .Values.artifactory.setSecurityContext }} +****************************************** WARNING ********************************************** +* From chart version 107.84.x, `setSecurityContext` has been renamed to `podSecurityContext`, * + please change your values.yaml before upgrade , For more Info , refer to 107.84.x changelog * +************************************************************************************************* +{{- end }} + +{{- if and (or (or (or (or (or ( or ( or ( or (or (or ( or (or .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName) .Values.systemYamlOverride.existingSecret) (or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled)) .Values.aws.licenseConfigSecretName) .Values.artifactory.persistence.customBinarystoreXmlSecret) .Values.access.customCertificatesSecretName) .Values.systemYamlOverride.existingSecret) .Values.artifactory.license.secret) .Values.artifactory.userPluginSecrets) (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey)) (and .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName)) (or .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName)) .Values.artifactory.unifiedSecretInstallation }} +****************************************** WARNING ************************************************************************************************** +* The unifiedSecretInstallation flag is currently enabled, which creates the unified secret. The existing secrets will continue as separate secrets.* +* Update the values.yaml with the existing secrets to add them to the unified secret. * +***************************************************************************************************************************************************** +{{- end }} + +{{- if .Values.postgresql.enabled }} + +DATABASE: +To extract the database password, run the following +export DB_PASSWORD=$(kubectl get --namespace {{ .Release.Namespace }} $(kubectl get secret --namespace {{ .Release.Namespace }} -o name | grep postgresql) -o jsonpath="{.data.postgresql-password}" | base64 --decode) +echo ${DB_PASSWORD} +{{- end }} + +SETUP: +1. Get the Artifactory IP and URL + + {{- if contains "NodePort" .Values.nginx.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "artifactory-ha.nginx.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT/ + + {{- else if contains "LoadBalancer" .Values.nginx.service.type }} + NOTE: It may take a few minutes for the LoadBalancer public IP to be available! + + You can watch the status of the service by running 'kubectl get svc -w {{ template "artifactory-ha.nginx.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.nginx.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP/ + + {{- else if contains "ClusterIP" .Values.nginx.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "component={{ .Values.nginx.name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080:80 + echo http://127.0.0.1:8080 + + {{- end }} + +2. Open Artifactory in your browser + Default credential for Artifactory: + user: admin + password: password + + {{- if .Values.artifactory.license.secret }} + +3. Artifactory license(s) is deployed as a Kubernetes secret. This method is relevant for initial deployment only! + Updating the license should be done via Artifactory UI or REST API. If you want to keep managing the artifactory license using the same method, you can use artifactory.copyOnEveryStartup in values.yaml. + + {{- else }} + +3. Add HA licenses to activate Artifactory HA through the Artifactory UI + NOTE: Each Artifactory node requires a valid license. See https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup for more details. + + {{- end }} + +{{ if or .Values.artifactory.primary.javaOpts.jmx.enabled .Values.artifactory.node.javaOpts.jmx.enabled }} +JMX configuration: +{{- if not (contains "LoadBalancer" .Values.artifactory.service.type) }} +If you want to access JMX from you computer with jconsole, you should set ".Values.artifactory.service.type=LoadBalancer" !!! +{{ end }} + +1. Get the Artifactory service IP: +{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} +export PRIMARY_SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.primary.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +{{- end }} +{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} +export MEMBER_SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +{{- end }} + +2. Map the service name to the service IP in /etc/hosts: +{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} +sudo sh -c "echo \"${PRIMARY_SERVICE_IP} {{ template "artifactory-ha.primary.name" . }}\" >> /etc/hosts" +{{- end }} +{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} +sudo sh -c "echo \"${MEMBER_SERVICE_IP} {{ template "artifactory-ha.fullname" . }}\" >> /etc/hosts" +{{- end }} + +3. Launch jconsole: +{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} +jconsole {{ template "artifactory-ha.primary.name" . }}:{{ .Values.artifactory.primary.javaOpts.jmx.port }} +{{- end }} +{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} +jconsole {{ template "artifactory-ha.fullname" . }}:{{ .Values.artifactory.node.javaOpts.jmx.port }} +{{- end }} +{{- end }} + + +{{- if ge (.Values.artifactory.node.replicaCount | int) 1 }} +***************************************** WARNING ***************************************************************************** +* Currently member node(s) are enabled, will be deprecated in upcoming releases * +* It is recommended to upgrade from primary-members to primary-only. * +* It can be done by deploying the chart ( >=107.59.x) with the new values. Also, please refer to changelog of 107.59.x chart * +* More Info: https://jfrog.com/help/r/jfrog-installation-setup-documentation/cloud-native-high-availability * +******************************************************************************************************************************* +{{- end }} + +{{- if and .Values.nginx.enabled .Values.ingress.hosts }} +***************************************** WARNING ***************************************************************************** +* when nginx is enabled , .Values.ingress.hosts will be deprecated in upcoming releases * +* It is recommended to use nginx.hosts instead ingress.hosts +******************************************************************************************************************************* +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/_helpers.tpl b/charts/jfrog/artifactory-ha/107.104.6/templates/_helpers.tpl new file mode 100644 index 000000000..1c89bb541 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/_helpers.tpl @@ -0,0 +1,673 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "artifactory-ha.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +The primary node name +*/}} +{{- define "artifactory-ha.primary.name" -}} +{{- if .Values.nameOverride -}} +{{- printf "%s-primary" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := .Release.Name | trunc 29 -}} +{{- printf "%s-%s-primary" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +The member node name +*/}} +{{- define "artifactory-ha.node.name" -}} +{{- if .Values.nameOverride -}} +{{- printf "%s-member" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := .Release.Name | trunc 29 -}} +{{- printf "%s-%s-member" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name nginx service. +*/}} +{{- define "artifactory-ha.nginx.name" -}} +{{- default .Values.nginx.name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "artifactory-ha.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "artifactory-ha.nginx.fullname" -}} +{{- if .Values.nginx.fullnameOverride -}} +{{- .Values.nginx.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nginx.name -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "artifactory-ha.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} +{{ default (include "artifactory-ha.fullname" .) .Values.serviceAccount.name }} +{{- else -}} +{{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "artifactory-ha.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Generate SSL certificates +*/}} +{{- define "artifactory-ha.gen-certs" -}} +{{- $altNames := list ( printf "%s.%s" (include "artifactory-ha.fullname" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "artifactory-ha.fullname" .) .Release.Namespace ) -}} +{{- $ca := genCA "artifactory-ca" 365 -}} +{{- $cert := genSignedCert ( include "artifactory-ha.fullname" . ) nil $altNames 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Scheme (http/https) based on Access or Router TLS enabled/disabled +*/}} +{{- define "artifactory-ha.scheme" -}} +{{- if or .Values.access.accessConfig.security.tls .Values.router.tlsEnabled -}} +{{- printf "%s" "https" -}} +{{- else -}} +{{- printf "%s" "http" -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve joinKey value +*/}} +{{- define "artifactory-ha.joinKey" -}} +{{- if .Values.global.joinKey -}} +{{- .Values.global.joinKey -}} +{{- else if .Values.artifactory.joinKey -}} +{{- .Values.artifactory.joinKey -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve jfConnectToken value +*/}} +{{- define "artifactory-ha.jfConnectToken" -}} +{{- .Values.artifactory.jfConnectToken -}} +{{- end -}} + +{{/* +Resolve masterKey value +*/}} +{{- define "artifactory-ha.masterKey" -}} +{{- if .Values.global.masterKey -}} +{{- .Values.global.masterKey -}} +{{- else if .Values.artifactory.masterKey -}} +{{- .Values.artifactory.masterKey -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve joinKeySecretName value +*/}} +{{- define "artifactory-ha.joinKeySecretName" -}} +{{- if .Values.global.joinKeySecretName -}} +{{- .Values.global.joinKeySecretName -}} +{{- else if .Values.artifactory.joinKeySecretName -}} +{{- .Values.artifactory.joinKeySecretName -}} +{{- else -}} +{{ include "artifactory-ha.fullname" . }} +{{- end -}} +{{- end -}} + +{{/* +Resolve jfConnectTokenSecretName value +*/}} +{{- define "artifactory-ha.jfConnectTokenSecretName" -}} +{{- if .Values.artifactory.jfConnectTokenSecretName -}} +{{- .Values.artifactory.jfConnectTokenSecretName -}} +{{- else -}} +{{ include "artifactory-ha.fullname" . }} +{{- end -}} +{{- end -}} + +{{/* +Resolve masterKeySecretName value +*/}} +{{- define "artifactory-ha.masterKeySecretName" -}} +{{- if .Values.global.masterKeySecretName -}} +{{- .Values.global.masterKeySecretName -}} +{{- else if .Values.artifactory.masterKeySecretName -}} +{{- .Values.artifactory.masterKeySecretName -}} +{{- else -}} +{{ include "artifactory-ha.fullname" . }} +{{- end -}} +{{- end -}} + +{{/* +Resolve imagePullSecrets value +*/}} +{{- define "artifactory-ha.imagePullSecrets" -}} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Resolve customInitContainersBegin value +*/}} +{{- define "artifactory-ha.customInitContainersBegin" -}} +{{- if .Values.global.customInitContainersBegin -}} +{{- .Values.global.customInitContainersBegin -}} +{{- end -}} +{{- if .Values.artifactory.customInitContainersBegin -}} +{{- .Values.artifactory.customInitContainersBegin -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customInitContainers value +*/}} +{{- define "artifactory-ha.customInitContainers" -}} +{{- if .Values.global.customInitContainers -}} +{{- .Values.global.customInitContainers -}} +{{- end -}} +{{- if .Values.artifactory.customInitContainers -}} +{{- .Values.artifactory.customInitContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumes value +*/}} +{{- define "artifactory-ha.customVolumes" -}} +{{- if .Values.global.customVolumes -}} +{{- .Values.global.customVolumes -}} +{{- end -}} +{{- if .Values.artifactory.customVolumes -}} +{{- .Values.artifactory.customVolumes -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve unifiedCustomSecretVolumeName value +*/}} +{{- define "artifactory-ha.unifiedCustomSecretVolumeName" -}} +{{- printf "%s-%s" (include "artifactory-ha.name" .) ("unified-secret-volume") | trunc 63 -}} +{{- end -}} + +{{/* +Check the Duplication of volume names for secrets. If unifiedSecretInstallation is enabled then the method is checking for volume names, +if the volume exists in customVolume then an extra volume with the same name will not be getting added in unifiedSecretInstallation case.*/}} +{{- define "artifactory-ha.checkDuplicateUnifiedCustomVolume" -}} +{{- if or .Values.global.customVolumes .Values.artifactory.customVolumes -}} +{{- $val := (tpl (include "artifactory-ha.customVolumes" .) .) | toJson -}} +{{- contains (include "artifactory-ha.unifiedCustomSecretVolumeName" .) $val | toString -}} +{{- else -}} +{{- printf "%s" "false" -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumeMounts value +*/}} +{{- define "artifactory-ha.customVolumeMounts" -}} +{{- if .Values.global.customVolumeMounts -}} +{{- .Values.global.customVolumeMounts -}} +{{- end -}} +{{- if .Values.artifactory.customVolumeMounts -}} +{{- .Values.artifactory.customVolumeMounts -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customSidecarContainers value +*/}} +{{- define "artifactory-ha.customSidecarContainers" -}} +{{- if .Values.global.customSidecarContainers -}} +{{- .Values.global.customSidecarContainers -}} +{{- end -}} +{{- if .Values.artifactory.customSidecarContainers -}} +{{- .Values.artifactory.customSidecarContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper artifactory chart image names +*/}} +{{- define "artifactory-ha.getImageInfoByValue" -}} +{{- $dot := index . 0 }} +{{- $indexReference := index . 1 }} +{{- $registryName := index $dot.Values $indexReference "image" "registry" -}} +{{- $repositoryName := index $dot.Values $indexReference "image" "repository" -}} +{{- $tag := "" -}} +{{- if and (eq $indexReference "artifactory") (hasKey $dot.Values "artifactoryService") }} + {{- if default false $dot.Values.artifactoryService.enabled }} + {{- $indexReference = "artifactoryService" -}} + {{- $tag = default $dot.Chart.Annotations.artifactoryServiceVersion (index $dot.Values $indexReference "image" "tag") | toString -}} + {{- $repositoryName = index $dot.Values $indexReference "image" "repository" -}} + {{- else -}} + {{- $tag = default $dot.Chart.AppVersion (index $dot.Values $indexReference "image" "tag") | toString -}} + {{- end -}} +{{- else -}} + {{- $tag = default $dot.Chart.AppVersion (index $dot.Values $indexReference "image" "tag") | toString -}} +{{- end -}} +{{- if and (eq $indexReference "metadata") (hasKey $dot.Values.metadata "standaloneImageEnabled") }} + {{- if default false $dot.Values.metadata.standaloneImageEnabled }} + {{- $tag = default $dot.Chart.Annotations.metadataVersion (index $dot.Values $indexReference "image" "tag") | toString -}} + {{- end -}} +{{- end -}} +{{- if and (eq $indexReference "observability") (hasKey $dot.Values.observability "standaloneImageEnabled") }} + {{- if default false $dot.Values.observability.standaloneImageEnabled }} + {{- $tag = default $dot.Chart.Annotations.observabilityVersion (index $dot.Values $indexReference "image" "tag") | toString -}} + {{- end -}} +{{- end -}} +{{- if $dot.Values.global }} + {{- if and $dot.Values.splitServicesToContainers $dot.Values.global.versions.router (eq $indexReference "router") }} + {{- $tag = $dot.Values.global.versions.router | toString -}} + {{- end -}} + {{- if and $dot.Values.global.versions.initContainers (eq $indexReference "initContainers") }} + {{- $tag = $dot.Values.global.versions.initContainers | toString -}} + {{- end -}} + {{- if and $dot.Values.global.versions.rtfs (eq $indexReference "rtfs") }} + {{- $tag = $dot.Values.global.versions.rtfs | toString -}} + {{- end -}} + {{- if $dot.Values.global.versions.artifactory }} + {{- if or (eq $indexReference "artifactory") (eq $indexReference "metadata") (eq $indexReference "nginx") (eq $indexReference "observability") }} + {{- $tag = $dot.Values.global.versions.artifactory | toString -}} + {{- end -}} + {{- end -}} + {{- if $dot.Values.global.imageRegistry }} + {{- printf "%s/%s:%s" $dot.Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper artifactory app version +*/}} +{{- define "artifactory-ha.app.version" -}} +{{- $tag := (splitList ":" ((include "artifactory-ha.getImageInfoByValue" (list . "artifactory" )))) | last | toString -}} +{{- printf "%s" $tag -}} +{{- end -}} + +{{/* +Custom certificate copy command +*/}} +{{- define "artifactory-ha.copyCustomCerts" -}} +echo "Copy custom certificates to {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted"; +mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted; +for file in $(ls -1 /tmp/certs/* | grep -v .key | grep -v ":" | grep -v grep); do if [ -f "${file}" ]; then cp -v ${file} {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted; fi done; +if [ -f {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/tls.crt ]; then mv -v {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/tls.crt {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/ca.crt; fi; +{{- end -}} + +{{/* +Circle of trust certificates copy command +*/}} +{{- define "artifactory.copyCircleOfTrustCertsCerts" -}} +echo "Copy circle of trust certificates to {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted"; +mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; +for file in $(ls -1 /tmp/circleoftrustcerts/* | grep -v .key | grep -v ":" | grep -v grep); do if [ -f "${file}" ]; then cp -v ${file} {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; fi done; +{{- end -}} + +{{/* +Resolve requiredServiceTypes value +*/}} +{{- define "artifactory-ha.router.requiredServiceTypes" -}} +{{- $requiredTypes := "jfrt,jfac" -}} +{{- if not .Values.access.enabled -}} + {{- $requiredTypes = "jfrt" -}} +{{- end -}} +{{- if .Values.observability.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfob" -}} +{{- end -}} +{{- if .Values.metadata.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfmd" -}} +{{- end -}} +{{- if .Values.event.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfevt" -}} +{{- end -}} +{{- if .Values.frontend.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jffe" -}} +{{- end -}} +{{- if .Values.jfconnect.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfcon" -}} +{{- end -}} +{{- if .Values.evidence.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfevd" -}} +{{- end -}} +{{- if .Values.topology.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jftpl" -}} +{{- end -}} +{{- if .Values.mc.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfmc" -}} +{{- end -}} +{{- if .Values.onemodel.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfomr" -}} +{{- end -}} +{{- $requiredTypes -}} +{{- end -}} + +{{/* +nginx scheme (http/https) +*/}} +{{- define "nginx.scheme" -}} +{{- if .Values.nginx.http.enabled -}} +{{- printf "%s" "http" -}} +{{- else -}} +{{- printf "%s" "https" -}} +{{- end -}} +{{- end -}} + + +{{/* +nginx command +*/}} +{{- define "nginx.command" -}} +{{- if .Values.nginx.customCommand }} +{{ toYaml .Values.nginx.customCommand }} +{{- end }} +{{- end -}} + +{{/* +nginx port (8080/8443) based on http/https enabled +*/}} +{{- define "nginx.port" -}} +{{- if .Values.nginx.http.enabled -}} +{{- .Values.nginx.http.internalPort -}} +{{- else -}} +{{- .Values.nginx.https.internalPort -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customInitContainers value +*/}} +{{- define "artifactory.nginx.customInitContainers" -}} +{{- if .Values.nginx.customInitContainers -}} +{{- .Values.nginx.customInitContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumes value +*/}} +{{- define "artifactory.nginx.customVolumes" -}} +{{- if .Values.nginx.customVolumes -}} +{{- .Values.nginx.customVolumes -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumeMounts nginx value +*/}} +{{- define "artifactory.nginx.customVolumeMounts" -}} +{{- if .Values.nginx.customVolumeMounts -}} +{{- .Values.nginx.customVolumeMounts -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customSidecarContainers value +*/}} +{{- define "artifactory.nginx.customSidecarContainers" -}} +{{- if .Values.nginx.customSidecarContainers -}} +{{- .Values.nginx.customSidecarContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve Artifactory pod primary node selector value +*/}} +{{- define "artifactory.nodeSelector" -}} +nodeSelector: +{{- if .Values.global.nodeSelector }} +{{ toYaml .Values.global.nodeSelector | indent 2 }} +{{- else if .Values.artifactory.primary.nodeSelector }} +{{ toYaml .Values.artifactory.primary.nodeSelector | indent 2 }} +{{- end -}} +{{- end -}} + +{{/* +Resolve Artifactory pod node nodeselector value +*/}} +{{- define "artifactory.node.nodeSelector" -}} +nodeSelector: +{{- if .Values.global.nodeSelector }} +{{ toYaml .Values.global.nodeSelector | indent 2 }} +{{- else if .Values.artifactory.node.nodeSelector }} +{{ toYaml .Values.artifactory.node.nodeSelector | indent 2 }} +{{- end -}} +{{- end -}} + +{{/* +Resolve Nginx pods node selector value +*/}} +{{- define "nginx.nodeSelector" -}} +nodeSelector: +{{- if .Values.global.nodeSelector }} +{{ toYaml .Values.global.nodeSelector | indent 2 }} +{{- else if .Values.nginx.nodeSelector }} +{{ toYaml .Values.nginx.nodeSelector | indent 2 }} +{{- end -}} +{{- end -}} + +{{/* +Calculate the systemYaml from structured and unstructured text input +*/}} +{{- define "artifactory.finalSystemYaml" -}} +{{ tpl (mergeOverwrite (include "artifactory.systemYaml" . | fromYaml) .Values.artifactory.extraSystemYaml | toYaml) . }} +{{- end -}} + +{{/* +Calculate the systemYaml from the unstructured text input +*/}} +{{- define "artifactory.systemYaml" -}} +{{ include (print $.Template.BasePath "/_system-yaml-render.tpl") . }} +{{- end -}} + +{{/* +Metrics enabled +*/}} +{{- define "metrics.enabled" -}} + metrics: + enabled: true +{{- end }} + +{{/* +Resolve artifactory metrics +*/}} +{{- define "artifactory.metrics" -}} +{{- if .Values.artifactory.openMetrics -}} +{{- if .Values.artifactory.openMetrics.enabled -}} +{{ include "metrics.enabled" . }} +{{- if .Values.artifactory.openMetrics.filebeat }} +{{- if .Values.artifactory.openMetrics.filebeat.enabled }} +{{ include "metrics.enabled" . }} + filebeat: +{{ tpl (.Values.artifactory.openMetrics.filebeat | toYaml) . | indent 6 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- else if .Values.artifactory.metrics -}} +{{- if .Values.artifactory.metrics.enabled -}} +{{ include "metrics.enabled" . }} +{{- if .Values.artifactory.metrics.filebeat }} +{{- if .Values.artifactory.metrics.filebeat.enabled }} +{{ include "metrics.enabled" . }} + filebeat: +{{ tpl (.Values.artifactory.metrics.filebeat | toYaml) . | indent 6 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve unified secret prepend release name +*/}} +{{- define "artifactory.unifiedSecretPrependReleaseName" -}} +{{- if .Values.artifactory.unifiedSecretPrependReleaseName }} +{{- printf "%s" (include "artifactory-ha.fullname" .) -}} +{{- else }} +{{- printf "%s" (include "artifactory-ha.name" .) -}} +{{- end }} +{{- end }} + +{{/* +Resolve nginx hosts value +*/}} +{{- define "artifactory.nginx.hosts" -}} +{{- if .Values.ingress.hosts }} +{{- range .Values.ingress.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ . }} + {{- end -}} +{{- end -}} +{{- else if .Values.nginx.hosts }} +{{- range .Values.nginx.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ . }} + {{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified grpc ingress name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "artifactory.ingressGrpc.fullname" -}} +{{- printf "%s-%s" (include "artifactory-ha.fullname" .) .Values.ingressGrpc.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified grpc service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "artifactory.serviceGrpc.fullname" -}} +{{- printf "%s-%s" (include "artifactory-ha.fullname" .) .Values.artifactory.serviceGrpc.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "rtfs.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" (.Release.Name | trunc 63 | trimSuffix "-") .Values.rtfs.name -}} +{{- else -}} +{{- printf "%s-%s-%s" (.Release.Name | trunc 63 | trimSuffix "-") $name .Values.rtfs.name -}} +{{- end -}} +{{- end -}} +{{- end -}} + + +{{/* + Resolve jfrogUrl value +*/}} +{{- define "rtfs.jfrogUrl" -}} +{{- if .Values.global.jfrogUrl -}} +{{- .Values.global.jfrogUrl -}} +{{- else if .Values.rtfs.jfrogUrl -}} +{{- .Values.rtfs.jfrogUrl -}} +{{- else -}} +{{- printf "http://%s:8082" (include "artifactory-ha.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve RTFS customSidecarContainers value +*/}} +{{- define "artifactory.rtfs.customSidecarContainers" -}} +{{- if .Values.rtfs.customSidecarContainers -}} +{{- .Values.rtfs.customSidecarContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve RTFS customInitContainers value +*/}} +{{- define "artifactory.rtfs.customInitContainers" -}} +{{- if .Values.rtfs.customInitContainers -}} +{{- .Values.rtfs.customInitContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumes value +*/}} +{{- define "artifactory.rtfs.customVolumes" -}} +{{- if .Values.rtfs.customVolumes -}} +{{- .Values.rtfs.customVolumes -}} +{{- end -}} +{{- end -}} + +{{/* +Rtfs command +*/}} +{{- define "rtfs.command" -}} +{{- if .Values.rtfs.customCommand }} +{{ toYaml .Values.rtfs.customCommand }} +{{- end }} +{{- end -}} + +{{/* +Resolve customVolumeMounts rtfs value +*/}} +{{- define "artifactory.rtfs.customVolumeMounts" -}} +{{- if .Values.rtfs.customVolumeMounts -}} +{{- .Values.rtfs.customVolumeMounts -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/_system-yaml-render.tpl b/charts/jfrog/artifactory-ha/107.104.6/templates/_system-yaml-render.tpl new file mode 100644 index 000000000..deaa773ea --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/_system-yaml-render.tpl @@ -0,0 +1,5 @@ +{{- if .Values.artifactory.systemYaml -}} +{{- tpl .Values.artifactory.systemYaml . -}} +{{- else -}} +{{ (tpl ( $.Files.Get "files/system.yaml" ) .) }} +{{- end -}} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/additional-resources.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/additional-resources.yaml new file mode 100644 index 000000000..c4d06f08a --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/additional-resources.yaml @@ -0,0 +1,3 @@ +{{ if .Values.additionalResources }} +{{ tpl .Values.additionalResources . }} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/admin-bootstrap-creds.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/admin-bootstrap-creds.yaml new file mode 100644 index 000000000..40d91f75e --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/admin-bootstrap-creds.yaml @@ -0,0 +1,15 @@ +{{- if not (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) }} +{{- if and .Values.artifactory.admin.password (not .Values.artifactory.unifiedSecretInstallation) }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-bootstrap-creds + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + bootstrap.creds: {{ (printf "%s@%s=%s" .Values.artifactory.admin.username .Values.artifactory.admin.ip .Values.artifactory.admin.password) | b64enc }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-access-config.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-access-config.yaml new file mode 100644 index 000000000..0b96a337d --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-access-config.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.access.accessConfig (not .Values.artifactory.unifiedSecretInstallation) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory-ha.fullname" . }}-access-config + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +type: Opaque +stringData: + access.config.patch.yml: | +{{ tpl (toYaml .Values.access.accessConfig) . | indent 4 }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-binarystore-secret.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-binarystore-secret.yaml new file mode 100644 index 000000000..6824fe90f --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-binarystore-secret.yaml @@ -0,0 +1,18 @@ +{{- if and (not .Values.artifactory.persistence.customBinarystoreXmlSecret) (not .Values.artifactory.unifiedSecretInstallation) }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-binarystore + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +stringData: + binarystore.xml: |- +{{- if .Values.artifactory.persistence.binarystoreXml }} +{{ tpl .Values.artifactory.persistence.binarystoreXml . | indent 4 }} +{{- else }} +{{ tpl ( .Files.Get "files/binarystore.xml" ) . | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-configmaps.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-configmaps.yaml new file mode 100644 index 000000000..1385bc578 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-configmaps.yaml @@ -0,0 +1,13 @@ +{{ if .Values.artifactory.configMaps }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-configmaps + labels: + app: {{ template "artifactory-ha.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: +{{ tpl .Values.artifactory.configMaps . | indent 2 }} +{{ end -}} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-custom-secrets.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-custom-secrets.yaml new file mode 100644 index 000000000..8065fe686 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-custom-secrets.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.artifactory.customSecrets (not .Values.artifactory.unifiedSecretInstallation) }} +{{- range .Values.artifactory.customSecrets }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory-ha.fullname" $ }}-{{ .name }} + labels: + app: "{{ template "artifactory-ha.name" $ }}" + chart: "{{ template "artifactory-ha.chart" $ }}" + component: "{{ $.Values.artifactory.name }}" + heritage: {{ $.Release.Service | quote }} + release: {{ $.Release.Name | quote }} +type: Opaque +stringData: + {{ .key }}: | +{{ .data | indent 4 -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-database-secrets.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-database-secrets.yaml new file mode 100644 index 000000000..6daf5db7b --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-database-secrets.yaml @@ -0,0 +1,24 @@ +{{- if and (not .Values.database.secrets) (not .Values.postgresql.enabled) (not .Values.artifactory.unifiedSecretInstallation) }} +{{- if or .Values.database.url .Values.database.user .Values.database.password }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory-ha.fullname" . }}-database-creds + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +type: Opaque +data: + {{- with .Values.database.url }} + db-url: {{ tpl . $ | b64enc | quote }} + {{- end }} + {{- with .Values.database.user }} + db-user: {{ tpl . $ | b64enc | quote }} + {{- end }} + {{- with .Values.database.password }} + db-password: {{ tpl . $ | b64enc | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-gcp-credentials-secret.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-gcp-credentials-secret.yaml new file mode 100644 index 000000000..d90769595 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-gcp-credentials-secret.yaml @@ -0,0 +1,16 @@ +{{- if not .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} +{{- if and (.Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled) (not .Values.artifactory.unifiedSecretInstallation) }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-gcpcreds + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +stringData: + gcp.credentials.json: |- +{{ tpl .Values.artifactory.persistence.googleStorage.gcpServiceAccount.config . | indent 4 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-installer-info.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-installer-info.yaml new file mode 100644 index 000000000..0dff9dc86 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-installer-info.yaml @@ -0,0 +1,16 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-installer-info + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + installer-info.json: | +{{- if .Values.installerInfo -}} +{{- tpl .Values.installerInfo . | nindent 4 -}} +{{- else -}} +{{ (tpl ( .Files.Get "files/installer-info.json" | nindent 4 ) .) }} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-license-secret.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-license-secret.yaml new file mode 100644 index 000000000..0018fa044 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-license-secret.yaml @@ -0,0 +1,16 @@ +{{ if and (not .Values.artifactory.unifiedSecretInstallation) (not .Values.artifactory.license.secret) }} +{{- with .Values.artifactory.license.licenseKey }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory-ha.fullname" $ }}-license + labels: + app: {{ template "artifactory-ha.name" $ }} + chart: {{ template "artifactory-ha.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} +type: Opaque +data: + artifactory.lic: {{ . | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-migration-scripts.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-migration-scripts.yaml new file mode 100644 index 000000000..fe40f980f --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-migration-scripts.yaml @@ -0,0 +1,18 @@ +{{- if .Values.artifactory.migration.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-migration-scripts + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + migrate.sh: | +{{ .Files.Get "files/migrate.sh" | indent 4 }} + migrationHelmInfo.yaml: | +{{ .Files.Get "files/migrationHelmInfo.yaml" | indent 4 }} + migrationStatus.sh: | +{{ .Files.Get "files/migrationStatus.sh" | indent 4 }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-networkpolicy.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-networkpolicy.yaml new file mode 100644 index 000000000..9924448f0 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-networkpolicy.yaml @@ -0,0 +1,34 @@ +{{- range .Values.networkpolicy }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "artifactory-ha.fullname" $ }}-{{ .name }}-networkpolicy + labels: + app: {{ template "artifactory-ha.name" $ }} + chart: {{ template "artifactory-ha.chart" $ }} + release: {{ $.Release.Name }} + heritage: {{ $.Release.Service }} +spec: +{{- if .podSelector }} + podSelector: +{{ .podSelector | toYaml | trimSuffix "\n" | indent 4 -}} +{{ else }} + podSelector: {} +{{- end }} + policyTypes: + {{- if .ingress }} + - Ingress + {{- end }} + {{- if .egress }} + - Egress + {{- end }} +{{- if .ingress }} + ingress: +{{ .ingress | toYaml | trimSuffix "\n" | indent 2 -}} +{{- end }} +{{- if .egress }} + egress: +{{ .egress | toYaml | trimSuffix "\n" | indent 2 -}} +{{- end }} +--- +{{- end -}} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-nfs-pvc.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-nfs-pvc.yaml new file mode 100644 index 000000000..6ed7d82f6 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-nfs-pvc.yaml @@ -0,0 +1,101 @@ +{{- if eq .Values.artifactory.persistence.type "nfs" }} +### Artifactory HA data +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ template "artifactory-ha.fullname" . }}-data-pv + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + id: {{ template "artifactory-ha.name" . }}-data-pv + type: nfs-volume +spec: + {{- if .Values.artifactory.persistence.nfs.mountOptions }} + mountOptions: +{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} + {{- end }} + capacity: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + nfs: + server: {{ .Values.artifactory.persistence.nfs.ip }} + path: "{{ .Values.artifactory.persistence.nfs.haDataMount }}" + readOnly: false +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-data-pvc + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + type: nfs-volume +spec: + accessModes: + - ReadWriteOnce + storageClassName: "" + resources: + requests: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + selector: + matchLabels: + id: {{ template "artifactory-ha.name" . }}-data-pv + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} +--- +### Artifactory HA backup +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ template "artifactory-ha.fullname" . }}-backup-pv + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + id: {{ template "artifactory-ha.name" . }}-backup-pv + type: nfs-volume +spec: + {{- if .Values.artifactory.persistence.nfs.mountOptions }} + mountOptions: +{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} + {{- end }} + capacity: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + nfs: + server: {{ .Values.artifactory.persistence.nfs.ip }} + path: "{{ .Values.artifactory.persistence.nfs.haBackupMount }}" + readOnly: false +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-backup-pvc + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + type: nfs-volume +spec: + accessModes: + - ReadWriteOnce + storageClassName: "" + resources: + requests: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + selector: + matchLabels: + id: {{ template "artifactory-ha.name" . }}-backup-pv + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-node-pdb.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-node-pdb.yaml new file mode 100644 index 000000000..46c6dac21 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/artifactory-node-pdb.yaml @@ -0,0 +1,26 @@ +{{- if gt (.Values.artifactory.node.replicaCount | int) 0 -}} +{{- if .Values.artifactory.node.minAvailable -}} +{{- if semverCompare " + mkdir -p {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}; + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + {{- end }} + {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} + - name: "delete-db-properties" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - 'bash' + - '-c' + - 'rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/db.properties' + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + {{- end }} + {{- if and .Values.artifactory.node.waitForPrimaryStartup.enabled }} + - name: "wait-for-primary" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - 'bash' + - '-c' + - > + echo "Waiting for primary node to be ready..."; + {{- if and .Values.artifactory.node.waitForPrimaryStartup.enabled .Values.artifactory.node.waitForPrimaryStartup.time }} + echo "Sleeping to allow time for primary node to come up"; + sleep {{ .Values.artifactory.node.waitForPrimaryStartup.time }}; + {{- else }} + ready=false; + while ! $ready; do echo Primary not ready. Waiting...; + timeout 2s bash -c " + if [[ -e "{{ .Values.artifactory.persistence.mountPath }}/etc/filebeat.yaml" ]]; then chmod 644 {{ .Values.artifactory.persistence.mountPath }}/etc/filebeat.yaml; fi; + echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; + {{- if .Values.systemYamlOverride.existingSecret }} + cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + {{- else }} + cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + {{- end }} + echo "Copy binarystore.xml file"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/artifactory; + cp -fv /tmp/etc/artifactory/binarystore.xml {{ .Values.artifactory.persistence.mountPath }}/etc/artifactory/binarystore.xml; + echo "Removing join.key file"; + rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/security/join.key; + {{- if .Values.access.resetAccessCAKeys }} + echo "Resetting Access CA Keys - load from database"; + {{- end }} + {{- if .Values.access.customCertificatesSecretName }} + echo "Load custom certificates from database"; + {{- end }} + {{- if .Values.jfconnect.customCertificatesSecretName }} + echo "Load custom certificates from database"; + {{- end }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + echo "Copy masterKey to {{ .Values.artifactory.persistence.mountPath }}/etc/security"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/security; + echo -n ${ARTIFACTORY_MASTER_KEY} > {{ .Values.artifactory.persistence.mountPath }}/etc/security/master.key; + env: + - name: ARTIFACTORY_MASTER_KEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) (or .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName) }} + name: {{ include "artifactory-ha.masterKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: master-key + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + + ######################## SystemYaml ######################### + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" + subPath: {{ .Values.systemYamlOverride.dataKey }} + {{- else }} + mountPath: "/tmp/etc/system.yaml" + subPath: system.yaml + {{- end }} + + ######################## Binarystore ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + + ######################## CustomCertificates ########################## + {{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: copy-custom-certificates + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > +{{ include "artifactory-ha.copyCustomCerts" . | indent 10 }} + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath }} + - name: ca-certs + mountPath: "/tmp/certs" + {{- end }} + + {{- if .Values.artifactory.circleOfTrustCertificatesSecret }} + - name: copy-circle-of-trust-certificates + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > +{{ include "artifactory.copyCircleOfTrustCertsCerts" . | indent 10 }} + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath }} + - name: circle-of-trust-certs + mountPath: "/tmp/circleoftrustcerts" + {{- end }} + + {{- if .Values.waitForDatabase }} + {{- if or .Values.postgresql.enabled }} + - name: "wait-for-db" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - /bin/bash + - -c + - | + echo "Waiting for postgresql to come up" + ready=false; + while ! $ready; do echo waiting; + timeout 2s bash -c " + {{- if .Values.artifactory.migration.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.artifactory.migration.preStartCommand . }}; + {{- end }} + scriptsPath="/opt/jfrog/artifactory/app/bin"; + mkdir -p $scriptsPath; + echo "Copy migration scripts and Run migration"; + cp -fv /tmp/migrate.sh $scriptsPath/migrate.sh; + cp -fv /tmp/migrationHelmInfo.yaml $scriptsPath/migrationHelmInfo.yaml; + cp -fv /tmp/migrationStatus.sh $scriptsPath/migrationStatus.sh; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/log; + bash $scriptsPath/migrationStatus.sh {{ include "artifactory-ha.app.version" . }} {{ .Values.artifactory.migration.timeoutSeconds }} > >(tee {{ .Values.artifactory.persistence.mountPath }}/log/helm-migration.log) 2>&1; + resources: +{{ toYaml .Values.artifactory.node.resources | indent 10 }} + env: + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + - name: JF_SHARED_NODE_HAENABLED + value: "true" +{{- with .Values.artifactory.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + - name: migration-scripts + mountPath: "/tmp/migrate.sh" + subPath: migrate.sh + - name: migration-scripts + mountPath: "/tmp/migrationHelmInfo.yaml" + subPath: migrationHelmInfo.yaml + - name: migration-scripts + mountPath: "/tmp/migrationStatus.sh" + subPath: migrationStatus.sh + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + + ######################## Artifactory persistence binarystore Xml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + {{- end }} + + ######################## Artifactory persistence google storage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json + {{- end }} + +{{- end }} + {{- if .Values.hostAliases }} + hostAliases: +{{ toYaml .Values.hostAliases | indent 6 }} + {{- end }} + containers: + {{- if .Values.splitServicesToContainers }} + - name: {{ .Values.router.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "router") }} + imagePullPolicy: {{ .Values.router.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/router/app/bin/entrypoint-router.sh + {{- with .Values.router.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "artifactory-ha.router.requiredServiceTypes" . }} +{{- with .Values.router.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + - name: volume + mountPath: {{ .Values.router.persistence.mountPath | quote }} +{{- with .Values.router.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.router.resources | indent 10 }} + {{- if .Values.router.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.router.startupProbe.config . | indent 10 }} + {{- end }} +{{- if .Values.router.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.router.readinessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.router.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.router.livenessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.frontend.enabled }} + - name: {{ .Values.frontend.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/third-party/node/bin/node /opt/jfrog/artifactory/app/frontend/bin/server/dist/bundle.js /opt/jfrog/artifactory/app/frontend + {{- with .Values.frontend.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name : JF_SHARED_NODE_HAENABLED + value: "true" +{{- with .Values.frontend.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.frontend.resources | indent 10 }} + {{- if .Values.frontend.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.frontend.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.frontend.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.frontend.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.evidence.enabled }} + - name: {{ .Values.evidence.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/evidence/bin/jf-evidence start + {{- with .Values.evidence.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.evidence.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.evidence.internalPort }} + name: http-evidence + - containerPort: {{ .Values.evidence.externalPort }} + name: grpc-evidence + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.evidence.resources | indent 10 }} + {{- if .Values.evidence.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.evidence.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.evidence.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.evidence.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.metadata.enabled }} + - name: {{ .Values.metadata.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "metadata") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/metadata/bin/jf-metadata start + {{- with .Values.metadata.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.metadata.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.metadata.resources | indent 10 }} + {{- if .Values.metadata.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.metadata.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.metadata.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.metadata.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.onemodel.enabled }} + - name: {{ .Values.onemodel.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/onemodel/bin/entrypoint-onemodel.sh start + {{- with .Values.onemodel.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: JF_ONEMODEL_LISTENADDR + value: "0.0.0.0" +{{- with .Values.onemodel.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.onemodel.resources | indent 10 }} + {{- if .Values.onemodel.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.onemodel.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.onemodel.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.onemodel.livenessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.onemodel.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.onemodel.readinessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.event.enabled }} + - name: {{ .Values.event.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/event/bin/jf-event start + {{- with .Values.event.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- with .Values.event.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.event.resources | indent 10 }} + {{- if .Values.event.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.event.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.event.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.event.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.jfconnect.enabled }} + - name: {{ .Values.jfconnect.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/jfconnect/bin/jf-connect start + {{- with .Values.jfconnect.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- with .Values.jfconnect.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.jfconnect.resources | indent 10 }} + {{- if .Values.jfconnect.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.jfconnect.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.jfconnect.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.jfconnect.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.topology.enabled }} + - name: {{ .Values.topology.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/topology/bin/entrypoint-topology.sh + {{- with .Values.topology.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.topology.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.topology.internalPort }} + name: http-topology + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.topology.resources | indent 10 }} + {{- if .Values.topology.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.topology.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.topology.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.topology.readinessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.topology.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.topology.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.observability.enabled }} + - name: {{ .Values.observability.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "observability") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/observability/bin/jf-observability start + {{- with .Values.observability.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- with .Values.observability.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.observability.resources | indent 10 }} + {{- if .Values.observability.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.observability.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.observability.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.observability.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.access.enabled (not (.Values.access.runOnArtifactoryTomcat | default false)) }} + - name: {{ .Values.access.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + {{- if .Values.access.resources }} + resources: +{{ toYaml .Values.access.resources | indent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + set -e; + {{- if .Values.access.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.access.preStartCommand . }}; + {{- end }} + exec /opt/jfrog/artifactory/app/access/bin/entrypoint-access.sh + {{- with .Values.access.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.access.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: awsmp-product-license + mountPath: "/var/run/secrets/product-license" + {{- end }} + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + + ######################## Artifactory persistence fs ########################## + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + ######################## Artifactory persistence binarystore Xml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + + ######################## Artifactory persistence google storage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json + {{- end }} + + ######################## Artifactory ConfigMap ########################## + {{- if .Values.artifactory.configMapName }} + - name: bootstrap-config + mountPath: "/bootstrap/" + {{- end }} + + ######################## Artifactory license ########################## + {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.license.secret }} + - name: artifactory-license + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/artifactory.cluster.license" + {{- if .Values.artifactory.license.secret }} + subPath: {{ .Values.artifactory.license.dataKey }} + {{- else if .Values.artifactory.license.licenseKey }} + subPath: artifactory.lic + {{- end }} + {{- end }} + {{- end }} + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + {{- if .Values.access.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.access.startupProbe.config . | indent 10 }} + {{- end }} + {{- if semverCompare " + set -e; + {{- range .Values.artifactory.copyOnEveryStartup }} + {{- $targetPath := printf "%s/%s" $.Values.artifactory.persistence.mountPath .target }} + {{- $baseDirectory := regexFind ".*/" $targetPath }} + mkdir -p {{ $baseDirectory }}; + cp -Lrf {{ .source }} {{ $.Values.artifactory.persistence.mountPath }}/{{ .target }}; + {{- end }} + {{- if .Values.artifactory.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.artifactory.preStartCommand . }}; + {{- end }} + {{- with .Values.artifactory.node.preStartCommand }} + echo "Running member node specific custom preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /entrypoint-artifactory.sh + {{- with .Values.artifactory.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if .Values.aws.license.enabled }} + - name: IS_AWS_LICENSE + value: "true" + - name: AWS_REGION + value: {{ .Values.aws.region | quote }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + {{- end }} + {{- if .Values.splitServicesToContainers }} + - name : JF_ROUTER_ENABLED + value: "true" + - name : JF_ROUTER_SERVICE_ENABLED + value: "false" + - name : JF_EVENT_ENABLED + value: "false" + - name : JF_METADATA_ENABLED + value: "false" + - name : JF_FRONTEND_ENABLED + value: "false" + - name: JF_FEDERATION_ENABLED + value: "false" + - name : JF_OBSERVABILITY_ENABLED + value: "false" + - name : JF_JFCONNECT_SERVICE_ENABLED + value: "false" + - name : JF_EVIDENCE_ENABLED + value: "false" + - name : JF_ONEMODEL_ENABLED + value: "false" + {{- if not (.Values.access.runOnArtifactoryTomcat | default false) }} + - name : JF_ACCESS_ENABLED + value: "false" + {{- end}} + - name: JF_TOPOLOGY_SPLIT_CONTAINER_ENABLED + value: "true" + {{- end }} + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + - name: JF_SHARED_NODE_HAENABLED + value: "true" +{{- with .Values.artifactory.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.artifactory.internalPort }} + name: http + - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} + name: http-internal + {{- if .Values.artifactory.node.javaOpts.jmx.enabled }} + - containerPort: {{ .Values.artifactory.node.javaOpts.jmx.port }} + name: tcp-jmx + {{- end }} + {{- if .Values.artifactory.ssh.enabled }} + - containerPort: {{ .Values.artifactory.ssh.internalPort }} + name: tcp-ssh + {{- end }} + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: awsmp-product-license + mountPath: "/var/run/secrets/product-license" + {{- end }} + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + + ######################## Artifactory persistence fs ########################## + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + ######################## Artifactory persistence binarystore Xml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + + ######################## Artifactory persistence google storage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json + {{- end }} + + ######################## Artifactory ConfigMap ########################## + {{- if .Values.artifactory.configMapName }} + - name: bootstrap-config + mountPath: "/bootstrap/" + {{- end }} + + ######################## Artifactory license ########################## + {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.license.secret }} + - name: artifactory-license + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/artifactory.cluster.license" + {{- if .Values.artifactory.license.secret }} + subPath: {{ .Values.artifactory.license.dataKey }} + {{- else if .Values.artifactory.license.licenseKey }} + subPath: artifactory.lic + {{- end }} + {{- end }} + {{- end }} + - name: installer-info + mountPath: "/artifactory_bootstrap/info/installer-info.json" + subPath: installer-info.json + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + resources: +{{ toYaml .Values.artifactory.node.resources | indent 10 }} + {{- if .Values.artifactory.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.artifactory.startupProbe.config . | indent 10 }} + {{- end }} + {{- if and (not .Values.splitServicesToContainers) (semverCompare "= 107.79.x), just set databaseUpgradeReady=true \n" .Values.databaseUpgradeReady | quote }} +{{- end }} +{{- if .Values.artifactory.postStartCommand }} + {{- fail ".Values.artifactory.postStartCommand is not supported and should be replaced with .Values.artifactory.lifecycle.postStart.exec.command" }} +{{- end }} +{{- if eq .Values.artifactory.persistence.type "aws-s3" }} + {{- fail "\nPersistence storage type 'aws-s3' is deprecated and is not supported and should be replaced with 'aws-s3-v3'" }} +{{- end }} +{{- if or .Values.artifactory.persistence.googleStorage.identity .Values.artifactory.persistence.googleStorage.credential }} + {{- fail "\nGCP Bucket Authentication with Identity and Credential is deprecated" }} +{{- end }} +{{- if (eq (.Values.artifactory.setSecurityContext | toString) "false" ) }} + {{- fail "\n You need to set security context at the pod level. .Values.artifactory.setSecurityContext is no longer supported. Replace it with .Values.artifactory.podSecurityContext" }} +{{- end }} +{{- if or .Values.artifactory.uid .Values.artifactory.gid }} +{{- if or (not (eq (.Values.artifactory.uid | toString) "1030" )) (not (eq (.Values.artifactory.gid | toString) "1030" )) }} + {{- fail "\n .Values.artifactory.uid and .Values.artifactory.gid are no longer supported. You need to set these values at the pod security context level. Replace them with .Values.artifactory.podSecurityContext.runAsUser, .Values.artifactory.podSecurityContext.runAsGroup and .Values.artifactory.podSecurityContext.fsGroup" }} +{{- end }} +{{- end }} +{{- if or .Values.artifactory.fsGroupChangePolicy .Values.artifactory.seLinuxOptions }} + {{- fail "\n .Values.artifactory.fsGroupChangePolicy and .Values.artifactory.seLinuxOptions are no longer supported. You need to set these values at the pod security context level. Replace them with .Values.artifactory.podSecurityContext.fsGroupChangePolicy and .Values.artifactory.podSecurityContext.seLinuxOptions" }} +{{- end }} +{{- if .Values.initContainerImage }} + {{- fail "\n .Values.initContainerImage is no longer supported. Replace it with .Values.initContainers.image.registry .Values.initContainers.image.repository and .Values.initContainers.image.tag" }} +{{- end }} +{{- if and (eq .Values.rtfs.enabled true) (ne .Values.database.type "postgresql") (not (empty .Values.database.type))}} + {{- fail "\n RTFS supports only PostgreSQL databases and is not compatible with other databases. If you are currently using a different database, disable RTFS." }} +{{- end }} +{{- with .Values.artifactory.primary.labels }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.artifactory.statefulset.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + serviceName: {{ template "artifactory-ha.primary.name" . }} + replicas: {{ .Values.artifactory.primary.replicaCount }} + updateStrategy: {{- toYaml .Values.artifactory.primary.updateStrategy | nindent 4}} + selector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + role: {{ template "artifactory-ha.primary.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + role: {{ template "artifactory-ha.primary.name" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + {{- with .Values.artifactory.primary.labels }} +{{ toYaml . | indent 8 }} + {{- end }} + annotations: + {{- if not .Values.artifactory.unifiedSecretInstallation }} + checksum/database-secrets: {{ include (print $.Template.BasePath "/artifactory-database-secrets.yaml") . | sha256sum }} + checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }} + checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }} + {{- if .Values.access.accessConfig }} + checksum/access-config: {{ include (print $.Template.BasePath "/artifactory-access-config.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + checksum/gcpcredentials: {{ include (print $.Template.BasePath "/artifactory-gcp-credentials-secret.yaml") . | sha256sum }} + {{- end }} + {{- if not (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) }} + checksum/admin-creds: {{ include (print $.Template.BasePath "/admin-bootstrap-creds.yaml") . | sha256sum }} + {{- end }} + {{- else }} + checksum/artifactory-unified-secret: {{ include (print $.Template.BasePath "/artifactory-unified-secret.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.artifactory.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + spec: + {{- if .Values.artifactory.schedulerName }} + schedulerName: {{ .Values.artifactory.schedulerName | quote }} + {{- end }} + {{- if .Values.artifactory.priorityClass.existingPriorityClass }} + priorityClassName: {{ .Values.artifactory.priorityClass.existingPriorityClass }} + {{- else -}} + {{- if .Values.artifactory.priorityClass.create }} + priorityClassName: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ add .Values.artifactory.terminationGracePeriodSeconds 10 }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} +{{- include "artifactory-ha.imagePullSecrets" . | indent 6 }} + {{- end }} + {{- if .Values.artifactory.podSecurityContext.enabled }} + securityContext: {{- omit .Values.artifactory.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.artifactory.topologySpreadConstraints }} + topologySpreadConstraints: +{{ tpl (toYaml .Values.artifactory.topologySpreadConstraints) . | indent 8 }} + {{- end }} + initContainers: + {{- if or .Values.artifactory.customInitContainersBegin .Values.global.customInitContainersBegin }} +{{ tpl (include "artifactory-ha.customInitContainersBegin" .) . | indent 6 }} + {{- end }} + {{- if .Values.artifactory.persistence.enabled }} + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + - name: "create-artifactory-data-dir" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > + mkdir -p {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}; + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + {{- end }} + {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} + - name: "delete-db-properties" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - 'rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/db.properties' + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + {{- if or (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) .Values.artifactory.admin.password }} + - name: "access-bootstrap-creds" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > + echo "Preparing {{ .Values.artifactory.persistence.mountPath }}/etc/access/bootstrap.creds"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access; + cp -Lrf /tmp/access/bootstrap.creds {{ .Values.artifactory.persistence.mountPath }}/etc/access/bootstrap.creds; + chmod 600 {{ .Values.artifactory.persistence.mountPath }}/etc/access/bootstrap.creds; + volumeMounts: + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + {{- if or (not .Values.artifactory.unifiedSecretInstallation) (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) }} + - name: access-bootstrap-creds + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/access/bootstrap.creds" + {{- if and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey }} + subPath: {{ .Values.artifactory.admin.dataKey }} + {{- else }} + subPath: bootstrap.creds + {{- end }} + {{- end }} + {{- end }} + - name: 'copy-system-configurations' + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - '/bin/bash' + - '-c' + - > + if [[ -e "{{ .Values.artifactory.persistence.mountPath }}/etc/filebeat.yaml" ]]; then chmod 644 {{ .Values.artifactory.persistence.mountPath }}/etc/filebeat.yaml; fi; + echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; + {{- if .Values.systemYamlOverride.existingSecret }} + cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + {{- else }} + cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + {{- end }} + echo "Copy binarystore.xml file"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/artifactory; + cp -fv /tmp/etc/artifactory/binarystore.xml {{ .Values.artifactory.persistence.mountPath }}/etc/artifactory/binarystore.xml; + {{- if .Values.access.accessConfig }} + echo "Copy access.config.patch.yml to {{ .Values.artifactory.persistence.mountPath }}/etc/access"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access; + cp -fv /tmp/etc/access.config.patch.yml {{ .Values.artifactory.persistence.mountPath }}/etc/access/access.config.patch.yml; + {{- end }} + {{- if .Values.access.resetAccessCAKeys }} + echo "Resetting Access CA Keys"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys; + touch {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys/reset_ca_keys; + {{- end }} + {{- if .Values.access.customCertificatesSecretName }} + echo "Copying custom certificates to {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys; + cp -fv /tmp/etc/tls.crt {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys/ca.crt; + cp -fv /tmp/etc/tls.key {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys/ca.private.key; + {{- end }} + {{- if .Values.jfconnect.customCertificatesSecretName }} + echo "Copying custom certificates to {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys; + cp -fv /tmp/etc/tls.crt {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys/; + cp -fv /tmp/etc/tls.cer {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys/; + cp -fv /tmp/etc/tls.pem {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys/; + cp -fv /tmp/etc/tls.key {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys/; + {{- end }} + {{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + echo "Copy joinKey to {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security; + echo -n ${ARTIFACTORY_JOIN_KEY} > {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security/join.key; + {{- end }} + {{- if or .Values.artifactory.jfConnectToken .Values.artifactory.jfConnectTokenSecretName }} + echo "Copy jfConnectToken to {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/registration_token"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/; + echo -n ${ARTIFACTORY_JFCONNECT_TOKEN} > {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/registration_token; + {{- end }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + echo "Copy masterKey to {{ .Values.artifactory.persistence.mountPath }}/etc/security"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/security; + echo -n ${ARTIFACTORY_MASTER_KEY} > {{ .Values.artifactory.persistence.mountPath }}/etc/security/master.key; + {{- end }} + env: + {{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + - name: ARTIFACTORY_JOIN_KEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + name: {{ include "artifactory-ha.joinKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: join-key + {{- end }} + {{- if or .Values.artifactory.jfConnectToken .Values.artifactory.jfConnectTokenSecretName }} + - name: ARTIFACTORY_JFCONNECT_TOKEN + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.jfConnectTokenSecretName }} + name: {{ include "artifactory-ha.jfConnectTokenSecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: jfconnect-token + {{- end }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + - name: ARTIFACTORY_MASTER_KEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + name: {{ include "artifactory-ha.masterKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: master-key + {{- end }} + + ######################## Volume Mounts For copy-system-configurations ########################## + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + + ######################## SystemYaml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" + subPath: {{ .Values.systemYamlOverride.dataKey }} + {{- else }} + mountPath: "/tmp/etc/system.yaml" + subPath: system.yaml + {{- end }} + + ######################## Binarystore ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + + ######################## Access config ########################## + {{- if .Values.access.accessConfig }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + - name: access-config + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/access.config.patch.yml" + subPath: access.config.patch.yml + {{- end }} + + ######################## Access certs external secret ########################## + {{- if .Values.access.customCertificatesSecretName }} + - name: access-certs + mountPath: "/tmp/etc/tls.crt" + subPath: tls.crt + - name: access-certs + mountPath: "/tmp/etc/tls.key" + subPath: tls.key + {{- end }} + + {{- if .Values.jfconnect.customCertificatesSecretName }} + - name: jfconnect-certs + mountPath: "/tmp/etc/tls.crt" + subPath: tls.crt + - name: jfconnect-certs + mountPath: "/tmp/etc/tls.pem" + subPath: tls.pem + - name: jfconnect-certs + mountPath: "/tmp/etc/tls.cer" + subPath: tls.cer + - name: jfconnect-certs + mountPath: "/tmp/etc/tls.key" + subPath: tls.key + {{- end }} + + {{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: copy-custom-certificates + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > +{{ include "artifactory-ha.copyCustomCerts" . | indent 10 }} + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath }} + - name: ca-certs + mountPath: "/tmp/certs" + {{- end }} + + {{- if .Values.artifactory.circleOfTrustCertificatesSecret }} + - name: copy-circle-of-trust-certificates + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > +{{ include "artifactory.copyCircleOfTrustCertsCerts" . | indent 10 }} + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath }} + - name: circle-of-trust-certs + mountPath: "/tmp/circleoftrustcerts" + {{- end }} + + {{- if .Values.waitForDatabase }} + {{- if or .Values.postgresql.enabled }} + - name: "wait-for-db" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - /bin/bash + - -c + - | + echo "Waiting for postgresql to come up" + ready=false; + while ! $ready; do echo waiting; + timeout 2s bash -c " + {{- if .Values.artifactory.migration.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.artifactory.migration.preStartCommand . }}; + {{- end }} + scriptsPath="/opt/jfrog/artifactory/app/bin"; + mkdir -p $scriptsPath; + echo "Copy migration scripts and Run migration"; + cp -fv /tmp/migrate.sh $scriptsPath/migrate.sh; + cp -fv /tmp/migrationHelmInfo.yaml $scriptsPath/migrationHelmInfo.yaml; + cp -fv /tmp/migrationStatus.sh $scriptsPath/migrationStatus.sh; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/log; + bash $scriptsPath/migrationStatus.sh {{ include "artifactory-ha.app.version" . }} {{ .Values.artifactory.migration.timeoutSeconds }} > >(tee {{ .Values.artifactory.persistence.mountPath }}/log/helm-migration.log) 2>&1; + env: + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + - name: JF_SHARED_NODE_HAENABLED + value: "true" +{{- with .Values.artifactory.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + - name: migration-scripts + mountPath: "/tmp/migrate.sh" + subPath: migrate.sh + - name: migration-scripts + mountPath: "/tmp/migrationHelmInfo.yaml" + subPath: migrationHelmInfo.yaml + - name: migration-scripts + mountPath: "/tmp/migrationStatus.sh" + subPath: migrationStatus.sh + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + + ######################## Artifactory persistence fs ########################## + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + + ######################## CustomVolumeMounts ########################## + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + ######################## Artifactory persistence binarystore Xml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + + ######################## Artifactory persistence google storage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json + {{- end }} + {{- end }} + +{{- end }} + + {{- if .Values.hostAliases }} + hostAliases: +{{ toYaml .Values.hostAliases | indent 6 }} + {{- end }} + containers: + {{- if .Values.splitServicesToContainers }} + - name: {{ .Values.router.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "router") }} + imagePullPolicy: {{ .Values.router.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/router/app/bin/entrypoint-router.sh; + {{- with .Values.router.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "artifactory-ha.router.requiredServiceTypes" . }} +{{- with .Values.router.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + - name: volume + mountPath: {{ .Values.router.persistence.mountPath | quote }} +{{- with .Values.router.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.router.resources | indent 10 }} + {{- if .Values.router.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.router.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.router.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.router.readinessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.router.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.router.livenessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.frontend.enabled }} + - name: {{ .Values.frontend.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/third-party/node/bin/node /opt/jfrog/artifactory/app/frontend/bin/server/dist/bundle.js /opt/jfrog/artifactory/app/frontend + {{- with .Values.frontend.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name : JF_SHARED_NODE_HAENABLED + value: "true" +{{- with .Values.frontend.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.frontend.resources | indent 10 }} + {{- if .Values.frontend.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.frontend.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.frontend.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.frontend.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.evidence.enabled }} + - name: {{ .Values.evidence.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/evidence/bin/jf-evidence start + {{- with .Values.evidence.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.evidence.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.evidence.internalPort }} + name: http-evidence + - containerPort: {{ .Values.evidence.externalPort }} + name: grpc-evidence + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.evidence.resources | indent 10 }} + {{- if .Values.evidence.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.evidence.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.evidence.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.evidence.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.metadata.enabled }} + - name: {{ .Values.metadata.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "metadata") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + {{- if default false .Values.metadata.standaloneImageEnabled }} + - exec /opt/jfrog/metadata/app/metadata/bin/jf-metadata + {{- else }} + - exec /opt/jfrog/artifactory/app/metadata/bin/jf-metadata start + {{- end }} + {{- with .Values.metadata.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.metadata.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + {{- if default false .Values.metadata.standaloneImageEnabled }} + mountPath: {{ .Values.metadata.persistence.mountPath | quote }} + {{- else }} + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + {{- end }} + resources: +{{ toYaml .Values.metadata.resources | indent 10 }} + {{- if .Values.metadata.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.metadata.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.metadata.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.metadata.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.onemodel.enabled }} + - name: {{ .Values.onemodel.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/onemodel/bin/entrypoint-onemodel.sh + {{- with .Values.onemodel.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: JF_ONEMODEL_LISTENADDR + value: "0.0.0.0" +{{- with .Values.onemodel.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.onemodel.resources | indent 10 }} + {{- if .Values.onemodel.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.onemodel.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.onemodel.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.onemodel.livenessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.onemodel.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.onemodel.readinessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.event.enabled }} + - name: {{ .Values.event.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/event/bin/jf-event start + {{- with .Values.event.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- with .Values.event.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.event.resources | indent 10 }} + {{- if .Values.event.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.event.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.event.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.event.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.jfconnect.enabled }} + - name: {{ .Values.jfconnect.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/jfconnect/bin/jf-connect start + {{- with .Values.jfconnect.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- with .Values.jfconnect.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.jfconnect.resources | indent 10 }} + {{- if .Values.jfconnect.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.jfconnect.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.jfconnect.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.jfconnect.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.topology.enabled }} + - name: {{ .Values.topology.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/topology/bin/entrypoint-topology.sh + {{- with .Values.topology.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.topology.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.topology.internalPort }} + name: http-topology + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.topology.resources | indent 10 }} + {{- if .Values.topology.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.topology.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.topology.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.topology.readinessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.topology.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.topology.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.observability.enabled }} + - name: {{ .Values.observability.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "observability") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + {{- if default false .Values.observability.standaloneImageEnabled }} + - exec /opt/jfrog/observability/app/bin/entrypoint-observability.sh + {{- else }} + - exec /opt/jfrog/artifactory/app/observability/bin/jf-observability start + {{- end }} + {{- with .Values.observability.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- with .Values.observability.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: volume + {{- if default false .Values.observability.standaloneImageEnabled }} + mountPath: {{ .Values.observability.persistence.mountPath | quote }} + {{- else }} + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + {{- end }} + resources: +{{ toYaml .Values.observability.resources | indent 10 }} + {{- if .Values.observability.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.observability.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.observability.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.observability.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.access.enabled (not (.Values.access.runOnArtifactoryTomcat | default false)) }} + - name: {{ .Values.access.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + {{- if .Values.access.resources }} + resources: +{{ toYaml .Values.access.resources | indent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + set -e; + {{- if .Values.access.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.access.preStartCommand . }}; + {{- end }} + exec /opt/jfrog/artifactory/app/access/bin/entrypoint-access.sh + {{- with .Values.access.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.access.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: awsmp-product-license + mountPath: "/var/run/secrets/product-license" + {{- end }} + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + + ######################## Artifactory persistence fs ########################## + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + ######################## Artifactory persistence binarystore Xml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + + ######################## Artifactory persistence google storage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json + {{- end }} + + + ######################## Artifactory license ########################## + {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.license.secret }} + - name: artifactory-license + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/artifactory.cluster.license" + {{- if .Values.artifactory.license.secret }} + subPath: {{ .Values.artifactory.license.dataKey }} + {{- else if .Values.artifactory.license.licenseKey }} + subPath: artifactory.lic + {{- end }} + {{- end }} + {{- end }} + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + {{- if .Values.access.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.access.startupProbe.config . | indent 10 }} + {{- end }} + {{- if semverCompare " + set -e; + if [ -d /artifactory_extra_conf ] && [ -d /artifactory_bootstrap ]; then + echo "Copying bootstrap config from /artifactory_extra_conf to /artifactory_bootstrap"; + cp -Lrfv /artifactory_extra_conf/ /artifactory_bootstrap/; + fi; + {{- if .Values.artifactory.configMapName }} + echo "Copying bootstrap configs"; + cp -Lrf /bootstrap/* /artifactory_bootstrap/; + {{- end }} + {{- if .Values.artifactory.userPluginSecrets }} + echo "Copying plugins"; + cp -Lrf /tmp/plugin/*/* /artifactory_bootstrap/plugins; + {{- end }} + {{- range .Values.artifactory.copyOnEveryStartup }} + {{- $targetPath := printf "%s/%s" $.Values.artifactory.persistence.mountPath .target }} + {{- $baseDirectory := regexFind ".*/" $targetPath }} + mkdir -p {{ $baseDirectory }}; + cp -Lrf {{ .source }} {{ $.Values.artifactory.persistence.mountPath }}/{{ .target }}; + {{- end }} + {{- with .Values.artifactory.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.artifactory.primary.preStartCommand }} + echo "Running primary specific custom preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /entrypoint-artifactory.sh + {{- with .Values.artifactory.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if .Values.aws.license.enabled }} + - name: IS_AWS_LICENSE + value: "true" + - name: AWS_REGION + value: {{ .Values.aws.region | quote }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + {{- end }} + {{- if .Values.splitServicesToContainers }} + - name : JF_ROUTER_ENABLED + value: "true" + - name : JF_ROUTER_SERVICE_ENABLED + value: "false" + - name : JF_EVENT_ENABLED + value: "false" + - name : JF_METADATA_ENABLED + value: "false" + - name : JF_FRONTEND_ENABLED + value: "false" + - name: JF_FEDERATION_ENABLED + value: "false" + - name : JF_OBSERVABILITY_ENABLED + value: "false" + - name : JF_JFCONNECT_SERVICE_ENABLED + value: "false" + - name : JF_EVIDENCE_ENABLED + value: "false" + - name : JF_ONEMODEL_ENABLED + value: "false" + {{- if not (.Values.access.runOnArtifactoryTomcat | default false) }} + - name : JF_ACCESS_ENABLED + value: "false" + {{- end}} + - name: JF_TOPOLOGY_SPLIT_CONTAINER_ENABLED + value: "true" + {{- end }} + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + - name: JF_SHARED_NODE_HAENABLED + value: "true" +{{- with .Values.artifactory.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.artifactory.internalPort }} + name: http + - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} + name: http-internal + {{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} + - containerPort: {{ .Values.artifactory.primary.javaOpts.jmx.port }} + name: tcp-jmx + {{- end }} + {{- if .Values.artifactory.ssh.enabled }} + - containerPort: {{ .Values.artifactory.ssh.internalPort }} + name: tcp-ssh + {{- end }} + + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: awsmp-product-license + mountPath: "/var/run/secrets/product-license" + {{- end }} + {{- if .Values.artifactory.userPluginSecrets }} + - name: bootstrap-plugins + mountPath: "/artifactory_bootstrap/plugins/" + {{- range .Values.artifactory.userPluginSecrets }} + - name: {{ tpl . $ }} + mountPath: "/tmp/plugin/{{ tpl . $ }}" + {{- end }} + {{- end }} + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + + ######################## Artifactory persistence fs ########################## + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + ######################## Artifactory persistence binarystoreXml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + + ######################## Artifactory persistence googleStorage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json + {{- end }} + {{- end }} + + ######################## Artifactory configMapName ########################## + {{- if .Values.artifactory.configMapName }} + - name: bootstrap-config + mountPath: "/bootstrap/" + {{- end }} + + ######################## Artifactory license ########################## + {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.license.secret }} + - name: artifactory-license + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/artifactory.cluster.license" + {{- if .Values.artifactory.license.secret }} + subPath: {{ .Values.artifactory.license.dataKey }} + {{- else if .Values.artifactory.license.licenseKey }} + subPath: artifactory.lic + {{- end }} + {{- end }} + + - name: installer-info + mountPath: "/artifactory_bootstrap/info/installer-info.json" + subPath: installer-info.json + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + resources: +{{ toYaml .Values.artifactory.primary.resources | indent 10 }} + {{- if .Values.artifactory.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.artifactory.startupProbe.config . | indent 10 }} + {{- end }} + {{- if and (not .Values.splitServicesToContainers) (semverCompare "=1.18.0-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingressGrpc.className }} + {{- end }} + {{- if .Values.ingressGrpc.defaultBackend.enabled }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} + rules: +{{- if .Values.ingressGrpc.hosts }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + {{- range $host := .Values.ingressGrpc.hosts }} + - host: {{ $host | quote }} + http: + paths: + - path: {{ $.Values.ingressGrpc.grpcPath }} + pathType: {{ $.Values.ingressGrpc.pathType | default "ImplementationSpecific" }} + backend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- end }} + {{- else }} + {{- range $host := .Values.ingressGrpc.hosts }} + - host: {{ $host | quote }} + http: + paths: + - path: {{ $.Values.ingressGrpc.grpcPath }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} +{{- end -}} + {{- with .Values.ingressGrpc.additionalRules }} +{{ tpl . $ | indent 2 }} + {{- end }} + + {{- if .Values.ingressGrpc.tls }} + tls: +{{ toYaml .Values.ingressGrpc.tls | indent 4 }} + {{- end -}} + +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/ingress.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/ingress.yaml new file mode 100644 index 000000000..125bbc56b --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/ingress.yaml @@ -0,0 +1,107 @@ +{{- if .Values.ingress.enabled -}} +{{- $serviceName := include "artifactory-ha.fullname" . -}} +{{- $servicePort := .Values.artifactory.externalPort -}} +{{- $serviceRTFSName := include "rtfs.fullname" . -}} +{{- $artifactoryServicePort := .Values.artifactory.externalArtifactoryPort -}} +{{- $ingressName := default ( include "artifactory-ha.fullname" . ) .Values.ingress.name -}} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} +apiVersion: networking.k8s.io/v1 +{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $ingressName }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.ingress.labels }} +{{ .Values.ingress.labels | toYaml | trimSuffix "\n"| indent 4 -}} +{{- end}} +{{- if .Values.ingress.annotations }} + annotations: +{{ .Values.ingress.annotations | toYaml | trimSuffix "\n" | indent 4 -}} +{{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.defaultBackend.enabled }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} + rules: +{{- if .Values.ingress.hosts }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host | quote }} + http: + paths: + - path: {{ $.Values.ingress.routerPath }} + pathType: {{ $.Values.ingress.pathType | default "ImplementationSpecific" }} + backend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- if not $.Values.ingress.disableRouterBypass }} + - path: {{ $.Values.ingress.artifactoryPath }} + pathType: {{ $.Values.ingress.pathType | default "ImplementationSpecific" }} + backend: + service: + name: {{ $serviceName }} + port: + number: {{ $artifactoryServicePort }} + {{- end }} + {{- if and $.Values.rtfs.enabled $.Values.ingress.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" $.Values.artifactory.image.repository)) }} + - path: {{ $.Values.ingress.rtfsPath }} + pathType: {{ $.Values.ingress.pathType | default "ImplementationSpecific" }} + backend: + service: + name: {{ $serviceRTFSName }} + port: + name: http-router + {{- end }} + {{- end }} + {{- else }} + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host | quote }} + http: + paths: + - path: {{ $.Values.ingress.routerPath }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + - path: {{ $.Values.ingress.artifactoryPath }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $artifactoryServicePort }} + {{- end }} + {{- end }} +{{- end -}} + {{- with .Values.ingress.additionalRules }} +{{ tpl . $ | indent 2 }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: +{{ toYaml .Values.ingress.tls | indent 4 }} + {{- end -}} + +{{- if .Values.customIngress }} +--- +{{ .Values.customIngress | toYaml | trimSuffix "\n" }} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/logger-configmap.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/logger-configmap.yaml new file mode 100644 index 000000000..d3597905d --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/logger-configmap.yaml @@ -0,0 +1,63 @@ +{{- if or .Values.artifactory.loggers .Values.artifactory.catalinaLoggers }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-logger + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + tail-log.sh: | + #!/bin/sh + + LOG_DIR=$1 + LOG_NAME=$2 + PID= + + # Wait for log dir to appear + while [ ! -d ${LOG_DIR} ]; do + sleep 1 + done + + cd ${LOG_DIR} + + LOG_PREFIX=$(echo ${LOG_NAME} | sed 's/.log$//g') + + # Find the log to tail + LOG_FILE=$(ls -1t ./${LOG_PREFIX}.log 2>/dev/null) + + # Wait for the log file + while [ -z "${LOG_FILE}" ]; do + sleep 1 + LOG_FILE=$(ls -1t ./${LOG_PREFIX}.log 2>/dev/null) + done + + echo "Log file ${LOG_FILE} is ready!" + + # Get inode number + INODE_ID=$(ls -i ${LOG_FILE}) + + # echo "Tailing ${LOG_FILE}" + tail -F ${LOG_FILE} & + PID=$! + + # Loop forever to see if a new log was created + while true; do + # Check inode number + NEW_INODE_ID=$(ls -i ${LOG_FILE}) + + # If inode number changed, this means log was rotated and need to start a new tail + if [ "${INODE_ID}" != "${NEW_INODE_ID}" ]; then + kill -9 ${PID} 2>/dev/null + INODE_ID="${NEW_INODE_ID}" + + # Start a new tail + tail -F ${LOG_FILE} & + PID=$! + fi + sleep 1 + done + +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-artifactory-conf.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-artifactory-conf.yaml new file mode 100644 index 000000000..97ae5f27b --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-artifactory-conf.yaml @@ -0,0 +1,18 @@ +{{- if and (not .Values.nginx.customArtifactoryConfigMap) .Values.nginx.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-nginx-artifactory-conf + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + artifactory.conf: | +{{- if .Values.nginx.artifactoryConf }} +{{ tpl .Values.nginx.artifactoryConf . | indent 4 }} +{{- else }} +{{ tpl ( .Files.Get "files/nginx-artifactory-conf.yaml" ) . | indent 4 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-certificate-secret.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-certificate-secret.yaml new file mode 100644 index 000000000..29c77ad5a --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-certificate-secret.yaml @@ -0,0 +1,14 @@ +{{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.enabled .Values.nginx.https.enabled }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ template "artifactory-ha.fullname" . }}-nginx-certificate + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: +{{ ( include "artifactory-ha.gen-certs" . ) | indent 2 }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-conf.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-conf.yaml new file mode 100644 index 000000000..4f0d65f25 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-conf.yaml @@ -0,0 +1,18 @@ +{{- if and (not .Values.nginx.customConfigMap) .Values.nginx.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-nginx-conf + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + nginx.conf: | +{{- if .Values.nginx.mainConf }} +{{ tpl .Values.nginx.mainConf . | indent 4 }} +{{- else }} +{{ tpl ( .Files.Get "files/nginx-main-conf.yaml" ) . | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-deployment.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-deployment.yaml new file mode 100644 index 000000000..d43689b8c --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-deployment.yaml @@ -0,0 +1,221 @@ +{{- if .Values.nginx.enabled -}} +{{- $serviceName := include "artifactory-ha.fullname" . -}} +{{- $servicePort := .Values.artifactory.externalPort -}} +apiVersion: apps/v1 +kind: {{ .Values.nginx.kind }} +metadata: + name: {{ template "artifactory-ha.nginx.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: {{ .Values.nginx.name }} +{{- if .Values.nginx.labels }} +{{ toYaml .Values.nginx.labels | indent 4 }} +{{- end }} +{{- with .Values.nginx.deployment.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if ne .Values.nginx.kind "DaemonSet" }} + replicas: {{ .Values.nginx.replicaCount }} +{{- end }} + selector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.nginx.name }} + template: + metadata: + annotations: + checksum/nginx-conf: {{ include (print $.Template.BasePath "/nginx-conf.yaml") . | sha256sum }} + checksum/nginx-artifactory-conf: {{ include (print $.Template.BasePath "/nginx-artifactory-conf.yaml") . | sha256sum }} + {{- range $key, $value := .Values.nginx.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.nginx.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.nginx.labels }} +{{ toYaml .Values.nginx.labels | indent 8 }} +{{- end }} + spec: + {{- if .Values.nginx.podSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.nginx.terminationGracePeriodSeconds }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} +{{- include "artifactory-ha.imagePullSecrets" . | indent 6 }} + {{- end }} + {{- if .Values.nginx.priorityClassName }} + priorityClassName: {{ .Values.nginx.priorityClassName | quote }} + {{- end }} + {{- if .Values.nginx.topologySpreadConstraints }} + topologySpreadConstraints: +{{ tpl (toYaml .Values.nginx.topologySpreadConstraints) . | indent 8 }} + {{- end }} + initContainers: + {{- if .Values.nginx.customInitContainers }} +{{ tpl (include "artifactory.nginx.customInitContainers" .) . | indent 6 }} + {{- end }} + - name: "setup" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/sh' + - '-c' + - > + rm -rfv {{ .Values.nginx.persistence.mountPath }}/lost+found; + mkdir -p {{ .Values.nginx.persistence.mountPath }}/logs; + resources: + {{- toYaml .Values.initContainers.resources | nindent 10 }} + volumeMounts: + - mountPath: {{ .Values.nginx.persistence.mountPath | quote }} + name: nginx-volume + containers: + - name: {{ .Values.nginx.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "nginx") }} + imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + {{- if .Values.nginx.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + {{- if .Values.nginx.customCommand }} + command: +{{- tpl (include "nginx.command" .) . | indent 10 }} + {{- end }} + ports: +{{ if .Values.nginx.customPorts }} +{{ toYaml .Values.nginx.customPorts | indent 8 }} +{{ end }} + # DEPRECATION NOTE: The following is to maintain support for values pre 1.3.1 and + # will be cleaned up in a later version + {{- if .Values.nginx.http }} + {{- if .Values.nginx.http.enabled }} + - containerPort: {{ .Values.nginx.http.internalPort }} + name: http + {{- end }} + {{- else }} # DEPRECATED + - containerPort: {{ .Values.nginx.internalPortHttp }} + name: http-internal + {{- end }} + {{- if .Values.nginx.https }} + {{- if .Values.nginx.https.enabled }} + - containerPort: {{ .Values.nginx.https.internalPort }} + name: https + {{- end }} + {{- else }} # DEPRECATED + - containerPort: {{ .Values.nginx.internalPortHttps }} + name: https-internal + {{- end }} + {{- if .Values.artifactory.ssh.enabled }} + - containerPort: {{ .Values.nginx.ssh.internalPort }} + name: tcp-ssh + {{- end }} + {{- with .Values.nginx.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + - name: nginx-artifactory-conf + mountPath: "{{ .Values.nginx.persistence.mountPath }}/conf.d/" + - name: nginx-volume + mountPath: {{ .Values.nginx.persistence.mountPath | quote }} + {{- if .Values.nginx.https.enabled }} + - name: ssl-certificates + mountPath: "{{ .Values.nginx.persistence.mountPath }}/ssl" + {{- end }} + {{- if .Values.nginx.customVolumeMounts }} +{{ tpl (include "artifactory.nginx.customVolumeMounts" .) . | indent 8 }} + {{- end }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} + {{- if .Values.nginx.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.nginx.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.nginx.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.nginx.readinessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.nginx.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.nginx.livenessProbe.config . | indent 10 }} + {{- end }} + {{- $mountPath := .Values.nginx.persistence.mountPath }} + {{- range .Values.nginx.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list $ "initContainers") }} + imagePullPolicy: {{ $.Values.initContainers.image.pullPolicy }} + command: + - tail + args: + - '-F' + - '{{ $mountPath }}/logs/{{ . }}' + volumeMounts: + - name: nginx-volume + mountPath: {{ $mountPath }} + resources: +{{ toYaml $.Values.nginx.loggersResources | indent 10 }} + {{- end }} + {{- if .Values.nginx.customSidecarContainers }} +{{ tpl (include "artifactory.nginx.customSidecarContainers" .) . | indent 6 }} + {{- end }} + {{- if or .Values.nginx.nodeSelector .Values.global.nodeSelector }} +{{ tpl (include "nginx.nodeSelector" .) . | indent 6 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- if .Values.nginx.customVolumes }} +{{ tpl (include "artifactory.nginx.customVolumes" .) . | indent 6 }} + {{- end }} + - name: nginx-conf + configMap: + {{- if .Values.nginx.customConfigMap }} + name: {{ .Values.nginx.customConfigMap }} + {{- else }} + name: {{ template "artifactory-ha.fullname" . }}-nginx-conf + {{- end }} + - name: nginx-artifactory-conf + configMap: + {{- if .Values.nginx.customArtifactoryConfigMap }} + name: {{ .Values.nginx.customArtifactoryConfigMap }} + {{- else }} + name: {{ template "artifactory-ha.fullname" . }}-nginx-artifactory-conf + {{- end }} + + - name: nginx-volume + {{- if .Values.nginx.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.nginx.persistence.existingClaim | default (include "artifactory-ha.nginx.fullname" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.nginx.https.enabled }} + - name: ssl-certificates + secret: + {{- if .Values.nginx.tlsSecretName }} + secretName: {{ .Values.nginx.tlsSecretName }} + {{- else }} + secretName: {{ template "artifactory-ha.fullname" . }}-nginx-certificate + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-pdb.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-pdb.yaml new file mode 100644 index 000000000..0aed99368 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/nginx-pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.nginx.enabled -}} +{{- if semverCompare " + echo "Copy system.yaml to {{ .Values.rtfs.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.rtfs.persistence.mountPath }}/etc; + {{- if .Values.systemYamlOverride.existingSecret }} + cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.rtfs.persistence.mountPath }}/etc/system.yaml; + {{- else }} + cp -fv /tmp/etc/system.yaml {{ .Values.rtfs.persistence.mountPath }}/etc/system.yaml; + {{- end }} + echo "Copying artifactory-federation properties to {{ .Values.rtfs.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.rtfs.persistence.mountPath }}/etc; + echo "Starting to copy files to artifactory-federation.properties"; + found=false; + for file in /tmp/etc/properties/*; do + if [ -f "$file" ]; then + found=true; + key=$(basename "$file"); + value=$(cat "$file"); + echo "Processing file: $file"; + echo "$key=$value" >> {{ .Values.rtfs.persistence.mountPath }}/etc/artifactory-federation.properties; + fi; + done; + if [ "$found" = false ]; then + echo "No matching files found, creating an empty artifactory-federation.properties file"; + touch {{ .Values.rtfs.persistence.mountPath }}/etc/artifactory-federation.properties; + fi + volumeMounts: + - name: data + mountPath: {{ .Values.rtfs.persistence.mountPath | quote }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey }}" + subPath: {{ .Values.systemYamlOverride.dataKey }} + {{- else }} + mountPath: "/tmp/etc/system.yaml" + subPath: "system.yaml" + {{- end }} + {{- if or .Values.rtfs.persistence.federationProperties .Values.rtfs.persistence.customFederationPropertiesConfig }} + - name: federationproperties + mountPath: /tmp/etc/properties + {{- end }} + containers: + - name: rtfs + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "rtfs") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy | quote }} + {{- if .Values.rtfs.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.rtfs.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: {{ .Values.rtfs.persistence.mountPath | quote }} + {{- if .Values.rtfs.customVolumeMounts }} +{{ tpl (include "artifactory.rtfs.customVolumeMounts" .) . | indent 12 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if .Values.rtfs.javaOpts }} + - name: EXTRA_JAVA_OPTS + value: {{ .Values.rtfs.javaOpts }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + - name: JF_SHARED_SECURITY_MASTERKEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + name: {{ include "artifactory-ha.masterKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: master-key + {{- end }} + {{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + - name: JF_SHARED_SECURITY_JOINKEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + name: {{ include "artifactory-ha.joinKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: join-key + {{- end }} +{{- with .Values.rtfs.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 12 }} +{{- end }} + resources: {{- toYaml .Values.rtfs.resources | nindent 12 }} + {{- if .Values.rtfs.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.rtfs.startupProbe.config . | indent 12 }} + {{- end }} + {{- if .Values.rtfs.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.rtfs.livenessProbe.config . | indent 12 }} + {{- end }} + {{- if .Values.rtfs.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.rtfs.readinessProbe.config . | indent 12 }} + {{- end }} + {{- with .Values.rtfs.lifecycle }} + lifecycle: +{{ toYaml . | indent 12 }} + {{- end }} + - name: router + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "router") }} + imagePullPolicy: {{ .Values.router.image.imagePullPolicy }} + resources: {{- toYaml .Values.router.resources | nindent 12 }} + {{- if .Values.rtfs.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.rtfs.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/router/app/bin/entrypoint-router.sh + env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: "jfrtfs" + - name: JF_SHARED_JFROGURL + value: {{ include "rtfs.jfrogUrl" . }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + - name: JF_SHARED_SECURITY_MASTERKEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + name: {{ include "artifactory-ha.masterKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: master-key + {{- end }} + {{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + - name: JF_SHARED_SECURITY_JOINKEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + name: {{ include "artifactory-ha.joinKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: join-key + {{- end }} +{{- with .Values.router.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 12 }} +{{- end }} + ports: + - name: http-router + containerPort: {{ .Values.router.internalPort }} + volumeMounts: + - name: data + mountPath: {{ .Values.router.persistence.mountPath | quote }} + {{- if .Values.router.extraVolumeMounts }} + {{- toYaml .Values.router.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.router.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.router.startupProbe.config . | indent 12 }} + {{- end }} + {{- if .Values.router.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.router.readinessProbe.config . | indent 12 }} + {{- end }} + {{- if .Values.router.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.router.livenessProbe.config . | indent 12 }} + {{- end }} + {{- with .Values.router.lifecycle }} + lifecycle: +{{ toYaml . | indent 12 }} + {{- end }} + {{- if .Values.rtfs.customSidecarContainers }} +{{ tpl (include "artifactory.rtfs.customSidecarContainers" .) . | indent 8 }} + {{- end }} + volumes: + # system yaml + {{- if .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + secret: + secretName: {{ .Values.systemYamlOverride.existingSecret }} + {{- end }} + + ######### unifiedSecretInstallation ########### + {{- if and .Values.artifactory.unifiedSecretInstallation (eq (include "artifactory-ha.checkDuplicateUnifiedCustomVolume" .) "false" ) }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + secret: + secretName: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- else if not .Values.artifactory.unifiedSecretInstallation }} + {{- if not .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + secret: + secretName: {{ template "artifactory-ha.primary.name" . }}-system-yaml + {{- end }} + {{- end }} + {{- if .Values.rtfs.customVolumes }} +{{ tpl (include "artifactory.rtfs.customVolumes" .) . | indent 8 }} + {{- end }} + - name: data + emptyDir: {} + {{- if and (.Values.rtfs.persistence.federationProperties) (not .Values.rtfs.persistence.customFederationPropertiesConfig) }} + - name: federationproperties + configMap: + name: {{ include "rtfs.fullname" . }}-properties + {{- end }} + {{- if .Values.rtfs.persistence.customFederationPropertiesConfig }} + - name: federationproperties + configMap: + name: {{ .Values.rtfs.persistence.customFederationPropertiesConfig }} + {{- end }} + {{- if .Values.rtfs.extraVolumes }} + {{- toYaml .Values.rtfs.extraVolumes | nindent 8 }} + {{- end }} + {{- with .Values.rtfs.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.rtfs.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.rtfs.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/rtfs-properties-configmap.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/rtfs-properties-configmap.yaml new file mode 100644 index 000000000..8cad47550 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/rtfs-properties-configmap.yaml @@ -0,0 +1,17 @@ +{{- if and (.Values.rtfs.persistence.federationProperties) (not .Values.rtfs.persistence.customFederationPropertiesConfig) .Values.rtfs.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "rtfs.fullname" . }}-properties + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.rtfs.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + {{- range $key, $value := .Values.rtfs.persistence.federationProperties }} + {{ $key }}: {{ tpl ($value | default "") . | quote }} + {{- end }} + {{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/templates/rtfs-service.yaml b/charts/jfrog/artifactory-ha/107.104.6/templates/rtfs-service.yaml new file mode 100644 index 000000000..684c20440 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/templates/rtfs-service.yaml @@ -0,0 +1,41 @@ +{{- if .Values.rtfs.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "rtfs.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.rtfs.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.rtfs.service.labels }} +{{ toYaml .Values.rtfs.service.labels | indent 4 }} +{{- end }} +{{- with .Values.rtfs.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + type: {{ .Values.rtfs.service.type }} + {{- if eq .Values.rtfs.service.type "LoadBalancer" }} + {{- if not (empty .Values.rtfs.service.loadBalancerIP) }} + loadBalancerIP: {{ .Values.rtfs.service.loadBalancerIP }} + {{- end }} + {{- if .Values.rtfs.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.rtfs.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- end }} + {{- if (or (eq .Values.rtfs.service.type "LoadBalancer") (eq .Values.rtfs.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.rtfs.service.externalTrafficPolicy | quote }} + {{- end }} + ports: + - port: {{ .Values.router.externalPort }} + targetPort: {{ .Values.router.internalPort }} + protocol: TCP + name: http-router + selector: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.rtfs.name }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/107.104.6/values.yaml b/charts/jfrog/artifactory-ha/107.104.6/values.yaml new file mode 100644 index 000000000..d8965aa24 --- /dev/null +++ b/charts/jfrog/artifactory-ha/107.104.6/values.yaml @@ -0,0 +1,2125 @@ +## Default values for artifactory-ha. +## This is a YAML-formatted file. +## Beware when changing values here. You should know what you are doing! +## Access the values with {{ .Values.key.subkey }} +global: + # imageRegistry: releases-docker.jfrog.io + # imagePullSecrets: + # - myRegistryKeySecretName + ## Chart.AppVersion can be overidden using global.versions.artifactory or .Values.artifactory.image.tag + ## Note: Order of preference is 1) global.versions 2) .Values.artifactory.image.tag 3) Chart.AppVersion + ## This applies also for nginx images (.Values.nginx.image.tag) + versions: {} + # artifactory: + # initContainers: + # rtfs: + # joinKey: + # masterKey: + # joinKeySecretName: + # masterKeySecretName: + + ## Note: tags customInitContainersBegin,customInitContainers,customVolumes,customVolumeMounts,customSidecarContainers can be used both from global and application level simultaneously + # customInitContainersBegin: | + + # customInitContainers: | + + # customVolumes: | + + # customVolumeMounts: | + + # customSidecarContainers: | + + ## certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory + customCertificates: + enabled: false + # certificateSecretName: + ## Applies to artifactory and nginx pods + nodeSelector: {} +## String to partially override artifactory-ha.fullname template (will maintain the release name) +# nameOverride: + +## String to fully override artifactory-ha.fullname template +# fullnameOverride: + +# Init containers +initContainers: + image: + registry: releases-docker.jfrog.io + repository: ubi9/ubi-minimal + tag: 9.5.1733767867 + pullPolicy: IfNotPresent + resources: + requests: + memory: "50Mi" + cpu: "10m" + limits: + memory: "1Gi" + cpu: "1" +installer: + type: + platform: +## The installerInfo is intentionally commented out and the previous content has been moved under `files/installer-info.json` +## To override the content in `files/installer-info.json`, Uncomment the `installerInfo` and add relevant data +# installerInfo: '{}' + +# For supporting pulling from private registries +# imagePullSecrets: +# - myRegistryKeySecretName + +## Artifactory systemYaml override +## This is for advanced usecases where users wants to provide their own systemYaml for configuring artifactory +## Refer: https://www.jfrog.com/confluence/display/JFROG/Artifactory+System+YAML +## Note: This will override existing (default) .Values.artifactory.systemYaml in values.yaml +## Alternatively, systemYaml can be overidden via customInitContainers using external sources like vaults, external repositories etc. Please refer customInitContainer section below for an example. +## Note: Order of preference is 1) customInitContainers 2) systemYamlOverride existingSecret 3) default systemYaml in values.yaml +systemYamlOverride: + ## You can use a pre-existing secret by specifying existingSecret + existingSecret: + ## The dataKey should be the name of the secret data key created. + dataKey: +## Role Based Access Control +## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ +rbac: + create: false + role: + ## Rules to create. It follows the role specification + rules: + - apiGroups: + - '' + resources: + - services + - endpoints + - pods + verbs: + - get + - watch + - list +## Service Account +## Ref: https://kubernetes.io/docs/admin/service-accounts-admin/ +## +serviceAccount: + create: false + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + annotations: {} + ## Explicitly mounts the API token for the service account to the pods + automountServiceAccountToken: false +ingress: + enabled: false + defaultBackend: + enabled: true + ## Used to create an Ingress record. + hosts: [] + ## Useful in controllers where ImplementationSpecific is considered as a Regex Match and, not a Prefix match + pathType: ImplementationSpecific + routerPath: / + artifactoryPath: /artifactory/ + rtfsPath: /artifactory/service/rtfs/ + className: "" + annotations: {} + # kubernetes.io/tls-acme: "true" + # nginx.ingress.kubernetes.io/proxy-body-size: "0" + labels: {} + # traffic-type: external + # traffic-type: internal + tls: [] + ## Secrets must be manually created in the namespace. + # - secretName: chart-example-tls + # hosts: + # - artifactory.domain.example + + ## Additional ingress rules + additionalRules: [] + ## This is an experimental feature, enabling this feature will route all traffic through the Router. + disableRouterBypass: false +## Allows to add custom ingress +customIngress: "" +## There is a need to separate HTTP1.1 traffic from gRPC (HTTP2) to benefit +## 1. Use the Nginx keepalive for HTTP1.1 +## 2. Keep gRPC over the HTTP2 connections only +ingressGrpc: + enabled: false + name: grpc + defaultBackend: + enabled: true + ## Used to create an Ingress record. + hosts: [] + ## Useful in controllers where ImplementationSpecific is considered as a Regex Match and, not a Prefix match + pathType: ImplementationSpecific + grpcPath: /com.jfrog + className: "" + ## For supporting GRPC protocol traffic sent to the backend it is necessary to change the backend protocol + ## Example: nginx.ingress.kubernetes.io/backend-protocol: GRPCS + annotations: {} + # kubernetes.io/tls-acme: "true" + # nginx.ingress.kubernetes.io/proxy-body-size: "0" + labels: {} + # traffic-type: external + # traffic-type: internal + tls: [] + ## Secrets must be manually created in the namespace. + # - secretName: chart-example-tls + # hosts: + # - artifactory.domain.example + + ## Additional ingress rules + additionalRules: [] +networkpolicy: [] +# Allows all ingress and egress +# - name: artifactory +# podSelector: +# matchLabels: +# app: artifactory-ha +# egress: +# - {} +# ingress: +# - {} +## Uncomment to allow only artifactory pods to communicate with postgresql (if postgresql.enabled is true) +# - name: postgresql +# podSelector: +# matchLabels: +# app: postgresql +# ingress: +# - from: +# - podSelector: +# matchLabels: +# app: artifactory-ha + +## Database configurations +## Use the wait-for-db init container. Set to false to skip +waitForDatabase: true +## Configuration values for the postgresql dependency +## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md +## +postgresql: + enabled: true + image: + registry: releases-docker.jfrog.io + repository: bitnami/postgresql + tag: 15.6.0-debian-11-r16 + postgresqlUsername: artifactory + postgresqlPassword: "" + postgresqlDatabase: artifactory + postgresqlExtendedConf: + listenAddresses: "*" + maxConnections: "1500" + persistence: + enabled: true + size: 200Gi + # existingClaim: + service: + port: 5432 + primary: + nodeSelector: {} + affinity: {} + tolerations: [] + readReplicas: + nodeSelector: {} + affinity: {} + tolerations: [] + resources: {} + securityContext: + enabled: true + containerSecurityContext: + enabled: true + # requests: + # memory: "512Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "500m" +## If NOT using the PostgreSQL in this chart (postgresql.enabled=false), +## you MUST specify custom database details here or Artifactory will NOT start +database: + ## To run Artifactory with any database other than PostgreSQL allowNonPostgresql set to true. + allowNonPostgresql: false + type: + driver: + ## If you set the url, leave host and port empty + url: + ## If you would like this chart to create the secret containing the db + ## password, use these values + user: + password: + ## If you have existing Kubernetes secrets containing db credentials, use + ## these values + secrets: {} + # user: + # name: "rds-artifactory" + # key: "db-user" + # password: + # name: "rds-artifactory" + # key: "db-password" + # url: + # name: "rds-artifactory" + # key: "db-url" +## You can use a pre-existing secret with keys license_token and iam_role by specifying licenseConfigSecretName +## Example : Create a generic secret using `kubectl create secret generic --from-literal=license_token=${TOKEN} --from-literal=iam_role=${ROLE_ARN}` +aws: + license: + enabled: false + licenseConfigSecretName: + region: us-east-1 +## Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL +## The following router settings are to configure only when splitServicesToContainers set to true +router: + name: router + image: + registry: releases-docker.jfrog.io + repository: jfrog/router + tag: 7.149.0 + pullPolicy: IfNotPresent + serviceRegistry: + ## Service registry (Access) TLS verification skipped if enabled + insecure: false + internalPort: 8082 + externalPort: 8082 + tlsEnabled: false + ## Extra environment variables that can be used to tune router to your needs. + ## Uncomment and set value as needed + extraEnvironmentVariables: + # - name: MY_ENV_VAR + # value: "" + resources: {} + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "1" + + ## Add lifecycle hooks for router container + lifecycle: + ## From Artifactory versions 7.52.x, Wait for Artifactory to complete any open uploads or downloads before terminating + preStop: + exec: + command: ["sh", "-c", "while [[ $(curl --fail --silent --connect-timeout 2 http://localhost:8081/artifactory/api/v1/system/liveness) =~ OK ]]; do echo Artifactory is still alive; sleep 2; done"] + # postStart: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} {{ include "artifactory-ha.scheme" . }}://localhost:{{ .Values.router.internalPort }}/router/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare " prepended. + unifiedSecretPrependReleaseName: true + image: + registry: releases-docker.jfrog.io + repository: jfrog/artifactory-pro + # tag: + pullPolicy: IfNotPresent + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + schedulerName: + ## Create a priority class for the Artifactory pods or use an existing one + ## NOTE - Maximum allowed value of a user defined priority is 1000000000 + priorityClass: + create: false + value: 1000000000 + ## Override default name + # name: + ## Use an existing priority class + # existingPriorityClass: + ## Delete the db.properties file in ARTIFACTORY_HOME/etc/db.properties + deleteDBPropertiesOnStartup: true + database: + maxOpenConnections: 80 + tomcat: + maintenanceConnector: + port: 8091 + connector: + maxThreads: 200 + sendReasonPhrase: false + extraConfig: 'acceptCount="400"' + ## certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory + customCertificates: + enabled: false + # certificateSecretName: + ## Support for metrics is only available for Artifactory 7.7.x (appVersions) and above. + ## To enable set `.Values.artifactory.metrics.enabled` to `true` + ## Note: Depricated `openMetrics` as part of 7.87.x and renamed to `metrics` + ## Refer - https://www.jfrog.com/confluence/display/JFROG/Open+Metrics + metrics: + enabled: false + ## Settings for pushing metrics to Insight - enable filebeat to true + filebeat: + enabled: false + log: + enabled: false + ## Log level for filebeat. Possible values: debug, info, warning, or error. + level: "info" + ## Elasticsearch details for filebeat to connect + elasticsearch: + url: "Elasticsearch url where JFrog Insight is installed For example, http://:8082" + username: "" + password: "" + ## Support for Cold Artifact Storage + ## set 'coldStorage.enabled' to 'true' only for Artifactory instance that you are designating as the Cold instance + ## Refer - https://jfrog.com/help/r/jfrog-platform-administration-documentation/setting-up-cold-artifact-storage + coldStorage: + enabled: false + ## Support for workers + ## set 'worker.enabled' to 'true' to enable artifactory addon that executes workers on artifactory events + worker: + enabled: false + ## This directory is intended for use with NFS eventual configuration for HA + ## When enabling this section, The system.yaml will include haDataDir section. + ## The location of Artifactory Data directory and Artifactory Filestore will be modified accordingly and will be shared among all nodes. + ## It's recommended to leave haDataDir disabled, and the default BinarystoreXml will set the Filestore location as configured in artifactory.persistence.nfs.dataDir. + haDataDir: + enabled: false + path: + haBackupDir: + enabled: false + path: + ## Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup + ## Note : From 107.46.x chart versions, copyOnEveryStartup is not needed for binarystore.xml, it is always copied via initContainers + copyOnEveryStartup: + ## Absolute path + # - source: /artifactory_bootstrap/artifactory.cluster.license + ## Relative to ARTIFACTORY_HOME/ + # target: etc/artifactory/ + + ## Sidecar containers for tailing Artifactory logs + loggers: [] + # - access-audit.log + # - access-request.log + # - access-security-audit.log + # - access-service.log + # - artifactory-access.log + # - artifactory-event.log + # - artifactory-import-export.log + # - artifactory-request.log + # - artifactory-service.log + # - frontend-request.log + # - frontend-service.log + # - metadata-request.log + # - metadata-service.log + # - router-request.log + # - router-service.log + # - router-traefik.log + # - derby.log + + ## Loggers containers resources + loggersResources: {} + # requests: + # memory: "10Mi" + # cpu: "10m" + # limits: + # memory: "100Mi" + # cpu: "50m" + + ## Sidecar containers for tailing Tomcat (catalina) logs + catalinaLoggers: [] + # - tomcat-catalina.log + # - tomcat-localhost.log + + ## Tomcat (catalina) loggers resources + catalinaLoggersResources: {} + # requests: + # memory: "10Mi" + # cpu: "10m" + # limits: + # memory: "100Mi" + # cpu: "50m" + + ## Migration support from 6.x to 7.x. + migration: + enabled: false + timeoutSeconds: 3600 + ## Extra pre-start command in migration Init Container to install JDBC driver for MySql/MariaDb/Oracle + # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://repo1.maven.org/maven2/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" + ## Add custom init containers execution before predefined init containers + customInitContainersBegin: | + # - name: "custom-setup" + # image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: volume + ## Add custom init containers + ## Add custom init containers execution after predefined init containers + customInitContainers: | + # - name: "custom-systemyaml-setup" + # image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'curl -o {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml https:///systemyaml' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: volume + ## Add custom sidecar containers + ## - The provided example uses a custom volume (customVolumes) + ## - The provided example shows running container as root (id 0) + customSidecarContainers: | + # - name: "sidecar-list-etc" + # image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'sh /scripts/script.sh' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: volume + # - mountPath: "/scripts/script.sh" + # name: custom-script + # subPath: script.sh + # resources: + # requests: + # memory: "32Mi" + # cpu: "50m" + # limits: + # memory: "128Mi" + # cpu: "100m" + ## Add custom volumes + ## If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret'. + customVolumes: | + # - name: custom-script + # configMap: + # name: custom-script + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: "/scripts/script.sh" + # subPath: script.sh + # - name: posthook-start + # mountPath: "/scripts/posthoook-start.sh" + # subPath: posthoook-start.sh + # - name: prehook-start + # mountPath: "/scripts/prehook-start.sh" + # subPath: prehook-start.sh + ## Add custom persistent volume mounts - Available to the entire namespace + customPersistentVolumeClaim: {} + # name: + # mountPath: + # accessModes: + # - "-" + # size: + # storageClassName: + + ## Artifactory HA requires a unique master key. Each Artifactory node must have the same master key! + ## You can generate one with the command: "openssl rand -hex 32" + ## Pass it to helm with '--set artifactory.masterKey=${MASTER_KEY}' + ## Alternatively, you can use a pre-existing secret with a key called master-key by specifying masterKeySecretName + ## IMPORTANT: You should NOT use the example masterKey for a production deployment! + ## IMPORTANT: This is a mandatory for fresh Install of 7.x (App version) + # masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + # masterKeySecretName: + + ## Join Key to connect to other services to Artifactory. + ## IMPORTANT: Setting this value overrides the existing joinKey + ## IMPORTANT: You should NOT use the example joinKey for a production deployment! + # joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + ## Alternatively, you can use a pre-existing secret with a key called join-key by specifying joinKeySecretName + # joinKeySecretName: + + ## Registration Token for JFConnect + # jfConnectToken: + ## Alternatively, you can use a pre-existing secret with a key called jfconnect-token by specifying jfConnectTokenSecretName + # jfConnectTokenSecretName: + + ## Add custom secrets - secret per file + ## If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret' common to all secrets + customSecrets: + # - name: custom-secret + # key: custom-secret.yaml + # data: > + # custom_secret_config: + # parameter1: value1 + # parameter2: value2 + # - name: custom-secret2 + # key: custom-secret2.config + # data: | + # here the custom secret 2 config + + ## If false, all service console logs will not redirect to a common console.log + consoleLog: false + ## admin allows to set the password for the default admin user. + ## See: https://www.jfrog.com/confluence/display/JFROG/Users+and+Groups#UsersandGroups-RecreatingtheDefaultAdminUserrecreate + admin: + ip: "127.0.0.1" + username: "admin" + password: + secret: + dataKey: + ## Artifactory license. + license: + ## licenseKey is the license key in plain text. Use either this or the license.secret setting + licenseKey: + ## If artifactory.license.secret is passed, it will be mounted as + ## ARTIFACTORY_HOME/etc/artifactory.cluster.license and loaded at run time. + secret: + ## The dataKey should be the name of the secret data key created. + dataKey: + ## Create configMap with artifactory.config.import.xml and security.import.xml and pass name of configMap in following parameter + configMapName: + ## Add any list of configmaps to Artifactory + configMaps: | + # posthook-start.sh: |- + # echo "This is a post start script" + # posthook-end.sh: |- + # echo "This is a post end script" + ## List of secrets for Artifactory user plugins. + ## One Secret per plugin's files. + userPluginSecrets: + # - archive-old-artifacts + # - build-cleanup + # - webhook + # - '{{ template "my-chart.fullname" . }}' + + ## Extra pre-start command to install JDBC driver for MySql/MariaDb/Oracle + # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://repo1.maven.org/maven2/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" + + ## Add lifecycle hooks for artifactory container + lifecycle: {} + # postStart: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] + # preStop: + # exec: + # command: ["/bin/sh","-c","echo Hello from the preStop handler"] + + ## Extra environment variables that can be used to tune Artifactory to your needs. + ## Uncomment and set value as needed + extraEnvironmentVariables: + # - name: SERVER_XML_ARTIFACTORY_PORT + # value: "8081" + # - name: SERVER_XML_ARTIFACTORY_MAX_THREADS + # value: "200" + # - name: SERVER_XML_ACCESS_MAX_THREADS + # value: "50" + # - name: SERVER_XML_ARTIFACTORY_EXTRA_CONFIG + # value: "" + # - name: SERVER_XML_ACCESS_EXTRA_CONFIG + # value: "" + # - name: SERVER_XML_EXTRA_CONNECTOR + # value: "" + # - name: DB_POOL_MAX_ACTIVE + # value: "100" + # - name: DB_POOL_MAX_IDLE + # value: "10" + # - name: MY_SECRET_ENV_VAR + # valueFrom: + # secretKeyRef: + # name: my-secret-name + # key: my-secret-key + + ## System YAML entries now reside under files/system.yaml. + ## You can provide the specific values that you want to add or override under 'artifactory.extraSystemYaml'. + ## For example: + ## extraSystemYaml: + ## shared: + ## node: + ## id: my-instance + ## The entries provided under 'artifactory.extraSystemYaml' are merged with files/system.yaml to create the final system.yaml. + ## If you have already provided system.yaml under, 'artifactory.systemYaml', the values in that entry take precedence over files/system.yaml + ## You can modify specific entries with your own value under `artifactory.extraSystemYaml`, The values under extraSystemYaml overrides the values under 'artifactory.systemYaml' and files/system.yaml + extraSystemYaml: {} + ## systemYaml is intentionally commented and the previous content has been moved under files/system.yaml. + ## You have to add the all entries of the system.yaml file here, and it overrides the values in files/system.yaml. + # systemYaml: + + ## IMPORTANT: If overriding artifactory.internalPort: + ## DO NOT use port lower than 1024 as Artifactory runs as non-root and cannot bind to ports lower than 1024! + externalPort: 8082 + internalPort: 8082 + externalArtifactoryPort: 8081 + internalArtifactoryPort: 8081 + terminationGracePeriodSeconds: 30 + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param artifactory.podSecurityContext.enabled Enable security context + ## @param artifactory.podSecurityContext.runAsNonRoot Set pod's Security Context runAsNonRoot + ## @param artifactory.podSecurityContext.runAsUser User ID for the pod + ## @param artifactory.podSecurityContext.runASGroup Group ID for the pod + ## @param artifactory.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + runAsNonRoot: true + runAsUser: 1030 + runAsGroup: 1030 + fsGroup: 1030 + # fsGroupChangePolicy: "Always" + # seLinuxOptions: {} + ## The following settings are to configure the frequency of the liveness and startup probes. + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.artifactory.tomcat.maintenanceConnector.port }}/artifactory/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare " + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClassName: "-" + + ## Set the persistence storage type. This will apply the matching binarystore.xml to Artifactory config + ## Supported types are: + ## file-system (default) + ## nfs + ## google-storage + ## google-storage-v2 + ## google-storage-v2-direct (Recommended for GCS - Google Cloud Storage) + ## aws-s3-v3 + ## s3-storage-v3-direct (Recommended for AWS S3) + ## s3-storage-v3-archive + ## azure-blob + ## azure-blob-storage-direct + ## azure-blob-storage-v2-direct (Recommended for Azure Blob Storage) + type: file-system + ## Use binarystoreXml to provide a custom binarystore.xml + ## This is intentionally commented and below previous content of binarystoreXml is moved under files/binarystore.xml + ## binarystoreXml: + + ## For artifactory.persistence.type file-system + fileSystem: + ## Need to have the following set + existingSharedClaim: + enabled: false + numberOfExistingClaims: 1 + ## Should be a child directory of {{ .Values.artifactory.persistence.mountPath }} + dataDir: "{{ .Values.artifactory.persistence.mountPath }}/artifactory-data" + backupDir: "/var/opt/jfrog/artifactory-backup" + ## You may also use existing shared claims for the data and backup storage. This allows storage (NAS for example) to be used for Data and Backup dirs which are safe to share across multiple artifactory nodes. + ## You may specify numberOfExistingClaims to indicate how many of these existing shared claims to mount. (Default = 1) + ## Create PVCs with ReadWriteMany that match the naming convetions: + ## {{ template "artifactory-ha.fullname" . }}-data-pvc- + ## {{ template "artifactory-ha.fullname" . }}-backup-pvc + ## Example (using numberOfExistingClaims: 2) + ## myexample-data-pvc-0 + ## myexample-data-pvc-1 + ## myexample-backup-pvc + ## Note: While you need two PVC fronting two PVs, multiple PVs can be attached to the same storage in many cases allowing you to share an underlying drive. + ## For artifactory.persistence.type nfs + ## If using NFS as the shared storage, you must have a running NFS server that is accessible by your Kubernetes + ## cluster nodes. + ## Need to have the following set + nfs: + ## Must pass actual IP of NFS server with '--set For artifactory.persistence.nfs.ip=${NFS_IP}' + ip: + haDataMount: "/data" + haBackupMount: "/backup" + dataDir: "/var/opt/jfrog/artifactory-ha" + backupDir: "/var/opt/jfrog/artifactory-backup" + capacity: 200Gi + mountOptions: [] + ## For artifactory.persistence.type google-storage, google-storage-v2, google-storage-v2-direct + googleStorage: + ## When using GCP buckets as your binary store (Available with enterprise license only) + gcpServiceAccount: + enabled: false + ## Use either an existing secret prepared in advance or put the config (replace the content) in the values + ## ref: https://github.com/jfrog/charts/blob/master/stable/artifactory-ha/README.md#google-storage + # customSecretName: + # config: | + # { + # "type": "service_account", + # "project_id": "", + # "private_key_id": "?????", + # "private_key": "-----BEGIN PRIVATE KEY-----\n????????==\n-----END PRIVATE KEY-----\n", + # "client_email": "???@j.iam.gserviceaccount.com", + # "client_id": "???????", + # "auth_uri": "https://accounts.google.com/o/oauth2/auth", + # "token_uri": "https://oauth2.googleapis.com/token", + # "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + # "client_x509_cert_url": "https://www.googleapis.com/robot/v1....." + # } + endpoint: commondatastorage.googleapis.com + httpsOnly: false + ## Set a unique bucket name + bucketName: "artifactory-ha-gcp" + ## GCP Bucket Authentication with Identity and Credential is deprecated. + ## identity: + ## credential: + path: "artifactory-ha/filestore" + bucketExists: false + useInstanceCredentials: false + enableSignedUrlRedirect: false + # signedUrlExpirySeconds: 30 + ## For artifactory.persistence.type aws-s3-v3, s3-storage-v3-direct, s3-storage-v3-archive + awsS3V3: + testConnection: false + identity: + credential: + region: + bucketName: artifactory-aws + path: artifactory/filestore + endpoint: + port: + useHttp: + maxConnections: 50 + connectionTimeout: + socketTimeout: + kmsServerSideEncryptionKeyId: + kmsKeyRegion: + kmsCryptoMode: + useInstanceCredentials: true + usePresigning: false + signatureExpirySeconds: 300 + signedUrlExpirySeconds: 30 + cloudFrontDomainName: + cloudFrontKeyPairId: + cloudFrontPrivateKey: + enableSignedUrlRedirect: false + enablePathStyleAccess: false + multiPartLimit: + multipartElementSize: + ## For artifactory.persistence.type azure-blob, azure-blob-storage-direct, azure-blob-storage-v2-direct + azureBlob: + accountName: + accountKey: + endpoint: + containerName: + multiPartLimit: 100000000 + multipartElementSize: 50000000 + testConnection: false + service: + name: artifactory + type: ClusterIP + ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific) + ## This can be either SingleStack, PreferDualStack or RequireDualStack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilyPolicy: "" + ## @param service.ipFamilies Controller Service ipFamilies (optional, cloud specific) + ## This can be either ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilies: [] + ## For supporting whitelist on the Artifactory service (useful if setting service.type=LoadBalancer) + ## Set this to a list of IP CIDR ranges + ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] + ## or pass from helm command line + ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' + loadBalancerSourceRanges: [] + annotations: {} + ## Which nodes in the cluster should be in the external load balancer pool (have external traffic routed to them) + ## Supported pool values + ## members + ## all + pool: members + ## If the type is NodePort you can set a fixed port + # nodePort: 32082 + serviceGrpc: + name: grpc + type: ClusterIP + ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific) + ## This can be either SingleStack, PreferDualStack or RequireDualStack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilyPolicy: "" + ## @param service.ipFamilies Controller Service ipFamilies (optional, cloud specific) + ## This can be either ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilies: [] + ## For supporting whitelist on the Artifactory service (useful if setting service.type=LoadBalancer) + ## Set this to a list of IP CIDR ranges + ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] + ## or pass from helm command line + ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' + loadBalancerSourceRanges: [] + annotations: {} + ## Which nodes in the cluster should be in the external load balancer pool (have external traffic routed to them) + ## Supported pool values + ## members + ## all + pool: members + ## If the type is NodePort you can set a fixed port + # nodePort: 32082 + statefulset: + annotations: {} + ssh: + enabled: false + internalPort: 1339 + externalPort: 1339 + annotations: {} + ## Spread Artifactory pods evenly across your nodes or some other topology + ## Note this applies to both the primary and replicas + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: '{{ template "artifactory-ha.name" . }}' + # role: '{{ template "artifactory-ha.name" . }}' + # release: "{{ .Release.Name }}" + + ## Type specific configurations. + ## There is a difference between the primary and the member nodes. + ## Customising their resources and java parameters is done here. + primary: + name: artifactory-ha-primary + ## preStartCommand specific to the primary node, to be run after artifactory.preStartCommand + # preStartCommand: + labels: {} + annotations: {} + persistence: + ## Set existingClaim to true or false + ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-primary-0` + existingClaim: false + replicaCount: 3 + # minAvailable: 1 + + updateStrategy: + type: RollingUpdate + ## Resources for the primary node + resources: {} + # requests: + # memory: "1Gi" + # cpu: "500m" + # limits: + # memory: "2Gi" + # cpu: "1" + ## The following Java options are passed to the java process running Artifactory primary node. + ## You should set them according to the resources set above + javaOpts: + # xms: "1g" + # xmx: "2g" + # corePoolSize: 24 + jmx: + enabled: false + port: 9010 + host: + ssl: false + # When authenticate is true, accessFile and passwordFile are required + authenticate: false + accessFile: + passwordFile: + # other: "" + nodeSelector: {} + tolerations: [] + affinity: {} + ## Only used if "affinity" is empty + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "soft" + topologyKey: "kubernetes.io/hostname" + node: + name: artifactory-ha-member + ## preStartCommand specific to the member node, to be run after artifactory.preStartCommand + # preStartCommand: + labels: {} + persistence: + ## Set existingClaim to true or false + ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-member-0` + existingClaim: false + replicaCount: 0 + updateStrategy: + type: RollingUpdate + minAvailable: 1 + ## Resources for the member nodes + resources: {} + # requests: + # memory: "1Gi" + # cpu: "500m" + # limits: + # memory: "2Gi" + # cpu: "1" + ## The following Java options are passed to the java process running Artifactory member nodes. + ## You should set them according to the resources set above + javaOpts: + # xms: "1g" + # xmx: "2g" + # corePoolSize: 24 + jmx: + enabled: false + port: 9010 + host: + ssl: false + # When authenticate is true, accessFile and passwordFile are required + authenticate: false + accessFile: + passwordFile: + # other: "" + nodeSelector: {} + ## Wait for Artifactory primary + waitForPrimaryStartup: + enabled: true + ## Setting time will override the built in test and will just wait the set time + time: + tolerations: [] + ## Complete specification of the "affinity" of the member nodes; if this is non-empty, + ## "podAntiAffinity" values are not used. + affinity: {} + ## Only used if "affinity" is empty + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "soft" + topologyKey: "kubernetes.io/hostname" +frontend: + name: frontend + enabled: true + internalPort: 8070 + ## Extra environment variables that can be used to tune frontend to your needs. + ## Uncomment and set value as needed + extraEnvironmentVariables: + # - name: MY_ENV_VAR + # value: "" + resources: {} + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "1" + ## Session settings + session: + ## Time in minutes after which the frontend token will need to be refreshed + timeoutMinutes: '30' + ## Add lifecycle hooks for frontend container + lifecycle: {} + # postStart: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] + # preStop: + # exec: + # command: ["/bin/sh","-c","echo Hello from the preStop handler"] + + ## The following settings are to configure the frequency of the liveness and startup probes when splitServicesToContainers set to true + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.frontend.internalPort }}/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare " --cert=ca.crt --key=ca.private.key` + # customCertificatesSecretName: + + ## When resetAccessCAKeys is true, Access will regenerate the CA certificate and matching private key + # resetAccessCAKeys: false + database: + maxOpenConnections: 80 + tomcat: + connector: + maxThreads: 50 + sendReasonPhrase: false + extraConfig: 'acceptCount="100"' + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:8040/access/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare " --cert=tls.crt --key=tls.key` + # customCertificatesSecretName: + + ## The following settings are to configure the frequency of the liveness and startup probes when splitServicesToContainers set to true + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.jfconnect.internalPort }}/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare " /var/opt/jfrog/nginx/message"] + # preStop: + # exec: + # command: ["/bin/sh","-c","nginx -s quit; while killall -0 nginx; do sleep 1; done"] + + ## Sidecar containers for tailing Nginx logs + loggers: [] + # - access.log + # - error.log + + ## Loggers containers resources + loggersResources: {} + # requests: + # memory: "64Mi" + # cpu: "25m" + # limits: + # memory: "128Mi" + # cpu: "50m" + + ## Logs options + logs: + stderr: false + stdout: false + level: warn + ## A list of custom ports to expose on the NGINX pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: [] + # - containerPort: 8066 + # name: docker + + ## The nginx main conf was moved to files/nginx-main-conf.yaml. This key is commented out to keep support for the old configuration + # mainConf: | + + ## The nginx artifactory conf was moved to files/nginx-artifactory-conf.yaml. This key is commented out to keep support for the old configuration + # artifactoryConf: | + customInitContainers: "" + customSidecarContainers: "" + customVolumes: "" + customVolumeMounts: "" + customCommand: + ## allows overwriting the command for the nginx container. + ## defaults to [ 'nginx', '-g', 'daemon off;' ] + + service: + ## For minikube, set this to NodePort, elsewhere use LoadBalancer + type: LoadBalancer + ssloffload: false + ## @param service.ssloffloadForceHttps Only enabled when service.ssloffload is set to True. + ## Force all requests from NGINX to the upstream server are over HTTPS, even when SSL offloading is enabled. + ## This is useful in environments where internal traffic must remain secure with https only. + ssloffloadForceHttps: false + ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific) + ## This can be either SingleStack, PreferDualStack or RequireDualStack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilyPolicy: "" + ## @param service.ipFamilies Controller Service ipFamilies (optional, cloud specific) + ## This can be either ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilies: [] + ## For supporting whitelist on the Nginx LoadBalancer service + ## Set this to a list of IP CIDR ranges + ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] + ## or pass from helm command line + ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' + loadBalancerSourceRanges: [] + ## Provide static ip address + loadBalancerIP: + ## There are two available options: "Cluster" (default) and "Local". + externalTrafficPolicy: Cluster + labels: {} + # label-key: label-value + ## If the type is NodePort you can set a fixed port + # nodePort: 32082 + ## A list of custom ports to be exposed on nginx service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: [] + # - port: 8066 + # targetPort: 8066 + # protocol: TCP + # name: docker + + annotations: {} + ## Renamed nginx internalPort 80,443 to 8080,8443 to support openshift + http: + enabled: true + externalPort: 80 + internalPort: 8080 + https: + enabled: true + externalPort: 443 + internalPort: 8443 + ## DEPRECATED: The following will be replaced by L1065-L1076 in a future release + # externalPortHttp: 80 + # internalPortHttp: 8080 + # externalPortHttps: 443 + # internalPortHttps: 8443 + + ssh: + internalPort: 1339 + externalPort: 1339 + ## The following settings are to configure the frequency of the liveness and readiness probes. + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} {{ include "nginx.scheme" . }}://localhost:{{ include "nginx.port" . }}/ + initialDelaySeconds: {{ if semverCompare " + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClassName: "-" + resources: {} + # requests: + # memory: "250Mi" + # cpu: "100m" + # limits: + # memory: "250Mi" + # cpu: "500m" + + nodeSelector: {} + tolerations: [] + affinity: {} +## Filebeat Sidecar container +## The provided filebeat configuration is for Artifactory logs. It assumes you have a logstash installed and configured properly. +filebeat: + enabled: false + name: artifactory-filebeat + image: + repository: "docker.elastic.co/beats/filebeat" + version: 7.16.2 + logstashUrl: "logstash:5044" + terminationGracePeriod: 10 + livenessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + curl --fail 127.0.0.1:5066 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + filebeat test output + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + resources: {} + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "100Mi" + # cpu: "100m" + + filebeatYml: | + logging.level: info + path.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat + name: artifactory-filebeat + queue.spool: + file: + permissions: 0760 + filebeat.inputs: + - type: log + enabled: true + close_eof: ${CLOSE:false} + paths: + - {{ .Values.artifactory.persistence.mountPath }}/log/*.log + fields: + service: "jfrt" + log_type: "artifactory" + output: + logstash: + hosts: ["{{ .Values.filebeat.logstashUrl }}"] + extraEnvironmentVariables: {} + # - name: MY_ENV_VAR + # value: "" +## RTFS deployment +rtfs: + name: rtfs + enabled: false + image: + registry: releases-docker.jfrog.io + repository: jfrog/artifactory-federation + pullPolicy: IfNotPresent + tag: 1.4.18 + jfrogUrl: "" + replicaCount: 1 + internalRestPort: 8025 + apiContext: artifactory/service/rtfs + database: + type: "postgresql" + driver: "org.postgresql.Driver" + url: "" + username: "" + password: "" + persistence: + mountPath: "/var/opt/jfrog/federation" + federationProperties: {} + ## @param federationProperties Configuration to be added to the config map, overriding Spring configuration. + ## @param customFederationPropertiesConfig Specifies the name of a custom configMap to use instead of the default one. + ## The name of the custom configMap will be initialized from the value of customFederationPropertiesConfig. + # customFederationPropertiesConfig: + javaOpts: "" + service: + type: ClusterIP + restPort: 8025 + grpcPort: 8026 + ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer` + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalIPs Set the ExternalIPs + ## + externalIPs: [] + ## @param service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.loadBalancerIP Set the LoadBalancerIP + ## + loadBalancerIP: "" + ## @param service.labels Service labels. Evaluated as a template + labels: {} + ## @param service.annotations Service annotations. Evaluated as a template + ## Example: + ## annotations: + ## service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + annotations: {} + livenessProbe: + enabled: true + config: | + httpGet: + path: /{{ .Values.rtfs.apiContext }}/api/v1/system/liveness + port: {{ .Values.rtfs.internalRestPort }} + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: {{ .Values.probes.timeoutSeconds }} + failureThreshold: 5 + successThreshold: 1 + readinessProbe: + enabled: true + config: | + httpGet: + path: /router/api/v1/system/readiness + port: {{ .Values.router.internalPort }} + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: {{ .Values.probes.timeoutSeconds }} + failureThreshold: 30 + successThreshold: 1 + startupProbe: + enabled: true + config: | + httpGet: + path: /{{ .Values.rtfs.apiContext }}/api/v1/system/readiness + port: {{ .Values.rtfs.internalRestPort }} + scheme: HTTP + initialDelaySeconds: 120 + periodSeconds: 5 + timeoutSeconds: {{ .Values.probes.timeoutSeconds }} + failureThreshold: 30 + successThreshold: 1 + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # Add lifecycle hooks for observability container + lifecycle: {} + # postStart: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] + # preStop: + # exec: + # command: ["/bin/sh","-c","echo Hello from the preStop handler"] + + annotations: {} + deployment: + annotations: {} + labels: {} + podSecurityContext: + enabled: true + runAsNonRoot: true + runAsUser: 1030 + runAsGroup: 1030 + fsGroup: 1030 + containerSecurityContext: + enabled: true + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + nodeSelector: {} + tolerations: [] + affinity: {} + customInitContainers: "" + customSidecarContainers: "" + customVolumes: "" + customVolumeMounts: "" + ## @param extraEnvironmentVariables that can be used to tune PDN Server to your needs. + ## Example: + ## extraEnvironmentVariables: + ## - name: MY_ENV_VAR + ## value: "" + extraEnvironmentVariables: [] +## Allows to add additional kubernetes resources +## Use --- as a separator between multiple resources +## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/helm/artifactory-ha-values.yaml +additionalResources: "" +## Adding entries to a Pod's /etc/hosts file +## For an example, refer - https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases +hostAliases: [] +# - ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" +# - ip: "10.1.2.3" +# hostnames: +# - "foo.remote" +# - "bar.remote" +## Toggling this feature is seamless and requires helm upgrade +## will enable all microservices to run in different containers in a single pod (by default it is true) +splitServicesToContainers: true +## Specify common probes parameters +probes: + timeoutSeconds: 5 diff --git a/charts/jfrog/artifactory-jcr/107.104.6/CHANGELOG.md b/charts/jfrog/artifactory-jcr/107.104.6/CHANGELOG.md new file mode 100644 index 000000000..125afd171 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/CHANGELOG.md @@ -0,0 +1,209 @@ +# JFrog Container Registry Chart Changelog +All changes to this chart will be documented in this file. + +## [107.104.6] - Dec 5, 2024 +* Removed obsolete values [GH-1932](https://github.com/jfrog/charts/pull/1932) + +## [107.81.0] - Feb 20, 2024 +* Updated `artifactory.installerInfo` content + +## [107.80.0] - Feb 1, 2024 +* Updated README.md to create a namespace using `--create-namespace` as part of helm install + +## [107.74.0] - Nov 23, 2023 +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml + +## [107.66.0] - Jul 20, 2023 +* Disabled federation services when splitServicesToContainers=true + +## [107.45.0] - Aug 25, 2022 +* Included event service as mandatory and remove the flag from values.yaml + +## [107.41.0] - Jul 22, 2022 +* Bumping chart version to align with app version +* Disabled jfconnect and event services when splitServicesToContainers=true + +## [107.19.4] - May 27, 2021 +* Bumping chart version to align with app version +* Update dependency Artifactory chart version to 107.19.4 + +## [4.0.0] - Apr 22, 2021 +* **Breaking change:** +* Increased default postgresql persistence size to `200Gi` +* Update postgresql tag version to `13.2.0-debian-10-r55` +* Update postgresql chart version to `10.3.18` in chart.yaml - [10.x Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1000) +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x/12.x's postgresql.image.tag, previous postgresql.persistence.size and databaseUpgradeReady=true +* **IMPORTANT** +* This chart is only helm v3 compatible. +* Update dependency Artifactory chart version to 12.0.0 (Artifactory 7.18.3) + +## [3.8.0] - Apr 5, 2021 +* **IMPORTANT** +* Added `charts.jfrog.io` as default JFrog Helm repository +* Update dependency Artifactory chart version to 11.13.0 (Artifactory 7.17.5) + +## [3.7.0] - Mar 31, 2021 +* Update dependency Artifactory chart version to 11.12.2 (Artifactory 7.17.4) + +## [3.6.0] - Mar 15, 2021 +* Update dependency Artifactory chart version to 11.10.0 (Artifactory 7.16.3) + +## [3.5.1] - Mar 03, 2021 +* Update dependency Artifactory chart version to 11.9.3 (Artifactory 7.15.4) + +## [3.5.0] - Feb 18, 2021 +* Update dependency Artifactory chart version to 11.9.0 (Artifactory 7.15.3) + +## [3.4.1] - Feb 08, 2021 +* Update dependency Artifactory chart version to 11.8.0 (Artifactory 7.12.8) + +## [3.4.0] - Jan 4, 2020 +* Update dependency Artifactory chart version to 11.7.4 (Artifactory 7.12.5) + +## [3.3.1] - Dec 1, 2020 +* Update dependency Artifactory chart version to 11.5.4 (Artifactory 7.11.5) + +## [3.3.0] - Nov 23, 2020 +* Update dependency Artifactory chart version to 11.5.2 (Artifactory 7.11.2) + +## [3.2.2] - Nov 9, 2020 +* Update dependency Artifactory chart version to 11.4.5 (Artifactory 7.10.6) + +## [3.2.1] - Nov 2, 2020 +* Update dependency Artifactory chart version to 11.4.4 (Artifactory 7.10.5) + +## [3.2.0] - Oct 19, 2020 +* Update dependency Artifactory chart version to 11.4.0 (Artifactory 7.10.2) + +## [3.1.0] - Sep 30, 2020 +* Update dependency Artifactory chart version to 11.1.0 (Artifactory 7.9.0) + +## [3.0.2] - Sep 23, 2020 +* Updates readme + +## [3.0.1] - Sep 15, 2020 +* Update dependency Artifactory chart version to 11.0.1 (Artifactory 7.7.8) + +## [3.0.0] - Sep 14, 2020 +* **Breaking change:** Added `image.registry` and changed `image.version` to `image.tag` for docker images +* Update dependency Artifactory chart version to 11.0.0 (Artifactory 7.7.3) + +## [2.5.1] - Jul 29, 2020 +* Update dependency Artifactory chart version to 10.0.12 (Artifactory 7.6.3) + +## [2.5.0] - Jul 10, 2020 +* Update dependency Artifactory chart version to 10.0.3 (Artifactory 7.6.2) +* **IMPORTANT** +* Added ChartCenter Helm repository in README + +## [2.4.0] - Jun 30, 2020 +* Update dependency Artifactory chart version to 9.6.0 (Artifactory 7.6.1) + +## [2.3.1] - Jun 12, 2020 +* Update dependency Artifactory chart version to 9.5.2 (Artifactory 7.5.7) + +## [2.3.0] - Jun 1, 2020 +* Update dependency Artifactory chart version to 9.5.0 (Artifactory 7.5.5) + +## [2.2.5] - May 27, 2020 +* Update dependency Artifactory chart version to 9.4.9 (Artifactory 7.4.3) + +## [2.2.4] - May 20, 2020 +* Update dependency Artifactory chart version to 9.4.6 (Artifactory 7.4.3) + +## [2.2.3] - May 07, 2020 +* Update dependency Artifactory chart version to 9.4.5 (Artifactory 7.4.3) +* Add `installerInfo` string format + +## [2.2.2] - Apr 28, 2020 +* Update dependency Artifactory chart version to 9.4.4 (Artifactory 7.4.3) + +## [2.2.1] - Apr 27, 2020 +* Update dependency Artifactory chart version to 9.4.3 (Artifactory 7.4.1) + +## [2.2.0] - Apr 14, 2020 +* Update dependency Artifactory chart version to 9.4.0 (Artifactory 7.4.1) + +## [2.2.0] - Apr 14, 2020 +* Update dependency Artifactory chart version to 9.4.0 (Artifactory 7.4.1) + +## [2.1.6] - Apr 13, 2020 +* Update dependency Artifactory chart version to 9.3.1 (Artifactory 7.3.2) + +## [2.1.5] - Apr 8, 2020 +* Update dependency Artifactory chart version to 9.2.8 (Artifactory 7.3.2) + +## [2.1.4] - Mar 30, 2020 +* Update dependency Artifactory chart version to 9.2.3 (Artifactory 7.3.2) + +## [2.1.3] - Mar 30, 2020 +* Update dependency Artifactory chart version to 9.2.1 (Artifactory 7.3.2) + +## [2.1.2] - Mar 26, 2020 +* Update dependency Artifactory chart version to 9.1.5 (Artifactory 7.3.2) + +## [2.1.1] - Mar 25, 2020 +* Update dependency Artifactory chart version to 9.1.4 (Artifactory 7.3.2) + +## [2.1.0] - Mar 23, 2020 +* Update dependency Artifactory chart version to 9.1.3 (Artifactory 7.3.2) + +## [2.0.13] - Mar 19, 2020 +* Update dependency Artifactory chart version to 9.0.28 (Artifactory 7.2.1) + +## [2.0.12] - Mar 17, 2020 +* Update dependency Artifactory chart version to 9.0.26 (Artifactory 7.2.1) + +## [2.0.11] - Mar 11, 2020 +* Unified charts public release + +## [2.0.10] - Mar 8, 2020 +* Update dependency Artifactory chart version to 9.0.20 (Artifactory 7.2.1) + +## [2.0.9] - Feb 26, 2020 +* Update dependency Artifactory chart version to 9.0.15 (Artifactory 7.2.1) + +## [2.0.0] - Feb 12, 2020 +* Update dependency Artifactory chart version to 9.0.0 (Artifactory 7.0.0) + +## [1.1.0] - Jan 19, 2020 +* Update dependency Artifactory chart version to 8.4.1 (Artifactory 6.17.0) + +## [1.1.1] - Feb 3, 2020 +* Update dependency Artifactory chart version to 8.4.4 + +## [1.1.0] - Jan 19, 2020 +* Update dependency Artifactory chart version to 8.4.1 (Artifactory 6.17.0) + +## [1.0.1] - Dec 31, 2019 +* Update dependency Artifactory chart version to 8.3.5 + +## [1.0.0] - Dec 23, 2019 +* Update dependency Artifactory chart version to 8.3.3 + +## [0.2.1] - Dec 12, 2019 +* Update dependency Artifactory chart version to 8.3.1 + +## [0.2.0] - Dec 1, 2019 +* Updated Artifactory version to 6.16.0 + +## [0.1.5] - Nov 28, 2019 +* Update dependency Artifactory chart version to 8.2.6 + +## [0.1.4] - Nov 20, 2019 +* Update Readme + +## [0.1.3] - Nov 20, 2019 +* Fix JCR logo url +* Update dependency to Artifactory 8.2.2 chart + +## [0.1.2] - Nov 20, 2019 +* Update JCR logo + +## [0.1.1] - Nov 20, 2019 +* Add `appVersion` to Chart.yaml + +## [0.1.0] - Nov 20, 2019 +* Initial release of the JFrog Container Registry helm chart diff --git a/charts/jfrog/artifactory-jcr/107.104.6/Chart.yaml b/charts/jfrog/artifactory-jcr/107.104.6/Chart.yaml new file mode 100644 index 000000000..4ee2a6b65 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/Chart.yaml @@ -0,0 +1,30 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Container Registry + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-jcr +apiVersion: v2 +appVersion: 7.104.6 +dependencies: +- name: artifactory + repository: file://charts/artifactory + version: 107.104.6 +description: JFrog Container Registry +home: https://jfrog.com/container-registry/ +icon: file://assets/icons/artifactory-jcr.png +keywords: +- artifactory +- jfrog +- container +- registry +- devops +- jfrog-container-registry +kubeVersion: '>= 1.19.0-0' +maintainers: +- email: helm@jfrog.com + name: Chart Maintainers at JFrog +name: artifactory-jcr +sources: +- https://github.com/jfrog/charts +type: application +version: 107.104.6 diff --git a/charts/jfrog/artifactory-jcr/107.104.6/LICENSE b/charts/jfrog/artifactory-jcr/107.104.6/LICENSE new file mode 100644 index 000000000..8dada3eda --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/jfrog/artifactory-jcr/107.104.6/README.md b/charts/jfrog/artifactory-jcr/107.104.6/README.md new file mode 100644 index 000000000..c0051e61d --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/README.md @@ -0,0 +1,125 @@ +# JFrog Container Registry Helm Chart + +JFrog Container Registry is a free Artifactory edition with Docker and Helm repositories support. + +**Heads up: Our Helm Chart docs are moving to our main documentation site. For Artifactory installers, see [Installing Artifactory](https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory).** + +## Prerequisites Details + +* Kubernetes 1.19+ + +## Chart Details +This chart will do the following: + +* Deploy JFrog Container Registry +* Deploy an optional Nginx server +* Deploy an optional PostgreSQL Database +* Optionally expose Artifactory with Ingress [Ingress documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/) + +## Installing the Chart + +### Add JFrog Helm repository + +Before installing JFrog helm charts, you need to add the [JFrog helm repository](https://charts.jfrog.io) to your helm client. + +```bash +helm repo add jfrog https://charts.jfrog.io +helm repo update +``` + +### Install Chart +To install the chart with the release name `jfrog-container-registry`: +```bash +helm upgrade --install jfrog-container-registry --set artifactory.postgresql.postgresqlPassword= jfrog/artifactory-jcr --namespace artifactory-jcr --create-namespace +``` + +### Accessing JFrog Container Registry +**NOTE:** If using artifactory or nginx service type `LoadBalancer`, it might take a few minutes for JFrog Container Registry's public IP to become available. + +### Updating JFrog Container Registry +Once you have a new chart version, you can upgrade your deployment with +```bash +helm upgrade jfrog-container-registry jfrog/artifactory-jcr --namespace artifactory-jcr --create-namespace +``` + +### Special Upgrade Notes +#### Artifactory upgrade from 6.x to 7.x (App Version) +Arifactory 6.x to 7.x upgrade requires a one time migration process. This is done automatically on pod startup if needed. +It's possible to configure the migration timeout with the following configuration in extreme cases. The provided default should be more than enough for completion of the migration. +```yaml +artifactory: + artifactory: + # Migration support from 6.x to 7.x + migration: + enabled: true + timeoutSeconds: 3600 +``` +* Note: If you are upgrading from 1.x to 3.x and above chart versions, please delete the existing statefulset of postgresql before upgrading the chart due to breaking changes in postgresql subchart. +```bash +kubectl delete statefulsets -postgresql +``` +* For more details about artifactory chart upgrades refer [here](https://github.com/jfrog/charts/blob/master/stable/artifactory/UPGRADE_NOTES.md) + +### Deleting JFrog Container Registry + +```bash +helm delete jfrog-container-registry --namespace artifactory-jcr +``` + +This will delete your JFrog Container Registry deployment.
+**NOTE:** You might have left behind persistent volumes. You should explicitly delete them with +```bash +kubectl delete pvc ... +kubectl delete pv ... +``` + +## Database +The JFrog Container Registry chart comes with PostgreSQL deployed by default.
+For details on the PostgreSQL configuration or customising the database, Look at the options described in the [Artifactory helm chart](https://github.com/jfrog/charts/tree/master/stable/artifactory). + +### Ingress and TLS +To get Helm to create an ingress object with a hostname, add these two lines to your Helm command: +```bash +helm upgrade --install jfrog-container-registry \ + --set artifactory.nginx.enabled=false \ + --set artifactory.ingress.enabled=true \ + --set artifactory.ingress.hosts[0]="artifactory.company.com" \ + --set artifactory.artifactory.service.type=NodePort \ + jfrog/artifactory-jcr --namespace artifactory-jcr --create-namespace +``` + +To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace: + +```bash +kubectl create secret tls artifactory-tls --cert=path/to/tls.cert --key=path/to/tls.key +``` + +Include the secret's name, along with the desired hostnames, in the Artifactory Ingress TLS section of your custom `values.yaml` file: + +```yaml +artifactory: + artifactory: + ingress: + ## If true, Artifactory Ingress will be created + ## + enabled: true + + ## Artifactory Ingress hostnames + ## Must be provided if Ingress is enabled + ## + hosts: + - jfrog-container-registry.domain.com + annotations: + kubernetes.io/tls-acme: "true" + ## Artifactory Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: + - secretName: artifactory-tls + hosts: + - jfrog-container-registry.domain.com +``` + +## Useful links +https://www.jfrog.com +https://www.jfrog.com/confluence/ diff --git a/charts/jfrog/artifactory-jcr/107.104.6/app-readme.md b/charts/jfrog/artifactory-jcr/107.104.6/app-readme.md new file mode 100644 index 000000000..9d9b7d85f --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/app-readme.md @@ -0,0 +1,18 @@ +# JFrog Container Registry Helm Chart + +Universal Repository Manager supporting all major packaging formats, build tools and CI servers. + +## Chart Details +This chart will do the following: + +* Deploy JFrog Container Registry +* Deploy an optional Nginx server +* Optionally expose Artifactory with Ingress [Ingress documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/) + + +## Useful links +Blog: [Herd Trust Into Your Rancher Labs Multi-Cloud Strategy with Artifactory](https://jfrog.com/blog/herd-trust-into-your-rancher-labs-multi-cloud-strategy-with-artifactory/) + +## Activate Your Artifactory Instance +Don't have a license? Please send an email to [rancher-jfrog-licenses@jfrog.com](mailto:rancher-jfrog-licenses@jfrog.com) to get it. + diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/.helmignore b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/.helmignore new file mode 100644 index 000000000..b6e97f07f --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +OWNERS + +tests/ \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/CHANGELOG.md b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/CHANGELOG.md new file mode 100644 index 000000000..d1e11db8e --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/CHANGELOG.md @@ -0,0 +1,1406 @@ +# JFrog Artifactory Chart Changelog +All changes to this chart will be documented in this file. + +## [107.104.6] - Jan 29, 2025 +* Added new RTFS service +* Added new Topology service +* Added new Onemodel service +* Added `artifactory.servicePrependReleaseName` support to prepend release name to fix mismatch between statefulSet and service +* Added customVolumeMounts support for frontend,event,evidence,jfconnect,topology,observability containers +* Added ingress and nginx routing support for rtfs service context +* Added recommended sizing extraEnvironmentVariables for access container +* Added default extra javaOpts support in system yaml for topology +* Modified the RTFS chart and the topology probe values +* Fixing secret based annotations for RTFS deployment +* Fixed `shared` block in system.yaml to include all properties + +## [107.102.0] - Nov 26, 2024 +* Remove the Xms and Xmx with InitialRAMPercentage and MaxRAMPercentage if they are available in extra_java_options + +## [107.98.0] - Nov 06, 2024 +* Add support for `extraEnvironmentVariables` on filebeat Sidecar [GH-1377](https://github.com/jfrog/charts/pull/1377) +* Support for SSL offload HTTPS proto override in Nginx service (ClusterIP, LoadBalancer) layer. Introduced `nginx.service.ssloffloadForceHttps` field with boolean type. [GH-1906](https://github.com/jfrog/charts/pull/1906) +* Enable Access workers integration when artifactory.worker.enabled is true +* Added `signedUrlExpirySeconds` option to artifactory.persistence.type of `google-storage`, `google-storage-v2`, and `google-storage-v2-direct` [GH-1858](https://github.com/jfrog/charts/pull/1858) +* Added support to bootstrap jfconnect custom certs to jfconnect trusted directory +* Fixed the type of `.Values.artifactory.persistence.googleStorage.signedUrlExpirySeconds` in binarystore.xml from boolean to integer +* Added support for modifying `pathType` in ingress + +## [107.96.0] - Sep 10, 2024 +* Merged Artifactory sizing templates to a single file per size + +## [107.94.0] - Aug 14, 2024 +* Fixed #Expose rtfs port only when it is enabled + +## [107.93.0] - Aug 9, 2024 +* Added support for worker via `artifactory.worker.enabled` flag +* Fixed creation of duplicate objects in statefulSet + +## [107.92.0] - July 31, 2024 +* Updating the example link for downloading the DB driver +* Adding dedicated ingress and service path for GRPC protocol + +## [107.91.0] - July 18, 2024 +* Remove X-JFrog-Override-Base-Url port when using default `443/80` ports + +## [107.90.0] - July 18, 2024 +* Fixed #adding colon in image registry which breaks deployment [GH-1892](https://github.com/jfrog/charts/pull/1892) +* Added new `nginx.hosts` to use Nginx server_name directive instead of `ingress.hosts` +* Added a deprecation notice of ingress.hosts when `ngnix.enabled` is true +* Added new evidence service +* Corrected database connection values based on sizing +* **IMPORTANT** +* Separate access from artifactory tomcat to run on its own dedicated tomcat + * With this change access will be running in its own dedicated container + * This will give the ability to control resources and java options specific to access + Can be done by passing the following, + `access.javaOpts.other` + `access.resources` + `access.extraEnvironmentVariables` +* Added Binary Provider recommendations + +## [107.89.0] - June 7, 2024 +* Fix the indentation of the commented-out sections in the values.yaml file +* Fixed sizing values by removing `JF_SHARED_NODE_HAENABLED` in xsmall/small configurations + +## [107.88.0] - May 29, 2024 +* **IMPORTANT** +* Refactored `nginx.artifactoryConf` and `nginx.mainConf` configuration (moved to files/nginx-artifactory-conf.yaml and files/nginx-main-conf.yaml instead of keys in values.yaml) + +## [107.87.0] - May 29, 2024 +* Renamed `.Values.artifactory.openMetrics` to `.Values.artifactory.metrics` + +## [107.85.0] - May 29, 2024 +* Changed `migration.enabled` to false by default. For 6.x to 7.x migration, this flag needs to be set to `true` + +## [107.84.0] - May 29, 2024 +* Added image section for `initContainers` instead of `initContainerImage` +* Renamed `router.image.imagePullPolicy` to `router.image.pullPolicy` +* Removed image section for `loggers` +* Added support for `global.verisons.initContainers` to override `initContainers.image.tag` +* Fixed an issue with extraSystemYaml merge +* **IMPORTANT** +* Renamed `artifactory.setSecurityContext` to `artifactory.podSecurityContext` +* Renamed `artifactory.uid` to `artifactory.podSecurityContext.runAsUser` +* Renamed `artifactory.gid` to `artifactory.podSecurityContext.runAsGroup` and `artifactory.podSecurityContext.fsGroup` +* Renamed `artifactory.fsGroupChangePolicy` to `artifactory.podSecurityContext.fsGroupChangePolicy` +* Renamed `artifactory.seLinuxOptions` to `artifactory.podSecurityContext.seLinuxOptions` +* Added flag `allowNonPostgresql` defaults to false +* Update postgresql tag version to `15.6.0-debian-12-r5` +* Added a check if `initContainerImage` exists +* Fixed an issue to generate unified secret to support artifactory fullname [GH-1882](https://github.com/jfrog/charts/issues/1882) +* Fixed an issue template render on loggers [GH-1883](https://github.com/jfrog/charts/issues/1883) +* Fixed resource constraints for "setup" initContainer of nginx deployment [GH-962] (https://github.com/jfrog/charts/issues/962) +* Added .Values.artifactory.unifiedSecretPrependReleaseName` for unified secret to prepend release name +* Fixed maxCacheSize and cacheProviderDir mix up under azure-blob-storage-v2-direct template in binarystore.xml + +## [107.82.0] - Mar 04, 2024 +* Added `disableRouterBypass` flag as experimental feature, to disable the artifactoryPath /artifactory/ and route all traffic through the Router. +* Removed Replicator service + +## [107.81.0] - Feb 20, 2024 +* **IMPORTANT** +* Refactored systemYaml configuration (moved to files/system.yaml instead of key in values.yaml) +* Added ability to provide `extraSystemYaml` configuration in values.yaml which will merge with the existing system yaml when `systemYamlOverride` is not given [GH-1848](https://github.com/jfrog/charts/pull/1848) +* Added option to modify the new cache configs, maxFileSizeLimit and skipDuringUpload +* Added IPV4/IPV6 Dualstack flag support for Artifactory and nginx service +* Added `singleStackIPv6Cluster` flag, which manages the Nginx configuration to enable listening on IPv6 and proxying. +* Fixing broken link for creating additional kubernetes resources. Refer [here](https://github.com/jfrog/log-analytics-prometheus/blob/master/helm/artifactory-values.yaml) +* Refactored installerInfo configuration (moved to files/installer-info.json instead of key in values.yaml) + +## [107.80.0] - Feb 20, 2024 +* Updated README.md to create a namespace using `--create-namespace` as part of helm install + +## [107.79.0] - Feb 20, 2024 +* **IMPORTANT** +* Added `unifiedSecretInstallation` flag which enables single unified secret holding all internal (chart) secrets to `true` by default +* Added support for azure-blob-storage-v2-direct config +* Added option to set Nginx to write access_log to container STDOUT +* **Important change:** +* Update postgresql tag version to `15.2.0-debian-11-r23` +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default bundles PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x/12.x/13.x's postgresql.image.tag, previous postgresql.persistence.size and databaseUpgradeReady=true + +## [107.77.0] - April 22, 2024 +* Removed integration service +* Added recommended postgresql sizing configurations under sizing directory +* Updated artifactory-federation (probes, port, embedded mode) +* Fixed - Removed duplicate keys of the sizing yaml file +* Fixing broken nginx port [GH-1860](https://github.com/jfrog/charts/issues/1860) +* Added nginx.customCommand to use custom commands for the nginx container + +## [107.76.0] - Dec 13, 2023 +* Added connectionTimeout and socketTimeout paramaters under AWSS3 binarystore section +* Reduced nginx startupProbe initialDelaySeconds + +## [107.74.0] - Nov 30, 2023 +* Added recommended sizing configurations under sizing directory, please refer [here](README.md/#apply-sizing-configurations-to-the-chart) +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml + +## [107.70.0] - Nov 30, 2023 +* Fixed - StatefulSet pod annotations changed from range to toYaml [GH-1828](https://github.com/jfrog/charts/issues/1828) +* Fixed - Invalid format for awsS3V3 `multiPartLimit,multipartElementSize` in binarystore.xml. +* Fixed - SecurityContext with runAsGroup in artifactory [GH-1838](https://github.com/jfrog/charts/issues/1838) +* Added support for custom labels in the Nginx pods [GH-1836](https://github.com/jfrog/charts/pull/1836) +* Added podSecurityContext and containerSecurityContext for nginx +* Added support for nginx on openshift, set `podSecurityContext` and `containerSecurityContext` to false +* Renamed nginx internalPort 80,443 to 8080,8443 to support openshift + +## [107.69.0] - Sep 18, 2023 +* Adjust rtfs context +* Fixed - Metadata service does not respect customVolumeMounts for DB CAs [GH-1815](https://github.com/jfrog/charts/issues/1815) + +## [107.68.8] - Sep 18, 2023 +* Reverted - Enabled `unifiedSecretInstallation` by default [GH-1819](https://github.com/jfrog/charts/issues/1819) +* Removed openshift condition check from NOTES.txt + +## [107.68.7] - Aug 28, 2023 +* Enabled `unifiedSecretInstallation` by default + +## [107.67.0] - Aug 28, 2023 +* Add 'extraJavaOpts' and 'port' values to federation service + +## [107.66.0] - Aug 28, 2023 +* Added federation service container in artifactory +* Add rtfs service to ingress in artifactory + +## [107.64.0] - Aug 28, 2023 +* Added support to configure event.webhooks within generated system.yaml +* Fixed an issue to generate ssl certificate should support artifactory fullname +* Added binarystore.xml template to persistence storage type `nfs`. The default Filestore location configured according to artifactory.persistence.nfs.dataDir. +* Added 'multiPartLimit' and 'multipartElementSize' parameters to awsS3V3 binary providers. +* Increased default Artifactory Tomcat acceptCount config to 400 +* Fixed Illegal Strict-Transport-Security header in nginx config + +## [107.63.0] - Aug 28, 2023 +* Added support for Openshift by adding the securityContext in container level. +* **IMPORTANT** +* Disable securityContext in container and pod level to deploy postgres on openshift. +* Fixed support for fsGroup in non openshift environemnt and runAsGroup in openshift environment. +* Fixed - Helm Template Error when using artifactory.loggers [GH-1791](https://github.com/jfrog/charts/issues/1791) +* Removed the nginx disable condition for openshift +* Fixed jfconnect disabling as micro-service on splitcontainers [GH-1806](https://github.com/jfrog/charts/issues/1806) + +## [107.62.0] - Jun 5, 2023 +* Upgraded to autoscaling/v2 +* Added support for 'port' and 'useHttp' parameters for s3-storage-v3 binary provider [GH-1767](https://github.com/jfrog/charts/issues/1767) + +## [107.61.0] - May 31, 2023 +* Added new binary provider `google-storage-v2-direct` +* Added missing parameter 'enableSignedUrlRedirect' to 'googleStorage' + +## [107.60.0] - May 31, 2023 +* Enabled `splitServicesToContainers` to true by default +* Updated the recommended values for small, medium and large installations to support the 'splitServicesToContainers' + +## [107.59.0] - May 31, 2023 +* Fixed reference of `terminationGracePeriodSeconds` +* Added Support for Cold Artifact Storage as part of the systemYaml configuration (disabled by default) +* Added new binary provider `s3-storage-v3-archive` +* Fixed jfconnect disabling as micro-service on non-splitcontainers +* Fixed wrong cache-fs provider ID of cluster-s3-storage-v3 in the binarystore.xml [GH-1772](https://github.com/jfrog/charts/issues/1772) + +## [107.58.0] - Mar 23, 2023 +* Updated postgresql multi-arch tag version to `13.10.0-debian-11-r14` +* Removed obselete remove-lost-found initContainer` +* Added env JF_SHARED_NODE_HAENABLED under frontend when running in the container split mode + +## [107.57.0] - Mar 02, 2023 +* Updated initContainerImage and logger image to `ubi9/ubi-minimal:9.1.0.1793` + +## [107.55.0] - Jan 31, 2023 +* Updated initContainerImage and logger image to `ubi9/ubi-minimal:9.1.0.1760` +* Adding a custom preStop to Artifactory router for allowing graceful termination to complete + +## [107.53.0] - Jan 20, 2023 +* Updated initContainerImage and logger image to `ubi8/ubi-minimal:8.7.1049` + +## [107.50.0] - Jan 20, 2023 +* Updated postgresql tag version to `13.9.0-debian-11-11` +* Fixed an issue for capabilities check of ingress +* Updated jfrogUrl text path in migrate.sh file +* Added a note that from 107.46.x chart versions, `copyOnEveryStartup` is not needed for binarystore.xml, it is always copied via initContainers. For more Info, Refer [GH-1723](https://github.com/jfrog/charts/issues/1723) + +## [107.49.0] - Jan 16, 2023 +* Added support for setting `seLinuxOptions` in `securityContext` [GH-1699](https://github.com/jfrog/charts/pull/1699) +* Added option to enable/disable proxy_request_buffering and proxy_buffering_off [GH-1686](https://github.com/jfrog/charts/pull/1686) +* Updated initContainerImage and logger image to `ubi8/ubi-minimal:8.7.1049` + +## [107.48.0] - Oct 27, 2022 +* Updated router version to `7.51.0` + +## [107.47.0] - Sep 29, 2022 +* Updated initContainerImage to `ubi8/ubi-minimal:8.6-941` +* Added support for annotations for artifactory statefulset and nginx deployment [GH-1665](https://github.com/jfrog/charts/pull/1665) +* Updated router version to `7.49.0` + +## [107.46.0] - Sep 14, 2022 +* **IMPORTANT** +* Added support for lifecycle hooks for all containers, changed `artifactory.postStartCommand` to `.Values.artifactory.lifecycle.postStart.exec.command` +* Updated initContainerImage to `ubi8/ubi-minimal:8.6-902` +* Update nginx configuration to allow websocket requests when using pipelines +* Fixed an issue to allow artifactory to make direct API calls to store instead via jfconnect service when `splitServicesToContainers=true` +* Refactor binarystore.xml configuration (moved to `files/binarystore.xml` instead of key in values.yaml) +* Added new binary providers `cluster-s3-storage-v3`, `s3-storage-v3-direct`, `azure-blob-storage-direct`, `google-storage-v2` +* Deprecated (removed) `aws-s3` binary provider [JetS3t library](https://www.jfrog.com/confluence/display/JFROG/Configuring+the+Filestore#ConfiguringtheFilestore-BinaryProvider) +* Deprecated (removed) `google-storage` binary provider and force persistence storage type `google-storage` to work with `google-storage-v2` only +* Copy binarystore.xml in init Container to fix existing persistence on file system in clear text +* Removed obselete `.Values.artifactory.binarystore.enabled` key +* Removed `newProbes.enabled`, default to new probes +* Added nginx.customCommand using inotifyd to reload nginx's config upon ssl secret or configmap changes [GH-1640](https://github.com/jfrog/charts/pull/1640) + +## [107.43.0] - Aug 25, 2022 +* Added flag `artifactory.replicator.ingress.enabled` to enable/disable ingress for replicator +* Updated initContainerImage to `ubi8/ubi-minimal:8.6-854` +* Updated router version to `7.45.0` +* Added flag `artifactory.schedulerName` to set for the pods the value of schedulerName field [GH-1606](https://github.com/jfrog/charts/issues/1606) +* Enabled TLS based on access or router in values.yaml + +## [107.42.0] - Aug 25, 2022 +* Enabled database creds secret to use from unified secret +* Updated router version to `7.42.0` +* Fix duplicate volumes for userPluginSecrets [GH-1650] (https://github.com/jfrog/charts/issues/1650) +* Added support to truncate (> 63 chars) for unifiedCustomSecretVolumeName + +## [107.41.0] - June 27, 2022 +* Added support for nginx.terminationGracePeriodSeconds [GH-1645](https://github.com/jfrog/charts/issues/1645) +* Use an alternate command for `find` to copy custom certificates +* Added support for circle of trust using `circleOfTrustCertificatesSecret` secret name [GH-1623](https://github.com/jfrog/charts/pull/1623) + +## [107.40.0] - June 16, 2022 +* Added support for PodDisruptionBudget [GH-1618](https://github.com/jfrog/charts/issues/1618) +* From artifactory 7.38.x, joinKey can be retrived from Admin > User Management > Settings in UI +* Allow templating for pod annotations [GH-1634](https://github.com/jfrog/charts/pull/1634) +* Fixed `customPersistentPodVolumeClaim` name to `customPersistentVolumeClaim` +* Added flags to control enable/disable infra services in splitServicesToContainers + +## [107.39.0] - May 31, 2022 +* Fix default `artifactory.async.corePoolSize` [GH-1612](https://github.com/jfrog/charts/issues/1612) +* Added support of nginx annotations +* Reduce startupProbe `initialDelaySeconds` +* Align all liveness and readiness probes failureThreshold to `5` seconds +* Added new flag `unifiedSecretInstallation` to enables single unified secret holding all the artifactory secrets +* Updated router version to `7.38.0` +* Add support for NFS config with directories `haBackupDir` and `haDataDir` +* Fixed - disable jfconnect on oss/jcr/cpp flavours [GH-1630](https://github.com/jfrog/charts/issues/1630) + +## [107.38.0] - May 04, 2022 +* Added support for `global.nodeSelector` to artifactory and nginx pods +* Updated router version to `7.36.1` +* Added support for custom global probes timeout +* Updated frontend container command +* Added topologySpreadConstraints to artifactory and nginx, and add lifecycle hooks to nginx [GH-1596](https://github.com/jfrog/charts/pull/1596) +* Added support of extraEnvironmentVariables for all infra services containers +* Enabled the consumption (jfconnect) flag by default +* Fix jfconnect disabling on non-splitcontainers + +## [107.37.0] - Mar 08, 2022 +* Added support for customPorts in nginx deployment +* Bugfix - Wrong proxy_pass configurations for /artifactory/ in the default artifactory.conf +* Added signedUrlExpirySeconds option to artifactory.persistence.type aws-S3-V3 +* Updated router version to `7.35.0` +* Added useInstanceCredentials,enableSignedUrlRedirect option to google-storage-v2 +* Changed dependency charts repo to `charts.jfrog.io` + +## [107.36.0] - Mar 03, 2022 +* Remove pdn tracker which starts replicator service +* Added silent option for curl probes +* Added readiness health check for the artifactory container for k8s version < 1.20 +* Fix property file migration issue to system.yaml 6.x to 7.x + +## [107.35.0] - Feb 08, 2022 +* Updated router version to `7.32.1` + +## [107.33.0] - Jan 11, 2022 +* Add more user friendly support for anti-affinity +* Pod anti-affinity is now enabled by default (soft rule) +* Readme fixes +* Added support for setting `fsGroupChangePolicy` +* Added nginx customInitContainers, customVolumes, customSidecarContainers [GH-1565](https://github.com/jfrog/charts/pull/1565) +* Updated router version to `7.30.0` + +## [107.32.0] - Dec 22, 2021 +* Updated logger image to `jfrog/ubi-minimal:8.5-204` +* Added default `8091` as `artifactory.tomcat.maintenanceConnector.port` for probes check +* Refactored probes to replace httpGet probes with basic exec + curl +* Refactored `database-creds` secret to create only when database values are passed +* Added new endpoints for probes `/artifactory/api/v1/system/liveness` and `/artifactory/api/v1/system/readiness` +* Enabled `newProbes:true` by default to use these endpoints +* Fix filebeat sidecar spool file permissions +* Updated filebeat sidecar container to `7.16.2` + +## [107.31.0] - Dec 17, 2021 +* Added support for HorizontalPodAutoscaler apiVersion `autoscaling/v2beta2` +* Remove integration service feature flag to make it mandatory service +* Update postgresql tag version to `13.4.0-debian-10-r39` +* Fixed `artifactory.resources` indentation in `migration-artifactory` init container [GH-1562](https://github.com/jfrog/charts/issues/1562) +* Refactored `router.requiredServiceTypes` to support platform chart + +## [107.30.0] - Nov 30, 2021 +* Fixed incorrect permission for filebeat.yaml +* Updated healthcheck (liveness/readiness) api for integration service +* Disable readiness health check for the artifactory container when running in the container split mode +* Ability to start replicator on enabling pdn tracker + +## [107.29.0] - Nov 26, 2021 +* Added integration service container in artifactory +* Add support for Ingress Class Name in Ingress Spec [GH-1516](https://github.com/jfrog/charts/pull/1516) +* Fixed chart values to use curl instead of wget [GH-1529](https://github.com/jfrog/charts/issues/1529) +* Updated nginx config to allow websockets when pipelines is enabled +* Moved router.topology.local.requireqservicetypes from system.yaml to router as environment variable +* Added jfconnect in system.yaml +* Updated artifactory container’s health probes to use artifactory api on rt-split +* Updated initContainerImage to `jfrog/ubi-minimal:8.5-204` +* Updated router version to `7.28.2` +* Set Jfconnect enabled to `false` in the artifactory container when running in the container split mode + +## [107.28.0] - Nov 11, 2021 +* Added default values cpu and memeory in initContainers +* Updated router version to `7.26.0` +* Updated (`rbac.create` and `serviceAccount.create` to false by default) for least privileges +* Fixed incorrect data type for `Values.router.serviceRegistry.insecure` in default values.yaml [GH-1514](https://github.com/jfrog/charts/pull/1514/files) +* **IMPORTANT** +* Changed init-container images from `alpine` to `ubi8/ubi-minimal` +* Added support for AWS License Manager using `.Values.aws.licenseConfigSecretName` + +## [107.27.0] - Oct 6, 2021 +* **Breaking change** +* Aligned probe structure (moved probes variables under config block) +* Added support for new probes(set to false by default) +* Bugfix - Invalid format for `multiPartLimit,multipartElementSize,maxCacheSize` in binarystore.xml [GH-1466](https://github.com/jfrog/charts/issues/1466) +* Added missioncontrol container in artifactory +* Dropped NET_RAW capability for the containers +* Added resources to migration-artifactory init container +* Added resources to all rt split containers +* Updated router version to `7.25.1` +* Added support for Ingress networking.k8s.io/v1/Ingress for k8s >=1.22 [GH-1487](https://github.com/jfrog/charts/pull/1487) +* Added min kubeVersion ">= 1.14.0-0" in chart.yaml +* Update alpine tag version to `3.14.2` +* Update busybox tag version to `1.33.1` +* Artifactory chart support for cluster license + +## [107.26.0] - Aug 23, 2021 +* Added Observability container (only when `splitServicesToContainers` is enabled) +* Support for high availability (when replicaCount > 1) +* Added min kubeVersion ">= 1.12.0-0" in chart.yaml + +## [107.25.0] - Aug 13, 2021 +* Updated readme of chart to point to wiki. Refer [Installing Artifactory](https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory) +* Added startupProbe and livenessProbe for RT-split containers +* Updated router version to 7.24.1 +* Added security hardening fixes +* Enabled startup probes for k8s >= 1.20.x +* Changed network policy to allow all ingress and egress traffic +* Added Observability changes +* Added support for global.versions.router (only when `splitServicesToContainers` is enabled) + +## [107.24.0] - July 27, 2021 +* Support global and product specific tags at the same time +* Added support for artifactory containers split + +## [107.23.0] - July 8, 2021 +* Bug fix - logger sideCar picks up Wrong File in helm +* Allow filebeat metrics configuration in values.yaml + +## [107.22.0] - July 6, 2021 +* Update alpine tag version to `3.14.0` +* Added `nodePort` support to artifactory-service and nginx-service templates +* Removed redundant `terminationGracePeriodSeconds` in statefulset +* Increased `startupProbe.failureThreshold` time + +## [107.21.3] - July 2, 2021 +* Added ability to change sendreasonphrase value in server.xml via system yaml + +## [107.19.3] - May 20, 2021 +* Fix broken support for startupProbe for k8s < 1.18.x +* Added support for `nameOverride` and `fullnameOverride` in values.yaml + +## [107.18.6] - April 29, 2021 +* Bumping chart version to align with app version +* Add `securityContext` option on nginx container + +## [12.0.0] - April 22, 2021 +* **Breaking change:** +* Increased default postgresql persistence size to `200Gi` +* Update postgresql tag version to `13.2.0-debian-10-r55` +* Update postgresql chart version to `10.3.18` in chart.yaml - [10.x Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1000) +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x/12.x's postgresql.image.tag, previous postgresql.persistence.size and databaseUpgradeReady=true +* **IMPORTANT** +* This chart is only helm v3 compatible. +* Fixed filebeat-configmap naming +* Explicitly set ServiceAccount `automountServiceAccountToken` to 'true' +* Update alpine tag version to `3.13.5` + +## [11.13.2] - April 15, 2021 +* Updated Artifactory version to 7.17.9 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.17.9) + +## [11.13.1] - April 6, 2021 +* Updated Artifactory version to 7.17.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.17.6) +* Update alpine tag version to `3.13.4` + +## [11.13.0] - April 5, 2021 +* **IMPORTANT** +* Added `charts.jfrog.io` as default JFrog Helm repository +* Updated Artifactory version to 7.17.5 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.17.5) + +## [11.12.2] - Mar 31, 2021 +* Updated Artifactory version to 7.17.4 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.17.4) + +## [11.12.1] - Mar 30, 2021 +* Updated Artifactory version to 7.17.3 +* Add `timeoutSeconds` to all exec probes - Please refer [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes) + +## [11.12.0] - Mar 24, 2021 +* Updated Artifactory version to 7.17.2 +* Optimized startupProbe time + +## [11.11.0] - Mar 18, 2021 +* Add support to startupProbe + +## [11.10.0] - Mar 15, 2021 +* Updated Artifactory version to 7.16.3 + +## [11.9.5] - Mar 09, 2021 +* Added HSTS header to nginx conf + +## [11.9.4] - Mar 9, 2021 +* Removed bintray URL references in the chart + +## [11.9.3] - Mar 04, 2021 +* Updated Artifactory version to 7.15.4 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.15.4) + +## [11.9.2] - Mar 04, 2021 +* Fixed creation of nginx-certificate-secret when Nginx is disabled + +## [11.9.1] - Feb 19, 2021 +* Update busybox tag version to `1.32.1` + +## [11.9.0] - Feb 18, 2021 +* Updated Artifactory version to 7.15.3 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.15.3) +* Add option to specify update strategy for Artifactory statefulset + +## [11.8.1] - Feb 11, 2021 +* Exposed "multiPartLimit" and "multipartElementSize" for the Azure Blob Storage Binary Provider + +## [11.8.0] - Feb 08, 2021 +* Updated Artifactory version to 7.12.8 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.12.8) +* Support for custom certificates using secrets +* **Important:** Switched docker images download from `docker.bintray.io` to `releases-docker.jfrog.io` +* Update alpine tag version to `3.13.1` + +## [11.7.8] - Jan 25, 2021 +* Add support for hostAliases + +## [11.7.7] - Jan 11, 2021 +* Fix failures when using creds file for configurating google storage + +## [11.7.6] - Jan 11, 2021 +* Updated Artifactory version to 7.12.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.12.6) + +## [11.7.5] - Jan 07, 2021 +* Added support for optional tracker dedicated ingress `.Values.artifactory.replicator.trackerIngress.enabled` (defaults to false) + +## [11.7.4] - Jan 04, 2021 +* Fixed gid support for statefulset + +## [11.7.3] - Dec 31, 2020 +* Added gid support for statefulset +* Add setSecurityContext flag to allow securityContext block to be removed from artifactory statefulset + +## [11.7.2] - Dec 29, 2020 +* **Important:** Removed `.Values.metrics` and `.Values.fluentd` (Fluentd and Prometheus integrations) +* Add support for creating additional kubernetes resources - [refer here](https://github.com/jfrog/log-analytics-prometheus/blob/master/artifactory-values.yaml) +* Updated Artifactory version to 7.12.5 + +## [11.7.1] - Dec 21, 2020 +* Updated Artifactory version to 7.12.3 + +## [11.7.0] - Dec 18, 2020 +* Updated Artifactory version to 7.12.2 +* Added `.Values.artifactory.openMetrics.enabled` + +## [11.6.1] - Dec 11, 2020 +* Added configurable `.Values.global.versions.artifactory` in values.yaml + +## [11.6.0] - Dec 10, 2020 +* Update postgresql tag version to `12.5.0-debian-10-r25` +* Fixed `artifactory.persistence.googleStorage.endpoint` from `storage.googleapis.com` to `commondatastorage.googleapis.com` +* Updated chart maintainers email + +## [11.5.5] - Dec 4, 2020 +* **Important:** Renamed `.Values.systemYaml` to `.Values.systemYamlOverride` + +## [11.5.4] - Dec 1, 2020 +* Improve error message returned when attempting helm upgrade command + +## [11.5.3] - Nov 30, 2020 +* Updated Artifactory version to 7.11.5 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.11) + +## [11.5.2] - Nov 23, 2020 +* Updated Artifactory version to 7.11.2 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.11) +* Updated port namings on services and pods to allow for istio protocol discovery +* Change semverCompare checks to support hosted Kubernetes +* Add flag to disable creation of ServiceMonitor when enabling prometheus metrics +* Prevent the PostHook command to be executed if the user did not specify a command in the values file +* Fix issue with tls file generation when nginx.https.enabled is false + +## [11.5.1] - Nov 19, 2020 +* Updated Artifactory version to 7.11.2 +* Bugfix - access.config.import.xml override Access Federation configurations + +## [11.5.0] - Nov 17, 2020 +* Updated Artifactory version to 7.11.1 +* Update alpine tag version to `3.12.1` + +## [11.4.6] - Nov 10, 2020 +* Pass system.yaml via external secret for advanced usecases +* Added support for custom ingress +* Bugfix - stateful set not picking up changes to database secrets + +## [11.4.5] - Nov 9, 2020 +* Updated Artifactory version to 7.10.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.6) + +## [11.4.4] - Nov 2, 2020 +* Add enablePathStyleAccess property for aws-s3-v3 binary provider template + +## [11.4.3] - Nov 2, 2020 +* Updated Artifactory version to 7.10.5 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.5) + +## [11.4.2] - Oct 22, 2020 +* Chown bug fix where Linux capability cannot chown all files causing log line warnings +* Fix Frontend timeout linting issue + +## [11.4.1] - Oct 20, 2020 +* Add flag to disable prepare-custom-persistent-volume init container + +## [11.4.0] - Oct 19, 2020 +* Updated Artifactory version to 7.10.2 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.2) + +## [11.3.2] - Oct 15, 2020 +* Add support to specify priorityClassName for nginx deployment + +## [11.3.1] - Oct 9, 2020 +* Add support for customInitContainersBegin + +## [11.3.0] - Oct 7, 2020 +* Updated Artifactory version to 7.9.1 +* **Breaking change:** Fix `storageClass` to correct `storageClassName` in values.yaml + +## [11.2.0] - Oct 5, 2020 +* Expose Prometheus metrics via a ServiceMonitor +* Parse log files for metric data with Fluentd + +## [11.1.0] - Sep 30, 2020 +* Updated Artifactory version to 7.9.0 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.9) +* Added support for resources in init container + +## [11.0.11] - Sep 25, 2020 +* Update to use linux capability CAP_CHOWN instead of root base init container to avoid any use of root containers to pass Redhat security requirements + +## [11.0.10] - Sep 28, 2020 +* Setting chart coordinates in migitation yaml + +## [11.0.9] - Sep 25, 2020 +* Update filebeat version to `7.9.2` + +## [11.0.8] - Sep 24, 2020 +* Fixed broken issue - when setting `waitForDatabase: false` container startup still waits for DB + +## [11.0.7] - Sep 22, 2020 +* Readme updates + +## [11.0.6] - Sep 22, 2020 +* Fix lint issue in migitation yaml + +## [11.0.5] - Sep 22, 2020 +* Fix broken migitation yaml + +## [11.0.4] - Sep 21, 2020 +* Added mitigation yaml for Artifactory - [More info](https://github.com/jfrog/chartcenter/blob/master/docs/securitymitigationspec.md) + +## [11.0.3] - Sep 17, 2020 +* Added configurable session(UI) timeout in frontend microservice + +## [11.0.2] - Sep 17, 2020 +* Added proper required text to be shown while postgres upgrades + +## [11.0.1] - Sep 14, 2020 +* Updated Artifactory version to 7.7.8 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.7.8) + +## [11.0.0] - Sep 2, 2020 +* **Breaking change:** Changed `imagePullSecrets`values from string to list. +* **Breaking change:** Added `image.registry` and changed `image.version` to `image.tag` for docker images +* Added support for global values +* Updated maintainers in chart.yaml +* Update postgresql tag version to `12.3.0-debian-10-r71` +* Update postgresql chart version to `9.3.4` in requirements.yaml - [9.x Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#900) +* **IMPORTANT** +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x's postgresql.image.tag and databaseUpgradeReady=true + +## [10.1.0] - Aug 13, 2020 +* Updated Artifactory version to 7.7.3 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.7) + +## [10.0.15] - Aug 10, 2020 +* Added enableSignedUrlRedirect for persistent storage type aws-s3-v3. + +## [10.0.14] - Jul 31, 2020 +* Update the README section on Nginx SSL termination to reflect the actual YAML structure. + +## [10.0.13] - Jul 30, 2020 +* Added condition to disable the migration scripts. + +## [10.0.12] - Jul 28, 2020 +* Document Artifactory node affinity. + +## [10.0.11] - Jul 28, 2020 +* Added maxConnections for persistent storage type aws-s3-v3. + +## [10.0.10] - Jul 28, 2020 +* Bugfix / support for userPluginSecrets with Artifactory 7 + +## [10.0.9] - Jul 27, 2020 +* Add tpl to external database secrets +* Modified `scheme` to `artifactory.scheme` + +## [10.0.8] - Jul 23, 2020 +* Added condition to disable the migration init container. + +## [10.0.7] - Jul 21, 2020 +* Updated Artifactory Chart to add node and primary labels to pods and service objects. + +## [10.0.6] - Jul 20, 2020 +* Support custom CA and certificates + +## [10.0.5] - Jul 13, 2020 +* Updated Artifactory version to 7.6.3 - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.6.3 +* Fixed Mysql database jar path in `preStartCommand` in README + +## [10.0.4] - Jul 10, 2020 +* Move some postgresql values to where they should be according to the subchart + +## [10.0.3] - Jul 8, 2020 +* Set Artifactory access client connections to the same value as the access threads + +## [10.0.2] - Jul 6, 2020 +* Updated Artifactory version to 7.6.2 +* **IMPORTANT** +* Added ChartCenter Helm repository in README + +## [10.0.1] - Jul 01, 2020 +* Add dedicated ingress object for Replicator service when enabled + +## [10.0.0] - Jun 30, 2020 +* Update postgresql tag version to `10.13.0-debian-10-r38` +* Update alpine tag version to `3.12` +* Update busybox tag version to `1.31.1` +* **IMPORTANT** +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass postgresql.image.tag=9.6.18-debian-10-r7 and databaseUpgradeReady=true + +## [9.6.0] - Jun 29, 2020 +* Updated Artifactory version to 7.6.1 - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.6.1 +* Add tpl for external database secrets + +## [9.5.5] - Jun 25, 2020 +* Stop loading the Nginx stream module because it is now a core module + +## [9.5.4] - Jun 25, 2020 +* Notes.txt update - add --namespace parameter + +## [9.5.3] - Jun 11, 2020 +* Support list of custom secrets + +## [9.5.2] - Jun 12, 2020 +* Updated Artifactory version to 7.5.7 - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.5.7 + +## [9.5.1] - Jun 8, 2020 +* Readme update - configuring Artifactory with oracledb + +## [9.5.0] - Jun 1, 2020 +* Updated Artifactory version to 7.5.5 - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.5 +* Fixes bootstrap configMap permission issue +* Update postgresql tag version to `9.6.18-debian-10-r7` + +## [9.4.9] - May 27, 2020 +* Added Tomcat maxThreads & acceptCount + +## [9.4.8] - May 25, 2020 +* Fixed postgresql README `image` Parameters + +## [9.4.7] - May 24, 2020 +* Fixed typo in README regarding migration timeout + +## [9.4.6] - May 19, 2020 +* Added metadata maxOpenConnections + +## [9.4.5] - May 07, 2020 +* Fix `installerInfo` string format + +## [9.4.4] - Apr 27, 2020 +* Updated Artifactory version to 7.4.3 + +## [9.4.3] - Apr 26, 2020 +* Change order of the customInitContainers to run before the "migration-artifactory" initContainer. + +## [9.4.2] - Apr 24, 2020 +* Fix `artifactory.persistence.awsS3V3.useInstanceCredentials` incorrect conditional logic +* Bump postgresql tag version to `9.6.17-debian-10-r72` in values.yaml + +## [9.4.1] - Apr 16, 2020 +* Custom volumes in migration init container. + +## [9.4.0] - Apr 14, 2020 +* Updated Artifactory version to 7.4.1 + +## [9.3.1] - April 13, 2020 +* Update README with helm v3 commands + +## [9.3.0] - April 10, 2020 +* Use dependency charts from `https://charts.bitnami.com/bitnami` +* Bump postgresql chart version to `8.7.3` in requirements.yaml +* Bump postgresql tag version to `9.6.17-debian-10-r21` in values.yaml + +## [9.2.9] - Apr 8, 2020 +* Added recommended ingress annotation to avoid 413 errors + +## [9.2.8] - Apr 8, 2020 +* Moved migration scripts under `files` directory +* Support preStartCommand in migration Init container as `artifactory.migration.preStartCommand` + +## [9.2.7] - Apr 6, 2020 +* Fix cache size (should be 5gb instead of 50gb since volume claim is only 20gb). + +## [9.2.6] - Apr 1, 2020 +* Support masterKey and joinKey as secrets + +## [9.2.5] - Apr 1, 2020 +* Fix readme use to `-hex 32` instead of `-hex 16` + +## [9.2.4] - Mar 31, 2020 +* Change the way the artifactory `command:` is set so it will properly pass a SIGTERM to java + +## [9.2.3] - Mar 29, 2020 +* Add Nginx log options: stderr as logfile and log level + +## [9.2.2] - Mar 30, 2020 +* Use the same defaulting mechanism used for the artifactory version used elsewhere in the chart + +## [9.2.1] - Mar 29, 2020 +* Fix loggers sidecars configurations to support new file system layout and new log names + +## [9.2.0] - Mar 29, 2020 +* Fix broken admin user bootstrap configuration +* **Breaking change:** renamed `artifactory.accessAdmin` to `artifactory.admin` + +## [9.1.5] - Mar 26, 2020 +* Fix volumeClaimTemplate issue + +## [9.1.4] - Mar 25, 2020 +* Fix volume name used by filebeat container + +## [9.1.3] - Mar 24, 2020 +* Use `postgresqlExtendedConf` for setting custom PostgreSQL configuration (instead of `postgresqlConfiguration`) + +## [9.1.2] - Mar 22, 2020 +* Support for SSL offload in Nginx service(LoadBalancer) layer. Introduced `nginx.service.ssloffload` field with boolean type. + +## [9.1.1] - Mar 23, 2020 +* Moved installer info to values.yaml so it is fully customizable + +## [9.1.0] - Mar 23, 2020 +* Updated Artifactory version to 7.3.2 + +## [9.0.29] - Mar 20, 2020 +* Add support for masterKey trim during 6.x to 7.x migration if 6.x masterKey is 32 hex (64 characters) + +## [9.0.28] - Mar 18, 2020 +* Increased Nginx proxy_buffers size + +## [9.0.27] - Mar 17, 2020 +* Changed all single quotes to double quotes in values files +* useInstanceCredentials variable was declared in S3 settings but not used in chart. Now it is being used. + +## [9.0.26] - Mar 17, 2020 +* Fix rendering of Service Account annotations + +## [9.0.25] - Mar 16, 2020 +* Update Artifactory readme with extra ingress annotations needed for Artifactory to be set as SSO provider + +## [9.0.24] - Mar 16, 2020 +* Add Unsupported message from 6.18 to 7.2.x (migration) + +## [9.0.23] - Mar 12, 2020 +* Fix README.md rendering issue + +## [9.0.22] - Mar 11, 2020 +* Upgrade Docs update + +## [9.0.21] - Mar 11, 2020 +* Unified charts public release + +## [9.0.20] - Mar 6, 2020 +* Fix path to `/artifactory_bootstrap` +* Add support for controlling the name of the ingress and allow to set more than one cname + +## [9.0.19] - Mar 4, 2020 +* Add support for disabling `consoleLog` in `system.yaml` file + +## [9.0.18] - Feb 28, 2020 +* Add support to process `valueFrom` for extraEnvironmentVariables + +## [9.0.17] - Feb 26, 2020 +* Fix join key secret naming + +## [9.0.16] - Feb 26, 2020 +* Store join key to secret + +## [9.0.15] - Feb 26, 2020 +* Updated Artifactory version to 7.2.1 + +## [9.0.10] - Feb 07, 2020 +* Remove protection flag `databaseUpgradeReady` which was added to check internal postgres upgrade + +## [9.0.0] - Feb 07, 2020 +* Updated Artifactory version to 7.0.0 + +## [8.4.8] - Feb 13, 2020 +* Add support for SSH authentication to Artifactory + +## [8.4.7] - Feb 11, 2020 +* Change Artifactory service port name to be hard-coded to `http` instead of using `{{ .Release.Name }}` + +## [8.4.6] - Feb 9, 2020 +* Add support for `tpl` in the `postStartCommand` + +## [8.4.5] - Feb 4, 2020 +* Support customisable Nginx kind + +## [8.4.4] - Feb 2, 2020 +* Add a comment stating that it is recommended to use an external PostgreSQL with a static password for production installations + +## [8.4.3] - Jan 30, 2020 +* Add the option to configure resources for the logger containers + +## [8.4.2] - Jan 26, 2020 +* Improve `database.user` and `database.password` logic in order to support more use cases and make the configuration less repetitive + +## [8.4.1] - Jan 19, 2020 +* Fix replicator port config in nginx replicator configmap + +## [8.4.0] - Jan 19, 2020 +* Updated Artifactory version to 6.17.0 + +## [8.3.6] - Jan 16, 2020 +* Added example for external nginx-ingress + +## [8.3.5] - Dec 30, 2019 +* Fix for nginx probes failing when launched with http disabled + +## [8.3.4] - Dec 24, 2019 +* Better support for custom `artifactory.internalPort` + +## [8.3.3] - Dec 23, 2019 +* Mark empty map values with `{}` + +## [8.3.2] - Dec 16, 2019 +* Fix for toggling nginx service ports + +## [8.3.1] - Dec 12, 2019 +* Add support for toggling nginx service ports + +## [8.3.0] - Dec 1, 2019 +* Updated Artifactory version to 6.16.0 + +## [8.2.6] - Nov 28, 2019 +* Add support for using existing PriorityClass + +## [8.2.5] - Nov 27, 2019 +* Add support for PriorityClass + +## [8.2.4] - Nov 21, 2019 +* Add an option to use a file system cache-fs with the file-system binarystore template + +## [8.2.3] - Nov 20, 2019 +* Update Artifactory Readme + +## [8.2.2] - Nov 20, 2019 +* Update Artfactory logo + +## [8.2.1] - Nov 18, 2019 +* Add the option to provide service account annotations (in order to support stuff like https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html) + +## [8.2.0] - Nov 18, 2019 +* Updated Artifactory version to 6.15.0 + +## [8.1.11] - Nov 17, 2019 +* Do not provide a default master key. Allow it to be auto generated by Artifactory on first startup + +## [8.1.10] - Nov 17, 2019 +* Fix creation of double slash in nginx artifactory configuration + +## [8.1.9] - Nov 14, 2019 +* Set explicit `postgresql.postgresqlPassword=""` to avoid helm v3 error + +## [8.1.8] - Nov 12, 2019 +* Updated Artifactory version to 6.14.1 + +## [8.1.7] - Nov 9, 2019 +* Additional documentation for masterKey + +## [8.1.6] - Nov 10, 2019 +* Update PostgreSQL chart version to 7.0.1 +* Use formal PostgreSQL configuration format + +## [8.1.5] - Nov 8, 2019 +* Add support `artifactory.service.loadBalancerSourceRanges` for whitelisting when setting `artifactory.service.type=LoadBalancer` + +## [8.1.4] - Nov 6, 2019 +* Add support for any type of environment variable by using `extraEnvironmentVariables` as-is + +## [8.1.3] - Nov 6, 2019 +* Add nodeselector support for Postgresql + +## [8.1.2] - Nov 5, 2019 +* Add support for the aws-s3-v3 filestore, which adds support for pod IAM roles + +## [8.1.1] - Nov 4, 2019 +* When using `copyOnEveryStartup`, make sure that the target base directories are created before copying the files + +## [8.1.0] - Nov 3, 2019 +* Updated Artifactory version to 6.14.0 + +## [8.0.1] - Nov 3, 2019 +* Make sure the artifactory pod exits when one of the pre-start stages fail + +## [8.0.0] - Oct 27, 2019 +**IMPORTANT - BREAKING CHANGES!**
+**DOWNTIME MIGHT BE REQUIRED FOR AN UPGRADE!** +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), must use the upgrade instructions in [UPGRADE_NOTES.md](UPGRADE_NOTES.md)! +* PostgreSQL sub chart was upgraded to version `6.5.x`. This version is **not backward compatible** with the old version (`0.9.5`)! +* Note the following **PostgreSQL** Helm chart changes + * The chart configuration has changed! See [values.yaml](values.yaml) for the new keys used + * **PostgreSQL** is deployed as a StatefulSet + * See [PostgreSQL helm chart](https://hub.helm.sh/charts/stable/postgresql) for all available configurations + +## [7.18.3] - Oct 24, 2019 +* Change the preStartCommand to support templating + +## [7.18.2] - Oct 21, 2019 +* Add support for setting `artifactory.labels` +* Add support for setting `nginx.labels` + +## [7.18.1] - Oct 10, 2019 +* Updated Artifactory version to 6.13.1 + +## [7.18.0] - Oct 7, 2019 +* Updated Artifactory version to 6.13.0 + +## [7.17.5] - Sep 24, 2019 +* Option to skip wait-for-db init container with '--set waitForDatabase=false' + +## [7.17.4] - Sep 11, 2019 +* Updated Artifactory version to 6.12.2 + +## [7.17.3] - Sep 9, 2019 +* Updated Artifactory version to 6.12.1 + +## [7.17.2] - Aug 22, 2019 +* Fix the nginx server_name directive used with ingress.hosts + +## [7.17.1] - Aug 21, 2019 +* Enable the Artifactory container's liveness and readiness probes + +## [7.17.0] - Aug 21, 2019 +* Updated Artifactory version to 6.12.0 + +## [7.16.11] - Aug 14, 2019 +* Updated Artifactory version to 6.11.6 + +## [7.16.10] - Aug 11, 2019 +* Fix Ingress routing and add an example + +## [7.16.9] - Aug 5, 2019 +* Do not mount `access/etc/bootstrap.creds` unless user specifies a custom password or secret (Access already generates a random password if not provided one) +* If custom `bootstrap.creds` is provided (using keys or custom secret), prepare it with an init container so the temp file does not persist + +## [7.16.8] - Aug 4, 2019 +* Improve binarystore config + 1. Convert to a secret + 2. Move config to values.yaml + 3. Support an external secret + +## [7.16.7] - Jul 29, 2019 +* Don't create the nginx configmaps when nginx.enabled is false + +## [7.16.6] - Jul 24, 2019 +* Simplify nginx setup and shorten initial wait for probes + +## [7.16.5] - Jul 22, 2019 +* Change Ingress API to be compatible with recent kubernetes versions + +## [7.16.4] - Jul 22, 2019 +* Updated Artifactory version to 6.11.3 + +## [7.16.3] - Jul 11, 2019 +* Add ingress.hosts to the Nginx server_name directive when ingress is enabled to help with Docker repository sub domain configuration + +## [7.16.2] - Jul 3, 2019 +* Fix values key in reverse proxy example + +## [7.16.1] - Jul 1, 2019 +* Updated Artifactory version to 6.11.1 + +## [7.16.0] - Jun 27, 2019 +* Update Artifactory version to 6.11 and add restart to Artifactory when bootstrap.creds file has been modified + +## [7.15.8] - Jun 27, 2019 +* Add the option for changing nginx config using values.yaml and remove outdated reverse proxy documentation + +## [7.15.6] - Jun 24, 2019 +* Update chart maintainers + +## [7.15.5] - Jun 24, 2019 +* Change Nginx to point to the artifactory externalPort + +## [7.15.4] - Jun 23, 2019 +* Add the option to provide an IP for the access-admin endpoints + +## [7.15.3] - Jun 23, 2019 +* Add values files for small, medium and large installations + +## [7.15.2] - Jun 20, 2019 +* Add missing terminationGracePeriodSeconds to values.yaml + +## [7.15.1] - Jun 19, 2019 +* Updated Artifactory version to 6.10.4 + +## [7.15.0] - Jun 17, 2019 +* Use configmaps for nginx configuration and remove nginx postStart command + +## [7.14.8] - Jun 18, 2019 +* Add the option to provide additional ingress rules + +## [7.14.7] - Jun 14, 2019 +* Updated readme with improved external database setup example + +## [7.14.6] - Jun 11, 2019 +* Updated Artifactory version to 6.10.3 +* Updated installer-info template + +## [7.14.5] - Jun 6, 2019 +* Updated Google Cloud Storage API URL and https settings + +## [7.14.4] - Jun 5, 2019 +* Delete the db.properties file on Artifactory startup + +## [7.14.3] - Jun 3, 2019 +* Updated Artifactory version to 6.10.2 + +## [7.14.2] - May 21, 2019 +* Updated Artifactory version to 6.10.1 + +## [7.14.1] - May 19, 2019 +* Fix missing logger image tag + +## [7.14.0] - May 7, 2019 +* Updated Artifactory version to 6.10.0 + +## [7.13.21] - May 5, 2019 +* Add support for setting `artifactory.async.corePoolSize` + +## [7.13.20] - May 2, 2019 +* Remove unused property `artifactory.releasebundle.feature.enabled` + +## [7.13.19] - May 1, 2019 +* Fix indentation issue with the replicator system property + +## [7.13.18] - Apr 30, 2019 +* Add support for JMX monitoring + +## [7.13.17] - Apr 25, 2019 +* Added support for `cacheProviderDir` + +## [7.13.16] - Apr 18, 2019 +* Changing API StatefulSet version to `v1` and permission fix for custom `artifactory.conf` for Nginx + +## [7.13.15] - Apr 16, 2019 +* Updated documentation for Reverse Proxy Configuration + +## [7.13.14] - Apr 15, 2019 +* Added support for `customVolumeMounts` + +## [7.13.13] - Aprl 12, 2019 +* Added support for `bucketExists` flag for googleStorage + +## [7.13.12] - Apr 11, 2019 +* Replace `curl` examples with `wget` due to the new base image + +## [7.13.11] - Aprl 07, 2019 +* Add support for providing the Artifactory license as a parameter + +## [7.13.10] - Apr 10, 2019 +* Updated Artifactory version to 6.9.1 + +## [7.13.9] - Aprl 04, 2019 +* Add support for templated extraEnvironmentVariables + +## [7.13.8] - Aprl 07, 2019 +* Change network policy API group + +## [7.13.7] - Aprl 04, 2019 +* Bugfix for userPluginSecrets + +## [7.13.6] - Apr 4, 2019 +* Add information about upgrading Artifactory with auto-generated postgres password + +## [7.13.5] - Aprl 03, 2019 +* Added installer info + +## [7.13.4] - Aprl 03, 2019 +* Allow secret names for user plugins to contain template language + +## [7.13.3] - Apr 02, 2019 +* Allow NetworkPolicy configurations (defaults to allow all) + +## [7.13.2] - Aprl 01, 2019 +* Add support for user plugin secret + +## [7.13.1] - Mar 27, 2019 +* Add the option to copy a list of files to ARTIFACTORY_HOME on startup + +## [7.13.0] - Mar 26, 2019 +* Updated Artifactory version to 6.9.0 + +## [7.12.18] - Mar 25, 2019 +* Add CI tests for persistence, ingress support and nginx + +## [7.12.17] - Mar 22, 2019 +* Add the option to change the default access-admin password + +## [7.12.16] - Mar 22, 2019 +* Added support for `.Probe.path` to customise the paths used for health probes + +## [7.12.15] - Mar 21, 2019 +* Added support for `artifactory.customSidecarContainers` to create custom sidecar containers +* Added support for `artifactory.customVolumes` to create custom volumes + +## [7.12.14] - Mar 21, 2019 +* Make ingress path configurable + +## [7.12.13] - Mar 19, 2019 +* Move the copy of bootstrap config from postStart to preStart + +## [7.12.12] - Mar 19, 2019 +* Fix existingClaim example + +## [7.12.11] - Mar 18, 2019 +* Add information about nginx persistence + +## [7.12.10] - Mar 15, 2019 +* Wait for nginx configuration file before using it + +## [7.12.9] - Mar 15, 2019 +* Revert securityContext changes since they were causing issues + +## [7.12.8] - Mar 15, 2019 +* Fix issue #247 (init container failing to run) + +## [7.12.7] - Mar 14, 2019 +* Updated Artifactory version to 6.8.7 +* Add support for Artifactory-CE for C++ + +## [7.12.6] - Mar 13, 2019 +* Move securityContext to container level + +## [7.12.5] - Mar 11, 2019 +* Updated Artifactory version to 6.8.6 + +## [7.12.4] - Mar 8, 2019 +* Fix existingClaim option + +## [7.12.3] - Mar 5, 2019 +* Updated Artifactory version to 6.8.4 + +## [7.12.2] - Mar 4, 2019 +* Add support for catalina logs sidecars + +## [7.12.1] - Feb 27, 2019 +* Updated Artifactory version to 6.8.3 + +## [7.12.0] - Feb 25, 2019 +* Add nginx support for tail sidecars + +## [7.11.1] - Feb 20, 2019 +* Added support for enterprise storage + +## [7.10.2] - Feb 19, 2019 +* Updated Artifactory version to 6.8.2 + +## [7.10.1] - Feb 17, 2019 +* Updated Artifactory version to 6.8.1 +* Add example of `SERVER_XML_EXTRA_CONNECTOR` usage + +## [7.10.0] - Feb 15, 2019 +* Updated Artifactory version to 6.8.0 + +## [7.9.6] - Feb 13, 2019 +* Updated Artifactory version to 6.7.3 + +## [7.9.5] - Feb 12, 2019 +* Add support for tail sidecars to view logs from k8s api + +## [7.9.4] - Feb 6, 2019 +* Fix support for customizing statefulset `terminationGracePeriodSeconds` + +## [7.9.3] - Feb 5, 2019 +* Add instructions on how to deploy Artifactory with embedded Derby database + +## [7.9.2] - Feb 5, 2019 +* Add support for customizing statefulset `terminationGracePeriodSeconds` + +## [7.9.1] - Feb 3, 2019 +* Updated Artifactory version to 6.7.2 + +## [7.9.0] - Jan 23, 2019 +* Updated Artifactory version to 6.7.0 + +## [7.8.9] - Jan 22, 2019 +* Added support for `artifactory.customInitContainers` to create custom init containers + +## [7.8.8] - Jan 17, 2019 +* Added support of values ingress.labels + +## [7.8.7] - Jan 16, 2019 +* Mount replicator.yaml (config) directly to /replicator_extra_conf + +## [7.8.6] - Jan 13, 2019 +* Fix documentation about nginx group id + +## [7.8.5] - Jan 13, 2019 +* Updated Artifactory version to 6.6.5 + +## [7.8.4] - Jan 8, 2019 +* Make artifactory.replicator.publicUrl required when the replicator is enabled + +## [7.8.3] - Jan 1, 2019 +* Updated Artifactory version to 6.6.3 +* Add support for `artifactory.extraEnvironmentVariables` to pass more environment variables to Artifactory + +## [7.8.2] - Dec 28, 2018 +* Fix location `replicator.yaml` is copied to + +## [7.8.1] - Dec 27, 2018 +* Updated Artifactory version to 6.6.1 + +## [7.8.0] - Dec 20, 2018 +* Updated Artifactory version to 6.6.0 + +## [7.7.13] - Dec 17, 2018 +* Updated Artifactory version to 6.5.13 + +## [7.7.12] - Dec 12, 2018 +* Fix documentation about Artifactory license setup using secret + +## [7.7.11] - Dec 10, 2018 +* Fix issue when using existing claim + +## [7.7.10] - Dec 5, 2018 +* Remove Distribution certificates creation. + +## [7.7.9] - Nov 30, 2018 +* Updated Artifactory version to 6.5.9 + +## [7.7.8] - Nov 29, 2018 +* Updated postgresql version to 9.6.11 + +## [7.7.7] - Nov 27, 2018 +* Updated Artifactory version to 6.5.8 + +## [7.7.6] - Nov 19, 2018 +* Added support for configMap to use custom Reverse Proxy Configuration with Nginx + +## [7.7.5] - Nov 14, 2018 +* Fix location of `nodeSelector`, `affinity` and `tolerations` + +## [7.7.4] - Nov 14, 2018 +* Updated Artifactory version to 6.5.3 + +## [7.7.3] - Nov 12, 2018 +* Support artifactory.preStartCommand for running command before entrypoint starts + +## [7.7.2] - Nov 7, 2018 +* Support database.url parameter (DB_URL) + +## [7.7.1] - Oct 29, 2018 +* Change probes port to 8040 (so they will not be blocked when all tomcat threads on 8081 are exhausted) + +## [7.7.0] - Oct 28, 2018 +* Update postgresql chart to version 0.9.5 to be able and use `postgresConfig` options + +## [7.6.8] - Oct 23, 2018 +* Fix providing external secret for database credentials + +## [7.6.7] - Oct 23, 2018 +* Allow user to configure externalTrafficPolicy for Loadbalancer + +## [7.6.6] - Oct 22, 2018 +* Updated ingress annotation support (with examples) to support docker registry v2 + +## [7.6.5] - Oct 21, 2018 +* Updated Artifactory version to 6.5.2 + +## [7.6.4] - Oct 19, 2018 +* Allow providing pre-existing secret containing master key +* Allow arbitrary annotations on primary and member node pods +* Enforce size limits when using local storage with `emptyDir` +* Allow providing pre-existing secrets containing external database credentials + +## [7.6.3] - Oct 18, 2018 +* Updated Artifactory version to 6.5.1 + +## [7.6.2] - Oct 17, 2018 +* Add Apache 2.0 license + +## [7.6.1] - Oct 11, 2018 +* Supports master-key in the secrets and stateful-set +* Allows ingress default `backend` to be enabled or disabled (defaults to enabled) + +## [7.6.0] - Oct 11, 2018 +* Updated Artifactory version to 6.5.0 + +## [7.5.4] - Oct 9, 2018 +* Quote ingress hosts to support wildcard names + +## [7.5.3] - Oct 4, 2018 +* Add PostgreSQL resources template + +## [7.5.2] - Oct 2, 2018 +* Add `helm repo add jfrog https://charts.jfrog.io` to README + +## [7.5.1] - Oct 2, 2018 +* Set Artifactory to 6.4.1 + +## [7.5.0] - Sep 27, 2018 +* Set Artifactory to 6.4.0 + +## [7.4.3] - Sep 26, 2018 +* Add ci/test-values.yaml + +## [7.4.2] - Sep 2, 2018 +* Updated Artifactory version to 6.3.2 +* Removed unused PVC + +## [7.4.0] - Aug 22, 2018 +* Added support to run as non root +* Updated Artifactory version to 6.2.0 + +## [7.3.0] - Aug 22, 2018 +* Enabled RBAC Support +* Added support for PostStartCommand (To download Database JDBC connector) +* Increased postgresql max_connections +* Added support for `nginx.conf` ConfigMap +* Updated Artifactory version to 6.1.0 diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/Chart.lock b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/Chart.lock new file mode 100644 index 000000000..8064c323b --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: postgresql + repository: https://charts.jfrog.io/ + version: 10.3.18 +digest: sha256:404ce007353baaf92a6c5f24b249d5b336c232e5fd2c29f8a0e4d0095a09fd53 +generated: "2022-03-08T08:53:16.293311+05:30" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/Chart.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/Chart.yaml new file mode 100644 index 000000000..efcdd39c0 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +appVersion: 7.104.6 +dependencies: +- condition: postgresql.enabled + name: postgresql + repository: https://charts.jfrog.io/ + version: 10.3.18 +description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. +home: https://www.jfrog.com/artifactory/ +icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory/logo/artifactory-logo.png +keywords: +- artifactory +- jfrog +- devops +kubeVersion: '>= 1.19.0-0' +maintainers: +- email: installers@jfrog.com + name: Chart Maintainers at JFrog +name: artifactory +sources: +- https://github.com/jfrog/charts +type: application +version: 107.104.6 diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/LICENSE b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/LICENSE new file mode 100644 index 000000000..8dada3eda --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/README.md b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/README.md new file mode 100644 index 000000000..783101786 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/README.md @@ -0,0 +1,60 @@ +# JFrog Artifactory Helm Chart + +**IMPORTANT!** Our Helm Chart docs have moved to our main documentation site. Below you will find the basic instructions for installing, uninstalling, and deleting Artifactory. For all other information, refer to [Installing Artifactory](https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory#InstallingArtifactory-HelmInstallation). + +## Prerequisites +* Kubernetes 1.19+ +* Artifactory Pro trial license [get one from here](https://www.jfrog.com/artifactory/free-trial/) + +## Chart Details +This chart will do the following: + +* Deploy Artifactory-Pro/Artifactory-Edge (or OSS/CE if custom image is set) +* Deploy a PostgreSQL database using the stable/postgresql chart (can be changed) **NOTE:** For production grade installations it is recommended to use an external PostgreSQL. +* Deploy an optional Nginx server +* Optionally expose Artifactory with Ingress [Ingress documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/) + +## Installing the Chart + +### Add JFrog Helm repository + +Before installing JFrog helm charts, you need to add the [JFrog helm repository](https://charts.jfrog.io) to your helm client + +```bash +helm repo add jfrog https://charts.jfrog.io +helm repo update +``` + +### Install Chart +To install the chart with the release name `artifactory`: +```bash +helm upgrade --install artifactory jfrog/artifactory --namespace artifactory --create-namespace +``` + +### Apply Sizing configurations to the Chart +Note that sizings with more than one replica require an enterprise license for HA . Refer [here](https://jfrog.com/help/r/jfrog-installation-setup-documentation/high-availability) +To apply the chart with recommended sizing configurations : +For small configurations : +```bash +helm upgrade --install artifactory jfrog/artifactory -f sizing/artifactory-small.yaml --namespace artifactory --create-namespace +``` + +## Uninstalling Artifactory + +Uninstall is supported only on Helm v3 and on. + +Uninstall Artifactory using the following command. + +```bash +helm uninstall artifactory && sleep 90 && kubectl delete pvc -l app=artifactory +``` + +## Deleting Artifactory + +**IMPORTANT:** Deleting Artifactory will also delete your data volumes and you will lose all of your data. You must back up all this information before deletion. You do not need to uninstall Artifactory before deleting it. + +To delete Artifactory use the following command. + +```bash +helm delete artifactory --namespace artifactory +``` diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/.helmignore b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/Chart.lock b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/Chart.lock new file mode 100644 index 000000000..3687f52df --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.4.2 +digest: sha256:dce0349883107e3ff103f4f17d3af4ad1ea3c7993551b1c28865867d3e53d37c +generated: "2021-03-30T09:13:28.360322819Z" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/Chart.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/Chart.yaml new file mode 100644 index 000000000..4b197b207 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/Chart.yaml @@ -0,0 +1,29 @@ +annotations: + category: Database +apiVersion: v2 +appVersion: 11.11.0 +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.x.x +description: Chart for PostgreSQL, an object-relational database management system + (ORDBMS) with an emphasis on extensibility and on standards-compliance. +home: https://github.com/bitnami/charts/tree/master/bitnami/postgresql +icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png +keywords: +- postgresql +- postgres +- database +- sql +- replication +- cluster +maintainers: +- email: containers@bitnami.com + name: Bitnami +- email: cedric@desaintmartin.fr + name: desaintmartin +name: postgresql +sources: +- https://github.com/bitnami/bitnami-docker-postgresql +- https://www.postgresql.org/ +version: 10.3.18 diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/README.md b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/README.md new file mode 100644 index 000000000..63d3605bb --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/README.md @@ -0,0 +1,770 @@ +# PostgreSQL + +[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. + +For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) + +## TL;DR + +```console +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/postgresql +``` + +## Introduction + +This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.1.0 +- PV provisioner support in the underlying infrastructure + +## Installing the Chart +To install the chart with the release name `my-release`: + +```console +$ helm install my-release bitnami/postgresql +``` + +The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. + +To delete the PVC's associated with `my-release`: + +```console +$ kubectl delete pvc -l release=my-release +``` + +> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it. + +## Parameters + +The following tables lists the configurable parameters of the PostgreSQL chart and their default values. + +| Parameter | Description | Default | +|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------| +| `global.imageRegistry` | Global Docker Image registry | `nil` | +| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `nil` | +| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `nil` | +| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `nil` | +| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `nil` | +| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port`) | `nil` | +| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | +| `image.registry` | PostgreSQL Image registry | `docker.io` | +| `image.repository` | PostgreSQL Image name | `bitnami/postgresql` | +| `image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | +| `image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `image.debug` | Specify if debug values should be set | `false` | +| `nameOverride` | String to partially override common.names.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override common.names.fullname template with a string | `nil` | +| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/bitnami-shell` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `"10"` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | +| `volumePermissions.securityContext.*` | Other container security context to be included as-is in the container spec | `{}` | +| `volumePermissions.securityContext.runAsUser` | User ID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") | `0` | +| `usePasswordFile` | Have the secrets mounted as a file instead of env vars | `false` | +| `ldap.enabled` | Enable LDAP support | `false` | +| `ldap.existingSecret` | Name of existing secret to use for LDAP passwords | `nil` | +| `ldap.url` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]` | `nil` | +| `ldap.server` | IP address or name of the LDAP server. | `nil` | +| `ldap.port` | Port number on the LDAP server to connect to | `nil` | +| `ldap.scheme` | Set to `ldaps` to use LDAPS. | `nil` | +| `ldap.tls` | Set to `1` to use TLS encryption | `nil` | +| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `nil` | +| `ldap.suffix` | String to append to the user name when forming the DN to bind | `nil` | +| `ldap.search_attr` | Attribute to match against the user name in the search | `nil` | +| `ldap.search_filter` | The search filter to use when doing search+bind authentication | `nil` | +| `ldap.baseDN` | Root DN to begin the search for the user in | `nil` | +| `ldap.bindDN` | DN of user to bind to LDAP | `nil` | +| `ldap.bind_password` | Password for the user to bind to LDAP | `nil` | +| `replication.enabled` | Enable replication | `false` | +| `replication.user` | Replication user | `repl_user` | +| `replication.password` | Replication user password | `repl_password` | +| `replication.readReplicas` | Number of read replicas replicas | `1` | +| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | +| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.readReplicas`. | `0` | +| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | +| `existingSecret` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-postgres-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be used to authenticate on LDAP. The value is evaluated as a template. | `nil` | +| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`, in which case`postgres` is the admin username). | _random 10 character alphanumeric string_ | +| `postgresqlUsername` | PostgreSQL user (creates a non-admin user when `postgresqlUsername` is not `postgres`) | `postgres` | +| `postgresqlPassword` | PostgreSQL user password | _random 10 character alphanumeric string_ | +| `postgresqlDatabase` | PostgreSQL database | `nil` | +| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) | +| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `[]` | +| `extraEnvVarsCM` | Name of a Config Map containing extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `nil` | +| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `nil` | +| `postgresqlInitdbWalDir` | PostgreSQL location for transaction log | `nil` | +| `postgresqlConfiguration` | Runtime Config Parameters | `nil` | +| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `nil` | +| `pgHbaConfiguration` | Content of pg_hba.conf | `nil (do not create pg_hba.conf)` | +| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` | +| `postgresqlMaxConnections` | Maximum total connections | `nil` | +| `postgresqlPostgresConnectionLimit` | Maximum total connections for the postgres user | `nil` | +| `postgresqlDbUserConnectionLimit` | Maximum total connections for the non-admin user | `nil` | +| `postgresqlTcpKeepalivesInterval` | TCP keepalives interval | `nil` | +| `postgresqlTcpKeepalivesIdle` | TCP keepalives idle | `nil` | +| `postgresqlTcpKeepalivesCount` | TCP keepalives count | `nil` | +| `postgresqlStatementTimeout` | Statement timeout | `nil` | +| `postgresqlPghbaRemoveFilters` | Comma-separated list of patterns to remove from the pg_hba.conf file | `nil` | +| `customStartupProbe` | Override default startup probe | `nil` | +| `customLivenessProbe` | Override default liveness probe | `nil` | +| `customReadinessProbe` | Override default readiness probe | `nil` | +| `audit.logHostname` | Add client hostnames to the log file | `false` | +| `audit.logConnections` | Add client log-in operations to the log file | `false` | +| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` | +| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `nil` | +| `audit.clientMinMessages` | Message log level to share with the user | `nil` | +| `audit.logLinePrefix` | Template string for the log line prefix | `nil` | +| `audit.logTimezone` | Timezone for the log timestamps | `nil` | +| `configurationConfigMap` | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil` | +| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` | +| `initdbScripts` | Dictionary of initdb scripts | `nil` | +| `initdbUser` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` | +| `initdbPassword` | Password for the user specified in `initdbUser` | `nil` | +| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` | +| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | PostgreSQL port | `5432` | +| `service.nodePort` | Kubernetes Service nodePort | `nil` | +| `service.annotations` | Annotations for PostgreSQL service | `{}` (evaluated as a template) | +| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` | +| `service.loadBalancerSourceRanges` | Address that are allowed when svc is LoadBalancer | `[]` (evaluated as a template) | +| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` | +| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for primary and read replica(s) Pod(s) | `true` | +| `shmVolume.chmod.enabled` | Run at init chmod 777 of the /dev/shm (ignored if `volumePermissions.enabled` is `false`) | `true` | +| `persistence.enabled` | Enable persistence using PVC | `true` | +| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` | +| `persistence.mountPath` | Path to mount the volume at | `/bitnami/postgresql` | +| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` | +| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` | +| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `persistence.annotations` | Annotations for the PVC | `{}` | +| `persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `commonAnnotations` | Annotations to be added to all deployed resources (rendered as a template) | `{}` | +| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` (evaluated as a template) | +| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` (evaluated as a template) | +| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` (evaluated as a template) | +| `primary.anotations` | Map of annotations to add to the statefulset (postgresql primary) | `{}` | +| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | +| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | +| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | +| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `nil` | +| `primary.extraInitContainers` | Additional init containers to add to the pods (postgresql primary) | `[]` | +| `primary.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql primary) | `[]` | +| `primary.extraVolumes` | Additional volumes to add to the pods (postgresql primary) | `[]` | +| `primary.sidecars` | Add additional containers to the pod | `[]` | +| `primary.service.type` | Allows using a different service type for primary | `nil` | +| `primary.service.nodePort` | Allows using a different nodePort for primary | `nil` | +| `primary.service.clusterIP` | Allows using a different clusterIP for primary | `nil` | +| `primaryAsStandBy.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not. | `false` | +| `primaryAsStandBy.primaryHost` | The Host of replication primary in the other cluster. | `nil` | +| `primaryAsStandBy.primaryPort ` | The Port of replication primary in the other cluster. | `nil` | +| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` | +| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` (evaluated as a template) | +| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` (evaluated as a template) | +| `readReplicas.anotations` | Map of annotations to add to the statefulsets (postgresql readReplicas) | `{}` | +| `readReplicas.resources` | CPU/Memory resource requests/limits override for readReplicass. Will fallback to `values.resources` if not defined. | `{}` | +| `readReplicas.labels` | Map of labels to add to the statefulsets (postgresql readReplicas) | `{}` | +| `readReplicas.podAnnotations` | Map of annotations to add to the pods (postgresql readReplicas) | `{}` | +| `readReplicas.podLabels` | Map of labels to add to the pods (postgresql readReplicas) | `{}` | +| `readReplicas.priorityClassName` | Priority Class to use for each pod (postgresql readReplicas) | `nil` | +| `readReplicas.extraInitContainers` | Additional init containers to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.extraVolumes` | Additional volumes to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.sidecars` | Add additional containers to the pod | `[]` | +| `readReplicas.service.type` | Allows using a different service type for readReplicas | `nil` | +| `readReplicas.service.nodePort` | Allows using a different nodePort for readReplicas | `nil` | +| `readReplicas.service.clusterIP` | Allows using a different clusterIP for readReplicas | `nil` | +| `readReplicas.persistence.enabled` | Whether to enable readReplicas replicas persistence | `true` | +| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` | +| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` | +| `securityContext.*` | Other pod security context to be included as-is in the pod spec | `{}` | +| `securityContext.enabled` | Enable security context | `true` | +| `securityContext.fsGroup` | Group ID for the pod | `1001` | +| `containerSecurityContext.*` | Other container security context to be included as-is in the container spec | `{}` | +| `containerSecurityContext.enabled` | Enable container security context | `true` | +| `containerSecurityContext.runAsUser` | User ID for the container | `1001` | +| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` | +| `serviceAccount.name` | Name of existing service account | `nil` | +| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed | `{}` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `startupProbe.periodSeconds` | How often to perform the probe | 15 | +| `startupProbe.timeoutSeconds` | When the probe times | 5 | +| `startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `startupProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 5 | +| `readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `tls.enabled` | Enable TLS traffic support | `false` | +| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` | +| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `nil` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename. If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate. | `nil` | +| `tls.crlFilename` | File containing a Certificate Revocation List | `nil` | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.service.type` | Kubernetes Service type | `ClusterIP` | +| `service.clusterIP` | Static clusterIP or None for headless services | `nil` | +| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` | +| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | +| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `nil` | +| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `nil` | +| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `nil` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | the same namespace as postgresql | +| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` | +| `metrics.image.registry` | PostgreSQL Exporter Image registry | `docker.io` | +| `metrics.image.repository` | PostgreSQL Exporter Image name | `bitnami/postgres-exporter` | +| `metrics.image.tag` | PostgreSQL Exporter Image tag | `{TAG_NAME}` | +| `metrics.image.pullPolicy` | PostgreSQL Exporter Image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `metrics.customMetrics` | Additional custom metrics | `nil` | +| `metrics.extraEnvVars` | Extra environment variables to add to exporter | `{}` (evaluated as a template) | +| `metrics.securityContext.*` | Other container security context to be included as-is in the container spec | `{}` | +| `metrics.securityContext.enabled` | Enable security context for metrics | `false` | +| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` | +| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `metrics.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `metrics.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `metrics.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 5 | +| `metrics.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` | +| `psp.create` | Create Pod Security Policy | `false` | +| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). | `nil` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release \ + --set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \ + bitnami/postgresql +``` + +The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release -f values.yaml bitnami/postgresql +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customizing primary and read replica services in a replicated configuration + +At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. + +### Change PostgreSQL version + +To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the whole configuration file. + +Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server. + +Alternatively, you can add additional PostgreSQL configuration parameters using the `postgresqlExtendedConf` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}. Alternatively, to replace the entire default configuration use `postgresqlConfiguration`. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options. + +### Allow settings to be loaded from files other than the default `postgresql.conf` + +If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory. +Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap. + +Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict. + +In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. + +For example: + +* First, create the secret with the cetificates files: + + ```console + kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt + ``` + +* Then, use the following parameters: + + ```console + volumePermissions.enabled=true + tls.enabled=true + tls.certificatesSecret="certificates-tls-secret" + tls.certFilename="cert.crt" + tls.certKeyFilename="cert.key" + ``` + + > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. + +### Sidecars + +If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +# For the PostgreSQL primary +primary: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +# For the PostgreSQL replicas +readReplicas: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +``` + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +``` +postgresql.postgresqlPassword=testtest +subchart1.postgresql.postgresqlPassword=testtest +subchart2.postgresql.postgresqlPassword=testtest +postgresql.postgresqlDatabase=db1 +subchart1.postgresql.postgresqlDatabase=db1 +subchart2.postgresql.postgresqlDatabase=db1 +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: + +``` +global.postgresql.postgresqlPassword=testtest +global.postgresql.postgresqlDatabase=db1 +``` + +This way, the credentials will be available in all of the subcharts. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished. + +## NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + +```console +$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. +- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,containerSecurityContext.enabled=false,shmVolume.chmod.enabled=false + +### Deploy chart using Docker Official PostgreSQL Image + +From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image. +Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory. + +``` +image.repository=postgres +image.tag=10.6 +postgresqlDataDir=/data/pgdata +persistence.mountPath=/data/ +``` + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` paremeter(s). Find more infomation about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami’s Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart: + +```bash +$ helm upgrade my-release bitnami/postgresql \ + --set postgresqlPassword=[POSTGRESQL_PASSWORD] \ + --set replication.password=[REPLICATION_PASSWORD] +``` + +> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes. + +### To 10.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the *requirements.yaml* to the *Chart.yaml* +- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart. + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +#### Breaking changes + +- The term `master` has been replaced with `primary` and `slave` with `readReplicas` throughout the chart. Role names have changed from `master` and `slave` to `primary` and `read`. + +To upgrade to `10.0.0`, it should be done reusing the PVCs used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is `postgresql`): + +> NOTE: Please, create a backup of your database before running any of those actions. + +Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +$ export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +$ export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") +``` + +Delete the PostgreSQL statefulset. Notice the option `--cascade=false`: + +```console +$ kubectl delete statefulsets.apps postgresql-postgresql --cascade=false +``` + +Now the upgrade works: + +```console +$ helm upgrade postgresql bitnami/postgresql --set postgresqlPassword=$POSTGRESQL_PASSWORD --set persistence.existingClaim=$POSTGRESQL_PVC +``` + +You will have to delete the existing PostgreSQL pod and the new statefulset is going to create a new one + +```console +$ kubectl delete pod postgresql-postgresql-0 +``` + +Finally, you should see the lines below in PostgreSQL container logs: + +```console +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` + +### To 9.0.0 + +In this version the chart was adapted to follow the Helm label best practices, see [PR 3021](https://github.com/bitnami/charts/pull/3021). That means the backward compatibility is not guarantee when upgrading the chart to this major version. + +As a workaround, you can delete the existing statefulset (using the `--cascade=false` flag pods are not deleted) before upgrade the chart. For example, this can be a valid workflow: + +- Deploy an old version (8.X.X) + +```console +$ helm install postgresql bitnami/postgresql --version 8.10.14 +``` + +- Old version is up and running + +```console +$ helm ls +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +postgresql default 1 2020-08-04 13:39:54.783480286 +0000 UTC deployed postgresql-8.10.14 11.8.0 + +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +postgresql-postgresql-0 1/1 Running 0 76s +``` + +- The upgrade to the latest one (9.X.X) is going to fail + +```console +$ helm upgrade postgresql bitnami/postgresql +Error: UPGRADE FAILED: cannot patch "postgresql-postgresql" with kind StatefulSet: StatefulSet.apps "postgresql-postgresql" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden +``` + +- Delete the statefulset + +```console +$ kubectl delete statefulsets.apps --cascade=false postgresql-postgresql +statefulset.apps "postgresql-postgresql" deleted +``` + +- Now the upgrade works + +```console +$ helm upgrade postgresql bitnami/postgresql +$ helm ls +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +postgresql default 3 2020-08-04 13:42:08.020385884 +0000 UTC deployed postgresql-9.1.2 11.8.0 +``` + +- We can kill the existing pod and the new statefulset is going to create a new one: + +```console +$ kubectl delete pod postgresql-postgresql-0 +pod "postgresql-postgresql-0" deleted + +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +postgresql-postgresql-0 1/1 Running 0 19s +``` + +Please, note that without the `--cascade=false` both objects (statefulset and pod) are going to be removed and both objects will be deployed again with the `helm upgrade` command + +### To 8.0.0 + +Prefixes the port names with their protocols to comply with Istio conventions. + +If you depend on the port names in your setup, make sure to update them to reflect this change. + +### To 7.1.0 + +Adds support for LDAP configuration. + +### To 7.0.0 + +Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. + +In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. + +This major version bump signifies this change. + +### To 6.5.7 + +In this version, the chart will use PostgreSQL with the Postgis extension included. The version used with Postgresql version 10, 11 and 12 is Postgis 2.5. It has been compiled with the following dependencies: + +- protobuf +- protobuf-c +- json-c +- geos +- proj + +### To 5.0.0 + +In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/). + +For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs: + +```console +Welcome to the Bitnami postgresql container +Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql +Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues +Send us your feedback at containers@bitnami.com + +INFO ==> ** Starting PostgreSQL setup ** +NFO ==> Validating settings in POSTGRESQL_* env vars.. +INFO ==> Initializing PostgreSQL database... +INFO ==> postgresql.conf file not detected. Generating it... +INFO ==> pg_hba.conf file not detected. Generating it... +INFO ==> Deploying PostgreSQL with persisted data... +INFO ==> Configuring replication parameters +INFO ==> Loading custom scripts... +INFO ==> Enabling remote connections +INFO ==> Stopping PostgreSQL... +INFO ==> ** PostgreSQL setup finished! ** + +INFO ==> ** Starting PostgreSQL ** + [1] FATAL: database files are incompatible with server + [1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3. +``` + +In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one. + +### To 4.0.0 + +This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately. + +IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error + +``` +The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development +``` + +### To 3.0.0 + +This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods. +It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride. + +#### Breaking changes + +- `affinty` has been renamed to `master.affinity` and `slave.affinity`. +- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`. +- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`. + +### To 2.0.0 + +In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps: + +- Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running + +```console +$ kubectl get svc +``` + +- Install (not upgrade) the new version + +```console +$ helm repo update +$ helm install my-release bitnami/postgresql +``` + +- Connect to the new pod (you can obtain the name by running `kubectl get pods`): + +```console +$ kubectl exec -it NAME bash +``` + +- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart: + +```console +$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql +``` + +After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`). +This operation could take some time depending on the database size. + +- Once you have the backup file, you can restore it with a command like the one below: + +```console +$ psql -U postgres DATABASE_NAME < /tmp/backup.sql +``` + +In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt). + +If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below. + +```console +$ psql -U postgres +postgres=# drop database DATABASE_NAME; +postgres=# create database DATABASE_NAME; +postgres=# create user USER_NAME; +postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD'; +postgres=# grant all privileges on database DATABASE_NAME to USER_NAME; +postgres=# alter database DATABASE_NAME owner to USER_NAME; +``` diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/.helmignore b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/Chart.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/Chart.yaml new file mode 100644 index 000000000..bcc3808d0 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 1.4.2 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/master/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- email: containers@bitnami.com + name: Bitnami +name: common +sources: +- https://github.com/bitnami/charts +- http://www.bitnami.com/ +type: library +version: 1.4.2 diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/README.md b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/README.md new file mode 100644 index 000000000..7287cbb5f --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/README.md @@ -0,0 +1,322 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 0.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.1.0 + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|----------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|--------------------------|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Inpput | +|-------------------------|------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for RedisTM are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets. + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_affinities.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_affinities.tpl new file mode 100644 index 000000000..493a6dc7e --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_affinities.tpl @@ -0,0 +1,94 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_capabilities.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_capabilities.tpl new file mode 100644 index 000000000..4dde56a38 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_capabilities.tpl @@ -0,0 +1,95 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_errors.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_errors.tpl new file mode 100644 index 000000000..a79cc2e32 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_images.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_images.tpl new file mode 100644 index 000000000..60f04fd6e --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_images.tpl @@ -0,0 +1,47 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $tag := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if $registryName }} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- else -}} +{{- printf "%s:%s" $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_ingress.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_ingress.tpl new file mode 100644 index 000000000..622ef50e3 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_ingress.tpl @@ -0,0 +1,42 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if typeIs "int" .servicePort }} + number: {{ .servicePort }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_labels.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_labels.tpl new file mode 100644 index 000000000..252066c7e --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_names.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_names.tpl new file mode 100644 index 000000000..adf2a74f4 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_names.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_secrets.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_secrets.tpl new file mode 100644 index 000000000..60b84a701 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_secrets.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- if index $secret.data .key }} + {{- $password = index $secret.data .key }} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_storage.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_storage.tpl new file mode 100644 index 000000000..60e2a844f --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_tplvalues.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_tplvalues.tpl new file mode 100644 index 000000000..2db166851 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_utils.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_utils.tpl new file mode 100644 index 000000000..ea083a249 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_warnings.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_warnings.tpl new file mode 100644 index 000000000..ae10fa41e --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 000000000..8679ddffb --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 000000000..bb5ed7253 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 000000000..7d5ecbccb --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB(R) required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB(R) values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB(R) is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (not $existingSecret) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB(R) is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 000000000..992bcd390 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,131 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_redis.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_redis.tpl new file mode 100644 index 000000000..3e2a47c03 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,72 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis(TM) required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $existingSecret := include "common.redis.values.existingSecret" . -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $valueKeyRedisPassword := printf "%s%s" $valueKeyPrefix "password" -}} + {{- $valueKeyRedisUsePassword := printf "%s%s" $valueKeyPrefix "usePassword" -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $usePassword := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUsePassword "context" .context) -}} + {{- if eq $usePassword "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Redis Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.redis.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Redis(TM) is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.redis.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_validations.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_validations.tpl new file mode 100644 index 000000000..9a814cf40 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/values.yaml new file mode 100644 index 000000000..9ecdc93f5 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/charts/common/values.yaml @@ -0,0 +1,3 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +exampleValue: common-chart diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/commonAnnotations.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/commonAnnotations.yaml new file mode 100644 index 000000000..97e18a4cc --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/commonAnnotations.yaml @@ -0,0 +1,3 @@ +commonAnnotations: + helm.sh/hook: "\"pre-install, pre-upgrade\"" + helm.sh/hook-weight: "-1" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/default-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/default-values.yaml new file mode 100644 index 000000000..fc2ba605a --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/default-values.yaml @@ -0,0 +1 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/shmvolume-disabled-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/shmvolume-disabled-values.yaml new file mode 100644 index 000000000..347d3b40a --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/ci/shmvolume-disabled-values.yaml @@ -0,0 +1,2 @@ +shmVolume: + enabled: false diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/README.md b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/README.md new file mode 100644 index 000000000..1813a2fea --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/README.md @@ -0,0 +1 @@ +Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map. diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/conf.d/README.md b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/conf.d/README.md new file mode 100644 index 000000000..184c1875d --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/conf.d/README.md @@ -0,0 +1,4 @@ +If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files. +These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file). diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/docker-entrypoint-initdb.d/README.md b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/docker-entrypoint-initdb.d/README.md new file mode 100644 index 000000000..cba38091e --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/files/docker-entrypoint-initdb.d/README.md @@ -0,0 +1,3 @@ +You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image. + +More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository. \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/NOTES.txt b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/NOTES.txt new file mode 100644 index 000000000..4e98958c1 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/NOTES.txt @@ -0,0 +1,59 @@ +** Please be patient while the chart is being deployed ** + +PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster: + + {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection +{{- if .Values.replication.enabled }} + {{ template "common.names.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection +{{- end }} + +{{- if not (eq (include "postgresql.username" .) "postgres") }} + +To get the password for "postgres" run: + + export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-postgres-password}" | base64 --decode) +{{- end }} + +To get the password for "{{ template "postgresql.username" . }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode) + +To connect to your database run the following command: + + kubectl run {{ template "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} + --labels="{{ template "common.names.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "common.names.fullname" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }} + +{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} +Note: Since NetworkPolicy is enabled, only pods with label {{ template "common.names.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster. +{{- end }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} + +{{- else if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} + +{{- else if contains "ClusterIP" .Values.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} & + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }} + +{{- end }} + +{{- include "postgresql.validateValues" . -}} + +{{- include "common.warnings.rollingTag" .Values.image -}} + +{{- $passwordValidationErrors := include "common.validations.values.postgresql.passwords" (dict "secret" (include "common.names.fullname" .) "context" $) -}} + +{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/_helpers.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/_helpers.tpl new file mode 100644 index 000000000..1f98efe78 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/_helpers.tpl @@ -0,0 +1,337 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "postgresql.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.primary.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}} +{{- if .Values.replication.enabled -}} +{{- printf "%s-%s" $fullname "primary" | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "postgresql.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper PostgreSQL metrics image name +*/}} +{{- define "postgresql.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "postgresql.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "postgresql.imagePullSecrets" -}} +{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} +{{- end -}} + +{{/* +Return PostgreSQL postgres user password +*/}} +{{- define "postgresql.postgres.password" -}} +{{- if .Values.global.postgresql.postgresqlPostgresPassword }} + {{- .Values.global.postgresql.postgresqlPostgresPassword -}} +{{- else if .Values.postgresqlPostgresPassword -}} + {{- .Values.postgresqlPostgresPassword -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL password +*/}} +{{- define "postgresql.password" -}} +{{- if .Values.global.postgresql.postgresqlPassword }} + {{- .Values.global.postgresql.postgresqlPassword -}} +{{- else if .Values.postgresqlPassword -}} + {{- .Values.postgresqlPassword -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL replication password +*/}} +{{- define "postgresql.replication.password" -}} +{{- if .Values.global.postgresql.replicationPassword }} + {{- .Values.global.postgresql.replicationPassword -}} +{{- else if .Values.replication.password -}} + {{- .Values.replication.password -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL username +*/}} +{{- define "postgresql.username" -}} +{{- if .Values.global.postgresql.postgresqlUsername }} + {{- .Values.global.postgresql.postgresqlUsername -}} +{{- else -}} + {{- .Values.postgresqlUsername -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL replication username +*/}} +{{- define "postgresql.replication.username" -}} +{{- if .Values.global.postgresql.replicationUser }} + {{- .Values.global.postgresql.replicationUser -}} +{{- else -}} + {{- .Values.replication.user -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL port +*/}} +{{- define "postgresql.port" -}} +{{- if .Values.global.postgresql.servicePort }} + {{- .Values.global.postgresql.servicePort -}} +{{- else -}} + {{- .Values.service.port -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL created database +*/}} +{{- define "postgresql.database" -}} +{{- if .Values.global.postgresql.postgresqlDatabase }} + {{- .Values.global.postgresql.postgresqlDatabase -}} +{{- else if .Values.postgresqlDatabase -}} + {{- .Values.postgresqlDatabase -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "postgresql.secretName" -}} +{{- if .Values.global.postgresql.existingSecret }} + {{- printf "%s" (tpl .Values.global.postgresql.existingSecret $) -}} +{{- else if .Values.existingSecret -}} + {{- printf "%s" (tpl .Values.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if we should use an existingSecret. +*/}} +{{- define "postgresql.useExistingSecret" -}} +{{- if or .Values.global.postgresql.existingSecret .Values.existingSecret -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "postgresql.createSecret" -}} +{{- if not (include "postgresql.useExistingSecret" .) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the configuration ConfigMap name. +*/}} +{{- define "postgresql.configurationCM" -}} +{{- if .Values.configurationConfigMap -}} +{{- printf "%s" (tpl .Values.configurationConfigMap $) -}} +{{- else -}} +{{- printf "%s-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the extended configuration ConfigMap name. +*/}} +{{- define "postgresql.extendedConfigurationCM" -}} +{{- if .Values.extendedConfConfigMap -}} +{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}} +{{- else -}} +{{- printf "%s-extended-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap should be mounted with PostgreSQL configuration +*/}} +{{- define "postgresql.mountConfigurationCM" -}} +{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts Secret name. +*/}} +{{- define "postgresql.initdbScriptsSecret" -}} +{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}} +{{- end -}} + +{{/* +Get the metrics ConfigMap name. +*/}} +{{- define "postgresql.metricsCM" -}} +{{- printf "%s-metrics" (include "common.names.fullname" .) -}} +{{- end -}} + +{{/* +Get the readiness probe command +*/}} +{{- define "postgresql.readinessProbeCommand" -}} +- | +{{- if (include "postgresql.database" .) }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- else }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- end }} +{{- if contains "bitnami/" .Values.image.repository }} + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "postgresql.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.tls" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap +*/}} +{{- define "postgresql.validateValues.ldapConfigurationMethod" -}} +{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }} +postgresql: ldap.url, ldap.server + You cannot set both `ldap.url` and `ldap.server` at the same time. + Please provide a unique way to configure LDAP. + More info at https://www.postgresql.org/docs/current/auth-ldap.html +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If PSP is enabled RBAC should be enabled too +*/}} +{{- define "postgresql.validateValues.psp" -}} +{{- if and .Values.psp.create (not .Values.rbac.create) }} +postgresql: psp.create, rbac.create + RBAC should be enabled if PSP is enabled in order for PSP to work. + More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for podsecuritypolicy. +*/}} +{{- define "podsecuritypolicy.apiVersion" -}} +{{- if semverCompare "<1.10-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "postgresql.networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"extensions/v1beta1" +{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"networking.k8s.io/v1" +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql TLS - When TLS is enabled, so must be VolumePermissions +*/}} +{{- define "postgresql.validateValues.tls" -}} +{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} +postgresql: tls.enabled, volumePermissions.enabled + When TLS is enabled you must enable volumePermissions as well to ensure certificates files have + the right permissions. +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "postgresql.tlsCert" -}} +{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "postgresql.tlsCertKey" -}} +{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.tlsCACert" -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} +{{- end -}} + +{{/* +Return the path to the CRL file. +*/}} +{{- define "postgresql.tlsCRL" -}} +{{- if .Values.tls.crlFilename -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/configmap.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/configmap.yaml new file mode 100644 index 000000000..3a5ea18ae --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/configmap.yaml @@ -0,0 +1,31 @@ +{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-configuration + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +data: +{{- if (.Files.Glob "files/postgresql.conf") }} +{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }} +{{- else if .Values.postgresqlConfiguration }} + postgresql.conf: | +{{- range $key, $value := default dict .Values.postgresqlConfiguration }} + {{- if kindIs "string" $value }} + {{ $key | snakecase }} = '{{ $value }}' + {{- else }} + {{ $key | snakecase }} = {{ $value }} + {{- end }} +{{- end }} +{{- end }} +{{- if (.Files.Glob "files/pg_hba.conf") }} +{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }} +{{- else if .Values.pgHbaConfiguration }} + pg_hba.conf: | +{{ .Values.pgHbaConfiguration | indent 4 }} +{{- end }} +{{ end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/extended-config-configmap.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/extended-config-configmap.yaml new file mode 100644 index 000000000..b0dad253b --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/extended-config-configmap.yaml @@ -0,0 +1,26 @@ +{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-extended-configuration + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +data: +{{- with .Files.Glob "files/conf.d/*.conf" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{ with .Values.postgresqlExtendedConf }} + override.conf: | +{{- range $key, $value := . }} + {{- if kindIs "string" $value }} + {{ $key | snakecase }} = '{{ $value }}' + {{- else }} + {{ $key | snakecase }} = {{ $value }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/extra-list.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/extra-list.yaml new file mode 100644 index 000000000..9ac65f9e1 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/initialization-configmap.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/initialization-configmap.yaml new file mode 100644 index 000000000..7796c67a9 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/initialization-configmap.yaml @@ -0,0 +1,25 @@ +{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-init-scripts + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} +binaryData: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} +{{- end }} +{{- end }} +data: +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{- with .Values.initdbScripts }} +{{ toYaml . | indent 2 }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/metrics-configmap.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/metrics-configmap.yaml new file mode 100644 index 000000000..fa539582b --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/metrics-configmap.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.metricsCM" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +data: + custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/metrics-svc.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/metrics-svc.yaml new file mode 100644 index 000000000..af8b67e2f --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/metrics-svc.yaml @@ -0,0 +1,26 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-metrics + labels: + {{- include "common.labels.standard" . | nindent 4 }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- toYaml .Values.metrics.service.annotations | nindent 4 }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ .Values.metrics.service.type }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} + {{- end }} + ports: + - name: http-metrics + port: 9187 + targetPort: http-metrics + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: primary +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/networkpolicy.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/networkpolicy.yaml new file mode 100644 index 000000000..4f2740ea0 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/networkpolicy.yaml @@ -0,0 +1,39 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + ingress: + # Allow inbound connections + - ports: + - port: {{ template "postgresql.port" . }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.explicitNamespacesSelector }} + namespaceSelector: +{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }} + {{- end }} + - podSelector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 14 }} + role: read + {{- end }} + {{- if .Values.metrics.enabled }} + # Allow prometheus scrapes + - ports: + - port: 9187 + {{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/podsecuritypolicy.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..0c49694fa --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/podsecuritypolicy.yaml @@ -0,0 +1,38 @@ +{{- if .Values.psp.create }} +apiVersion: {{ include "podsecuritypolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + privileged: false + volumes: + - 'configMap' + - 'secret' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'projected' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/prometheusrule.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/prometheusrule.yaml new file mode 100644 index 000000000..d0f408c78 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/prometheusrule.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "common.names.fullname" . }} +{{- with .Values.metrics.prometheusRule.namespace }} + namespace: {{ . }} +{{- end }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- with .Values.metrics.prometheusRule.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: +{{- with .Values.metrics.prometheusRule.rules }} + groups: + - name: {{ template "postgresql.name" $ }} + rules: {{ tpl (toYaml .) $ | nindent 8 }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/role.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/role.yaml new file mode 100644 index 000000000..017a5716b --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/role.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +rules: + {{- if .Values.psp.create }} + - apiGroups: ["extensions"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: + - {{ template "common.names.fullname" . }} + {{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/rolebinding.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/rolebinding.yaml new file mode 100644 index 000000000..189775a15 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ template "common.names.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/secrets.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/secrets.yaml new file mode 100644 index 000000000..d492cd593 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/secrets.yaml @@ -0,0 +1,24 @@ +{{- if (include "postgresql.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + {{- if not (eq (include "postgresql.username" .) "postgres") }} + postgresql-postgres-password: {{ include "postgresql.postgres.password" . | b64enc | quote }} + {{- end }} + postgresql-password: {{ include "postgresql.password" . | b64enc | quote }} + {{- if .Values.replication.enabled }} + postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }} + {{- end }} + {{- if (and .Values.ldap.enabled .Values.ldap.bind_password)}} + postgresql-ldap-password: {{ .Values.ldap.bind_password | b64enc | quote }} + {{- end }} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/serviceaccount.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/serviceaccount.yaml new file mode 100644 index 000000000..03f0f50e7 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "common.labels.standard" . | nindent 4 }} + name: {{ template "common.names.fullname" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/servicemonitor.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/servicemonitor.yaml new file mode 100644 index 000000000..587ce85b8 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/servicemonitor.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "common.names.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- end }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + +spec: + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/statefulset-readreplicas.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/statefulset-readreplicas.yaml new file mode 100644 index 000000000..b038299bf --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/statefulset-readreplicas.yaml @@ -0,0 +1,411 @@ +{{- if .Values.replication.enabled }} +{{- $readReplicasResources := coalesce .Values.readReplicas.resources .Values.resources -}} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: "{{ template "common.names.fullname" . }}-read" + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read +{{- with .Values.readReplicas.labels }} +{{ toYaml . | indent 4 }} +{{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- with .Values.readReplicas.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + serviceName: {{ template "common.names.fullname" . }}-headless + replicas: {{ .Values.replication.readReplicas }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + role: read + template: + metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: read + role: read +{{- with .Values.readReplicas.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.readReplicas.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.readReplicas.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.readReplicas.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name}} + {{- end }} + {{- if or .Values.readReplicas.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} + initContainers: + {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -cx + - | + {{- if .Values.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} + {{- else }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + xargs chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ template "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{ if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.readReplicas.extraInitContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraInitContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.priorityClassName }} + priorityClassName: {{ .Values.readReplicas.priorityClassName }} + {{- end }} + containers: + - name: {{ template "common.names.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if $readReplicasResources }} + resources: {{- toYaml $readReplicasResources | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + - name: POSTGRESQL_PORT_NUMBER + value: "{{ template "postgresql.port" . }}" + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + - name: POSTGRES_REPLICATION_MODE + value: "slave" + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + - name: POSTGRES_MASTER_HOST + value: {{ template "common.names.fullname" . }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ include "postgresql.port" . | quote }} + {{- if not (eq (include "postgresql.username" .) "postgres") }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-postgres-password + {{- end }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ template "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ template "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ template "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ template "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.postgresqlMaxConnections }} + - name: POSTGRESQL_MAX_CONNECTIONS + value: {{ .Values.postgresqlMaxConnections | quote }} + {{- end }} + {{- if .Values.postgresqlPostgresConnectionLimit }} + - name: POSTGRESQL_POSTGRES_CONNECTION_LIMIT + value: {{ .Values.postgresqlPostgresConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlDbUserConnectionLimit }} + - name: POSTGRESQL_USERNAME_CONNECTION_LIMIT + value: {{ .Values.postgresqlDbUserConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesInterval }} + - name: POSTGRESQL_TCP_KEEPALIVES_INTERVAL + value: {{ .Values.postgresqlTcpKeepalivesInterval | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesIdle }} + - name: POSTGRESQL_TCP_KEEPALIVES_IDLE + value: {{ .Values.postgresqlTcpKeepalivesIdle | quote }} + {{- end }} + {{- if .Values.postgresqlStatementTimeout }} + - name: POSTGRESQL_STATEMENT_TIMEOUT + value: {{ .Values.postgresqlStatementTimeout | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesCount }} + - name: POSTGRESQL_TCP_KEEPALIVES_COUNT + value: {{ .Values.postgresqlTcpKeepalivesCount | quote }} + {{- end }} + {{- if .Values.postgresqlPghbaRemoveFilters }} + - name: POSTGRESQL_PGHBA_REMOVE_FILTERS + value: {{ .Values.postgresqlPghbaRemoveFilters | quote }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ template "postgresql.port" . }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{ end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.readReplicas.extraVolumeMounts }} + {{- toYaml .Values.readReplicas.extraVolumeMounts | nindent 12 }} + {{- end }} +{{- if .Values.readReplicas.sidecars }} +{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }} +{{- end }} + volumes: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + sizeLimit: 1Gi + {{- end }} + {{- if or (not .Values.persistence.enabled) (not .Values.readReplicas.persistence.enabled) }} + - name: data + emptyDir: {} + {{- end }} + {{- if .Values.readReplicas.extraVolumes }} + {{- toYaml .Values.readReplicas.extraVolumes | nindent 8 }} + {{- end }} + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} +{{- if and .Values.persistence.enabled .Values.readReplicas.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + + {{- if .Values.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} + {{- end -}} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/statefulset.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/statefulset.yaml new file mode 100644 index 000000000..f8163fd99 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/statefulset.yaml @@ -0,0 +1,609 @@ +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ template "postgresql.primary.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- with .Values.primary.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- with .Values.primary.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + serviceName: {{ template "common.names.fullname" . }}-headless + replicas: 1 + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + role: primary + template: + metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 8 }} + role: primary + app.kubernetes.io/component: primary + {{- with .Values.primary.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.primary.podAnnotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.primary.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.primary.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }} + {{- end }} + {{- if or .Values.primary.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} + initContainers: + {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -cx + - | + {{- if .Values.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} + {{- else }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + xargs chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ template "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.primary.extraInitContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraInitContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.primary.priorityClassName }} + priorityClassName: {{ .Values.primary.priorityClassName }} + {{- end }} + containers: + - name: {{ template "common.names.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: "{{ template "postgresql.port" . }}" + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + {{- if .Values.postgresqlInitdbArgs }} + - name: POSTGRES_INITDB_ARGS + value: {{ .Values.postgresqlInitdbArgs | quote }} + {{- end }} + {{- if .Values.postgresqlInitdbWalDir }} + - name: POSTGRES_INITDB_WALDIR + value: {{ .Values.postgresqlInitdbWalDir | quote }} + {{- end }} + {{- if .Values.initdbUser }} + - name: POSTGRESQL_INITSCRIPTS_USERNAME + value: {{ .Values.initdbUser }} + {{- end }} + {{- if .Values.initdbPassword }} + - name: POSTGRESQL_INITSCRIPTS_PASSWORD + value: {{ .Values.initdbPassword }} + {{- end }} + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + {{- if .Values.primaryAsStandBy.enabled }} + - name: POSTGRES_MASTER_HOST + value: {{ .Values.primaryAsStandBy.primaryHost }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ .Values.primaryAsStandBy.primaryPort | quote }} + {{- end }} + {{- if or .Values.replication.enabled .Values.primaryAsStandBy.enabled }} + - name: POSTGRES_REPLICATION_MODE + {{- if .Values.primaryAsStandBy.enabled }} + value: "slave" + {{- else }} + value: "master" + {{- end }} + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + {{- if not (eq .Values.replication.synchronousCommit "off")}} + - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE + value: {{ .Values.replication.synchronousCommit | quote }} + - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS + value: {{ .Values.replication.numSynchronousReplicas | quote }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + {{- end }} + {{- if not (eq (include "postgresql.username" .) "postgres") }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-postgres-password + {{- end }} + {{- end }} + - name: POSTGRES_USER + value: {{ include "postgresql.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + {{- if (include "postgresql.database" .) }} + - name: POSTGRES_DB + value: {{ (include "postgresql.database" .) | quote }} + {{- end }} + {{- if .Values.extraEnv }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnv "context" $) | nindent 12 }} + {{- end }} + - name: POSTGRESQL_ENABLE_LDAP + value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }} + {{- if .Values.ldap.enabled }} + - name: POSTGRESQL_LDAP_SERVER + value: {{ .Values.ldap.server }} + - name: POSTGRESQL_LDAP_PORT + value: {{ .Values.ldap.port | quote }} + - name: POSTGRESQL_LDAP_SCHEME + value: {{ .Values.ldap.scheme }} + {{- if .Values.ldap.tls }} + - name: POSTGRESQL_LDAP_TLS + value: "1" + {{- end }} + - name: POSTGRESQL_LDAP_PREFIX + value: {{ .Values.ldap.prefix | quote }} + - name: POSTGRESQL_LDAP_SUFFIX + value: {{ .Values.ldap.suffix | quote }} + - name: POSTGRESQL_LDAP_BASE_DN + value: {{ .Values.ldap.baseDN }} + - name: POSTGRESQL_LDAP_BIND_DN + value: {{ .Values.ldap.bindDN }} + {{- if (not (empty .Values.ldap.bind_password)) }} + - name: POSTGRESQL_LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-ldap-password + {{- end}} + - name: POSTGRESQL_LDAP_SEARCH_ATTR + value: {{ .Values.ldap.search_attr }} + - name: POSTGRESQL_LDAP_SEARCH_FILTER + value: {{ .Values.ldap.search_filter }} + - name: POSTGRESQL_LDAP_URL + value: {{ .Values.ldap.url }} + {{- end}} + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ template "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ template "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ template "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ template "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.postgresqlMaxConnections }} + - name: POSTGRESQL_MAX_CONNECTIONS + value: {{ .Values.postgresqlMaxConnections | quote }} + {{- end }} + {{- if .Values.postgresqlPostgresConnectionLimit }} + - name: POSTGRESQL_POSTGRES_CONNECTION_LIMIT + value: {{ .Values.postgresqlPostgresConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlDbUserConnectionLimit }} + - name: POSTGRESQL_USERNAME_CONNECTION_LIMIT + value: {{ .Values.postgresqlDbUserConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesInterval }} + - name: POSTGRESQL_TCP_KEEPALIVES_INTERVAL + value: {{ .Values.postgresqlTcpKeepalivesInterval | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesIdle }} + - name: POSTGRESQL_TCP_KEEPALIVES_IDLE + value: {{ .Values.postgresqlTcpKeepalivesIdle | quote }} + {{- end }} + {{- if .Values.postgresqlStatementTimeout }} + - name: POSTGRESQL_STATEMENT_TIMEOUT + value: {{ .Values.postgresqlStatementTimeout | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesCount }} + - name: POSTGRESQL_TCP_KEEPALIVES_COUNT + value: {{ .Values.postgresqlTcpKeepalivesCount | quote }} + {{- end }} + {{- if .Values.postgresqlPghbaRemoveFilters }} + - name: POSTGRESQL_PGHBA_REMOVE_FILTERS + value: {{ .Values.postgresqlPghbaRemoveFilters | quote }} + {{- end }} + {{- if .Values.extraEnvVarsCM }} + envFrom: + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ template "postgresql.port" . }} + {{- if .Values.startupProbe.enabled }} + startupProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + {{- else if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d/ + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + mountPath: /docker-entrypoint-initdb.d/secret + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.primary.extraVolumeMounts }} + {{- toYaml .Values.primary.extraVolumeMounts | nindent 12 }} + {{- end }} +{{- if .Values.primary.sidecars }} +{{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} +{{- end }} +{{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "postgresql.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.securityContext.enabled }} + securityContext: {{- omit .Values.metrics.securityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }} + {{- $sslmode := ternary "require" "disable" .Values.tls.enabled }} + {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} + - name: DATA_SOURCE_NAME + value: {{ printf "host=127.0.0.1 port=%d user=%s sslmode=%s sslcert=%s sslkey=%s" (int (include "postgresql.port" .)) (include "postgresql.username" .) $sslmode (include "postgresql.tlsCert" .) (include "postgresql.tlsCertKey" .) }} + {{- else }} + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/%s?sslmode=%s" (int (include "postgresql.port" .)) $database $sslmode }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: DATA_SOURCE_PASS_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + - name: DATA_SOURCE_USER + value: {{ template "postgresql.username" . }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: / + port: http-metrics + initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: / + port: http-metrics + initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.metrics.customMetrics }} + - name: custom-metrics + mountPath: /conf + readOnly: true + args: ["--extend.query-path", "/conf/custom-metrics.yaml"] + {{- end }} + ports: + - name: http-metrics + containerPort: 9187 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} +{{- end }} + volumes: + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "postgresql.initdbScriptsCM" . }} + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + secret: + secretName: {{ template "postgresql.initdbScriptsSecret" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.primary.extraVolumes }} + {{- toYaml .Values.primary.extraVolumes | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} + - name: custom-metrics + configMap: + name: {{ template "postgresql.metricsCM" . }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + sizeLimit: 1Gi + {{- end }} +{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} + - name: data + persistentVolumeClaim: +{{- with .Values.persistence.existingClaim }} + claimName: {{ tpl . $ }} +{{- end }} +{{- else if not .Values.persistence.enabled }} + - name: data + emptyDir: {} +{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- if .Values.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} + {{- end -}} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc-headless.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc-headless.yaml new file mode 100644 index 000000000..6f5f3b9ee --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc-headless.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-headless + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + namespace: {{ .Release.Namespace }} +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ template "postgresql.port" . }} + targetPort: tcp-postgresql + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc-read.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc-read.yaml new file mode 100644 index 000000000..56195ea1e --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc-read.yaml @@ -0,0 +1,43 @@ +{{- if .Values.replication.enabled }} +{{- $serviceAnnotations := coalesce .Values.readReplicas.service.annotations .Values.service.annotations -}} +{{- $serviceType := coalesce .Values.readReplicas.service.type .Values.service.type -}} +{{- $serviceLoadBalancerIP := coalesce .Values.readReplicas.service.loadBalancerIP .Values.service.loadBalancerIP -}} +{{- $serviceLoadBalancerSourceRanges := coalesce .Values.readReplicas.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}} +{{- $serviceClusterIP := coalesce .Values.readReplicas.service.clusterIP .Values.service.clusterIP -}} +{{- $serviceNodePort := coalesce .Values.readReplicas.service.nodePort .Values.service.nodePort -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-read + labels: + {{- include "common.labels.standard" . | nindent 4 }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if $serviceAnnotations }} + {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ $serviceType }} + {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }} + loadBalancerIP: {{ $serviceLoadBalancerIP }} + {{- end }} + {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }} + clusterIP: {{ $serviceClusterIP }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.port" . }} + targetPort: tcp-postgresql + {{- if $serviceNodePort }} + nodePort: {{ $serviceNodePort }} + {{- end }} + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: read +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc.yaml new file mode 100644 index 000000000..a29431b6a --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/templates/svc.yaml @@ -0,0 +1,41 @@ +{{- $serviceAnnotations := coalesce .Values.primary.service.annotations .Values.service.annotations -}} +{{- $serviceType := coalesce .Values.primary.service.type .Values.service.type -}} +{{- $serviceLoadBalancerIP := coalesce .Values.primary.service.loadBalancerIP .Values.service.loadBalancerIP -}} +{{- $serviceLoadBalancerSourceRanges := coalesce .Values.primary.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}} +{{- $serviceClusterIP := coalesce .Values.primary.service.clusterIP .Values.service.clusterIP -}} +{{- $serviceNodePort := coalesce .Values.primary.service.nodePort .Values.service.nodePort -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if $serviceAnnotations }} + {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ $serviceType }} + {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }} + loadBalancerIP: {{ $serviceLoadBalancerIP }} + {{- end }} + {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }} + clusterIP: {{ $serviceClusterIP }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.port" . }} + targetPort: tcp-postgresql + {{- if $serviceNodePort }} + nodePort: {{ $serviceNodePort }} + {{- end }} + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: primary diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/values.schema.json b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/values.schema.json new file mode 100644 index 000000000..66a2a9dd0 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/values.schema.json @@ -0,0 +1,103 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "postgresqlUsername": { + "type": "string", + "title": "Admin user", + "form": true + }, + "postgresqlPassword": { + "type": "string", + "title": "Password", + "form": true + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi" + } + } + }, + "resources": { + "type": "object", + "title": "Required Resources", + "description": "Configure resource requests", + "form": true, + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string", + "form": true, + "render": "slider", + "title": "Memory Request", + "sliderMin": 10, + "sliderMax": 2048, + "sliderUnit": "Mi" + }, + "cpu": { + "type": "string", + "form": true, + "render": "slider", + "title": "CPU Request", + "sliderMin": 10, + "sliderMax": 2000, + "sliderUnit": "m" + } + } + } + } + }, + "replication": { + "type": "object", + "form": true, + "title": "Replication Details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Replication", + "form": true + }, + "readReplicas": { + "type": "integer", + "title": "read Replicas", + "form": true, + "hidden": { + "value": false, + "path": "replication/enabled" + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" + } + } + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Configure metrics exporter", + "form": true + } + } + } + } +} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/values.yaml new file mode 100644 index 000000000..82ce09234 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/charts/postgresql/values.yaml @@ -0,0 +1,824 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + postgresql: {} +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 11.11.0-debian-10-r71 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Set to true if you would like to see extra information on logs + ## It turns BASH and/or NAMI debugging in the image + ## + debug: false + +## String to partially override common.names.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override common.names.fullname template +## +# fullnameOverride: + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: "10" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Init container Security Context + ## Note: the chown of the data folder is done to securityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false + ## + securityContext: + runAsUser: 0 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + +## Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +containerSecurityContext: + enabled: true + runAsUser: 1001 + +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + enabled: false + ## Name of an already existing service account. Setting this value disables the automatic service account creation. + # name: + +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +psp: + create: false + +## Creates role for ServiceAccount +## Required for PSP +## +rbac: + create: false + +replication: + enabled: false + user: repl_user + password: repl_password + readReplicas: 1 + ## Set synchronous commit mode: on, off, remote_apply, remote_write and local + ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL + synchronousCommit: 'off' + ## From the number of `readReplicas` defined above, set the number of those that will have synchronous replication + ## NOTE: It cannot be > readReplicas + numSynchronousReplicas: 0 + ## Replication Cluster application name. Useful for defining multiple replication policies + ## + applicationName: my_application + +## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!) +# postgresqlPostgresPassword: + +## PostgreSQL user (has superuser privileges if username is `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +postgresqlUsername: postgres + +## PostgreSQL password +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +# postgresqlPassword: + +## PostgreSQL password using existing secret +## existingSecret: secret +## + +## Mount PostgreSQL secret as a file instead of passing environment variable +# usePasswordFile: false + +## Create a database +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## +# postgresqlDatabase: + +## PostgreSQL data dir +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlDataDir: /bitnami/postgresql/data + +## An array to add extra environment variables +## For example: +## extraEnv: +## - name: FOO +## value: "bar" +## +# extraEnv: +extraEnv: [] + +## Name of a ConfigMap containing extra env vars +## +# extraEnvVarsCM: + +## Specify extra initdb args +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbArgs: + +## Specify a custom location for the PostgreSQL transaction log +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbWalDir: + +## PostgreSQL configuration +## Specify runtime configuration parameters as a dict, using camelCase, e.g. +## {"sharedBuffers": "500MB"} +## Alternatively, you can put your postgresql.conf under the files/ directory +## ref: https://www.postgresql.org/docs/current/static/runtime-config.html +## +# postgresqlConfiguration: + +## PostgreSQL extended configuration +## As above, but _appended_ to the main configuration +## Alternatively, you can put your *.conf under the files/conf.d/ directory +## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf +## +# postgresqlExtendedConf: + +## Configure current cluster's primary server to be the standby server in other cluster. +## This will allow cross cluster replication and provide cross cluster high availability. +## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. +## +primaryAsStandBy: + enabled: false + # primaryHost: + # primaryPort: + +## PostgreSQL client authentication configuration +## Specify content for pg_hba.conf +## Default: do not create pg_hba.conf +## Alternatively, you can put your pg_hba.conf under the files/ directory +# pgHbaConfiguration: |- +# local all all trust +# host all all localhost trust +# host mydatabase mysuser 192.168.0.0/24 md5 + +## ConfigMap with PostgreSQL configuration +## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration +# configurationConfigMap: + +## ConfigMap with PostgreSQL extended configuration +# extendedConfConfigMap: + +## initdb scripts +## Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## +# initdbScripts: +# my_init_script.sh: | +# #!/bin/sh +# echo "Do something." + +## ConfigMap with scripts to be run at first boot +## NOTE: This will override initdbScripts +# initdbScriptsConfigMap: + +## Secret with scripts to be run at first boot (in case it contains sensitive information) +## NOTE: This can work along initdbScripts or initdbScriptsConfigMap +# initdbScriptsSecret: + +## Specify the PostgreSQL username and password to execute the initdb scripts +# initdbUser: +# initdbPassword: + +## Audit settings +## https://github.com/bitnami/bitnami-docker-postgresql#auditing +## +audit: + ## Log client hostnames + ## + logHostname: false + ## Log connections to the server + ## + logConnections: false + ## Log disconnections + ## + logDisconnections: false + ## Operation to audit using pgAudit (default if not set) + ## + pgAuditLog: "" + ## Log catalog using pgAudit + ## + pgAuditLogCatalog: "off" + ## Log level for clients + ## + clientMinMessages: error + ## Template for log line prefix (default if not set) + ## + logLinePrefix: "" + ## Log timezone + ## + logTimezone: "" + +## Shared preload libraries +## +postgresqlSharedPreloadLibraries: "pgaudit" + +## Maximum total connections +## +postgresqlMaxConnections: + +## Maximum connections for the postgres user +## +postgresqlPostgresConnectionLimit: + +## Maximum connections for the created user +## +postgresqlDbUserConnectionLimit: + +## TCP keepalives interval +## +postgresqlTcpKeepalivesInterval: + +## TCP keepalives idle +## +postgresqlTcpKeepalivesIdle: + +## TCP keepalives count +## +postgresqlTcpKeepalivesCount: + +## Statement timeout +## +postgresqlStatementTimeout: + +## Remove pg_hba.conf lines with the following comma-separated patterns +## (cannot be used with custom pg_hba.conf) +## +postgresqlPghbaRemoveFilters: + +## Optional duration in seconds the pod needs to terminate gracefully. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +# terminationGracePeriodSeconds: 30 + +## LDAP configuration +## +ldap: + enabled: false + url: '' + server: '' + port: '' + prefix: '' + suffix: '' + baseDN: '' + bindDN: '' + bind_password: + search_attr: '' + search_filter: '' + scheme: '' + tls: {} + +## PostgreSQL service configuration +## +service: + ## PosgresSQL service type + ## + type: ClusterIP + # clusterIP: None + port: 5432 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. Evaluated as a template. + ## + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + ## Load Balancer sources. Evaluated as a template. + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## Start primary and read(s) pod(s) without limitations on shm memory. +## By default docker and containerd (and possibly other container runtimes) +## limit `/dev/shm` to `64M` (see e.g. the +## [docker issue](https://github.com/docker-library/postgres/issues/416) and the +## [containerd issue](https://github.com/containerd/containerd/issues/3654), +## which could be not enough if PostgreSQL uses parallel workers heavily. +## +shmVolume: + ## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove + ## this limitation. + ## + enabled: true + ## Set to `true` to `chmod 777 /dev/shm` on a initContainer. + ## This option is ignored if `volumePermissions.enabled` is `false` + ## + chmod: + enabled: true + +## PostgreSQL data Persistent Volume Storage Class +## If defined, storageClassName: +## If set to "-", storageClassName: "", which disables dynamic provisioning +## If undefined (the default) or set to null, no storageClassName spec is +## set, choosing the default provisioner. (gp2 on AWS, standard on +## GKE, AWS & OpenStack) +## +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + # existingClaim: + + ## The path the volume will be mounted at, useful when using different + ## PostgreSQL images. + ## + mountPath: /bitnami/postgresql + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: '' + + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + ## selector can be used to match an existing PersistentVolume + ## selector: + ## matchLabels: + ## app: my-app + selector: {} + +## updateStrategy for PostgreSQL StatefulSet and its reads StatefulSets +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## +updateStrategy: + type: RollingUpdate + +## +## PostgreSQL Primary parameters +## +primary: + ## PostgreSQL Primary pod affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAffinityPreset: "" + + ## PostgreSQL Primary pod anti-affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAntiAffinityPreset: soft + + ## PostgreSQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + + ## Affinity for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + + ## Node labels for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: '' + ## Extra init containers + ## Example + ## + ## extraInitContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + extraInitContainers: [] + + ## Additional PostgreSQL primary Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL primary Volumes + ## + extraVolumes: [] + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + ## Override the service configuration for primary + ## + service: {} + # type: + # nodePort: + # clusterIP: + +## +## PostgreSQL read only replica parameters +## +readReplicas: + ## PostgreSQL read only pod affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAffinityPreset: "" + + ## PostgreSQL read only pod anti-affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAntiAffinityPreset: soft + + ## PostgreSQL read only node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + + ## Affinity for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: readReplicas.podAffinityPreset, readReplicas.podAntiAffinityPreset, and readReplicas.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + + ## Node labels for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: '' + + ## Extra init containers + ## Example + ## + ## extraInitContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + extraInitContainers: [] + + ## Additional PostgreSQL read replicas Volume mounts + ## + extraVolumeMounts: [] + + ## Additional PostgreSQL read replicas Volumes + ## + extraVolumes: [] + + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + ## Override the service configuration for read + ## + service: {} + # type: + # nodePort: + # clusterIP: + + ## Whether to enable PostgreSQL read replicas data Persistent + ## + persistence: + enabled: true + + # Override the resource configuration for read replicas + resources: {} + # requests: + # memory: 256Mi + # cpu: 250m + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 256Mi + cpu: 250m + +## Add annotations to all the deployed resources +## +commonAnnotations: {} + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port PostgreSQL is listening + ## on. When true, PostgreSQL will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + + ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace + ## and that match other criteria, the ones that have the good label, can reach the DB. + ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this + ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. + ## + ## Example: + ## explicitNamespacesSelector: + ## matchLabels: + ## role: frontend + ## matchExpressions: + ## - {key: role, operator: In, values: [frontend]} + ## + explicitNamespacesSelector: {} + +## Configure extra options for startup, liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes +## +startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 + +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Custom Startup probe +## +customStartupProbe: {} + +## Custom Liveness probe +## +customLivenessProbe: {} + +## Custom Rediness probe +## +customReadinessProbe: {} + +## +## TLS configuration +## +tls: + # Enable TLS traffic + enabled: false + # + # Whether to use the server's TLS cipher preferences rather than the client's. + preferServerCiphers: true + # + # Name of the Secret that contains the certificates + certificatesSecret: '' + # + # Certificate filename + certFilename: '' + # + # Certificate Key filename + certKeyFilename: '' + # + # CA Certificate filename + # If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + # ref: https://www.postgresql.org/docs/9.6/auth-methods.html + certCAFilename: + # + # File containing a Certificate Revocation List + crlFilename: + +## Configure metrics exporter +## +metrics: + enabled: false + # resources: {} + service: + type: ClusterIP + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '9187' + loadBalancerIP: + serviceMonitor: + enabled: false + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + enabled: false + additionalLabels: {} + namespace: '' + ## These are just examples rules, please adapt them to your needs. + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ template "common.names.fullname" . }}-metrics"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ template "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). + ## + rules: [] + + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.9.0-debian-10-r43 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + # customMetrics: + # pg_database: + # query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + # metrics: + # - name: + # usage: "LABEL" + # description: "Name of the database" + # - size_bytes: + # usage: "GAUGE" + # description: "Size of the database in bytes" + # + ## An array to add extra env vars to configure postgres-exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + # extraEnvVars: + # - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + # value: "true" + extraEnvVars: {} + + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: false + runAsUser: 1001 + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## Configure extra options for liveness and readiness probes + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Array with extra yaml to deploy with the chart. Evaluated as a template +## +extraDeploy: [] diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/access-tls-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/access-tls-values.yaml new file mode 100644 index 000000000..1a8c4698d --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/access-tls-values.yaml @@ -0,0 +1,24 @@ +databaseUpgradeReady: true +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" +access: + accessConfig: + security: + tls: true + resetAccessCAKeys: true diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/default-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/default-values.yaml new file mode 100644 index 000000000..fc3469399 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/default-values.yaml @@ -0,0 +1,21 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/derby-test-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/derby-test-values.yaml new file mode 100644 index 000000000..82ff48545 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/derby-test-values.yaml @@ -0,0 +1,19 @@ +databaseUpgradeReady: true + +postgresql: + enabled: false +artifactory: + podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/global-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/global-values.yaml new file mode 100644 index 000000000..33bbf04a2 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/global-values.yaml @@ -0,0 +1,247 @@ +databaseUpgradeReady: true +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + customInitContainersBegin: | + - name: "custom-init-begin-local" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - 'sh' + - '-c' + - echo "running in local" + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: artifactory-volume + customInitContainers: | + - name: "custom-init-local" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - 'sh' + - '-c' + - echo "running in local" + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: artifactory-volume + # Add custom volumes + customVolumes: | + - name: custom-script-local + emptyDir: + sizeLimit: 100Mi + # Add custom volumesMounts + customVolumeMounts: | + - name: custom-script-local + mountPath: "/scriptslocal" + # Add custom sidecar containers + customSidecarContainers: | + - name: "sidecar-list-local" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + command: ["sh","-c","echo 'Sidecar is running in local' >> /scriptslocal/sidecarlocal.txt; cat /scriptslocal/sidecarlocal.txt; while true; do sleep 30; done"] + volumeMounts: + - mountPath: "/scriptslocal" + name: custom-script-local + resources: + requests: + memory: "32Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "100m" + +global: + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + customInitContainersBegin: | + - name: "custom-init-begin-global" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - 'sh' + - '-c' + - echo "running in global" + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: artifactory-volume + customInitContainers: | + - name: "custom-init-global" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - 'sh' + - '-c' + - echo "running in global" + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: artifactory-volume + # Add custom volumes + customVolumes: | + - name: custom-script-global + emptyDir: + sizeLimit: 100Mi + # Add custom volumesMounts + customVolumeMounts: | + - name: custom-script-global + mountPath: "/scripts" + # Add custom sidecar containers + customSidecarContainers: | + - name: "sidecar-list-global" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + command: ["sh","-c","echo 'Sidecar is running in global' >> /scripts/sidecarglobal.txt; cat /scripts/sidecarglobal.txt; while true; do sleep 30; done"] + volumeMounts: + - mountPath: "/scripts" + name: custom-script-global + resources: + requests: + memory: "32Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "100m" + +nginx: + customInitContainers: | + - name: "custom-init-begin-nginx" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + command: + - 'sh' + - '-c' + - echo "running in nginx" + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: custom-script-local + customSidecarContainers: | + - name: "sidecar-list-nginx" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + command: ["sh","-c","echo 'Sidecar is running in local' >> /scriptslocal/sidecarlocal.txt; cat /scriptslocal/sidecarlocal.txt; while true; do sleep 30; done"] + volumeMounts: + - mountPath: "/scriptslocal" + name: custom-script-local + resources: + requests: + memory: "32Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "100m" + # Add custom volumes + customVolumes: | + - name: custom-script-local + emptyDir: + sizeLimit: 100Mi + + artifactoryConf: | + {{- if .Values.nginx.https.enabled }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; + ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; + ssl_session_cache shared:SSL:1m; + ssl_prefer_server_ciphers on; + {{- end }} + ## server configuration + server { + listen 8088; + {{- if .Values.nginx.internalPortHttps }} + listen {{ .Values.nginx.internalPortHttps }} ssl; + {{- else -}} + {{- if .Values.nginx.https.enabled }} + listen {{ .Values.nginx.https.internalPort }} ssl; + {{- end }} + {{- end }} + {{- if .Values.nginx.internalPortHttp }} + listen {{ .Values.nginx.internalPortHttp }}; + {{- else -}} + {{- if .Values.nginx.http.enabled }} + listen {{ .Values.nginx.http.internalPort }}; + {{- end }} + {{- end }} + server_name ~(?.+)\.{{ include "artifactory.fullname" . }} {{ include "artifactory.fullname" . }} + {{- range .Values.ingress.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ . }} + {{- end -}} + {{- end -}}; + + if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; + } + ## Application specific logs + ## access_log /var/log/nginx/artifactory-access.log timing; + ## error_log /var/log/nginx/artifactory-error.log; + rewrite ^/artifactory/?$ / redirect; + if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; + } + chunked_transfer_encoding on; + client_max_body_size 0; + + location / { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + proxy_pass {{ include "artifactory.scheme" . }}://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalPort }}/; + {{- if .Values.nginx.service.ssloffload}} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; + {{- else }} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; + proxy_set_header X-Forwarded-Port $server_port; + {{- end }} + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + location /artifactory/ { + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass {{ include "artifactory.scheme" . }}://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; + } + proxy_pass {{ include "artifactory.scheme" . }}://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; + } + } + } + + ## A list of custom ports to expose on the NGINX pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: + - containerPort: 8088 + name: http2 + service: + ## A list of custom ports to expose through the Ingress controller service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: + - port: 8088 + targetPort: 8088 + protocol: TCP + name: http2 diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/large-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/large-values.yaml new file mode 100644 index 000000000..94a485d6f --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/large-values.yaml @@ -0,0 +1,82 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + persistence: + enabled: false + database: + maxOpenConnections: 150 + tomcat: + connector: + maxThreads: 300 + resources: + requests: + memory: "6Gi" + cpu: "2" + limits: + memory: "10Gi" + cpu: "8" + javaOpts: + xms: "8g" + xmx: "10g" +access: + database: + maxOpenConnections: 150 + tomcat: + connector: + maxThreads: 100 +router: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +frontend: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +metadata: + database: + maxOpenConnections: 150 + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +event: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +jfconnect: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +observability: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/loggers-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/loggers-values.yaml new file mode 100644 index 000000000..03c94be95 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/loggers-values.yaml @@ -0,0 +1,43 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + + loggers: + - access-audit.log + - access-request.log + - access-security-audit.log + - access-service.log + - artifactory-access.log + - artifactory-event.log + - artifactory-import-export.log + - artifactory-request.log + - artifactory-service.log + - frontend-request.log + - frontend-service.log + - metadata-request.log + - metadata-service.log + - router-request.log + - router-service.log + - router-traefik.log + + catalinaLoggers: + - tomcat-catalina.log + - tomcat-localhost.log diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/medium-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/medium-values.yaml new file mode 100644 index 000000000..35044dc36 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/medium-values.yaml @@ -0,0 +1,82 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + persistence: + enabled: false + database: + maxOpenConnections: 100 + tomcat: + connector: + maxThreads: 200 + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "8Gi" + cpu: "6" + javaOpts: + xms: "6g" + xmx: "8g" +access: + database: + maxOpenConnections: 100 + tomcat: + connector: + maxThreads: 50 +router: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +frontend: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +metadata: + database: + maxOpenConnections: 100 + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +event: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +jfconnect: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" +observability: + resources: + requests: + memory: "200Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/migration-disabled-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/migration-disabled-values.yaml new file mode 100644 index 000000000..092756fb6 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/migration-disabled-values.yaml @@ -0,0 +1,21 @@ +databaseUpgradeReady: true +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + migration: + enabled: false + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/nginx-autoreload-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/nginx-autoreload-values.yaml new file mode 100644 index 000000000..09616c5bf --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/nginx-autoreload-values.yaml @@ -0,0 +1,42 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + +nginx: + customVolumes: | + - name: scripts + configMap: + name: {{ template "artifactory.fullname" . }}-nginx-scripts + defaultMode: 0550 + customVolumeMounts: | + - name: scripts + mountPath: /var/opt/jfrog/nginx/scripts/ + customCommand: + - /bin/sh + - -c + - | + # watch for configmap changes + /sbin/inotifyd /var/opt/jfrog/nginx/scripts/configreloader.sh {{ .Values.nginx.persistence.mountPath -}}/conf.d:n & + {{ if .Values.nginx.https.enabled -}} + # watch for tls secret changes + /sbin/inotifyd /var/opt/jfrog/nginx/scripts/configreloader.sh {{ .Values.nginx.persistence.mountPath -}}/ssl:n & + {{ end -}} + nginx -g 'daemon off;' diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/rtsplit-values-access-tls-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/rtsplit-values-access-tls-values.yaml new file mode 100644 index 000000000..a38969a8f --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/rtsplit-values-access-tls-values.yaml @@ -0,0 +1,96 @@ +databaseUpgradeReady: true +artifactory: + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + +access: + accessConfig: + security: + tls: true + resetAccessCAKeys: true + +postgresql: + postgresqlPassword: password + postgresqlExtendedConf: + maxConnections: 102 + persistence: + enabled: false + +rbac: + create: true +serviceAccount: + create: true + automountServiceAccountToken: true + +ingress: + enabled: true + className: "testclass" + hosts: + - demonow.xyz +nginx: + enabled: false +jfconnect: + enabled: true + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +mc: + enabled: true +splitServicesToContainers: true + +router: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +frontend: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +metadata: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +event: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +observability: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/rtsplit-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/rtsplit-values.yaml new file mode 100644 index 000000000..057ae9bf3 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/rtsplit-values.yaml @@ -0,0 +1,151 @@ +databaseUpgradeReady: true +artifactory: + replicaCount: 1 + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + + # Add lifecycle hooks for artifactory container + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the artifactory postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the artifactory postStart handler >> /tmp/message"] + +postgresql: + postgresqlPassword: password + postgresqlExtendedConf: + maxConnections: 100 + persistence: + enabled: false + +rbac: + create: true +serviceAccount: + create: true + automountServiceAccountToken: true + +ingress: + enabled: true + className: "testclass" + hosts: + - demonow.xyz +nginx: + enabled: false +jfconnect: + enabled: true + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + # Add lifecycle hooks for jfconect container + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the jfconnect postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the jfconnect postStart handler >> /tmp/message"] + + +mc: + enabled: true +splitServicesToContainers: true + +router: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + # Add lifecycle hooks for router container + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the router postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the router postStart handler >> /tmp/message"] + +frontend: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + # Add lifecycle hooks for frontend container + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the frontend postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the frontend postStart handler >> /tmp/message"] + +metadata: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the metadata postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the metadata postStart handler >> /tmp/message"] + +event: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the event postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the event postStart handler >> /tmp/message"] + +observability: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "echo Hello from the observability postStart handler >> /tmp/message"] + preStop: + exec: + command: ["/bin/sh", "-c", "echo Hello from the observability postStart handler >> /tmp/message"] diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/small-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/small-values.yaml new file mode 100644 index 000000000..cd594e59e --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/small-values.yaml @@ -0,0 +1,85 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + persistence: + enabled: false + database: + maxOpenConnections: 80 + tomcat: + connector: + maxThreads: 200 + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "6g" +access: + database: + maxOpenConnections: 80 + tomcat: + connector: + maxThreads: 50 +router: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +frontend: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +metadata: + database: + maxOpenConnections: 80 + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +event: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +jfconnect: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" +observability: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + +rtfs: + enabled: true diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/test-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/test-values.yaml new file mode 100644 index 000000000..d2beb0eff --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/ci/test-values.yaml @@ -0,0 +1,84 @@ +databaseUpgradeReady: true +artifactory: + replicaCount: 3 + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + unifiedSecretInstallation: false + metrics: + enabled: true + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + statefulset: + annotations: + artifactory: test + +postgresql: + postgresqlPassword: password + postgresqlExtendedConf: + maxConnections: 100 + persistence: + enabled: false + +rbac: + create: true +serviceAccount: + create: true + automountServiceAccountToken: true + +ingress: + enabled: true + className: "testclass" + hosts: + - demonow.xyz +nginx: + enabled: false + +jfconnect: + enabled: false + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 70 + +## filebeat sidecar +filebeat: + enabled: true + filebeatYml: | + logging.level: info + path.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat + name: artifactory-filebeat + queue.spool: + file: + permissions: 0760 + filebeat.inputs: + - type: log + enabled: true + close_eof: ${CLOSE:false} + paths: + - {{ .Values.artifactory.persistence.mountPath }}/log/*.log + fields: + service: "jfrt" + log_type: "artifactory" + output.file: + path: "/tmp/filebeat" + filename: filebeat + readinessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + curl --fail 127.0.0.1:5066 diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/binarystore.xml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/binarystore.xml new file mode 100644 index 000000000..8d71072e2 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/binarystore.xml @@ -0,0 +1,429 @@ +{{- if eq .Values.artifactory.persistence.type "nfs" -}} + + {{- if (.Values.artifactory.persistence.maxCacheSize) }} + + + + + + {{- else }} + + + + {{- end }} + + {{- if .Values.artifactory.persistence.maxCacheSize }} + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + {{- end }} + + + {{ .Values.artifactory.persistence.nfs.dataDir }}/filestore + + +{{- end }} +{{- if eq .Values.artifactory.persistence.type "file-system" -}} + + + + {{- if .Values.artifactory.persistence.fileSystem.cache.enabled }} + + {{- end }} + + {{- if .Values.artifactory.persistence.fileSystem.cache.enabled }} + + {{- end }} + + + {{- if .Values.artifactory.persistence.fileSystem.cache.enabled }} + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + {{- end }} + +{{- end }} +{{- if eq .Values.artifactory.persistence.type "cluster-file-system" -}} + + + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + {{ .Values.artifactory.persistence.lenientLimit }} + 2 + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + + + + shard-fs-1 + local + + + + + 30 + tester-remote1 + 10000 + remote + + + +{{- end }} +{{- if or (eq .Values.artifactory.persistence.type "google-storage") (eq .Values.artifactory.persistence.type "google-storage-v2") (eq .Values.artifactory.persistence.type "cluster-google-storage-v2") (eq .Values.artifactory.persistence.type "google-storage-v2-direct") }} + + + {{- if or (eq .Values.artifactory.persistence.type "google-storage") (eq .Values.artifactory.persistence.type "google-storage-v2") }} + + + + + + + + + + {{- else if eq .Values.artifactory.persistence.type "cluster-google-storage-v2" }} + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + {{ .Values.artifactory.persistence.lenientLimit }} + 2 + + + + + + + + + + + {{- else if eq .Values.artifactory.persistence.type "google-storage-v2-direct" }} + + + + + + {{- end }} + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + + {{- if eq .Values.artifactory.persistence.type "cluster-google-storage-v2" }} + + local + + + + 30 + 10000 + remote + + {{- end }} + + + {{- if .Values.artifactory.persistence.googleStorage.useInstanceCredentials }} + true + {{- else }} + false + {{- end }} + {{ .Values.artifactory.persistence.googleStorage.enableSignedUrlRedirect }} + google-cloud-storage + {{ .Values.artifactory.persistence.googleStorage.endpoint }} + {{ .Values.artifactory.persistence.googleStorage.httpsOnly }} + {{ .Values.artifactory.persistence.googleStorage.bucketName }} + {{ .Values.artifactory.persistence.googleStorage.path }} + {{ .Values.artifactory.persistence.googleStorage.bucketExists }} + {{- if .Values.artifactory.persistence.googleStorage.signedUrlExpirySeconds }} + {{ .Values.artifactory.persistence.googleStorage.signedUrlExpirySeconds | int64 }} + {{- end }} + + +{{- end }} +{{- if or (eq .Values.artifactory.persistence.type "aws-s3-v3") (eq .Values.artifactory.persistence.type "s3-storage-v3-direct") (eq .Values.artifactory.persistence.type "cluster-s3-storage-v3") (eq .Values.artifactory.persistence.type "s3-storage-v3-archive") }} + + + {{- if eq .Values.artifactory.persistence.type "aws-s3-v3" }} + + + + + + + + + + {{- else if eq .Values.artifactory.persistence.type "s3-storage-v3-direct" }} + + + + + + {{- else if eq .Values.artifactory.persistence.type "cluster-s3-storage-v3" }} + + + + + + + + + + + + + {{- else if eq .Values.artifactory.persistence.type "s3-storage-v3-archive" }} + + + + + + + {{- end }} + + {{- if or (eq .Values.artifactory.persistence.type "aws-s3-v3") (eq .Values.artifactory.persistence.type "s3-storage-v3-direct") (eq .Values.artifactory.persistence.type "cluster-s3-storage-v3") }} + + + {{ .Values.artifactory.persistence.maxCacheSize | int64}} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + {{- end }} + + {{- if eq .Values.artifactory.persistence.type "cluster-s3-storage-v3" }} + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + {{ .Values.artifactory.persistence.lenientLimit }} + + + + + remote + + + + local + + {{- end }} + + {{- with .Values.artifactory.persistence.awsS3V3 }} + + {{ .testConnection }} + {{- if .identity }} + {{ .identity }} + {{- end }} + {{- if .credential }} + {{ .credential }} + {{- end }} + {{ .region }} + {{ .bucketName }} + {{ .path }} + {{ .endpoint }} + {{- with .port }} + {{ . }} + {{- end }} + {{- with .useHttp }} + {{ . }} + {{- end }} + {{- with .maxConnections }} + {{ . }} + {{- end }} + {{- with .connectionTimeout }} + {{ . }} + {{- end }} + {{- with .socketTimeout }} + {{ . }} + {{- end }} + {{- with .kmsServerSideEncryptionKeyId }} + {{ . }} + {{- end }} + {{- with .kmsKeyRegion }} + {{ . }} + {{- end }} + {{- with .kmsCryptoMode }} + {{ . }} + {{- end }} + {{- if .useInstanceCredentials }} + true + {{- else }} + false + {{- end }} + {{ .usePresigning }} + {{ .signatureExpirySeconds }} + {{ .signedUrlExpirySeconds }} + {{- with .cloudFrontDomainName }} + {{ . }} + {{- end }} + {{- with .cloudFrontKeyPairId }} + {{ . }} + {{- end }} + {{- with .cloudFrontPrivateKey }} + {{ . }} + {{- end }} + {{- with .enableSignedUrlRedirect }} + {{ . }} + {{- end }} + {{- with .enablePathStyleAccess }} + {{ . }} + {{- end }} + {{- with .multiPartLimit }} + {{ . | int64 }} + {{- end }} + {{- with .multipartElementSize }} + {{ . | int64 }} + {{- end }} + + {{- end }} + +{{- end }} + +{{- if or (eq .Values.artifactory.persistence.type "azure-blob") (eq .Values.artifactory.persistence.type "azure-blob-storage-direct") (eq .Values.artifactory.persistence.type "cluster-azure-blob-storage") }} + + + {{- if or (eq .Values.artifactory.persistence.type "azure-blob") }} + + + + + + + + + + {{- else if eq .Values.artifactory.persistence.type "azure-blob-storage-direct" }} + + + + + + {{- else if eq .Values.artifactory.persistence.type "cluster-azure-blob-storage" }} + + + + + + + + + + + + + {{- end }} + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + + {{- if eq .Values.artifactory.persistence.type "cluster-azure-blob-storage" }} + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + {{ .Values.artifactory.persistence.lenientLimit }} + + + + remote + + + local + + {{- end }} + + + {{ .Values.artifactory.persistence.azureBlob.accountName }} + {{ .Values.artifactory.persistence.azureBlob.accountKey }} + {{ .Values.artifactory.persistence.azureBlob.endpoint }} + {{ .Values.artifactory.persistence.azureBlob.containerName }} + {{ .Values.artifactory.persistence.azureBlob.multiPartLimit | int64 }} + {{ .Values.artifactory.persistence.azureBlob.multipartElementSize | int64 }} + {{ .Values.artifactory.persistence.azureBlob.testConnection }} + + +{{- end }} +{{- if eq .Values.artifactory.persistence.type "azure-blob-storage-v2-direct" -}} + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + + {{ .Values.artifactory.persistence.azureBlob.accountName }} + {{ .Values.artifactory.persistence.azureBlob.accountKey }} + {{ .Values.artifactory.persistence.azureBlob.endpoint }} + {{ .Values.artifactory.persistence.azureBlob.containerName }} + {{ .Values.artifactory.persistence.azureBlob.multiPartLimit | int64 }} + {{ .Values.artifactory.persistence.azureBlob.multipartElementSize | int64 }} + {{ .Values.artifactory.persistence.azureBlob.testConnection }} + + +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/installer-info.json b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/installer-info.json new file mode 100644 index 000000000..79f42ed16 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/installer-info.json @@ -0,0 +1,32 @@ +{ + "productId": "Helm_artifactory/{{ .Chart.Version }}", + "features": [ + { + "featureId": "Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}" + }, + { + "featureId": "Database/{{ .Values.database.type }}" + }, + { + "featureId": "PostgreSQL_Enabled/{{ .Values.postgresql.enabled }}" + }, + { + "featureId": "Nginx_Enabled/{{ .Values.nginx.enabled }}" + }, + { + "featureId": "ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}" + }, + { + "featureId": "SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}" + }, + { + "featureId": "UnifiedSecretInstallation_Enabled/{{ .Values.artifactory.unifiedSecretInstallation }}" + }, + { + "featureId": "Filebeat_Enabled/{{ .Values.filebeat.enabled }}" + }, + { + "featureId": "ReplicaCount/{{ .Values.artifactory.replicaCount }}" + } + ] +} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/migrate.sh b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/migrate.sh new file mode 100644 index 000000000..ba44160f4 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/migrate.sh @@ -0,0 +1,4311 @@ +#!/bin/bash + +# Flags +FLAG_Y="y" +FLAG_N="n" +FLAGS_Y_N="$FLAG_Y $FLAG_N" +FLAG_NOT_APPLICABLE="_NA_" + +CURRENT_VERSION=$1 + +WRAPPER_SCRIPT_TYPE_RPMDEB="RPMDEB" +WRAPPER_SCRIPT_TYPE_DOCKER_COMPOSE="DOCKERCOMPOSE" + +SENSITIVE_KEY_VALUE="__sensitive_key_hidden___" + +# Shared system keys +SYS_KEY_SHARED_JFROGURL="shared.jfrogUrl" +SYS_KEY_SHARED_SECURITY_JOINKEY="shared.security.joinKey" +SYS_KEY_SHARED_SECURITY_MASTERKEY="shared.security.masterKey" + +SYS_KEY_SHARED_NODE_ID="shared.node.id" +SYS_KEY_SHARED_JAVAHOME="shared.javaHome" + +SYS_KEY_SHARED_DATABASE_TYPE="shared.database.type" +SYS_KEY_SHARED_DATABASE_TYPE_VALUE_POSTGRES="postgresql" +SYS_KEY_SHARED_DATABASE_DRIVER="shared.database.driver" +SYS_KEY_SHARED_DATABASE_URL="shared.database.url" +SYS_KEY_SHARED_DATABASE_USERNAME="shared.database.username" +SYS_KEY_SHARED_DATABASE_PASSWORD="shared.database.password" + +SYS_KEY_SHARED_ELASTICSEARCH_URL="shared.elasticsearch.url" +SYS_KEY_SHARED_ELASTICSEARCH_USERNAME="shared.elasticsearch.username" +SYS_KEY_SHARED_ELASTICSEARCH_PASSWORD="shared.elasticsearch.password" +SYS_KEY_SHARED_ELASTICSEARCH_CLUSTERSETUP="shared.elasticsearch.clusterSetup" +SYS_KEY_SHARED_ELASTICSEARCH_UNICASTFILE="shared.elasticsearch.unicastFile" +SYS_KEY_SHARED_ELASTICSEARCH_CLUSTERSETUP_VALUE="YES" + +# Define this in product specific script. Should contain the path to unitcast file +# File used by insight server to write cluster active nodes info. This will be read by elasticsearch +#SYS_KEY_SHARED_ELASTICSEARCH_UNICASTFILE_VALUE="" + +SYS_KEY_RABBITMQ_ACTIVE_NODE_NAME="shared.rabbitMq.active.node.name" +SYS_KEY_RABBITMQ_ACTIVE_NODE_IP="shared.rabbitMq.active.node.ip" + +# Filenames +FILE_NAME_SYSTEM_YAML="system.yaml" +FILE_NAME_JOIN_KEY="join.key" +FILE_NAME_MASTER_KEY="master.key" +FILE_NAME_INSTALLER_YAML="installer.yaml" + +# Global constants used in business logic +NODE_TYPE_STANDALONE="standalone" +NODE_TYPE_CLUSTER_NODE="node" +NODE_TYPE_DATABASE="database" + +# External(isable) databases +DATABASE_POSTGRES="POSTGRES" +DATABASE_ELASTICSEARCH="ELASTICSEARCH" +DATABASE_RABBITMQ="RABBITMQ" + +POSTGRES_LABEL="PostgreSQL" +ELASTICSEARCH_LABEL="Elasticsearch" +RABBITMQ_LABEL="Rabbitmq" + +ARTIFACTORY_LABEL="Artifactory" +JFMC_LABEL="Mission Control" +DISTRIBUTION_LABEL="Distribution" +XRAY_LABEL="Xray" + +POSTGRES_CONTAINER="postgres" +ELASTICSEARCH_CONTAINER="elasticsearch" +RABBITMQ_CONTAINER="rabbitmq" +REDIS_CONTAINER="redis" + +#Adding a small timeout before a read ensures it is positioned correctly in the screen +read_timeout=0.5 + +# Options related to data directory location +PROMPT_DATA_DIR_LOCATION="Installation Directory" +KEY_DATA_DIR_LOCATION="installer.data_dir" + +SYS_KEY_SHARED_NODE_HAENABLED="shared.node.haEnabled" +PROMPT_ADD_TO_CLUSTER="Are you adding an additional node to an existing product cluster?" +KEY_ADD_TO_CLUSTER="installer.ha" +VALID_VALUES_ADD_TO_CLUSTER="$FLAGS_Y_N" + +MESSAGE_POSTGRES_INSTALL="The installer can install a $POSTGRES_LABEL database, or you can connect to an existing compatible $POSTGRES_LABEL database\n(compatible databases: https://www.jfrog.com/confluence/display/JFROG/System+Requirements#SystemRequirements-RequirementsMatrix)" +PROMPT_POSTGRES_INSTALL="Do you want to install $POSTGRES_LABEL?" +KEY_POSTGRES_INSTALL="installer.install_postgresql" +VALID_VALUES_POSTGRES_INSTALL="$FLAGS_Y_N" + +# Postgres connection details +RPM_DEB_POSTGRES_HOME_DEFAULT="/var/opt/jfrog/postgres" +RPM_DEB_MESSAGE_STANDALONE_POSTGRES_DATA="$POSTGRES_LABEL home will have data and its configuration" +RPM_DEB_PROMPT_STANDALONE_POSTGRES_DATA="Type desired $POSTGRES_LABEL home location" +RPM_DEB_KEY_STANDALONE_POSTGRES_DATA="installer.postgresql.home" + +MESSAGE_DATABASE_URL="Provide the database connection details" +PROMPT_DATABASE_URL(){ + local databaseURlExample= + case "$PRODUCT_NAME" in + $ARTIFACTORY_LABEL) + databaseURlExample="jdbc:postgresql://:/artifactory" + ;; + $JFMC_LABEL) + databaseURlExample="postgresql://:/mission_control?sslmode=disable" + ;; + $DISTRIBUTION_LABEL) + databaseURlExample="jdbc:postgresql://:/distribution?sslmode=disable" + ;; + $XRAY_LABEL) + databaseURlExample="postgres://:/xraydb?sslmode=disable" + ;; + esac + if [ -z "$databaseURlExample" ]; then + echo -n "$POSTGRES_LABEL URL" # For consistency with username and password + return + fi + echo -n "$POSTGRES_LABEL url. Example: [$databaseURlExample]" +} +REGEX_DATABASE_URL(){ + local databaseURlExample= + case "$PRODUCT_NAME" in + $ARTIFACTORY_LABEL) + databaseURlExample="jdbc:postgresql://.*/artifactory.*" + ;; + $JFMC_LABEL) + databaseURlExample="postgresql://.*/mission_control.*" + ;; + $DISTRIBUTION_LABEL) + databaseURlExample="jdbc:postgresql://.*/distribution.*" + ;; + $XRAY_LABEL) + databaseURlExample="postgres://.*/xraydb.*" + ;; + esac + echo -n "^$databaseURlExample\$" +} +ERROR_MESSAGE_DATABASE_URL="Invalid $POSTGRES_LABEL URL" +KEY_DATABASE_URL="$SYS_KEY_SHARED_DATABASE_URL" +#NOTE: It is important to display the label. Since the message may be hidden if URL is known +PROMPT_DATABASE_USERNAME="$POSTGRES_LABEL username" +KEY_DATABASE_USERNAME="$SYS_KEY_SHARED_DATABASE_USERNAME" +#NOTE: It is important to display the label. Since the message may be hidden if URL is known +PROMPT_DATABASE_PASSWORD="$POSTGRES_LABEL password" +KEY_DATABASE_PASSWORD="$SYS_KEY_SHARED_DATABASE_PASSWORD" +IS_SENSITIVE_DATABASE_PASSWORD="$FLAG_Y" + +MESSAGE_STANDALONE_ELASTICSEARCH_INSTALL="The installer can install a $ELASTICSEARCH_LABEL database or you can connect to an existing compatible $ELASTICSEARCH_LABEL database" +PROMPT_STANDALONE_ELASTICSEARCH_INSTALL="Do you want to install $ELASTICSEARCH_LABEL?" +KEY_STANDALONE_ELASTICSEARCH_INSTALL="installer.install_elasticsearch" +VALID_VALUES_STANDALONE_ELASTICSEARCH_INSTALL="$FLAGS_Y_N" + +# Elasticsearch connection details +MESSAGE_ELASTICSEARCH_DETAILS="Provide the $ELASTICSEARCH_LABEL connection details" +PROMPT_ELASTICSEARCH_URL="$ELASTICSEARCH_LABEL URL" +KEY_ELASTICSEARCH_URL="$SYS_KEY_SHARED_ELASTICSEARCH_URL" + +PROMPT_ELASTICSEARCH_USERNAME="$ELASTICSEARCH_LABEL username" +KEY_ELASTICSEARCH_USERNAME="$SYS_KEY_SHARED_ELASTICSEARCH_USERNAME" + +PROMPT_ELASTICSEARCH_PASSWORD="$ELASTICSEARCH_LABEL password" +KEY_ELASTICSEARCH_PASSWORD="$SYS_KEY_SHARED_ELASTICSEARCH_PASSWORD" +IS_SENSITIVE_ELASTICSEARCH_PASSWORD="$FLAG_Y" + +# Cluster related questions +MESSAGE_CLUSTER_MASTER_KEY="Provide the cluster's master key. It can be found in the data directory of the first node under /etc/security/master.key" +PROMPT_CLUSTER_MASTER_KEY="Master Key" +KEY_CLUSTER_MASTER_KEY="$SYS_KEY_SHARED_SECURITY_MASTERKEY" +IS_SENSITIVE_CLUSTER_MASTER_KEY="$FLAG_Y" + +MESSAGE_JOIN_KEY="The Join key is the secret key used to establish trust between services in the JFrog Platform.\n(You can copy the Join Key from Admin > User Management > Settings)" +PROMPT_JOIN_KEY="Join Key" +KEY_JOIN_KEY="$SYS_KEY_SHARED_SECURITY_JOINKEY" +IS_SENSITIVE_JOIN_KEY="$FLAG_Y" +REGEX_JOIN_KEY="^[a-zA-Z0-9]{16,}\$" +ERROR_MESSAGE_JOIN_KEY="Invalid Join Key" + +# Rabbitmq related cluster information +MESSAGE_RABBITMQ_ACTIVE_NODE_NAME="Provide an active ${RABBITMQ_LABEL} node name. Run the command [ hostname -s ] on any of the existing nodes in the product cluster to get this" +PROMPT_RABBITMQ_ACTIVE_NODE_NAME="${RABBITMQ_LABEL} active node name" +KEY_RABBITMQ_ACTIVE_NODE_NAME="$SYS_KEY_RABBITMQ_ACTIVE_NODE_NAME" + +# Rabbitmq related cluster information (necessary only for docker-compose) +PROMPT_RABBITMQ_ACTIVE_NODE_IP="${RABBITMQ_LABEL} active node ip" +KEY_RABBITMQ_ACTIVE_NODE_IP="$SYS_KEY_RABBITMQ_ACTIVE_NODE_IP" + +MESSAGE_JFROGURL(){ + echo -e "The JFrog URL allows ${PRODUCT_NAME} to connect to a JFrog Platform Instance.\n(You can copy the JFrog URL from Administration > User Management > Settings > Connection details)" +} +PROMPT_JFROGURL="JFrog URL" +KEY_JFROGURL="$SYS_KEY_SHARED_JFROGURL" +REGEX_JFROGURL="^https?://.*:{0,}[0-9]{0,4}\$" +ERROR_MESSAGE_JFROGURL="Invalid JFrog URL" + + +# Set this to FLAG_Y on upgrade +IS_UPGRADE="${FLAG_N}" + +# This belongs in JFMC but is the ONLY one that needs it so keeping it here for now. Can be made into a method and overridden if necessary +MESSAGE_MULTIPLE_PG_SCHEME="Please setup $POSTGRES_LABEL with schema as described in https://www.jfrog.com/confluence/display/JFROG/Installing+Mission+Control" + +_getMethodOutputOrVariableValue() { + unset EFFECTIVE_MESSAGE + local keyToSearch=$1 + local effectiveMessage= + local result="0" + # logSilly "Searching for method: [$keyToSearch]" + LC_ALL=C type "$keyToSearch" > /dev/null 2>&1 || result="$?" + if [[ "$result" == "0" ]]; then + # logSilly "Found method for [$keyToSearch]" + EFFECTIVE_MESSAGE="$($keyToSearch)" + return + fi + eval EFFECTIVE_MESSAGE=\${$keyToSearch} + if [ ! -z "$EFFECTIVE_MESSAGE" ]; then + return + fi + # logSilly "Didn't find method or variable for [$keyToSearch]" +} + + +# REF https://misc.flogisoft.com/bash/tip_colors_and_formatting +cClear="\e[0m" +cBlue="\e[38;5;69m" +cRedDull="\e[1;31m" +cYellow="\e[1;33m" +cRedBright="\e[38;5;197m" +cBold="\e[1m" + + +_loggerGetModeRaw() { + local MODE="$1" + case $MODE in + INFO) + printf "" + ;; + DEBUG) + printf "%s" "[${MODE}] " + ;; + WARN) + printf "${cRedDull}%s%s${cClear}" "[" "${MODE}" "] " + ;; + ERROR) + printf "${cRedBright}%s%s${cClear}" "[" "${MODE}" "] " + ;; + esac +} + + +_loggerGetMode() { + local MODE="$1" + case $MODE in + INFO) + printf "${cBlue}%s%-5s%s${cClear}" "[" "${MODE}" "]" + ;; + DEBUG) + printf "%-7s" "[${MODE}]" + ;; + WARN) + printf "${cRedDull}%s%-5s%s${cClear}" "[" "${MODE}" "]" + ;; + ERROR) + printf "${cRedBright}%s%-5s%s${cClear}" "[" "${MODE}" "]" + ;; + esac +} + +# Capitalises the first letter of the message +_loggerGetMessage() { + local originalMessage="$*" + local firstChar=$(echo "${originalMessage:0:1}" | awk '{ print toupper($0) }') + local resetOfMessage="${originalMessage:1}" + echo "$firstChar$resetOfMessage" +} + +# The spec also says content should be left-trimmed but this is not necessary in our case. We don't reach the limit. +_loggerGetStackTrace() { + printf "%s%-30s%s" "[" "$1:$2" "]" +} + +_loggerGetThread() { + printf "%s" "[main]" +} + +_loggerGetServiceType() { + printf "%s%-5s%s" "[" "shell" "]" +} + +#Trace ID is not applicable to scripts +_loggerGetTraceID() { + printf "%s" "[]" +} + +logRaw() { + echo "" + printf "$1" + echo "" +} + +logBold(){ + echo "" + printf "${cBold}$1${cClear}" + echo "" +} + +# The date binary works differently based on whether it is GNU/BSD +is_date_supported=0 +date --version > /dev/null 2>&1 || is_date_supported=1 +IS_GNU=$(echo $is_date_supported) + +_loggerGetTimestamp() { + if [ "${IS_GNU}" == "0" ]; then + echo -n $(date -u +%FT%T.%3NZ) + else + echo -n $(date -u +%FT%T.000Z) + fi +} + +# https://www.shellscript.sh/tips/spinner/ +_spin() +{ + spinner="/|\\-/|\\-" + while : + do + for i in `seq 0 7` + do + echo -n "${spinner:$i:1}" + echo -en "\010" + sleep 1 + done + done +} + +showSpinner() { + # Start the Spinner: + _spin & + # Make a note of its Process ID (PID): + SPIN_PID=$! + # Kill the spinner on any signal, including our own exit. + trap "kill -9 $SPIN_PID" `seq 0 15` &> /dev/null || return 0 +} + +stopSpinner() { + local occurrences=$(ps -ef | grep -wc "${SPIN_PID}") + let "occurrences+=0" + # validate that it is present (2 since this search itself will show up in the results) + if [ $occurrences -gt 1 ]; then + kill -9 $SPIN_PID &>/dev/null || return 0 + wait $SPIN_ID &>/dev/null + fi +} + +_getEffectiveMessage(){ + local MESSAGE="$1" + local MODE=${2-"INFO"} + + if [ -z "$CONTEXT" ]; then + CONTEXT=$(caller) + fi + + _EFFECTIVE_MESSAGE= + if [ -z "$LOG_BEHAVIOR_ADD_META" ]; then + _EFFECTIVE_MESSAGE="$(_loggerGetModeRaw $MODE)$(_loggerGetMessage $MESSAGE)" + else + local SERVICE_TYPE="script" + local TRACE_ID="" + local THREAD="main" + + local CONTEXT_LINE=$(echo "$CONTEXT" | awk '{print $1}') + local CONTEXT_FILE=$(echo "$CONTEXT" | awk -F"/" '{print $NF}') + + _EFFECTIVE_MESSAGE="$(_loggerGetTimestamp) $(_loggerGetServiceType) $(_loggerGetMode $MODE) $(_loggerGetTraceID) $(_loggerGetStackTrace $CONTEXT_FILE $CONTEXT_LINE) $(_loggerGetThread) - $(_loggerGetMessage $MESSAGE)" + fi + CONTEXT= +} + +# Important - don't call any log method from this method. Will become an infinite loop. Use echo to debug +_logToFile() { + local MODE=${1-"INFO"} + local targetFile="$LOG_BEHAVIOR_ADD_REDIRECTION" + # IF the file isn't passed, abort + if [ -z "$targetFile" ]; then + return + fi + # IF this is not being run in verbose mode and mode is debug or lower, abort + if [ "${VERBOSE_MODE}" != "$FLAG_Y" ] && [ "${VERBOSE_MODE}" != "true" ] && [ "${VERBOSE_MODE}" != "debug" ]; then + if [ "$MODE" == "DEBUG" ] || [ "$MODE" == "SILLY" ]; then + return + fi + fi + + # Create the file if it doesn't exist + if [ ! -f "${targetFile}" ]; then + return + # touch $targetFile > /dev/null 2>&1 || true + fi + # # Make it readable + # chmod 640 $targetFile > /dev/null 2>&1 || true + + # Log contents + printf "%s\n" "$_EFFECTIVE_MESSAGE" >> "$targetFile" || true +} + +logger() { + if [ "$LOG_BEHAVIOR_ADD_NEW_LINE" == "$FLAG_Y" ]; then + echo "" + fi + _getEffectiveMessage "$@" + local MODE=${2-"INFO"} + printf "%s\n" "$_EFFECTIVE_MESSAGE" + _logToFile "$MODE" +} + +logDebug(){ + VERBOSE_MODE=${VERBOSE_MODE-"false"} + CONTEXT=$(caller) + if [ "${VERBOSE_MODE}" == "$FLAG_Y" ] || [ "${VERBOSE_MODE}" == "true" ] || [ "${VERBOSE_MODE}" == "debug" ];then + logger "$1" "DEBUG" + else + logger "$1" "DEBUG" >&6 + fi + CONTEXT= +} + +logSilly(){ + VERBOSE_MODE=${VERBOSE_MODE-"false"} + CONTEXT=$(caller) + if [ "${VERBOSE_MODE}" == "silly" ];then + logger "$1" "DEBUG" + else + logger "$1" "DEBUG" >&6 + fi + CONTEXT= +} + +logError() { + CONTEXT=$(caller) + logger "$1" "ERROR" + CONTEXT= +} + +errorExit () { + CONTEXT=$(caller) + logger "$1" "ERROR" + CONTEXT= + exit 1 +} + +warn () { + CONTEXT=$(caller) + logger "$1" "WARN" + CONTEXT= +} + +note () { + CONTEXT=$(caller) + logger "$1" "NOTE" + CONTEXT= +} + +bannerStart() { + title=$1 + echo + echo -e "\033[1m${title}\033[0m" + echo +} + +bannerSection() { + title=$1 + echo + echo -e "******************************** ${title} ********************************" + echo +} + +bannerSubSection() { + title=$1 + echo + echo -e "************** ${title} *******************" + echo +} + +bannerMessge() { + title=$1 + echo + echo -e "********************************" + echo -e "${title}" + echo -e "********************************" + echo +} + +setRed () { + local input="$1" + echo -e \\033[31m${input}\\033[0m +} +setGreen () { + local input="$1" + echo -e \\033[32m${input}\\033[0m +} +setYellow () { + local input="$1" + echo -e \\033[33m${input}\\033[0m +} + +logger_addLinebreak () { + echo -e "---\n" +} + +bannerImportant() { + title=$1 + local bold="\033[1m" + local noColour="\033[0m" + echo + echo -e "${bold}######################################## IMPORTANT ########################################${noColour}" + echo -e "${bold}${title}${noColour}" + echo -e "${bold}###########################################################################################${noColour}" + echo +} + +bannerEnd() { + #TODO pass a title and calculate length dynamically so that start and end look alike + echo + echo "*****************************************************************************" + echo +} + +banner() { + title=$1 + content=$2 + bannerStart "${title}" + echo -e "$content" +} + +# The logic below helps us redirect content we'd normally hide to the log file. + # + # We have several commands which clutter the console with output and so use + # `cmd > /dev/null` - this redirects the command's output to null. + # + # However, the information we just hid maybe useful for support. Using the code pattern + # `cmd >&6` (instead of `cmd> >/dev/null` ), the command's output is hidden from the console + # but redirected to the installation log file + # + +#Default value of 6 is just null +exec 6>>/dev/null +redirectLogsToFile() { + echo "" + # local file=$1 + + # [ ! -z "${file}" ] || return 0 + + # local logDir=$(dirname "$file") + + # if [ ! -f "${file}" ]; then + # [ -d "${logDir}" ] || mkdir -p ${logDir} || \ + # ( echo "WARNING : Could not create parent directory (${logDir}) to redirect console log : ${file}" ; return 0 ) + # fi + + # #6 now points to the log file + # exec 6>>${file} + # #reference https://unix.stackexchange.com/questions/145651/using-exec-and-tee-to-redirect-logs-to-stdout-and-a-log-file-in-the-same-time + # exec 2>&1 > >(tee -a "${file}") +} + +# Check if a give key contains any sensitive string as part of it +# Based on the result, the caller can decide its value can be displayed or not +# Sample usage : isKeySensitive "${key}" && displayValue="******" || displayValue=${value} +isKeySensitive(){ + local key=$1 + local sensitiveKeys="password|secret|key|token" + + if [ -z "${key}" ]; then + return 1 + else + local lowercaseKey=$(echo "${key}" | tr '[:upper:]' '[:lower:]' 2>/dev/null) + [[ "${lowercaseKey}" =~ ${sensitiveKeys} ]] && return 0 || return 1 + fi +} + +getPrintableValueOfKey(){ + local displayValue= + local key="$1" + if [ -z "$key" ]; then + # This is actually an incorrect usage of this method but any logging will cause unexpected content in the caller + echo -n "" + return + fi + + local value="$2" + isKeySensitive "${key}" && displayValue="$SENSITIVE_KEY_VALUE" || displayValue="${value}" + echo -n $displayValue +} + +_createConsoleLog(){ + if [ -z "${JF_PRODUCT_HOME}" ]; then + return + fi + local targetFile="${JF_PRODUCT_HOME}/var/log/console.log" + mkdir -p "${JF_PRODUCT_HOME}/var/log" || true + if [ ! -f ${targetFile} ]; then + touch $targetFile > /dev/null 2>&1 || true + fi + chmod 640 $targetFile > /dev/null 2>&1 || true +} + +# Output from application's logs are piped to this method. It checks a configuration variable to determine if content should be logged to +# the common console.log file +redirectServiceLogsToFile() { + + local result="0" + # check if the function getSystemValue exists + LC_ALL=C type getSystemValue > /dev/null 2>&1 || result="$?" + if [[ "$result" != "0" ]]; then + warn "Couldn't find the systemYamlHelper. Skipping log redirection" + return 0 + fi + + getSystemValue "shared.consoleLog" "NOT_SET" + if [[ "${YAML_VALUE}" == "false" ]]; then + logger "Redirection is set to false. Skipping log redirection" + return 0; + fi + + if [ -z "${JF_PRODUCT_HOME}" ] || [ "${JF_PRODUCT_HOME}" == "" ]; then + warn "JF_PRODUCT_HOME is unavailable. Skipping log redirection" + return 0 + fi + + local targetFile="${JF_PRODUCT_HOME}/var/log/console.log" + + _createConsoleLog + + while read -r line; do + printf '%s\n' "${line}" >> $targetFile || return 0 # Don't want to log anything - might clutter the screen + done +} + +## Display environment variables starting with JF_ along with its value +## Value of sensitive keys will be displayed as "******" +## +## Sample Display : +## +## ======================== +## JF Environment variables +## ======================== +## +## JF_SHARED_NODE_ID : locahost +## JF_SHARED_JOINKEY : ****** +## +## +displayEnv() { + local JFEnv=$(printenv | grep ^JF_ 2>/dev/null) + local key= + local value= + + if [ -z "${JFEnv}" ]; then + return + fi + + cat << ENV_START_MESSAGE + +======================== +JF Environment variables +======================== +ENV_START_MESSAGE + + for entry in ${JFEnv}; do + key=$(echo "${entry}" | awk -F'=' '{print $1}') + value=$(echo "${entry}" | awk -F'=' '{print $2}') + + isKeySensitive "${key}" && value="******" || value=${value} + + printf "\n%-35s%s" "${key}" " : ${value}" + done + echo; +} + +_addLogRotateConfiguration() { + logDebug "Method ${FUNCNAME[0]}" + # mandatory inputs + local confFile="$1" + local logFile="$2" + + # Method available in _ioOperations.sh + LC_ALL=C type io_setYQPath > /dev/null 2>&1 || return 1 + + io_setYQPath + + # Method available in _systemYamlHelper.sh + LC_ALL=C type getSystemValue > /dev/null 2>&1 || return 1 + + local frequency="daily" + local archiveFolder="archived" + + local compressLogFiles= + getSystemValue "shared.logging.rotation.compress" "true" + if [[ "${YAML_VALUE}" == "true" ]]; then + compressLogFiles="compress" + fi + + getSystemValue "shared.logging.rotation.maxFiles" "10" + local noOfBackupFiles="${YAML_VALUE}" + + getSystemValue "shared.logging.rotation.maxSizeMb" "25" + local sizeOfFile="${YAML_VALUE}M" + + logDebug "Adding logrotate configuration for [$logFile] to [$confFile]" + + # Add configuration to file + local confContent=$(cat << LOGROTATECONF +$logFile { + $frequency + missingok + rotate $noOfBackupFiles + $compressLogFiles + notifempty + olddir $archiveFolder + dateext + extension .log + dateformat -%Y-%m-%d + size ${sizeOfFile} +} +LOGROTATECONF +) + echo "${confContent}" > ${confFile} || return 1 +} + +_operationIsBySameUser() { + local targetUser="$1" + local currentUserID=$(id -u) + local currentUserName=$(id -un) + + if [ $currentUserID == $targetUser ] || [ $currentUserName == $targetUser ]; then + echo -n "yes" + else + echo -n "no" + fi +} + +_addCronJobForLogrotate() { + logDebug "Method ${FUNCNAME[0]}" + + # Abort if logrotate is not available + [ "$(io_commandExists 'crontab')" != "yes" ] && warn "cron is not available" && return 1 + + # mandatory inputs + local productHome="$1" + local confFile="$2" + local cronJobOwner="$3" + + # We want to use our binary if possible. It may be more recent than the one in the OS + local logrotateBinary="$productHome/app/third-party/logrotate/logrotate" + + if [ ! -f "$logrotateBinary" ]; then + logrotateBinary="logrotate" + [ "$(io_commandExists 'logrotate')" != "yes" ] && warn "logrotate is not available" && return 1 + fi + local cmd="$logrotateBinary ${confFile} --state $productHome/var/etc/logrotate/logrotate-state" #--verbose + + id -u $cronJobOwner > /dev/null 2>&1 || { warn "User $cronJobOwner does not exist. Aborting logrotate configuration" && return 1; } + + # Remove the existing line + removeLogRotation "$productHome" "$cronJobOwner" || true + + # Run logrotate daily at 23:55 hours + local cronInterval="55 23 * * * $cmd" + + local standaloneMode=$(_operationIsBySameUser "$cronJobOwner") + + # If this is standalone mode, we cannot use -u - the user running this process may not have the necessary privileges + if [ "$standaloneMode" == "no" ]; then + (crontab -l -u $cronJobOwner 2>/dev/null; echo "$cronInterval") | crontab -u $cronJobOwner - + else + (crontab -l 2>/dev/null; echo "$cronInterval") | crontab - + fi +} + +## Configure logrotate for a product +## Failure conditions: +## If logrotation could not be setup for some reason +## Parameters: +## $1: The product name +## $2: The product home +## Depends on global: none +## Updates global: none +## Returns: NA + +configureLogRotation() { + logDebug "Method ${FUNCNAME[0]}" + + # mandatory inputs + local productName="$1" + if [ -z $productName ]; then + warn "Incorrect usage. A product name is necessary for configuring log rotation" && return 1 + fi + + local productHome="$2" + if [ -z $productHome ]; then + warn "Incorrect usage. A product home folder is necessary for configuring log rotation" && return 1 + fi + + local logFile="${productHome}/var/log/console.log" + if [[ $(uname) == "Darwin" ]]; then + logger "Log rotation for [$logFile] has not been configured. Please setup manually" + return 0 + fi + + local userID="$3" + if [ -z $userID ]; then + warn "Incorrect usage. A userID is necessary for configuring log rotation" && return 1 + fi + + local groupID=${4:-$userID} + local logConfigOwner=${5:-$userID} + + logDebug "Configuring log rotation as user [$userID], group [$groupID], effective cron User [$logConfigOwner]" + + local errorMessage="Could not configure logrotate. Please configure log rotation of the file: [$logFile] manually" + + local confFile="${productHome}/var/etc/logrotate/logrotate.conf" + + # TODO move to recursive method + createDir "${productHome}" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + createDir "${productHome}/var" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + createDir "${productHome}/var/log" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + createDir "${productHome}/var/log/archived" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + + # TODO move to recursive method + createDir "${productHome}/var/etc" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + createDir "${productHome}/var/etc/logrotate" "$logConfigOwner" || { warn "${errorMessage}" && return 1; } + + # conf file should be owned by the user running the script + createFile "${confFile}" "${logConfigOwner}" || { warn "Could not create configuration file [$confFile]" return 1; } + + _addLogRotateConfiguration "${confFile}" "${logFile}" "$userID" "$groupID" || { warn "${errorMessage}" && return 1; } + _addCronJobForLogrotate "${productHome}" "${confFile}" "${logConfigOwner}" || { warn "${errorMessage}" && return 1; } +} + +_pauseExecution() { + if [ "${VERBOSE_MODE}" == "debug" ]; then + + local breakPoint="$1" + if [ ! -z "$breakPoint" ]; then + printf "${cBlue}Breakpoint${cClear} [$breakPoint] " + echo "" + fi + printf "${cBlue}Press enter once you are ready to continue${cClear}" + read -s choice + echo "" + fi +} + +# removeLogRotation "$productHome" "$cronJobOwner" || true +removeLogRotation() { + logDebug "Method ${FUNCNAME[0]}" + if [[ $(uname) == "Darwin" ]]; then + logDebug "Not implemented for Darwin." + return 0 + fi + local productHome="$1" + local cronJobOwner="$2" + local standaloneMode=$(_operationIsBySameUser "$cronJobOwner") + + local confFile="${productHome}/var/etc/logrotate/logrotate.conf" + + if [ "$standaloneMode" == "no" ]; then + crontab -l -u $cronJobOwner 2>/dev/null | grep -v "$confFile" | crontab -u $cronJobOwner - + else + crontab -l 2>/dev/null | grep -v "$confFile" | crontab - + fi +} + +# NOTE: This method does not check the configuration to see if redirection is necessary. +# This is intentional. If we don't redirect, tomcat logs might get redirected to a folder/file +# that does not exist, causing the service itself to not start +setupTomcatRedirection() { + logDebug "Method ${FUNCNAME[0]}" + local consoleLog="${JF_PRODUCT_HOME}/var/log/console.log" + _createConsoleLog + export CATALINA_OUT="${consoleLog}" +} + +setupScriptLogsRedirection() { + logDebug "Method ${FUNCNAME[0]}" + if [ -z "${JF_PRODUCT_HOME}" ]; then + logDebug "No JF_PRODUCT_HOME. Returning" + return + fi + # Create the console.log file if it is not already present + # _createConsoleLog || true + # # Ensure any logs (logger/logError/warn) also get redirected to the console.log + # # Using installer.log as a temparory fix. Please change this to console.log once INST-291 is fixed + export LOG_BEHAVIOR_ADD_REDIRECTION="${JF_PRODUCT_HOME}/var/log/console.log" + export LOG_BEHAVIOR_ADD_META="$FLAG_Y" +} + +# Returns Y if this method is run inside a container +isRunningInsideAContainer() { + local check1=$(grep -sq 'docker\|kubepods' /proc/1/cgroup; echo $?) + local check2=$(grep -sq 'containers' /proc/self/mountinfo; echo $?) + if [[ $check1 == 0 || $check2 == 0 || -f "/.dockerenv" ]]; then + echo -n "$FLAG_Y" + else + echo -n "$FLAG_N" + fi +} + +POSTGRES_USER=999 +NGINX_USER=104 +NGINX_GROUP=107 +ES_USER=1000 +REDIS_USER=999 +MONGO_USER=999 +RABBITMQ_USER=999 +LOG_FILE_PERMISSION=640 +PID_FILE_PERMISSION=644 + +# Copy file +copyFile(){ + local source=$1 + local target=$2 + local mode=${3:-overwrite} + local enableVerbose=${4:-"${FLAG_N}"} + local verboseFlag="" + + if [ ! -z "${enableVerbose}" ] && [ "${enableVerbose}" == "${FLAG_Y}" ]; then + verboseFlag="-v" + fi + + if [[ ! ( $source && $target ) ]]; then + warn "Source and target is mandatory to copy file" + return 1 + fi + + if [[ -f "${target}" ]]; then + [[ "$mode" = "overwrite" ]] && ( cp ${verboseFlag} -f "$source" "$target" || errorExit "Unable to copy file, command : cp -f ${source} ${target}") || true + else + cp ${verboseFlag} -f "$source" "$target" || errorExit "Unable to copy file, command : cp -f ${source} ${target}" + fi +} + +# Copy files recursively from given source directory to destination directory +# This method wil copy but will NOT overwrite +# Destination will be created if its not available +copyFilesNoOverwrite(){ + local src=$1 + local dest=$2 + local enableVerboseCopy="${3:-${FLAG_Y}}" + + if [[ -z "${src}" || -z "${dest}" ]]; then + return + fi + + if [ -d "${src}" ] && [ "$(ls -A ${src})" ]; then + local relativeFilePath="" + local targetFilePath="" + + for file in $(find ${src} -type f 2>/dev/null) ; do + # Derive relative path and attach it to destination + # Example : + # src=/extra_config + # dest=/var/opt/jfrog/artifactory/etc + # file=/extra_config/config.xml + # relativeFilePath=config.xml + # targetFilePath=/var/opt/jfrog/artifactory/etc/config.xml + relativeFilePath=${file/${src}/} + targetFilePath=${dest}${relativeFilePath} + + createDir "$(dirname "$targetFilePath")" + copyFile "${file}" "${targetFilePath}" "no_overwrite" "${enableVerboseCopy}" + done + fi +} + +# TODO : WINDOWS ? +# Check the max open files and open processes set on the system +checkULimits () { + local minMaxOpenFiles=${1:-32000} + local minMaxOpenProcesses=${2:-1024} + local setValue=${3:-true} + local warningMsgForFiles=${4} + local warningMsgForProcesses=${5} + + logger "Checking open files and processes limits" + + local currentMaxOpenFiles=$(ulimit -n) + logger "Current max open files is $currentMaxOpenFiles" + if [ ${currentMaxOpenFiles} != "unlimited" ] && [ "$currentMaxOpenFiles" -lt "$minMaxOpenFiles" ]; then + if [ "${setValue}" ]; then + ulimit -n "${minMaxOpenFiles}" >/dev/null 2>&1 || warn "Max number of open files $currentMaxOpenFiles is low!" + [ -z "${warningMsgForFiles}" ] || warn "${warningMsgForFiles}" + else + errorExit "Max number of open files $currentMaxOpenFiles, is too low. Cannot run the application!" + fi + fi + + local currentMaxOpenProcesses=$(ulimit -u) + logger "Current max open processes is $currentMaxOpenProcesses" + if [ "$currentMaxOpenProcesses" != "unlimited" ] && [ "$currentMaxOpenProcesses" -lt "$minMaxOpenProcesses" ]; then + if [ "${setValue}" ]; then + ulimit -u "${minMaxOpenProcesses}" >/dev/null 2>&1 || warn "Max number of open files $currentMaxOpenFiles is low!" + [ -z "${warningMsgForProcesses}" ] || warn "${warningMsgForProcesses}" + else + errorExit "Max number of open files $currentMaxOpenProcesses, is too low. Cannot run the application!" + fi + fi +} + +createDirs() { + local appDataDir=$1 + local serviceName=$2 + local folders="backup bootstrap data etc logs work" + + [ -z "${appDataDir}" ] && errorExit "An application directory is mandatory to create its data structure" || true + [ -z "${serviceName}" ] && errorExit "A service name is mandatory to create service data structure" || true + + for folder in ${folders} + do + folder=${appDataDir}/${folder}/${serviceName} + if [ ! -d "${folder}" ]; then + logger "Creating folder : ${folder}" + mkdir -p "${folder}" || errorExit "Failed to create ${folder}" + fi + done +} + + +testReadWritePermissions () { + local dir_to_check=$1 + local error=false + + [ -d ${dir_to_check} ] || errorExit "'${dir_to_check}' is not a directory" + + local test_file=${dir_to_check}/test-permissions + + # Write file + if echo test > ${test_file} 1> /dev/null 2>&1; then + # Write succeeded. Testing read... + if cat ${test_file} > /dev/null; then + rm -f ${test_file} + else + error=true + fi + else + error=true + fi + + if [ ${error} == true ]; then + return 1 + else + return 0 + fi +} + +# Test directory has read/write permissions for current user +testDirectoryPermissions () { + local dir_to_check=$1 + local error=false + + [ -d ${dir_to_check} ] || errorExit "'${dir_to_check}' is not a directory" + + local u_id=$(id -u) + local id_str="id ${u_id}" + + logger "Testing directory ${dir_to_check} has read/write permissions for user ${id_str}" + + if ! testReadWritePermissions ${dir_to_check}; then + error=true + fi + + if [ "${error}" == true ]; then + local stat_data=$(stat -Lc "Directory: %n, permissions: %a, owner: %U, group: %G" ${dir_to_check}) + logger "###########################################################" + logger "${dir_to_check} DOES NOT have proper permissions for user ${id_str}" + logger "${stat_data}" + logger "Mounted directory must have read/write permissions for user ${id_str}" + logger "###########################################################" + errorExit "Directory ${dir_to_check} has bad permissions for user ${id_str}" + fi + logger "Permissions for ${dir_to_check} are good" +} + +# Utility method to create a directory path recursively with chown feature as +# Failure conditions: +## Exits if unable to create a directory +# Parameters: +## $1: Root directory from where the path can be created +## $2: List of recursive child directories separated by space +## $3: user who should own the directory. Optional +## $4: group who should own the directory. Optional +# Depends on global: none +# Updates global: none +# Returns: NA +# +# Usage: +# createRecursiveDir "/opt/jfrog/product/var" "bootstrap tomcat lib" "user_name" "group_name" +createRecursiveDir(){ + local rootDir=$1 + local pathDirs=$2 + local user=$3 + local group=${4:-${user}} + local fullPath= + + [ ! -z "${rootDir}" ] || return 0 + + createDir "${rootDir}" "${user}" "${group}" + + [ ! -z "${pathDirs}" ] || return 0 + + fullPath=${rootDir} + + for dir in ${pathDirs}; do + fullPath=${fullPath}/${dir} + createDir "${fullPath}" "${user}" "${group}" + done +} + +# Utility method to create a directory +# Failure conditions: +## Exits if unable to create a directory +# Parameters: +## $1: directory to create +## $2: user who should own the directory. Optional +## $3: group who should own the directory. Optional +# Depends on global: none +# Updates global: none +# Returns: NA + +createDir(){ + local dirName="$1" + local printMessage=no + logSilly "Method ${FUNCNAME[0]} invoked with [$dirName]" + [ -z "${dirName}" ] && return + + logDebug "Attempting to create ${dirName}" + mkdir -p "${dirName}" || errorExit "Unable to create directory: [${dirName}]" + local userID="$2" + local groupID=${3:-$userID} + + # If UID/GID is passed, chown the folder + if [ ! -z "$userID" ] && [ ! -z "$groupID" ]; then + # Earlier, this line would have returned 1 if it failed. Now it just warns. + # This is intentional. Earlier, this line would NOT be reached if the folder already existed. + # Since it will always come to this line and the script may be running as a non-root user, this method will just warn if + # setting permissions fails (so as to not affect any existing flows) + io_setOwnershipNonRecursive "$dirName" "$userID" "$groupID" || warn "Could not set owner of [$dirName] to [$userID:$groupID]" + fi + # logging message to print created dir with user and group + local logMessage=${4:-$printMessage} + if [[ "${logMessage}" == "yes" ]]; then + logger "Successfully created directory [${dirName}]. Owner: [${userID}:${groupID}]" + fi +} + +removeSoftLinkAndCreateDir () { + local dirName="$1" + local userID="$2" + local groupID="$3" + local logMessage="$4" + removeSoftLink "${dirName}" + createDir "${dirName}" "${userID}" "${groupID}" "${logMessage}" +} + +# Utility method to remove a soft link +removeSoftLink () { + local dirName="$1" + if [[ -L "${dirName}" ]]; then + targetLink=$(readlink -f "${dirName}") + logger "Removing the symlink [${dirName}] pointing to [${targetLink}]" + rm -f "${dirName}" + fi +} + +# Check Directory exist in the path +checkDirExists () { + local directoryPath="$1" + + [[ -d "${directoryPath}" ]] && echo -n "true" || echo -n "false" +} + + +# Utility method to create a file +# Failure conditions: +# Parameters: +## $1: file to create +# Depends on global: none +# Updates global: none +# Returns: NA + +createFile(){ + local fileName="$1" + logSilly "Method ${FUNCNAME[0]} [$fileName]" + [ -f "${fileName}" ] && return 0 + touch "${fileName}" || return 1 + + local userID="$2" + local groupID=${3:-$userID} + + # If UID/GID is passed, chown the folder + if [ ! -z "$userID" ] && [ ! -z "$groupID" ]; then + io_setOwnership "$fileName" "$userID" "$groupID" || return 1 + fi +} + +# Check File exist in the filePath +# IMPORTANT- DON'T ADD LOGGING to this method +checkFileExists () { + local filePath="$1" + + [[ -f "${filePath}" ]] && echo -n "true" || echo -n "false" +} + +# Check for directories contains any (files or sub directories) +# IMPORTANT- DON'T ADD LOGGING to this method +checkDirContents () { + local directoryPath="$1" + if [[ "$(ls -1 "${directoryPath}" | wc -l)" -gt 0 ]]; then + echo -n "true" + else + echo -n "false" + fi +} + +# Check contents exist in directory +# IMPORTANT- DON'T ADD LOGGING to this method +checkContentExists () { + local source="$1" + + if [[ "$(checkDirContents "${source}")" != "true" ]]; then + echo -n "false" + else + echo -n "true" + fi +} + +# Resolve the variable +# IMPORTANT- DON'T ADD LOGGING to this method +evalVariable () { + local output="$1" + local input="$2" + + eval "${output}"=\${"${input}"} + eval echo \${"${output}"} +} + +# Usage: if [ "$(io_commandExists 'curl')" == "yes" ] +# IMPORTANT- DON'T ADD LOGGING to this method +io_commandExists() { + local commandToExecute="$1" + hash "${commandToExecute}" 2>/dev/null + local rt=$? + if [ "$rt" == 0 ]; then echo -n "yes"; else echo -n "no"; fi +} + +# Usage: if [ "$(io_curlExists)" != "yes" ] +# IMPORTANT- DON'T ADD LOGGING to this method +io_curlExists() { + io_commandExists "curl" +} + + +io_hasMatch() { + logSilly "Method ${FUNCNAME[0]}" + local result=0 + logDebug "Executing [echo \"$1\" | grep \"$2\" >/dev/null 2>&1]" + echo "$1" | grep "$2" >/dev/null 2>&1 || result=1 + return $result +} + +# Utility method to check if the string passed (usually a connection url) corresponds to this machine itself +# Failure conditions: None +# Parameters: +## $1: string to check against +# Depends on global: none +# Updates global: IS_LOCALHOST with value "yes/no" +# Returns: NA + +io_getIsLocalhost() { + logSilly "Method ${FUNCNAME[0]}" + IS_LOCALHOST="$FLAG_N" + local inputString="$1" + logDebug "Parsing [$inputString] to check if we are dealing with this machine itself" + + io_hasMatch "$inputString" "localhost" && { + logDebug "Found localhost. Returning [$FLAG_Y]" + IS_LOCALHOST="$FLAG_Y" && return; + } || logDebug "Did not find match for localhost" + + local hostIP=$(io_getPublicHostIP) + io_hasMatch "$inputString" "$hostIP" && { + logDebug "Found $hostIP. Returning [$FLAG_Y]" + IS_LOCALHOST="$FLAG_Y" && return; + } || logDebug "Did not find match for $hostIP" + + local hostID=$(io_getPublicHostID) + io_hasMatch "$inputString" "$hostID" && { + logDebug "Found $hostID. Returning [$FLAG_Y]" + IS_LOCALHOST="$FLAG_Y" && return; + } || logDebug "Did not find match for $hostID" + + local hostName=$(io_getPublicHostName) + io_hasMatch "$inputString" "$hostName" && { + logDebug "Found $hostName. Returning [$FLAG_Y]" + IS_LOCALHOST="$FLAG_Y" && return; + } || logDebug "Did not find match for $hostName" + +} + +# Usage: if [ "$(io_tarExists)" != "yes" ] +# IMPORTANT- DON'T ADD LOGGING to this method +io_tarExists() { + io_commandExists "tar" +} + +# IMPORTANT- DON'T ADD LOGGING to this method +io_getPublicHostIP() { + local OS_TYPE=$(uname) + local publicHostIP= + if [ "${OS_TYPE}" == "Darwin" ]; then + ipStatus=$(ifconfig en0 | grep "status" | awk '{print$2}') + if [ "${ipStatus}" == "active" ]; then + publicHostIP=$(ifconfig en0 | grep inet | grep -v inet6 | awk '{print $2}') + else + errorExit "Host IP could not be resolved!" + fi + elif [ "${OS_TYPE}" == "Linux" ]; then + publicHostIP=$(hostname -i 2>/dev/null || echo "127.0.0.1") + fi + publicHostIP=$(echo "${publicHostIP}" | awk '{print $1}') + echo -n "${publicHostIP}" +} + +# Will return the short host name (up to the first dot) +# IMPORTANT- DON'T ADD LOGGING to this method +io_getPublicHostName() { + echo -n "$(hostname -s)" +} + +# Will return the full host name (use this as much as possible) +# IMPORTANT- DON'T ADD LOGGING to this method +io_getPublicHostID() { + echo -n "$(hostname)" +} + +# Utility method to backup a file +# Failure conditions: NA +# Parameters: filePath +# Depends on global: none, +# Updates global: none +# Returns: NA +io_backupFile() { + logSilly "Method ${FUNCNAME[0]}" + fileName="$1" + if [ ! -f "${filePath}" ]; then + logDebug "No file: [${filePath}] to backup" + return + fi + dateTime=$(date +"%Y-%m-%d-%H-%M-%S") + targetFileName="${fileName}.backup.${dateTime}" + yes | \cp -f "$fileName" "${targetFileName}" + logger "File [${fileName}] backedup as [${targetFileName}]" +} + +# Reference https://stackoverflow.com/questions/4023830/how-to-compare-two-strings-in-dot-separated-version-format-in-bash/4025065#4025065 +is_number() { + case "$BASH_VERSION" in + 3.1.*) + PATTERN='\^\[0-9\]+\$' + ;; + *) + PATTERN='^[0-9]+$' + ;; + esac + + [[ "$1" =~ $PATTERN ]] +} + +io_compareVersions() { + if [[ $# != 2 ]] + then + echo "Usage: min_version current minimum" + return + fi + + A="${1%%.*}" + B="${2%%.*}" + + if [[ "$A" != "$1" && "$B" != "$2" && "$A" == "$B" ]] + then + io_compareVersions "${1#*.}" "${2#*.}" + else + if is_number "$A" && is_number "$B" + then + if [[ "$A" -eq "$B" ]]; then + echo "0" + elif [[ "$A" -gt "$B" ]]; then + echo "1" + elif [[ "$A" -lt "$B" ]]; then + echo "-1" + fi + fi + fi +} + +# Reference https://stackoverflow.com/questions/369758/how-to-trim-whitespace-from-a-bash-variable +# Strip all leading and trailing spaces +# IMPORTANT- DON'T ADD LOGGING to this method +io_trim() { + local var="$1" + # remove leading whitespace characters + var="${var#"${var%%[![:space:]]*}"}" + # remove trailing whitespace characters + var="${var%"${var##*[![:space:]]}"}" + echo -n "$var" +} + +# temporary function will be removing it ASAP +# search for string and replace text in file +replaceText_migration_hook () { + local regexString="$1" + local replaceText="$2" + local file="$3" + + if [[ "$(checkFileExists "${file}")" != "true" ]]; then + return + fi + if [[ $(uname) == "Darwin" ]]; then + sed -i '' -e "s/${regexString}/${replaceText}/" "${file}" || warn "Failed to replace the text in ${file}" + else + sed -i -e "s/${regexString}/${replaceText}/" "${file}" || warn "Failed to replace the text in ${file}" + fi +} + +# search for string and replace text in file +replaceText () { + local regexString="$1" + local replaceText="$2" + local file="$3" + + if [[ "$(checkFileExists "${file}")" != "true" ]]; then + return + fi + if [[ $(uname) == "Darwin" ]]; then + sed -i '' -e "s#${regexString}#${replaceText}#" "${file}" || warn "Failed to replace the text in ${file}" + else + sed -i -e "s#${regexString}#${replaceText}#" "${file}" || warn "Failed to replace the text in ${file}" + logDebug "Replaced [$regexString] with [$replaceText] in [$file]" + fi +} + +# search for string and prepend text in file +prependText () { + local regexString="$1" + local text="$2" + local file="$3" + + if [[ "$(checkFileExists "${file}")" != "true" ]]; then + return + fi + if [[ $(uname) == "Darwin" ]]; then + sed -i '' -e '/'"${regexString}"'/i\'$'\n\\'"${text}"''$'\n' "${file}" || warn "Failed to prepend the text in ${file}" + else + sed -i -e '/'"${regexString}"'/i\'$'\n\\'"${text}"''$'\n' "${file}" || warn "Failed to prepend the text in ${file}" + fi +} + +# add text to beginning of the file +addText () { + local text="$1" + local file="$2" + + if [[ "$(checkFileExists "${file}")" != "true" ]]; then + return + fi + if [[ $(uname) == "Darwin" ]]; then + sed -i '' -e '1s/^/'"${text}"'\'$'\n/' "${file}" || warn "Failed to add the text in ${file}" + else + sed -i -e '1s/^/'"${text}"'\'$'\n/' "${file}" || warn "Failed to add the text in ${file}" + fi +} + +io_replaceString () { + local value="$1" + local firstString="$2" + local secondString="$3" + local separator=${4:-"/"} + local updateValue= + if [[ $(uname) == "Darwin" ]]; then + updateValue=$(echo "${value}" | sed "s${separator}${firstString}${separator}${secondString}${separator}") + else + updateValue=$(echo "${value}" | sed "s${separator}${firstString}${separator}${secondString}${separator}") + fi + echo -n "${updateValue}" +} + +_findYQ() { + # logSilly "Method ${FUNCNAME[0]}" (Intentionally not logging. Does not add value) + local parentDir="$1" + if [ -z "$parentDir" ]; then + return + fi + logDebug "Executing command [find "${parentDir}" -name third-party -type d]" + local yq=$(find "${parentDir}" -name third-party -type d) + if [ -d "${yq}/yq" ]; then + export YQ_PATH="${yq}/yq" + fi +} + + +io_setYQPath() { + # logSilly "Method ${FUNCNAME[0]}" (Intentionally not logging. Does not add value) + if [ "$(io_commandExists 'yq')" == "yes" ]; then + return + fi + + if [ ! -z "${JF_PRODUCT_HOME}" ] && [ -d "${JF_PRODUCT_HOME}" ]; then + _findYQ "${JF_PRODUCT_HOME}" + fi + + if [ -z "${YQ_PATH}" ] && [ ! -z "${COMPOSE_HOME}" ] && [ -d "${COMPOSE_HOME}" ]; then + _findYQ "${COMPOSE_HOME}" + fi + # TODO We can remove this block after all the code is restructured. + if [ -z "${YQ_PATH}" ] && [ ! -z "${SCRIPT_HOME}" ] && [ -d "${SCRIPT_HOME}" ]; then + _findYQ "${SCRIPT_HOME}" + fi + +} + +io_getLinuxDistribution() { + LINUX_DISTRIBUTION= + + # Make sure running on Linux + [ $(uname -s) != "Linux" ] && return + + # Find out what Linux distribution we are on + + cat /etc/*-release | grep -i Red >/dev/null 2>&1 && LINUX_DISTRIBUTION=RedHat || true + + # OS 6.x + cat /etc/issue.net | grep Red >/dev/null 2>&1 && LINUX_DISTRIBUTION=RedHat || true + + # OS 7.x + cat /etc/*-release | grep -i centos >/dev/null 2>&1 && LINUX_DISTRIBUTION=CentOS && LINUX_DISTRIBUTION_VER="7" || true + + # OS 8.x + grep -q -i "release 8" /etc/redhat-release >/dev/null 2>&1 && LINUX_DISTRIBUTION_VER="8" || true + + # OS 7.x + grep -q -i "release 7" /etc/redhat-release >/dev/null 2>&1 && LINUX_DISTRIBUTION_VER="7" || true + + # OS 6.x + grep -q -i "release 6" /etc/redhat-release >/dev/null 2>&1 && LINUX_DISTRIBUTION_VER="6" || true + + cat /etc/*-release | grep -i Red | grep -i 'VERSION=7' >/dev/null 2>&1 && LINUX_DISTRIBUTION=RedHat && LINUX_DISTRIBUTION_VER="7" || true + + cat /etc/*-release | grep -i debian >/dev/null 2>&1 && LINUX_DISTRIBUTION=Debian || true + + cat /etc/*-release | grep -i ubuntu >/dev/null 2>&1 && LINUX_DISTRIBUTION=Ubuntu || true +} + +## Utility method to check ownership of folders/files +## Failure conditions: + ## If invoked with incorrect inputs - FATAL + ## If file is not owned by the user & group +## Parameters: + ## user + ## group + ## folder to chown +## Globals: none +## Returns: none +## NOTE: The method does NOTHING if the OS is Mac +io_checkOwner () { + logSilly "Method ${FUNCNAME[0]}" + local osType=$(uname) + + if [ "${osType}" != "Linux" ]; then + logDebug "Unsupported OS. Skipping check" + return 0 + fi + + local file_to_check=$1 + local user_id_to_check=$2 + + + if [ -z "$user_id_to_check" ] || [ -z "$file_to_check" ]; then + errorExit "Invalid invocation of method. Missing mandatory inputs" + fi + + local group_id_to_check=${3:-$user_id_to_check} + local check_user_name=${4:-"no"} + + logDebug "Checking permissions on [$file_to_check] for user [$user_id_to_check] & group [$group_id_to_check]" + + local stat= + + if [ "${check_user_name}" == "yes" ]; then + stat=( $(stat -Lc "%U %G" ${file_to_check}) ) + else + stat=( $(stat -Lc "%u %g" ${file_to_check}) ) + fi + + local user_id=${stat[0]} + local group_id=${stat[1]} + + if [[ "${user_id}" != "${user_id_to_check}" ]] || [[ "${group_id}" != "${group_id_to_check}" ]] ; then + logDebug "Ownership mismatch. [${file_to_check}] is not owned by [${user_id_to_check}:${group_id_to_check}]" + return 1 + else + return 0 + fi +} + +## Utility method to change ownership of a file/folder - NON recursive +## Failure conditions: + ## If invoked with incorrect inputs - FATAL + ## If chown operation fails - returns 1 +## Parameters: + ## user + ## group + ## file to chown +## Globals: none +## Returns: none +## NOTE: The method does NOTHING if the OS is Mac + +io_setOwnershipNonRecursive() { + + local osType=$(uname) + if [ "${osType}" != "Linux" ]; then + return + fi + + local targetFile=$1 + local user=$2 + + if [ -z "$user" ] || [ -z "$targetFile" ]; then + errorExit "Invalid invocation of method. Missing mandatory inputs" + fi + + local group=${3:-$user} + logDebug "Method ${FUNCNAME[0]}. Executing [chown ${user}:${group} ${targetFile}]" + chown ${user}:${group} ${targetFile} || return 1 +} + +## Utility method to change ownership of a file. +## IMPORTANT +## If being called on a folder, should ONLY be called for fresh folders or may cause performance issues +## Failure conditions: + ## If invoked with incorrect inputs - FATAL + ## If chown operation fails - returns 1 +## Parameters: + ## user + ## group + ## file to chown +## Globals: none +## Returns: none +## NOTE: The method does NOTHING if the OS is Mac + +io_setOwnership() { + + local osType=$(uname) + if [ "${osType}" != "Linux" ]; then + return + fi + + local targetFile=$1 + local user=$2 + + if [ -z "$user" ] || [ -z "$targetFile" ]; then + errorExit "Invalid invocation of method. Missing mandatory inputs" + fi + + local group=${3:-$user} + logDebug "Method ${FUNCNAME[0]}. Executing [chown -R ${user}:${group} ${targetFile}]" + chown -R ${user}:${group} ${targetFile} || return 1 +} + +## Utility method to create third party folder structure necessary for Postgres +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## POSTGRESQL_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createPostgresDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${POSTGRESQL_DATA_ROOT}" ] && return 0 + + logDebug "Property [${POSTGRESQL_DATA_ROOT}] exists. Proceeding" + + createDir "${POSTGRESQL_DATA_ROOT}/data" + io_setOwnership "${POSTGRESQL_DATA_ROOT}" "${POSTGRES_USER}" "${POSTGRES_USER}" || errorExit "Setting ownership of [${POSTGRESQL_DATA_ROOT}] to [${POSTGRES_USER}:${POSTGRES_USER}] failed" +} + +## Utility method to create third party folder structure necessary for Nginx +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## NGINX_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createNginxDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${NGINX_DATA_ROOT}" ] && return 0 + + logDebug "Property [${NGINX_DATA_ROOT}] exists. Proceeding" + + createDir "${NGINX_DATA_ROOT}" + io_setOwnership "${NGINX_DATA_ROOT}" "${NGINX_USER}" "${NGINX_GROUP}" || errorExit "Setting ownership of [${NGINX_DATA_ROOT}] to [${NGINX_USER}:${NGINX_GROUP}] failed" +} + +## Utility method to create third party folder structure necessary for ElasticSearch +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## ELASTIC_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createElasticSearchDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${ELASTIC_DATA_ROOT}" ] && return 0 + + logDebug "Property [${ELASTIC_DATA_ROOT}] exists. Proceeding" + + createDir "${ELASTIC_DATA_ROOT}/data" + io_setOwnership "${ELASTIC_DATA_ROOT}" "${ES_USER}" "${ES_USER}" || errorExit "Setting ownership of [${ELASTIC_DATA_ROOT}] to [${ES_USER}:${ES_USER}] failed" +} + +## Utility method to create third party folder structure necessary for Redis +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## REDIS_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createRedisDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${REDIS_DATA_ROOT}" ] && return 0 + + logDebug "Property [${REDIS_DATA_ROOT}] exists. Proceeding" + + createDir "${REDIS_DATA_ROOT}" + io_setOwnership "${REDIS_DATA_ROOT}" "${REDIS_USER}" "${REDIS_USER}" || errorExit "Setting ownership of [${REDIS_DATA_ROOT}] to [${REDIS_USER}:${REDIS_USER}] failed" +} + +## Utility method to create third party folder structure necessary for Mongo +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## MONGODB_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createMongoDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${MONGODB_DATA_ROOT}" ] && return 0 + + logDebug "Property [${MONGODB_DATA_ROOT}] exists. Proceeding" + + createDir "${MONGODB_DATA_ROOT}/logs" + createDir "${MONGODB_DATA_ROOT}/configdb" + createDir "${MONGODB_DATA_ROOT}/db" + io_setOwnership "${MONGODB_DATA_ROOT}" "${MONGO_USER}" "${MONGO_USER}" || errorExit "Setting ownership of [${MONGODB_DATA_ROOT}] to [${MONGO_USER}:${MONGO_USER}] failed" +} + +## Utility method to create third party folder structure necessary for RabbitMQ +## Failure conditions: +## If creation of directory or assigning permissions fails +## Parameters: none +## Globals: +## RABBITMQ_DATA_ROOT +## Returns: none +## NOTE: The method does NOTHING if the folder already exists +io_createRabbitMQDir() { + logDebug "Method ${FUNCNAME[0]}" + [ -z "${RABBITMQ_DATA_ROOT}" ] && return 0 + + logDebug "Property [${RABBITMQ_DATA_ROOT}] exists. Proceeding" + + createDir "${RABBITMQ_DATA_ROOT}" + io_setOwnership "${RABBITMQ_DATA_ROOT}" "${RABBITMQ_USER}" "${RABBITMQ_USER}" || errorExit "Setting ownership of [${RABBITMQ_DATA_ROOT}] to [${RABBITMQ_USER}:${RABBITMQ_USER}] failed" +} + +# Add or replace a property in provided properties file +addOrReplaceProperty() { + local propertyName=$1 + local propertyValue=$2 + local propertiesPath=$3 + local delimiter=${4:-"="} + + # Return if any of the inputs are empty + [[ -z "$propertyName" || "$propertyName" == "" ]] && return + [[ -z "$propertyValue" || "$propertyValue" == "" ]] && return + [[ -z "$propertiesPath" || "$propertiesPath" == "" ]] && return + + grep "^${propertyName}\s*${delimiter}.*$" ${propertiesPath} > /dev/null 2>&1 + [ $? -ne 0 ] && echo -e "\n${propertyName}${delimiter}${propertyValue}" >> ${propertiesPath} + sed -i -e "s|^${propertyName}\s*${delimiter}.*$|${propertyName}${delimiter}${propertyValue}|g;" ${propertiesPath} +} + +# Set property only if its not set +io_setPropertyNoOverride(){ + local propertyName=$1 + local propertyValue=$2 + local propertiesPath=$3 + + # Return if any of the inputs are empty + [[ -z "$propertyName" || "$propertyName" == "" ]] && return + [[ -z "$propertyValue" || "$propertyValue" == "" ]] && return + [[ -z "$propertiesPath" || "$propertiesPath" == "" ]] && return + + grep "^${propertyName}:" ${propertiesPath} > /dev/null 2>&1 + if [ $? -ne 0 ]; then + echo -e "${propertyName}: ${propertyValue}" >> ${propertiesPath} || warn "Setting property ${propertyName}: ${propertyValue} in [ ${propertiesPath} ] failed" + else + logger "Skipping update of property : ${propertyName}" >&6 + fi +} + +# Add a line to a file if it doesn't already exist +addLine() { + local line_to_add=$1 + local target_file=$2 + logger "Trying to add line $1 to $2" >&6 2>&1 + cat "$target_file" | grep -F "$line_to_add" -wq >&6 2>&1 + if [ $? != 0 ]; then + logger "Line does not exist and will be added" >&6 2>&1 + echo $line_to_add >> $target_file || errorExit "Could not update $target_file" + fi +} + +# Utility method to check if a value (first parameter) exists in an array (2nd parameter) +# 1st parameter "value to find" +# 2nd parameter "The array to search in. Please pass a string with each value separated by space" +# Example: containsElement "y" "y Y n N" +containsElement () { + local searchElement=$1 + local searchArray=($2) + local found=1 + for elementInIndex in "${searchArray[@]}";do + if [[ $elementInIndex == $searchElement ]]; then + found=0 + fi + done + return $found +} + +# Utility method to get user's choice +# 1st parameter "what to ask the user" +# 2nd parameter "what choices to accept, separated by spaces" +# 3rd parameter "what is the default choice (to use if the user simply presses Enter)" +# Example 'getUserChoice "Are you feeling lucky? Punk!" "y n Y N" "y"' +getUserChoice(){ + configureLogOutput + read_timeout=${read_timeout:-0.5} + local choice="na" + local text_to_display=$1 + local choices=$2 + local default_choice=$3 + users_choice= + + until containsElement "$choice" "$choices"; do + echo "";echo ""; + sleep $read_timeout #This ensures correct placement of the question. + read -p "$text_to_display :" choice + : ${choice:=$default_choice} + done + users_choice=$choice + echo -e "\n$text_to_display: $users_choice" >&6 + sleep $read_timeout #This ensures correct logging +} + +setFilePermission () { + local permission=$1 + local file=$2 + chmod "${permission}" "${file}" || warn "Setting permission ${permission} to file [ ${file} ] failed" +} + + +#setting required paths +setAppDir (){ + SCRIPT_DIR=$(dirname $0) + SCRIPT_HOME="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + APP_DIR="`cd "${SCRIPT_HOME}";pwd`" +} + +ZIP_TYPE="zip" +COMPOSE_TYPE="compose" +HELM_TYPE="helm" +RPM_TYPE="rpm" +DEB_TYPE="debian" + +sourceScript () { + local file="$1" + + [ ! -z "${file}" ] || errorExit "target file is not passed to source a file" + + if [ ! -f "${file}" ]; then + errorExit "${file} file is not found" + else + source "${file}" || errorExit "Unable to source ${file}, please check if the user ${USER} has permissions to perform this action" + fi +} +# Source required helpers +initHelpers () { + local systemYamlHelper="${APP_DIR}/systemYamlHelper.sh" + local thirdPartyDir=$(find ${APP_DIR}/.. -name third-party -type d) + export YQ_PATH="${thirdPartyDir}/yq" + LIBXML2_PATH="${thirdPartyDir}/libxml2/bin/xmllint" + export LD_LIBRARY_PATH="${thirdPartyDir}/libxml2/lib" + sourceScript "${systemYamlHelper}" +} +# Check migration info yaml file available in the path +checkMigrationInfoYaml () { + + if [[ -f "${APP_DIR}/migrationHelmInfo.yaml" ]]; then + MIGRATION_SYSTEM_YAML_INFO="${APP_DIR}/migrationHelmInfo.yaml" + INSTALLER="${HELM_TYPE}" + elif [[ -f "${APP_DIR}/migrationZipInfo.yaml" ]]; then + MIGRATION_SYSTEM_YAML_INFO="${APP_DIR}/migrationZipInfo.yaml" + INSTALLER="${ZIP_TYPE}" + elif [[ -f "${APP_DIR}/migrationRpmInfo.yaml" ]]; then + MIGRATION_SYSTEM_YAML_INFO="${APP_DIR}/migrationRpmInfo.yaml" + INSTALLER="${RPM_TYPE}" + elif [[ -f "${APP_DIR}/migrationDebInfo.yaml" ]]; then + MIGRATION_SYSTEM_YAML_INFO="${APP_DIR}/migrationDebInfo.yaml" + INSTALLER="${DEB_TYPE}" + elif [[ -f "${APP_DIR}/migrationComposeInfo.yaml" ]]; then + MIGRATION_SYSTEM_YAML_INFO="${APP_DIR}/migrationComposeInfo.yaml" + INSTALLER="${COMPOSE_TYPE}" + else + errorExit "File migration Info yaml does not exist in [${APP_DIR}]" + fi +} + +retrieveYamlValue () { + local yamlPath="$1" + local value="$2" + local output="$3" + local message="$4" + + [[ -z "${yamlPath}" ]] && errorExit "yamlPath is mandatory to get value from ${MIGRATION_SYSTEM_YAML_INFO}" + + getYamlValue "${yamlPath}" "${MIGRATION_SYSTEM_YAML_INFO}" "false" + value="${YAML_VALUE}" + if [[ -z "${value}" ]]; then + if [[ "${output}" == "Warning" ]]; then + warn "Empty value for ${yamlPath} in [${MIGRATION_SYSTEM_YAML_INFO}]" + elif [[ "${output}" == "Skip" ]]; then + return + else + errorExit "${message}" + fi + fi +} + +checkEnv () { + + if [[ "${INSTALLER}" == "${ZIP_TYPE}" ]]; then + # check Environment JF_PRODUCT_HOME is set before migration + NEW_DATA_DIR="$(evalVariable "NEW_DATA_DIR" "JF_PRODUCT_HOME")" + if [[ -z "${NEW_DATA_DIR}" ]]; then + errorExit "Environment variable JF_PRODUCT_HOME is not set, this is required to perform Migration" + fi + # appending var directory to $JF_PRODUCT_HOME + NEW_DATA_DIR="${NEW_DATA_DIR}/var" + elif [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + getCustomDataDir_hook + NEW_DATA_DIR="${OLD_DATA_DIR}" + if [[ -z "${NEW_DATA_DIR}" ]] && [[ -z "${OLD_DATA_DIR}" ]]; then + errorExit "Could not find ${PROMPT_DATA_DIR_LOCATION} to perform Migration" + fi + else + # check Environment JF_ROOT_DATA_DIR is set before migration + OLD_DATA_DIR="$(evalVariable "OLD_DATA_DIR" "JF_ROOT_DATA_DIR")" + # check Environment JF_ROOT_DATA_DIR is set before migration + NEW_DATA_DIR="$(evalVariable "NEW_DATA_DIR" "JF_ROOT_DATA_DIR")" + if [[ -z "${NEW_DATA_DIR}" ]] && [[ -z "${OLD_DATA_DIR}" ]]; then + errorExit "Could not find ${PROMPT_DATA_DIR_LOCATION} to perform Migration" + fi + # appending var directory to $JF_PRODUCT_HOME + NEW_DATA_DIR="${NEW_DATA_DIR}/var" + fi + +} + +getDataDir () { + + if [[ "${INSTALLER}" == "${ZIP_TYPE}" || "${INSTALLER}" == "${COMPOSE_TYPE}"|| "${INSTALLER}" == "${HELM_TYPE}" ]]; then + checkEnv + else + getCustomDataDir_hook + NEW_DATA_DIR="`cd "${APP_DIR}"/../../;pwd`" + NEW_DATA_DIR="${NEW_DATA_DIR}/var" + fi +} + +# Retrieve Product name from MIGRATION_SYSTEM_YAML_INFO +getProduct () { + retrieveYamlValue "migration.product" "${YAML_VALUE}" "Fail" "Empty value under ${yamlPath} in [${MIGRATION_SYSTEM_YAML_INFO}]" + PRODUCT="${YAML_VALUE}" + PRODUCT=$(echo "${PRODUCT}" | tr '[:upper:]' '[:lower:]' 2>/dev/null) + if [[ "${PRODUCT}" != "artifactory" && "${PRODUCT}" != "distribution" && "${PRODUCT}" != "xray" ]]; then + errorExit "migration.product in [${MIGRATION_SYSTEM_YAML_INFO}] is not correct, please set based on product as ARTIFACTORY or DISTRIBUTION" + fi + if [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + JF_USER="${PRODUCT}" + fi +} +# Compare product version with minProductVersion and maxProductVersion +migrateCheckVersion () { + local productVersion="$1" + local minProductVersion="$2" + local maxProductVersion="$3" + local productVersion618="6.18.0" + local unSupportedProductVersions7=("7.2.0 7.2.1") + + if [[ "$(io_compareVersions "${productVersion}" "${maxProductVersion}")" -eq 0 || "$(io_compareVersions "${productVersion}" "${maxProductVersion}")" -eq 1 ]]; then + logger "Migration not necessary. ${PRODUCT} is already ${productVersion}" + exit 11 + elif [[ "$(io_compareVersions "${productVersion}" "${minProductVersion}")" -eq 0 || "$(io_compareVersions "${productVersion}" "${minProductVersion}")" -eq 1 ]]; then + if [[ ("$(io_compareVersions "${productVersion}" "${productVersion618}")" -eq 0 || "$(io_compareVersions "${productVersion}" "${productVersion618}")" -eq 1) && " ${unSupportedProductVersions7[@]} " =~ " ${CURRENT_VERSION} " ]]; then + touch /tmp/error; + errorExit "Current ${PRODUCT} version (${productVersion}) does not support migration to ${CURRENT_VERSION}" + else + bannerStart "Detected ${PRODUCT} ${productVersion}, initiating migration" + fi + else + logger "Current ${PRODUCT} ${productVersion} version is not supported for migration" + exit 1 + fi +} + +getProductVersion () { + local minProductVersion="$1" + local maxProductVersion="$2" + local newfilePath="$3" + local oldfilePath="$4" + local propertyInDocker="$5" + local property="$6" + local productVersion= + local status= + + if [[ "$INSTALLER" == "${COMPOSE_TYPE}" ]]; then + if [[ -f "${oldfilePath}" ]]; then + if [[ "${PRODUCT}" == "artifactory" ]]; then + productVersion="$(readKey "${property}" "${oldfilePath}")" + else + productVersion="$(cat "${oldfilePath}")" + fi + status="success" + elif [[ -f "${newfilePath}" ]]; then + productVersion="$(readKey "${propertyInDocker}" "${newfilePath}")" + status="fail" + else + logger "File [${oldfilePath}] or [${newfilePath}] not found to get current version." + exit 0 + fi + elif [[ "$INSTALLER" == "${HELM_TYPE}" ]]; then + if [[ -f "${oldfilePath}" ]]; then + if [[ "${PRODUCT}" == "artifactory" ]]; then + productVersion="$(readKey "${property}" "${oldfilePath}")" + else + productVersion="$(cat "${oldfilePath}")" + fi + status="success" + else + productVersion="${CURRENT_VERSION}" + [[ -z "${productVersion}" || "${productVersion}" == "" ]] && logger "${PRODUCT} CURRENT_VERSION is not set" && exit 0 + fi + else + if [[ -f "${newfilePath}" ]]; then + productVersion="$(readKey "${property}" "${newfilePath}")" + status="fail" + elif [[ -f "${oldfilePath}" ]]; then + productVersion="$(readKey "${property}" "${oldfilePath}")" + status="success" + else + if [[ "${INSTALLER}" == "${ZIP_TYPE}" ]]; then + logger "File [${newfilePath}] not found to get current version." + else + logger "File [${oldfilePath}] or [${newfilePath}] not found to get current version." + fi + exit 0 + fi + fi + if [[ -z "${productVersion}" || "${productVersion}" == "" ]]; then + [[ "${status}" == "success" ]] && logger "No version found in file [${oldfilePath}]." + [[ "${status}" == "fail" ]] && logger "No version found in file [${newfilePath}]." + exit 0 + fi + + migrateCheckVersion "${productVersion}" "${minProductVersion}" "${maxProductVersion}" +} + +readKey () { + local property="$1" + local file="$2" + local version= + + while IFS='=' read -r key value || [ -n "${key}" ]; + do + [[ ! "${key}" =~ \#.* && ! -z "${key}" && ! -z "${value}" ]] + key="$(io_trim "${key}")" + if [[ "${key}" == "${property}" ]]; then + version="${value}" && check=true && break + else + check=false + fi + done < "${file}" + if [[ "${check}" == "false" ]]; then + return + fi + echo "${version}" +} + +# create Log directory +createLogDir () { + if [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then + getUserAndGroupFromFile + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/log" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" + fi +} + +# Creating migration log file +creationMigrateLog () { + local LOG_FILE_NAME="migration.log" + createLogDir + local MIGRATION_LOG_FILE="${NEW_DATA_DIR}/log/${LOG_FILE_NAME}" + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + MIGRATION_LOG_FILE="${SCRIPT_HOME}/${LOG_FILE_NAME}" + fi + touch "${MIGRATION_LOG_FILE}" + setFilePermission "${LOG_FILE_PERMISSION}" "${MIGRATION_LOG_FILE}" + exec &> >(tee -a "${MIGRATION_LOG_FILE}") +} +# Set path where system.yaml should create +setSystemYamlPath () { + SYSTEM_YAML_PATH="${NEW_DATA_DIR}/etc/system.yaml" + if [[ "${INSTALLER}" != "${HELM_TYPE}" ]]; then + logger "system.yaml will be created in path [${SYSTEM_YAML_PATH}]" + fi +} +# Create directory +createDirectory () { + local directory="$1" + local output="$2" + local check=false + local message="Could not create directory ${directory}, please check if the user ${USER} has permissions to perform this action" + removeSoftLink "${directory}" + mkdir -p "${directory}" && check=true || check=false + if [[ "${check}" == "false" ]]; then + if [[ "${output}" == "Warning" ]]; then + warn "${message}" + else + errorExit "${message}" + fi + fi + setOwnershipBasedOnInstaller "${directory}" +} + +setOwnershipBasedOnInstaller () { + local directory="$1" + if [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then + getUserAndGroupFromFile + chown -R ${USER_TO_CHECK}:${GROUP_TO_CHECK} "${directory}" || warn "Setting ownership on $directory failed" + elif [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + io_setOwnership "${directory}" "${JF_USER}" "${JF_USER}" + fi +} + +getUserAndGroup () { + local file="$1" + read uid gid <<<$(stat -c '%U %G' ${file}) + USER_TO_CHECK="${uid}" + GROUP_TO_CHECK="${gid}" +} + +# set ownership +getUserAndGroupFromFile () { + case $PRODUCT in + artifactory) + getUserAndGroup "/etc/opt/jfrog/artifactory/artifactory.properties" + ;; + distribution) + getUserAndGroup "${OLD_DATA_DIR}/etc/versions.properties" + ;; + xray) + getUserAndGroup "${OLD_DATA_DIR}/security/master.key" + ;; + esac +} + +# creating required directories +createRequiredDirs () { + bannerSubSection "CREATING REQUIRED DIRECTORIES" + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/etc/security" "${JF_USER}" "${JF_USER}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/data" "${JF_USER}" "${JF_USER}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/log/archived" "${JF_USER}" "${JF_USER}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/work" "${JF_USER}" "${JF_USER}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/backup" "${JF_USER}" "${JF_USER}" "yes" + io_setOwnership "${NEW_DATA_DIR}" "${JF_USER}" "${JF_USER}" + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" ]]; then + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/data/postgres" "${POSTGRES_USER}" "${POSTGRES_USER}" "yes" + fi + elif [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then + getUserAndGroupFromFile + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/etc" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/etc/security" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/data" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/log/archived" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/work" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + removeSoftLinkAndCreateDir "${NEW_DATA_DIR}/backup" "${USER_TO_CHECK}" "${GROUP_TO_CHECK}" "yes" + fi +} + +# Check entry in map is format +checkMapEntry () { + local entry="$1" + + [[ "${entry}" != *"="* ]] && echo -n "false" || echo -n "true" +} +# Check value Empty and warn +warnIfEmpty () { + local filePath="$1" + local yamlPath="$2" + local check= + + if [[ -z "${filePath}" ]]; then + warn "Empty value in yamlpath [${yamlPath} in [${MIGRATION_SYSTEM_YAML_INFO}]" + check=false + else + check=true + fi + echo "${check}" +} + +logCopyStatus () { + local status="$1" + local logMessage="$2" + local warnMessage="$3" + + [[ "${status}" == "success" ]] && logger "${logMessage}" + [[ "${status}" == "fail" ]] && warn "${warnMessage}" +} +# copy contents from source to destination +copyCmd () { + local source="$1" + local target="$2" + local mode="$3" + local status= + + case $mode in + unique) + cp -up "${source}"/* "${target}"/ && status="success" || status="fail" + logCopyStatus "${status}" "Successfully copied directory contents from [${source}] to [${target}]" "Failed to copy directory contents from [${source}] to [${target}]" + ;; + specific) + cp -pf "${source}" "${target}"/ && status="success" || status="fail" + logCopyStatus "${status}" "Successfully copied file [${source}] to [${target}]" "Failed to copy file [${source}] to [${target}]" + ;; + patternFiles) + cp -pf "${source}"* "${target}"/ && status="success" || status="fail" + logCopyStatus "${status}" "Successfully copied files matching [${source}*] to [${target}]" "Failed to copy files matching [${source}*] to [${target}]" + ;; + full) + cp -prf "${source}"/* "${target}"/ && status="success" || status="fail" + logCopyStatus "${status}" "Successfully copied directory contents from [${source}] to [${target}]" "Failed to copy directory contents from [${source}] to [${target}]" + ;; + esac +} +# Check contents exist in source before copying +copyOnContentExist () { + local source="$1" + local target="$2" + local mode="$3" + + if [[ "$(checkContentExists "${source}")" == "true" ]]; then + copyCmd "${source}" "${target}" "${mode}" + else + logger "No contents to copy from [${source}]" + fi +} + +# move source to destination +moveCmd () { + local source="$1" + local target="$2" + local status= + + mv -f "${source}" "${target}" && status="success" || status="fail" + [[ "${status}" == "success" ]] && logger "Successfully moved directory [${source}] to [${target}]" + [[ "${status}" == "fail" ]] && warn "Failed to move directory [${source}] to [${target}]" +} + +# symlink target to source +symlinkCmd () { + local source="$1" + local target="$2" + local symlinkSubDir="$3" + local check=false + + if [[ "${symlinkSubDir}" == "subDir" ]]; then + ln -sf "${source}"/* "${target}" && check=true || check=false + else + ln -sf "${source}" "${target}" && check=true || check=false + fi + + [[ "${check}" == "true" ]] && logger "Successfully symlinked directory [${target}] to old [${source}]" + [[ "${check}" == "false" ]] && warn "Symlink operation failed" +} +# Check contents exist in source before symlinking +symlinkOnExist () { + local source="$1" + local target="$2" + local symlinkSubDir="$3" + + if [[ "$(checkContentExists "${source}")" == "true" ]]; then + if [[ "${symlinkSubDir}" == "subDir" ]]; then + symlinkCmd "${source}" "${target}" "subDir" + else + symlinkCmd "${source}" "${target}" + fi + else + logger "No contents to symlink from [${source}]" + fi +} + +prependDir () { + local absolutePath="$1" + local fullPath="$2" + local sourcePath= + + if [[ "${absolutePath}" = \/* ]]; then + sourcePath="${absolutePath}" + else + sourcePath="${fullPath}" + fi + echo "${sourcePath}" +} + +getFirstEntry (){ + local entry="$1" + + [[ -z "${entry}" ]] && return + echo "${entry}" | awk -F"=" '{print $1}' +} + +getSecondEntry () { + local entry="$1" + + [[ -z "${entry}" ]] && return + echo "${entry}" | awk -F"=" '{print $2}' +} +# To get absolutePath +pathResolver () { + local directoryPath="$1" + local dataDir= + + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + retrieveYamlValue "migration.oldDataDir" "oldDataDir" "Warning" + dataDir="${YAML_VALUE}" + cd "${dataDir}" + else + cd "${OLD_DATA_DIR}" + fi + absoluteDir="`cd "${directoryPath}";pwd`" + echo "${absoluteDir}" +} + +checkPathResolver () { + local value="$1" + + if [[ "${value}" == \/* ]]; then + value="${value}" + else + value="$(pathResolver "${value}")" + fi + echo "${value}" +} + +propertyMigrate () { + local entry="$1" + local filePath="$2" + local fileName="$3" + local check=false + + local yamlPath="$(getFirstEntry "${entry}")" + local property="$(getSecondEntry "${entry}")" + if [[ -z "${property}" ]]; then + warn "Property is empty in map [${entry}] in the file [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + if [[ -z "${yamlPath}" ]]; then + warn "yamlPath is empty for [${property}] in [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + local keyValues=$(cat "${NEW_DATA_DIR}/${filePath}/${fileName}" | grep "^[^#]" | grep "[*=*]") + for i in ${keyValues}; do + key=$(echo "${i}" | awk -F"=" '{print $1}') + value=$(echo "${i}" | cut -f 2- -d '=') + [ -z "${key}" ] && continue + [ -z "${value}" ] && continue + if [[ "${key}" == "${property}" ]]; then + if [[ "${PRODUCT}" == "artifactory" ]]; then + value="$(migrateResolveDerbyPath "${key}" "${value}")" + value="$(migrateResolveHaDirPath "${key}" "${value}")" + if [[ "${INSTALLER}" != "${DOCKER_TYPE}" ]]; then + value="$(updatePostgresUrlString_Hook "${yamlPath}" "${value}")" + fi + fi + if [[ "${key}" == "context.url" ]]; then + local ip=$(echo "${value}" | awk -F/ '{print $3}' | sed 's/:.*//') + setSystemValue "shared.node.ip" "${ip}" "${SYSTEM_YAML_PATH}" + logger "Setting [shared.node.ip] with [${ip}] in system.yaml" + fi + setSystemValue "${yamlPath}" "${value}" "${SYSTEM_YAML_PATH}" && logger "Setting [${yamlPath}] with value of the property [${property}] in system.yaml" && check=true && break || check=false + fi + done + [[ "${check}" == "false" ]] && logger "Property [${property}] not found in file [${fileName}]" +} + +setHaEnabled_hook () { + echo "" +} + +migratePropertiesFiles () { + local fileList= + local filePath= + local fileName= + local map= + + retrieveYamlValue "migration.propertyFiles.files" "fileList" "Skip" + fileList="${YAML_VALUE}" + if [[ -z "${fileList}" ]]; then + return + fi + bannerSection "PROCESSING MIGRATION OF PROPERTY FILES" + for file in ${fileList}; + do + bannerSubSection "Processing Migration of $file" + retrieveYamlValue "migration.propertyFiles.$file.filePath" "filePath" "Warning" + filePath="${YAML_VALUE}" + retrieveYamlValue "migration.propertyFiles.$file.fileName" "fileName" "Warning" + fileName="${YAML_VALUE}" + [[ -z "${filePath}" && -z "${fileName}" ]] && continue + if [[ "$(checkFileExists "${NEW_DATA_DIR}/${filePath}/${fileName}")" == "true" ]]; then + logger "File [${fileName}] found in path [${NEW_DATA_DIR}/${filePath}]" + # setting haEnabled with true only if ha-node.properties is present + setHaEnabled_hook "${filePath}" + retrieveYamlValue "migration.propertyFiles.$file.map" "map" "Warning" + map="${YAML_VALUE}" + [[ -z "${map}" ]] && continue + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + propertyMigrate "${entry}" "${filePath}" "${fileName}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e yamlPath=property" + fi + done + else + logger "File [${fileName}] was not found in path [${NEW_DATA_DIR}/${filePath}] to migrate" + fi + done +} + +createTargetDir () { + local mountDir="$1" + local target="$2" + + logger "Target directory not found [${mountDir}/${target}], creating it" + createDirectoryRecursive "${mountDir}" "${target}" "Warning" +} + +createDirectoryRecursive () { + local mountDir="$1" + local target="$2" + local output="$3" + local check=false + local message="Could not create directory ${directory}, please check if the user ${USER} has permissions to perform this action" + removeSoftLink "${mountDir}/${target}" + local directory=$(echo "${target}" | tr '/' ' ' ) + local targetDir="${mountDir}" + for dir in ${directory}; + do + targetDir="${targetDir}/${dir}" + mkdir -p "${targetDir}" && check=true || check=false + setOwnershipBasedOnInstaller "${targetDir}" + done + if [[ "${check}" == "false" ]]; then + if [[ "${output}" == "Warning" ]]; then + warn "${message}" + else + errorExit "${message}" + fi + fi +} + +copyOperation () { + local source="$1" + local target="$2" + local mode="$3" + local check=false + local targetDataDir= + local targetLink= + local date= + + # prepend OLD_DATA_DIR only if source is relative path + source="$(prependDir "${source}" "${OLD_DATA_DIR}/${source}")" + if [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + targetDataDir="${NEW_DATA_DIR}" + else + targetDataDir="`cd "${NEW_DATA_DIR}"/../;pwd`" + fi + copyLogMessage "${mode}" + #remove source if it is a symlink + if [[ -L "${source}" ]]; then + targetLink=$(readlink -f "${source}") + logger "Removing the symlink [${source}] pointing to [${targetLink}]" + rm -f "${source}" + source=${targetLink} + fi + if [[ "$(checkDirExists "${source}")" != "true" ]]; then + logger "Source [${source}] directory not found in path" + return + fi + if [[ "$(checkDirContents "${source}")" != "true" ]]; then + logger "No contents to copy from [${source}]" + return + fi + if [[ "$(checkDirExists "${targetDataDir}/${target}")" != "true" ]]; then + createTargetDir "${targetDataDir}" "${target}" + fi + copyOnContentExist "${source}" "${targetDataDir}/${target}" "${mode}" +} + +copySpecificFiles () { + local source="$1" + local target="$2" + local mode="$3" + + # prepend OLD_DATA_DIR only if source is relative path + source="$(prependDir "${source}" "${OLD_DATA_DIR}/${source}")" + if [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + targetDataDir="${NEW_DATA_DIR}" + else + targetDataDir="`cd "${NEW_DATA_DIR}"/../;pwd`" + fi + copyLogMessage "${mode}" + if [[ "$(checkFileExists "${source}")" != "true" ]]; then + logger "Source file [${source}] does not exist in path" + return + fi + if [[ "$(checkDirExists "${targetDataDir}/${target}")" != "true" ]]; then + createTargetDir "${targetDataDir}" "${target}" + fi + copyCmd "${source}" "${targetDataDir}/${target}" "${mode}" +} + +copyPatternMatchingFiles () { + local source="$1" + local target="$2" + local mode="$3" + local sourcePath="${4}" + + # prepend OLD_DATA_DIR only if source is relative path + sourcePath="$(prependDir "${sourcePath}" "${OLD_DATA_DIR}/${sourcePath}")" + if [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + targetDataDir="${NEW_DATA_DIR}" + else + targetDataDir="`cd "${NEW_DATA_DIR}"/../;pwd`" + fi + copyLogMessage "${mode}" + if [[ "$(checkDirExists "${sourcePath}")" != "true" ]]; then + logger "Source [${sourcePath}] directory not found in path" + return + fi + if ls "${sourcePath}/${source}"* 1> /dev/null 2>&1; then + if [[ "$(checkDirExists "${targetDataDir}/${target}")" != "true" ]]; then + createTargetDir "${targetDataDir}" "${target}" + fi + copyCmd "${sourcePath}/${source}" "${targetDataDir}/${target}" "${mode}" + else + logger "Source file [${sourcePath}/${source}*] does not exist in path" + fi +} + +copyLogMessage () { + local mode="$1" + case $mode in + specific) + logger "Copy file [${source}] to target [${targetDataDir}/${target}]" + ;; + patternFiles) + logger "Copy files matching [${sourcePath}/${source}*] to target [${targetDataDir}/${target}]" + ;; + full) + logger "Copy directory contents from source [${source}] to target [${targetDataDir}/${target}]" + ;; + unique) + logger "Copy directory contents from source [${source}] to target [${targetDataDir}/${target}]" + ;; + esac +} + +copyBannerMessages () { + local mode="$1" + local textMode="$2" + case $mode in + specific) + bannerSection "COPY ${textMode} FILES" + ;; + patternFiles) + bannerSection "COPY MATCHING ${textMode}" + ;; + full) + bannerSection "COPY ${textMode} DIRECTORIES CONTENTS" + ;; + unique) + bannerSection "COPY ${textMode} DIRECTORIES CONTENTS" + ;; + esac +} + +invokeCopyFunctions () { + local mode="$1" + local source="$2" + local target="$3" + + case $mode in + specific) + copySpecificFiles "${source}" "${target}" "${mode}" + ;; + patternFiles) + retrieveYamlValue "migration.${copyFormat}.sourcePath" "map" "Warning" + local sourcePath="${YAML_VALUE}" + copyPatternMatchingFiles "${source}" "${target}" "${mode}" "${sourcePath}" + ;; + full) + copyOperation "${source}" "${target}" "${mode}" + ;; + unique) + copyOperation "${source}" "${target}" "${mode}" + ;; + esac +} +# Copies contents from source directory and target directory +copyDataDirectories () { + local copyFormat="$1" + local mode="$2" + local map= + local source= + local target= + local textMode= + local targetDataDir= + local copyFormatValue= + + retrieveYamlValue "migration.${copyFormat}" "${copyFormat}" "Skip" + copyFormatValue="${YAML_VALUE}" + if [[ -z "${copyFormatValue}" ]]; then + return + fi + textMode=$(echo "${mode}" | tr '[:lower:]' '[:upper:]' 2>/dev/null) + copyBannerMessages "${mode}" "${textMode}" + retrieveYamlValue "migration.${copyFormat}.map" "map" "Warning" + map="${YAML_VALUE}" + if [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + targetDataDir="${NEW_DATA_DIR}" + else + targetDataDir="`cd "${NEW_DATA_DIR}"/../;pwd`" + fi + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + source="$(getSecondEntry "${entry}")" + target="$(getFirstEntry "${entry}")" + [[ -z "${source}" ]] && warn "source value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + [[ -z "${target}" ]] && warn "target value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + invokeCopyFunctions "${mode}" "${source}" "${target}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e target=source" + fi + echo ""; + done +} + +invokeMoveFunctions () { + local source="$1" + local target="$2" + local sourceDataDir= + local targetBasename= + # prepend OLD_DATA_DIR only if source is relative path + sourceDataDir=$(prependDir "${source}" "${OLD_DATA_DIR}/${source}") + targetBasename=$(dirname "${target}") + logger "Moving directory source [${sourceDataDir}] to target [${NEW_DATA_DIR}/${target}]" + if [[ "$(checkDirExists "${sourceDataDir}")" != "true" ]]; then + logger "Directory [${sourceDataDir}] not found in path to move" + return + fi + if [[ "$(checkDirExists "${NEW_DATA_DIR}/${targetBasename}")" != "true" ]]; then + createTargetDir "${NEW_DATA_DIR}" "${targetBasename}" + moveCmd "${sourceDataDir}" "${NEW_DATA_DIR}/${target}" + else + moveCmd "${sourceDataDir}" "${NEW_DATA_DIR}/tempDir" + moveCmd "${NEW_DATA_DIR}/tempDir" "${NEW_DATA_DIR}/${target}" + fi +} + +# Move source directory and target directory +moveDirectories () { + local moveDataDirectories= + local map= + local source= + local target= + + retrieveYamlValue "migration.moveDirectories" "moveDirectories" "Skip" + moveDirectories="${YAML_VALUE}" + if [[ -z "${moveDirectories}" ]]; then + return + fi + bannerSection "MOVE DIRECTORIES" + retrieveYamlValue "migration.moveDirectories.map" "map" "Warning" + map="${YAML_VALUE}" + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + source="$(getSecondEntry "${entry}")" + target="$(getFirstEntry "${entry}")" + [[ -z "${source}" ]] && warn "source value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + [[ -z "${target}" ]] && warn "target value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + invokeMoveFunctions "${source}" "${target}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e target=source" + fi + echo ""; + done +} + +# Trim masterKey if its generated using hex 32 +trimMasterKey () { + local masterKeyDir=/opt/jfrog/artifactory/var/etc/security + local oldMasterKey=$(<${masterKeyDir}/master.key) + local oldMasterKey_Length=$(echo ${#oldMasterKey}) + local newMasterKey= + if [[ ${oldMasterKey_Length} -gt 32 ]]; then + bannerSection "TRIM MASTERKEY" + newMasterKey=$(echo ${oldMasterKey:0:32}) + cp ${masterKeyDir}/master.key ${masterKeyDir}/backup_master.key + logger "Original masterKey is backed up : ${masterKeyDir}/backup_master.key" + rm -rf ${masterKeyDir}/master.key + echo ${newMasterKey} > ${masterKeyDir}/master.key + logger "masterKey is trimmed : ${masterKeyDir}/master.key" + fi +} + +copyDirectories () { + + copyDataDirectories "copyFiles" "full" + copyDataDirectories "copyUniqueFiles" "unique" + copyDataDirectories "copySpecificFiles" "specific" + copyDataDirectories "copyPatternMatchingFiles" "patternFiles" +} + +symlinkDir () { + local source="$1" + local target="$2" + local targetDir= + local basename= + local targetParentDir= + + targetDir="$(dirname "${target}")" + if [[ "${targetDir}" == "${source}" ]]; then + # symlink the sub directories + createDirectory "${NEW_DATA_DIR}/${target}" "Warning" + if [[ "$(checkDirExists "${NEW_DATA_DIR}/${target}")" == "true" ]]; then + symlinkOnExist "${OLD_DATA_DIR}/${source}" "${NEW_DATA_DIR}/${target}" "subDir" + basename="$(basename "${target}")" + cd "${NEW_DATA_DIR}/${target}" && rm -f "${basename}" + fi + else + targetParentDir="$(dirname "${NEW_DATA_DIR}/${target}")" + createDirectory "${targetParentDir}" "Warning" + if [[ "$(checkDirExists "${targetParentDir}")" == "true" ]]; then + symlinkOnExist "${OLD_DATA_DIR}/${source}" "${NEW_DATA_DIR}/${target}" + fi + fi +} + +symlinkOperation () { + local source="$1" + local target="$2" + local check=false + local targetLink= + local date= + + # Check if source is a link and do symlink + if [[ -L "${OLD_DATA_DIR}/${source}" ]]; then + targetLink=$(readlink -f "${OLD_DATA_DIR}/${source}") + symlinkOnExist "${targetLink}" "${NEW_DATA_DIR}/${target}" + else + # check if source is directory and do symlink + if [[ "$(checkDirExists "${OLD_DATA_DIR}/${source}")" != "true" ]]; then + logger "Source [${source}] directory not found in path to symlink" + return + fi + if [[ "$(checkDirContents "${OLD_DATA_DIR}/${source}")" != "true" ]]; then + logger "No contents found in [${OLD_DATA_DIR}/${source}] to symlink" + return + fi + if [[ "$(checkDirExists "${NEW_DATA_DIR}/${target}")" != "true" ]]; then + logger "Target directory [${NEW_DATA_DIR}/${target}] does not exist to create symlink, creating it" + symlinkDir "${source}" "${target}" + else + rm -rf "${NEW_DATA_DIR}/${target}" && check=true || check=false + [[ "${check}" == "false" ]] && warn "Failed to remove contents in [${NEW_DATA_DIR}/${target}/]" + symlinkDir "${source}" "${target}" + fi + fi +} +# Creates a symlink path - Source directory to which the symbolic link should point. +symlinkDirectories () { + local linkFiles= + local map= + local source= + local target= + + retrieveYamlValue "migration.linkFiles" "linkFiles" "Skip" + linkFiles="${YAML_VALUE}" + if [[ -z "${linkFiles}" ]]; then + return + fi + bannerSection "SYMLINK DIRECTORIES" + retrieveYamlValue "migration.linkFiles.map" "map" "Warning" + map="${YAML_VALUE}" + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + source="$(getSecondEntry "${entry}")" + target="$(getFirstEntry "${entry}")" + logger "Symlink directory [${NEW_DATA_DIR}/${target}] to old [${OLD_DATA_DIR}/${source}]" + [[ -z "${source}" ]] && warn "source value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + [[ -z "${target}" ]] && warn "target value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + symlinkOperation "${source}" "${target}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e target=source" + fi + echo ""; + done +} + +updateConnectionString () { + local yamlPath="$1" + local value="$2" + local mongoPath="shared.mongo.url" + local rabbitmqPath="shared.rabbitMq.url" + local postgresPath="shared.database.url" + local redisPath="shared.redis.connectionString" + local mongoConnectionString="mongo.connectionString" + local sourceKey= + local hostIp=$(io_getPublicHostIP) + local hostKey= + + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + # Replace @postgres:,@mongodb:,@rabbitmq:,@redis: to @{hostIp}: (Compose Installer) + hostKey="@${hostIp}:" + case $yamlPath in + ${postgresPath}) + sourceKey="@postgres:" + value=$(io_replaceString "${value}" "${sourceKey}" "${hostKey}") + ;; + ${mongoPath}) + sourceKey="@mongodb:" + value=$(io_replaceString "${value}" "${sourceKey}" "${hostKey}") + ;; + ${rabbitmqPath}) + sourceKey="@rabbitmq:" + value=$(io_replaceString "${value}" "${sourceKey}" "${hostKey}") + ;; + ${redisPath}) + sourceKey="@redis:" + value=$(io_replaceString "${value}" "${sourceKey}" "${hostKey}") + ;; + ${mongoConnectionString}) + sourceKey="@mongodb:" + value=$(io_replaceString "${value}" "${sourceKey}" "${hostKey}") + ;; + esac + fi + echo -n "${value}" +} + +yamlMigrate () { + local entry="$1" + local sourceFile="$2" + local value= + local yamlPath= + local key= + yamlPath="$(getFirstEntry "${entry}")" + key="$(getSecondEntry "${entry}")" + if [[ -z "${key}" ]]; then + warn "key is empty in map [${entry}] in the file [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + if [[ -z "${yamlPath}" ]]; then + warn "yamlPath is empty for [${key}] in [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + getYamlValue "${key}" "${sourceFile}" "false" + value="${YAML_VALUE}" + if [[ ! -z "${value}" ]]; then + value=$(updateConnectionString "${yamlPath}" "${value}") + fi + if [[ -z "${value}" ]]; then + logger "No value for [${key}] in [${sourceFile}]" + else + setSystemValue "${yamlPath}" "${value}" "${SYSTEM_YAML_PATH}" + logger "Setting [${yamlPath}] with value of the key [${key}] in system.yaml" + fi +} + +migrateYamlFile () { + local files= + local filePath= + local fileName= + local sourceFile= + local map= + retrieveYamlValue "migration.yaml.files" "files" "Skip" + files="${YAML_VALUE}" + if [[ -z "${files}" ]]; then + return + fi + bannerSection "MIGRATION OF YAML FILES" + for file in $files; + do + bannerSubSection "Processing Migration of $file" + retrieveYamlValue "migration.yaml.$file.filePath" "filePath" "Warning" + filePath="${YAML_VALUE}" + retrieveYamlValue "migration.yaml.$file.fileName" "fileName" "Warning" + fileName="${YAML_VALUE}" + [[ -z "${filePath}" && -z "${fileName}" ]] && continue + sourceFile="${NEW_DATA_DIR}/${filePath}/${fileName}" + if [[ "$(checkFileExists "${sourceFile}")" == "true" ]]; then + logger "File [${fileName}] found in path [${NEW_DATA_DIR}/${filePath}]" + retrieveYamlValue "migration.yaml.$file.map" "map" "Warning" + map="${YAML_VALUE}" + [[ -z "${map}" ]] && continue + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + yamlMigrate "${entry}" "${sourceFile}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e yamlPath=key" + fi + done + else + logger "File [${fileName}] is not found in path [${NEW_DATA_DIR}/${filePath}] to migrate" + fi + done +} +# updates the key and value in system.yaml +updateYamlKeyValue () { + local entry="$1" + local value= + local yamlPath= + local key= + + yamlPath="$(getFirstEntry "${entry}")" + value="$(getSecondEntry "${entry}")" + if [[ -z "${value}" ]]; then + warn "value is empty in map [${entry}] in the file [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + if [[ -z "${yamlPath}" ]]; then + warn "yamlPath is empty for [${key}] in [${MIGRATION_SYSTEM_YAML_INFO}]" + return + fi + setSystemValue "${yamlPath}" "${value}" "${SYSTEM_YAML_PATH}" + logger "Setting [${yamlPath}] with value [${value}] in system.yaml" +} + +updateSystemYamlFile () { + local updateYaml= + local map= + + retrieveYamlValue "migration.updateSystemYaml" "updateYaml" "Skip" + updateSystemYaml="${YAML_VALUE}" + if [[ -z "${updateSystemYaml}" ]]; then + return + fi + bannerSection "UPDATE SYSTEM YAML FILE WITH KEY AND VALUES" + retrieveYamlValue "migration.updateSystemYaml.map" "map" "Warning" + map="${YAML_VALUE}" + if [[ -z "${map}" ]]; then + return + fi + for entry in $map; + do + if [[ "$(checkMapEntry "${entry}")" == "true" ]]; then + updateYamlKeyValue "${entry}" + else + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e yamlPath=key" + fi + done +} + +backupFiles_hook () { + logSilly "Method ${FUNCNAME[0]}" +} + +backupDirectory () { + local backupDir="$1" + local dir="$2" + local targetDir="$3" + local effectiveUser= + local effectiveGroup= + + if [[ "${dir}" = \/* ]]; then + dir=$(echo "${dir/\//}") + fi + + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + effectiveUser="${JF_USER}" + effectiveGroup="${JF_USER}" + elif [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then + effectiveUser="${USER_TO_CHECK}" + effectiveGroup="${GROUP_TO_CHECK}" + fi + + removeSoftLinkAndCreateDir "${backupDir}" "${effectiveUser}" "${effectiveGroup}" "yes" + local backupDirectory="${backupDir}/${PRODUCT}" + removeSoftLinkAndCreateDir "${backupDirectory}" "${effectiveUser}" "${effectiveGroup}" "yes" + removeSoftLinkAndCreateDir "${backupDirectory}/${dir}" "${effectiveUser}" "${effectiveGroup}" "yes" + local outputCheckDirExists="$(checkDirExists "${backupDirectory}/${dir}")" + if [[ "${outputCheckDirExists}" == "true" ]]; then + copyOnContentExist "${targetDir}" "${backupDirectory}/${dir}" "full" + fi +} + +removeOldDirectory () { + local backupDir="$1" + local entry="$2" + local check=false + + # prepend OLD_DATA_DIR only if entry is relative path + local targetDir="$(prependDir "${entry}" "${OLD_DATA_DIR}/${entry}")" + local outputCheckDirExists="$(checkDirExists "${targetDir}")" + if [[ "${outputCheckDirExists}" != "true" ]]; then + logger "No [${targetDir}] directory found to delete" + echo ""; + return + fi + backupDirectory "${backupDir}" "${entry}" "${targetDir}" + rm -rf "${targetDir}" && check=true || check=false + [[ "${check}" == "true" ]] && logger "Successfully removed directory [${targetDir}]" + [[ "${check}" == "false" ]] && warn "Failed to remove directory [${targetDir}]" + echo ""; +} + +cleanUpOldDataDirectories () { + local cleanUpOldDataDir= + local map= + local entry= + + retrieveYamlValue "migration.cleanUpOldDataDir" "cleanUpOldDataDir" "Skip" + cleanUpOldDataDir="${YAML_VALUE}" + if [[ -z "${cleanUpOldDataDir}" ]]; then + return + fi + bannerSection "CLEAN UP OLD DATA DIRECTORIES" + retrieveYamlValue "migration.cleanUpOldDataDir.map" "map" "Warning" + map="${YAML_VALUE}" + [[ -z "${map}" ]] && continue + date="$(date +%Y%m%d%H%M)" + backupDir="${NEW_DATA_DIR}/backup/backup-${date}" + bannerImportant "****** Old data configurations are backedup in [${backupDir}] directory ******" + backupFiles_hook "${backupDir}/${PRODUCT}" + for entry in $map; + do + removeOldDirectory "${backupDir}" "${entry}" + done +} + +backupFiles () { + local backupDir="$1" + local dir="$2" + local targetDir="$3" + local fileName="$4" + local effectiveUser= + local effectiveGroup= + + if [[ "${dir}" = \/* ]]; then + dir=$(echo "${dir/\//}") + fi + + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then + effectiveUser="${JF_USER}" + effectiveGroup="${JF_USER}" + elif [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then + effectiveUser="${USER_TO_CHECK}" + effectiveGroup="${GROUP_TO_CHECK}" + fi + + removeSoftLinkAndCreateDir "${backupDir}" "${effectiveUser}" "${effectiveGroup}" "yes" + local backupDirectory="${backupDir}/${PRODUCT}" + removeSoftLinkAndCreateDir "${backupDirectory}" "${effectiveUser}" "${effectiveGroup}" "yes" + removeSoftLinkAndCreateDir "${backupDirectory}/${dir}" "${effectiveUser}" "${effectiveGroup}" "yes" + local outputCheckDirExists="$(checkDirExists "${backupDirectory}/${dir}")" + if [[ "${outputCheckDirExists}" == "true" ]]; then + copyCmd "${targetDir}/${fileName}" "${backupDirectory}/${dir}" "specific" + fi +} + +removeOldFiles () { + local backupDir="$1" + local directoryName="$2" + local fileName="$3" + local check=false + + # prepend OLD_DATA_DIR only if entry is relative path + local targetDir="$(prependDir "${directoryName}" "${OLD_DATA_DIR}/${directoryName}")" + local outputCheckFileExists="$(checkFileExists "${targetDir}/${fileName}")" + if [[ "${outputCheckFileExists}" != "true" ]]; then + logger "No [${targetDir}/${fileName}] file found to delete" + return + fi + backupFiles "${backupDir}" "${directoryName}" "${targetDir}" "${fileName}" + rm -f "${targetDir}/${fileName}" && check=true || check=false + [[ "${check}" == "true" ]] && logger "Successfully removed file [${targetDir}/${fileName}]" + [[ "${check}" == "false" ]] && warn "Failed to remove file [${targetDir}/${fileName}]" + echo ""; +} + +cleanUpOldFiles () { + local cleanUpFiles= + local map= + local entry= + + retrieveYamlValue "migration.cleanUpOldFiles" "cleanUpOldFiles" "Skip" + cleanUpOldFiles="${YAML_VALUE}" + if [[ -z "${cleanUpOldFiles}" ]]; then + return + fi + bannerSection "CLEAN UP OLD FILES" + retrieveYamlValue "migration.cleanUpOldFiles.map" "map" "Warning" + map="${YAML_VALUE}" + [[ -z "${map}" ]] && continue + date="$(date +%Y%m%d%H%M)" + backupDir="${NEW_DATA_DIR}/backup/backup-${date}" + bannerImportant "****** Old files are backedup in [${backupDir}] directory ******" + for entry in $map; + do + local outputCheckMapEntry="$(checkMapEntry "${entry}")" + if [[ "${outputCheckMapEntry}" != "true" ]]; then + warn "map entry [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}] is not in correct format, correct format i.e directoryName=fileName" + fi + local fileName="$(getSecondEntry "${entry}")" + local directoryName="$(getFirstEntry "${entry}")" + [[ -z "${fileName}" ]] && warn "File name value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + [[ -z "${directoryName}" ]] && warn "Directory name value is empty for [${entry}] in [${MIGRATION_SYSTEM_YAML_INFO}]" && continue + removeOldFiles "${backupDir}" "${directoryName}" "${fileName}" + echo ""; + done +} + +startMigration () { + bannerSection "STARTING MIGRATION" +} + +endMigration () { + bannerSection "MIGRATION COMPLETED SUCCESSFULLY" +} + +initialize () { + setAppDir + _pauseExecution "setAppDir" + initHelpers + _pauseExecution "initHelpers" + checkMigrationInfoYaml + _pauseExecution "checkMigrationInfoYaml" + getProduct + _pauseExecution "getProduct" + getDataDir + _pauseExecution "getDataDir" +} + +main () { + case $PRODUCT in + artifactory) + migrateArtifactory + ;; + distribution) + migrateDistribution + ;; + xray) + migrationXray + ;; + esac + exit 0 +} + +# Ensures meta data is logged +LOG_BEHAVIOR_ADD_META="$FLAG_Y" + + +migrateResolveDerbyPath () { + local key="$1" + local value="$2" + + if [[ "${key}" == "url" && "${value}" == *"db.home"* ]]; then + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" ]]; then + derbyPath="/opt/jfrog/artifactory/var/data/artifactory/derby" + value=$(echo "${value}" | sed "s|{db.home}|$derbyPath|") + else + derbyPath="${NEW_DATA_DIR}/data/artifactory/derby" + value=$(echo "${value}" | sed "s|{db.home}|$derbyPath|") + fi + fi + echo "${value}" +} + +migrateResolveHaDirPath () { + local key="$1" + local value="$2" + + if [[ "${INSTALLER}" == "${RPM_TYPE}" || "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" || "${INSTALLER}" == "${DEB_TYPE}" ]]; then + if [[ "${key}" == "artifactory.ha.data.dir" || "${key}" == "artifactory.ha.backup.dir" ]]; then + value=$(checkPathResolver "${value}") + fi + fi + echo "${value}" +} +updatePostgresUrlString_Hook () { + local yamlPath="$1" + local value="$2" + local hostIp=$(io_getPublicHostIP) + local sourceKey="//postgresql:" + if [[ "${yamlPath}" == "shared.database.url" ]]; then + value=$(io_replaceString "${value}" "${sourceKey}" "//${hostIp}:" "#") + fi + echo "${value}" +} +# Check Artifactory product version +checkArtifactoryVersion () { + local minProductVersion="6.0.0" + local maxProductVersion="7.0.0" + local propertyInDocker="ARTIFACTORY_VERSION" + local property="artifactory.version" + + if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" ]]; then + local newfilePath="${APP_DIR}/../.env" + local oldfilePath="${OLD_DATA_DIR}/etc/artifactory.properties" + elif [[ "${INSTALLER}" == "${HELM_TYPE}" ]]; then + local oldfilePath="${OLD_DATA_DIR}/etc/artifactory.properties" + elif [[ "${INSTALLER}" == "${ZIP_TYPE}" ]]; then + local newfilePath="${NEW_DATA_DIR}/etc/artifactory/artifactory.properties" + local oldfilePath="${OLD_DATA_DIR}/etc/artifactory.properties" + else + local newfilePath="${NEW_DATA_DIR}/etc/artifactory/artifactory.properties" + local oldfilePath="/etc/opt/jfrog/artifactory/artifactory.properties" + fi + + getProductVersion "${minProductVersion}" "${maxProductVersion}" "${newfilePath}" "${oldfilePath}" "${propertyInDocker}" "${property}" +} + +getCustomDataDir_hook () { + retrieveYamlValue "migration.oldDataDir" "oldDataDir" "Fail" + OLD_DATA_DIR="${YAML_VALUE}" +} + +# Get protocol value of connector +getXmlConnectorProtocol () { + local i="$1" + local filePath="$2" + local fileName="$3" + local protocolValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@protocol' ${filePath}/${fileName} 2>/dev/null |awk -F"=" '{print $2}' | tr -d '"') + echo -e "${protocolValue}" +} + +# Get all attributes of connector +getXmlConnectorAttributes () { + local i="$1" + local filePath="$2" + local fileName="$3" + local connectorAttributes=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@*' ${filePath}/${fileName} 2>/dev/null) + # strip leading and trailing spaces + connectorAttributes=$(io_trim "${connectorAttributes}") + echo "${connectorAttributes}" +} + +# Get port value of connector +getXmlConnectorPort () { + local i="$1" + local filePath="$2" + local fileName="$3" + local portValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@port' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + echo -e "${portValue}" +} + +# Get maxThreads value of connector +getXmlConnectorMaxThreads () { + local i="$1" + local filePath="$2" + local fileName="$3" + local maxThreadValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@maxThreads' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + echo -e "${maxThreadValue}" +} +# Get sendReasonPhrase value of connector +getXmlConnectorSendReasonPhrase () { + local i="$1" + local filePath="$2" + local fileName="$3" + local sendReasonPhraseValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@sendReasonPhrase' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + echo -e "${sendReasonPhraseValue}" +} +# Get relaxedPathChars value of connector +getXmlConnectorRelaxedPathChars () { + local i="$1" + local filePath="$2" + local fileName="$3" + local relaxedPathCharsValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@relaxedPathChars' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + # strip leading and trailing spaces + relaxedPathCharsValue=$(io_trim "${relaxedPathCharsValue}") + echo -e "${relaxedPathCharsValue}" +} +# Get relaxedQueryChars value of connector +getXmlConnectorRelaxedQueryChars () { + local i="$1" + local filePath="$2" + local fileName="$3" + local relaxedQueryCharsValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@relaxedQueryChars' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + # strip leading and trailing spaces + relaxedQueryCharsValue=$(io_trim "${relaxedQueryCharsValue}") + echo -e "${relaxedQueryCharsValue}" +} + +# Updating system.yaml with Connector port +setConnectorPort () { + local yamlPath="$1" + local valuePort="$2" + local portYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${valuePort}" ]]; then + warn "port value is empty, could not migrate to system.yaml" + return + fi + ## Getting port yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" portYamlPath "Warning" + portYamlPath="${YAML_VALUE}" + if [[ -z "${portYamlPath}" ]]; then + return + fi + setSystemValue "${portYamlPath}" "${valuePort}" "${SYSTEM_YAML_PATH}" + logger "Setting [${portYamlPath}] with value [${valuePort}] in system.yaml" +} + +# Updating system.yaml with Connector maxThreads +setConnectorMaxThread () { + local yamlPath="$1" + local threadValue="$2" + local maxThreadYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${threadValue}" ]]; then + return + fi + ## Getting max Threads yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" maxThreadYamlPath "Warning" + maxThreadYamlPath="${YAML_VALUE}" + if [[ -z "${maxThreadYamlPath}" ]]; then + return + fi + setSystemValue "${maxThreadYamlPath}" "${threadValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${maxThreadYamlPath}] with value [${threadValue}] in system.yaml" +} + +# Updating system.yaml with Connector sendReasonPhrase +setConnectorSendReasonPhrase () { + local yamlPath="$1" + local sendReasonPhraseValue="$2" + local sendReasonPhraseYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${sendReasonPhraseValue}" ]]; then + return + fi + ## Getting sendReasonPhrase yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" sendReasonPhraseYamlPath "Warning" + sendReasonPhraseYamlPath="${YAML_VALUE}" + if [[ -z "${sendReasonPhraseYamlPath}" ]]; then + return + fi + setSystemValue "${sendReasonPhraseYamlPath}" "${sendReasonPhraseValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${sendReasonPhraseYamlPath}] with value [${sendReasonPhraseValue}] in system.yaml" +} + +# Updating system.yaml with Connector relaxedPathChars +setConnectorRelaxedPathChars () { + local yamlPath="$1" + local relaxedPathCharsValue="$2" + local relaxedPathCharsYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${relaxedPathCharsValue}" ]]; then + return + fi + ## Getting relaxedPathChars yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" relaxedPathCharsYamlPath "Warning" + relaxedPathCharsYamlPath="${YAML_VALUE}" + if [[ -z "${relaxedPathCharsYamlPath}" ]]; then + return + fi + setSystemValue "${relaxedPathCharsYamlPath}" "${relaxedPathCharsValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${relaxedPathCharsYamlPath}] with value [${relaxedPathCharsValue}] in system.yaml" +} + +# Updating system.yaml with Connector relaxedQueryChars +setConnectorRelaxedQueryChars () { + local yamlPath="$1" + local relaxedQueryCharsValue="$2" + local relaxedQueryCharsYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${relaxedQueryCharsValue}" ]]; then + return + fi + ## Getting relaxedQueryChars yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" relaxedQueryCharsYamlPath "Warning" + relaxedQueryCharsYamlPath="${YAML_VALUE}" + if [[ -z "${relaxedQueryCharsYamlPath}" ]]; then + return + fi + setSystemValue "${relaxedQueryCharsYamlPath}" "${relaxedQueryCharsValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${relaxedQueryCharsYamlPath}] with value [${relaxedQueryCharsValue}] in system.yaml" +} + +# Updating system.yaml with Connectors configurations +setConnectorExtraConfig () { + local yamlPath="$1" + local connectorAttributes="$2" + local extraConfigPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${connectorAttributes}" ]]; then + return + fi + ## Getting extraConfig yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" extraConfig "Warning" + extraConfigPath="${YAML_VALUE}" + if [[ -z "${extraConfigPath}" ]]; then + return + fi + # strip leading and trailing spaces + connectorAttributes=$(io_trim "${connectorAttributes}") + setSystemValue "${extraConfigPath}" "${connectorAttributes}" "${SYSTEM_YAML_PATH}" + logger "Setting [${extraConfigPath}] with connector attributes in system.yaml" +} + +# Updating system.yaml with extra Connectors +setExtraConnector () { + local yamlPath="$1" + local extraConnector="$2" + local extraConnectorYamlPath= + if [[ -z "${yamlPath}" ]]; then + return + fi + if [[ -z "${extraConnector}" ]]; then + return + fi + ## Getting extraConnecotr yaml path from migration info yaml + retrieveYamlValue "${yamlPath}" extraConnectorYamlPath "Warning" + extraConnectorYamlPath="${YAML_VALUE}" + if [[ -z "${extraConnectorYamlPath}" ]]; then + return + fi + getYamlValue "${extraConnectorYamlPath}" "${SYSTEM_YAML_PATH}" "false" + local connectorExtra="${YAML_VALUE}" + if [[ -z "${connectorExtra}" ]]; then + setSystemValue "${extraConnectorYamlPath}" "${extraConnector}" "${SYSTEM_YAML_PATH}" + logger "Setting [${extraConnectorYamlPath}] with extra connectors in system.yaml" + else + setSystemValue "${extraConnectorYamlPath}" "\"${connectorExtra} ${extraConnector}\"" "${SYSTEM_YAML_PATH}" + logger "Setting [${extraConnectorYamlPath}] with extra connectors in system.yaml" + fi +} + +# Migrate extra connectors to system.yaml +migrateExtraConnectors () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local excludeDefaultPort="$4" + local i="$5" + local extraConfig= + local extraConnector= + if [[ "${excludeDefaultPort}" == "yes" ]]; then + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + [[ "${portValue}" != "${DEFAULT_ACCESS_PORT}" && "${portValue}" != "${DEFAULT_RT_PORT}" ]] || continue + extraConnector=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']' ${filePath}/${fileName} 2>/dev/null) + setExtraConnector "${EXTRA_CONFIG_YAMLPATH}" "${extraConnector}" + done + else + extraConnector=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']' ${filePath}/${fileName} 2>/dev/null) + setExtraConnector "${EXTRA_CONFIG_YAMLPATH}" "${extraConnector}" + fi +} + +# Migrate connector configurations +migrateConnectorConfig () { + local i="$1" + local protocolType="$2" + local portValue="$3" + local connectorPortYamlPath="$4" + local connectorMaxThreadYamlPath="$5" + local connectorAttributesYamlPath="$6" + local filePath="$7" + local fileName="$8" + local connectorSendReasonPhraseYamlPath="$9" + local connectorRelaxedPathCharsYamlPath="${10}" + local connectorRelaxedQueryCharsYamlPath="${11}" + + # migrate port + setConnectorPort "${connectorPortYamlPath}" "${portValue}" + + # migrate maxThreads + local maxThreadValue=$(getXmlConnectorMaxThreads "$i" "${filePath}" "${fileName}") + setConnectorMaxThread "${connectorMaxThreadYamlPath}" "${maxThreadValue}" + + # migrate sendReasonPhrase + local sendReasonPhraseValue=$(getXmlConnectorSendReasonPhrase "$i" "${filePath}" "${fileName}") + setConnectorSendReasonPhrase "${connectorSendReasonPhraseYamlPath}" "${sendReasonPhraseValue}" + + # migrate relaxedPathChars + local relaxedPathCharsValue=$(getXmlConnectorRelaxedPathChars "$i" "${filePath}" "${fileName}") + setConnectorRelaxedPathChars "${connectorRelaxedPathCharsYamlPath}" "\"${relaxedPathCharsValue}\"" + # migrate relaxedQueryChars + local relaxedQueryCharsValue=$(getXmlConnectorRelaxedQueryChars "$i" "${filePath}" "${fileName}") + setConnectorRelaxedQueryChars "${connectorRelaxedQueryCharsYamlPath}" "\"${relaxedQueryCharsValue}\"" + + # migrate all attributes to extra config except port , maxThread , sendReasonPhrase ,relaxedPathChars and relaxedQueryChars + local connectorAttributes=$(getXmlConnectorAttributes "$i" "${filePath}" "${fileName}") + connectorAttributes=$(echo "${connectorAttributes}" | sed 's/port="'${portValue}'"//g' | sed 's/maxThreads="'${maxThreadValue}'"//g' | sed 's/sendReasonPhrase="'${sendReasonPhraseValue}'"//g' | sed 's/relaxedPathChars="\'${relaxedPathCharsValue}'\"//g' | sed 's/relaxedQueryChars="\'${relaxedQueryCharsValue}'\"//g') + # strip leading and trailing spaces + connectorAttributes=$(io_trim "${connectorAttributes}") + setConnectorExtraConfig "${connectorAttributesYamlPath}" "${connectorAttributes}" +} + +# Check for default port 8040 and 8081 in connectors and migrate +migrateConnectorPort () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local defaultPort="$4" + local connectorPortYamlPath="$5" + local connectorMaxThreadYamlPath="$6" + local connectorAttributesYamlPath="$7" + local connectorSendReasonPhraseYamlPath="$8" + local connectorRelaxedPathCharsYamlPath="$9" + local connectorRelaxedQueryCharsYamlPath="${10}" + local portYamlPath= + local maxThreadYamlPath= + local status= + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + [[ "${protocolType}" == *AJP* ]] && continue + [[ "${portValue}" != "${defaultPort}" ]] && continue + if [[ "${portValue}" == "${DEFAULT_RT_PORT}" ]]; then + RT_DEFAULTPORT_STATUS=success + else + AC_DEFAULTPORT_STATUS=success + fi + migrateConnectorConfig "${i}" "${protocolType}" "${portValue}" "${connectorPortYamlPath}" "${connectorMaxThreadYamlPath}" "${connectorAttributesYamlPath}" "${filePath}" "${fileName}" "${connectorSendReasonPhraseYamlPath}" "${connectorRelaxedPathCharsYamlPath}" "${connectorRelaxedQueryCharsYamlPath}" + done +} + +# migrate to extra, connector having default port and protocol is AJP +migrateDefaultPortIfAjp () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local defaultPort="$4" + + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + [[ "${protocolType}" != *AJP* ]] && continue + [[ "${portValue}" != "${defaultPort}" ]] && continue + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "no" "${i}" + done + +} + +# Comparing max threads in connectors +compareMaxThreads () { + local firstConnectorMaxThread="$1" + local firstConnectorNode="$2" + local secondConnectorMaxThread="$3" + local secondConnectorNode="$4" + local filePath="$5" + local fileName="$6" + + # choose higher maxThreads connector as Artifactory. + if [[ "${firstConnectorMaxThread}" -gt ${secondConnectorMaxThread} || "${firstConnectorMaxThread}" -eq ${secondConnectorMaxThread} ]]; then + # maxThread is higher in firstConnector, + # Taking firstConnector as Artifactory and SecondConnector as Access + # maxThread is equal in both connector,considering firstConnector as Artifactory and SecondConnector as Access + local rtPortValue=$(getXmlConnectorPort "${firstConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${firstConnectorNode}" "${protocolType}" "${rtPortValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + local acPortValue=$(getXmlConnectorPort "${secondConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${secondConnectorNode}" "${protocolType}" "${acPortValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + else + # maxThread is higher in SecondConnector, + # Taking SecondConnector as Artifactory and firstConnector as Access + local rtPortValue=$(getXmlConnectorPort "${secondConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${secondConnectorNode}" "${protocolType}" "${rtPortValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + local acPortValue=$(getXmlConnectorPort "${firstConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${firstConnectorNode}" "${protocolType}" "${acPortValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + fi +} + +# Check max threads exist to compare +maxThreadsExistToCompare () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local firstConnectorMaxThread= + local secondConnectorMaxThread= + local firstConnectorNode= + local secondConnectorNode= + local status=success + local firstnode=fail + + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + if [[ ${protocolType} == *AJP* ]]; then + # Migrate Connectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "no" "${i}" + continue + fi + # store maxthreads value of each connector + if [[ ${firstnode} == "fail" ]]; then + firstConnectorMaxThread=$(getXmlConnectorMaxThreads "${i}" "${filePath}" "${fileName}") + firstConnectorNode="${i}" + firstnode=success + else + secondConnectorMaxThread=$(getXmlConnectorMaxThreads "${i}" "${filePath}" "${fileName}") + secondConnectorNode="${i}" + fi + done + [[ -z "${firstConnectorMaxThread}" ]] && status=fail + [[ -z "${secondConnectorMaxThread}" ]] && status=fail + # maxThreads is set, now compare MaxThreads + if [[ "${status}" == "success" ]]; then + compareMaxThreads "${firstConnectorMaxThread}" "${firstConnectorNode}" "${secondConnectorMaxThread}" "${secondConnectorNode}" "${filePath}" "${fileName}" + else + # Assume first connector is RT, maxThreads is not set in both connectors + local rtPortValue=$(getXmlConnectorPort "${firstConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${firstConnectorNode}" "${protocolType}" "${rtPortValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + local acPortValue=$(getXmlConnectorPort "${secondConnectorNode}" "${filePath}" "${fileName}") + migrateConnectorConfig "${secondConnectorNode}" "${protocolType}" "${acPortValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + fi +} + +migrateExtraBasedOnNonAjpCount () { + local nonAjpCount="$1" + local filePath="$2" + local fileName="$3" + local connectorCount="$4" + local i="$5" + + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + if [[ "${protocolType}" == *AJP* ]]; then + if [[ "${nonAjpCount}" -eq 1 ]]; then + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "no" "${i}" + continue + else + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + continue + fi + fi +} + +# find RT and AC Connector +findRtAndAcConnector () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local initialAjpCount=0 + local nonAjpCount=0 + + # get the count of non AJP + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + [[ "${protocolType}" != *AJP* ]] || continue + nonAjpCount=$((initialAjpCount+1)) + initialAjpCount="${nonAjpCount}" + done + if [[ "${nonAjpCount}" -eq 1 ]]; then + # Add the connector found as access and artifactory connectors + # Mark port as 8040 for access + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + migrateExtraBasedOnNonAjpCount "${nonAjpCount}" "${filePath}" "${fileName}" "${connectorCount}" "$i" + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + setConnectorPort "${AC_PORT_YAMLPATH}" "${DEFAULT_ACCESS_PORT}" + done + elif [[ "${nonAjpCount}" -eq 2 ]]; then + # compare maxThreads in both connectors + maxThreadsExistToCompare "${filePath}" "${fileName}" "${connectorCount}" + elif [[ "${nonAjpCount}" -gt 2 ]]; then + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + elif [[ "${nonAjpCount}" -eq 0 ]]; then + # setting with default port in system.yaml + setConnectorPort "${RT_PORT_YAMLPATH}" "${DEFAULT_RT_PORT}" + setConnectorPort "${AC_PORT_YAMLPATH}" "${DEFAULT_ACCESS_PORT}" + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + fi +} + +# get the count of non AJP +getCountOfNonAjp () { + local port="$1" + local connectorCount="$2" + local filePath=$3 + local fileName=$4 + local initialNonAjpCount=0 + + for ((i = 1 ; i <= "${connectorCount}" ; i++)); + do + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + local protocolType=$(getXmlConnectorProtocol "$i" "${filePath}" "${fileName}") + [[ "${portValue}" != "${port}" ]] || continue + [[ "${protocolType}" != *AJP* ]] || continue + local nonAjpCount=$((initialNonAjpCount+1)) + initialNonAjpCount="${nonAjpCount}" + done + echo -e "${nonAjpCount}" +} + +# Find for access connector +findAcConnector () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + + # get the count of non AJP + local nonAjpCount=$(getCountOfNonAjp "${DEFAULT_RT_PORT}" "${connectorCount}" "${filePath}" "${fileName}") + if [[ "${nonAjpCount}" -eq 1 ]]; then + # Add the connector found as access connector and mark port as that of connector + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + migrateExtraBasedOnNonAjpCount "${nonAjpCount}" "${filePath}" "${fileName}" "${connectorCount}" "$i" + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + if [[ "${portValue}" != "${DEFAULT_RT_PORT}" ]]; then + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + fi + done + elif [[ "${nonAjpCount}" -gt 1 ]]; then + # Take RT properties into access with 8040 + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + migrateExtraBasedOnNonAjpCount "${nonAjpCount}" "${filePath}" "${fileName}" "${connectorCount}" "$i" + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + if [[ "${portValue}" == "${DEFAULT_RT_PORT}" ]]; then + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${AC_SENDREASONPHRASE_YAMLPATH}" + setConnectorPort "${AC_PORT_YAMLPATH}" "${DEFAULT_ACCESS_PORT}" + fi + done + elif [[ "${nonAjpCount}" -eq 0 ]]; then + # Add RT connector details as access connector and mark port as 8040 + migrateConnectorPort "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_RT_PORT}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${AC_SENDREASONPHRASE_YAMLPATH}" + setConnectorPort "${AC_PORT_YAMLPATH}" "${DEFAULT_ACCESS_PORT}" + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + fi +} + +# Find for artifactory connector +findRtConnector () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + + # get the count of non AJP + local nonAjpCount=$(getCountOfNonAjp "${DEFAULT_ACCESS_PORT}" "${connectorCount}" "${filePath}" "${fileName}") + if [[ "${nonAjpCount}" -eq 1 ]]; then + # Add the connector found as RT connector + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + migrateExtraBasedOnNonAjpCount "${nonAjpCount}" "${filePath}" "${fileName}" "${connectorCount}" "$i" + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + if [[ "${portValue}" != "${DEFAULT_ACCESS_PORT}" ]]; then + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + fi + done + elif [[ "${nonAjpCount}" -gt 1 ]]; then + # Take access properties into artifactory with 8081 + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + migrateExtraBasedOnNonAjpCount "${nonAjpCount}" "${filePath}" "${fileName}" "${connectorCount}" "$i" + local portValue=$(getXmlConnectorPort "$i" "${filePath}" "${fileName}") + if [[ "${portValue}" == "${DEFAULT_ACCESS_PORT}" ]]; then + migrateConnectorConfig "$i" "${protocolType}" "${portValue}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${filePath}" "${fileName}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + setConnectorPort "${RT_PORT_YAMLPATH}" "${DEFAULT_RT_PORT}" + fi + done + elif [[ "${nonAjpCount}" -eq 0 ]]; then + # Add access connector details as RT connector and mark as ${DEFAULT_RT_PORT} + migrateConnectorPort "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_ACCESS_PORT}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + setConnectorPort "${RT_PORT_YAMLPATH}" "${DEFAULT_RT_PORT}" + # migrateExtraConnectors + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + fi +} + +checkForTlsConnector () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + for ((i = 1 ; i <= "${connectorCount}" ; i++)) + do + local sslProtocolValue=$($LIBXML2_PATH --xpath '//Server/Service/Connector['$i']/@sslProtocol' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + if [[ "${sslProtocolValue}" == "TLS" ]]; then + bannerImportant "NOTE: Ignoring TLS connector during migration, modify the system yaml to enable TLS. Original server.xml is saved in path [${filePath}/${fileName}]" + TLS_CONNECTOR_EXISTS=${FLAG_Y} + continue + fi + done +} + +# set custom tomcat server Listeners to system.yaml +setListenerConnector () { + local filePath="$1" + local fileName="$2" + local listenerCount="$3" + for ((i = 1 ; i <= "${listenerCount}" ; i++)) + do + local listenerConnector=$($LIBXML2_PATH --xpath '//Server/Listener['$i']' ${filePath}/${fileName} 2>/dev/null) + local listenerClassName=$($LIBXML2_PATH --xpath '//Server/Listener['$i']/@className' ${filePath}/${fileName} 2>/dev/null | awk -F"=" '{print $2}' | tr -d '"') + if [[ "${listenerClassName}" == *Apr* ]]; then + setExtraConnector "${EXTRA_LISTENER_CONFIG_YAMLPATH}" "${listenerConnector}" + fi + done +} +# add custom tomcat server Listeners +addTomcatServerListeners () { + local filePath="$1" + local fileName="$2" + local listenerCount="$3" + if [[ "${listenerCount}" == "0" ]]; then + logger "No listener connectors found in the [${filePath}/${fileName}],skipping migration of listener connectors" + else + setListenerConnector "${filePath}" "${fileName}" "${listenerCount}" + setSystemValue "${RT_TOMCAT_HTTPSCONNECTOR_ENABLED}" "true" "${SYSTEM_YAML_PATH}" + logger "Setting [${RT_TOMCAT_HTTPSCONNECTOR_ENABLED}] with value [true] in system.yaml" + fi +} + +# server.xml migration operations +xmlMigrateOperation () { + local filePath="$1" + local fileName="$2" + local connectorCount="$3" + local listenerCount="$4" + RT_DEFAULTPORT_STATUS=fail + AC_DEFAULTPORT_STATUS=fail + TLS_CONNECTOR_EXISTS=${FLAG_N} + + # Check for connector with TLS , if found ignore migrating it + checkForTlsConnector "${filePath}" "${fileName}" "${connectorCount}" + if [[ "${TLS_CONNECTOR_EXISTS}" == "${FLAG_Y}" ]]; then + return + fi + addTomcatServerListeners "${filePath}" "${fileName}" "${listenerCount}" + # Migrate RT default port from connectors + migrateConnectorPort "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_RT_PORT}" "${RT_PORT_YAMLPATH}" "${RT_MAXTHREADS_YAMLPATH}" "${RT_EXTRACONFIG_YAMLPATH}" "${RT_SENDREASONPHRASE_YAMLPATH}" "${RT_RELAXEDPATHCHARS_YAMLPATH}" "${RT_RELAXEDQUERYCHARS_YAMLPATH}" + # Migrate to extra if RT default ports are AJP + migrateDefaultPortIfAjp "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_RT_PORT}" + # Migrate AC default port from connectors + migrateConnectorPort "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_ACCESS_PORT}" "${AC_PORT_YAMLPATH}" "${AC_MAXTHREADS_YAMLPATH}" "${AC_EXTRACONFIG_YAMLPATH}" "${AC_SENDREASONPHRASE_YAMLPATH}" + # Migrate to extra if access default ports are AJP + migrateDefaultPortIfAjp "${filePath}" "${fileName}" "${connectorCount}" "${DEFAULT_ACCESS_PORT}" + + if [[ "${AC_DEFAULTPORT_STATUS}" == "success" && "${RT_DEFAULTPORT_STATUS}" == "success" ]]; then + # RT and AC default port found + logger "Artifactory 8081 and Access 8040 default port are found" + migrateExtraConnectors "${filePath}" "${fileName}" "${connectorCount}" "yes" + elif [[ "${AC_DEFAULTPORT_STATUS}" == "success" && "${RT_DEFAULTPORT_STATUS}" == "fail" ]]; then + # Only AC default port found,find RT connector + logger "Found Access default 8040 port" + findRtConnector "${filePath}" "${fileName}" "${connectorCount}" + elif [[ "${AC_DEFAULTPORT_STATUS}" == "fail" && "${RT_DEFAULTPORT_STATUS}" == "success" ]]; then + # Only RT default port found,find AC connector + logger "Found Artifactory default 8081 port" + findAcConnector "${filePath}" "${fileName}" "${connectorCount}" + elif [[ "${AC_DEFAULTPORT_STATUS}" == "fail" && "${RT_DEFAULTPORT_STATUS}" == "fail" ]]; then + # RT and AC default port not found, find connector + logger "Artifactory 8081 and Access 8040 default port are not found" + findRtAndAcConnector "${filePath}" "${fileName}" "${connectorCount}" + fi +} + +# get count of connectors +getXmlConnectorCount () { + local filePath="$1" + local fileName="$2" + local count=$($LIBXML2_PATH --xpath 'count(/Server/Service/Connector)' ${filePath}/${fileName}) + echo -e "${count}" +} + +# get count of listener connectors +getTomcatServerListenersCount () { + local filePath="$1" + local fileName="$2" + local count=$($LIBXML2_PATH --xpath 'count(/Server/Listener)' ${filePath}/${fileName}) + echo -e "${count}" +} + +# Migrate server.xml configuration to system.yaml +migrateXmlFile () { + local xmlFiles= + local fileName= + local filePath= + local sourceFilePath= + DEFAULT_ACCESS_PORT="8040" + DEFAULT_RT_PORT="8081" + AC_PORT_YAMLPATH="migration.xmlFiles.serverXml.access.port" + AC_MAXTHREADS_YAMLPATH="migration.xmlFiles.serverXml.access.maxThreads" + AC_SENDREASONPHRASE_YAMLPATH="migration.xmlFiles.serverXml.access.sendReasonPhrase" + AC_EXTRACONFIG_YAMLPATH="migration.xmlFiles.serverXml.access.extraConfig" + RT_PORT_YAMLPATH="migration.xmlFiles.serverXml.artifactory.port" + RT_MAXTHREADS_YAMLPATH="migration.xmlFiles.serverXml.artifactory.maxThreads" + RT_SENDREASONPHRASE_YAMLPATH='migration.xmlFiles.serverXml.artifactory.sendReasonPhrase' + RT_RELAXEDPATHCHARS_YAMLPATH='migration.xmlFiles.serverXml.artifactory.relaxedPathChars' + RT_RELAXEDQUERYCHARS_YAMLPATH='migration.xmlFiles.serverXml.artifactory.relaxedQueryChars' + RT_EXTRACONFIG_YAMLPATH="migration.xmlFiles.serverXml.artifactory.extraConfig" + ROUTER_PORT_YAMLPATH="migration.xmlFiles.serverXml.router.port" + EXTRA_CONFIG_YAMLPATH="migration.xmlFiles.serverXml.extra.config" + EXTRA_LISTENER_CONFIG_YAMLPATH="migration.xmlFiles.serverXml.extra.listener" + RT_TOMCAT_HTTPSCONNECTOR_ENABLED="artifactory.tomcat.httpsConnector.enabled" + + retrieveYamlValue "migration.xmlFiles" "xmlFiles" "Skip" + xmlFiles="${YAML_VALUE}" + if [[ -z "${xmlFiles}" ]]; then + return + fi + bannerSection "PROCESSING MIGRATION OF XML FILES" + retrieveYamlValue "migration.xmlFiles.serverXml.fileName" "fileName" "Warning" + fileName="${YAML_VALUE}" + if [[ -z "${fileName}" ]]; then + return + fi + bannerSubSection "Processing Migration of $fileName" + retrieveYamlValue "migration.xmlFiles.serverXml.filePath" "filePath" "Warning" + filePath="${YAML_VALUE}" + if [[ -z "${filePath}" ]]; then + return + fi + # prepend NEW_DATA_DIR only if filePath is relative path + sourceFilePath=$(prependDir "${filePath}" "${NEW_DATA_DIR}/${filePath}") + if [[ "$(checkFileExists "${sourceFilePath}/${fileName}")" == "true" ]]; then + logger "File [${fileName}] is found in path [${sourceFilePath}]" + local connectorCount=$(getXmlConnectorCount "${sourceFilePath}" "${fileName}") + if [[ "${connectorCount}" == "0" ]]; then + logger "No connectors found in the [${filePath}/${fileName}],skipping migration of xml configuration" + return + fi + local listenerCount=$(getTomcatServerListenersCount "${sourceFilePath}" "${fileName}") + xmlMigrateOperation "${sourceFilePath}" "${fileName}" "${connectorCount}" "${listenerCount}" + else + logger "File [${fileName}] is not found in path [${sourceFilePath}] to migrate" + fi +} + +compareArtifactoryUser () { + local property="$1" + local oldPropertyValue="$2" + local newPropertyValue="$3" + local yamlPath="$4" + local sourceFile="$5" + + if [[ "${oldPropertyValue}" != "${newPropertyValue}" ]]; then + setSystemValue "${yamlPath}" "${oldPropertyValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${yamlPath}] with value of the property [${property}] in system.yaml" + else + logger "No change in property [${property}] value in [${sourceFile}] to migrate" + fi +} + +migrateReplicator () { + local property="$1" + local oldPropertyValue="$2" + local yamlPath="$3" + + setSystemValue "${yamlPath}" "${oldPropertyValue}" "${SYSTEM_YAML_PATH}" + logger "Setting [${yamlPath}] with value of the property [${property}] in system.yaml" +} + +compareJavaOptions () { + local property="$1" + local oldPropertyValue="$2" + local newPropertyValue="$3" + local yamlPath="$4" + local sourceFile="$5" + local oldJavaOption= + local newJavaOption= + local extraJavaOption= + local check=false + local success=true + local status=true + + oldJavaOption=$(echo "${oldPropertyValue}" | awk 'BEGIN{FS=OFS="\""}{for(i=2;i.+)\.{{ include "artifactory.fullname" . }} {{ include "artifactory.fullname" . }} +{{ tpl (include "artifactory.nginx.hosts" .) . }}; + +if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; +} +set $host_port {{ .Values.nginx.https.externalPort }}; +if ( $scheme = "http" ) { + set $host_port {{ .Values.nginx.http.externalPort }}; +} +## Application specific logs +## access_log /var/log/nginx/artifactory-access.log timing; +## error_log /var/log/nginx/artifactory-error.log; +rewrite ^/artifactory/?$ / redirect; +if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; +} +chunked_transfer_encoding on; +client_max_body_size 0; + +location / { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + proxy_pass {{ include "artifactory.scheme" . }}://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalPort }}/; + {{- if .Values.nginx.service.ssloffload}} + {{- if .Values.nginx.service.ssloffloadForceHttps}} + proxy_set_header X-JFrog-Override-Base-Url https://$host; + proxy_set_header X-Forwarded-Proto https; + {{- else }} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + {{- end }} + {{- else if or (eq (int .Values.nginx.https.internalPort) 80) (eq (int .Values.nginx.https.externalPort) 443)}} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + {{- else }} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$host_port; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + {{- end }} + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + {{- if .Values.nginx.disableProxyBuffering}} + proxy_http_version 1.1; + proxy_request_buffering off; + proxy_buffering off; + {{- end }} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + location /artifactory/ { + {{- if .Values.rtfs.enabled }} + if ($request_uri ~ ^/artifactory/service/rtfs/(.*)$ ) { + proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalPort }}/artifactory/service/rtfs/$1; + break; + } + {{- end }} + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; + } + proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; + } + location /pipelines/ { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + {{- if .Values.router.tlsEnabled }} + proxy_pass https://{{ include "artifactory.fullname" . }}:{{ .Values.router.internalPort }}; + {{- else }} + proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.router.internalPort }}; + {{- end }} + } +} +} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/nginx-main-conf.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/nginx-main-conf.yaml new file mode 100644 index 000000000..6ee7f98f9 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/nginx-main-conf.yaml @@ -0,0 +1,83 @@ +# Main Nginx configuration file +worker_processes 4; + +{{- if .Values.nginx.logs.stderr }} +error_log stderr {{ .Values.nginx.logs.level }}; +{{- else -}} +error_log {{ .Values.nginx.persistence.mountPath }}/logs/error.log {{ .Values.nginx.logs.level }}; +{{- end }} +pid /var/run/nginx.pid; + +{{- if .Values.artifactory.ssh.enabled }} +## SSH Server Configuration +stream { + server { + {{- if .Values.nginx.singleStackIPv6Cluster }} + listen [::]:{{ .Values.nginx.ssh.internalPort }}; + {{- else -}} + listen {{ .Values.nginx.ssh.internalPort }}; + {{- end }} + proxy_pass {{ include "artifactory.fullname" . }}:{{ .Values.artifactory.ssh.externalPort }}; + } +} +{{- end }} + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + variables_hash_max_size 1024; + variables_hash_bucket_size 64; + server_names_hash_max_size 4096; + server_names_hash_bucket_size 128; + types_hash_max_size 2048; + types_hash_bucket_size 64; + proxy_read_timeout 2400s; + client_header_timeout 2400s; + client_body_timeout 2400s; + proxy_connect_timeout 75s; + proxy_send_timeout 2400s; + proxy_buffer_size 128k; + proxy_buffers 40 128k; + proxy_busy_buffers_size 128k; + proxy_temp_file_write_size 250m; + proxy_http_version 1.1; + client_body_buffer_size 128k; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + log_format timing 'ip = $remote_addr ' + 'user = \"$remote_user\" ' + 'local_time = \"$time_local\" ' + 'host = $host ' + 'request = \"$request\" ' + 'status = $status ' + 'bytes = $body_bytes_sent ' + 'upstream = \"$upstream_addr\" ' + 'upstream_time = $upstream_response_time ' + 'request_time = $request_time ' + 'referer = \"$http_referer\" ' + 'UA = \"$http_user_agent\"'; + + {{- if .Values.nginx.logs.stdout }} + access_log /dev/stdout timing; + {{- else -}} + access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing; + {{- end }} + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; + +} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/system.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/system.yaml new file mode 100644 index 000000000..f8efa67dd --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/files/system.yaml @@ -0,0 +1,185 @@ +router: + serviceRegistry: + insecure: {{ .Values.router.serviceRegistry.insecure }} +shared: +{{- if .Values.artifactory.coldStorage.enabled }} + jfrogColdStorage: + coldInstanceEnabled: true +{{- end }} +{{- if .Values.artifactory.worker.enabled }} + featureToggler: + worker: true +{{- end }} +{{- with include "artifactory.metrics" . }} + {{- . | nindent 2 }} +{{- end }} + logging: + consoleLog: + enabled: {{ .Values.artifactory.consoleLog }} + extraJavaOpts: > + -Dartifactory.graceful.shutdown.max.request.duration.millis={{ mul .Values.artifactory.terminationGracePeriodSeconds 1000 }} + -Dartifactory.access.client.max.connections={{ .Values.access.tomcat.connector.maxThreads }} +{{- if .Values.artifactory.worker.enabled }} + -Dartifactory.workers.addon.support=true +{{- end }} + {{- with .Values.artifactory.javaOpts }} + {{- if .corePoolSize }} + -Dartifactory.async.corePoolSize={{ .corePoolSize }} + {{- end }} + {{- if .xms }} + -Xms{{ .xms }} + {{- end }} + {{- if .xmx }} + -Xmx{{ .xmx }} + {{- end }} + {{- if .jmx.enabled }} + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} + {{- if .jmx.host }} + -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} + {{- else }} + -Djava.rmi.server.hostname={{ template "artifactory.fullname" $ }} + {{- end }} + {{- if .jmx.authenticate }} + -Dcom.sun.management.jmxremote.authenticate=true + -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} + -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} + {{- else }} + -Dcom.sun.management.jmxremote.authenticate=false + {{- end }} + {{- end }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} + {{- if or .Values.database.type .Values.postgresql.enabled }} + database: + allowNonPostgresql: {{ .Values.database.allowNonPostgresql }} + {{- if .Values.postgresql.enabled }} + type: postgresql + url: "jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}" + driver: org.postgresql.Driver + username: "{{ .Values.postgresql.postgresqlUsername }}" + {{- else }} + type: "{{ .Values.database.type }}" + driver: "{{ .Values.database.driver }}" + {{- end }} + {{- end }} +artifactory: +{{- if or .Values.artifactory.haDataDir.enabled .Values.artifactory.haBackupDir.enabled }} + node: + {{- if .Values.artifactory.haDataDir.path }} + haDataDir: {{ .Values.artifactory.haDataDir.path }} + {{- end }} + {{- if .Values.artifactory.haBackupDir.path }} + haBackupDir: {{ .Values.artifactory.haBackupDir.path }} + {{- end }} +{{- end }} + database: + maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} + tomcat: + maintenanceConnector: + port: {{ .Values.artifactory.tomcat.maintenanceConnector.port }} + connector: + maxThreads: {{ .Values.artifactory.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.artifactory.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.artifactory.tomcat.connector.extraConfig }} +frontend: + session: + timeMinutes: {{ .Values.frontend.session.timeoutMinutes | quote }} +access: + runOnArtifactoryTomcat: {{ .Values.access.runOnArtifactoryTomcat | default false }} + database: + maxOpenConnections: {{ .Values.access.database.maxOpenConnections }} + {{- if not (.Values.access.runOnArtifactoryTomcat | default false) }} + extraJavaOpts: > + {{- if .Values.splitServicesToContainers }} + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=70 + {{- end }} + {{- with .Values.access.javaOpts }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} + {{- end }} + tomcat: + connector: + maxThreads: {{ .Values.access.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.access.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.access.tomcat.connector.extraConfig }} +{{- if .Values.artifactory.worker.enabled }} + worker: + enabled: true +{{- end }} +{{- if .Values.mc.enabled }} +mc: + enabled: true + database: + maxOpenConnections: {{ .Values.mc.database.maxOpenConnections }} + idgenerator: + maxOpenConnections: {{ .Values.mc.idgenerator.maxOpenConnections }} + tomcat: + connector: + maxThreads: {{ .Values.mc.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.mc.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.mc.tomcat.connector.extraConfig }} +{{- end }} +metadata: + database: + maxOpenConnections: {{ .Values.metadata.database.maxOpenConnections }} +{{- if and .Values.jfconnect.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} +jfconnect: + enabled: true +{{- else }} +jfconnect: + enabled: false +jfconnect_service: + enabled: false +{{- end }} +onemodel: + enabled: {{ .Values.onemodel.enabled | default true }} + {{- if .Values.onemodel.apolloYaml }} + apolloYaml: +{{ toYaml .Values.onemodel.apolloYaml | nindent 6 }} + {{- end}} +{{- if and .Values.rtfs.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} +rtfs: + enabled: true +{{- else }} +rtfs: + enabled: false +{{- end }} +{{- if .Values.topology.enabled }} +topology: + enabled: {{ .Values.topology.enabled }} + database: + maxOpenConnections: {{ .Values.topology.database.maxOpenConnections }} + port: {{ .Values.topology.internalPort }} + extraJavaOpts: > + {{- if .Values.splitServicesToContainers }} + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=70 + {{- end }} + {{- with .Values.topology.javaOpts }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} +{{- else }} +topology: + enabled: {{ .Values.topology.enabled }} +{{- end }} +{{- if .Values.event.webhooks }} +event: + webhooks: {{ toYaml .Values.event.webhooks | nindent 6 }} +{{- end }} +{{- if .Values.evidence.enabled }} +evidence: + enabled: true +{{- else }} +evidence: + enabled: false +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/logo/artifactory-logo.png b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/logo/artifactory-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..fe6c23c5a7f87edaf49f883ffa99d875073e2285 GIT binary patch literal 82419 zcmeEu_ghri(zUjr(D-PRRRmf@LCGSLp;Zu&EGjt&2qIB(#vYX@K~O<57!VPVoP&~8 za#C_oa#AEp_-Z%Ky>q|&{t5Sod1eMU=j>CvcGap?t4@HLiX8R`cGs?5SOs~RE4y~> z{R{m=fq|cdkh!+QzbNhGwH7qG?EbRjWh(35t}4ga+$_{AeC&MH|I?!WK*&sE$M5&b`&jJMx?v#>sZ{GTuP=jz1$9Q*!{C(H0A z?q?Lu+V%fg1YPua_}l;SWMVz}<6$-qhJP;Rk3H|6i9Py%JQ-JX_l(}RYRvy(5;fn5 zJ^#m(*%;M)gJQLI{r~#}%lT+$|9?FBf1B}N?(@IR_z!RY-^uu|v;4m>^&g?B#(!j>|0VGMf*k)#;Qx_$|A(gj3;+EO+Wtr4{ZD9%Prz_QhqAsNELo{;y5`4_ zuw}cRaYw`D`u*)%tMxjL=|SvvS;6`f%}9x*C7+7z+Y_TX`wS;4-qZTnuUB}S+?=`4 zd%rs&{&!j?(|&2scVl_&Ss#VB7af0Tm(=<6zw~k{xyUgct@_O&LC}j>q;G zQ}1lmB*QHmORQ{~liX9j0b%jSxwY1tXRj6x=x;`<&ANNPuSz02XSL3gbfwE@#>M8) zVsOW%uulwsZ_7jVR8*{#_psMK@K?UEPVjrr`*pk1_j%ff1>GK@3R@dppcchtQ7xl_LCaX-Q;UdQu#U0QJd zomQWIOq-8iZEx=^R{tbN_Bx<h$H%tUZMh6q zyI-w*=r-zRF>p>S7i$V&2>N5Ru(MEDy=e5``cuTn(o(Qm>v|g*tg75x9heBBV)Zf| zo2`gicz%?jhDPXH$w`ClFQ3o*82tM3JIyfe-R7q!`xsfoiYjhtWE}gGR0w}TB}F44 zT6}58NRCQ)&r0j&0A|JI=G4BQ4TG9nqMpUGni}p)ycOK)-#Oxn{415eYxW5*y&4}o z=waSj|0X?wr(e3D*haJN=MeoRc+31$~)278*# zd0jl&-{SE31mme6tJf}*+i*_{IQ|Sydc8h36`3-}J?QADd{MEi>~A~}W&kh$t0^v? z7P$;jkK%r^t}DTOb$Mhmxi|5Lw33CoLO~E4zw5|Sb5n`5=O@>XA=zqC;$N>s2K86s zDM>aXD#5C58Xv*_MOu}qY+`y#ewo?muQ-!IgQYe>hk53+TgAy8HfO_c5bbh`+8-2Y zmvGETl%L=#`RmRfvmd5Y^ZhjR;s_0Chvgp;zyns5Gzyu&7)DC3EIi!pbvom--TV3$ zW88%9k90Y+{rgpKVGVT$?5*@2bTtB<_v!!fz-*qx{gJb4LSm%N2ooVLoM?wFdSbh^ zz!${oV>Hz$`N_RnEt;CG08{pn*UL_)0uJG|qVJ=5evxZ5mLnk)VlpHH{bYwbrF=bi zopdKPEOFsbyR{Hgt?h5N#~0?}+QbW%@OxDMBDhA^?P*^x&zkw#AYN-FU7kuOem`nw z%Lv}!2|vYGE~$|2m`p3u@pZOx~-_9clb$?Uk!ttFm)N+{kG=I!4C%sv?bhAVAqSrT`HKCJ| zGmixFIZL(qpP$-wm0BGz{frcy<92mbpUeH zLy#i-5S(?6S)aDt?#Sr_!cPoaH%A^YP?)OXAAkEm%kqIyvnuEA;vFOY%R8%1)CI1g ze`L{YX9)ttJxiStE)Ulhlk4_A{B5utc=D1AUX0kAmf_|0V-!O6Q45i%tg63;|Jc8V z27=Mk7tW;MM9?8u$?xEK9si>%aNJL2?y&x&3!lh-9=99ph#4>tvTxYRJfh3g=C0Rb zyYqBB296wsnvep?A=>co(wwIwnFcre-->%g8a_=}_kTp=uYvbW`W+y;^4NOoU9pY% zkr3><{LYz`;R04CJ+o`))sx9|dZHs)qlDeRQ@N;aSj5&)WKrNK63%(KEPYBlz+=Oc zdvfYsqTnCfTfvKGsZ;HE_vMpn?XIR%O+UvOH(uF(zxL)B8O7u4iQ8XnD{?1X+FgRv ztlymadj7o8AFI*9#V^$uBS?q5nhh5}u=>@vHMFVp`FND#WnC9s+%BR6DdKo8>kpR< zmsl3m*vsSY?}RGOER-fV2(F~NsW}oMEBVcrW8+sN9Qb~hUARj)L+&lQ=6kTaJZtSs zPckd+?4LJgmjiN5)FFw3^b(2FmUV~wC7E`&9f2kWtf8ClCj3`K6)Om z+TI8M`V%6q0Bslfld{7L8LHloP_)geGW)gR>U?)9Ok~meYpOCTL+tMHz zf9JX@a9u?EZ8g$$HpJ&xztj1izhVv-+)Onv;wGbz;aDiqb_p3=uKDrGWKwE*Qj!!v z>WjfXUFKg_k#X^o80GZf9OqDPWGxH>*BL8F(Db0E(R+@58g7!Jq#jz#_UNe-(G$bncr=tG;?0HZf6Ij zP%sspzod-LLICcyg~XNowJJN8lqkN|2geC`4$ML2ioDy?<^a7oM#55dLLYtwJhw=7 zH;D3~&b=OKhD9bDPA5w7jM2M@eb_$H;fk#y=Z>v)Np;rg+&|DLR+Dge zu9Vw=orH{P=qL&l6UsbB7QWtd@c3anL`K0bmk38E9x&coXM2yQNJf;LyEO^C5trdj zdxW#eNo$zMt|YEcLCSFU=*(*1L2EfiwA=Ga_P3d&`21G6X^UOMfmEhD(cy}c%PuGTFv|F9 z?(Ly->4rKPSxe|7F;lym)>evooXlg;S#(ko)*-zU?j`un zsc3mL?bZwD?FvzxV`J4YW?)gdQz@Zwe+b&S5n3Rgn|0Vpr|My4el#|d$7}u7Pp&KO z`sux}?1{&fjr4<_4r{C~-8P>--{>Rkm{S34a`^)M>UVZ(p1_ZNw#++D(g3MNvCDG;i=M`=jPKhuSCwbmC$?OoUv98;34UmL#mK00 zMS5^yg|@LS!nv=Db?1p%@Wg7B;1J|KgaGp8?s+%MnneVfzAfdPho2^LVm41_dIPjP zj@_r|S>7U~)5LKncopQ(QFR%|T2Y@QL# zk{o!RcZ;;g_?vL3PQ~!|Bh*EdC%?|BLt{gTU!yYH1Fu4$!vM&Vs2Cbnmg|;rPwWyQ zIkJ2v?40|!N;5k3iMKEhG#-$5wzI~$$_OKJkbR(iDXErsD}@tFdKF(V|CzJT zd|@S!_Ze?-sCihjYxC!wkPMY6iAL%jmZ{aa!DP5Il2Zu&5 zNxOu-x(kycY#**)xcVEGU!PM6fUT)t{DkMk>PVew#SV0I!vO}Z;$|Wtqzyjew#MCF zQRj(o@owe(=bXXL)u%`yv`0`|V9qBlc;g=Ote+eZuq#A`jo}ZzY2oRHUd_JU`2LM) zq;!>zRAi`7^-1S7$4W-fjoN#%oO48frw>-2KWwyt788IX(o|F6u?V`M@}#54o^4oE z3Vbc$V8B|7itavqlJs7yIuKASvC<^3I!AtCx6Q|pGvtMB22Mc$FNry1A9C)P&BiAl zifq)#R7d8kBnR{H?i#&`oJ78YusYEGwttj;R?4ZZXQ0iz- z9mXY~HxuJVP!g&w<9C|=TnZ}>wc&vF;o{=^U(A7sfi)W|MTN7Bw$7Y_<*?eNIsfjs9dM74K zMXYDlh*!>{Ysgs=9+yu7D_}X4BjNX9dx&;Sg%E2af)!<+!zQ599v`=Im#Ox z+JG|n^Qn}UU9it#0>t&F#ZU*&=zD8-bX)b1{E?fo@2Yo=ba%*YE9?3%7Oi$9Pf>(r zX-6xY9D`*QlVek`0Q36{oUEVnQU#-YMK(fLXgRVp?7MeTig}8JcuXOk^OiVRnxe-( zsRVaMfh#uhHi>T`Tqlo@a&RduI{!xHo)`qC-IyX2PHN6FvBT}cxz&0dtva%)0UXs& zbtc{+x!ne4cx>-5!#<}*j&RSt9m2?^>SN%I2F&_gkpb|;3rXp>d&d#t-1;O)O)}a+ z%pS%Z}l6-^hS?JjR)-X)|=ps z#P?L~ z>Ng^k8z)5>P25QleT~i)KtWwh2>s^Sl=GxZS~9=@B{Jto`#p!fFDLM@f4u>Y+4!P+ z^J~)TEWpw91>NMdT~uuccF>mCsl@%=3j8r7zvm#A2s~!Nn6Q2kEh~jwqBtoc#c}6% zE`Y3xxh6JAt2;(~)paS<*e;#4VG0Z)n-jiI^Pf`1eJb54*aJD?gvlr=lY*%aS=Uhm zG05Ty<-giUn}xU28QMzqg5q;A!67OExz=66S@5ma!rSPTMHz10O5N@aWORSJWaqSF z#5T5;w3#+Qb6tI1k4I?>lSoVcx8{JTNBLHy&}gAL;l=l4MQQZHcPk-;Mz>jRKB6xY zyTind_OKdWm@y?^3*MtXo8YC`|N7?frqZY%f}{dn2_A1PP7;nOhkjAiYN~)Cdv;?{l`(^M)_4XuGcFI2^xk>Q$4R^jQC|}U; z_4M$43y$C4%bpUKoaQB6aSg6W6?|@puE-~>I#x1$iZ5Gz88nEn;V$BSiu>k1ekCbC5G|zz>fQ# zImQ2O>i1$=iqmh?w4KKW!RazE>k$FJYSAV}@Hp}Dxv@oPD(@xbU9v#Vg|VN~=km@u zFH2aGa$G%%$Okz3!_XDwDDL?w6({*eaz-PFup4uj!4){Q;q#Yf6AZ1-qo1rXK;T>1 zU_xQDiJC&ygtK?!1~5B`_l=rM5uBdqD^@L`#+Sv1of83}R<6tHvB4BjN*0colE zb6Mtu=E)=MVdlj1qdp?8BdRPhLK8o}-ZM1VSWQ!mN33$fTc7D)KEU2QE6!otD7ZEF z7PxkwO+%;tj6F*p;!A@AwBi-s9;-J1w72v4jf;9S&jFOZf1ngNjwHd*&!v)%Gs|x* z7bV1NRbW+o+@3Eoin;=KsLX#T-FWcul%~O5zA3F_{WMg7xEEZP~x4IgmyEam3|c14vxDCzQFwJ+1yrks3=QpNIVC z0{K*Grmye8M-L7@elXJU@g7wH>!9O{VWSH!WBw&h6W_|yg_vOB!VoNXQL?`Eux|=W zitt!YEj-gno4yDk83iM?Xg<0gwt-VZq*!_iN+rdw_b1WG4CKX0VQ9-^uK(h~!80Eb zDn6$9DOa5Ee8S!Fybg#^&!bizjkQpV1eKTEEPOwzT$j(H%UVt;ZZn-SpYHvAjr^cA zf4c2ppzTXetm6|xD@v29HfhU;rTPvZfhQCnhrrD&IS;UhFhxE#7uVx6QxN1moOB)& zKws!I#4QEw9xacIjcujH$TCu_ zc&@tk$CM{VkKc>Wf&)Bc2>~hd)CP(OM=9^m*WXthOg6N*6-KZi|G?3Iq1F1=$88Nq zU9Ver(vx-FLvAPW7mN)31!Qe3@8|w2ZcY{s3XbT;F3)~N-u-nn;uoU%)gflfo=DRN ze_+3k*PC{qxY3%Kc~*;txbU`(dXZ&gyhnX;S%u0)RB1*f#Y7+X#lv{KuT0}Z|9X6! zi_hv+69pP2HB1eCp~D9sYmw}1s*-yJq&#JYN-M!9dr^_Mj4)7w?dtE~cz>}mrkb+s zHXSR>iqg8aYuJa1b7cjl+eZ_)EPN80TNs8}9DoSJ%Dr1y@Plp$tL{finZ!Z_7^n>E znp!d}I8pp<5d~{BxqU^=sY&|R)^FCTN`D7=h$aa^K)i1rB_(PuUs&SfN|sWr>mDjC zJHPhG_aa292Xfg561*bEvo4h}-L9Cx4Bt7yp*s~=Zg`6XV8i(!;%$hwT?Bj3oi}Q4 z6}so;UF|n?g$XZ>rMqW5;%sj@%=0XV&! zWWFlpcj|sLY7dGBhobP)1Tjlox4Hs?T$m&gI$ncUy=Cb%se9Pf=!gb4Bc;xm7_FMN z1LT?Zy1?#Hm*^_z2>AG~sY%<+BWu%>n^m-@gTj-K9K$^ztm4O^_c7WpEwht#LF@O# z6>}fpDB%U-$%aRdsq0CA;|Y^run>{RSb-X!8+fOrCDRw;f7Lp0;ocMntu%W3ETy3U z)fbT#qcA;7mW*2kB%wo0>Wy7;oZk+lcE&Cca^M4Gzb9s@TztYPo4qH;LT zQ^s}KCMEo9Eg2gPMe}yQyVa(4z*GYAhcHR-hndDyYB-ET9rvvb*VnJfXkLz;!S2s#HV{%lINC3%<^ z+;NWSHcB6qG`B1)-5?>T>#=}g<;XrT7fR_%i%C2aKJW1$12+)`9mD*s`aslA`0`6v zEPOT}wyLru&G5j%?OCm+o0<8$t{jFI!8&&o|OM zuD75C2E-WO<5&ZZFkYgaZ6jrGg{Skt=J1}&j0)ZrY;fE8iX%F`S0gg?FWDme22kXq z9rOL{!|;f3-gnTjGgMktr|aI+!)|9lgqAPO+$ux7Lk|GLU;P)iDIBliB@|6t%fCK< z8Vtuaw7KNC>mw+yhBF@YhT2Zu?r~>@J5jKsiloTlxj9&4qOh_f?z>brb^Dj!}n?pXP?Ced)09wy!6lTbrpL* z=5QGVNLj;8%P_RTuWYw_ei;-#^E$mk8+TIeDp8Un-_JN#w?5A4@j`Pl)vu!t4Jp&x z*E_y-l8WcYTEGcZ)8Y{zEItlB;h#loRe|Mm-FRXxGVzaHBFnf)vRYM;fuk2ETYGmUFFjOQBa#_jiK$p9{|S@ zd0Ye74e}9ycfng52aoIjvXt<{B)wyj>Y+VdD%-4urKt}9;OgDY_|9g`UeCl#J5S@{_2nNk>B$`flE9nkKfUiZXC}r?ErtM_l32c z8*7EFt$zSWcM;+r>k^IO?`Mn?`rc~^3=+8jmbxxj@-82}#~!weXtyh&#APaHaqi&F z$DdhE_w(N-wsIK)-*y6@=|njtO~Se*IEecDHvvIZKqg!`j%v z{_zs_l6Q$@Dpb%i`}Mun#ZRSNpjVFRd63S~v!azatJEA_QZAl?)N@7nrkD~U1>Q_M zZ`%LFs%K8-C0rxw)_Jcq()(aTm+D8GOg@u^pME!2|8v`5+0XllrukC6i5{eninm9l z-0-QC8K_|Rk0P^ynxZqp?qKF?&BdPPctW!P=qox~px=BJN(YXFrTe>xg5=PV1Cs97 zjqw>~;^<*@*S-FADe*-Y*Pemt8$fEHxOH^$7!>dfTBWwm09|Twq8U#JlKM6MoqT== z)yLe&1za(yG!&tyS;~IaKvyT?*`7zl>f<>3lM;K`uQg=kpgqWgJ;+EI9HPX@7goNQ z-F6n7cjYxXL;F4J**&wFBi(S`7y7y+A^ULQq)NnqB=R%gU;p`h1Hl+qn7R=N%y*pd z^HNeHOaY;?o`(~tklB(O8g;U*edo-`1_yijiY@QHzy)U?!`a9!thbp%KjT@j z$zydHo|c@qa$m;|<~-WC1n`__1?lLfhj(zuF5*>eE`tu_OvesI=UMZM_`c*4ARB<^ zO8x8f#IU?dqEPgRhr9GZV;Hi!|}bdH2)9)|ma zoQ_=qVL}DJ@xVQ<1H2+!J{u80)ML4OgvBN9oamI}i3^n*0=QPpcmCu-3=|%Oe?t)h z1KI5(p@k>ZBp6Rm2Dd@Ttw?vhF&_}8UGHiFkyH>f{45H>;(~JLFP6&D$u(%FRE=|r zM`-7hh_hAjtdSfB)U9D;e4WuNYTDL3s{K4D{1U|3OxB!9R^ANWa@I8-;I)t1iY>4C z7VLxK^hl`5`q9uzFAZBUM|+>K6><`beFV6IHWABpaMQiy9~zhD5Bcazq&cWx;lRcF ztarvYSkJ9Syw@KLqi|GDe3^c8EaNn5qDub{iTne8&}i#(WL)931q=Y>;YU05soOEI zDrQ!EL=zg7? zW1$`o1OQ{=-@~0KnpR<(a!c!8Cb!NB5Y#}rl%347lU5z z78w+_k*d7ao*+bWyfv>VS9(Hu5DaUI`Ro?^A=7o3jm|8!~|x#b&!8t- z#0A&BpN-pAx2->~9Jm4OnaqinmMhy3w`?^YGA#yI$5V{VXvzD&zM@=$?$ROvcL@>w zilBll4JTdCB_3Al@o3$*rr7;QeDrIchSCiM=9*ae?ji!R~3H5WQPpL#5 zL#>QeW|X#NxPiG5c!yGvoi9N*X%?!RAcs7j>lpIA;ELa$h63re1 zH`c>6Qwg}7+7Nwb_Xg+ofs#~wk3&=tPYCRW)!~SU&;Zp|fLkh$UNYI1?d~~R@c!pVe`3%%V#^k#hx6QZ}=3%dXTj(RA`or zgm^Vl9uJ!$tri<2MNK3k_P6Ns{S`pDf8TBN?3sjBfM84e?q%^b|scDdk6wZ1?C?hf^V9cj5_O*I5>8 zVFfExcF|xV@rXcP9QYpjWaC}xo*z`G31!#*kmglF3*7D>?5h7Yyyx^ds8;GK-Y{h4 zVt|=-b!yPqH{o5&xw0304(!7VY^BTjBNfQ9k>o08Sr5`bTkURPdwO{& zBcQwai%^E$o0jjfKTso){c@t(t(a1i&xt>}pG*~=w%NdhHnSYHdG+YEM8{$H15@w^ zUJr-cGO#MG#Ehclq{)KX3U`Jqc7$9uA#i#{rc`^xEr3TK$IWFdv=&zk=>2F6KWaoC zY-j`k&+{a2beuvOEc{=5Gtn5^QP3d?#ni^M8TBaR#5L#1*WZsr$fpw|<^lyp{6-0> zeF!*}dF`&_TgTJ=!B_(0EIzuI2Mk`z!Lt6Xb9k(W_k1#%rG0P2P$1|~MP<8#&v()N zCk96y;XWedBqAdB(Dsk()vM(3>$hKfX1VFmUfJkL8)V~+P!F|lI;?XMogokUF zHZ-XO!V=F6=t^W^Plg zH!VJllen-H%rU+{z~>3KF@&=@`2_1jvwJWBJxh)d5LU@QB*aPS{jLR>U$q+<1D7`u zl!?W8Ek}I*3V;Ov&$KK;c0qp(@KSAs6oY^Yk&!{l{$06Ph$ju|H(KBzt1Zox?i-Of z5JX==5LwBi?`aDQMFOFJ=mUwS*xcN_!UF-@AMj27D=L#^KZib;zDh6v{FRuCfdZZd zv|=Km4aPOx{PsWWo)ost-Asn}Kr!y2@@o(~;nE1J*|mTa=@$ReD*QsW9=hoaIKt}$ zM_1fsekhhs;^y#>Kr2?#SFc;`Gbb7|P&7C2tSagCI4fu=eMr4<#$K5Z+1Lga z)ub zyA}pEGa?j>LJCE%_|QU;@ZfZcatbAmGrbZdyn$}RTzdO4P)nQq{-OL*nFlpb!mvbW zdhd_%R^0DrbIh3G^_QRO=dN_18cXdoyvvn_An-dK^3w&LM;F623ty9iVO2WwoBMsl z(tp1|z9dhy+t<19IHvrGrmWZgZtqwOM4&TH=CW*pDk;b&sDN?&9AQ9%55o~H#JN1y zlN+OKtBXcL#kwE^h)${Rr~LZf@gDHml=tO?B|!Y~I`msls79jZ*Ox%D+~mE6MRmr% z8vw!bvNpEjYWEd z11`Hh-^xG2fN}+tctJSLb~xgf@Z4vs>;;=T)3sVD_k;9l;eG9A_7udn<7F`b6OL*v zZBB$N=!9q(RTf%0ciJecuTP$an}p+`fWNQZvJXQ>!-IPo1rn>1O-|@GrTM=mi^qCo zIAWXN2;kc>&~(}a)}fVoJnv{qCEv-73Bu-p635&3=!DdR>&ou!JPPF|Eyc>yawx(_ z^;!ezA60@F#xQ$3?cw(nqzA;m!~pqL0%9O)<^>_96lkCbgCIr0f@SI)EN29bI}Yl} zV92fOHs){}GP{ZhFh``z>z2hj+a==*@Bi_^iC2 z09H>$=R2QImQ&YYbX0u4}OOd?S<>H11%3rLT6qdT#kM?!zVE z%!yQ3&MN(|T8LNmF_p`sF%oZinr^z^F)1ru{Q)f&H$|OM#BX0GpNh6jFkG;^(@dum zqzp=)gHZh56cP<+f29d>c%c1Ui~MH{sE4EnAG-&`L)Pelw3+W?5=A}O z3#T~7PNdrPGXetjI%u3jg{m1%4A6#msJiD82&1;cKvsS~t&V*Pmomb^DJcwv_Fvc? zB4uy+Lm$c0#=_*@fUiKlBp4sFrv3*Ct-3RML#NFu4S!eyrd#0|bFo zpnS6z`{Ap6mw?mqHuBEQRx~kqi0xJ;x@cDP>D+pPFcm&bm1xKJmvH2ER!j1CS`4P@)lynU zuhSU&I-(!Qev)Jy5GY(0zm3e^!Gd;3)k{%7KBDUj>@E)NEgxUAm5hmHH)b4L zn*FUoL^Iad2~fVW8E~5p9IZPtzMN z2wS2Ku|~TEKWYXWwU%omNq$iaUD_v%YSZB>y^b>@v{R@{3+|j-+3I^SwDCyC_lOW- zC}B%BvSCI<5j8}p_rXq=}p;vu$kFt!t$rjRAZ^@nJjT|eqU>Qdqg-&KNueJSi$Q+%|^fOlo# z{A^mU*Rbd>rvKdO*i$G4g2Euw?bIo~6f&FCQuoQNBJ-x`1mrJw33tfHX5+dFMs(xE zB)^K75%;|s=xcG$E?mqIf;+LJ&3?9+tO<3OCTOabVQ9g`KnB}=ide$2r$5eO z9+C%m_$;NBXueI$Dy#Dp`_0iPas#bZ`QfWcWzT-0mi7w+xYLrxEf569Y7PMatS$AV z%h14tHXi*(+&`|Y&j&dfX&8r-uvM=H+fp^21e-7*PghqeL&BvnPQYI>%6?4%>5dXX zyeska*w{;lln=pr5~W4ysUi{S^rU@i5g;z))k!z`yw>30W~w`dW9fbeI6Or86;M6@ zEFVCL1u`vY-g7ivd#=UINb$W@wR?N^g2T8I=|;Fz=wB=kOlgXF_hjGvj49C6_kb?% z3(-WRNqCF|c)42u-_=Y((NcS(eZ8jClrG~Q2BskdELT?9REx&YVL}D>$@xRH@$LQZ zBO)7(8CGZC8UhC>F8cBuO1rlqyj&5yCU*HQv``?ZD18o+9Tww+u4v&@%Seb)GD&B5 zm(YQMKKCTJ#6Hy<=Yq6{`a69B#C9X$Gw}-2m|QjhL>|b;?_}=w`I8LX!EXFM>%2&L z(W*wqj&h{s8bZnUGYQTMGG;j<&v;9A{bMHD6WFEY3JIAy~)UrRbZz?@@hbD ze;TR7ka)SNGf9h?&K0K7ipOZxl}nv>?z2J`BFyXovtG;+sb9HOi2G8Os8%*+2Y$H= z!^xyUouR^0t;gVG;ukjl@*CA-4D38ljAYo%f0WK5ZCljYNOd5 zEP|b1+6Z`fscPtSGlu3scT|Q`4Rq@wn)i*J)bM?VML_5bS6l9k@zE(Dz2NON{{!(u zRtzbX-RGccF$e84$HM4kFqoq<5JIom=du^I1TPxLiMw*UH8x|*l*qYLdNn;;N8pg z6H{*8Qs5tKfOUc%YmUO^vhl<2ePQs#`@HES7B16G(vLsZG18pv0$f+vuaN|6 zSv6|3e5r!{0S?&mZ<^}|)n_QZ@?XXiX0d(ZFIS*1{v(CxzvEskFsuEFoijx3A4+AY>Hd$+eS$^?pqC;X?-b8Di!Fi-UIOFtuwqVYblCKTuK{dbVmr86+{wkgpdLKYqI1j3sw>g;x@&SS7e7plLgn=2 z^xXnGItjC+H9c z2U**Q_Ll(rJ4lCY(CwLgzX5+1HURt}fUtUK^_|5gulLhmy{=^Lk%r}fM-z*FoI6m4NRW0(D3o$*?3-S+&#jooiWT8 zexQ+Yf#0@-00SUS@CHOlLyC|4gG7(P`#>xKnpQ!c(hIr$Zp=%X*OnPxFuUNa8hy_H zJc^H}t{w45di4y5k4}w^C9qqnMlgpWz&(2ZmgZ1{=*4IqrqLMJM`#gu30KHJ?5jco z(~=YwCQ=Wl?#;!Zi0G5+h$LGCd0E`P8bw4bCcgSn4`B0BnQyyy3AFMDJHPaV#a6eV zAraUC9im;#)j<_&mrY#N-g_JdhV#ycU-loC;XnWlOxv2xvm28|B_X`sEx_=;#N=APZ*$@#_rH!i&%QqPgFiiJK_~u397-=Yc+N8T&MT$-( zqh>uU(+#t4I&GioM#F=qbc4|IiMBNb%bl|-2Dc}u;TcqE6L&f0jeu>a zTO#&>o5>rw%;rNDzEmdCzV!fcfy-Sc)3lFq#Uvds*%eOIrd^n=r;4*KW6480v4b6& zDg1XFpP{*8&Z_Um(b#apX|fOP>a5S)JUX}pXAR|t#sY0KL`%=orzS`2*ku?swVa;! zQt^lyyKaKE?WDv-Aemsu3U1*%g^eYQkbOMobEqm?$$t?G#fjCA@~;7(D4BP}h^h2Z zIp%E;Bbq#VmW=mfKvSY%JvRa4C)!Aq_;cn66Oj%yEJyrQO={kqq#e;CLWYB(iLhj= z)@!5_1N@yr?{+^7QIE&FmC@WIK&2<@`IB(^rwj+c{3ocV`>NN7lKm=PqUAQw+{RjA zly?k>KYGjMZ<$RXDhn91qDmN`^%;oBWHiCKf;i-qDr-Ln0gr?rhhwi^WD64`X6Z@? z+&Fcz+KpVQmtV|@@;PZ-5HVaxI9Hlt#8->w_Zt5~_cAa8>fn74N+mvL3(&~tBCQ0B z4hP;~K3QFafx<@K(S8EBD)e9&^61!x!H8x_DvuL;i69Vgfm5;`QBMKn1PWiyV{P&j zFVykeN(r%o?7p&5xN$7BHH>tVc!DjSH}7nNK2%JNs-KI-`y8?~jd82(fBCgN;c!aTN>m9@OP_XJ6qf~yZC=r0EBd$lCF@^Iz}9QoO} zr%xo#8~`E=3Aolzo!y00VHOf%Mtwp8Z_DnBC=NwN*oq7|a+f`OKEAVvV3;nB1Awyi zHX_@n7LPDwf>o-bNz(*0gT5m1(?IMIY9PH)4SR^e;6m&Pkh|`K?4EK`@z0FBsk{+X z1_dFTbJ{6p+Yis9B3AIRoG&oJf$%0*B;1Ns@SPa0gS<1MW8sIc>tBdH)dD353?wQz zjZKjB%sBbH%BhQr&{20A`}(z6fC6fzDjLpC@sK9k`iEdrvsY~diWdrrMd=nWEhNBQ zbYFzTw1S9BMI(8FG~|M-Pp*U+AP|C!EFPU5KSbs&Sythvar2JPnUk1*NiK<26rQzt*#oCLe(KXGGsHXcANYZN4A#Jw{r|V{Aei{TOrszxPi`6Ms?8Wb`|0 ztkDa+&4mRF&2w$Xmg}`5Efdrl`o!)?DX+0-J+S^?>7`RfUQW&qAM3$m{x#@os*q^+ z24)3@4n5TdGc3%M{`R6euK4>=7AYm|g<)eImIBTri@}1L+yWaLeH%9p%d=dBXjTSp zJsBr1$pPHrDe;fST1J$2UZEMQc-XI-#S=RTx;~d+tr1-EJ-+Bx!1%bEN6JmHbePT~ z$^fl+!rk35giwo`{|64aC`(XrtHa!sz?PU{dHok}QxVcToB-94^Zr9ClG9H`$me1g zOnj0)x2c$N|D$f6WIzK2cQUf7r!?+-hYwb?#hv~0t%_`3sJ)VbB-AYcBEGvC9U^|Q=G8~?G$Z#h12nxB^OFZFy!;Eg(p+hI6%D;u1A1 zu9nyUWu74Gvzw3MTBJzVUQ7}u%Ra4^x0DkVc^xhUCO9Wrv33V{o;jt)nJX!{QXb1^ zWX!VlS^wIz&nNCdLDK;1R)}ZzIvz$%?0ID}CwX){`;5eqJdhDy%C6%_Y344$h72f2 z9~i6_>E16IDg;6&CY>pV2t(j=32cCUX#}uh=kdKLh}5sK@ih(mnYYem4o1vAJoD!R z3fG9BV)}i}fO-7mvGFX_tG({fPzZkW3OxVJxNIi0=j zZf^-oN>hoQ$PtMdKKQJ;aXT+h*$R{e{zXb>@4*Af&;tpK;RF>V7_iAKK9|3w(X>bM z>}D5K&9N_@-q=ArpQ&Q4QcD18#PZo1Gi?E}b({Ign%Bo&lE&vgl z#S?GOatnCe16`Wt{C@j)ri8y~8G&L2RrBLPv0r?*8`cZ#V=aAE?h-s<1wXWdWPte` z7BvLPY>@T$$K!kbDk4teFyW_GmF+5>dnDYQc>0ifBSd<%-zKJ2;ipafT6Y4he6 z8{Z?TY4NxO@HfvcHtPC&1o(zYMOSUkrMErn+AL>2BCa1@+Kw@_@f401y43W%PjJ#4 zQdl+`lb}WtYO*wKj41sosHNcy)(CDu;m(_K*zC)W!(?KHZQdOplRVUX`S`dxe4z)Q zscqH=#oXT?(foPb4p@g6uJUJ#PP+T6D!@4wQmZz;J$XcO8N_fyzrDg^MAbyg>YIcN z0u2L>N?nMML$i*YSMwC`DHt?tF&>nE$afH0Xv}rO<7cb(BUKP^nFjd2!}%b;5#ScJ zXEBB}WuIUPV{QJ(<7lo2)6^%S*$a%#K?;gE5DTw0KJ2wGR|<4r9TsOD zj$!?YIu`%x2YtJm2wzuuZm{{SbQ2XCFt--_D)Po3V>8l258eqr*dl7kEi1W^D*lO2 zj1p>?T|^Z?x=xr+uaIp(OC$}`H|l&|_5)jRoXxX-?+~UyYFiS4SpM#rMYpuD4@T%b zw?{4Q&|Gh#IGnNm)CE;U_;dlA ze(bl>JE7_G@+>`|ad3ux>p77P?TK+}kfZxR|IeZPNRZsz;3i8+HEhz>;`VF(nS zfsS{=7i+5u2p>`o@EOgc5oJdR5E;*}EEeIk>l&?;4|SxH`%k??awlFkD2J(!ROpb-gXjLU5ane@3y>|yZgBhL#Z{h{ zX|wX+Tbatv3*aXFE1O1jKS=W0m%k0PS@qH1(vvfLe-5@u1SakK+_XVD3RSIhw@pc_ z+;FYu@#F_crPee*w^QnXz0Ao_@sa#J(ClKsVoQTp+%s%1M6@Aku)%iL0xf#ehk6oy zJ{NSe)r_Z4GnY3n)zj1V=C&e`8%fznQ<3|25V2;YH$&jbnmfa%n6 zMv8;-OX`LGU2((jbv;yOL@G)&cfvKA=l`OUlLWd&Y94+2ftl@1Laf{?XQ@+VAYAxc zL&i++3SZ$7HMEx%-te(?uXx^W1RJyCh;?LAI>M)mI~ALBy=7+|6ylR&eEs5OuHq~|p}vfs^tfm$^wkH_28eOKo1BP-;gCxO;SCO-d~|NqANqxKXNJLi5r6-g2xmkE)^RGE?(u^GZ(L{bFNFal59gbKut19#I!e{hO zrlQs!6gK^jnfPI>5EVADd^v1Kwt&`x$q)S~YTLihv7=gIYTg~FH>i2cz<3i+q;TEu z&*s96!8Wi59P|{pTXG=SOqo9;lT|&V-DNV`+BrM%TL{Gf6lr?@E_yh-1VwEHJ@Iq$ zRqt(@L-zvI{nyu79F>QHZ#Iv466sqP`c+?8Qcmjsu{|T1XVI}_`hHM0PJVDiLybkK z-8c z+=7iMMP$LvSHTg4ZZd>6WfY&r3jYSNt$qyk{NEwOQP~Jum9c!4U>X=hpX+((`p+o= zVhFZFD1pLfFz8lU__$dDsJ7(BE1h?i4#Sm{Fp=ro%n~~;q$OigQ8v}HaP%QtW4IZ- zdLcy7T8=LZKo}0e7^qCHR)a$h96hH*Z(EnK8qzF2+I@Xm)D7Oel&s}{-THT_rQiry z<{KiVZ3S&g$;3|MwqCiw+)T38t8b-^puC)zIQoS&v3W4ki*T67*$wo&}OdsOIqL?G1oycW(KINaPLSx(hH z3@wO%tbiT26)g+|^mDDmZ$*tTr>pH_D(iQ$^3vaCs3(KTz{v3v+A=0+p2Ae{)eTT@ zfb&Gg6`iHQ$kIiXc^J!3J(duLsoz1yJ0WLxDiUzr>`KsuJs!UXmm)O`Z?ivi9>Qqh z+{7y7-k_O?t$a6GAd@TBV4XAkET`_sK^L1NR;17Nz{CA7;U)Orz%);hew6Ilg*x+t zA!fz7P>?u7L6R*PdFeu;7NUWIZ&|?ReFAm#Tgo=lw+WEn{>H%2Cs(s&j(=_WaQ(+Q z)nEqLws){?z8u{xpu|R8Dw|H^xBRajDZgwiEGI`iU77ya4Ua+nF-VGM3qIxe@7)3@ zbUca+1hQewu=bhHFCXDJ1JOrNh7~Z>>5BHfGcZyabVmHh-=~gF-3UIH(Z}1&c4QT3 zCZH@&jU2TI+(mo{LFcB`1*{*zh18Ch2@3B!_xr;KxngmyKQrp+%}HgS1N%1C-3pKf+fMs;qj9BbK z99+ZG;t`dIE-=8qcnG@lL+wk?9m=gvuP;dV@)uLkKBxRUV47m)GrjXB6cb~Gwcvwy z^{*6xb9#Z~r~Qj5D=_>E@mvCCTty89>0MTVYh<ztlj@LAl>aT%OdxGqHJhG~A8XH5C>J|?%Jq);f)-ifYv2}9UKk0WEQ<+^*&w(Zk<%P7?|djKTOvE8yDEQLb@6-eiJr}npOJc{h_ zvpQSUE%Xw4d*AL+Ltse%{UJ?Gbv96cP$I>SBrY`87FJbf`*?>TftuhMZT64YA1 zRCldi!!^oIyxtikKCbmS^j%diQpZHj5=%$6JGxE8=tE(}=R#ED+Ul=AV#Q+5w6MXf z*w|52i;YP}$UMbK9ixtcIm|)fgTk)wbpxS#PZBuD#G$78Xc3CcbaZcP!L`$nCGJC~ z{d~k5d5@BwZ=&~01cRsW5b4=)@-pF0Yx3FGb$cY67@n?{o=CU4 zHX{xIcCvYJW%usy_okRcjZ^Y zQMDR2NM)P@nfnS+KEl36TNu7JXuALNx$aSehQ`LuB-PUq#Ap#tnGe_YIZ|I_tXt7R zhO#7k)Ymk;)(+}U#rK5ue(lC0gP-;miALYcR!BiMgcx^#+p%BS9CBax!c;YLVP34BhEZN-+gAX z*tFyo`sht_YmFgssHv$UJ1!FUWUCj&fkxjt=yCP3m$%)M-_N>4&) zKic^(VZ2d>XO)RbgcchPKEDu(ljn_wx(a13G1NL44P2^8iZmnL)hJ$@!KSlEOJAW| zn00=13_Ah1&xAhn0q=G757M!e02eQPofOJCe>&H?yv^o@I-SA*4M{hTQt@?*NX-K# zcd=Z1TIF%|AS3|7RNywJ)k-$nw!y`smvs*E-jgoSATQsZdq~UW?cuJ8hDS* zt-hD?DCyPmulkh*<7HqxUpO^6&Jaz0J;^M4k+cO(Z zBDNWD_eC62C4eZ-6^ya6KQ0lo4aW$=&Mnw>SUGk9&=0lTHcubAh8cQWy3aYYZVI|h z@Po|Z1;3io2S1iE$lv$VfWVabrO(A)Kq=QStBxL{nSIMS(AgXp5*@{-vZVL@;)9qgmAhz`smn2~eJwKx!8DJglSc9t2+v66Qfj^owS{G>U6H5ce}Ik`9IZz zzN8b@piDbmz&AAyGMe+Sxt{9xs}N1`Ru4|7pM!cEZh-QpSWy-p248k(NO#g7xv(** zIr{K(C%Zn%%%l!Wk62(wPH#|CXF*e(REMF-9fxIOb5R)r9w|vfM_}GB=GCDyZ}{UA zH*b+(<|6)4<#{7qVR_DC|3E|?9iXwjKveruSazansDBL)Ep{bkFp5gtml)1E?e*;P zvAPZaNfD+@DBE*uml&Gy>HJLZYU$wX=&5i`Na3DD*8TItVI;?8clVNj&7Fs?O+{Y3 z3aVGGZe9nz%sb;9m3A<*V7o~9m)t*a1XV0X7|jPf4{_KN00>y=MGZd4lcXW~D2loHHL-ef}h^hPYKdB^QTmtw_HK1$=`BBPCDwV12HIwfWr zPE|a#Bt!d$%yjHI^<8?tW0S~bc=g9|{S@A6z>;%Uqm@9h-nW!%6Y8mFlbDsu(k_tw z*-IL%P3G)eWDREFI}Rr2ylF0I8Tt`y&TBBW`#DDRpin*GK#tk>6s)jjN;ZZF{D5WG z)8Zy|+c5jmJ(+F0$wl7AxgLh_j0!B3&cpF<=qUEgKi^vjY)VIl45h|A$D+rMHh;ZN z+AasQNHiXWo3J&~7BMxI_1uxMjJfR$i4KxX*VWVGO4|3v_4ChXgJ96pCm{8v5yANMW6d zGcF=R(qL_xVflW%%ixo;S`>Ir12|A;vQFjL=ZHb4bqz{Bu>$ArMri7?Wz$z#ddBv5XrR)?ThXPXWofb2%61FH; zAHKvCo|%0PG!P35MjbyS6U&FH6L5`PJ;E|Y33sUd&t+xpDsCvru3sGtN?$@>GjKt+ zZ(sImhoSbYG$x)AsxS*6rK$G9$JoZH*IVu$RswW+=2u|^z)CC()2B->8@^eaVP3c|Odb)Qo{l2r5!hJ? z)}~FTyfIfP)c2nDSaCkBN5cXRhYv{=A!3W`WFt+3N25c`DD~ zF#Ck^p^2y|CY}56_@>KzP(3&xfZ~9p)ljc}*^F1Wr0JjfM^7}gNO~cSZfhw$>>8JL zVkKWgB1S&h8?Y~?a715?Z?UMD;w*u{sW#ueuN^TmUut_z(la)W7J>;TQP)MI@~bhv z;_5AtOID9}hLu;b0`4RRjFhB^0}a<}d<)xwVb^~0@|8%kxrnUvYowjV9VPhhAC632 zg1~pYZ>-5ezyO7I<^X5Udz6Vr{+tn5!x5+MVuyt?vJ3P&A*A&_qWan{QFBu}82{^% z2miWoC1JU)x5ijiWO2m_E3wfLZWAt+h6?IS(m#b-)D=lXn~?iX9w;d_@2IW3h=f$R zQT`Fza0ZlG?`QnJ$e^nPZKl7zq-tMk`jfrKecZ5RxolaT@yN!lXJNp#YKR|jElJ~C zf#AokXhe-Cml0CvrJz(JrQy7kfTx?v3!Nz$^6J)YHyRULxSCAGw-FctgbLLjd@IH6 zllH`soapJnvFIqZ3Nk=2WPtN?{@BL~;+$_T5gT!;Aupf9MT&%%e*jsoYgHTv68l#8 ze06T{aQ{}<$diAAlKNL5h}k+!?>xM4UUa^QC|whrDH-tU7IRzrp53bD`gh--tlS0X zLtxWVd;i$S=snk|_K(0z!LpYIWz$(y+;Lz|n*RjBp7EiE!@nf2tn&D;^D{!F{s|tA zeZ|K^ay|)u;lS=U3aLG>IIx5mc%7|WVP&G0#}f8bN2d*vF)w#TJQ06_4fG~b1i<|A zDuh-lcShGHkeP$Vnm|Pq6}+sJ!NM-FA6g5<@*v(*w~k73zSMFz-=+Bap1(UrE-2x( zsl?EpXrW_oZ2g~X!+G!+Vdj*5^^iB6Sddln;P1oBT_c}YTz*jTAvj&cbz-woof4hh z%x>-zxDyVGxfxLsjuwX5ADIAj!^{Tbk8`au;NGGiSUd90rFI5dr@KlLe|`O!VY}lI zt5shkb&Yyju9}DIzC{Cg^`3AC=hA!znwHwpv4y{|d*oKf-8U4dc4o+z1p9O>pg;hKHSC zvp-k^h2)ppu(#vPm&_5$r{!9>bteq`iXlF z)Rqq1ooFhny5lKLAY5ZLe6NVPA!HiNhy*^Hzgt(h;2`+o`;7uPb%U zi`70Ww#KwV;G3K$2W#g+nAn4+rFAr(4Yn))=+!L>X#`4!zh_%Tu}go+V&d#chsAP( ziJYppxWDsp^3^vsO4#&8*p`1}>(*NGOW)xhFZHvFwB3+Qe0r}g+n!f5eeN~itvU1@ zff91U5O%x9@zaBnog)(*jB{5{=y<7R+nz@}xkjW=ESz@!Tio_gvv1C}-FDZ^;&sjn zq0fPp@a8LyYh>D+_4Bv0!Ozg~LwTz;(<6dANGF}U z!78p^e78m`uRw^f^U$f|6(23l6^v|ixu&Ta&$y0DfKUvqY7ji3{97XD?WmZO)OewN zR~{r3ViIv@5v3WlsPMvi@@f8>aTUW5li^O1WZ#nAin6)qIXuB%0aI}cv&?)}XkSs-z3>6CT604@+*aZv(fWq?=utKNeL{4qn zv!pjH52wmfb$FpqQ6-oOv5|=(uW(CpN*W4wBMej0chxr!@bmn?Lpg&x3OyX=2W#)V zNSEDHNeW6sitt%MY)rW^FI?XGyY_y4L8qEgHcv@XZcgrrubxY+!G{X%))vy3Ikc_+ zPRnCcH*IMfd^gnE)oDnOw~eNOl^V%>Nk?*MbKpikt?2e;u{n%gKegwL>Ve9206v(! zB5Zq6D{)wf)l__PguybJ6>=dm>17>_bP$kW`yydf?w)VoJ#3YoXBdxfSf1D-!~s`H zbjp-v%|L^?~@!oHRMV^Qjrl3xGfS>6V zsFWbcl-*t^TWG$qO`Dp63xt#TOI1mWFvCzMb6C`NaJ9|Pj4r*Xo^%@+7#weZd0j|e zQYo?Qh*P;<2fr>5|sVsqeoHIgxX>$p|oY@_;*ZTC2aS}%Vb zZBPBS4Pac5sS+^y7XLg2>!3V$k7iKzu;^6(YUj_GkzbOJEt)@)N*PJ%_{pH_xyom% zMS5k*EbD*$No}VWVpF*dH^Pre%UPZFyQ`yBpE(Fd1;%ffGf=xo4UHBO`S^NEX`l~}n z_)!c z9u=H;@5>~2Sa_;m^2T)QBf*l**_s(3ol-QqA~^7Dnzh>=LZW6XOe9Sb_-DQFRNj0Z z$|lM3Jb2_(zLqWPK$08k7CQvln{5R4(2=6*1lhZ1LvSoe$c71 zGQy=hF9*`ln(?PXp#Df)b*wY0ILNw2WR$Gj^1}lu&5V7<(y>!uOTz`T(7db@f3&4A zl4gDKYXg)kJgV-0XXLkOernyfch<9eYI^xd_$|yAnxq8Srtk<)>M-TrOSS>pf_(0A z&M#QlNGCXhj*gOI|D4IR{G^SkKs|$Q%T%c>HuKXJg!8gx(}`BhSG=dH*I7=X_Gb@m z&prds=0Kp}y&w^+St{Ho7i$5FR8LKE<>Ah(oICN>jpuWKJ-jIuX1(Hwju>7$40PY! z?_3GGTE}m>TOd`7Q{D&Lk6b3hYm^#ikpLdEPn#?q%qxS1AOij&`tM!1@xVok7N@!y z#A3=iR6fGmgRM`waxqd(i=g>u?4+?VgX68AUJSP=lZp5-5GBviiTMt(>{^#}B>d%V z+1YSJ#R+t}DniRsox0$*tKoTB4crA?IklIwwxsmh2Wm%;-gfOliB=?n{C6gGg7M&F z*>AU9utLCPXg5Czfr2gR$esnKRi7CzT!jGT&deQk;-S3*c`yj1H}SA$+ODzE!E}(X zO=azm*ts!|qjA8Jb_CSyxto8L;UU5xdIR)_%%zL z43a?7Pj`lL;dmhaQGe-Yo0Nx#hnTV3zGC-3KXaSMFh58_OyMNF*RlCoZ!d#e~&_u13>|@wV-5U{yH_ zhlgQQS5T*YT4bdbByxK~*FbmjX1Fs}V0{!Yrl14`oKDVjJ!3;0*5@JWNLqP)u!A!g zzw#cGb=tBOaoE6Ul-^`s2s96`pWZ9f-Y+!lzb|~u)}b6$(kz53{0S5-3P6E zD)aTkX2lrBDThch<>5bO)8`bL_~T$y8hbB+ zSi#w=XPpABjP-@GgyGNU-0~H#8K^9UWYK(flZq7Eqe~m*wz3}7vppF#llx(%6Bujt z68<>3jRZr|Tf7+1L`v2V$a_F!xo#Q|OKoq#{dkyC5rT}*Vxsf>seAa64LB>;KdS?+ z+HywUqO~i?+YS!Z&6yAjf%>7QuaLqkKUCRK;m;Hed1Es?vs-8C(wR9Ibotm6{|?#bBh{+c zS3)XJX@iOxU*w!fp_-3sI_TBZP->Uj#WY2#+o>5E&8A;CEn7jz2iXs=8C7P|!luHx zUbClg9lQRyfbdwl1u~p3?9+PX8C=dPk;I{e$_-R)xm-U(CG~t?>P6#=ESF%WlOsom zx1l`rm&o5sA4N=q7}ijJy`cqUf6jV1H_A5(>Td z>^&+(DSl>fb~w-L>tFe~pXyyyd>!i#$uHwH#!!CTNwBUBY0r{&P;{JFu|Ot5Tu-cE z9O=DHab#k6D)9tNlfWJMIIFp%sjsNaZ~S-gFmTBs4!nYjoZXLD)Z$xmcdy zo2*_Viz|Z@)Z%B=MVZ5WiPsjntf`OGUE7#;BkP;DO-fnQBApZkduD$nadm>=OO=%! zVi`kuHW!#Gkhw6S^B5MmovrrwLQ>+e+mZDzZNLMa9jJI3Hdv7UVc*iCPV%^pZQJf`yC4ny zpLK$Zg)k{%R8!h_3z2k0n%>c}`A_7|b4+Wu7c$sR`8|i{59qL3A^LzUp=)0&GU?ZD z2?<39`HgQNB4@ogn}v*#f&(R4 zhIF4v_NX@qJ%zgiF0mmwT>d=;q`rsRyFTyz=7IymOt4gazwAny>>;blGe5Xo<8nQ1 z;gF)~QajlH`F!*jI6e;DGdN96c$n5i8srNchJufM`&k4FhImI@0ji8ocqGY#&{S6N zo7E1*4bCH8h2!{6IxVR8w6t1HjJRF0$YiD&+9)VoMjw85LUca%neYnaIpoZDJJHHt z0a4Zz`4%;xdh_3!xpnR=U$q`t)fx&4S?~P;)k?xY<8{*>P814UJmH{3(Z<_wG~^)| z9ae8zQ+A}}5;mki(xWZLDPuuhNUB}DqEPHO(~{Z;k9S)EYv5cBf7`J(qK$F5D(k;fbsiub6SPVJp}7(jXtTt?q|c9NyhX7BPf z59vew$v)MI8j9#>+XDg8AAh zAv{$d!Zx>0?2~%#zCIF;ishL5MP1^c>N);;0B(jMRlT?IG+HXS%Llpx#ZUHCy1jp? ze%3{%jkLgRsOs68y5p>}WhPa5q1zYF`Jq)|eHU|Wd(uU^u-=8!|@Zk%T3f=IiL}dscd-<*DDyeD#KPGuP-x7dz$n_eMd3v+GIDGS!cSR z#>;TI=aJm|J3i8sah#wR1~t-pR=Aj&0?GM~5bl-sqlP-a-2p$fAwqb&tx7aL+`HWK zd0&;{2n*kPucqyTaI0|wKxM(P0y@f&X{DF8@3;=rOtj6hxv(@Kj z$lj#i+#D-qN!C<;r0fR*li``34*AX_nkZk$Npol%`>CNzASAn0_&i8MYT`w0{6|P= z(`^v8KQMhk>t*PXF!C0@90&!V7MuPw|0GY$P05l|^B+QlSD@-b_M5@{uNVV+%u;1dWlh9(k=#lEJVjqeCP*{YfwmzA5_=66=*ys3(9C#4cdqE= z%Q+NM-^pD%OF}|!M|m(Mx&6kDCrWEV4lcU(pIt4RFPwPrpbOftW|qz#_^W|ND5>X; zw~;ZcCN;bj`=yJ}kKiqNF+mL#$bzIFc411H9B zs=v|`7yV;;{`@$Zf!?xzY#^%@$(tO*L9jBk685Xgu%`HgmX~}4RtR?VB}^ff2JJ4s zAcPEBEgAm!&pc89ctYm!Q7o6Og8)YfZlP_9jM`bU^nFYG$Pihp#f$Z_e+Bmx4+=8t zu5hRS4PE(xw6k#+S@yvoV`zP+K$UIhY5aQ9Zt%lDllbcTnCz$bGIWJU<1nx#Zl2I9 zNEkT4v(ytgB*Q|F%O7Mz*FVVu);SvQxyQ^H87B_NsYz$)Pv{27;$D2M^eTV_N+CZ9 zz2{n{9S*nee|fx*6k@PsuGUwjs}n*RH=fZ(rq# z^x$M{=~m&naY}tXE+AXhUkSF(84l_1T!i3xp_&U3yQDbJX;zYgCT#4{`X8M?|L6)` zsxA&%@@I3uLlJfv>`{O^%@swYWMS%@v$MQl_D%NjCFvHDJ$j1TA?MCLzwJ5q3RKoV zjM8b-aTUVyzEH83U{T_J%p)>)-41kspI46*qS4oAa_Tck7*~Z>$cjk)qeD8(Ho ztTEj}+qS9)^QHYE#3KWn^%+_IMpob&hVO?MCs93$6ZIL8Eywo3L30R(OrR(`j;(qU zk8E5tk3+>yo>XU{HZba}U?9pK$tCdGjQ@Oz*vcp{};<&@Ly^gcQp@SjdKb9}@#z~x&oQSF08`-i|xyL*IoeAFR zp=N}%LT1riO~mw`g4JcKON*Z+0|a5@OfIZWEWuss#%uZYo;P@?X%T$r1cStPnANzo zPQJlClNm-UK+#dN;T;8U6h3Ol#T?=S#{))Q**|n8MO$d3OtZc|!H)lJs%pibxT&>? zG+nQMHZ>OMZr`^L4hzyvR2_V(Tg3pqnqR%o zaLH&gT3g#NH8jJ+c{Sw5Ay&gp4=HEbO%(c4lvnjM0Aox5PQa@x^MOvysKV#O`li6U z{<|sUnJ~5Mx$vAiIV1Tk#$-CKWH101sMykOp#I!du3pp$bX|c;O+d?$DU#WsPIANA z5GBDoE7*jDXqVu0Z!*v*tKd!-A2lPM?t+Zeo-H97n$huEmp<`$0sbaslOz8EdjYYA zI(x6m&^;}*yVlZb(KliUKK!3efeZH~9`Bc~)6UQ&mJNYc_#4(9N*?6RpO(>F*}8V? zi{QVTiq^IyDoOBMEb^`=3SH7;?vBLy zd)OcFrmNDRnM5-@EwM6QU!MM|+E&+}iMM8wIEZM{Qb*^N9skpG@bc@j09=XhR{1$z zon#}5qOME$!oQmS$=bY*DDx5C=&d0x$PYZm`k;=}NB$?jiFTXF1WY-G={LD_8Of7G z-Rpi(ee%STm8g_3S^;rb?_N=Gzq(fkf2%rwv*4i=yX}UvdPfC+Ry>hY_ke1RZpWr4 zMPcR>niSc*tralyCs>gdJLEZf&sw1del|f(N@&Z^;sXx#3YA`gXup`FJm5PA>8B|^ zFglu6xK(@xKPb3tV>;>{DuEM%7jJkL&ovC!F$j$m$D0UDt8d3$f^L}Yd20IxzkL+iILm#%DD!# zqh>Y}$H5V%?&b^X6aShh9Jsk~p}B@;kdKDK0=WK^fSJxWo*Az&gH{ zkAd$;!%fhlKO#e~RpfAMeTh#U96kvA4gT`*?{jWZ5|_C0GCXTZX7+Co5{sX5`*Q*j zzTT2n$h}LOM}@V)At8_}B1LE|_`ek4xnV-w7}y)xe>MjBs$s%)hzmrRwV8?yjg`0P zM4DtKd!rb{AV`2<^jMzAI|-UWt!Fe5h9hpwTCC{!|2CH7W^c2r64Cj+5b)@K&i^#V^n-3Q2)T#Kl}f3aR)PR9_$Y?rA1M~x9d+;wu83@qvazt9 zcn~TH^zEQknOx`m5H`njqE>Z7fbj2RPL|CX8O_$mkH3T zQ8R5C=z81Am*T8opYwdK zk1@#|R*>y}-p1s#SQE7*e7*co$<;Unow)uuWyLHTeQnJt(_=FWb_3caa3nxx?daj)KL`+2oF>v3%`jr4K4dl_(Pou|$L-1L| zBWu+ZXG)P^C&d*M0!BKuCzs2!rbPa?t9w%2)hD$|GUr48JuA+^?#JeOyWA(C%0mCY zExmo?A~Bx^$rz}4F#I#iM17jBP@sQ>V7l9Dng4AGNj^v#+h&wTT1A0cc_SzVgLpFO4_dcY9Z4Z92l!$&{&gC3eUT?jji7C3bK)`TyJAKu8j8um7j08D76rv>(o31^Sbe}r_6De=%6 z5IxL0iSp;NnfY!_7PD6ku5Xpov2Akdvpm`38dt@- z58$x(+tZp*h3QT%9h{M)QYQ~94UQ&56H1B5OoLcGUX7KH?g^f4dbq7qKG624b>)J1P_%-OaP2>T z{wNOIwaheGm-M6ie5V z6bjP+wFP;|AS9Km>QEWJnTHH#n*R|n5(t9|07(>XO-cDzF`C>Y8+XMZ63a=kq%`0jr>YJd-0-l=4_$^PS*t9y== z^u$%70MYmb7;5G-EZ3+Dul6ZzW+dKG26W5^eLM0P|LJ_{dwbveB)MNj`afgLMej^P z2KN8C@YBT!dk;Zj3II7<62@3#q=`ld<0FvHFTf@e&_Nl7v>El0(He;20)1MMA@gsR zY^2y}H$qEDOqcZ(D!zZ|FD0JErt0;N=tP|dLXd?as5@6pc@kWhS_5gCFy6o0%djKA zR2fMt+zJ)NO(Ex0F3Y-$a{^FHRFV>4d83C~?_1Jrn!3)0JyCTsC%shk-shxYWN!1u>#sY|?A|JdbFd-fwv{+^gfZTA0SNHoKdyaQw z?x1#ct_*XBB&d?Z3rs5qX?GN8YEfuWP54s(F}P;o!o9K(R@{9!WLkmf`c!D2$vm+G z>X$WgEn6!j5BZ?Z)T4O)C9x>m_aIbk>(&O<1^2Un;Jbvm^&;e-k{mhKsG)@>^3yq{ zJ-TbM|Cnlsj$o zS+8!qqp;g>ZJaMm_EYJX3=p!nxgC)~QG(bx^u%9ksv9kRyR`G6BC3o!B}IyAY6FH3 z2Jqz1SIBnuK*UyJ27wwW8ODkMY;I?MY4E;Rb129PA^jO23^v~nfTnxVc?iG_olBAR z;oXN;PhYuh@4;fMft20+=vDVK&=o-AMF7pZY05hM7x=JlnlSeT%Itd_yylRH7-?(L zI2SWLvw%wWOv3wp#3C>8g}4njj8W{CJcU$p4ZoI^7X4;9fntChf2#bE_{+y}-2%?v z_l90TEHA^z_Mr{4iT0!_$sP7q+yRHBzj}vg1W9@rz%`L??{N}Jv5t3t?)Z16W!o|3 z6R^C)Ip#NrMN=MDP^Zvy3a_sr`D0|z{7@J#Z_ADb5}pmsQ~(J+WTprRD~WPkMgrc9 zPzpAr8q)%+!$-u+E}td|P(>ft)*3f^V0H)@F^LhLvn$Z>k;*J`1aR|FaixgKr=TP zHWQyIoQUm4-~^T)KKag8fE#Ougifl#B@;Co9OObxo>sC?j73H8s=AnyB>0YM84BMB zp1|F)<;~CHo$v{w&54@I78{R+ULZhMCtQ2Cv4q@%1;R(vt|@LncC4Z++3U+z1D|$6&UW3E zV8hW}1}mxwN9sSW$hp1*m_E$)ZoO|%Gp2ALK45S@*f9KqM)T=2HhO@e>PNIwEAxWT_Mjm%Q zHU%_F{Y_d)3JVhA@8=exY+Btv4t`fXsr2CbJ%R5tlLb9L9cGTYbNdpZ)ZW9dO>pXH z$Wz$eH8Q$eT)5iBCDJCzr=}SQumtQXK&em<6I%IG?u9D~2 zwf8ZpDlVJbdPQt{PNR!OpaMEcNY+s5IE!{a-X0O}&NFhuetsIq^83go(t&+M-#yeFWj|}T0zF!(S_c51=nV#* zM^7(V{VX9cy!^P9F%Yy`Ds06kisQK3WldkK=&gZ)2x#SoKr#iyml96rK)v1YN!0ap zXSa`bXWRaUtbUZskTJ9i@Tjn!6i#MX;to;Dg=tds4S#S5W`2u^&of!Qn2aPhw(6j2 z?Cf!~3I~hR4Qmr0fb@nsOuV0dl*54EDN&?urg`hSkA<=m|N;-iQ z(^yb|ZMK@OIrGU-=YX5kaI)-3~rj0c7Klk06Lsi>1IBh}w$AhCS0c=*-&M+kuN zolYy)BkT03RJ=rEMi6mp2-5J~M>=O>j2ts#GP;N$ed8qJfIW;DN+uDJhBbgRbT6OQ z3^(8AOZ^a@eqJ)pCI2%kZ$MEZxfi6JQop!vol%HjJ7f2HgX&l#j`|idPs! ze>jx@t~YJ`dh57E7H{(-|IL)WvJv!TAN`(&f;U-WY9g;e4m@iRv?e8!@~_*7LY-~V z%pT#ib|a$tHk>lx){_Fqql|JeyP%*mQ{*3mJqhx=!4P5n2%!>S8{z#igKz~r`pCFW z7Yb>;xO=`LpSP{G%j{X-mKJR5XAh-B5K^%naO5Q~@BcLEwpHDesa!p#7b-rt9vlj8 zn~rE25pYL+0}J{}U9ao{1~FMd`PsUVE{QNMB_ov;DUN3LerL?F+>H|^f3kCgeu!4y z0A^aCRbcVN|7;|;EeY=wf+jDD-<$Ppz$#uBS*sb1QYXBdl}s#FiZ^hcqJ9Xw1Wxd801v;J9hNV&|!pclv+Pv1Djj>&4V$VIMq{A$U~W z{+Y}1^EZIS*p@_lbx%Pl;tGFZ0m;xDUq>ueMzO8<`?%%h6tl^C0oFJk*`2!57d743 z*&}JEyXq^flihM#!9r3U_GW}PsB4~{P$MeM| zfNA3GU{EE6uk8E;|H`Srk;c5>3q@m|oYa805x6$H<7Sf?bfBcUn@3I|9p3r_p_u}&s zX6a7f1!2Q6q)o0!hUqkp0OKnTU>AKUcR{mPnWp_jG0=9zXvKSzye0+9F|*b%!gZLH z8JGpObwYUA3`xXPQ+*S4b)+@&*|_?l<#b3aX>LJN!-U=Z3nmlCg$);>#vFC)n~V|* zf;*kq8RC8oVK=CqOWEz-`unk(El_;qC6CaastTv+9Y) zwQzbQY$q-eSW}3Y^t}6VB>(4&8HLjAd_a`o3P21co1Iv{y`lnJLF~9WP6TFlQ;E&% z_ns<`*s{B%w^-dD%>)&Bk-|Fjdm!Z-f$d8%YbfkgW}d0x*c(2zi&QoEU~AxrRea_Dz7 zEAEGQBSmqK{C$#vOhSW!4S8;%GYGIZYIA0gwpzthXp7Tn18V=*L; z7DonnwY0*MF$gy7sJ?Rr9XOdpa_GgX|8u!6{B_y$@fuLB7^M}1tt~w|C=umfOs-rt z5vvG+hE5>M0Td1RURDkLT4;s>%#W+!IKiR0Ot*^ph(_#MJgJ|SHxt-)2z2IS(=qz< z*dlu-_$V0Cf!IiienbzQYITL(-4)hp-#E7RNgYvH3JD?f-WZ$aymiRHml4SD>*3zK ztQK6jLw4%0!Q-WsL(89l$YA|c)&(iAPssZcv6ETOE^+Or@1bN(!(}wMwITSpBW8N~ zj^XNR`GC8(T-hYpZ6MxI&K~w8Ns?V4b7_9I((8sqA>@*t`7#;KqbZi9K$qRHEb2gV z-mOvR4_%H(BSmw{rcDpYMqZQjPVfQjxkRRpXSV$xk^V{uF3ibL$(WMzN$A7tgZ4cL z(^cOTZCXrjs^vRX;h~B3&bBcnGb>@df_I?_6>{lHywvjQ2$XcDq;jLjvF@Nk?nDo1 zp>f=q(8Jx<+9DSXp9nIr6SJ`}TyI8QgJYcAb8r=h)j??nuV{=pI87Y*Y;CTb+5$bq z8_mrE$AFHhLax4J2+0(#OK2IO{z{zG@>)n4b-+D>ynGV85j(LNaeW*ueSu4xI&s+A z)gO;38TBfmRW|^7WtnchQkSGeDbl5A))Rnw}HN%yQIalGLC zgjdr6EF8?=X#u5_5ZTfA6>c$QtHG~LMMXb&<8fl{JLB@FwixD^u`}UnxzNRpUjt0s zoJYg_9`qw>gkEK$klkSsiTQkKsgRGHA>&oHZ@*$WmONv2B0U4ULmsycR}SyTX@+6bbc4)KqN9|33FxeHfK*2xIyxstOz%l&^#WR%mGi# zscHu7*Y&($ISh^$KEy_n-D9`(Tx^`2IhaUIfh=S=4wu2Fr|hWaS$gT6^#afcAi(60 ztuW-%5jWmp?I2QCGCgVgM17M>qlpXv0p;c=^6@d6rB64u2t5jOQrKlS96Q5B+ei- z*c_jKs;ayQ2q(k5C?E&fIGG~s?-8=$$a>Fiu^ZD163jDkT|0W9h1mlv%E}(!;v+f-7Zj@RI-1;XK95{!??rwF5ewP2zVgLj*-l0 zdb|qC_vB6NCIJsS57aYOyp9`Yn4O|>ANM-p@$|-!_oaJyPPja7*}-cHEF8GDaXYdY z&0$3ka6R13x@jbJgttHBv|o5>PqfQfx#p+kB73%nBX0gUXbN;g-(8LMC!FGIr=fz6 zO~&wSQWd>Il}V&U7rvd1baqi5Rd_r74w{l5gKLre@!5j|ygO7j_3L=0=1Y;5lM|w} zBaS5R-cJX)(fW_?B@eh}!Zm;rq@ba?jPyNV&}*^zD0;>ldjaj9-xo1cGSw*tHLnW_ z+`CAZ;1$9wb2TMR4tbtlTA%eV(ZU6zA7u-~VUAV!uwnQ_`}#hyU(n8y!-bF{O{j84 zpE|6gpPhn17-hg&V_x5(#tBh0m4yw%WlkP^Gu{Qb$gr1T*EY_EB904~r1bt6OQ2c< zm-6XH1WbX61I$_LMXm@Md09ff|Kaq(kK+c0O(BXIR2zK`TrqgT!PO>lAmV^ddV%!~ zUWE;MUq15?Hpu8MniI`b?ouwcZ1-6#=t*4EJJNjY>^9JM0NrF((P?rOQ%rQ`; zcU*_0f!7H7w=$wz%U!IY!`mr^dy~3~7L~h)y9|<&ijQU}O5jejTky-H(6*pP{Rwt# zxG4k|pNovN1iH^!UTd7pCaFsd9_aG|LhXTsB|p~Hn*qMTAOot;kUYeP;y|A3c0<7E za}ed(y$X$r3aXbjdAc4^JK7A?RFGGmA<`1MI2S!m%4GpA87OT>JgW_a8aI+78F{|L zv)f?l&QGtz+3=!Io}~9dn5@y<PR=B*RgSh- z=@{H5b@J&59y4APo>A7TP@Z3DFwBK=0Q?{~Ncqy$S!xtNZPJRZ%S7Y`>y^E$r9TEC z0VF2*02Fakyd(i(y#n?-LHkHDp!~Uw+;;6VzSsq{MR|w85`)9zOD}+N->t+o7tx>f z70;kn$7EjEnf{&~`K(_L-4oEAV+!_3_+pzK#asECakJ>(V2NXtp@q0c&M*kDrJ z6sAU~A6h|@z!PV)R;Rn62krtDA0G<6AA+vdZEA9~T#vE8H9JO_cRvR#a;}iNI`YM1 zIw4j8D;rgIsl*Xo;~ip5$92Jc_WOH^g`Fjq~d_D zDV{5l1x^+rHOPsR@WGCNoPHg4E#qcif%d@fz;;0aIeGp+m5E4}JI&05x>cSajnTi4a({ z>F?>mCow$6P3=H<>2L8@AsG?E%kmIh)sfX88Gqd$y_9d|K}a$ahcCtsp>hS^76CEY zCGi<5aml%$1kJil>e+arxtdYFqEuiyns3RRrRnDf3}me1)7a;#CBYHh^PBA zc1zM=ob|^K1Orfy z_*@}Z_Nrm+=Li346_w*av51h7GWNKf#66)bDP4?z^}v@fxcpi0gO$1V5eZT$v)%|Q z#TrZM1+R{F0VU2&o5F+20BnVuUuAG)lIF&JJno8%poLU%k`v6ETi0eO9r&D-O6Kxf zha8RqH>iV;NBXRlxk*y;Ubu!x`v}#fL==`6IEhab5LsNo<=s3}k`SId4OB=(tA)Le z*7$9B&=rVSSIn3s>!0$R4&R0g139avJkg@0=K@AC%)ykyQT7*c@wYcQqS;Xn%Ec-8 zQ11E5WzS!->+|nIy+JPDoAN}u8{6?SdnliHf?Ocb z2~}J2Y}?AuX^DV)?m#T;87xhffRtTY=o_w(o~JTY(8isBKMrdKt@_xgpXetL`Um*5 zRKb0J$)=3LUPd9rK7=cmaYJi28t%2l9AHx4Ke(w`9QDnO{f!qf&uO8*sahkv!47Ci zpMjWv@UR|6U1HF3GrEAId+<8J3iNr=X)nngZHG@c?-6cg;HU>IAt38d#VR0sz5sh> zuReMMMTVJg3Vvmp)^-{=s{r$qgC7?4+qlE^#<&yui5}1lLAG1IBDlzGQTS4N>}R0a zMEK-{H05rhqmCRieJu5RSq<0t6Y6{?U*C)-eSY9Z0Fp#!6y1M1WtQ6|kUI>7@prp8 zqzwUD2lVKGd>XKbQ$TY<##nioWGNFUp+_BWtkt9iN;csP_GWI~WB zWVHu_7J=pMfbOwP4p~1&#~UsD2?Z#!XagJTZydH@yS^ZWd&6^ZXwtxk?1T(UaXYaB z4G2`+f#=tq_;%DKYG~JeLX)nAgZI7gOPj-ByL2GzFmJy27QLU#W+ZO)qtanu5VsqS z-KkOijkMn$H1MzndVZ`;2QG-Bf<;kZsIbEmQa$mB&=HkHJcM$7ha{h$0z~{7{~pK! zt=~U7G&uAVg$%sMEC=I`($}(qLV~#xD11cu6gXVZ6xB7Asg{0UV4F9G@@`N@lC@g- znGHNVmpt|qnM|t6~g|<=hsfU4;Ti= z>;2YWZ+;}E56)j40D83sxWpIp@3L~LlpsC4NRsDTVhAB|26)z1IOpgMc{oYwRzGUM z-=$7we0Q=3;>}=(gS@XqYazPx1X(fgrG!y5u_1Ax-y!Mevq&tS{LqCoGcbcgy)q&9 z8kvE?qGRuHzcG9>5LD`7sb>$TN+yEK@rPk8a9#SB2AK3XLEqQoonc0Rheut0qlJSK z1r#DR983;E_qz!gOCDVvUz$pOB;foQ#HLgXI0!dI>#+xS*1s~wQcnTk06TrDF_fK7 z7ApAb>TNc^enp@`0scD8NL7XV*sG{N4$6Xe58l?f1Vy-fs?-oKl2X`HL5+PJWA06r z)>d9HRwWAI9uKIKdSQ_*TZnQj6t0mcsVf(yJHcdptr`kSf7Cy0d`Dv&?i$(bi;hl@ z`9ZH>Gw(!?xwol){Er)fmuRDg&xRtSQ2cQ!d!q0Iu8!X|^IqE~@4QMr0((F9j6nb) z11;k11&han@QY5OE(T*Iap}?N2%Y4_H}-j4Zt$o+q+-ha3j9eSKp4KE^pB^qNuYfB ztTsNk{EDht;ByEp)j?t@I@(S&Nt#A|pB(ldk3~!U0eifZ{=iwcapk}E-ZUKQHvAv1 zX%xeeEmXt^5k*w?Wm*+k+EBKH6k*7|HYJimDU!8SC1l^1P_l%QeI42NeP5pQno+;* z|L=MC9MALOIl5onnVIkRTF&cSKIi8=uQlP^f%qsCG??Gw=t5BXgAXtFSP2mD_dw}A zRw)l6Xd&&Cz%|`{yh7+x6;~cP?n5dOx_(i9A1y?3tk22*GVB7cl;AIs~aKxdM@k6@g$Zy}$gagED5WIwI#a^sS70jG%l?FIRVDLh< zqUhz??o-hrm=an4pAN@A`Mf{=YSphXeKrXz`a8tiA~cq~tzPPK8lA_LVe7!~5!v&X zLb(7O`JJq079w=ic5Bc?#cqGR60RRaFBAYrk1A%l>~GzjF5KQ2)=`oN4X6z`KHY(9 z!azX%+SX49j+G*AS-;fK{!hxW$6t9ud1&N-{CMfy%I^Yrm^kXzCo>@O;Hmkos7B9X z4s*}juii??0De%0#3rwpgo zD#xk8%zav`b+~^WCJ`+A;#=WB0z78J=EW>I6nbspW88;Kka&?);7LA+Gy8Y zBJ_+&krE(6l{|LE6Si(Os&JK;(6PD&S``Hu-nFQHJP&#OC8gHoO~2JzD+YQ%<{dIV zHD3#ZPkTEozy(wmOLYIUMCbu*xmmPerq0H0y;NNOUaK{)|?-_=CFI$7p}9$PVl{ zo8O*s0p7hj9!r$-6M76C(rMAFQ^tPm(hRr>($cq17C?-_cm8Yk0Jxf-7bX|IHw%Aa zT>bXKXQyLG3mwy2L|^kbBFIDw9mdLj0(^?)Dcm07F>L+t=ZfgbjQB_UsEZ8>5}4cO z`SGGrF2+YET{|mwsk)Q0}Tt_)>j)%y_iX^=hAtWFF&$I0^dmoRkI}_ zR}b1rx?0rIKisYo4`H_oO#5_FrGTb0s&qm9O}+i)J~8G)<`zm?welYFuN95|+zsi@ zK4@~d&5dY&bwT^S{3w)%%a(T`*Mgc+L`XDr@o_sM$nBF4(a=)24Ybxpx|!)nN9p|R z(`Va-Q9Y3COh1<;KY;eRUvcqTAQVwNI*{pbfw+^$X5C`XS ze)dfzz)i7D^@cw$>`I4tb*=3uC?M1UxvuZK;M_c_ng#r=_B_ATT13mn_SW5^4$P$L zn9;lM{Q=;~A8S^=2yq&UX=(bnPe!YNuh02mna=2COjJj2I}pm@jGTLC`J1ozQw)4@ z)T{1O$*bcrp1AE|F3IAN+ zz{y}!UCEK$%X-AoT#gG#Sxc>%Ibt>i4UgO^!xda3t4fp_e#j)(yVOPQcMa~XIMpsI z8h3#Yx;qH(iN}v7RCa!Jn$3Ct z%!9@d|3q$CZWnIqf!Cu`+MJ+p>DOCkhzTv-Sx3sFuV|3XYbnP!=Nq+Dg*7qG=ALL< ziwR%tB)%Ok=nz**k`+!bc%h$sHdJB)h&Jr-YaLrXGL0lW6hlT2|g&YmG@inP%XVr1M^!Zq-8RY@5kL8c*l5&tABgkIuEteS34w)-@lK!`5 zF>YsvOzmT7p3PpWO|rVKr?-l&p?8m%u8v$?sGT#sNDpI3%DS;RZAA5Q*$IGJ`d|z% zM0{`3c3td9D327GE&MujyC9jKyJA|NnR){>zIqe1Hfk~DeM~CY6l*Ye#6Ac0$5ddh z_8#mu;cZS=)Ts+rEJ34Wh_ z`BQ@@U;JRvAx~$SVPNA7X*EHF-sjB!TG_Ve5ra)pMwC>lRAdgn!CIWxbphWJGxRJ` zDQ%*Z&>mqfAbAGdtM*oLiKOsgRnB zP<3nTbaTJd#TgU4=6Uyv83P}E?8hZQD5lg1oblFHZO3jFoP=9F#$y?@RK002JnGXu#sn&^;#PVI{dPx*L7#Z~PF7Q&b@u zWSJexd*cJ$wvo(}B5A#>x1Ot=5}7+A7&cX;@922Ivj61i9CT4d%+6?>qp(XGB!hji zE3-8v$rmKInT|c3oJk#0JT1PocG=q3u!72-xZ4By))7Gu2pI$WtXYpjhs&-r1WwTq zQ`Q5}3DYZPlb+1Nrp6E9_a&}RJQ>!v%zV1_cSB)y;p!jGU1`1>J`j_bGvdihb(O(E z?4Rk;nHaz{5o4^b(nB6Rt{?-)W18$Fp~B?kLB5+1=ViF&F=nzjT^?x-mI{Re0a-=u zG@R9<;-sC%Hw+elT zkd%rqFa621Ydticx(bb_j>$0H)x*18kSOmy_o)Oo`>VM%M`2<&ul(AJGcdZ0)?Cs9 z*))a~CZQ{_s*$o*yi2I$z?7xhTZHw)Hx~Su80mK0;vS)7J+p)@v{4 z#y*pKX0?*x8EoNwE5LsG>EtbE?l<0B0b)>wnMYhK^CDDW>@C`N&&i7Ynu>bn=~*#( zXf3H-5Q5DLa8Qz6oVm}zK*M8I_~xPE`&*t6T*5^VO~h{YGA2^dJ?Z6(~=r!3SVw`|6W66 z?v_~jR8f%l73-+2iz!Uh%j=;POW&(+(-%Zp?z07-v|!vLH4U2`m)X*bcrGqsoZZR(6Vy! zlE&(zhwTjQ7=KrTyKuLAF-;0|!}~ZzTfBR$$80rXxv=~$kM#%N8;W|3>$+K`eYM3ctd=5%a1lbyej-b-%$m<%5lTyZj36r8p#9qV1?4#Hqtxw5<1 zqCMQ*2?xTs`IFO?TPLW7ff-v^*1O;xb-~9(Y@btwv)Zta-@X!P{Xe;ELtYWVRT z(flsDb9&K>S7(=Nyw8~&x>60j`QBt_$9CQztfOw4Gil7^rq7kO>%*s+Q92-a2^)l8 zkCA~hUVb{!O9ih+8deKyd7H5__Q$?H5x=MtH?&Hr+g8j!Hgv1~{D6+(n9U~tg^|4A zR`G8%i4ecr!QQ>7S~t&n_fWLMw=fz*KCOMr0b2RYMO;i9D89sr^Bu$8V&}#PhGWl5 ztUsKzHz@U6M+yfK?@l2W?h1TNm^1HcJsU4NCy{ujU;BL2Od^~4nZ+Ozv}pL9q^#7@ za|2A)EzJ9^?_Cw9MTU4)FdApJ6MWY@1;JmYIRfOHT@rUfPMDYE z8#eIXeBpdohgEg?KxHGSz2}YmY#1yHSaQ`@fj^)!0U7vYlMjyz;3V&DIw(iFz)wS6 zZr_4%NWXoM$vva&@XPSct_d!yT>lce*n=Q(0=`xb+`S%7Es*Xwv=CxpfVp5#4Scz}z)TvSbdR{SOHwsW}rWvXY? zNY8b()wQOCLu;nNatb8kilGZ1vJl$v``pe6;0Q~w&}yjdkn9$YEiD7(Rxg>#Q~9>b zo0sBQWwOzR1p3gIin#uiT)4g8+eOygYL=J8DijFoK)Sd0JZ7Gyp)F;%d|%nKq$JGq zZ7#1~?l#=7oI({ORT6Q0E}^w9Evry_+)#1A)iq$KENSEmlz9=_VG|a5dH~=v;oax3 zyy=PM;cW`EUb;Kd?YK){w0)sE^UkbS&8>58{OD$9VB>h2WqQ4>$KMIy=eO|wL-b;n z7-#0WgbV3fZbpJPH@(4K8@^sz9?nb+(Y_v!&U|^Tp-Uu=RakVaD`zq3UB>DE`Xi4| zU-AT3cAzS5ZbE$>*+axKBF^+fiW}m2JR1??jbBrR13-na|{I3H+ry zx(;9JNed9kD`X`wIbH49OYw^KuX#nLY_tj)i!r!F`L`K_^V8S-9KMNK#94;JQGCq? z9ztA99Hb%GNlJU?EI-#fV`wpaSK7LsWh9-l;Y1EOX^A$)?m)ZL^hNsHTY)vPbkt*) z{|S)KF^%<>(v$E7F4_aBJlsEs9t^Px;tWw9w-<}MFGVp^?*DkKjQ?pQjJ^qaFUII|h+>6|Y%Hnj3wo`$+#ZTA zz5M}unW+x~t!Epex-U1;BIaNTD54#)o|fm@_IjOju9y$ z03B%_SZ=b4vI{jO@MA{f+)`h4r;5WFG2sV`%ba2aYQdi5AMf9ODsShb&r$mh?|s(9 zsge63jq2HVa!5C1t%6(0wamvnH$26eot@noCAkv-fC6nWntA4(f>1#s^6}-haxhy* zldxO9>jq(F1PGxsR#Z%f(!JQFH4de0cbfOcLK0-<`WC`haMTX%3UbU7LGXnvOq34@4(L0EsziA2#Vcj)xsTlTxR zGM%~_CtIXtUg#f%=R!bcLF(5nnNCos5myiLL;p7!yY5{@57&mx%qw#S z_tb`VPwW16TbcK%wzO}+VdllEJiH>-7KV&Na`JgDgM3#Pu25f}T?ARBHCdhXh% z)1%7b$FT5l5)0U;C$vA{hU~ZDgxT*_QoepS9;^)A+633Wibx&2PYo8;MXTFtXNp_0 zf5|^$mwzAA$}-Y5SuX-8VJNI&C2kkoD&sFg%vi3T#wkHecd&9wxgzJ?>zDHx=O>R) z1WMC}^wBHBv&r6u`v?qSFRQ3|zxoJBb$h*3g zaN(tzl3r}a^q99;ZMhQFSkur*a_Jp(st9-VQDD_s2L(npv9=F3kEZL zvtU2HH-}r}cFP6rpHbPD+hf?CvU*cdJVR!k9M=(acwMXaI9*EEdHi@ob;fK&Q z1WIWS-7M(E#6|2)SI@}k@TvjCCyim@@i33`YWd)9oem8(qTYA}(M)r>A;2Lt!+CX1l>BBh_8UyQe0!5+ZPL&4)8=5!PJG95nU+?Ny$|oLG)>gI=d|QFmA({mP zrbDALTWaEn$-^T0Rqb?QZ-vS!oH1Biyc`JT(1!;=zX(Q$Kj|xd*-k6iDz!;c8~|8^ceGsSjh6h(8_Ex!azS zU+qK02jShY87JM1S@D6Sf}eYh`3&80VzfDFQ~mKH@eDn;d6A}z#$(7A2x5C&iVsQJ zlE!qr0d!$AQCA59qjQMBS$O~!)SV<1tjIaP{hZUGj!)Z;D5UT%=brY4z503-FCR#5 zdsi==^F?f|txS7=DDy_}We9sfyCt4G479Ar8qwL=7R41|orb>m#=LEm+KE@~=daw_ zONmaIv09^s4#N#m((mB`a7O+1@pc1VOfm**<6k@Gh`~N$lWy_o`(l%S-%~-j5WLsO zM0>X+*3*~KnS#6Nz=#fBfWJ?#mZOK?v)__|LE;BHr+14{?Q zl%;Iy;+;hjw+Zcl!ABs@!?Xy~|gyfx2K}rrwD4<~O zL9NxskdPvmyOVb`xOZ0_{fL^4b{&E9#ADAQupT3@1p-%aKHqcg)w#1U5fflH-X*%B~GUK!0>>c7O-u9~^gh`CFHW zgOqjEcsMKNmaNC;F1gmcG1SQUIWDe@k#cu4I_qkD(v0)~gdOh*A~7Eu3I%LJz9<1A z7Aq&H?5F+QJLdh~2AP-qwdu@gE54=@oO&MJcFJSlh;&!(wHxtf5go9dnk;avAMI-b z(pKh{r}@SgowT&`v=V6o(!kmw5^dEM@P*I3eF4?deaVE@CP&-!U^Ze#a>b{*Wp~jmDNrE*o6yW~H`wBXuw zLlD_r^_cLFXcV?+6hTdRh)7wT`fHTBtYkzwJ{fzYIL)?%s~x1!zYBKLRy2zbmwi_v zVk;sF+JhB5ai+6cFtAs7f;k=@#(6WH38A#)5kwS)u;7*O(xwAtBtONPZnbXsMdK}ZWH61fyOAV0dFK%;gA z_J-P=;Q{g9Zkq=pJ*1a;a>j#m+#yZ$NZaD2FszafxHM-im9yk=4AR19Q*o8PeUQmqM-{2x4m-rHsRYRJ$0` zDm@b7Zz02$0nQFID8J|a$QK20Y=95MGUXW2G2K0ncU%3e7JVaYgwe?7wde4&^cI|K zU8|}dI?cWWC#xT>B8Jn3m**9j3^i-4>(YD$cPATyK8h}Y$?w?{|2f6EH0=Mer<`=MJ5+n`| zg=d4upoPT^&Ry2=0oO0mQK&+BT9<~r8RZ}Fj{1z|i@J_j&<}B-^FM~p$1Y%1WBvJ< z^0rL&4K+{ZZD(I)y)kNaUCt>Svq)hJALS!P+mAxiz8e)~*#-M2d5CB4UY!vpfx1h8 z-ONd4h8rE8u+avza=|&zN$~xw1kM6jnbVD#CU)q6&B>C8Jc;0#7kn2U#V}URombW_ zsXyNc@i|1xe=;`UhOkTjbhrd|FDK#tXCAD<%2Xnt%wil3`RJR`wwP}_)T%`1B5t3< zVA3^m4xCH2JzM$}-taXDMiTj600cgXqv3l>H^`O1$D_f84}N(h+EpzL#RM`_UKWcX z%XWk7?RZ^`Ex~$Ok-L&wl>xsK7_f;KOhr#M~Er zg8h3u&)2uZ(h=~wq&G8PdfEMnCsdAfy#KzMn0xJP+WxOs(O}YHFnNQ5E-)BoojmLB zHy^gE7=Pa5H?}$h0b<#eo~@Ki#r&ZMfV*vmX$;@#?HKa&u0h6l`Lw(hb>#C1Li8xN z`ymHfpePKzW95*c>y_<;S1w>ltMgstH#0@Mq>$P%;j3a~3~BU?KGkYFX*`JJ034$VOCBFI@6*s=&4tCYK zAo;=PXJtu9<2X~YC$o=Zcj*0Kox4i8+ELa!6~~4$F9tuezy`WhME&=kPZF-TlxPf2y$)5Pt-uoPtAQdMg!-HVX$R z{DogRu0M2*%7thdc6fgJp)koB_2~zMp@ePNLd(Sj>$%V)Cm&(RbiYiWN=O1aODY5> znJvBxy8lF7a29aLEtK=E6bM$Z*0SB*)(9ODTr z)i6eFq3|0(`!fXMfMJ(}AvgP>7T9D{$4_TD&v}kCO!G*OpK#a|4D0)v34F&7`jb5c zry-lb%SWDy3U{;);nv&jz}}4P3uub{IJDg=$dkg(=-m#bisyV3d zoiA=ro5E-?9f!;r{ylKTPWIuLgWu;x(7h1n2%s}Dec;sN#Yxq^oQlidULhT4V&5wc zYtVae=Gi`J`1u4eQ5W`n?EUI5*wZ$=?qOQN%VcZD^p3ts{&5O*W$r!rHri@S=)~o+ zU+tH-ZU1ReW8hal0=Y;?5B7V#s?YY30?`R3WbhU#Y2`^=>PqM0_yJ@^3ixtO&7ct} zg9+G|CkZ5A)1NpJ4UrQVp_tsAA^J=ikOPbwi46Mk>In^u#zkbGb;(Zv*$T;cXYeu@ za2$)X4lYg<23Ghv2<~4UH9$5x5(h|29+<1HkRBEW4B0>iBKm2&D^BQ2hY7KdnKt?v z@@2fyv>3)yoIjcxAFaxWpdh9g5>Xt+=ZnGl_n_IF&VzHD5-Z%U?+>XcH~Z4F&pYQM z;&&qZs)2=EtEbKPmmGEBBSHDJm|6AQT`lG>1zC$MkWPtagekcbCfVVk;U}UKhYKuO zH*GO`En0%#_jYA5)uPR|D1&vF#RG~wtY`}3KD8N6hY-z9@yyXMZw1xMw?i#6;v)vV zYBShsTTOmmNcPB)jv#!->Dr;-p&tyG{Ozmd7n*nVSiQiZs6vqGX_E64O2>ZXQ0|D_ zeLHNrL;a)b92?A8g%_N8+%Y6P1=`r{&70d~`X@R+w3=?mjzl@M4lI}FNpLJ7Z6(91 zljr#TW2yGSC9%f@X|FpzYTei0;1C5<2IBs5qwij)P+ka-pNKD82Doz;RSs+r^g zRV^SGbnYpf^f@Wg-Uov`VUuAm-0jL8=cYL2gUIbO*i|IEjmY;nZczl^lXf}Ka;ZD= z-R-zhzg^Y&GxtN-mpweox#gg^0XwntW480+B)ziJ<|E%X>+rS%Hf}z6{ag7_HUt?? zh=N9(#odF_P)L3K`Z5wF`RZo5%Wgx7i7-#ynH=SJU-JC!1rW$Ih0CYF6Y2u!d%i_9 z8u7<*jGaPD>g&*S8{tTsnpr~b1Si6j*EimA-;j-HBi4;4g2A}c%dn87VdUuP%X$}b z&H<|t-D3I!hu+q<3-zoYoJ}4b>N5{;zIX2dJg6TY^jiDuHfB82OTt`M$&vlmqCLWf zb%#2@emyW)HGly0e)8E<;IL@m_12wF?)e5#<}|au4luIXS{qw0X3-Y8^|g%Klle{mkX^k+7o8wX8QQ1)xz_S_L306TpHx_8pcA6#95 z(2TY>CJ;n0FbA~lgg`KUJ%*XiYo*-y#)$Almf^^u4oJ>CXdZibMenHV8%^3RNAL$a zAW1t5`Sh97dPI^LhkQfaChhyV2El-^paWra+6xXu8HTJBRWy;_A-L`bBj(6yXKO_c%Ocpe|1iyal%<7AMp3Ul41&3=M-Sv%gYDc!Y#3El+kT$+F^^u-*s4 zl>kg03Dh6YJ+lt3e3{GN*dlkkB)pd|1OQssdB1n+_Rh%r7lYH}{O&Q7UY}6w7!_Hm z-@TqxMH6o!?OCxfThwT4o~)+`E2oZ^-+mQRZwEWLt}1f81$dysr|g?D9|{%=DESm& zbT%(z$RdZ&A6yRSWt!8&hwt@FS$NRn|K{Ge6B{7d^&&t%D?h=h8yxVlewB_JBzg<= zsE^l7Sdw*FKxn_Br0IyN5XhkI-hJ0@xa)AqY2e516o9f`9!%N9(uPQRv{qnJ0uMVyGFik|mgX65Q?#YDsml(k6}2p^6eli(uyfX$;NYz4sF25Lk6GJxfQ;+P94?O}~bMUw+U?E$0_Q zu1K=sj-oU1KNJvjNp|e4SoVt*yN~7R#?!bx}+#i9$tLQ1r;zfscNt>IK zn?UJhxc!_pFkFaHPZaNwh6D%fm-dyTKJa3Q&CbkWBVODH8$o8 zjDcgVe?Y$}x2g`#nC3-T^&c)x$nQ|WSAVZv`MIijVuU8U@$YOM$9LvgsA|?0-lP}I=-oHg) z1no9vpt~>y@bAvhfJ-~ zaHGm^u|ASn)GxlT;vn334iP+<*7%q+25?gr=^m|Da2bfPga08&Ox-S7>Vw4Rh(c2A z&Y-$z`063NeEkGaj2}9AhoaLlWbw`5QW;myl#2QfeqQN$jZK1_R{pmJ*_G#^=}t?Bt(7`+6loc_Z?t7? z5J`$iK8}(Gq_Ysb$q6W0qsUegofAgD?$2(EL*{kDjN1FlR0lmX)RTT@t9}~aVmTH%&j=1$I#=>fNjfHJXqDnve=A~t;jNW;0n zY#f)PG6hL4MsPPOLxDMa(t)47IlawsskmZ~Hv?2+$fDj;$-W zEaXqS1sW|aUx9#d->QvWy*O~v+!dyY4@CHuL)~$dO@O+6>v%_nW1p&uRl-&PpLVhC zjvWy{_g>+r11**W$YpMJXEy-&rq^b*bVZU1Zf03mH7b^_P%iz-griw*KM$q+aIk=g zZ3meQ_WA2aN4l9Z%mzB(pxb=3_q1``8_FtukmSDC)x18(zP{^Fcf%3Of)8Cov5-R^2O7t&>)ZQR+TEL_a$|2| zo;xde7*AWrv~SJZuk&U{%@w~r#NJos5DkiUL<*n_0$u^E90ENG!HAKtg?wV30Gm9l zI@M*MMXC;Lh?AVoLfx*iO$O$~J%W*hnL-*PEi; zvkC7mOkSB&w<~jf+(OHxaS4JYo)0d=ziL^iz)VL zipiIpz6dgS^NnQ^=B`X_0CGpdN^{Q_`_C=wO(PspGA%cMK#Uw#&+Rl|9Crpo_DFzA zUg!2F#grtEA#Cuhy@UsvFc-a-tB;}14VTyIy!Tb{w0d$gf+*DowQrAWxjY|l;hP#u zsR7ux(DRZWWa#9?fQh6B5FdC}pBsivP@LBZ=~A}z83`cHTaq*!tG1o0WG>>Sz@hcw8tO{TuqXqP2-itT!z&-6AL5mGNEj@IN19qL4> z6Otl`^>k<@CzySv>;f=t`H@c7Xf%Z3p{f+Vz}-+OcW^|&5W9RlG8Ba`{mj9g_R+2V z#aKiQKuEM9JKV3?E(pSC8NzI9ft*r0e1io}?>f>ike?l!J_n%fxld5-eFzSv{-?9_ zM_2)^0mysv-ppC8yewc{`p3_hILP`Q6<`uA&`UB~Y1dvFMJFe#z)*^FIh;U46KN=2 zXm;sb6z47Exm^H5SypE83+Y8jFH5w?bqYJ(Gwln)>B&zFk!un>9Y2=?|6}rVt&rlu z39h4aqdv#7ujI}*uC_oTTst?yZglb%4(An+m&mF3b+T=j1Jbd5si1ojN^{Wt(au}u zu8#@=am)tzlniRoJ{SnLav*fmW>;e79{mUqF1MqUxS7~T$YhN@y%VD3J~VSOL|?Ne z!6)cjIqf-3>Hq8rQmCF`5BjD+cbX?b4IY#cD`*e2m5!Sxj1#Hv3 zin5C{W39DgUOo_IH4g7Peoq%+prCsT)74fj>f(USX2A0%I2~;xU$RH*&$g|z>bnru z$Ry+kBfp?yi8@%=;Jm^*eZ=$-BVSeaLab3B4@0 zU};Cq##+z(TY|jayEKJK&wq&_BzLT@mPRgy$6QWxA@?)8h#&&>a(0|8x)T`iEprgE zBx1GUi90ZCTQXcKoS%p3W#*P4WDO7ZUBk-M6QD+z>8rsd?a3M9VjM2=-qvSeo`48; zdhUHaz}|G}bhl8Lb^Lyn?+Gir#LF}-5?OG<0i6fBDC8{h;VlDTr%k_8qBm{`E3 zsY%~aoDFXvKwDBvxMprQLgS~@qhH1@1GPD!gU7 z zKRlv8)uyKuJ<|L{cE7kNX^5tf?>5g<$u3VtXX%#6Ye4p>-=WvfeM4aNl8nP`a-yYvuwiFyE@Q*b+AkLI}l zFnuDc1TWeOokNy+W>0Nff^_j}Ugr~Ht6qk4&CHu`*WLMr13mUoJw!P``+4TGKfXb~d z_WuGW>X-k?4XtH+n`HKURH4(;tPzuc*1~aGBM&={+U0IJ1rFUMnh@0VBF_LX|G4_K z$P-zk{Z=DbFeVNe<1GqjHzBqvprTH2!~vyNv@dU{eu2~Qp^eLeOsHXg`scYYV9Oq9 zAO~CW-Wju>2F6lO?$T#7j-?T3v*kV5bT|o)@>l&(>?ydyoNOZwio(xEi38O&(Vn{q zBly9#PZ9ocnWdpV$#rgOP{j7fWlhxIiEBEdx**HF^EKJqj{H8Wy4D4tmgi=(^HFqR z=0)1lMNuICK0VrVtX41CU5rYWS({8sJT4AdH{NIoxx?e_bJ{I0)miS1d*1Rmr$ye@ zDadHi8F`Hu(e|g&g?Np%;3Y~k1>dRAd6g7G;*B`eHUQih8(G``f^Cx8bD!3;R8_p+@5 zp+_7X47B`a>IUFGkvi!Pq)I7D_DVHIm2RcpTiB(Fcl)0G`emk*2+cN%C?=2}RzFty02em=3;T_hN7vea>VVR_4Ce`&PDe~tF(Si#08r+-3bmC%kZ1&*tc~3;=5UupXQhBLm z!o=~f$%A!yHIS+9zn$NOmJ33$CgN+U)MGHISHetIitgoJeq}C~jgiFwWnfE^6V%TG zwC#O~3ku}_V^L11MaLyi*9vH80i$V&>m*Wn@W?Id287{&AJS_9$Z69lB+ z0iwD)V{#I4aNsRoaHXM3%InD!7$581@CQ^>n?e>Iv_@HuF5OEDbvBSd)GeIk0#-Uw zJE!UN_Ro||I-V+@{eE$Z^3n%j3l6+yLVX}6b`w9^qil=+z~htqsITCME1|i*|7?3& z^(*-;iuUoxK{sxVrO=GJ)PagdryU@Zz~3t`c^JI`>RgHXMe~p#sAwhYP)Hw4neYne zu8(e}w?*lJv2Biiu`99rZaCWHI-)DTpza=!#ReUlitU3tfW|l5mAI##GzOp?L1yej!AGgoh~7 zLcM}31WnvN+b1zc5U2eFAjqPmohrzLi{spqEb0JwTqN%7T4O*NQ}{k+u1db+SA{9O zsuQa4i#V4uROcX0=fydg15R_{G|jdswQbb8hAB-{NMi`GJY*T4`bPop7hY}xV|%nW zt{82zZvn8Gt;3|FePWInP#Y^rux^!{FPq+^ecU!<%SKoy+ATmlh=(S|P_qbyNItMW5Gxm+no+A4 zh`{o15#PE(+1+h8C%Yr_m6Dbe?c&ciCgjb)IO`l=P>q*mX6iA3r;LzW*vk7I~u33(y0+HE1j z)S2LkkZ|HqbbggMOt`RFUy?Es>;hz^>IEgODepc5?P9X~z%`Sxr*eg2M2S_8KS8a5 z*!07)88oDu1@FMKj(8tEOIh!CSjb@)YWoy&+*M!3R{S9y>>Mrtz* zA;ea@reKL+R;)VYXGwi`jsGk_P9UoojQRyg5rHAz{=pqcMro+x+g(<3ysocCzI9I*@6^aK}D%aUG(t@-Hzv>QrS2? zjm^&tjv&>-49k8D?s7va7%Gc;u16iPb35N87)rSUgOq@4kt9C?$33Etmh4Cw9o`C- zE@P07;`K^L5&*pht^;se7HfkJC{YgP6t?h}%NOepBLgF{ZQ`G*(4-)n0f)%;tS|{_ z4yby8G=ZV+f*qiiHFD&~lq9s9C=>U0R_>py-1U>MkK9B>Fi26s5W5r2FH~xqwmHrnioHa+DFeh} zp&rH+DjgvCBU6m#4#gWVJQk6+cJO`8t8jY_J7biGJ0>Rj3>v!;%?h~xkh|S8_36|E zdS+leh+bCe6G)3=?+G(SzH|g=f!=kahz%@s*SQYxAonz9e|%daI_GBoZr!>={wI$f zI_FFgZ(gKMPG3O=Hu@$8+|KO&U-UOzM1@f^nk_0FK$JzP+kzucfU^bPxeD@dEH=Xp z{-KE{0W>(y8H>!^9oeuasA-QaKM|W%VQi&q^iwgT)fGj7U`@d5(Sq@3Vc^~9z$ zszEi70@kt-StV=D3)njQL{1`^nsbDe_M9CPqX^hV{DEIzK6tKXAqJZo8pk}!-5*7n&$8ZtIjuB z#PUjhMv+HUORE5Bra|7vArybX9OYS!rM#}RX#A2lWkZ_y2h&#BJo6uKPH!i^+i?`g zFfbo?2nq&S!=xy`5e9C1{YP>U=a*&q2Q~T^V3v4pQkc?+(zP488})=YopPp3oDMcf z<>pmZ%0@eqh{4j};{yNaKxB>fL-eD3Owlew8P~;Ppw2ie$wC`ac>Q0DP59?LyUxcO z3xHU3&HmKxf+xNGPynePgCsMLya4PA1jRzW9IB;6IOA{>v9O}i8Zn$$Y;*)BnO0-+ zg_rPGNN^yhrz^*`o<}dVnb8Ab`XH@)V1!AUk`%Mnb^6kcUs>Rg!$G)Wpnm%^LMnzR z;E!t5iV>7d$a_@!t+||kDJ8ra#?^lar7t%O!#2AwG5Z*1%KZrm_csVjw9nMT+WY_ryW$JU_pM1Ht_NheERD z1)D2lsagaW_``3$@rcIH6ovxDrAg+ut@@dB)$Gt52mK7HEk)tpUJA9v7XK0aH-Ij7 zSe@i<-j?Kqj_78RpLx|n&8>Dsjo!pleVA%mm_g`|>2W=$YRSVtI~@+STYQ0!v3!c0u|CMt$zmivKl8%S}U-mWuu6>vHhNuLjXT zIDm4{G$?02p=5rC0*zuP&_?tQ_#!L<+sTS}Kw(kKv$e*RqB;sY!Ls|+0m`t25$hhv*tjT<<#*vMuBh>X1QR5MJ41h?!EnJlo*^FG43_$1GbQXr7jP$#k369#Z zn;)fAok*_%<_8yz7JxZ#xrp|I&YB68fw?HdY|4TvsUgrDpS!blGt*^?j2=d$i1#hj z$OA|JLE+<4w+0U<0D}?{7n_mdQpXbk5?%r84Ei~4O!+yPDr~30v%7cEnW`ZRx{Zzoi@ z|Kz1lR7v?S9y?i?0xT0mg+>Gdo;VNVe4i+-A>%fRQ~jS*3uw(_*x-@SRS4vfk0=&# zcoBJG3wR>9O=4~nU%}%PnIK)!q`c?vdL(2q>X5+)V8ll^W|sV+Sr>-Fl-CP)c;kX3 z>wQWJO_t|PsXiPbdK1W=0%3xM@}R&tzyOD##$p->8rMWX93eH~cxt;&?t(QcyqQTZ zyNV_T?-&J1aOv%)dJTA0goZ8ydj>H7_Mk~(0wguAQc}afVr+47IuabE`h}`UfxQ9# znVGCL_0TlZ?P*Q!0MCixy;AyB{f*$#jGc#D7{X@(R{)*#sMRd+A?20O1`eX9Cx^dF zQb({0DPhR_xq~g`?is87;uXbo!k`06wj%Y%vcYe#w|6w1cxcQ-U8Cq?n5n?VR2k|_ zNeGez;YEP(dcOQ8Zi9zzVR53!1CPA0&#iLiBzI2WrM7gNkoZ!09&P$7Dsgj^}+{dygKOk zDM^X;3oAc>Yf(0R=u-CDZxJU+{QMDWS54?V3t>lq!E6AK9kPI;NauLq)p0xrhJ3OF zDIBQB9=2%Ik5p*Wq8y=hq!Vz4cETmn)PcxAdP9qHPI#pnw6$XMANmD9zz0DO137o2 z?|k$Q>aztkwr&}XP&N(k|9S`3OSFt1I@qEma3KNsoCgq2_AW-1H{W=fF^O~#_+`76 z)voHymo3~DQO##;h6F46cAyj(_nh;mpza(A?@x?R)8H6#<`OIiS8b!H)?}T{zs9K!zG$1xZjU$lJ-GLX4%v8yY&r>=GRDnpe zvah#Ne6YQ}EhV!{?hTIOEw0C00|9+~S{d1PFoP`g02V+M$!c7c0SX7lK4+<V2W^2m|K1Mj{v^ zfc_UidnUY9NM-&rvz8vMc`hup zjDF!+rWH^rOY8U@XV_Ps6m)qHMuCGiB&SuOdq6ux{-FC{1|+%4Q{)p#(yPrq$;>4M>B{14%!@LOQ>9FG~VHSa)zuJE2ELZJfIqAk1Xng6@drGzx1H zekgq$7+qT#JdvLZPbw2bICsmAvu(Qby<@}qgPa~({)&E7oDu)gPE;O(^r<99ZTJECjV<|NCNPSLP;U?Avpbpzz^TY(qh%ah zo-S660=@RoqTL|PkqpSn^(#rpiJ=VRFE%F{RU@63^+)dnTwTKAB9zDTST!N0>2wRXQ6vR=ElmR?(>P^~O51(Q@(=%!C0RUz{^X-|G;ldOn?%U=0oMs5D@AVRmdvoGFfR=oCDCZSkRTo;@v#hI|H zchw<9u{)&~h|1r=?@tfOXX1W04g&0TJviYZsjKJf9vIdWJx-7zqk6{< z%x_0;ebTb~=T&d^W+>7*+zEM#>r>%g@|F7Hlo$ene^8ajG_kyE0$fUGXO}u^-j)XW zwCb#dC5=84_Z2}sGmZsEa+P7QJlldExeCBiTFV4zzyiv&nnUhW6f~Vs9N{ctTutdn zkFs8!e(ky7Ry;O!yULi>vRDk$40Xj`O|`90^qBdnAT#U=0{r4#?oyo6-^Yit1kelA z5_*9O?_N8hR6Rk_I}Cw~Z5}Qc(W> zd@LA-P^WlmEyMHIAjVF@`UF|n|KC9J=~$DD^cf>cb>x2*h@^r0N{rHrRi!Xi{xkL* z0en$zDr3!GZ&-u#-Odoa7rQR%Q=3-){rSHwLYx0@i_jVPe{hN#!h1rLJXZSCd6xex zmn1n-`|6VYWRz99hcX;eGmh+_rC&;(tIhcyV{5d8-|{$uU0H7T99j7_++$4(N?^#y z6}N3_#-o|y?i0{GsjJ!q8Td2w0wbRgXk>Jf4z$m6?=1cT%2kvndTtvb2~-5&i<~$AuP206F)G|-s2?rBO0-NH|C;^J z7YN=pJhtn%i5imDuRJ2l`}}?^MU@cu;*02@ihv;`p*d_ zieDR-NycQ!7i|i4^p67h`_by&sE+%O0wLX4zwNJ4Rq}8e=Kih42!B6XdaZci_s&() z{5>i;&+Bf}|5eg|KlgDXo86`kz_)W8(kW z;s2jI9xDso0a2a{!^)oj@h}M;>K(I6p3uFJq($(ySdRG3-u&a~;rH?4i_|_e3jD`y zrTBXn*KdoTc3fj`|K$P}c->@>O1u(6C9ePdzN_G?*0uNl{U_>+SRsTiex{FZJNWO1 z(QJX_i=KaOO8y^5@)S7stQHQG@}~b8ER5pcME>o_-(vJnwEmruzqQIgt@U3Gi&Xi) zGxG0@{5vC*75L|(tQ8*or6vCPTK~M?zr=y*|C=+?;rW*Qw)l}Y9cCT;ck-C}(fGrc GZv9`RA2Y%L literal 0 HcmV?d00001 diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-2xlarge.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-2xlarge.yaml new file mode 100644 index 000000000..9fdf63e54 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-2xlarge.yaml @@ -0,0 +1,182 @@ +############################################################################################## +# The 2xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +############################################################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 6 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "4" + memory: 20Gi + limits: + # cpu: "20" + memory: 24Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=200 + -Dartifactory.async.poolMaxQueueSize=100000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=200 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + tomcat: + connector: + maxThreads: 800 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 200 + +access: + tomcat: + connector: + maxThreads: 200 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 200 + resources: + requests: + cpu: 1 + memory: 2Gi + limits: + # cpu: 2 + memory: 4Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: "2" + memory: 2Gi + limits: + # cpu: "12" + memory: 4Gi + +frontend: + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 1Gi + +metadata: + database: + maxOpenConnections: 200 + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 2Gi + +event: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +observability: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +jfconnect: + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + # cpu: "1" + memory: 250Mi + +topology: + resources: + requests: + cpu: 100m + memory: 1000Mi + limits: + memory: 1500Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" +onemodel: + resources: + requests: + cpu: 225m + memory: 180Mi + limits: + # cpu: "1" + memory: 250Mi + +nginx: + replicaCount: 3 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "6Gi" + limits: + # cpu: "14" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "5000" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 256Gi + cpu: "64" + limits: + memory: 256Gi + # cpu: "128" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-large.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-large.yaml new file mode 100644 index 000000000..ee7a1146f --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-large.yaml @@ -0,0 +1,184 @@ +############################################################################################## +# The large sizing +# This size is intended for large organizations. It can be increased with adding replicas or moving to the xlarge sizing +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +############################################################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 3 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 10Gi + limits: + # cpu: "14" + memory: 12Gi + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=80 + -Dartifactory.async.poolMaxQueueSize=20000 + -Dartifactory.http.client.max.total.connections=100 + -Dartifactory.http.client.max.connections.per.route=100 + -Dartifactory.access.client.max.connections=125 + -Dartifactory.metadata.event.operator.threads=4 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=524288 + -XX:MaxDirectMemorySize=512m + tomcat: + connector: + maxThreads: 500 + extraConfig: 'acceptCount="800" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 100 + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + tomcat: + connector: + maxThreads: 125 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 100 + resources: + requests: + cpu: 1 + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + + +router: + resources: + requests: + cpu: 400m + memory: 800Mi + limits: + # cpu: "8" + memory: 2Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + database: + maxOpenConnections: 100 + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +onemodel: + resources: + requests: + cpu: 200m + memory: 160Mi + limits: + # cpu: "1" + memory: 250Mi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +topology: + resources: + requests: + cpu: 100m + memory: 1000Mi + limits: + memory: 1500Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "1" + memory: "500Mi" + limits: + # cpu: "4" + memory: "1Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "600" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 64Gi + cpu: "16" + limits: + memory: 64Gi + # cpu: "32" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-medium.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-medium.yaml new file mode 100644 index 000000000..686ac9260 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-medium.yaml @@ -0,0 +1,183 @@ +############################################################################################## +# The medium sizing +# This size is just 2 replicas of the small size. Vertical sizing of all services is not changed +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +############################################################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 2 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + tomcat: + connector: + maxThreads: 75 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 50 + resources: + requests: + cpu: 500m + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 200m + memory: 500Mi + limits: + # cpu: "2" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + database: + maxOpenConnections: 50 + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +onemodel: + resources: + requests: + cpu: 175m + memory: 140Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +topology: + resources: + requests: + cpu: 100m + memory: 600Mi + limits: + memory: 900Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "200" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 32Gi + cpu: "8" + limits: + memory: 32Gi + # cpu: "16" \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-small.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-small.yaml new file mode 100644 index 000000000..6d681f602 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-small.yaml @@ -0,0 +1,183 @@ +############################################################################################## +# The small sizing +# This is the size recommended for running Artifactory for small teams +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +############################################################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + tomcat: + connector: + maxThreads: 75 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 50 + resources: + requests: + cpu: 500m + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 200m + memory: 500Mi + limits: + # cpu: "2" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + database: + maxOpenConnections: 50 + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +onemodel: + resources: + requests: + cpu: 125m + memory: 120Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +topology: + resources: + requests: + cpu: 50m + memory: 600Mi + limits: + memory: 900Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "100" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 16Gi + cpu: "4" + limits: + memory: 16Gi + # cpu: "10" \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-xlarge.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-xlarge.yaml new file mode 100644 index 000000000..7fd2601e2 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-xlarge.yaml @@ -0,0 +1,184 @@ +############################################################################################## +# The xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +############################################################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 4 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 14Gi + limits: + # cpu: "14" + memory: 16Gi + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=160 + -Dartifactory.async.poolMaxQueueSize=50000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=150 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + tomcat: + connector: + maxThreads: 600 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 150 + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + tomcat: + connector: + maxThreads: 150 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 150 + resources: + requests: + cpu: 500m + memory: 2Gi + limits: + # cpu: 1 + memory: 3Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + + +router: + resources: + requests: + cpu: 400m + memory: 1Gi + limits: + # cpu: "8" + memory: 2Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + database: + maxOpenConnections: 150 + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +onemodel: + resources: + requests: + cpu: 250m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +topology: + resources: + requests: + cpu: 100m + memory: 1000Mi + limits: + memory: 1500Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "4Gi" + limits: + # cpu: "12" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "2000" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 128Gi + cpu: "32" + limits: + memory: 128Gi + # cpu: "64" \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-xsmall.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-xsmall.yaml new file mode 100644 index 000000000..640c06da6 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/sizing/artifactory-xsmall.yaml @@ -0,0 +1,185 @@ +############################################################################################## +# The xsmall sizing +# This is the minimum size recommended for running Artifactory +# [WARNING] Some of the configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +############################################################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 3Gi + limits: + # cpu: "10" + memory: 4Gi + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=10 + -Dartifactory.async.poolMaxQueueSize=2000 + -Dartifactory.http.client.max.total.connections=20 + -Dartifactory.http.client.max.connections.per.route=20 + -Dartifactory.access.client.max.connections=15 + -Dartifactory.metadata.event.operator.threads=2 + -XX:MaxMetaspaceSize=400m + -XX:CompressedClassSpaceSize=96m + -Djdk.nio.maxCachedBufferSize=131072 + -XX:MaxDirectMemorySize=128m + tomcat: + connector: + maxThreads: 50 + extraConfig: 'acceptCount="200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 15 + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + tomcat: + connector: + maxThreads: 15 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 15 + resources: + requests: + cpu: 500m + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 50m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + database: + maxOpenConnections: 15 + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +onemodel: + resources: + requests: + cpu: 125m + memory: 100Mi + limits: + # cpu: "2" + memory: 500Mi + +observability: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +topology: + resources: + requests: + cpu: 50m + memory: 500Mi + limits: + memory: 800Mi + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + # cpu: "1" + memory: "250Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "50" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 8Gi + cpu: "2" + limits: + memory: 8Gi + # cpu: "8" + diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/NOTES.txt b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/NOTES.txt new file mode 100644 index 000000000..8ebf821a9 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/NOTES.txt @@ -0,0 +1,106 @@ +Congratulations. You have just deployed JFrog Artifactory! +{{- if .Values.artifactory.masterKey }} +{{- if and (not .Values.artifactory.masterKeySecretName) (eq .Values.artifactory.masterKey "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF") }} + + +***************************************** WARNING ****************************************** +* Your Artifactory master key is still set to the provided example: * +* artifactory.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF * +* * +* You should change this to your own generated key: * +* $ export MASTER_KEY=$(openssl rand -hex 32) * +* $ echo ${MASTER_KEY} * +* * +* Pass the created master key to helm with '--set artifactory.masterKey=${MASTER_KEY}' * +* * +* Alternatively, you can use a pre-existing secret with a key called master-key with * +* '--set artifactory.masterKeySecretName=${SECRET_NAME}' * +******************************************************************************************** +{{- end }} +{{- end }} + +{{- if .Values.artifactory.joinKey }} +{{- if eq .Values.artifactory.joinKey "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" }} + + +***************************************** WARNING ****************************************** +* Your Artifactory join key is still set to the provided example: * +* artifactory.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE * +* * +* You should change this to your own generated key: * +* $ export JOIN_KEY=$(openssl rand -hex 32) * +* $ echo ${JOIN_KEY} * +* * +* Pass the created master key to helm with '--set artifactory.joinKey=${JOIN_KEY}' * +* * +******************************************************************************************** +{{- end }} +{{- end }} + +{{- if .Values.artifactory.setSecurityContext }} +****************************************** WARNING ********************************************** +* From chart version 107.84.x, `setSecurityContext` has been renamed to `podSecurityContext`, * + please change your values.yaml before upgrade , For more Info , refer to 107.84.x changelog * +************************************************************************************************* +{{- end }} + +{{- if and (or (or (or (or (or ( or ( or ( or (or (or ( or (or .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName) .Values.systemYamlOverride.existingSecret) (or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled)) .Values.aws.licenseConfigSecretName) .Values.artifactory.persistence.customBinarystoreXmlSecret) .Values.access.customCertificatesSecretName) .Values.systemYamlOverride.existingSecret) .Values.artifactory.license.secret) .Values.artifactory.userPluginSecrets) (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey)) (and .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName)) (or .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName)) .Values.artifactory.unifiedSecretInstallation }} +****************************************** WARNING ************************************************************************************************** +* The unifiedSecretInstallation flag is currently enabled, which creates the unified secret. The existing secrets will continue as separate secrets.* +* Update the values.yaml with the existing secrets to add them to the unified secret. * +***************************************************************************************************************************************************** +{{- end }} + +1. Get the Artifactory URL by running these commands: + + {{- if .Values.ingress.enabled }} + {{- range .Values.ingress.hosts }} + http://{{ . }} + {{- end }} + + {{- else if contains "NodePort" .Values.nginx.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "artifactory.nginx.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT/ + + {{- else if contains "LoadBalancer" .Values.nginx.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of the service by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "artifactory.nginx.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory.nginx.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP/ + + {{- else if contains "ClusterIP" .Values.nginx.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "component={{ .Values.nginx.name }}" -o jsonpath="{.items[0].metadata.name}") + echo http://127.0.0.1:{{ .Values.nginx.externalPortHttp }} + kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME {{ .Values.nginx.externalPortHttp }}:{{ .Values.nginx.internalPortHttp }} + + {{- end }} + +2. Open Artifactory in your browser + Default credential for Artifactory: + user: admin + password: password + +{{ if .Values.artifactory.javaOpts.jmx.enabled }} +JMX configuration: +{{- if not (contains "LoadBalancer" .Values.artifactory.service.type) }} +If you want to access JMX from you computer with jconsole, you should set ".Values.artifactory.service.type=LoadBalancer" !!! +{{ end }} + +1. Get the Artifactory service IP: +export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + +2. Map the service name to the service IP in /etc/hosts: +sudo sh -c "echo \"${SERVICE_IP} {{ template "artifactory.fullname" . }}\" >> /etc/hosts" + +3. Launch jconsole: +jconsole {{ template "artifactory.fullname" . }}:{{ .Values.artifactory.javaOpts.jmx.port }} +{{- end }} + +{{- if and .Values.nginx.enabled .Values.ingress.hosts }} +***************************************** WARNING ***************************************************************************** +* when nginx is enabled , .Values.ingress.hosts will be deprecated in upcoming releases * +* It is recommended to use nginx.hosts instead ingress.hosts +******************************************************************************************************************************* +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/_helpers.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/_helpers.tpl new file mode 100644 index 000000000..f71be6eef --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/_helpers.tpl @@ -0,0 +1,638 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "artifactory.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name nginx service. +*/}} +{{- define "artifactory.nginx.name" -}} +{{- default .Chart.Name .Values.nginx.name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "artifactory.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified nginx name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "artifactory.nginx.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.nginx.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "artifactory.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} +{{ default (include "artifactory.fullname" .) .Values.serviceAccount.name }} +{{- else -}} +{{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "artifactory.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Generate SSL certificates +*/}} +{{- define "artifactory.gen-certs" -}} +{{- $altNames := list ( printf "%s.%s" (include "artifactory.fullname" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "artifactory.fullname" .) .Release.Namespace ) -}} +{{- $ca := genCA "artifactory-ca" 365 -}} +{{- $cert := genSignedCert ( include "artifactory.fullname" . ) nil $altNames 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Scheme (http/https) based on Access or Router TLS enabled/disabled +*/}} +{{- define "artifactory.scheme" -}} +{{- if or .Values.access.accessConfig.security.tls .Values.router.tlsEnabled -}} +{{- printf "%s" "https" -}} +{{- else -}} +{{- printf "%s" "http" -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve joinKey value +*/}} +{{- define "artifactory.joinKey" -}} +{{- if .Values.global.joinKey -}} +{{- .Values.global.joinKey -}} +{{- else if .Values.artifactory.joinKey -}} +{{- .Values.artifactory.joinKey -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve jfConnectToken value +*/}} +{{- define "artifactory.jfConnectToken" -}} +{{- .Values.artifactory.jfConnectToken -}} +{{- end -}} + +{{/* +Resolve masterKey value +*/}} +{{- define "artifactory.masterKey" -}} +{{- if .Values.global.masterKey -}} +{{- .Values.global.masterKey -}} +{{- else if .Values.artifactory.masterKey -}} +{{- .Values.artifactory.masterKey -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve joinKeySecretName value +*/}} +{{- define "artifactory.joinKeySecretName" -}} +{{- if .Values.global.joinKeySecretName -}} +{{- .Values.global.joinKeySecretName -}} +{{- else if .Values.artifactory.joinKeySecretName -}} +{{- .Values.artifactory.joinKeySecretName -}} +{{- else -}} +{{ include "artifactory.fullname" . }} +{{- end -}} +{{- end -}} + +{{/* +Resolve jfConnectTokenSecretName value +*/}} +{{- define "artifactory.jfConnectTokenSecretName" -}} +{{- if .Values.artifactory.jfConnectTokenSecretName -}} +{{- .Values.artifactory.jfConnectTokenSecretName -}} +{{- else -}} +{{ include "artifactory.fullname" . }} +{{- end -}} +{{- end -}} + +{{/* +Resolve masterKeySecretName value +*/}} +{{- define "artifactory.masterKeySecretName" -}} +{{- if .Values.global.masterKeySecretName -}} +{{- .Values.global.masterKeySecretName -}} +{{- else if .Values.artifactory.masterKeySecretName -}} +{{- .Values.artifactory.masterKeySecretName -}} +{{- else -}} +{{ include "artifactory.fullname" . }} +{{- end -}} +{{- end -}} + +{{/* +Resolve imagePullSecrets value +*/}} +{{- define "artifactory.imagePullSecrets" -}} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Resolve customInitContainersBegin value +*/}} +{{- define "artifactory.customInitContainersBegin" -}} +{{- if .Values.global.customInitContainersBegin -}} +{{- .Values.global.customInitContainersBegin -}} +{{- end -}} +{{- if .Values.artifactory.customInitContainersBegin -}} +{{- .Values.artifactory.customInitContainersBegin -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customInitContainers value +*/}} +{{- define "artifactory.customInitContainers" -}} +{{- if .Values.global.customInitContainers -}} +{{- .Values.global.customInitContainers -}} +{{- end -}} +{{- if .Values.artifactory.customInitContainers -}} +{{- .Values.artifactory.customInitContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumes value +*/}} +{{- define "artifactory.customVolumes" -}} +{{- if .Values.global.customVolumes -}} +{{- .Values.global.customVolumes -}} +{{- end -}} +{{- if .Values.artifactory.customVolumes -}} +{{- .Values.artifactory.customVolumes -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumeMounts value +*/}} +{{- define "artifactory.customVolumeMounts" -}} +{{- if .Values.global.customVolumeMounts -}} +{{- .Values.global.customVolumeMounts -}} +{{- end -}} +{{- if .Values.artifactory.customVolumeMounts -}} +{{- .Values.artifactory.customVolumeMounts -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customSidecarContainers value +*/}} +{{- define "artifactory.customSidecarContainers" -}} +{{- if .Values.global.customSidecarContainers -}} +{{- .Values.global.customSidecarContainers -}} +{{- end -}} +{{- if .Values.artifactory.customSidecarContainers -}} +{{- .Values.artifactory.customSidecarContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper artifactory chart image names +*/}} +{{- define "artifactory.getImageInfoByValue" -}} +{{- $dot := index . 0 }} +{{- $indexReference := index . 1 }} +{{- $registryName := index $dot.Values $indexReference "image" "registry" -}} +{{- $repositoryName := index $dot.Values $indexReference "image" "repository" -}} +{{- $tag := default $dot.Chart.AppVersion (index $dot.Values $indexReference "image" "tag") | toString -}} +{{- if $dot.Values.global }} + {{- if and $dot.Values.splitServicesToContainers $dot.Values.global.versions.router (eq $indexReference "router") }} + {{- $tag = $dot.Values.global.versions.router | toString -}} + {{- end -}} + {{- if and $dot.Values.global.versions.initContainers (eq $indexReference "initContainers") }} + {{- $tag = $dot.Values.global.versions.initContainers | toString -}} + {{- end -}} + {{- if and $dot.Values.global.versions.artifactory (or (eq $indexReference "artifactory") (eq $indexReference "nginx") ) }} + {{- $tag = $dot.Values.global.versions.artifactory | toString -}} + {{- end -}} + {{- if and $dot.Values.global.versions.rtfs (eq $indexReference "rtfs") }} + {{- $tag = $dot.Values.global.versions.rtfs | toString -}} + {{- end -}} + {{- if $dot.Values.global.imageRegistry }} + {{- printf "%s/%s:%s" $dot.Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper artifactory app version +*/}} +{{- define "artifactory.app.version" -}} +{{- $tag := (splitList ":" ((include "artifactory.getImageInfoByValue" (list . "artifactory" )))) | last | toString -}} +{{- printf "%s" $tag -}} +{{- end -}} + +{{/* +Custom certificate copy command +*/}} +{{- define "artifactory.copyCustomCerts" -}} +echo "Copy custom certificates to {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted"; +mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted; +for file in $(ls -1 /tmp/certs/* | grep -v .key | grep -v ":" | grep -v grep); do if [ -f "${file}" ]; then cp -v ${file} {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted; fi done; +if [ -f {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/tls.crt ]; then mv -v {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/tls.crt {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/ca.crt; fi; +{{- end -}} + +{{/* +Circle of trust certificates copy command +*/}} +{{- define "artifactory.copyCircleOfTrustCertsCerts" -}} +echo "Copy circle of trust certificates to {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted"; +mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; +for file in $(ls -1 /tmp/circleoftrustcerts/* | grep -v .key | grep -v ":" | grep -v grep); do if [ -f "${file}" ]; then cp -v ${file} {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; fi done; +{{- end -}} + +{{/* +Resolve requiredServiceTypes value +*/}} +{{- define "artifactory.router.requiredServiceTypes" -}} +{{- $requiredTypes := "jfrt,jfac" -}} +{{- if not .Values.access.enabled -}} + {{- $requiredTypes = "jfrt" -}} +{{- end -}} +{{- if .Values.observability.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfob" -}} +{{- end -}} +{{- if .Values.metadata.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfmd" -}} +{{- end -}} +{{- if .Values.event.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfevt" -}} +{{- end -}} +{{- if .Values.frontend.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jffe" -}} +{{- end -}} +{{- if .Values.jfconnect.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfcon" -}} +{{- end -}} +{{- if .Values.evidence.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfevd" -}} +{{- end -}} +{{- if .Values.topology.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jftpl" -}} +{{- end -}} +{{- if .Values.mc.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfmc" -}} +{{- end -}} +{{- if .Values.onemodel.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfomr" -}} +{{- end -}} +{{- $requiredTypes -}} +{{- end -}} + +{{/* +Check if the image is artifactory pro or not +*/}} +{{- define "artifactory.isImageProType" -}} +{{- if not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository) -}} +{{ true }} +{{- else -}} +{{ false }} +{{- end -}} +{{- end -}} + +{{/* +Check if the artifactory is using derby database +*/}} +{{- define "artifactory.isUsingDerby" -}} +{{- if and (eq (default "derby" .Values.database.type) "derby") (not .Values.postgresql.enabled) -}} +{{ true }} +{{- else -}} +{{ false }} +{{- end -}} +{{- end -}} + +{{/* +nginx scheme (http/https) +*/}} +{{- define "nginx.scheme" -}} +{{- if .Values.nginx.http.enabled -}} +{{- printf "%s" "http" -}} +{{- else -}} +{{- printf "%s" "https" -}} +{{- end -}} +{{- end -}} + +{{/* +nginx command +*/}} +{{- define "nginx.command" -}} +{{- if .Values.nginx.customCommand }} +{{ toYaml .Values.nginx.customCommand }} +{{- end }} +{{- end -}} + +{{/* +nginx port (8080/8443) based on http/https enabled +*/}} +{{- define "nginx.port" -}} +{{- if .Values.nginx.http.enabled -}} +{{- .Values.nginx.http.internalPort -}} +{{- else -}} +{{- .Values.nginx.https.internalPort -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customInitContainers value +*/}} +{{- define "artifactory.nginx.customInitContainers" -}} +{{- if .Values.nginx.customInitContainers -}} +{{- .Values.nginx.customInitContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumes value +*/}} +{{- define "artifactory.nginx.customVolumes" -}} +{{- if .Values.nginx.customVolumes -}} +{{- .Values.nginx.customVolumes -}} +{{- end -}} +{{- end -}} + + +{{/* +Resolve customVolumeMounts nginx value +*/}} +{{- define "artifactory.nginx.customVolumeMounts" -}} +{{- if .Values.nginx.customVolumeMounts -}} +{{- .Values.nginx.customVolumeMounts -}} +{{- end -}} +{{- end -}} + + +{{/* +Resolve customSidecarContainers value +*/}} +{{- define "artifactory.nginx.customSidecarContainers" -}} +{{- if .Values.nginx.customSidecarContainers -}} +{{- .Values.nginx.customSidecarContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve Artifactory pod node selector value +*/}} +{{- define "artifactory.nodeSelector" -}} +nodeSelector: +{{- if .Values.global.nodeSelector }} +{{ toYaml .Values.global.nodeSelector | indent 2 }} +{{- else if .Values.artifactory.nodeSelector }} +{{ toYaml .Values.artifactory.nodeSelector | indent 2 }} +{{- end -}} +{{- end -}} + +{{/* +Resolve Nginx pods node selector value +*/}} +{{- define "nginx.nodeSelector" -}} +nodeSelector: +{{- if .Values.global.nodeSelector }} +{{ toYaml .Values.global.nodeSelector | indent 2 }} +{{- else if .Values.nginx.nodeSelector }} +{{ toYaml .Values.nginx.nodeSelector | indent 2 }} +{{- end -}} +{{- end -}} + +{{/* +Resolve unifiedCustomSecretVolumeName value +*/}} +{{- define "artifactory.unifiedCustomSecretVolumeName" -}} +{{- printf "%s-%s" (include "artifactory.name" .) ("unified-secret-volume") | trunc 63 -}} +{{- end -}} + +{{/* +Check the Duplication of volume names for secrets. If unifiedSecretInstallation is enabled then the method is checking for volume names, +if the volume exists in customVolume then an extra volume with the same name will not be getting added in unifiedSecretInstallation case. +*/}} +{{- define "artifactory.checkDuplicateUnifiedCustomVolume" -}} +{{- if or .Values.global.customVolumes .Values.artifactory.customVolumes -}} +{{- $val := (tpl (include "artifactory.customVolumes" .) .) | toJson -}} +{{- contains (include "artifactory.unifiedCustomSecretVolumeName" .) $val | toString -}} +{{- else -}} +{{- printf "%s" "false" -}} +{{- end -}} +{{- end -}} + +{{/* +Calculate the systemYaml from structured and unstructured text input +*/}} +{{- define "artifactory.finalSystemYaml" -}} +{{ tpl (mergeOverwrite (include "artifactory.systemYaml" . | fromYaml) .Values.artifactory.extraSystemYaml | toYaml) . }} +{{- end -}} + +{{/* +Calculate the systemYaml from the unstructured text input +*/}} +{{- define "artifactory.systemYaml" -}} +{{ include (print $.Template.BasePath "/_system-yaml-render.tpl") . }} +{{- end -}} + +{{/* +Metrics enabled +*/}} +{{- define "metrics.enabled" -}} + metrics: + enabled: true +{{- end }} + +{{/* +Resolve unified secret prepend release name +*/}} +{{- define "artifactory.unifiedSecretPrependReleaseName" -}} +{{- if .Values.artifactory.unifiedSecretPrependReleaseName }} +{{- printf "%s" (include "artifactory.fullname" .) -}} +{{- else }} +{{- printf "%s" (include "artifactory.name" .) -}} +{{- end }} +{{- end }} + +{{/* +Resolve Service prepend release name +*/}} +{{- define "artifactory.servicePrependReleaseName" -}} +{{- if .Values.artifactory.servicePrependReleaseName }} +{{- printf "%s" (include "artifactory.fullname" .) -}} +{{- else }} +{{- printf "%s" (include "artifactory.name" .) -}} +{{- end }} +{{- end }} + +{{/* +Resolve artifactory metrics +*/}} +{{- define "artifactory.metrics" -}} +{{- if .Values.artifactory.openMetrics -}} +{{- if .Values.artifactory.openMetrics.enabled -}} +{{ include "metrics.enabled" . }} +{{- if .Values.artifactory.openMetrics.filebeat }} +{{- if .Values.artifactory.openMetrics.filebeat.enabled }} +{{ include "metrics.enabled" . }} + filebeat: +{{ tpl (.Values.artifactory.openMetrics.filebeat | toYaml) . | indent 6 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- else if .Values.artifactory.metrics -}} +{{- if .Values.artifactory.metrics.enabled -}} +{{ include "metrics.enabled" . }} +{{- if .Values.artifactory.metrics.filebeat }} +{{- if .Values.artifactory.metrics.filebeat.enabled }} +{{ include "metrics.enabled" . }} + filebeat: +{{ tpl (.Values.artifactory.metrics.filebeat | toYaml) . | indent 6 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve nginx hosts value +*/}} +{{- define "artifactory.nginx.hosts" -}} +{{- if .Values.ingress.hosts }} +{{- range .Values.ingress.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ . }} + {{- end -}} +{{- end -}} +{{- else if .Values.nginx.hosts }} +{{- range .Values.nginx.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ . }} + {{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified grpc ingress name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "artifactory.ingressGrpc.fullname" -}} +{{- printf "%s-%s" (include "artifactory.fullname" .) .Values.ingressGrpc.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified grpc service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "artifactory.serviceGrpc.fullname" -}} +{{- printf "%s-%s" (include "artifactory.fullname" .) .Values.artifactory.serviceGrpc.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "rtfs.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" (.Release.Name | trunc 63 | trimSuffix "-") .Values.rtfs.name -}} +{{- else -}} +{{- printf "%s-%s-%s" (.Release.Name | trunc 63 | trimSuffix "-") $name .Values.rtfs.name -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumes value +*/}} +{{- define "artifactory.rtfs.customVolumes" -}} +{{- if .Values.rtfs.customVolumes -}} +{{- .Values.rtfs.customVolumes -}} +{{- end -}} +{{- end -}} + +{{/* +Rtfs command +*/}} +{{- define "rtfs.command" -}} +{{- if .Values.rtfs.customCommand }} +{{ toYaml .Values.rtfs.customCommand }} +{{- end }} +{{- end -}} + +{{/* + Resolve jfrogUrl value +*/}} +{{- define "rtfs.jfrogUrl" -}} +{{- if .Values.global.jfrogUrl -}} +{{- .Values.global.jfrogUrl -}} +{{- else if .Values.rtfs.jfrogUrl -}} +{{- .Values.rtfs.jfrogUrl -}} +{{- else -}} +{{- printf "http://%s:8082" (include "artifactory.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumeMounts rtfs value +*/}} +{{- define "artifactory.rtfs.customVolumeMounts" -}} +{{- if .Values.rtfs.customVolumeMounts -}} +{{- .Values.rtfs.customVolumeMounts -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve RTFS customSidecarContainers value +*/}} +{{- define "artifactory.rtfs.customSidecarContainers" -}} +{{- if .Values.rtfs.customSidecarContainers -}} +{{- .Values.rtfs.customSidecarContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve RTFS customInitContainers value +*/}} +{{- define "artifactory.rtfs.customInitContainers" -}} +{{- if .Values.rtfs.customInitContainers -}} +{{- .Values.rtfs.customInitContainers -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/_system-yaml-render.tpl b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/_system-yaml-render.tpl new file mode 100644 index 000000000..deaa773ea --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/_system-yaml-render.tpl @@ -0,0 +1,5 @@ +{{- if .Values.artifactory.systemYaml -}} +{{- tpl .Values.artifactory.systemYaml . -}} +{{- else -}} +{{ (tpl ( $.Files.Get "files/system.yaml" ) .) }} +{{- end -}} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/additional-resources.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/additional-resources.yaml new file mode 100644 index 000000000..c4d06f08a --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/additional-resources.yaml @@ -0,0 +1,3 @@ +{{ if .Values.additionalResources }} +{{ tpl .Values.additionalResources . }} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/admin-bootstrap-creds.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/admin-bootstrap-creds.yaml new file mode 100644 index 000000000..eb2d613c6 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/admin-bootstrap-creds.yaml @@ -0,0 +1,15 @@ +{{- if not (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) }} +{{- if and .Values.artifactory.admin.password (not .Values.artifactory.unifiedSecretInstallation) }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "artifactory.fullname" . }}-bootstrap-creds + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + bootstrap.creds: {{ (printf "%s@%s=%s" .Values.artifactory.admin.username .Values.artifactory.admin.ip .Values.artifactory.admin.password) | b64enc }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-access-config.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-access-config.yaml new file mode 100644 index 000000000..4fcf85d94 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-access-config.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.access.accessConfig (not .Values.artifactory.unifiedSecretInstallation) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory.fullname" . }}-access-config + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +type: Opaque +stringData: + access.config.patch.yml: | +{{ tpl (toYaml .Values.access.accessConfig) . | indent 4 }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-binarystore-secret.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-binarystore-secret.yaml new file mode 100644 index 000000000..6b721dd4c --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-binarystore-secret.yaml @@ -0,0 +1,18 @@ +{{- if and (not .Values.artifactory.persistence.customBinarystoreXmlSecret) (not .Values.artifactory.unifiedSecretInstallation) }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "artifactory.fullname" . }}-binarystore + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +stringData: + binarystore.xml: |- +{{- if .Values.artifactory.persistence.binarystoreXml }} +{{ tpl .Values.artifactory.persistence.binarystoreXml . | indent 4 }} +{{- else }} +{{ tpl ( .Files.Get "files/binarystore.xml" ) . | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-configmaps.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-configmaps.yaml new file mode 100644 index 000000000..359fa07d2 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-configmaps.yaml @@ -0,0 +1,13 @@ +{{ if .Values.artifactory.configMaps }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory.fullname" . }}-configmaps + labels: + app: {{ template "artifactory.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: +{{ tpl .Values.artifactory.configMaps . | indent 2 }} +{{ end -}} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-custom-secrets.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-custom-secrets.yaml new file mode 100644 index 000000000..4b73e79fc --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-custom-secrets.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.artifactory.customSecrets (not .Values.artifactory.unifiedSecretInstallation) }} +{{- range .Values.artifactory.customSecrets }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory.fullname" $ }}-{{ .name }} + labels: + app: "{{ template "artifactory.name" $ }}" + chart: "{{ template "artifactory.chart" $ }}" + component: "{{ $.Values.artifactory.name }}" + heritage: {{ $.Release.Service | quote }} + release: {{ $.Release.Name | quote }} +type: Opaque +stringData: + {{ .key }}: | +{{ .data | indent 4 -}} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-database-secrets.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-database-secrets.yaml new file mode 100644 index 000000000..f98d422e9 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-database-secrets.yaml @@ -0,0 +1,24 @@ +{{- if and (not .Values.database.secrets) (not .Values.postgresql.enabled) (not .Values.artifactory.unifiedSecretInstallation) }} +{{- if or .Values.database.url .Values.database.user .Values.database.password }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory.fullname" . }}-database-creds + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +type: Opaque +data: + {{- with .Values.database.url }} + db-url: {{ tpl . $ | b64enc | quote }} + {{- end }} + {{- with .Values.database.user }} + db-user: {{ tpl . $ | b64enc | quote }} + {{- end }} + {{- with .Values.database.password }} + db-password: {{ tpl . $ | b64enc | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-gcp-credentials-secret.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-gcp-credentials-secret.yaml new file mode 100644 index 000000000..72dee6bb8 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-gcp-credentials-secret.yaml @@ -0,0 +1,16 @@ +{{- if not .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} +{{- if and (.Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled) (not .Values.artifactory.unifiedSecretInstallation) }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "artifactory.fullname" . }}-gcpcreds + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +stringData: + gcp.credentials.json: |- +{{ tpl .Values.artifactory.persistence.googleStorage.gcpServiceAccount.config . | indent 4 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-hpa.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-hpa.yaml new file mode 100644 index 000000000..01f8a9fb7 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-hpa.yaml @@ -0,0 +1,29 @@ +{{- if .Values.autoscaling.enabled }} + {{- if semverCompare ">=v1.23.0-0" .Capabilities.KubeVersion.Version }} +apiVersion: autoscaling/v2 + {{- else }} +apiVersion: autoscaling/v2beta2 + {{- end }} +kind: HorizontalPodAutoscaler +metadata: + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "artifactory.fullname" . }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ template "artifactory.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-installer-info.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-installer-info.yaml new file mode 100644 index 000000000..cfb95b67d --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-installer-info.yaml @@ -0,0 +1,16 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "artifactory.fullname" . }}-installer-info + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + installer-info.json: | +{{- if .Values.installerInfo -}} +{{- tpl .Values.installerInfo . | nindent 4 -}} +{{- else -}} +{{ (tpl ( .Files.Get "files/installer-info.json" | nindent 4 ) .) }} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-license-secret.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-license-secret.yaml new file mode 100644 index 000000000..dda734033 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-license-secret.yaml @@ -0,0 +1,16 @@ +{{ if and (not .Values.artifactory.unifiedSecretInstallation) (not .Values.artifactory.license.secret) }} +{{- with .Values.artifactory.license.licenseKey }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory.fullname" $ }}-license + labels: + app: {{ template "artifactory.name" $ }} + chart: {{ template "artifactory.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} +type: Opaque +data: + artifactory.lic: {{ . | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-migration-scripts.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-migration-scripts.yaml new file mode 100644 index 000000000..4b1ba4027 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-migration-scripts.yaml @@ -0,0 +1,18 @@ +{{- if .Values.artifactory.migration.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory.fullname" . }}-migration-scripts + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + migrate.sh: | +{{ .Files.Get "files/migrate.sh" | indent 4 }} + migrationHelmInfo.yaml: | +{{ .Files.Get "files/migrationHelmInfo.yaml" | indent 4 }} + migrationStatus.sh: | +{{ .Files.Get "files/migrationStatus.sh" | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-networkpolicy.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-networkpolicy.yaml new file mode 100644 index 000000000..d24203dc9 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-networkpolicy.yaml @@ -0,0 +1,34 @@ +{{- range .Values.networkpolicy }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "artifactory.fullname" $ }}-{{ .name }}-networkpolicy + labels: + app: {{ template "artifactory.name" $ }} + chart: {{ template "artifactory.chart" $ }} + release: {{ $.Release.Name }} + heritage: {{ $.Release.Service }} +spec: +{{- if .podSelector }} + podSelector: +{{ .podSelector | toYaml | trimSuffix "\n" | indent 4 -}} +{{ else }} + podSelector: {} +{{- end }} + policyTypes: + {{- if .ingress }} + - Ingress + {{- end }} + {{- if .egress }} + - Egress + {{- end }} +{{- if .ingress }} + ingress: +{{ .ingress | toYaml | trimSuffix "\n" | indent 2 -}} +{{- end }} +{{- if .egress }} + egress: +{{ .egress | toYaml | trimSuffix "\n" | indent 2 -}} +{{- end }} +--- +{{- end -}} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-nfs-pvc.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-nfs-pvc.yaml new file mode 100644 index 000000000..75d6d0c53 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-nfs-pvc.yaml @@ -0,0 +1,101 @@ +{{- if eq .Values.artifactory.persistence.type "nfs" }} +### Artifactory HA data +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ template "artifactory.fullname" . }}-data-pv + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + id: {{ template "artifactory.name" . }}-data-pv + type: nfs-volume +spec: + {{- if .Values.artifactory.persistence.nfs.mountOptions }} + mountOptions: +{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} + {{- end }} + capacity: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + nfs: + server: {{ .Values.artifactory.persistence.nfs.ip }} + path: "{{ .Values.artifactory.persistence.nfs.haDataMount }}" + readOnly: false +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "artifactory.fullname" . }}-data-pvc + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + type: nfs-volume +spec: + accessModes: + - ReadWriteOnce + storageClassName: "" + resources: + requests: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + selector: + matchLabels: + id: {{ template "artifactory.name" . }}-data-pv + app: {{ template "artifactory.name" . }} + release: {{ .Release.Name }} +--- +### Artifactory HA backup +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ template "artifactory.fullname" . }}-backup-pv + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + id: {{ template "artifactory.name" . }}-backup-pv + type: nfs-volume +spec: + {{- if .Values.artifactory.persistence.nfs.mountOptions }} + mountOptions: +{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} + {{- end }} + capacity: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + nfs: + server: {{ .Values.artifactory.persistence.nfs.ip }} + path: "{{ .Values.artifactory.persistence.nfs.haBackupMount }}" + readOnly: false +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "artifactory.fullname" . }}-backup-pvc + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + type: nfs-volume +spec: + accessModes: + - ReadWriteOnce + storageClassName: "" + resources: + requests: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + selector: + matchLabels: + id: {{ template "artifactory.name" . }}-backup-pv + app: {{ template "artifactory.name" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-pdb.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-pdb.yaml new file mode 100644 index 000000000..68876d23b --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/artifactory-pdb.yaml @@ -0,0 +1,24 @@ +{{- if .Values.artifactory.minAvailable -}} +{{- if semverCompare "= 107.79.x), just set databaseUpgradeReady=true \n" .Values.databaseUpgradeReady | quote }} +{{- end }} +{{- if and (eq (include "artifactory.isUsingDerby" .) "true") (gt (.Values.artifactory.replicaCount | int64) 1) }} + {{- fail "Derby database is not supported in HA mode" }} +{{- end }} +{{- if .Values.artifactory.postStartCommand }} + {{- fail ".Values.artifactory.postStartCommand is not supported and should be replaced with .Values.artifactory.lifecycle.postStart.exec.command" }} +{{- end }} +{{- if eq .Values.artifactory.persistence.type "aws-s3" }} + {{- fail "\nPersistence storage type 'aws-s3' is deprecated and is not supported and should be replaced with 'aws-s3-v3'" }} +{{- end }} +{{- if or .Values.artifactory.persistence.googleStorage.identity .Values.artifactory.persistence.googleStorage.credential }} + {{- fail "\nGCP Bucket Authentication with Identity and Credential is deprecated" }} +{{- end }} +{{- if (eq (.Values.artifactory.setSecurityContext | toString) "false" ) }} + {{- fail "\n You need to set security context at the pod level. .Values.artifactory.setSecurityContext is no longer supported. Replace it with .Values.artifactory.podSecurityContext" }} +{{- end }} +{{- if or .Values.artifactory.uid .Values.artifactory.gid }} +{{- if or (not (eq (.Values.artifactory.uid | toString) "1030" )) (not (eq (.Values.artifactory.gid | toString) "1030" )) }} + {{- fail "\n .Values.artifactory.uid and .Values.artifactory.gid are no longer supported. You need to set these values at the pod security context level. Replace them with .Values.artifactory.podSecurityContext.runAsUser .Values.artifactory.podSecurityContext.runAsGroup and .Values.artifactory.podSecurityContext.fsGroup" }} +{{- end }} +{{- end }} +{{- if or .Values.artifactory.fsGroupChangePolicy .Values.artifactory.seLinuxOptions }} + {{- fail "\n .Values.artifactory.fsGroupChangePolicy and .Values.artifactory.seLinuxOptions are no longer supported. You need to set these values at the pod security context level. Replace them with .Values.artifactory.podSecurityContext.fsGroupChangePolicy and .Values.artifactory.podSecurityContext.seLinuxOptions" }} +{{- end }} +{{- if .Values.initContainerImage }} + {{- fail "\n .Values.initContainerImage is no longer supported. Replace it with .Values.initContainers.image.registry .Values.initContainers.image.repository and .Values.initContainers.image.tag" }} +{{- end }} +{{- if and (eq .Values.rtfs.enabled true) (ne .Values.database.type "postgresql") (not (empty .Values.database.type))}} + {{- fail "\n RTFS supports only PostgreSQL databases and is not compatible with other databases. If you are currently using a different database, disable RTFS." }} +{{- end }} +{{- with .Values.artifactory.labels }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.artifactory.statefulset.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + serviceName: {{ template "artifactory.servicePrependReleaseName" . }} + replicas: {{ .Values.artifactory.replicaCount }} + updateStrategy: {{- toYaml .Values.artifactory.updateStrategy | nindent 4 }} + selector: + matchLabels: + app: {{ template "artifactory.name" . }} + role: {{ template "artifactory.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + role: {{ template "artifactory.name" . }} + component: {{ .Values.artifactory.name }} + release: {{ .Release.Name }} + {{- with .Values.artifactory.labels }} +{{ toYaml . | indent 8 }} + {{- end }} + annotations: + {{- if not .Values.artifactory.unifiedSecretInstallation }} + checksum/database-secrets: {{ include (print $.Template.BasePath "/artifactory-database-secrets.yaml") . | sha256sum }} + checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }} + checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }} + {{- if .Values.access.accessConfig }} + checksum/access-config: {{ include (print $.Template.BasePath "/artifactory-access-config.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + checksum/gcpcredentials: {{ include (print $.Template.BasePath "/artifactory-gcp-credentials-secret.yaml") . | sha256sum }} + {{- end }} + {{- if not (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) }} + checksum/admin-creds: {{ include (print $.Template.BasePath "/admin-bootstrap-creds.yaml") . | sha256sum }} + {{- end }} + {{- else }} + checksum/artifactory-unified-secret: {{ include (print $.Template.BasePath "/artifactory-unified-secret.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.artifactory.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + spec: + {{- if .Values.artifactory.schedulerName }} + schedulerName: {{ .Values.artifactory.schedulerName | quote }} + {{- end }} + {{- if .Values.artifactory.priorityClass.existingPriorityClass }} + priorityClassName: {{ .Values.artifactory.priorityClass.existingPriorityClass }} + {{- else -}} + {{- if .Values.artifactory.priorityClass.create }} + priorityClassName: {{ default (include "artifactory.fullname" .) .Values.artifactory.priorityClass.name }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "artifactory.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ add .Values.artifactory.terminationGracePeriodSeconds 10 }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} +{{- include "artifactory.imagePullSecrets" . | indent 6 }} + {{- end }} + {{- if .Values.artifactory.podSecurityContext.enabled }} + securityContext: {{- omit .Values.artifactory.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.artifactory.topologySpreadConstraints }} + topologySpreadConstraints: +{{ tpl (toYaml .Values.artifactory.topologySpreadConstraints) . | indent 8 }} + {{- end }} + initContainers: + {{- if or .Values.artifactory.customInitContainersBegin .Values.global.customInitContainersBegin }} +{{ tpl (include "artifactory.customInitContainersBegin" .) . | indent 6 }} + {{- end }} + {{- if .Values.artifactory.persistence.enabled }} + {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} + - name: "delete-db-properties" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - 'rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/db.properties' + volumeMounts: + - name: artifactory-volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + {{- end }} + {{- end }} + {{- if or (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) .Values.artifactory.admin.password }} + - name: "access-bootstrap-creds" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > + echo "Preparing {{ .Values.artifactory.persistence.mountPath }}/etc/access/bootstrap.creds"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access; + cp -Lrf /tmp/access/bootstrap.creds {{ .Values.artifactory.persistence.mountPath }}/etc/access/bootstrap.creds; + chmod 600 {{ .Values.artifactory.persistence.mountPath }}/etc/access/bootstrap.creds; + volumeMounts: + - name: artifactory-volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + {{- if or (not .Values.artifactory.unifiedSecretInstallation) (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) }} + - name: access-bootstrap-creds + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/access/bootstrap.creds" + {{- if and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey }} + subPath: {{ .Values.artifactory.admin.dataKey }} + {{- else }} + subPath: "bootstrap.creds" + {{- end }} + {{- end }} + - name: 'copy-system-configurations' + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - '/bin/bash' + - '-c' + - > + if [[ -e "{{ .Values.artifactory.persistence.mountPath }}/etc/filebeat.yaml" ]]; then chmod 644 {{ .Values.artifactory.persistence.mountPath }}/etc/filebeat.yaml; fi; + echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; + {{- if .Values.systemYamlOverride.existingSecret }} + cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + {{- else }} + cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + {{- end }} + echo "Copy binarystore.xml file"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/artifactory; + cp -fv /tmp/etc/artifactory/binarystore.xml {{ .Values.artifactory.persistence.mountPath }}/etc/artifactory/binarystore.xml; + {{- if .Values.access.accessConfig }} + echo "Copy access.config.patch.yml to {{ .Values.artifactory.persistence.mountPath }}/etc/access"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access; + cp -fv /tmp/etc/access.config.patch.yml {{ .Values.artifactory.persistence.mountPath }}/etc/access/access.config.patch.yml; + {{- end }} + {{- if .Values.access.resetAccessCAKeys }} + echo "Resetting Access CA Keys"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys; + touch {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys/reset_ca_keys; + {{- end }} + {{- if .Values.access.customCertificatesSecretName }} + echo "Copying custom certificates to {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys; + cp -fv /tmp/etc/tls.crt {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys/ca.crt; + cp -fv /tmp/etc/tls.key {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys/ca.private.key; + {{- end }} + {{- if .Values.jfconnect.customCertificatesSecretName }} + echo "Copying custom certificates to {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys; + cp -fv /tmp/etc/tls.crt {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys/; + cp -fv /tmp/etc/tls.cer {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys/; + cp -fv /tmp/etc/tls.pem {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys/; + cp -fv /tmp/etc/tls.key {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/etc/keys/; + {{- end }} + {{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + echo "Copy joinKey to {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security; + echo -n ${ARTIFACTORY_JOIN_KEY} > {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security/join.key; + {{- end }} + {{- if or .Values.artifactory.jfConnectToken .Values.artifactory.jfConnectTokenSecretName }} + echo "Copy jfConnectToken to {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/registration_token"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/; + echo -n ${ARTIFACTORY_JFCONNECT_TOKEN} > {{ .Values.artifactory.persistence.mountPath }}/bootstrap/jfconnect/registration_token; + {{- end }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + echo "Copy masterKey to {{ .Values.artifactory.persistence.mountPath }}/etc/security"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/security; + echo -n ${ARTIFACTORY_MASTER_KEY} > {{ .Values.artifactory.persistence.mountPath }}/etc/security/master.key; + {{- end }} + env: + {{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + - name: ARTIFACTORY_JOIN_KEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + name: {{ include "artifactory.joinKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: join-key + {{- end }} + {{- if or .Values.artifactory.jfConnectToken .Values.artifactory.jfConnectSecretName }} + - name: ARTIFACTORY_JFCONNECT_TOKEN + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.jfConnectTokenSecretName }} + name: {{ include "artifactory.jfConnectTokenSecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: jfconnect-token + {{- end }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + - name: ARTIFACTORY_MASTER_KEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + name: {{ include "artifactory.masterKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: master-key + {{- end }} + volumeMounts: + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" + subPath: {{ .Values.systemYamlOverride.dataKey }} + {{- else }} + mountPath: "/tmp/etc/system.yaml" + subPath: "system.yaml" + {{- end }} + + ######################## Binarystore ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + + ######################## Access config ########################## + {{- if .Values.access.accessConfig }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + - name: access-config + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/access.config.patch.yml" + subPath: "access.config.patch.yml" + {{- end }} + + ######################## Access certs external secret ########################## + {{- if .Values.access.customCertificatesSecretName }} + - name: access-certs + mountPath: "/tmp/etc/tls.crt" + subPath: tls.crt + - name: access-certs + mountPath: "/tmp/etc/tls.key" + subPath: tls.key + {{- end }} + + {{- if .Values.jfconnect.customCertificatesSecretName }} + - name: jfconnect-certs + mountPath: "/tmp/etc/tls.crt" + subPath: tls.crt + - name: jfconnect-certs + mountPath: "/tmp/etc/tls.pem" + subPath: tls.pem + - name: jfconnect-certs + mountPath: "/tmp/etc/tls.cer" + subPath: tls.cer + - name: jfconnect-certs + mountPath: "/tmp/etc/tls.key" + subPath: tls.key + {{- end }} + + {{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: copy-custom-certificates + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > +{{ include "artifactory.copyCustomCerts" . | indent 10 }} + volumeMounts: + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath }} + - name: ca-certs + mountPath: "/tmp/certs" + {{- end }} + + {{- if .Values.artifactory.circleOfTrustCertificatesSecret }} + - name: copy-circle-of-trust-certificates + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > +{{ include "artifactory.copyCircleOfTrustCertsCerts" . | indent 10 }} + volumeMounts: + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath }} + - name: circle-of-trust-certs + mountPath: "/tmp/circleoftrustcerts" + {{- end }} + + {{- if .Values.waitForDatabase }} + {{- if .Values.postgresql.enabled }} + - name: "wait-for-db" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - /bin/bash + - -c + - | + echo "Waiting for postgresql to come up" + ready=false; + while ! $ready; do echo waiting; + timeout 2s bash -c " + {{- if .Values.artifactory.migration.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.artifactory.migration.preStartCommand . }}; + {{- end }} + scriptsPath="/opt/jfrog/artifactory/app/bin"; + mkdir -p $scriptsPath; + echo "Copy migration scripts and Run migration"; + cp -fv /tmp/migrate.sh $scriptsPath/migrate.sh; + cp -fv /tmp/migrationHelmInfo.yaml $scriptsPath/migrationHelmInfo.yaml; + cp -fv /tmp/migrationStatus.sh $scriptsPath/migrationStatus.sh; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/log; + bash $scriptsPath/migrationStatus.sh {{ include "artifactory.app.version" . }} {{ .Values.artifactory.migration.timeoutSeconds }} > >(tee {{ .Values.artifactory.persistence.mountPath }}/log/helm-migration.log) 2>&1; + env: + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.artifactory.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + - name: migration-scripts + mountPath: "/tmp/migrate.sh" + subPath: migrate.sh + - name: migration-scripts + mountPath: "/tmp/migrationHelmInfo.yaml" + subPath: migrationHelmInfo.yaml + - name: migration-scripts + mountPath: "/tmp/migrationStatus.sh" + subPath: migrationStatus.sh + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + ######################## Artifactory persistence binarystore Xml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: "binarystore.xml" + + ######################## Artifactory persistence google storage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json + {{- end }} + {{- end }} + + ######################## CustomVolumeMounts ########################## + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} + {{- end }} +{{- end }} + {{- if .Values.hostAliases }} + hostAliases: +{{ toYaml .Values.hostAliases | indent 6 }} + {{- end }} + containers: + {{- if .Values.splitServicesToContainers }} + - name: {{ .Values.router.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "router") }} + imagePullPolicy: {{ .Values.router.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/router/app/bin/entrypoint-router.sh + {{- with .Values.router.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "artifactory.router.requiredServiceTypes" . }} +{{- with .Values.router.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + - name: artifactory-volume + mountPath: {{ .Values.router.persistence.mountPath | quote }} +{{- with .Values.router.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.router.resources | indent 10 }} + {{- if .Values.router.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.router.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.router.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.router.readinessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.router.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.router.livenessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.frontend.enabled }} + - name: {{ .Values.frontend.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/third-party/node/bin/node /opt/jfrog/artifactory/app/frontend/bin/server/dist/bundle.js /opt/jfrog/artifactory/app/frontend + {{- with .Values.frontend.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if and (gt (.Values.artifactory.replicaCount | int64) 1) (eq (include "artifactory.isImageProType" .) "true") (eq (include "artifactory.isUsingDerby" .) "false") }} + - name : JF_SHARED_NODE_HAENABLED + value: "true" + {{- end }} +{{- with .Values.frontend.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.frontend.resources | indent 10 }} + {{- if .Values.frontend.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.frontend.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.frontend.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.frontend.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.evidence.enabled }} + - name: {{ .Values.evidence.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/evidence/bin/jf-evidence start + {{- with .Values.evidence.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.evidence.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.evidence.internalPort }} + name: http-evidence + - containerPort: {{ .Values.evidence.externalPort }} + name: grpc-evidence + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.evidence.resources | indent 10 }} + {{- if .Values.evidence.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.evidence.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.evidence.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.evidence.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.metadata.enabled }} + - name: {{ .Values.metadata.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/metadata/bin/jf-metadata start + {{- with .Values.metadata.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.metadata.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.metadata.resources | indent 10 }} + {{- if .Values.metadata.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.metadata.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.metadata.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.metadata.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.onemodel.enabled }} + - name: {{ .Values.onemodel.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/onemodel/bin/entrypoint-onemodel.sh + {{- with .Values.onemodel.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: JF_ONEMODEL_LISTENADDR + value: "0.0.0.0" +{{- with .Values.onemodel.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.onemodel.resources | indent 10 }} + {{- if .Values.onemodel.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.onemodel.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.onemodel.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.onemodel.livenessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.onemodel.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.onemodel.readinessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.event.enabled }} + - name: {{ .Values.event.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/event/bin/jf-event start + {{- with .Values.event.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- with .Values.event.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.event.resources | indent 10 }} + {{- if .Values.event.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.event.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.event.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.event.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.jfconnect.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} + - name: {{ .Values.jfconnect.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/jfconnect/bin/jf-connect start + {{- with .Values.jfconnect.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- with .Values.jfconnect.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.jfconnect.resources | indent 10 }} + {{- if .Values.jfconnect.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.jfconnect.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.jfconnect.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.jfconnect.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.access.enabled (not (.Values.access.runOnArtifactoryTomcat | default false)) }} + - name: {{ .Values.access.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + {{- if .Values.access.resources }} + resources: +{{ toYaml .Values.access.resources | indent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + set -e; + {{- if .Values.access.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.access.preStartCommand . }}; + {{- end }} + exec /opt/jfrog/artifactory/app/access/bin/entrypoint-access.sh + {{- with .Values.access.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if and (gt (.Values.artifactory.replicaCount | int64) 1) (eq (include "artifactory.isImageProType" .) "true") (eq (include "artifactory.isUsingDerby" .) "false") }} + - name : JF_SHARED_NODE_HAENABLED + value: "true" + {{- end }} + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.access.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + ######################## Artifactory persistence googleStorage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json + {{- end }} + {{- end }} + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} + {{- end }} + {{- if .Values.access.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.access.startupProbe.config . | indent 10 }} + {{- end }} + {{- if semverCompare " + exec /opt/jfrog/artifactory/app/topology/bin/entrypoint-topology.sh + {{- with .Values.topology.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.topology.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.topology.internalPort }} + name: http-topology + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.topology.resources | indent 10 }} + {{- if .Values.topology.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.topology.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.topology.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.topology.readinessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.topology.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.topology.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.observability.enabled }} + - name: {{ .Values.observability.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/observability/bin/jf-observability start + {{- with .Values.observability.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- with .Values.observability.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + volumeMounts: + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} + {{- end }} + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.observability.resources | indent 10 }} + {{- if .Values.observability.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.observability.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.observability.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.observability.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- end }} + + - name: {{ .Values.artifactory.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + {{- if .Values.artifactory.resources }} + resources: +{{ toYaml .Values.artifactory.resources | indent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + set -e; + if [ -d /artifactory_extra_conf ] && [ -d /artifactory_bootstrap ]; then + echo "Copying bootstrap config from /artifactory_extra_conf to /artifactory_bootstrap"; + cp -Lrfv /artifactory_extra_conf/ /artifactory_bootstrap/; + fi; + {{- if .Values.artifactory.configMapName }} + echo "Copying bootstrap configs"; + cp -Lrf /bootstrap/* /artifactory_bootstrap/; + {{- end }} + {{- if .Values.artifactory.userPluginSecrets }} + echo "Copying plugins"; + cp -Lrf /tmp/plugin/*/* /artifactory_bootstrap/plugins; + {{- end }} + {{- range .Values.artifactory.copyOnEveryStartup }} + {{- $targetPath := printf "%s/%s" $.Values.artifactory.persistence.mountPath .target }} + {{- $baseDirectory := regexFind ".*/" $targetPath }} + mkdir -p {{ $baseDirectory }}; + cp -Lrf {{ .source }} {{ $.Values.artifactory.persistence.mountPath }}/{{ .target }}; + {{- end }} + {{- if .Values.artifactory.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.artifactory.preStartCommand . }}; + {{- end }} + exec /entrypoint-artifactory.sh + {{- with .Values.artifactory.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if and (gt (.Values.artifactory.replicaCount | int64) 1) (eq (include "artifactory.isImageProType" .) "true") (eq (include "artifactory.isUsingDerby" .) "false") }} + - name : JF_SHARED_NODE_HAENABLED + value: "true" + {{- end }} + {{- if .Values.aws.license.enabled }} + - name: IS_AWS_LICENSE + value: "true" + - name: AWS_REGION + value: {{ .Values.aws.region | quote }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + {{- end }} + {{- if .Values.splitServicesToContainers }} + - name : JF_ROUTER_ENABLED + value: "true" + - name : JF_ROUTER_SERVICE_ENABLED + value: "false" + - name : JF_EVENT_ENABLED + value: "false" + - name : JF_METADATA_ENABLED + value: "false" + - name : JF_FRONTEND_ENABLED + value: "false" + - name: JF_FEDERATION_ENABLED + value: "false" + - name : JF_OBSERVABILITY_ENABLED + value: "false" + - name : JF_JFCONNECT_SERVICE_ENABLED + value: "false" + - name : JF_EVIDENCE_ENABLED + value: "false" + - name : JF_ONEMODEL_ENABLED + value: "false" + {{- if not (.Values.access.runOnArtifactoryTomcat | default false) }} + - name : JF_ACCESS_ENABLED + value: "false" + {{- end}} + - name: JF_TOPOLOGY_SPLIT_CONTAINER_ENABLED + value: "true" + {{- end}} + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.artifactory.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.artifactory.internalPort }} + name: http + - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} + name: http-internal + {{- if .Values.artifactory.javaOpts.jmx.enabled }} + - containerPort: {{ .Values.artifactory.javaOpts.jmx.port }} + name: tcp-jmx + {{- end }} + {{- if .Values.artifactory.ssh.enabled }} + - containerPort: {{ .Values.artifactory.ssh.internalPort }} + name: tcp-ssh + {{- end }} + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: awsmp-product-license + mountPath: "/var/run/secrets/product-license" + {{- end }} + {{- if .Values.artifactory.userPluginSecrets }} + - name: bootstrap-plugins + mountPath: "/artifactory_bootstrap/plugins/" + {{- range .Values.artifactory.userPluginSecrets }} + - name: {{ tpl . $ }} + mountPath: "/tmp/plugin/{{ tpl . $ }}" + {{- end }} + {{- end }} + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + + ######################## Artifactory config map ########################## + {{- if .Values.artifactory.configMapName }} + - name: bootstrap-config + mountPath: "/bootstrap/" + {{- end }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + ######################## Artifactory persistence binarystoreXml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + + ######################## Artifactory persistence googleStorage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json + {{- end }} + {{- end }} + + ######################## Artifactory license ########################## + {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.license.secret }} + - name: artifactory-license + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/artifactory.cluster.license" + {{- if .Values.artifactory.license.secret }} + subPath: {{ .Values.artifactory.license.dataKey }} + {{- else if .Values.artifactory.license.licenseKey }} + subPath: artifactory.lic + {{- end }} + {{- end }} + + - name: installer-info + mountPath: "/artifactory_bootstrap/info/installer-info.json" + subPath: installer-info.json + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} + {{- end }} + {{- if .Values.artifactory.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.artifactory.startupProbe.config . | indent 10 }} + {{- end }} + {{- if and (not .Values.splitServicesToContainers) (semverCompare "=1.18.0-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingressGrpc.className }} + {{- end }} + {{- if .Values.ingressGrpc.defaultBackend.enabled }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} + rules: +{{- if .Values.ingressGrpc.hosts }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + {{- range $host := .Values.ingressGrpc.hosts }} + - host: {{ $host | quote }} + http: + paths: + - path: {{ $.Values.ingressGrpc.grpcPath }} + pathType: {{ $.Values.ingressGrpc.pathType | default "ImplementationSpecific" }} + backend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- end }} + {{- else }} + {{- range $host := .Values.ingressGrpc.hosts }} + - host: {{ $host | quote }} + http: + paths: + - path: {{ $.Values.ingressGrpc.grpcPath }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} +{{- end -}} + {{- with .Values.ingressGrpc.additionalRules }} +{{ tpl . $ | indent 2 }} + {{- end }} + + {{- if .Values.ingressGrpc.tls }} + tls: +{{ toYaml .Values.ingressGrpc.tls | indent 4 }} + {{- end -}} + +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/ingress.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/ingress.yaml new file mode 100644 index 000000000..7a3669161 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/ingress.yaml @@ -0,0 +1,110 @@ +{{- if .Values.ingress.enabled -}} +{{- $serviceName := include "artifactory.fullname" . -}} +{{- $servicePort := .Values.artifactory.externalPort -}} +{{- $serviceRTFSName := include "rtfs.fullname" . -}} +{{- $artifactoryServicePort := .Values.artifactory.externalArtifactoryPort -}} +{{- $ingressName := default ( include "artifactory.fullname" . ) .Values.ingress.name -}} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} +apiVersion: networking.k8s.io/v1 +{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $ingressName }} + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.ingress.labels }} +{{ .Values.ingress.labels | toYaml | trimSuffix "\n"| indent 4 -}} +{{- end}} +{{- if .Values.ingress.annotations }} + annotations: +{{ .Values.ingress.annotations | toYaml | trimSuffix "\n" | indent 4 -}} +{{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.defaultBackend.enabled }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} + rules: +{{- if .Values.ingress.hosts }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host | quote }} + http: + paths: + - path: {{ $.Values.ingress.routerPath }} + pathType: {{ $.Values.ingress.pathType | default "ImplementationSpecific" }} + backend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- if not $.Values.ingress.disableRouterBypass }} + - path: {{ $.Values.ingress.artifactoryPath }} + pathType: {{ $.Values.ingress.pathType | default "ImplementationSpecific" }} + backend: + service: + name: {{ $serviceName }} + port: + number: {{ $artifactoryServicePort }} + {{- end }} + {{- if and $.Values.rtfs.enabled $.Values.ingress.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" $.Values.artifactory.image.repository)) }} + - path: {{ $.Values.ingress.rtfsPath }} + pathType: {{ $.Values.ingress.pathType | default "ImplementationSpecific" }} + backend: + service: + name: {{ $serviceRTFSName }} + port: + name: http-router + {{- end }} + {{- end }} + {{- else }} + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host | quote }} + http: + paths: + - path: {{ $.Values.ingress.routerPath }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- if not $.Values.ingress.disableRouterBypass }} + - path: {{ $.Values.ingress.artifactoryPath }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $artifactoryServicePort }} + {{- end }} + {{- end }} + {{- end }} +{{- end -}} + {{- with .Values.ingress.additionalRules }} +{{ tpl . $ | indent 2 }} + {{- end }} + + {{- if .Values.ingress.tls }} + tls: +{{ toYaml .Values.ingress.tls | indent 4 }} + {{- end -}} + +{{- if .Values.customIngress }} +--- +{{ .Values.customIngress | toYaml | trimSuffix "\n" }} +{{- end -}} +{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/logger-configmap.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/logger-configmap.yaml new file mode 100644 index 000000000..41a078b02 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/logger-configmap.yaml @@ -0,0 +1,63 @@ +{{- if or .Values.artifactory.loggers .Values.artifactory.catalinaLoggers }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory.fullname" . }}-logger + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + tail-log.sh: | + #!/bin/sh + + LOG_DIR=$1 + LOG_NAME=$2 + PID= + + # Wait for log dir to appear + while [ ! -d ${LOG_DIR} ]; do + sleep 1 + done + + cd ${LOG_DIR} + + LOG_PREFIX=$(echo ${LOG_NAME} | sed 's/.log$//g') + + # Find the log to tail + LOG_FILE=$(ls -1t ./${LOG_PREFIX}.log 2>/dev/null) + + # Wait for the log file + while [ -z "${LOG_FILE}" ]; do + sleep 1 + LOG_FILE=$(ls -1t ./${LOG_PREFIX}.log 2>/dev/null) + done + + echo "Log file ${LOG_FILE} is ready!" + + # Get inode number + INODE_ID=$(ls -i ${LOG_FILE}) + + # echo "Tailing ${LOG_FILE}" + tail -F ${LOG_FILE} & + PID=$! + + # Loop forever to see if a new log was created + while true; do + # Check inode number + NEW_INODE_ID=$(ls -i ${LOG_FILE}) + + # If inode number changed, this means log was rotated and need to start a new tail + if [ "${INODE_ID}" != "${NEW_INODE_ID}" ]; then + kill -9 ${PID} 2>/dev/null + INODE_ID="${NEW_INODE_ID}" + + # Start a new tail + tail -F ${LOG_FILE} & + PID=$! + fi + sleep 1 + done + +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-artifactory-conf.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-artifactory-conf.yaml new file mode 100644 index 000000000..343448994 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-artifactory-conf.yaml @@ -0,0 +1,18 @@ +{{- if and (not .Values.nginx.customArtifactoryConfigMap) .Values.nginx.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory.fullname" . }}-nginx-artifactory-conf + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + artifactory.conf: | +{{- if .Values.nginx.artifactoryConf }} +{{ tpl .Values.nginx.artifactoryConf . | indent 4 }} +{{- else }} +{{ tpl ( .Files.Get "files/nginx-artifactory-conf.yaml" ) . | indent 4 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-certificate-secret.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-certificate-secret.yaml new file mode 100644 index 000000000..f13d40174 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-certificate-secret.yaml @@ -0,0 +1,14 @@ +{{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.enabled .Values.nginx.https.enabled }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ template "artifactory.fullname" . }}-nginx-certificate + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: +{{ ( include "artifactory.gen-certs" . ) | indent 2 }} +{{- end }} diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-conf.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-conf.yaml new file mode 100644 index 000000000..31219d58a --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-conf.yaml @@ -0,0 +1,18 @@ +{{- if and (not .Values.nginx.customConfigMap) .Values.nginx.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory.fullname" . }}-nginx-conf + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + nginx.conf: | +{{- if .Values.nginx.mainConf }} +{{ tpl .Values.nginx.mainConf . | indent 4 }} +{{- else }} +{{ tpl ( .Files.Get "files/nginx-main-conf.yaml" ) . | indent 4 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-deployment.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-deployment.yaml new file mode 100644 index 000000000..774bedcca --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-deployment.yaml @@ -0,0 +1,223 @@ +{{- if .Values.nginx.enabled -}} +{{- $serviceName := include "artifactory.fullname" . -}} +{{- $servicePort := .Values.artifactory.externalPort -}} +apiVersion: apps/v1 +kind: {{ .Values.nginx.kind }} +metadata: + name: {{ template "artifactory.nginx.fullname" . }} + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: {{ .Values.nginx.name }} +{{- if .Values.nginx.labels }} +{{ toYaml .Values.nginx.labels | indent 4 }} +{{- end }} +{{- with .Values.nginx.deployment.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if eq .Values.nginx.kind "StatefulSet" }} + serviceName: {{ template "artifactory.nginx.fullname" . }} +{{- end }} +{{- if ne .Values.nginx.kind "DaemonSet" }} + replicas: {{ .Values.nginx.replicaCount }} +{{- end }} + selector: + matchLabels: + app: {{ template "artifactory.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.nginx.name }} + template: + metadata: + annotations: + checksum/nginx-conf: {{ include (print $.Template.BasePath "/nginx-conf.yaml") . | sha256sum }} + checksum/nginx-artifactory-conf: {{ include (print $.Template.BasePath "/nginx-artifactory-conf.yaml") . | sha256sum }} + {{- range $key, $value := .Values.nginx.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + component: {{ .Values.nginx.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.nginx.labels }} +{{ toYaml .Values.nginx.labels | indent 8 }} +{{- end }} + spec: + {{- if .Values.nginx.podSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "artifactory.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.nginx.terminationGracePeriodSeconds }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} +{{- include "artifactory.imagePullSecrets" . | indent 6 }} + {{- end }} + {{- if .Values.nginx.priorityClassName }} + priorityClassName: {{ .Values.nginx.priorityClassName | quote }} + {{- end }} + {{- if .Values.nginx.topologySpreadConstraints }} + topologySpreadConstraints: +{{ tpl (toYaml .Values.nginx.topologySpreadConstraints) . | indent 8 }} + {{- end }} + initContainers: + {{- if .Values.nginx.customInitContainers }} +{{ tpl (include "artifactory.nginx.customInitContainers" .) . | indent 6 }} + {{- end }} + - name: "setup" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/sh' + - '-c' + - > + rm -rfv {{ .Values.nginx.persistence.mountPath }}/lost+found; + mkdir -p {{ .Values.nginx.persistence.mountPath }}/logs; + resources: + {{- toYaml .Values.initContainers.resources | nindent 10 }} + volumeMounts: + - mountPath: {{ .Values.nginx.persistence.mountPath | quote }} + name: nginx-volume + containers: + - name: {{ .Values.nginx.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "nginx") }} + imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + {{- if .Values.nginx.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + {{- if .Values.nginx.customCommand }} + command: +{{- tpl (include "nginx.command" .) . | indent 10 }} + {{- end }} + ports: +{{ if .Values.nginx.customPorts }} +{{ toYaml .Values.nginx.customPorts | indent 8 }} +{{ end }} + # DEPRECATION NOTE: The following is to maintain support for values pre 1.3.1 and + # will be cleaned up in a later version + {{- if .Values.nginx.http }} + {{- if .Values.nginx.http.enabled }} + - containerPort: {{ .Values.nginx.http.internalPort }} + name: http + {{- end }} + {{- else }} # DEPRECATED + - containerPort: {{ .Values.nginx.internalPortHttp }} + name: http-internal + {{- end }} + {{- if .Values.nginx.https }} + {{- if .Values.nginx.https.enabled }} + - containerPort: {{ .Values.nginx.https.internalPort }} + name: https + {{- end }} + {{- else }} # DEPRECATED + - containerPort: {{ .Values.nginx.internalPortHttps }} + name: https-internal + {{- end }} + {{- if .Values.artifactory.ssh.enabled }} + - containerPort: {{ .Values.nginx.ssh.internalPort }} + name: tcp-ssh + {{- end }} + {{- with .Values.nginx.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + - name: nginx-artifactory-conf + mountPath: "{{ .Values.nginx.persistence.mountPath }}/conf.d/" + - name: nginx-volume + mountPath: {{ .Values.nginx.persistence.mountPath | quote }} + {{- if .Values.nginx.https.enabled }} + - name: ssl-certificates + mountPath: "{{ .Values.nginx.persistence.mountPath }}/ssl" + {{- end }} + {{- if .Values.nginx.customVolumeMounts }} +{{ tpl (include "artifactory.nginx.customVolumeMounts" .) . | indent 8 }} + {{- end }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} + {{- if .Values.nginx.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.nginx.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.nginx.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.nginx.readinessProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.nginx.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.nginx.livenessProbe.config . | indent 10 }} + {{- end }} + {{- $mountPath := .Values.nginx.persistence.mountPath }} + {{- range .Values.nginx.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: {{ include "artifactory.getImageInfoByValue" (list $ "initContainers") }} + imagePullPolicy: {{ $.Values.initContainers.image.pullPolicy }} + command: + - tail + args: + - '-F' + - '{{ $mountPath }}/logs/{{ . }}' + volumeMounts: + - name: nginx-volume + mountPath: {{ $mountPath }} + resources: +{{ toYaml $.Values.nginx.loggersResources | indent 10 }} + {{- end }} + {{- if .Values.nginx.customSidecarContainers }} +{{ tpl (include "artifactory.nginx.customSidecarContainers" .) . | indent 6 }} + {{- end }} + {{- if or .Values.nginx.nodeSelector .Values.global.nodeSelector }} +{{ tpl (include "nginx.nodeSelector" .) . | indent 6 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- if .Values.nginx.customVolumes }} +{{ tpl (include "artifactory.nginx.customVolumes" .) . | indent 6 }} + {{- end }} + - name: nginx-conf + configMap: + {{- if .Values.nginx.customConfigMap }} + name: {{ .Values.nginx.customConfigMap }} + {{- else }} + name: {{ template "artifactory.fullname" . }}-nginx-conf + {{- end }} + - name: nginx-artifactory-conf + configMap: + {{- if .Values.nginx.customArtifactoryConfigMap }} + name: {{ .Values.nginx.customArtifactoryConfigMap }} + {{- else }} + name: {{ template "artifactory.fullname" . }}-nginx-artifactory-conf + {{- end }} + - name: nginx-volume + {{- if .Values.nginx.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.nginx.persistence.existingClaim | default (include "artifactory.nginx.fullname" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.nginx.https.enabled }} + - name: ssl-certificates + secret: + {{- if .Values.nginx.tlsSecretName }} + secretName: {{ .Values.nginx.tlsSecretName }} + {{- else }} + secretName: {{ template "artifactory.fullname" . }}-nginx-certificate + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-pdb.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-pdb.yaml new file mode 100644 index 000000000..dff0c23a3 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/nginx-pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.nginx.enabled -}} +{{- if semverCompare " + echo "Copy system.yaml to {{ .Values.rtfs.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.rtfs.persistence.mountPath }}/etc; + {{- if .Values.systemYamlOverride.existingSecret }} + cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.rtfs.persistence.mountPath }}/etc/system.yaml; + {{- else }} + cp -fv /tmp/etc/system.yaml {{ .Values.rtfs.persistence.mountPath }}/etc/system.yaml; + {{- end }} + echo "Copying artifactory-federation properties to {{ .Values.rtfs.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.rtfs.persistence.mountPath }}/etc; + echo "Starting to copy files to artifactory-federation.properties"; + found=false; + for file in /tmp/etc/properties/*; do + if [ -f "$file" ]; then + found=true; + key=$(basename "$file"); + value=$(cat "$file"); + echo "Processing file: $file"; + echo "$key=$value" >> {{ .Values.rtfs.persistence.mountPath }}/etc/artifactory-federation.properties; + fi; + done; + if [ "$found" = false ]; then + echo "No matching files found, creating an empty artifactory-federation.properties file"; + touch {{ .Values.rtfs.persistence.mountPath }}/etc/artifactory-federation.properties; + fi + volumeMounts: + - name: data + mountPath: {{ .Values.rtfs.persistence.mountPath | quote }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey }}" + subPath: {{ .Values.systemYamlOverride.dataKey }} + {{- else }} + mountPath: "/tmp/etc/system.yaml" + subPath: "system.yaml" + {{- end }} + {{- if or .Values.rtfs.persistence.federationProperties .Values.rtfs.persistence.customFederationPropertiesConfig }} + - name: federationproperties + mountPath: /tmp/etc/properties + {{- end }} + containers: + - name: rtfs + image: {{ include "artifactory.getImageInfoByValue" (list . "rtfs") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy | quote }} + {{- if .Values.rtfs.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.rtfs.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: {{ .Values.rtfs.persistence.mountPath | quote }} + {{- if .Values.rtfs.customVolumeMounts }} +{{ tpl (include "artifactory.rtfs.customVolumeMounts" .) . | indent 12 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if .Values.rtfs.javaOpts }} + - name: EXTRA_JAVA_OPTS + value: {{ .Values.rtfs.javaOpts }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + - name: JF_SHARED_SECURITY_MASTERKEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + name: {{ include "artifactory.masterKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: master-key + {{- end }} + {{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + - name: JF_SHARED_SECURITY_JOINKEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + name: {{ include "artifactory.joinKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: join-key + {{- end }} +{{- with .Values.rtfs.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 12 }} +{{- end }} + resources: {{- toYaml .Values.rtfs.resources | nindent 12 }} + {{- if .Values.rtfs.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.rtfs.startupProbe.config . | indent 12 }} + {{- end }} + {{- if .Values.rtfs.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.rtfs.readinessProbe.config . | indent 12 }} + {{- end }} + {{- if .Values.rtfs.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.rtfs.livenessProbe.config . | indent 12 }} + {{- end }} + {{- with .Values.rtfs.lifecycle }} + lifecycle: +{{ toYaml . | indent 12 }} + {{- end }} + - name: router + image: {{ include "artifactory.getImageInfoByValue" (list . "router") }} + imagePullPolicy: {{ .Values.router.image.imagePullPolicy }} + resources: {{- toYaml .Values.router.resources | nindent 12 }} + {{- if .Values.rtfs.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.rtfs.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/router/app/bin/entrypoint-router.sh + env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: "jfrtfs" + - name: JF_SHARED_JFROGURL + value: {{ include "rtfs.jfrogUrl" . }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + - name: JF_SHARED_SECURITY_MASTERKEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} + name: {{ include "artifactory.masterKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: master-key + {{- end }} + {{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + - name: JF_SHARED_SECURITY_JOINKEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} + name: {{ include "artifactory.joinKeySecretName" . }} + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: join-key + {{- end }} +{{- with .Values.router.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 12 }} +{{- end }} + ports: + - name: http-router + containerPort: {{ .Values.router.internalPort }} + volumeMounts: + - name: data + mountPath: {{ .Values.router.persistence.mountPath | quote }} + {{- if .Values.router.extraVolumeMounts }} + {{- toYaml .Values.router.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.router.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.router.startupProbe.config . | indent 12 }} + {{- end }} + {{- if .Values.router.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.router.readinessProbe.config . | indent 12 }} + {{- end }} + {{- if .Values.router.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.router.livenessProbe.config . | indent 12 }} + {{- end }} + {{- with .Values.router.lifecycle }} + lifecycle: +{{ toYaml . | indent 12 }} + {{- end }} + {{- if .Values.rtfs.customSidecarContainers }} +{{ tpl (include "artifactory.rtfs.customSidecarContainers" .) . | indent 8 }} + {{- end }} + volumes: + # system yaml + {{- if .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + secret: + secretName: {{ .Values.systemYamlOverride.existingSecret }} + {{- end }} + + ######### unifiedSecretInstallation ########### + {{- if and .Values.artifactory.unifiedSecretInstallation (eq (include "artifactory.checkDuplicateUnifiedCustomVolume" .) "false" ) }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + secret: + secretName: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- else if not .Values.artifactory.unifiedSecretInstallation }} + {{- if not .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + secret: + secretName: {{ printf "%s-%s" (include "artifactory.fullname" .) "systemyaml" }} + {{- end }} + {{- end }} + + {{- if .Values.rtfs.customVolumes }} +{{ tpl (include "artifactory.rtfs.customVolumes" .) . | indent 8 }} + {{- end }} + - name: data + emptyDir: {} + {{- if and (.Values.rtfs.persistence.federationProperties) (not .Values.rtfs.persistence.customFederationPropertiesConfig) }} + - name: federationproperties + configMap: + name: {{ include "rtfs.fullname" . }}-properties + {{- end }} + {{- if .Values.rtfs.persistence.customFederationPropertiesConfig }} + - name: federationproperties + configMap: + name: {{ .Values.rtfs.persistence.customFederationPropertiesConfig }} + {{- end }} + {{- if .Values.rtfs.extraVolumes }} + {{- toYaml .Values.rtfs.extraVolumes | nindent 8 }} + {{- end }} + {{- with .Values.rtfs.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.rtfs.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.rtfs.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/rtfs-properties-configmap.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/rtfs-properties-configmap.yaml new file mode 100644 index 000000000..c75bec9f2 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/rtfs-properties-configmap.yaml @@ -0,0 +1,17 @@ +{{- if and (.Values.rtfs.persistence.federationProperties) (not .Values.rtfs.persistence.customFederationPropertiesConfig) .Values.rtfs.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "rtfs.fullname" . }}-properties + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + component: {{ .Values.rtfs.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + {{- range $key, $value := .Values.rtfs.persistence.federationProperties }} + {{ $key }}: {{ tpl ($value | default "") . | quote }} + {{- end }} + {{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/rtfs-service.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/rtfs-service.yaml new file mode 100644 index 000000000..3d16053a6 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/templates/rtfs-service.yaml @@ -0,0 +1,42 @@ +{{- if .Values.rtfs.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "rtfs.fullname" . }} + labels: + app: {{ template "artifactory.name" . }} + chart: {{ template "artifactory.chart" . }} + component: {{ .Values.rtfs.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.rtfs.service.labels }} +{{ toYaml .Values.rtfs.service.labels | indent 4 }} +{{- end }} +{{- with .Values.rtfs.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + type: {{ .Values.rtfs.service.type }} + {{- if eq .Values.rtfs.service.type "LoadBalancer" }} + {{- if .Values.rtfs.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.rtfs.service.loadBalancerIP }} + {{- end }} + {{- if .Values.rtfs.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml .Values.rtfs.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- end }} + {{- if (or (eq .Values.rtfs.service.type "LoadBalancer") (eq .Values.rtfs.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.rtfs.service.externalTrafficPolicy | quote }} + {{- end }} + ports: + - port: {{ .Values.router.externalPort }} + targetPort: {{ .Values.router.internalPort }} + protocol: TCP + name: http-router + selector: + app: {{ template "artifactory.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.rtfs.name }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/values.yaml new file mode 100644 index 000000000..dea030591 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/charts/artifactory/values.yaml @@ -0,0 +1,2041 @@ +## Default values for artifactory. +## This is a YAML-formatted file. +## Beware when changing values here. You should know what you are doing! +## Access the values with {{ .Values.key.subkey }} +global: + # imageRegistry: releases-docker.jfrog.io + # imagePullSecrets: + # - myRegistryKeySecretName + ## Chart.AppVersion can be overidden using global.versions.artifactory or .Values.artifactory.image.tag + ## Note: Order of preference is 1) global.versions 2) .Values.artifactory.image.tag 3) Chart.AppVersion + ## This applies also for nginx images (.Values.nginx.image.tag) + versions: {} + # artifactory: + # initContainers: + # rtfs: + # joinKey: + # masterKey: + # joinKeySecretName: + # masterKeySecretName: + + ## Note: tags customInitContainersBegin,customInitContainers,customVolumes,customVolumeMounts,customSidecarContainers can be used both from global and application level simultaneously + # customInitContainersBegin: | + + # customInitContainers: | + + # customVolumes: | + + # customVolumeMounts: | + + # customSidecarContainers: | + + ## certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory + customCertificates: + enabled: false + # certificateSecretName: + ## Applies to artifactory and nginx pods + nodeSelector: {} +## String to partially override artifactory.fullname template (will maintain the release name) +# nameOverride: + +## String to fully override artifactory.fullname template +# fullnameOverride: + +## Init containers +initContainers: + image: + registry: releases-docker.jfrog.io + repository: ubi9/ubi-minimal + tag: 9.5.1733767867 + pullPolicy: IfNotPresent + resources: + requests: + memory: "50Mi" + cpu: "10m" + limits: + memory: "1Gi" + cpu: "1" +installer: + type: + platform: +## The installerInfo is intentionally commented out and the previous content has been moved under `files/installer-info.json` +## To override the content in `files/installer-info.json`, Uncomment the `installerInfo` and add relevant data +# installerInfo: '{}' + +## For supporting pulling from private registries +# imagePullSecrets: +# - myRegistryKeySecretName + +## Artifactory systemYaml override +## This is for advanced usecases where users wants to provide their own systemYaml for configuring artifactory +## Refer: https://www.jfrog.com/confluence/display/JFROG/Artifactory+System+YAML +## Note: This will override existing (default) .Values.artifactory.systemYaml in values.yaml +## Alternatively, systemYaml can be overidden via customInitContainers using external sources like vaults, external repositories etc. Please refer customInitContainer section below for an example. +## Note: Order of preference is 1) customInitContainers 2) systemYamlOverride existingSecret 3) default systemYaml in values.yaml +systemYamlOverride: + ## You can use a pre-existing secret by specifying existingSecret + existingSecret: + ## The dataKey should be the name of the secret data key created. + dataKey: +## Role Based Access Control +## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ +rbac: + create: false + role: + ## Rules to create. It follows the role specification + rules: + - apiGroups: + - '' + resources: + - services + - endpoints + - pods + verbs: + - get + - watch + - list +## Service Account +## Ref: https://kubernetes.io/docs/admin/service-accounts-admin/ +serviceAccount: + create: false + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + ## Service Account annotations + annotations: {} + ## Explicitly mounts the API credentials for the Service Account + automountServiceAccountToken: false +ingress: + enabled: false + defaultBackend: + enabled: true + ## Used to create an Ingress record. + hosts: [] + ## Useful in controllers where ImplementationSpecific is considered as a Regex Match and, not a Prefix match + pathType: ImplementationSpecific + routerPath: / + artifactoryPath: /artifactory/ + rtfsPath: /artifactory/service/rtfs/ + className: "" + annotations: {} + # nginx.ingress.kubernetes.io/configuration-snippet: | + # proxy_pass_header Server; + # proxy_set_header X-JFrog-Override-Base-Url https://; + # kubernetes.io/tls-acme: "true" + # nginx.ingress.kubernetes.io/proxy-body-size: "0" + labels: {} + # traffic-type: external + # traffic-type: internal + tls: [] + ## Secrets must be manually created in the namespace. + # - secretName: chart-example-tls + # hosts: + # - artifactory.domain.example + + ## Additional ingress rules + additionalRules: [] + ## This is an experimental feature, enabling this feature will route all traffic through the Router. + disableRouterBypass: false +## Allows to add custom ingress +customIngress: "" +## There is a need to separate HTTP1.1 traffic from gRPC (HTTP2) to benefit +## 1. Use the Nginx keepalive for HTTP1.1 +## 2. Keep gRPC over the HTTP2 connections only +ingressGrpc: + enabled: false + name: grpc + defaultBackend: + enabled: true + ## Used to create an Ingress record. + hosts: [] + ## Useful in controllers where ImplementationSpecific is considered as a Regex Match and, not a Prefix match + pathType: ImplementationSpecific + grpcPath: /com.jfrog + className: "" + ## For supporting GRPC protocol traffic sent to the backend it is necessary to change the backend protocol + ## Example: nginx.ingress.kubernetes.io/backend-protocol: GRPCS + annotations: {} + # nginx.ingress.kubernetes.io/configuration-snippet: | + # proxy_pass_header Server; + # proxy_set_header X-JFrog-Override-Base-Url https://; + # kubernetes.io/tls-acme: "true" + # nginx.ingress.kubernetes.io/proxy-body-size: "0" + labels: {} + # traffic-type: external + # traffic-type: internal + tls: [] + ## Secrets must be manually created in the namespace. + # - secretName: chart-example-tls + # hosts: + # - artifactory.domain.example + + ## Additional ingress rules + additionalRules: [] +networkpolicy: [] +## Allows all ingress and egress +# - name: artifactory +# podSelector: +# matchLabels: +# app: artifactory +# egress: +# - {} +# ingress: +# - {} +## Uncomment to allow only artifactory pods to communicate with postgresql (if postgresql.enabled is true) +# - name: postgresql +# podSelector: +# matchLabels: +# app: postgresql +# ingress: +# - from: +# - podSelector: +# matchLabels: +# app: artifactory + +## Apply horizontal pod auto scaling on artifactory pods +## Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 70 +## You can use a pre-existing secret with keys license_token and iam_role by specifying licenseConfigSecretName +## Example : Create a generic secret using `kubectl create secret generic --from-literal=license_token=${TOKEN} --from-literal=iam_role=${ROLE_ARN}` +aws: + license: + enabled: false + licenseConfigSecretName: + region: us-east-1 +## Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL +## The following router settings are to configure only when splitServicesToContainers set to true +router: + name: router + image: + registry: releases-docker.jfrog.io + repository: jfrog/router + tag: 7.149.0 + pullPolicy: IfNotPresent + serviceRegistry: + ## Service registry (Access) TLS verification skipped if enabled + insecure: false + internalPort: 8082 + externalPort: 8082 + tlsEnabled: false + ## Extra environment variables that can be used to tune router to your needs. + ## Uncomment and set value as needed + extraEnvironmentVariables: + # - name: MY_ENV_VAR + # value: "" + resources: {} + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "1" + + ## Add lifecycle hooks for router container + lifecycle: + ## From Artifactory versions 7.52.x, Wait for Artifactory to complete any open uploads or downloads before terminating + preStop: + exec: + command: ["sh", "-c", "while [[ $(curl --fail --silent --connect-timeout 2 http://localhost:8081/artifactory/api/v1/system/liveness) =~ OK ]]; do echo Artifactory is still alive; sleep 2; done"] + # postStart: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} {{ include "artifactory.scheme" . }}://localhost:{{ .Values.router.internalPort }}/router/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare " prepended. + unifiedSecretPrependReleaseName: true + ## For HA installation, set this value > 1. This is only supported in Artifactory 7.25.x (appVersions) and above. + replicaCount: 1 + # minAvailable: 1 + + ## Note that by default we use appVersion to get image tag/version + image: + registry: releases-docker.jfrog.io + repository: jfrog/artifactory-pro + # tag: + pullPolicy: IfNotPresent + labels: {} + updateStrategy: + type: RollingUpdate + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + schedulerName: + ## Create a priority class for the Artifactory pod or use an existing one + ## NOTE - Maximum allowed value of a user defined priority is 1000000000 + priorityClass: + create: false + value: 1000000000 + ## Override default name + # name: + ## Use an existing priority class + # existingPriorityClass: + ## Spread Artifactory pods evenly across your nodes or some other topology + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: '{{ template "artifactory.name" . }}' + # role: '{{ template "artifactory.name" . }}' + # release: "{{ .Release.Name }}" + + ## Delete the db.properties file in ARTIFACTORY_HOME/etc/db.properties + deleteDBPropertiesOnStartup: true + ## certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory + customCertificates: + enabled: false + # certificateSecretName: + database: + maxOpenConnections: 80 + tomcat: + maintenanceConnector: + port: 8091 + connector: + maxThreads: 200 + sendReasonPhrase: false + extraConfig: 'acceptCount="400"' + ## Support for metrics is only available for Artifactory 7.7.x (appVersions) and above. + ## To enable set `.Values.artifactory.metrics.enabled` to `true` + ## Note : Depricated openMetrics as part of 7.87.x and renamed to `metrics` + ## Refer - https://www.jfrog.com/confluence/display/JFROG/Open+Metrics + metrics: + enabled: false + ## Settings for pushing metrics to Insight - enable filebeat to true + filebeat: + enabled: false + log: + enabled: false + ## Log level for filebeat. Possible values: debug, info, warning, or error. + level: "info" + ## Elasticsearch details for filebeat to connect + elasticsearch: + url: "Elasticsearch url where JFrog Insight is installed For example, http://:8082" + username: "" + password: "" + ## Support for Cold Artifact Storage + ## set 'coldStorage.enabled' to 'true' only for Artifactory instance that you are designating as the Cold instance + ## Refer - https://jfrog.com/help/r/jfrog-platform-administration-documentation/setting-up-cold-artifact-storage + coldStorage: + enabled: false + ## Support for workers + ## set 'worker.enabled' to 'true' to enable artifactory addon that executes workers on artifactory events + worker: + enabled: false + ## Set servicePrependReleaseName to true to prepend service release name in statefulset + servicePrependReleaseName: false + ## This directory is intended for use with NFS eventual configuration for HA + haDataDir: + enabled: false + path: + haBackupDir: + enabled: false + path: + ## Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup + ## Note : From 107.46.x chart versions, copyOnEveryStartup is not needed for binarystore.xml, it is always copied via initContainers + copyOnEveryStartup: + ## Absolute path + # - source: /artifactory_bootstrap/artifactory.lic + ## Relative to ARTIFACTORY_HOME/ + # target: etc/artifactory/ + + ## Sidecar containers for tailing Artifactory logs + loggers: [] + # - access-audit.log + # - access-request.log + # - access-security-audit.log + # - access-service.log + # - artifactory-access.log + # - artifactory-event.log + # - artifactory-import-export.log + # - artifactory-request.log + # - artifactory-service.log + # - frontend-request.log + # - frontend-service.log + # - metadata-request.log + # - metadata-service.log + # - router-request.log + # - router-service.log + # - router-traefik.log + # - derby.log + + ## Loggers containers resources + loggersResources: {} + # requests: + # memory: "10Mi" + # cpu: "10m" + # limits: + # memory: "100Mi" + # cpu: "50m" + + ## Sidecar containers for tailing Tomcat (catalina) logs + catalinaLoggers: [] + # - tomcat-catalina.log + # - tomcat-localhost.log + + ## Tomcat (catalina) loggers resources + catalinaLoggersResources: {} + # requests: + # memory: "10Mi" + # cpu: "10m" + # limits: + # memory: "100Mi" + # cpu: "50m" + + ## Migration support from 6.x to 7.x + migration: + enabled: false + timeoutSeconds: 3600 + ## Extra pre-start command in migration Init Container to install JDBC driver for MySql/MariaDb/Oracle + # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://repo1.maven.org/maven2/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" + ## Add custom init containers execution before predefined init containers + customInitContainersBegin: | + # - name: "custom-setup" + # image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: artifactory-volume + ## Add custom init containers execution after predefined init containers + customInitContainers: | + # - name: "custom-systemyaml-setup" + # image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'curl -o {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml https:///systemyaml' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: artifactory-volume + ## Add custom sidecar containers + ## - The provided example uses a custom volume (customVolumes) + customSidecarContainers: | + # - name: "sidecar-list-etc" + # image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'sh /scripts/script.sh' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: artifactory-volume + # - mountPath: "/scripts/script.sh" + # name: custom-script + # subPath: script.sh + # resources: + # requests: + # memory: "32Mi" + # cpu: "50m" + # limits: + # memory: "128Mi" + # cpu: "100m" + ## Add custom volumes + ## If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret' + customVolumes: | + # - name: custom-script + # configMap: + # name: custom-script + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: "/scripts/script.sh" + # subPath: script.sh + # - name: posthook-start + # mountPath: "/scripts/posthoook-start.sh" + # subPath: posthoook-start.sh + # - name: prehook-start + # mountPath: "/scripts/prehook-start.sh" + # subPath: prehook-start.sh + ## Add custom persistent volume mounts - Available to the entire namespace + customPersistentVolumeClaim: {} + # name: + # mountPath: + # accessModes: + # - "-" + # size: + # storageClassName: + + ## Artifactory license. + license: + ## licenseKey is the license key in plain text. Use either this or the license.secret setting + licenseKey: + ## If artifactory.license.secret is passed, it will be mounted as + ## ARTIFACTORY_HOME/etc/artifactory.lic and loaded at run time. + secret: + ## The dataKey should be the name of the secret data key created. + dataKey: + ## Create configMap with artifactory.config.import.xml and security.import.xml and pass name of configMap in following parameter + configMapName: + ## Add any list of configmaps to Artifactory + configMaps: | + # posthook-start.sh: |- + # echo "This is a post start script" + # posthook-end.sh: |- + # echo "This is a post end script" + ## List of secrets for Artifactory user plugins. + ## One Secret per plugin's files. + userPluginSecrets: + # - archive-old-artifacts + # - build-cleanup + # - webhook + # - '{{ template "my-chart.fullname" . }}' + + ## Artifactory requires a unique master key. + ## You can generate one with the command: "openssl rand -hex 32" + ## An initial one is auto generated by Artifactory on first startup. + # masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + ## Alternatively, you can use a pre-existing secret with a key called master-key by specifying masterKeySecretName + # masterKeySecretName: + + ## Join Key to connect other services to Artifactory + ## IMPORTANT: Setting this value overrides the existing joinKey + ## IMPORTANT: You should NOT use the example joinKey for a production deployment! + # joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + ## Alternatively, you can use a pre-existing secret with a key called join-key by specifying joinKeySecretName + # joinKeySecretName: + + ## Registration Token for JFConnect + # jfConnectToken: + ## Alternatively, you can use a pre-existing secret with a key called jfconnect-token by specifying jfConnectTokenSecretName + # jfConnectTokenSecretName: + + ## Add custom secrets - secret per file + ## If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret' common to all secrets + customSecrets: + # - name: custom-secret + # key: custom-secret.yaml + # data: > + # custom_secret_config: + # parameter1: value1 + # parameter2: value2 + # - name: custom-secret2 + # key: custom-secret2.config + # data: | + # here the custom secret 2 config + + ## If false, all service console logs will not redirect to a common console.log + consoleLog: false + ## admin allows to set the password for the default admin user. + ## See: https://www.jfrog.com/confluence/display/JFROG/Users+and+Groups#UsersandGroups-RecreatingtheDefaultAdminUserrecreate + admin: + ip: "127.0.0.1" + username: "admin" + password: + secret: + dataKey: + ## Extra pre-start command to install JDBC driver for MySql/MariaDb/Oracle + # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://repo1.maven.org/maven2/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" + + ## Add lifecycle hooks for artifactory container + lifecycle: {} + # postStart: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] + # preStop: + # exec: + # command: ["/bin/sh","-c","echo Hello from the preStop handler"] + + ## Extra environment variables that can be used to tune Artifactory to your needs. + ## Uncomment and set value as needed + extraEnvironmentVariables: + # - name: SERVER_XML_ARTIFACTORY_PORT + # value: "8081" + # - name: SERVER_XML_ARTIFACTORY_MAX_THREADS + # value: "200" + # - name: SERVER_XML_ACCESS_MAX_THREADS + # value: "50" + # - name: SERVER_XML_ARTIFACTORY_EXTRA_CONFIG + # value: "" + # - name: SERVER_XML_ACCESS_EXTRA_CONFIG + # value: "" + # - name: SERVER_XML_EXTRA_CONNECTOR + # value: "" + # - name: DB_POOL_MAX_ACTIVE + # value: "100" + # - name: DB_POOL_MAX_IDLE + # value: "10" + # - name: MY_SECRET_ENV_VAR + # valueFrom: + # secretKeyRef: + # name: my-secret-name + # key: my-secret-key + + ## System YAML entries now reside under files/system.yaml. + ## You can provide the specific values that you want to add or override under 'artifactory.extraSystemYaml'. + ## For example: + ## extraSystemYaml: + ## shared: + ## node: + ## id: my-instance + ## The entries provided under 'artifactory.extraSystemYaml' are merged with files/system.yaml to create the final system.yaml. + ## If you have already provided system.yaml under, 'artifactory.systemYaml', the values in that entry take precedence over files/system.yaml + ## You can modify specific entries with your own value under `artifactory.extraSystemYaml`, The values under extraSystemYaml overrides the values under 'artifactory.systemYaml' and files/system.yaml + extraSystemYaml: {} + ## systemYaml is intentionally commented and the previous content has been moved under files/system.yaml. + ## You have to add the all entries of the system.yaml file here, and it overrides the values in files/system.yaml. + # systemYaml: + annotations: {} + service: + name: artifactory + type: ClusterIP + ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific) + ## This can be either SingleStack, PreferDualStack or RequireDualStack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilyPolicy: "" + ## @param service.ipFamilies Controller Service ipFamilies (optional, cloud specific) + ## This can be either ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilies: [] + ## For supporting whitelist on the Artifactory service (useful if setting service.type=LoadBalancer) + ## Set this to a list of IP CIDR ranges + ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] + ## or pass from helm command line + ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' + loadBalancerSourceRanges: [] + annotations: {} + ## If the type is NodePort you can set a fixed port + # nodePort: 32082 + serviceGrpc: + name: grpc + type: ClusterIP + ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific) + ## This can be either SingleStack, PreferDualStack or RequireDualStack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilyPolicy: "" + ## @param service.ipFamilies Controller Service ipFamilies (optional, cloud specific) + ## This can be either ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilies: [] + ## For supporting whitelist on the Artifactory service (useful if setting service.type=LoadBalancer) + ## Set this to a list of IP CIDR ranges + ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] + ## or pass from helm command line + ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' + loadBalancerSourceRanges: [] + annotations: {} + ## If the type is NodePort you can set a fixed port + # nodePort: 32082 + statefulset: + annotations: {} + ## IMPORTANT: If overriding artifactory.internalPort: + ## DO NOT use port lower than 1024 as Artifactory runs as non-root and cannot bind to ports lower than 1024! + externalPort: 8082 + internalPort: 8082 + externalArtifactoryPort: 8081 + internalArtifactoryPort: 8081 + terminationGracePeriodSeconds: 30 + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param artifactory.podSecurityContext.enabled Enable security context + ## @param artifactory.podSecurityContext.runAsNonRoot Set pod's Security Context runAsNonRoot + ## @param artifactory.podSecurityContext.runAsUser User ID for the pod + ## @param artifactory.podSecurityContext.runASGroup Group ID for the pod + ## @param artifactory.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + runAsNonRoot: true + runAsUser: 1030 + runAsGroup: 1030 + fsGroup: 1030 + # fsGroupChangePolicy: "Always" + # seLinuxOptions: {} + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.artifactory.tomcat.maintenanceConnector.port }}/artifactory/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare "", + # "private_key_id": "?????", + # "private_key": "-----BEGIN PRIVATE KEY-----\n????????==\n-----END PRIVATE KEY-----\n", + # "client_email": "???@j.iam.gserviceaccount.com", + # "client_id": "???????", + # "auth_uri": "https://accounts.google.com/o/oauth2/auth", + # "token_uri": "https://oauth2.googleapis.com/token", + # "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + # "client_x509_cert_url": "https://www.googleapis.com/robot/v1....." + # } + endpoint: commondatastorage.googleapis.com + httpsOnly: false + ## Set a unique bucket name + bucketName: "artifactory-gcp" + ## GCP Bucket Authentication with Identity and Credential is deprecated. + ## identity: + ## credential: + path: "artifactory/filestore" + bucketExists: false + useInstanceCredentials: false + enableSignedUrlRedirect: false + # signedUrlExpirySeconds: 30 + ## For artifactory.persistence.type aws-s3-v3, s3-storage-v3-direct, cluster-s3-storage-v3, s3-storage-v3-archive + awsS3V3: + testConnection: false + identity: + credential: + region: + bucketName: artifactory-aws + path: artifactory/filestore + endpoint: + port: + useHttp: + maxConnections: 50 + connectionTimeout: + socketTimeout: + kmsServerSideEncryptionKeyId: + kmsKeyRegion: + kmsCryptoMode: + useInstanceCredentials: true + usePresigning: false + signatureExpirySeconds: 300 + signedUrlExpirySeconds: 30 + cloudFrontDomainName: + cloudFrontKeyPairId: + cloudFrontPrivateKey: + enableSignedUrlRedirect: false + enablePathStyleAccess: false + multiPartLimit: + multipartElementSize: + ## For artifactory.persistence.type azure-blob, azure-blob-storage-direct, cluster-azure-blob-storage, azure-blob-storage-v2-direct + azureBlob: + accountName: + accountKey: + endpoint: + containerName: + multiPartLimit: 100000000 + multipartElementSize: 50000000 + testConnection: false + ## artifactory data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClassName: "-" + ## Annotations for the Persistent Volume Claim + annotations: {} + ## Uncomment the following resources definitions or pass them from command line + ## to control the cpu and memory resources allocated by the Kubernetes cluster + resources: {} + # requests: + # memory: "1Gi" + # cpu: "500m" + # limits: + # memory: "2Gi" + # cpu: "1" + ## The following Java options are passed to the java process running Artifactory. + ## You should set them according to the resources set above + javaOpts: + # xms: "1g" + # xmx: "2g" + jmx: + enabled: false + port: 9010 + host: + ssl: false + ## When authenticate is true, accessFile and passwordFile are required + authenticate: false + accessFile: + passwordFile: + # corePoolSize: 24 + # other: "" + nodeSelector: {} + tolerations: [] + affinity: {} + ## Only used if "affinity" is empty + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "soft" + topologyKey: "kubernetes.io/hostname" + ssh: + enabled: false + internalPort: 1339 + externalPort: 1339 +frontend: + name: frontend + enabled: true + internalPort: 8070 + ## Extra environment variables that can be used to tune frontend to your needs. + ## Uncomment and set value as needed + extraEnvironmentVariables: + # - name: MY_ENV_VAR + # value: "" + resources: {} + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "1" + + ## Add lifecycle hooks for frontend container + lifecycle: {} + # postStart: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] + # preStop: + # exec: + # command: ["/bin/sh","-c","echo Hello from the preStop handler"] + + ## Session settings + session: + ## Time in minutes after which the frontend token will need to be refreshed + timeoutMinutes: '30' + ## The following settings are to configure the frequency of the liveness and startup probes when splitServicesToContainers set to true + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.frontend.internalPort }}/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare " --cert=ca.crt --key=ca.private.key` + # customCertificatesSecretName: + + ## When resetAccessCAKeys is true, Access will regenerate the CA certificate and matching private key + # resetAccessCAKeys: false + database: + maxOpenConnections: 80 + tomcat: + connector: + maxThreads: 50 + sendReasonPhrase: false + extraConfig: 'acceptCount="100"' + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:8040/access/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare " --cert=tls.crt --key=tls.key` + # customCertificatesSecretName: + + ## The following settings are to configure the frequency of the liveness and startup probes when splitServicesToContainers set to true + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.jfconnect.internalPort }}/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare " /var/opt/jfrog/nginx/message"] + # preStop: + # exec: + # command: ["/bin/sh","-c","nginx -s quit; while killall -0 nginx; do sleep 1; done"] + + ## Sidecar containers for tailing Nginx logs + loggers: [] + # - access.log + # - error.log + + ## Loggers containers resources + loggersResources: {} + # requests: + # memory: "64Mi" + # cpu: "25m" + # limits: + # memory: "128Mi" + # cpu: "50m" + + ## Logs options + logs: + stderr: false + stdout: false + level: warn + ## A list of custom ports to expose on the NGINX pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: [] + # - containerPort: 8066 + # name: docker + + ## The nginx main conf was moved to files/nginx-main-conf.yaml. This key is commented out to keep support for the old configuration + # mainConf: | + + ## The nginx artifactory conf was moved to files/nginx-artifactory-conf.yaml. This key is commented out to keep support for the old configuration + # artifactoryConf: | + customInitContainers: "" + customSidecarContainers: "" + customVolumes: "" + customVolumeMounts: "" + customCommand: + ## allows overwriting the command for the nginx container. + ## defaults to [ 'nginx', '-g', 'daemon off;' ] + + service: + ## For minikube, set this to NodePort, elsewhere use LoadBalancer + type: LoadBalancer + ssloffload: false + ## @param service.ssloffloadForceHttps Only enabled when service.ssloffload is set to True. + ## Force all requests from NGINX to the upstream server are over HTTPS, even when SSL offloading is enabled. + ## This is useful in environments where internal traffic must remain secure with https only. + ssloffloadForceHttps: false + ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific) + ## This can be either SingleStack, PreferDualStack or RequireDualStack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilyPolicy: "" + ## @param service.ipFamilies Controller Service ipFamilies (optional, cloud specific) + ## This can be either ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilies: [] + ## For supporting whitelist on the Nginx LoadBalancer service + ## Set this to a list of IP CIDR ranges + ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] + ## or pass from helm command line + ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' + loadBalancerSourceRanges: [] + annotations: {} + ## Provide static ip address + loadBalancerIP: + ## There are two available options: "Cluster" (default) and "Local". + externalTrafficPolicy: Cluster + ## If the type is NodePort you can set a fixed port + # nodePort: 32082 + ## A list of custom ports to be exposed on nginx service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: [] + # - port: 8066 + # targetPort: 8066 + # protocol: TCP + # name: docker + ## Renamed nginx internalPort 80,443 to 8080,8443 to support openshift + http: + enabled: true + externalPort: 80 + internalPort: 8080 + https: + enabled: true + externalPort: 443 + internalPort: 8443 + ssh: + internalPort: 1339 + externalPort: 1339 + ## DEPRECATED: The following will be removed in a future release + # externalPortHttp: 8080 + # internalPortHttp: 8080 + # externalPortHttps: 8443 + # internalPortHttps: 8443 + + ## The following settings are to configure the frequency of the liveness and readiness probes. + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} {{ include "nginx.scheme" . }}://localhost:{{ include "nginx.port" . }}/ + initialDelaySeconds: {{ if semverCompare " + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClassName: "-" + resources: {} + # requests: + # memory: "250Mi" + # cpu: "100m" + # limits: + # memory: "250Mi" + # cpu: "500m" + nodeSelector: {} + tolerations: [] + affinity: {} +## Database configurations +## Use the wait-for-db init container. Set to false to skip +waitForDatabase: true +## Configuration values for the PostgreSQL dependency sub-chart +## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md +postgresql: + enabled: true + image: + registry: releases-docker.jfrog.io + repository: bitnami/postgresql + tag: 15.6.0-debian-11-r16 + postgresqlUsername: artifactory + postgresqlPassword: "" + postgresqlDatabase: artifactory + postgresqlExtendedConf: + listenAddresses: "*" + maxConnections: "1500" + persistence: + enabled: true + size: 200Gi + # existingClaim: + service: + port: 5432 + primary: + nodeSelector: {} + affinity: {} + tolerations: [] + readReplicas: + nodeSelector: {} + affinity: {} + tolerations: [] + resources: {} + securityContext: + enabled: true + containerSecurityContext: + enabled: true + # requests: + # memory: "512Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "500m" +## If NOT using the PostgreSQL in this chart (postgresql.enabled=false), +## specify custom database details here or leave empty and Artifactory will use embedded derby +database: + ## To run Artifactory with any database other than PostgreSQL allowNonPostgresql set to true. + allowNonPostgresql: false + type: + driver: + ## If you set the url, leave host and port empty + url: + ## If you would like this chart to create the secret containing the db + ## password, use these values + user: + password: + ## If you have existing Kubernetes secrets containing db credentials, use + ## these values + secrets: {} + # user: + # name: "rds-artifactory" + # key: "db-user" + # password: + # name: "rds-artifactory" + # key: "db-password" + # url: + # name: "rds-artifactory" + # key: "db-url" +## Filebeat Sidecar container +## The provided filebeat configuration is for Artifactory logs. It assumes you have a logstash installed and configured properly. +filebeat: + enabled: false + name: artifactory-filebeat + image: + repository: "docker.elastic.co/beats/filebeat" + version: 7.16.2 + logstashUrl: "logstash:5044" + livenessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + curl --fail 127.0.0.1:5066 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + filebeat test output + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + resources: {} + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "100Mi" + # cpu: "100m" + + filebeatYml: | + logging.level: info + path.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat + name: artifactory-filebeat + queue.spool: + file: + permissions: 0760 + filebeat.inputs: + - type: log + enabled: true + close_eof: ${CLOSE:false} + paths: + - {{ .Values.artifactory.persistence.mountPath }}/log/*.log + fields: + service: "jfrt" + log_type: "artifactory" + output: + logstash: + hosts: ["{{ .Values.filebeat.logstashUrl }}"] + extraEnvironmentVariables: {} + # - name: MY_ENV_VAR + # value: "s" +## RTFS deployment +rtfs: + name: rtfs + enabled: false + image: + registry: releases-docker.jfrog.io + repository: jfrog/artifactory-federation + pullPolicy: IfNotPresent + tag: 1.4.18 + jfrogUrl: "" + replicaCount: 1 + internalRestPort: 8025 + apiContext: artifactory/service/rtfs + database: + type: "postgresql" + driver: "org.postgresql.Driver" + url: "" + username: "" + password: "" + persistence: + mountPath: "/var/opt/jfrog/federation" + federationProperties: {} + ## @param federationProperties Configuration to be added to the config map, overriding Spring configuration. + ## @param customFederationPropertiesConfig Specifies the name of a custom configMap to use instead of the default one. + ## The name of the custom configMap will be initialized from the value of customFederationPropertiesConfig. + # customFederationPropertiesConfig: + javaOpts: "" + service: + type: ClusterIP + restPort: 8025 + grpcPort: 8026 + ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer` + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalIPs Set the ExternalIPs + ## + externalIPs: [] + ## @param service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.loadBalancerIP Set the LoadBalancerIP + ## + loadBalancerIP: "" + ## @param service.labels Service labels. Evaluated as a template + labels: {} + ## @param service.annotations Service annotations. Evaluated as a template + ## Example: + ## annotations: + ## service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + annotations: {} + livenessProbe: + enabled: true + config: | + httpGet: + path: /{{ .Values.rtfs.apiContext }}/api/v1/system/liveness + port: {{ .Values.rtfs.internalRestPort }} + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: {{ .Values.probes.timeoutSeconds }} + failureThreshold: 5 + successThreshold: 1 + readinessProbe: + enabled: true + config: | + httpGet: + path: /router/api/v1/system/readiness + port: {{ .Values.router.internalPort }} + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: {{ .Values.probes.timeoutSeconds }} + failureThreshold: 30 + successThreshold: 1 + startupProbe: + enabled: true + config: | + httpGet: + path: /{{ .Values.rtfs.apiContext }}/api/v1/system/readiness + port: {{ .Values.rtfs.internalRestPort }} + scheme: HTTP + initialDelaySeconds: 120 + periodSeconds: 5 + timeoutSeconds: {{ .Values.probes.timeoutSeconds }} + failureThreshold: 30 + successThreshold: 1 + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # Add lifecycle hooks for observability container + lifecycle: {} + # postStart: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] + # preStop: + # exec: + # command: ["/bin/sh","-c","echo Hello from the preStop handler"] + + fullnameOverride: "" + annotations: {} + deployment: + annotations: {} + labels: {} + podSecurityContext: + enabled: true + runAsNonRoot: true + runAsUser: 1030 + runAsGroup: 1030 + fsGroup: 1030 + containerSecurityContext: + enabled: true + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + nodeSelector: {} + tolerations: [] + affinity: {} + customInitContainers: "" + customSidecarContainers: "" + customVolumes: "" + customVolumeMounts: "" + ## @param extraEnvironmentVariables that can be used to tune PDN Server to your needs. + ## Example: + ## extraEnvironmentVariables: + ## - name: MY_ENV_VAR + ## value: "" + extraEnvironmentVariables: [] +## Allows to add additional kubernetes resources +## Use --- as a separator between multiple resources +## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/helm/artifactory-values.yaml +additionalResources: "" +## Adding entries to a Pod's /etc/hosts file +## For an example, refer - https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases +hostAliases: [] +# - ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" +# - ip: "10.1.2.3" +# hostnames: +# - "foo.remote" +# - "bar.remote" + +## Toggling this feature is seamless and requires helm upgrade +## will enable all microservices to run in different containers in a single pod (by default it is true) +splitServicesToContainers: true +## Specify common probes parameters +probes: + timeoutSeconds: 5 diff --git a/charts/jfrog/artifactory-jcr/107.104.6/ci/default-values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/ci/default-values.yaml new file mode 100644 index 000000000..86355d3b3 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/ci/default-values.yaml @@ -0,0 +1,7 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +artifactory: + databaseUpgradeReady: true + + # To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release + postgresql: + postgresqlPassword: password diff --git a/charts/jfrog/artifactory-jcr/107.104.6/logo/jcr-logo.png b/charts/jfrog/artifactory-jcr/107.104.6/logo/jcr-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..b1e312e3219a8e0bb1831976646260683f6d447f GIT binary patch literal 77047 zcmeEu_dk~X`+r?gTzW)GLWLyCDzdV!$V%CftRh(%8QFA|C@Lx=TSl^FD=V`1i0r-h z-h7Yqy67IC_YdDc;Qrx$+~ho8<2a7jF`mcsb-t39l|)mc_wCzL zs`565gP#7J>&Y8Lu3FJ6p9={MZ@eR6rhE4C!NbP$dGEU&>Y}ow18#oyFE-O$^Ej#a zIoPST+d*ihWFoLSIITrr$areGmfvB=MSEQYMLNV#bdH_QO(yuxq5tvDPxF?443B>s`;+je`Kx0S|C}24x2Gp-ssFtu_=9)$ z)06Cvbx!}E^%9Yh6{{WiA2X9vk`*(`CLH+N-u9NR!)N?IX2$fRbh3ZGvi_Gqke4ur z_0j)hW+@HKVSm1_NA|}3+bUl6CH!5gdr!O~dD%zK)UyA7{Oxiu_y3rg?(zQ18vQ@7 z{tuDRxuqT48~1NB|EG-qBdhn+7?qAF~AJ`dvxwKNe^mp3t3HJu{1{d1oBcne#Ph{(@7VP>lflE&Rc zb1gESXO0A@mKTV!Ke@G3mrv!VH&<62$3b);$E@_1Tx|~b>*?ZO1*8n<0nKk_wd-Om zV)rOTOQm9ZQjlSB8EYjQog2%_;n6Uhe2zu|n6Oc&+%()xJs152CU*Uve^~(mqlB72V6w zFZW+D(1r4+uz_jsb5abtM$OHX5GgU|4bPdt0WV;2DrXcUpWcn)@hl_Cu6peeSI zD!x^}{k2annZs_qPpy?Se%tQRr#o?_G^w@Twr&FbTaVi;BYC#08@ko{YOUTS$rhjA zOU*{}pPo$Gc-VanCmRnoGV-i9?y7a|{C!Q&s;W{}cO-pk`l~qKUE}qB4ImDc zY9cvqFc)G+if^~t@6L5s_6Tv0wDb*dR2!s6O?DG4#`A4uUO1qwvD#aXre*CG=wKS& z&Tv}Q-doglu&$TqJLC~F2)}|_O0@3#yiIRn=e(WQcOg2j!Zeq+3?){!Jy^k?T#-u6K?t9F(bxlxRb)My&B|?7Lw};vI zvHNf9ckx@#8hg?vw=Xt$w7+;Wg*3dH2kiDC#CaNvXsNN01W~r5GMr z|8;COP$5WoyQ|3E^rP+L>NfAM{^IxQzgV6L;O>8ZJGrJqC^2bB{$dun_|e_NKol&B zIc$TbD?khaYd~lewCtv@k^jBFWaFX6>HJG~{AR^t2;Q=oZ@Fscr}S>mF8!J<*Q~qu z<_WD{FW&QFhC$x}L7argU`)(2)OVUpxz4+Dl@XH3G&`OHrL@jcbS5Z&l~B97^iM8# z*XASg(u#ELj&%xNxwTh9)(Ze;HM5x;gh(WnBPGw-a>=hw>&|Q;_b(9{^`eL~s4ntR z)yMWP2fMYG#{2Wqf&>Cn3#_U4U@-CEFqDKvLNmp0xgvCaShEbz z>Y&t)j%wSLIyEJ4n=j4yPX~20HguNUDz5sIVZ1*E@SlFX9-?h2|3d6%Cooz!eb&RL zH$EhsyD)xE{y28qwSnWjH)1Z-Js9UTzxfrz4!C7n`@?I4en$hCg2EuZ6mOV z7TFJ72MTQ>sXuvgrLoA}?KMAd&Tr8w0*eb|rspViChA%WvZl&EKbj#@mfKyr)K@rX zB_ATMAe$e3R#+RUE@^5ja*n8v>RnE?~ih$&<15L7}3#V?Cg(4KMA1bh+Jo^L^zGFzs#{Y-R1Y*M4M{w z<(uHpIE9=%m_TtFuPl9hd-x4<4fw!N`+J2^=pTM%oa`C)I)V3^ZF z_=lS$82u#r)T5-+--nvq^)+3j#ly;EpqRh?PT=UH!A$d_dIjyfOyDKZ^ zXmFW6?dxZeBcntzY1XNkGsi(%eX_-7(D1_RGd|a!7G6fFzTFy|@fXao>IpV)DpfM; z)55!0BC?lvz)a=_X|BSm8_&siq>n71UGnwY>vfZ6w|w_u6NnC<*(&y@6yh{nNnftb zyfUTPEV`#BPtX$^*QX<(r=J((d+w@gF0?)8a^IL#SBW@bP0klx=zUqlS$B*po|N^K zW!A&yy)7RD*Cl&yU<9Y5aE!5J)$7y0jS^EQI0ZOv9@oNKp;MIXDM&;Jjq2SO!#+{jT{a6^qTFL9G;Eu zml^iF%Ob$tt(F2axL}n;k|2^kpQu-N1P;`+R-S{39ky*Z#Pa>Esi%X# z;UZp87*?>UI}h9WU={Mz*r}zU9`!ZF?DSe=qk9?zMCa&dXA>qKPM&OSX}cRJ()AfFQBif>tJuR-Ft24IP@Zj zkg4lguxNLcJUH7BJ;ce6ojkuE#YmP7X$^Rxj3?=fMk|9g_%-gs`hYSOdFU(Y;mk-7 z6b;S&Ok|h|<%uGo9Q+2SUl#i#(uFKEB{#=ZQ)1b(5)nV*BL3m*bqR`AO15p*b`Wdh zv)mtf9uvNZqMxJHUho=TF4cV^xqV~T>dO7V>eLsa@4^^9x5D$%oLXv$No!7Nt+SX5 zfdir=I!tX{+ffzP)7ASmPEUYr^doLQvQgxy_&@E2ql4WfIc3nk(l_3t%{}dS4f%T| zdwo_!U6ZA$_BS)xZJT@vDg1ncvJlz6U*M*L>5j|Y+xq0Ylh&KR?W^yzRiwTjWWXnZ zc!akd^EO_OnY-DwW$<$O8-ReVCbl|$wP;0dCct^K{3VXB1zkwnLwOhdWh z<#hCJ7IYSrAkH`D2Cf%-41LN(V1CU_gfu>%&P26+97J3wO|X7DczZHeJ6Sko(A9yr zV9&mzp#JiICM}PG-6+zfEEv=TRXIDT{c2;%sb6A&22aY z4eCNWtIT6n0AAENb|>FuTglRNN?<y82rX zUwD7y2E*@dlm;`8g0ig#-yGwpXrah30%NZ~fCRU#t@libgWd|sI=Y)_1VC3z&l!zI z=GUY&Ffu!t)Au~SY)h4tT`%tiG8#p8R7Bmv!c3Q=tx2oRM=j}Hvtj-Q+8>Rg2J^#E z6OP|K;+(xss``3c;Yo7DZNwzHNd$#AK2v0nG-U^=9D^OfIUvJ=tv!?GxsIIN->umb zh{O1DHGaiE`7VeZvdd{uX>OO&fH2=l@F2)L@&{pWRQ1*{F}9It(xj7W`ek#${A))I z9vVV;#Dm4WYEUM|l%`8zl(|M&jbm2}`|$uA_7r;3@b_GMKNEp@NuEwCHTb3DCxy2o zUa7OVKIRuZK~0XEM=A`K=42Uh7A9R3?G4-CIe^O6a3ee@{uE<@VmPmHN|>ruZFI8a z$Zz#MCl&+E#t>9_GW_mMf$c(fXlriT7I-v$_GN1KW?V*s1Vq=* z%C}mKhEQ;5+_ifs=>Jm!IWdhSoA&L=CuTxUSG+5^gx?c33QSj;#2Bfc#7`JJGFzPp zj|d0ydM=nVKDJ1@%L(9a%nKl zh+c{U#F_A16lvWzQ>YUHgxr{S7sp%x``NS%N5M*ik^J^DR7DV#eOAboXJGL!HNt1g zn~)^2yEG)G)68Kn8SL!<;h6=k62l%F87~=+xY96bk*`H3_rX+jLa4s{;F(0nF@uhG zR;SsNceA%BEjU=~7ZmCCqmGg!@MkZEj;VegsZ_!xIkOo^SUtjvhI8Y&dP#2-Z$Ow8 zNPW8&=8a&5J`(rjirF4A(X*!xO~D4CvlY)_R5a^6}w>qs{`qZ2U{FcVJ#{n?ssw6%iWf2 zynM!SgS=G^PJp*FR)4rVXTji>94V?B(i&v8L2cO54nL15ihz^;lG)0Yy8BW)+?i;^ zrYx||6fp%~7X!Zei3RX2GQY>`i5c?1q@TUt7{Kd&MFo*2I~feme$Z}R!{uBLqX0=u58l4Vbr7eVwULOG}h#=yjW465v_=rOt>csGT;Kooz2uU z`c}JHRFn*?Eon_2y&v_C$m+z^GLy9p5b<<>MzB9poM0pfi*%D$c&FbEjz0W|7k6O= zSRT{LoI337xc0poY&2N3U}WouN?i3ajn+`HUhZkh>*{V(*<|oIv1_k4Ay{&9YkDwZ z=mt>kfyPj8O7*;pv0fpsoj@L;n?TNP?!CI|*R*9myBYD~4ai(rgw0@NC@0zlIwVb3 z={nN|Cj8%xL#7J8i%5`rBohwiciYKX#PcE}>4V_~-}=%A3X#A@Zwz-|iPbh^@5seD zVG9Ox!=V7E^6X_KEvdck7$FJ=J-vtU!x$TH0!0HQQIDt-c&xZTl)M zxofF*AiANYR){xi$A8;D7=Svcwr42fC{ET5ga=ieI64K>)9M527$OvQtHU1fT}}sz zX+cQ!#@Lp(ek-bZ?ci1;v||jtk(FDpnzuHy@SN6anuzq?WfowS!B`cAggh7!C+4~A z{J3jXdvNt)Lp@GH{5ZSInrHMfEpPdxoq=0kIO6S0AKQU6s3 z5b5)mS*hXQ{!uEotIyX+!61ySWWvx9q6Un&`xFiYF(6lcg0F#?9P*w3#A5T3tflOo!KFGi>@xOiwQ{*=Q0b8yyFTlHP6oGRJEM zlel%;W1$Ami@7gpL#nQ|YnD-9mi}>L@`v}MVo&^5C>ZJj^LjZw)-`F;D%0OJVoz8X zYi(d4*jFr42)YPOsSf3hHiGTIE30?!&5qK_w(-P8m5GMzT1p963Wb;g4fq_@dy~Tj zFC27ToQ4KS@vCA)A-T6^)sM|H*f+Rhjc8CF_E9X&eGY>2S@RUT9RSv3D>D2zaiS^A zB6NEzWCm!VIRCieE^5LIi9r%UIg;NxptL80`2amCaQZR8grCF&RiM5qFQ)Fa{5Inv zKCzpFgWn%y$#5Ri8->)v+ILsw+u6T1<2}CY*-HuQBc3a@!eeta9J{tP54Ke)a_AyV zB7~}1sVjK0`GP5@b`Htq;85Si^7;ukH8uo?M#kO1Ep;DO7h*u!(^VF5Wa#uK>A7kB zFY+mz6dfK%U&6g)eghlCw3HmHPCNFs6AwdT#=%-*!_E?t(|P9>F0a=hNRLk|j}~5K zjU1Q4#}mNpq_=xx58<^E-hmvE4|WIkqxg@VgcKcWAK4u}U&NV%PiQ3sTvp%7ShMy> zn;U+AsX(!+T0a~YwhtRh;u>>VP-Le&NxRXO5vRs-Z;Y*Jab^1pA(5N*OuHxL5uB8- z;u(@iQPFZngU4}Goa$Sk;zg_lWX_hRzwbFEWs*ETra+yiCUmD0Td$Dto zcUx~hGj6u$_2~hXW_H2hf?Mvblg6Fa5j#bv6W-cwsk(%GbE;M~aZX+K(q5Xs9h1yz zf2Emh`@8P=(5G`@x@@iQ>&@H<*keZ*8UlH*l7vw4^Raxu#g{=O<6R);5kwK>v&l1C zA(#lnF8$G~H)09ilbsY?cV{@ixuV+F9wg&(43+#!U9z@Ii1ERFfRA5HCVb87>rj_( zcUJ63*S9IolwWuz#3gFW3#H_JI+r{1&1S>h)^&?4Vs~4idY2wG{D5&Im=1efvt8O{ z*kSt%FUvm_0-X^S@@m=u?z3X8vNss(Ww6F&+O|EfTA+70VfNA1;cZ4SG<5R3{z(#fsJw(sX9oetic z#oIC===%80XXN1jeG7|(xZK|gaj^K`96wjjhK(-^*(rQ|zd(C_P=BI_q=!_~>0X5} zt@Bt>espXe{W+_JCvr3yW63iKw)Bo})5{m0LvXm3HJkSlrs}@4e$!Y|hBEUo2h=r) zc*&t|Wh{zQfK2Ipy}~FFE#Z7udV&UX+`=GA)oUYJvLKsYL)NQvb~{*8$>{APgE0fy z4hjDy`yz((yr=GRTX&3_Q|9*6exHDfY<QU~r*73(^hqiNXEqUXQBRPsBOn&yE5Z zmjsh+8v&7(SnoZ{spnkDH9vp7J4@`SPA51q3%F~3T7L;KcbNOkhll;nCSAXU(-s=R z|At5!7mW;yu2TtH+s-V;7u77~3u!xx(ruv*#OL#xYMP4>3)A`c z`%C;TV-FL%2A#{a$&4|2t_W@xG*X@iS@Md~qo)M@6hyR|Ya8n}LPxp9T3sLeUA3B& z3k|gFfQ|r(jU1`m=4%_znv(M3kl~io8p013nEEQx`i_$M-wruF62~*1K;#-j+{!am zQ&Or=hSxO>==xFhhl@xQC~U}Npl>g)eBpgHlANfH<*+B0V6r8o?0v+cU78(QVf5Hp zzV;gHiBiax09`IHnb%WDw0vIUfm!u`s<$zsXOO0dU>>mMbXap!Q;aPVQB&q-#{ny^ ztYq}QYRN$+{N8S)`Gb)f_ zBfz8L+9TA}SOiN=dm>A;Hff@CaM)VxQqo~!L9Ufrx6DZX->HZ3ICzvAob%x}1qh*C z$B6Ei0m4*U&+VmXc^*M(gu#0?1c@Z^r+#uUZjFzmG%$!K^|H4$8=5IPJyaz5!6MV} zq^t^o#LevN&!$d`K@9uwW)}`}xTXPMmi!IqDGBvCxTxhcE9jdNxZU2_v>~C5OImv* zx#g$GZtFC3Cp;(b@mzNsZPIq}0WPT%j{^nNmZlO}40`%fy`hF;q&zcT`Wu{zxc$ph z!?80AUJ`wZIg2t0Nla#Q78FzEzEKm5S*;yI;M_c8MO_E6vz~V%3GC0M^wr1B{`>_{ z=m;%6XO?P({13znq%_*6i{`z;`C~FZXcC3<)iobfl*K{O4xCHoshDVNEH|;w(neXec2e`=vOl zqy%}D?7gWUda7OmA}s!w$E#fn3l(}?o^*Hh$+)#776?BeTPpm1x| zYA6_(V=$}PlD0bcRM_t}2RuY@;?0@)9pXCm*`r<-rj6^ecfyl~>RkitAWTGPmy8*9 zpZVoSjO~ay+}@Kd(8nEbhqp{i&`d4U?^&Wj>G0URzE^Eo5Bl$lzl){Fb}r)B$({GL zKIA`Q*mUUxD&{y~+kB31R~tA?z00DX%=o-2N;_Ms|TCG z`>N4qYvb#|09P&Q`Vj{kfLwY0-JJ64ePh z=`}?5#ggDxL_b6L&=XIP3tcvB8~^@E(*qwsUFaktuB|LuWVj*ZNO zr{H`SpO_8QMzD&!!JCN`Z1mmD^!w!Hp%``jiJ23^KE5(Xt^HK#1PhXlnk4(qFSegG<|bcS9wZ192rMeT4cMd}Rn}uoeNnp3L-+bZ11i|W z*>I>kRuEFx`71%CqI66s0H|p$_x0b@a9~blMLDsoBcNG;K&iXe&EW?PGzYQANt#c! z%`VT6h>dIdO=-pikU^_#9Sl$@*TYu=7v>w!!qTd4etEtRn@rGh`tD_`NxOjTarp;h zgoq#fkYNT9dzRld}Ajj<4eL=*XZ}Dvr&EfEpJ3jP$bDvOt=G7fig`lXQ`){ z90I7qi^Rx=vb5>>MN0}S?YrcPO%JW zl1|=%@mVyVjf%%7sEO_YY95YCZ zOtlG86>&O8han(7=#7qx#=b(kdakve5IJf}+~Zp^zzz8B_3-?RY3Sda5#BDkzCub} z=ZzHXomvI_j1x-u9v8TCo$STx7dME0GS_!@ul}42;g&2%yWDq4O_&P0mlVVjL zjCzR15)*eq%emPkvO}Qb+jrO8Q1AliM*^v1OVM&0pN&K}st2HSeK z*mElKQS}D>>R~yHoFcRbE-owr7T$W`iWxm7JPXz5e7RM5hgD4V=nb|c%|DuXQam91$?ojd3wr`FX zbu#)?u0d#ag5fU57ikldm1kkHO*B?5bXE`AA6;Pztn@2{96WeN+|&x6sIY+KlbG!Q zWD-X}_8;L2BM&AjuVsiI&9?7cW8ihHZ|;^)FNvZDgp4@_5GtmJJ&Hbg9uk~Pv+M6; zpz(K@U7ZnsBqQKRdPu~=qp}ysLc>Sib_IMl8h84^D?2IhY1mTk9^cTxenNu&qlkUA z*%eHKSL~j-pYF|ur99EuqcHkXKbGbKPV9WpD7HEL5@L(DPvM}+?X8QlbuGW1897`q z@9@DwZ9AGqDs7_N&glIZJB#^6R_Pj(v1p+>Fx5tGYgB6jc@>p*F5n-?(H4UExkOgm z0c~49%&*U0j^p&|{?d5~%aHj$oC)kq6z?xVdW9*G&Q*|7EzexZ>zsHvF-2N?YWfV} zW78Q4To)ckRtCWf-(8T%WG7Ybpuq}!J{*{4e4{`9#v!QdW$r=sq)I8$4FFL0q)RTZ z7}E1o?6K$5j{j|dFWX}w?8flSqfrF*470T!l$=(#!<)N_T=%heZYT4`mpBjuXnPM_ zusP)pG#jRB^2;64&LY@6lCwD0&q`FWns&C{gxjX!3L0IhwZ`|k21750P8ZODqW zgrO(en8+q{l+N22OIDhfJ9>2G^+b&+Kg&!Wgw2&JljTbmJbbtaJ4*}d-|3wN{)Pu5 z*>okXaD%sR)jsRxJ9L7C*28b-O78NsBmJFLRL2Cbh``MBnVFE>%PhFU=TfV7-FF<0 zyASIKsKC5XfrMnZAd3FEgIIvbQG-_IsM}8JS%4&IUSjMp_^FznXP`e z(5cV4EG!74xAbXXPV*0h=(zfxr{Xk zZk!{VKD1KZDbVC1np~7b;yPpJl)Ieh_jZ^(k-iJki11bv$#QkJp<+SO%xEs>7N|T_ z6{thW{%&|g6!Q%{_E;e4FS2q!jQ*#EoVAsx9c8T-nv|=c{-TxK)Qlsyp}U8rBRlg; z2=IgFk~=9A4uZ)ybDo~7{fs-EYd}pIGLwDt67z~c^x#U-vqOr`2a|J?NIHe}>f;W0 z%B0&{K@Ng_Ku~lbWM{_hF@xO1dUqX56D!>-nTKKxxSG)C7Ur-jkNxRm<>{Dgz28-y zXQUTieQ*E9ZeB7<`=)JEy8Jd*-gyc@8nMZQP`)}NZN(n6ykL6Qu}+y;$}i>1XDf)qpNQvni_5;Y|*tOXh&ZZwBRvLtw- z#7Z}9;fVGry&2MwUPs{kSOP$-k8SsT@^p~mkV!0jb8O>`DZhN&?MPZg_jKMbLHS2j z-jJ8a7jDFB-I{94Df-4t7W(3DtHq^cndWSG##{qCOG>Jn<#^S0k@Q=3{9>vV8cO@q zCIS|n7nX5{l+K$NlHc>6rQZ=K($9LKU2cp>=fr(uzNAxB0)Wu15*E@nh&$`ej#U$2 z$}X@rN|umS`wfiEHb_}CWo|%DL&hABQF17TcD|*7z|hfi8636`r$YcaPGvtEf{%rv zU}P8l_OS;9-_rO|WlJ1By0>?zyzmFCG`KTL{m zU93TIusMFAdo{6cv2p_uwUj$Z`t(9L8f8dv$I^TZ;P03Ta~64H??`wcMhT7S6HuN7RFV+?WJ-xP?V^Zu@flt) z%Q&q{SKaPo64|ewB7t=G&!B-)X#qU6vaZPW`;~-6T%8Vl6W#b6xso1IQTK1c#1F0^ zu`a$eBy9eJ*^rYuT_^j^`6`>51w%dG(J25p6|+7b$G3&^!Od@+ctuP0QawB|Z3)2JCYPebqGUoq z1^X7KbO*FDC6E(;mIQLein9KE;ra*tq&uwGIX1;f@jzFNM0Y13@aQ{A%i~ z2+4HS&$i671>}f@LDis0iL&juv>FZM@2T{7e8R#akpq+3@-L8jL0E2FaHP&9Mm4ZIr2jx2}G|yntxTl za@>KT9^pI?9ajP`cJr3WQSf3zrKD*V?-OeUVvZbHIa;@9uOtYMq@D%9WpTYR=Cpn4 zS#wY}WSeSgn&UVU(r<9aUu&}G$ocXM6GD!yt1MPjQa!1*UIqdwa+qcwiELkA$E9iK z7~nKD&tk?ul47W+H=w>G@@kiQNN<2Ar~c^>dXr*-Bv#COip$FWv`K7nnRfbeZ>nR$ zRfGWx>_{jrgrQ8>_FTA|OYuPdkR+M!NJ`(BNwwBRhorWBjAsgUNsux**!nZ}t z(O~fxo^A$Wvn-ypdq}0~3gYI!Yq&v__ zeiWNhcp8gSBYkv>b1C2Ncbrz@@LI$8&41l7>FVIWYwCvM_yvG6^eozs-wM|U zlCrzx&D9y7u(Oit-E1E?(Da6N4_m&2HZXLII53aH?rOWPTIHc`;86h^T`5)B2gfpe z41T^p*e3F=0OJY548uldaL05hjEe>R8s>-1PZs15zWyGpo>} zG+FL#7Bsag1>XTQM34rj5;Psuu|P(AKit%BU`*0#2tlvCqiqSNG^qe2-*vmKO*YlQ zR&xO9mH|{3^(c?o9f`?0pp6pFrc$b$Lg-bf3Ly5a z0;euQs5IKHcSW|~qN5XEGD#g0WifO$5d5yxy=_Ne)`o5l0HZ$)r}gm}e+OP1wDLW< z%I+eK46HI50tDhwg57g`yw;<|Nn#-Yg9-yCHm8B1@CwzgSS&K)@6{X&5*_!XoPWD zjw*uzEvInLsfQ1jy8+i#wuAn{ynWGgrID#nzv&l|R}qW&i(`|2g4t1RwWjm?S&?Gd zj@e{to9*!fGWnql_{_?d;BDq z$2dFJo^@6v3x+^Af0>46iVKOFI7g9($-dnQ6ttksVx_?);BzWKOK`mPEeaU|pd?@? z+>E*p{JDGG)3JT=C*FnKi7{H`V0TQ(h#dN8IIoI~@>2dD6!yS)3ypiOJXivl&amhw zuA*pza`+>iygg(!V>L@sbdM2sBnK^==a}X(DrcZnypTJ8UU=dvE>D~!V(sF!fmZS7 z5&7u%UM;zyAw!WkOu9S;PI~c&7%M1o0L3qOtfM{Bbm8bpz+-GN-H-JvNpY)vh=sBrGe=pN~cxvP%u_kM&1T;`C{Me1IldA;nrF_1usVuZ#{ERrr<;E%jr>Z|MWZMt`! zye7{SXFtZMzE5bN7IpV=GNOQb)&O{tn)>x|q+Nu4jSxe4?pHFJTkQAJld6byWFBa# zIIzq;ExhK4XS`fzCp*(VTiU4KXgTYV`yNVS3x?KmUTFlp#x#OFqh4glgfD70Kz5M zX#YD9?{me0AV?9S{G8wh8(Dto`}dYDAFHw*oB5%A&au=vfv_0~ESSu{&j00}^eK#tIjnnlsgr*CO##>e_F6QC6 zMvjaCpq)IkbZkn2Tj;sbM$a@Bsd0g%2LL| zTC-Z5jPGvZux27FAp5lnaU`FYe}V-x(`W9~mHDLNE;|X6b>p_yrzo7^$s#!(DcJpB zSwH6ykY<2nTAcdosxy8Z5%qAqw{!HQweOlUSoy{SaEg;u#x%+_@a~;G% zAhBnmFFRM4Hg9d*p|*a1HM`2i#I zb6kKrL9}z;X5eRj!ONxWyA{P%ggW?k-Px8?Q<_N~cgQi}#wf|Vq&=7Q z?f^Mw>yUc^nN&<6w7F%Asq`OlYY2}AL;L8nrSum(d`o}@qVf07T1PwfUqug`7F<8% zK>g&7D{dRW@7Kwm_OKJeDw4pxKwr0}n%_nU@nYggBJlSzCKnc@q05hs%#5oqV5QgHk1l^4`qmM3%9e6L@0L zqAc`q=OE)LwM>z%klIiU{kk^W-hC^?2B}>CaOct(FIg0CT;Q*I9rKz+VyAq~DwF5f zFQiB=R7D&J+~zn@M=!w0fUb)-nRt{zgoGr73HZ}o({-K`6@B6he`;T2C6|(g2bDBc z-;*kuBZ(K6ZtjW#ZWTgD4;Z8p7R|DCmv++UhtA##e~2^u9gyW_-PfZJak&|ww2hX| zRAP+KH%^1Hfi>v_H@?PBCM-HeBPfvZbA%1plye44$*SQvJn}CZMjt8mi zY=8@qHD1_1e=}1Hzg7jXmrz@Q8?>q_J)8Qbc-a5Q-XTweg zQdjA*sl=||ziIGpQ$~x}yv{81{=wG98}n!(Q5R>#-meQk4Y$*r*E%&dm$!IeMqvJm z{_%*i~pL<(_m|jwu(2HBIbkl`^MxqO`p8pPy8=Pfi6>M-zW@VkY;Po=I_BvJ@ zQb=>Nd^0)MF#Ksx2DNA_tscP6lR(nJyQyR}R!2QB`PEE34A{3-A``&pLI!$;v_-9_ zR!If~>;3hb0gYh(TG5QF#RjhddgQKl#m$lEN*3?>Rig`aAAytVAguCM0YAwHqDjHK zT+la*7A%tJZiRGPmh-eTpc6p+0&jCxd!Jj_S!|Y{5Y3vQ@dfuCsMJ0iO#9+*?z}(# z+uYz6v>$xt`DiS)=@$h%E$AxNnt70z@Bl6Z`S(>Q*@qGU@fY3m?)6%5hL5g`*^rFg zUBOcP2(lND{sdqStV0bv!}-o!D@jVVFDY?m84QZx8|nJe#8}_hAgJ?9Kfo#G%E$zQ z&1p6zQ{%KCPmTqWk#>L2ri9<9qb^+FU<|k&f_uFbYGSIOOGCqoy};QNA&+Lz2_TLXXZIzf(mU}sOu4o1x>j&D< z*Ss_~YZlBkya#bbL1#Dlio0gs>ON=U){G=L3*J=V-5!3v@hRsxP{Q*J6-7p3;mQk8 z!fs8Wb2P+(SC44_8({bE?mlBkW-mHKs@lvx+0tx_Fh!xp1G#Nn;3-rl$t@Va%>*wa ztbMVXj94x7F8?u_9CB`3Kcu0?(*-@4e4QRV?t;;0|dQ zl~E%ghQZ(A3Y3=WJEUxdU~&dQpU!ObmqwBPXeUL{CfFw)IyQ*waC@u57PRzRvK!ff zn$|63^0KKZiV&h|#&BU{dh)>~{0Q$!TphSO!96z~(wSNT^OouQ_FgXe2rki$2Ko8O zzD~8^xCH30?9C4+i0bk`Lg!_=_5FT4ZWl@ncV~DL)}KX@mbF9aOufC8p>H{;iOAL) zi4nEuo6S?{$!hH(AAg(H7)4n6X!{%uiKs7L`ZrPBl00zF=XsP@d3$o_>ivL+cW}tP zH#@xiZCH%^9g(2GjOj?EG>L1O_Vv`@!+7%DqQpJ87~SXjL7LW|!OR7&mdqG;{t7aj z*FvnK9Kr8s7YvT8k$)`Ew;$AxU_7}E;04+XTh*8<50prFh&c>taWV2;mFzA7mM449 z;RzgIyVsItAjiUWBcRcpTr)IiEZ$j4*M{p(*Ha^QmvCIX7dVEDPET95)2DPjIMt|e z72hP3xTyj*7we)5zq4pr9SQt`k>V%iZhdI+m>GYk(&u*Xo9H?yg5K@CKSoq%WH4=T zapD~Q>O&8i@(jK3BOo z$j&I!ZWCXb|H#_Vr>)qa4~{B8oB1H#Q6bMFHp>reks&J`G>a1|lGi2JfGB#d@{Nmh zPkQ{zy&-X?O|*%?1<@El!2#3*NbXYl@LcuZGn~sD)%e1~;MFgDZJ9oVb^bTA`4gr*YcYeIg zkY+lZ=l8GVC4>nfS=F$hR~}>&;U8&%>N9Mj^vgfw0pNvBwqR}C!Wnj9^g7J)O^~=1%-WB6RW+ za4x9ktV8s%R05^qXZ#qiY|h?s0}nc4H+B*zYIvpKlsTvj%Witbosf#~e-FdGu}`Ni z&Oht{G(v4eW#n&9!cxNBVclnn>}aqbh@k21!a!O@PQC5Km1GLYLF#4$fzNb1Qx%q=*AB$66OP%3P zE1+2v4oT^|_d<3hLU04%Lza+?P#rS35ui)-n%pBo$8_0jqWkUrt&=zeWba9$K_o;C zRB)$r5+Upp+`!v|!RjR1Cn_(6e8Z<`e|A~|?J9~oMVST?xQQ|#i6(g__N`k6@JFLM783EWSHdi`l!MLEHC_GC`KoBUk|xDNV`?QAi=Y}5TkcmGEqQHZ|#D-`aI zFJWe zICErqH+z3xUMld`X_Q6eR7adPq z0|T-o;AG+-Mc^&78OBx=5l7$rPzW?^og=j#0?RfkxgS60+$Q<60^AQ$DxkQ8@&gO1Gb^s+*B{{!>Tx9c;vhj6W! zKZ_NXg>FpuH%#*5@}J6cqhR6`w->1Oj3l7-pO>)s%}#|S|)6#ep~K*p~GL>LUe&)2mh1vQR2CjB0@i7);UgL zq67dVdxcsfE}8#Jb5aP|V~Q&(e;)nlYVP@Vu!sW)00F2)rGT&fzYg*qqu7uVY4M5Q zjEpcDhrB1+>GQ9DxovW2#xWjFSYyTYLf(4_H$2oYp0JLOUDyzU(TnVgV<~(9DP@_q9}C;&a?TZ(x%UGd3OaeN2pe76CBX^f|S!2e;=V zB>V63O6=Z3-rJ-sbg%^WzowPsm>uy=KF;Fdkr`4Y8Da^a0a%YF_@|vGi`Qt!=7S zt9R{Hdy>W5J=}!D*KBgk2;Q>x#nPTuT)aaRF#JT3^m*5O=e>_r?2g_K!YC2ik=Q|F zA(4H>bB(345c${+FW=U?e;jA%fRTbnaWP+&Nk_d9)wj*WC^UZIqoD$1A-}Y%A&K_D zztk54NJPl{a*_zLkKY|`1cS9nY{AEcBJVIC#KWq8mTnL5>_lwv%8*Pi^szlDq{M&M z)_)ZtwrQzq^|*vDbN>ih{sCy@-8F81aimRAJV1E%HF%4`$LiamC3dP@{}l7yCp~V& z76R>oMTL&yz5ws7@mAp4k2PQP{O1m%fW7A*7%MLofbe*c+cmDRXg5KKC!DuJO#hxO zgTL?tf1wu0mT{i`(x>4C9YV#UnU+AT0qTr&wI|QN9C$Pli$GmG`x! z0(MuvGJgrzqx#E+_P|%)%h*U0N%r`w-2o25|H*_aZ5A)s#co8ny{PXl7_xp6RKg_S{ITONtaEtyK+A%KQ%sInR>@)4d-x-N}DS1z`%-^H_Q$|VXuyGHb8xwPdNRepS_3fO#L%zebnM0%&a~>U)i=4S5?H4k)2olD=sq!ztEhIXIe2_9>I)sp;~Dx4*)E#H!6tb6M6Hi;kYtq!{kk*!@s_w=@S zZvpMjuc*i`fjz4wjFj6Y^?07=-_-d5DwtcfHQzmsXPa-Q2R5ZkujJcrc$^(cG(g6a zVokZfGC;y}WF6PkA$!SMzjoQ_RhYXU)2033{s>ZX(+#k-wDG}KM{Y0BaC~2I60g&o zLpJU$+v`{6tgyhKID`Bu?^>AuDR1n|3zhSip!?H#y(BkZ8LOSNrgfC`m4SHockBDH z463}y($0Yo7I!d;$FAZj;B&Ke}c<6wlF^~N+=;ISsSv@qUv&Xqw+V3Ho&EF z^j(9fdlF6pQt&*@#^rI`ePxgyeCt5)-WD-bJm-H7l|-Wx+Vam99SF~+9u^UjA20uf zqaBVx{#zo{MuAYL(D3t^9Kn;1PoJJNMcvW5n^b5`>KI)#a?6V?OkiYZz2jz8-Z1X7 z9tUAbLc&J)o*gxqB)9pw6!8_Xw&}#&RAua^cg6ZO+hqrZd(<;aXlZx!_I7v$ZYdbI zMQRIxWDJl`$Gj86-ui~zykQx#9zwHr*h{j|GD!zrb(*zyI5NX-GkOsTCRk)b>9CR$ zxL@)i9iZkT{~h4~cDSOVr50D1<*(iC?==&5Vyz-B+4rg$u4u+6!Ghvy4+cX0h4}5CDHBZ&y%mdpSyc#RC=0@NJ5gFb_P#0^)eOdT1L zneX;`%CNuQx%X0~FK)#DgpgGUQZQh+U|9xo=1YhlD2)I2M2fx9V&7${Y-{30UOMR= z#(J^awt~v{jMM-e5^w23a~9%H=z!Fi)YgRUDg{o)n*)O#;w04$_H^ZvF4y#`yJpKG z+>_v{AS@ETDyLe%pcxB4e}Ms7fBz_y=mL>`QR*!$p(llMM>M&%lPc;~PE0PvbGP~lJod%yu^9GvLU26; zQDh4oQEK5czfIvLa_4X1eD##Vh+ApuJJ-j|o+};tEcksT;F)BS6>g!(;(88!{e{~d zWIq4c-4NPws#`|M@nx26O|6_Sn@uO)Qief>Y{C=cYPC#jg&z#6I46Gv+V#f6`%QpJ4m^8tn0a;o4>w&nJ*ACvc@~7z z-Hr|%Va*izE1mpir>Ra~u<8G6K8iCZ(~%R@4^~qXMmEXk21-ACs^{XJ-i|5`j_En? ztlpp&E$!J{UtHUfAD*)d>w1E-W>ffuzm{lOFbU#C_LY2vq{2^q&tvKwop{5_wHBDL zhFn_T2MU)hn38bWU^yHiOK&8eV^?8YtnLIsXP_Fh5v0=QxD&o$6I|kQ(lu^2Xhls9AzxlRzgW1WgJ=NR zWRN-Vkx&WQN>U+}l@S`USN85!G^|Q!SSbk^WoAo}WbeJQ$8EdK`}exu zcjKJCozL(1<2=q?z2EQax?b07U9a)Hq*dX!3nzsbyA0~T*rK~nv-87zO{~-F>BbSp zAeWZ|R;0lW0TG;BsGPBb)L}T|lsc#+%^>+p6q*S1pa^SQR9G9{W7gcAV9>`PZV`ns zvKr`{XMW^P5T2ISf@d{osD-37VWgBhx{SOBrb>v$!-czKbwk7TtsK6ct)f>))ryo? z!T*hN5Y@sWFbmK^_S;|y+5Lsf%b(5XjHO)1Stw|<27v+`_W^XJVa(cN41QN`f|19j zJeGCA({rY{t-FO6X|EJ!_ZB}nS%Hh-9SEp1U27B&}vJa_GRM5^iU>A{RFT>EiYpk2ZhszE~-`gQKW?{QN>(hox+Z8rt(b zN^Fnc0TZ9UP12NiU>$KwN1nR^dA7iBZ!6=opTdEpe4as+Z(1hK(pB8xkhOCQl9gYV z2;C;Y5fI9xp1h#G4pGzxUMaOdpEPw4mQ^f05w)4ZEqylnip%6e{W-F!a5gThFUDAv z!&zX67i@`c*g<0r4Dfst%{{up_v$?m(9t;nS3@BFQ(7eEa zCP@z3heG^Vt@cBvgucP_=sA5YMvD16{E!-qtx!tlv=d383tIxSVL)#WqKB`qllrjjcj z%8R8#Pr+VYqSgH#}wWv>Kd%HW0v zDZz_jImsXC;;=N>2cX46$qZgh^}7O7cuJhC)p*R5Q2svs<#0LsTXEOE;l;_S)&<#i zi7Beva+^}GjyGcp9`Rg#IQwCM&BHMO883%yQ<*S;gp&MoJ)EtWdU|I}r2@4&KT)9| zKn=5Fw?NkjPSK`gLBna#qSTIeUZ-;%)Xqt^INI;-vJ{--vR!?qeUDaOx?Z;?HVTrF z*z(Ok-K4X(*MGXxrM;Gd+Qo5D)>CrBHoip=5t>cxTn^PFoqHc%@nRoH!%D7B!OV`a z?HuAgy-^)MB9C{0t@^5A5%MwG($iw_TVRyG7Jy*^#lbyN?|Oc$6#l>kO{R?Fl;^BZ zUCwwKt!sx@8goj?STCL6Vc|SPqfetXgS~Mc+}Pm~a}17m0FuFsleFh7&Rx!MGSGGE z7YHLL&V^?S=3O6}rccAWr%hYMVVFNi42>oA29V*3g2|Dw?J(v$wNZU)x^!&WWKKu( zOTSyYD8GioiKYNG0JQ>aG?dPB{n&z;x=h$3SqV86&0wa4>Vn|*S#Y_MujR!&tI$rI zFWc1+C}~bofPgy`as^XJA3;le5|>rc3S>%Xt_p4=)MSO-L8GCE`w$rnJaTwT*?>fb;;Z9ho$V@UYZW}s7ayOeS}S2 z?!^t0kYC>b-}P}vHphOntn%m=8O2md5oH=2#*t ziu2zr7zDy(HN-nGztqy<_*LnGuJ~!ak{}9RrgR3_A8C$PAfc~|6Le7!Kw26m_*MCM zs_NaYSXS2p-#iD1-wtw;FS+=uRdcURocPR5IEHyoAHb=Llvp4^sU$Lt+%&|K$dKVOAu{?ngYV~Hbu_xVm>M*M={}CWV;r}+P*rTfgM~P= zOX}Wi30rblNBpu;!Ikga&B!I;m8I8SYoe~xiyDwP4tV9yskuq^<&D_r1~Tz2;UW{r zK3Uq9WwExot&B}&5x>UI2l|g)sPnr!>;ddRewpeKTjBBmj=%U8)*{SJ%$y^O}8FV4xWwR!u7Q+k$Sx^#Duyt?el#-wQ|X zXS+kvdpAFxo1SL4dX*~0a#&fo|LFsgP2CJTu;*qy;DibSg^j~<+m+$f^RG1pp6AoB z6V9(?R-;a9%(TDq;ot>QMtr--PA}`N$R5wYeCqu#+@wMd_qz0piDZoYN8%}%HHH`@ zkIb>=9COB4i72N-W+SFQ8`_)VYg}@c+qcYSy1j(h?1io~W0m_6~m^-#2_5I|o++ zsS=nCvJjuW02bbr8?OcHH|f2g)l%!j=~g4{Rp-I0(@1nN;V1J&F&b$m7~}CdE@V++ zfaWn*b{Jr`R|dERozm+gtMm>NejzqD4F4>o!)c=XRQp4ihe0T7*V zkRM)_ete2K^X|BtC6O_b>Wl=ojMMM}PjM_aEGipdh~}D<&62mv;*JIov^S76u2y@QFcaUkRM}S4?ZTd7HX~5hd@Hq=6!6 zKNg*6)-c4)Sm7fm5lH$T_)a# z+Il@>oLOI=8@n}WBonRRTrhd5k(4Z0atEb}0i(x*&P;XtxXlzYkqrkjM)z_j8P<$E zol50%CU!rh<{TV0!>FLw4OF=M%yB&oMTPRtLI--i;9XDl2V}&&eExdv8vQLmI^+Q+ zVCOfE%EvIfgT^dCY>r^ywcu>m7I1z{hOf5NH!udfr1ZJOm$u{G%}=$gOT>BtDWP11 zT6}vH+8!wwZ{>)lXFd_^$cp+0Vll%Ji?NnWpU7C(CI}QjV8T!0L>*epv2J zffu|)b+g6%5Sjnz_Z1~vbga8-nS+IcC>79QUqb{BCRh3(%<%GwsLEq7y648&u|tfe zA?K`f>-F*0VVO~5rN@CW;nU!7B^X&PqBWr_1AD#+nF4-7Lho90IcGNoW8qV+3yck^ zS6VYMH{d*cEK1>YD7^X@-ZZbaX+PQd7)HACj&ONDj-NN@^|S4J8~eU!v7Sj@ZCiS<**i41S2lJA&v5P`!t48 zMIpK|;49abYNQ_J*EMwuv31OkXY6>yh{7BUx@$EtuLRBfvGq9wgRlV3?(nWxQIsU@ zK0t;RzvBw$8z0G&GuSo`qitk~@j~19-A&zF3DBtt!czD%{Nts99m9KX$Ic7ZT+5yX zoiP0(X)Rg_tpkK5#)zUQdtox&thwr^yVA^^@*KJb+fF(G zN&&nxkO<$+3sXZIiEM2CbFLUe_hw{Esp$-M zsgpZ_pEI*>VEGgU_)7_}os$g^7d$k$Wk2SflKX*17TfF14`hx|1Of^vD)Z9;ZRlP_ zc=ezVV&voLK@Cp1dLzuLoO3$l)E{5vb_*I#rk3y0zsi_CUlVs?NIWb$}Qb`T6B3q-iL{aNH% z7>al-B2*nHo;OE}dQPrEU6fbVZ)*fbojsw_I z*xKI4cCO*U+{M!nwG9-PNJSQu2Uex7pmRLJ1b#HA=rm^JC*0&$VSDS_lFJ^@Oi(q# zI)@3MJ;xFmR!}_)FKkJwO;Yn0lsq|M(PKry=6b0vLqw&QpO7Eo&Kz7tjTR5+PVmW{ z7fO)?_yM`g_p4N+uz*-!V>us#S%|9R7a{XS^@W2mquH~zaCXHVf{oMvdJ0tt4nRD( zVQpCYW)zx2L6|MaJNs;feV)mvu6Tq?OpkIDp2r+nbS|V8n-1PIs+nYUpodtG*L+6Z z-#L!+@wHEbI8=dljz1f7SC2?;HR=Nc;XQkgp+jPp4AfXuFVCSX_`Q|)EE2_ z6W)v=K@*g!AL}ddEt>fpffztJ+7eIJH%xpzN6*0dBNy^X4;c&hc%+)90!J9j=}Pw) zlrJp$$h{_Lg^N0L4-A}Kb5ms}wm2viW3)@UoZ+)x1fnC0$2JC^)Y%wJS^usM*bn^Z z>7qHB(J}|OeV2!+`<1*UWl0JMg`O@I^FU}Qh`z8llOL|a{r1W7t{$&eJP@Jv?As<7(Lm&2>+Zznu#UZ6!%xN=fzAC!yW@UZ z^*sz1=36D0E0knST|q|ZX$mGW;nhQS>w>689_NqIXJO>uM<4T&x+X5Q_3g~ajIeBY z&Nw~^|0M;*gRxQ{9e5$U(ju2wimi4rTx+xIy&+6D ztHInp_^HFj?1w@B@5cDI6H<8+zhLjhJFjZI_gPYpCYH9i4};$(ATGLn6+?PXMeB=8 zed<`~=+EU{pd?jgm?2LiGzoY?hrjd-PKN_i=sU)SZ#G+iv#=zz>3wb-SD z+C|ABkl=US;U&MD-%Fm{q{$ezy3SA1rU!x%%F*HXvDwB2yNga!Zp8{gwjx`&N#kFs zL(@i}UJS2rZ~z`cd87fleHe1nK1jrPvc7|A$5>F?_RX)}y*Aw~v?|4W4 zxEnCum;SL5Y&?izd9pq4#&(|!gs5?cch@1de#n-LQGpmT)6ZFSkq+sK zxf3szcj>??hC?Z%qC#alEjV);tYUe(Z|2S6y`^}F@gJOC+JceO7Ll_Yk@H`dC&-iV z*}>sn-puX(9D!B57dWSVe_|Y%t)hJf|GYmML#25Qv1dlRauCSkKdXR&B7PkQCv2X1 zjve}|c(22~Me7h-ShvM;&H6k#CpWAF9w!QV{!;&bklv6#>W*?ZNsTYpV zk^HX<^lu>)bggApIwNZ;VNl2mK%0k0i+N8qX3%s@Py^? z^ppU5(rg^{7Ly9Z91}sL(_S!uPOJK(PU{hJ>wl#s5EjyH;kwW{+`Z}hG*LKkB;|ii z6GeD{niJ_ObMGy@#l%VDAvY_j=6{Yil^L!tE&__F+cUbDHS7x}edt)%Xav$1Htg`iq*n7m0=N7A2VBS)>HEDrasZzeHAZSUXy#XSq(|Aco(SIjso?d$iwt+gJ z*T%+Gu)-5T&=!R z(|w5T8OVMyZuIEwXber{HA*k7Nz6eg|OiugG2w{hjW2g2D85+Xtu+L zRxwML<%CptZ6aM#zf~ZO$D`3!&=Jz;rMg!A`2pnwWE2tV8+dpc=2;W2~_Q1wt4_WkE#dtL4 zT0s+yAo%U(pb@*4j8;JwbxC`BY{c<&Ea8qYjGCo*an6BnkFbQ|4AK|n+MqAa{!w4hG!xL73R|85LpY1g zb&?1zAQ3Y7Un1lJRVk$9btg=%W_gWAc45mydUzGg0(sWY*fhZnqFu!_yNaG*(_Cq7 zV_yZ6xfQ=^BE9z}kA-g_Fb=7RTI{@P`@dw!JN!uiX%`s7>HqsQm%_@XKp_E7H-+M< z|2vcA+LV6qDSk!Ja_{y_Ud=8*?Gq*oQn>?PSFsDF;o!s|)xyXxF0l$GTdv?O!FErM zF`H)<@5T1x%Si9_g>PO3IiH)Al2pXXD1PHA$a!t?3r0>TL5p97YGHT1q>7QV;_33M zRglvk?{WkqXY{5prd2EtjO0~uA#f=m7kR?pXWjoXm~2CTbkmNqxZB|cfUn_HZb^`? z>>??_eMkwiX8bQD7`i^qKwJn;?5`b+`O4+~ zNvrUcCC5J|lFnoW*)gk_XTOBReQda73s>vbt{4ns!We3pJVVn!`0oDM14*BN5+0Is z{0+yw>&32BoQ>I=?R2rjDqfUutaY9=Vk{~PVTG9HzmJH8ZqS*UMaN}7+}Dg9KI%|x z!%y>n9X^ts!%G~lL#Rl#g5USQA97c!pECkM?=>#?DJHMtEbi~;r@;F7Ar=+Eak{bo z-_!rU1}PxT{uPVDB-U%QtRlFv)I#LNf*TD9+57%$a07x`z4l=N*gX09<_!ntxv?PH z5DKD&Cc{qrYY;7wKkG0y9=op1wN<<~tme80dk>#A6E0JsWQ95NsKb6F1T?n4^&g%2 zN?+n^6}y4BILWqb^50G+aqJW3m{TCfTn2>>%Kzw?%Luy-FLc1GU?l2uo*nZ)OBxbg zz&LXMe+`LwyeM$T-kc`BiohKdc7|i|MQY*ljsJa`xsDYz%rq!44WW)z#1}i99h9&* zp@DdpXRZw?-Uo5^Z6CuL)!;l<{NCqw3ZxQH@?vGO+MClZYIdd$a_ZMtY!4o6)#Y8H z$GL$BEj%~$B_{)m|9Fmx&Sehq1DUNns)G3ow*mfr?~S?lKKh;_rUM3(x@PsjFGJn3I!;`I!qK+W#6OZwS8lbYclq0za$M!G$fPfOR~iqdZv?fr0-uU_H#fpaubJh?k{V zD^7Eh0@j+)KR_*}1D^E11gxEUYS@VtKK;=<({z@;npH)=mPFw|L)5@F;sDgC0P6f9 zJ~!aokuyJwy_ah=IYfbl1d z2lYm)7|-9wPvO}_GnUuM!`Hj}{om}&{Xd2;7%K^m)*Ylo(&Ft|h65+}Am)*lM_HZq zD68|Y??p4ZbM(-~-idF(Yig|`0fmbGigu~cX>}w!>ip;I(;8poHwdsj2ff~BE5)OC z|1@f!#07!SeAqM#PHc$q+$b|q7|f}4*NAwM#Fd`Vc;ZwS`?sN-DSMv&(dG4X?mJLM zPAYBO$7j@irrqCQL}IWWfby~#60r)uN^c{_*@b8KK7TmGFdw=#ocHhfI8EX6RG_>% zA>-XzwbM;8LKwEw!mT~@ydKnv3GCGdB~bD~;QX2VX0+SV-?LM>sJuW8L{anL2}NkN zFQnM!b>44t<8<}H&UZ;ZvSFeQm;062xA*o1W3NRZ~kUikJd-ut>z$qE|iYz(C5stZh>{e?qOH9-^vz&Jv>cTvGtMZ1M;T^1(BM0ZUVip~cPXgiiq0o$%>-f#a_MVKx1)qCd7H7~I32*ZbKZKFAKr^F zgZI)DRixen55MQsBOas>8gUc9@jjw-FLrXK&#meb9!m?I*JPZ zN=V`DCyDLbB@fsxY>4`J>HSdl@RRqvx$9CezvU7V47nHR{=8`@&uZX5HB3u@2zq%S z?ZwWu)+>9|vsJ(33QI064=Af(iOv+LN^dBN8A2)ZM6l609)*$*P{-iS#o^B_Pmf6ZglXLXZd;BI4#bwYTv9%W~?S<|%TRCv3b*fFvQC|p$*i`oFB}Z@Vm62{!`gaGh91WD4#9beG z3Kx?jn4*hQ^=7CX%IS*O^!}t)8u`!_;ht+Qd5+&Q!=iXWPr*BTp#=NcUqQh@#t0Bi z?I+gCwg?)swdwT;KbhNwp$um2ehL)H%DXd9x>~Uk8rl-pT-5@u=78E8zQnw?76`qX zbSP*wRuPwyY6}`{>1FGdo(dS`SlQUT^z3Os41*N~%ZB=7A{rts)xpJkypsr0q)n+$ zNw^f#w%dorUP`0r2nnz=9x=&fpQo_D`AF#A+PL`Ve*^;13s3oNCj;m79aeAyU0F_k zU5!{b$Uc<95_K?x%gccK6J8k&ry@*w`Y*Es7xjSG)Y#tI)~ujfPkgN!az_9N9X2Er zA=JTrT99YuvA5gj4`lQfVN_-19q&xjZ~JyOFt4whBAS(|zX378|0>UMW(VKF3St)f zl$wgnh;W)&^qNgu)~v*Y?l`K1esW6`K5`#I@xeaz9|B=`s8_yg77h&4(|1-UX=pxb z&n9*3=K8adu!xT_F{tjH9+b4=9f0%mfmyNyL;E)+>ez}h?V(y)c)%{p{1|;!I${(^ zm8Nt7Rr6wg)X(}Tc`nPEW+IdDtx1oH{gT368~0-^i{v^`DC5lR<&HWg#DKh`A#n+) zWn;3b#nFRoPQp3*k(oBmzKoD1Q@Eb<w@2tcCgKnWy9JA*! zL@soV>*@N;R3MjesLK;qUE2zZ9o_ppFh!;s+~1-8SS-pa*6s2S$CVT4%nt zTFG$n4^WCjTJ*)ux1?<7ze}2uUTK)``80F#mGQ=k#c1@SVU$$E z$C?|U)|L9;I$0a;15Q_`-!xeaK~db2AQCpdQ#mAfMg>pbCZ*8o8&+wDyLmThPpkVatM{JQo>7=%4cPsAr<-b+SZ&U^HHU& zlIPidEB!$#R!0r7i>$wIIASy^AmTQUG)3fS8=q(kIw3ar@J>7n4iy7vT}z-r%b|qo zPij#nl+TE8hv!x_H1FmU!BA_j_uMcdlI=W{|H%A0RF7Fte5j#jiAOsk9dQ^$(THA| zAE_O%G|vt^5vFAVbb8^v{uW+X-|!cx?rRQ*3Qq{e-QFG%iE;EE7$9ilc~lxlx=Bwc zSLO%%De2%qfz~N*>J{`BDk~S`&cZqavM5gbcO~eo41(sLkU}$Nl0n-NMf9$N?%`3l z?ZXLBrlYMfb$*mc`PFeKs5+dytd^J)7;cZ1_`_XLWKqSIW#WFLSo@445OnYinOfK_ z@MAU`wm;P9jA3l(UEa>GKWA<3EZ=vo3G2E;UO!Lo$%r#BW-YAIWaiS#>^`_jx=i5{ z#5JO6aufR2pPI|DXk5;q#_ByOcLO)r5|7Vf7d(6ht154^F=^x*Y*&EwRKiy>^;TP* z1eyuBCUA-R{Eu;(k*XS2iO@vj056*0PrdwH4t4Z?idD$Wi?Z*aA6=OI)Ssb=Xoyw2 zwH^;IC0&bL21<7`>)QQdBEXd2TC;hQ^P%F*c%>)nBP;4GTdYj@TJsL;dOOLhlyoJhRmyD~h3yIK@6vwJYF2YM3 zsJE4`>R|r6A1&gO)GjVnPZZtkg0mXZ#}-vqjAAfT)C{=?o;inz>u61=zQ2e0WoH;T zax{sP)fN|AZ6%cabVMbr>sfA}@YCLYh8R z<9Ov7&N-dWv`;yUB1=4FH23GKkoV&u=p3J!|7-CjHn4uQcCs<{Y-M3oB$ zCv>-EUz)N1$5^h83R+lC)$b@xY$qY1UPnli#xhNq!w=BpG z5O9kKPDSyKNg4$T>?Kq=slmAhp}$6)f#2SKY-WbC8ymd1>st%`*$CG|D;}P*X`2s@ zddj~w2NTE+ke>jD?ao*q)nVjjF0RS<$N`PvR5jJUL}o7`klsZzaXo$U8!Ns{>HzAw zxFPKg3+@f0Lbop9oZvUFs8h=Gtp~MPUR|)J$)Xv3DtaI)OztFqsND)%j@e>by-O3t{2R#w6vF)uYze!GvJ=o zPSXeqAbJWooDD(Na`FrCcUSKVrd#zCc33P2ywIg`bDCIhoU1a8mG~}$$1yX!#*7th z^+|AphVeBW#uC6APUO?GOJp==T47_mvh;cESN_8Lt!%-!S3< zoZRXiLkFUVBWvV&L_9pJzE}LSP%HTf0 zGE_s^52GW~G5GDtF5Ik^%amY7ADHXQ@c zQvhAlP%M`hML0S6xTUlxUS8lA&qTgxmEbVI5i!6KVzi=QzMjqKRf4P&~-V(t~|9ofe)$_8~s;qcuHiL zX@oZ1O~7oOF1&N2!hR15EasnsKe$QE#n*gq=-7O$lg58}={1dZ-gcRYsq{h5A1k{6 zx`e4hqXVn*;DFaI(`*~vuf4IM{C#~>omZRx`uPaxc&%Blo9=FC5gL4tG#WoVxigIL zv+Ffie44kKA1ITzJD&a+I%y{^F$+AOh48$@$HpxfR*^pN=-%nZUk&0sQ;({eV?SBO zvzmqaE>9O&T%EtlZ&Op=@k+hlHqr!R1*91&*WP#sYdjkWzxiogy?>lIZ_#Ezl1NqJ zoRg^?c)&uC*t&e3#2IA34HA-fegRx;b@*s#T>{5irSuQ&5Q7zko=p}4mqi%^vR+h) z^w_nY(z+n@@gg*aNa6BAAa17jxy1uFa8MTZ7=;4ALqh8xaE1;&e)iFg^<&4`Gk#g{d!pJYc^3|9FB)iH zx~(;9YPwRGGr%eZ-Doe|&dPYE-wT2-V_g>m(Rtlyl)ErWdUTHc8~{Bw7@RGopv!Fdg}Oc{N!@fvOdn%-A{c*bLxzk@)Es1TlgG0Gd&OCsV-re38IABIYc+?2r=8E==x%T=|a-lJ|cltE`wWA^80L7mh zf3zriBSyVr;Mgw=nxf8i+5rGPSO54tGHmB3%bBm4nP;R95g)Zny^GWAf;^Ubn`-1G z>@ldmSFaN}nhdXSA)Qh9qFrkda50DTVz%C-M8~163n73)B9fk?4|&$l1kxoh2t?#P zThlKTk_n|Ps;badY20cnnB~^cJSO!tXHtpG-Xb?AA?|oOwoA~gP(F{{V$%&q*~y{S z*@Ot+Sr$&cyd6i=wvspzPW61>64YM!2uKEE(6wf+!vysuC6UA~M`}F3=SO+vf`X|Dob1~Iu1#}N^EqB&MZ5o@^yw}lPNVm2P zQ6iq-H(#){e$O4d;)-5uO;WAgE0Nr^SM~lC>*KFQlS_A0eu zJ##qLXUp*pc!+|=l^52AHAQ|lxJzY1kGcjjHQk0j*~YskOy?AUPh490xhs=zOB)K% zVCQyMcXBPPm1Y685)$a!#WsTq+T5)vdM6)>CgSkyz45x1P|fm#Hz<)6T6UDa2^(RE zC0UL}mVbaw!SbAh1PdK|8EQ5*s&q@JK5VcJ96&uOSeK#+VbB!22I?_#*1MG)@F&6W z%il2>_oA<^Tfc~`_>N;+ z=V$bT>wgY~N@Zp`)ixr9vmG5{3W~FWqrp5x&7?Zf;+lpnMEf}3@%!yKV5|3~PlClm z;VgE)E$Z7AF1qpyW`?hmF0$_-L_3x8BHKYlOg+LikUMVNqEdw524vOms)6uI>v@1w zdV~$0Mxnt}_`N~0Jx3hc8TjH8>v||%tV-nKT*nnMCyWGEW<8fHikTx%BM#(v1XQS2 zx`2+5f8mONtA1cM7}H%yF|xbDK5f=Kz-W@IRk|lq3CY)ExB@;wQON~vH3yaKR3Hu$ zViK_vhfm1Zc~QHrJJ3CEY~fzQW&~=Fx&LUc@WNpj?{I<|6*r2#@NO!tPPGFt1RFzw z-scCT-e1y#i0WJ5l)!UMg=+Mo9`r=^3(H4)$7yCyLQBQWm<96Uuuq~VLHVIbV&7mx z2)ghKh;?&Xc8Ec8){SDFErb#6G+fy`GBs z-66Cazosnxz3r4cCcl4d<*aw%JDd1W_r<(5MVyI!TsjL>$7opMnBNZ6 zoN1$>nxziKuSEx?U4O&kr5ymp*g)|xI7L2UN=6FRZ`k$g-^~;w&e|_fS&e40p!+L- zd>4L{f&P7(oTj`TH_S#j9T^cjQ_9zPgvr2fA1Ng8lNc26Al0^@^NV|v%=?Gx;iKD@ z#Ih} zVq)@)qekR9{>Q>~7I#c~6`!Mq;9pcb3E>0zFD4TiWXSKb9shXzsOoU=3`=*nP7_vA z`}5nl*T4?11J0>C0jiF6)k60Eb2m{9CLm%B%3USJBY)Bt?z=<&b4v|4(Ccoj0(+;3C$DT*Qsmh)8 z(dK99&Z)lZD;qX9?AQN(ncL6d?*r&d@LzQgdnrfQo1Kfk3adPPI+If-V6eO#R+v@# zB<=KXjDyZjXI!1-XbBUsiL(;nu?7V!>?>}!cEn=#<`=;*IE3&AR5euMGu@d^=aX~o zoj?M`Hkrzc?TGsahyBXxOz*Xv5AC1EK3i_VIpW)q_1pMcfwudK-juwhK>cn?#`SY& zqRSjc`y`b7c}KGTzG1+_Uk8In)~-v-^;IZQlo90r|XjwOA(D)QHRyF&M`Bj)Es?n2kUFozL0n%t zUH<}h{^kmgz1mb`kn7fu8@<#YhjK5!IGp1?95{mMI_kT~z2t6J0Lt9yoyo_|R>pDs zp3mYu{{AFr^S^)*ZtURN@h~5C>O{K4KGX+S)A4e{t_LS#f5RW91--y{dE>o1yOR3H z$KW8Kj?K7S_pPwg)x+fqs-)X5evYscBzUL7QL4A(Zj+r2^u4feS$aJ_7i3gP?Xy4k z<1>V=N+s4T7SlIo8_4u4snydzi5i%8O<$RUklDnwI8yrK7rR3=DA>2X=mACUyXh<3 zA7WzbAy`uPK<?|nUgSj?=*L>N3mAICT>{P=UWl%xi{ zG?^!4;TkUH_bg*$1*PogZhzUHiy;#HQhCxpyf88HAgQd3*w6dVB_qd;wc#d)hw-;3 z{ejQf*5u@*qNENgjgGX84bw-PvQ}nM(>c(P6l(psdp1Cc;iq4yhv|`hlyKC@JhS}9 zYr&kA^&g^^e-Labpe5}gbKlIw#wrOt?KQp1fp1&@P>a(}qC4_8$p{4habMnFDN=s< zUpd{?PhAK~DU)Z+F}P}Tb-PIiN=*KZ-BH;=s#EsUVU14UT2xI{eJA$eC)AN#QIqud zCxPv_pygkEeEd4)hQ}W! zIW==?SL|s9VslP#(YAQwUt59bA$=2Qx9+W(>Kgwkfv#BG;@3=4(5a}sY3NNNnVXDu-sVh{D>H1F%-vLc`EOHz2}dANS|fA* zGA)i}$tz>fy(aj;m`plx7}vFYv?vxka{T0YQe+4)G*XW0fe=HzN@MW$FFPBgrsIXQ z>79N(hY{~0Y+vT9$zx=4eyvFh#v3$s$zOqxe)C+ft^C_0kR6gpt~X*Qwf*n@_OeWXxjKX&~7^~z~bD}e|02%gwXXp-p|E45gkd{VBH(InySVXf4kOo{!# zAq3J}8A0Yz`4CH5qOw~4LW=^nV93>UIG_H;aB`pp{m3Td$$F@5+_I(fu5%6BtQZbK z6I#y;XNrI99xWH3b*K~m3JiyM1WWfB7V%Ra_58SSal*{@D=D1+eAW=1xwz8HG{Lj!woE`z#S?)YfAf(Ywau7bOF2!-P<9^lx)90v0lIjc>nHpkYj?6F6)KVeJJr8EHs?1BjaovJ5;stYYyNlf=PI4l_p;plv#z{8T@l`s7o!*sM$%8d%SFsk3IyxIbF~oF;%V1efyf(-{l`d z4I!ZCMNGs}we*JD6>F|7nYmkY#km439>U;S{8GjGV>htLr~u4K+||lv(_@|eae2Fr z3}@xLixbNBdKq9TreD%`A6>1$)Ho@KGE0jnP3F8wzW_quIyJU0|9M@3VKhu3)VfZU z4_CnH&LarlM0(J%!b@8q73H0Nu^H_E3f1uYFzgsN0D#r!(4jMmz6*#EPL_ll-)~3z zNr)f0VVZrG(DiaYc?(&?nJj#XR>{0@Xp)s`a+`3pLB9% z|E4g1B!ioG!-aivph_M*ow?Wvz+hr&W|=C}{}iJc*s`G~sb^TW65791%t_pOrzh8W z)4HQ-{%(qIdG)owFATIGJE#daF3p?yapZQ}8&}4jSkQ(<(Gs9!PfkuwM|O<*pU-mu zMhD-t!xr@v@ZBvG=#FV5?;3w5m%y{od=`UT{7D9cXAoyOplN!pioz2hZ$UVRsc+i}5I%~4!K$BrG8=Qkt zYpH8`&#FoGr=y#|r@2<^7O4HWmZyvrkSAtcL=fQWPYY$p=C4zV`k&Ao#n2aXRk_gR= zyUU*MmxMm%gVBlmFly7PA-RXzpKH-~UXpcW;*~G)|K*9o02nOqwUE(corz>pE}inH zlpGksg?dte@i1Mjb0YK{+QArdB)h z6}e8x5Gb?Hym4=DO~;RSgtU=v!q5YFE`OngKG$Fop_dF9(DMbS5I+&B4lHi64}3jU zAB})D6bN24hQ_5n?`jt_6eq3=$$f}v6=_=Z{&l^Ryp}_qcOf3T@sJfMwuFE^b=@KMdeTS&%CWzP;a*`sQi33r{PICrt|YBD6Yj5Lth+QOXlt{(qGK(fk)dWeGw!% zvoF5oELonez3W;|DJ|{fN$VA+ldpMn52B5sJ*wAKFUv`zV0Gps@Az9!0|LJX9iM|B zyp14?`95#JQm}z>Py&+ZTtOm5mSX9JH!?h{nk@a zf@>tkyxt7U7Eq!H*^w=K>h_ESezA}xRf=rClw1cObYE-;GAAuNjy!F&#c3=gU6koC zN9FwU(e++)dB$Y9m{w2)A&X_p>)S=SeVe2M_j(51UHU`(K_JkLS3TkFEo(grA9pjePUdCnhwM7pzr?DCOdG8`?L@SEJ`C#lT1@(!=5 zukuQsk2A4!)C~Z}1`Fp3_;}A8Yn!928&MtCt7|405*8PPlGLkHYMU?PZWgWwbhS{w z_%ceHl`|orxy&YdU!t@el&xLILH+{N-cb-Ytl*@t z;RIXM2`^%NL)%b}nV+rof#bI{l3V0Uxdg{c!P#4>RduCOZJ$-lFdOm%r>AA#c)4Mn^1TK3wwkxQf;pf znaAY=!i{36o5xLfUA@g3w>u%;J|GuXe)c_f>b+8-4DX7%6VfN;&tS>v1AyRcuDz2V zfVc8zXk1G*(oP}NEJMR@mNi$>*f9lrk{g2wp1fq7NK@`w47tJh6rVdO1W01 zlw34VWEf1=4)8Qa%tdgaRLgt8e$w%wvq`f*dqX|Xx&q}*g1 za`@9HPeW);{O#}qz^HBcHc_R6y7FPG`mULBlKB6GUO^GF+pJUJ`e!U^?wn-@;xXtr zGiW(WHH%y@^3BIL%!>sQUv&vg!^Z5oYf{Ggk`CUj<+cRq1MuIg$JeGzj*7b9Dd-T; z>K}cDq(=eH`NA6xTkNR3CCy2bIZ{5S>Xu-ZyNr)tT6*0<-|&&b9P^U~^70?@PAM@v zC{8I=JhdOWAq7TgrK0*C+P}*4pnBxj$Hl8rnl>d*fa_N0l2TT^2yx|ZK;cx=K8nig z{=(fO4>G&>%_7Bc<=c3RoV#|F>?>8YxB-+X5_nEQ`EpCfXpGch_lT4psGfV+K_5Js znTB28Gp*4Hot;-L%h>fKa|aZpx??JW-}R!g?O^N{&Nq3J6bRJ4&p*&E+pafoB`jkS z&&CRZ6+wmjRMFa35h>(uBLYD{0D64WO;xiSZR|AkfHz3V^U$5#l{A$z6c?&|a)R?&u1g14U5nuI?BFJ3haj%O} zjYYeC)A)d8NrPWA(mN4lWC%v9u0l4necE3Qzx_UnVVLD6O=D)h1eAS=A+JINm@Azb z)#n!&aEWcsgP=rnH`QFm1S5imEHqDAZC!A$={Qb=h)QN8eJVGje>;l`%5t9!XDHyH zVvb+a(l{vjm117@bR-l?f62B~!D`h;w>+Nzh6mTFKp@i*Za!F}ljABYmbeeQ5m5Sj z*(U8kK>n-Xdi#|_oqhh#>_#ZHq3kVmcZyO#3YK=D9XO@ec~{q2w0|>U^hLwWVQ~wr z!1)KBV$_DOO_uTrGSRM5$%Ix{8E5&dtF>72$BdrP)*SA{1usr_(-0;U&9YuhBS5rk z-~p96wfIU`kcF~uyFWZ&)FIE1vj~YJr!ZgyAl{AqtK?uBb%>Se;(pc}vJL8`Ok2`z z4+TtNP=*}ic|d+*;5d<-imuU_5H;18%iFM~Hka|MSQB0LeP`JxKqbRK>3&XoXosVs z>GlB-?fr&zd!n#9!OsYc`nkChWE7#|t`3k4%$L$ zP(8@)&1Ant`>gxBArpG0$EcDOmhlr5^fGm8_LzYq&5J<1+ibjr+x3PQZxiY2Fg}ro zF9-}8;6)QBIpGUpQt|Cd#>OS1FR6e9zd;11H|)mp28GjlfWQmKKQ8=(l*zUZz%hl) zQAq7{HYsLr!!zDp5Q>_Ydg12j(QqM$^Zn6v_F@MTQB}SaR@X& zoYT{sAA@*ycim;tUIg!(h14o9XN)0AEru$ z)J*=+C=aT(Uv|*6Uc*WhQ4$GN8vihZil!iEfPf;!+*ypuXqqT<+=p|OY!CAAla7CF zFpbQ>Nl~(c6sR(B*Y@)~i72hgI5l||3+8XxS2@pbhLE_vuqQUP;Fr`smg|01AK3HK z6r02Ms#v-KHORIM1PAMcEQiG2fbu&*anaV%#%!$L3(yGlCIr%ROo}=j)B3g^fxNz0 z-i`@^@+78jISxQ0LF?7p?Ay{@IEmZ#Q1v?M=pSo`r*yegBDZPdD7CE_7giT{k3OUK zt*!!CjP)jVpeVj_k9D6rfONx;X!r&nespqLGMF0apE);U61*t)R4Se^AM=lim*B=$a`BoI7a`OV$atjVZIu$Bi z-GOH_Y9l%ZDR9#0KXXRC*s zc8)`y)6OmU@>DR66{$;(+&`x^e}+WJNr?zn+HE{8FKs4X;Js*#h@1DaCsnn8)DF#4LlUZ1s&L{MbAsab?b7xd3;3#2+COqdO>E z)g%3|75am#?4NaU12~}~1B+VWGRrNW;E;oA3Feg@xA_xjo&VIV;lV(7e?I|x&%( zF7wyFW99uCwK8mlIN!c)X=-s>3H7ew_w2@1E3yo7yP!eh&Fs_KBOo(FbPjGE^`OUF zZbBV2)LPHayJ`)+-$c4w@FZ_#8L~DphSN7#gH>aczoP ziOpyplUv>lH7NPK{>$A^7|&+6hN4eG;%tfRYYYSV4it@e3(?Kcp4>A&;HL`Ok!hUk z%}bgJ=YB6nc6mVu1Xg-Ox(E58u2-5kB|0xtq0@%1E}al!#WiH^pt0X?p;Up35npKm zrsj^mCmEBm5X&?I2W{&`Z%ssMX9_4xLdncPsfG_}#7}$J;rbCHd|k8vrsSYB!CP|2 z4BbFtz6JZTRb#;04+!8`OiD2^k3Jo%$2`n!IoH=BCUvWrp7)hBCtDl1(g6)Ob4a!k z)q1^d$B4$;uNr@CMw#W`*frf+u+j>C=4e z!@}U7&LXtkBpi3JG@dN9!@?HfWjLQ!YlLpb4AbGr_Vs31YTHl&j@!P$`<>F|E?hvj znk-hP_4;0<5h6u_i^2V5RVr%OkfNd2P{3IJY%wj#K;P4Lg(?p!xyRt_`7H5R4w%6R zUQ~VAzZ{ruBDOSI>-)y7YuHR+z5K!3{}b-J$2e~;1W(_*uCF} zO}Dc-P@R>jS-5M^39HB3O@9HpCk+U9U)K=#5(K7eyrnwj?sH~s*pHPZ1%PT$JW=LM znR2RA-6Vm^%}Y&3uG7PjGqEEzO_4E72NC==x>Bm)O~!|0?%aI2zHoE^qR#pH2y@iT zAR3%%`)*-pWqdyP%=kA1)1|@`st&;({5r_Sq+8F3BF;I}3WwY@oW?aq5P!~`4~ zd~)@nLYIC0k`0~0OTzl4yIg+z81N5#duF9hQEUkxs+m`N=v-@s%lHwuCC7Z6fV-8OX{G!Q$ zTq@dnOMTCmy>!1-2i(fnmyr^(lDGae$5n$BB0mHlbdSC6D7hq8(#&|#@ClcFcf*t6 zBO95VOD5|n*heCzFyj$QzA603_{Ub~i&mRAGrj8z6cy}f0p0^b>cB*1sN#h8+)v2A zSMRA#m381bdj@s*kiMd;j@HCTNdo=g*!62rYK1eV`fB!MN%sXYXFN_pvzO>H;UD{+ z{|V+4(GuWN(lPuNH<=sxM8?N&U9~Cgs~1YL#+x>U5bAu_H#FbG4itQ3a%b3_>WM{inTi2!<%$omPI9E2A~7A!7&Mc#)C=Fx4;Mq~5r3$Fmod z2~pni{}kVm_pUKitqU0O2qP{n;C8qcAt~X{Z(LJMj5ys^c6I zIQ1Zjz}AZHy)Lpf#qQ~o24f7t?Gx9E$SDu2=&h6w3j3{Od!M{c)@39cUu-92({T`) z5*UCQTsRFqM{Zm-d1lA(?E4$v7W{Q$M1m*~}KF1CP~m&`OfeEq!3$?Ucsv z(%i+oP0Y_U=J}uy$s6?r$re1_o5965 zJbdWzF%I#-&!L^0bH2{7&kx$uB$#~ExuSq(!f_ThC&5lkYctnzj&Db9zM?rfZD3QA zYu2hBG!mx#IX4zPHm$8!Q57U-Kx6adq)J4`xOe@SZu^v-^B!z9uhBhUJADsOkp(gw zsjp%PI~p{gH1vv6AAjd<;olFXeRO<-`~=~t$#O^agQbm%iTq%FWDaFVZI-2C}G5?9|B zQsHC%_-kzB3qs+RL+r8hMdvsN?_JyU)-aPtED($u`o5LIf6$leM5RP zOlEiU)raK!b|;OFzhXJz$~P0 zCVpgBJ1Ow|5xD+Sve0InDY+24Q~$!b@UqVJPJ6_K7863vTHZAYY=sCFZjSnv|8j0> zU$3Q@yTRf{avk0I4~x%+G0b&o4!Gk_JJMIcjEst*(Z8H2Y4?$H ziZHLU6|~dUzS)Twd_W&+v*e&Pzq0W8jaX=7GM$6bAU)gEXeD->HU$T%DdqeQ@@*VR zcEm{&FWrzbnguFHhobnf7tJ@;mfQz^KgHpaBrNW+*X47=yg17mX6?{Tn=G(^y(*|8 z)hPPDqa5dObMKy|3$yF|hDARGX2N7rTpAMo)IwBXQH>@&DJ}SB6Eoeeo*7Ul@D@2~m+y52B=^ zfJlvjs3@S6NU4ByNeqpnpkjbQNMq0f0@5j1v_Z(w2-4ks*M0{*o^$5Q{c=Cthi?qC z=Y7{+d&O_X-dj<2I)SHYCV4ijm0)N8?mO{5av!$L7qSUo+*IZy?TvP~xm$NTT=7q5c^z8_vQ^G+c!~jlFzm> zaX-w*&lI@M)VaRk zOM`d2OL&$0^1eBuj?ak;mp)9{w9k)ehU>GkQX4?eIZGbaa(W(|coa!ue7CYDF?~Kj zN3!Ed0CP6Z^XHPuU@}S4SIvRp;C?FVRHz=C)k!}|uAHoiPvYjjSw8kj4Rtirxep^|#l9!43X#m^IKog!4#rpu$0 z!fb>`$cbcbX5i!Q2de)g#?zTgWlfpwlGWFFlvz~&(cR>0Kznnuj#}el#qBjjDQYne z?fISot1h>lYC4RLhCv&Ie2=NKA`>z41(ecP48?V(%->ym!bXDj(%&DT847jm3Jo}w zKKNG#;J+eS*6%h3<=@7+Xsd6RF0sTH)oT=tC{3^Rz-lQlPv~T7P?y^jd$%Z~B*b$2 z;&9y-9=L{eHaJ`GNkVFO5VX;k;s#_$W8?2-bDsD9;0cweoe7*QJmsJvY6JWL+l%U_ zn?=Fhezql!c;8y9FP!pq&+)dQQySGR?N4l^Wo7anuOTioe{aYTq_%bospjwW)N~9A z6rJ3f);qXtR@jP?Fe~S(PiXp6Z{z#yY+gUeoV3R^|D5V9;cSj`osT!Jxp#x&b^K|n zMqhJx_x5Qws-#eUxt_^47B5st@|9#uQ-iYXyeC25inh{h*wP$`f0;_ruomlt5CHsT`v*OV|BRBFvzlW16_6q zZfOaij5JMp5&dznbDD)7hBhvFH!x#dG!HgtxMV~NEUq56D_>s&%}t!P%N_|@ZP~uG zV|97gX5PJRY5j5^>^3XS&%w~Swl^VR4CO4eN{X%5jE}KSE7+0)gH51Ln^JIc*NgOM ziYtqCb>|F%?lG#ZC%TsiJKN75aPb{~~0LSx-g z2S-D4itPZ@q^qv~h=9D498p|@LC8V$`3U!CumIg`OP9XAP0!DI;smMeZGxX2#zq?Z zb?LcoUTfjk$kolV z+;3LWjuW7Vs&%5%O>v6v_yXwHZS?eDGQnE(g#H^($;eh zn_IoJG+qG~$nD6n>tCcU+jOBNr;W5J;*I(aM(QMvQLFYJ2XcLf_82W|>;=bG{Nmw9 zD^BO>mkD8&w4qE}@;Xz5BJ8Su(rVBmyYYu$O3<3iOjK3sFO}qY740RKhs;SyOc(Iv z8by@I7^+ZFchDhy3t^QVlpQ;uc!gS#PFrk3-{a!EX`asKlNdhW<^Zw|=ZmONY0|&p zY@AH=*3c|sbSx|q|DZ>jsA9jZw7tT)RbxBRlO|v&Xuj2U2=`@n-dDR&Sex6G%W16c z5#4YdLYhFDGqkMNhvc-tQ5$KSj3u26K+wICb^Vqv6BBOf%zX1|)ynmlZ5TMKt8g7J zjPtaXYN{Bm^44&lxjrfGMX!Bep@Xq%s-vnqk&G5Pz%adIH=d&&W9sQSJUg+l9;a8b zXW5RbJzPa!EWf$MNgz32SCslZ6D?uf_3GPWJGRR<+w=`9Y|b*NU~7@i5{lv=X_KFY zZnLnvwvLJ0`UG)kI!8}y)V#EOOL~N6TVFd{Vb;tS(fNRI8`&{X=Ngr^qS1U0&E=30 z>CppR;Y;ZTL~A2&YY%VdA%_-ncSa`^BFj?}Om{vkD0+>v%4tw8Er;u9-2t&46?&bV zFS@v>LqpBS_qn+_-MYSlx7%H^X)u9TKB}IDe`Mr-@@+{4RXbTRL9*TB0pk2~E<;;g zp3Ir#d!!ks!x*7^q`Ep!u28vx`9KfU6r*rt+u+HV(>jK z3>x67B+;bO5$bS=9fdJ#h*v^atxu!%um#GeuA$H z^Ct`TF4F6D?pc0C4Z2MD6s+OE(X2c5?1eLx(GFyk?hpRp3~>t-jtH-9h#p~^wvh2y z_!*t{y*iJ4!3?A0u=M`We4sO)-gC0ux7#gdq}FH5jB%!_W_epdd!n`3Z2WM?Px(k2 zD*lUXd9QmOnaM9`;ch=YdwMf17hX4;aPG&H_Ac^VRl)wmIaKA*vG6b!jEn&oRnQ%Y z&A&>t9?#;c%5ei%ILIM?@31K}C~lxim=>bb>wp~q!Ab&NR)?%RGzeVHHn%t`WHINl zmMR7?W|-oKRyguOg81+y;KC#A_qe+11*~gd({n}G629LfDRL$?RaqRReop&}lsi+~ zrPM0*Q`S_*$NVIB=*dNm2YWsy96`95TM3pn+)a&@s7+I>aj5`8U-cu@RdU=-)q7lJ zEFofTx17l4+}pQv#GUxCV9~Te>7`ZowU*a|dx_v+L3}2c^2^ES8MF#QoG{ivHfHY6 zj>LeBM1o@8*SmL$vgx&3YP#FEX8MpOV%!E3AGD@bLY<%HaL(a?!Jy@`)ELWc<6gG1 z7xLB-M~EGJwdCvUc_+yoK9Ojzfwzvv0l@0T^_Rn+x+KeOB06J+qTOkuhxU9~^i4Ar z*~1lu*2Iyp{)cdp%JLBxAW9QcKPLb(qcKiY?dFnVY(0XV9~!2-+|}Oz&je3 zJQOX=dllzP!$h3JHHl0;))R1YZBGhn-;|$1F#EA7Rt*IcpC^+Uf@Qd+p1drO_ayAH zuI@C`@*Rw~Z+)}U;5CA>>mF?*(4PO5>1n2IpJ<72#tAsofl7~K%G;WE%w~A0x?oD$ zgoEv>)*bu|srPOjO`*={g7`Rg+T$+DGkT-Yj|I*OfC%*8!rDZ(dqm-(> zan35yNy2q1&qy*_V?}nPVTC5|l-`33c`ClKbeC-KV&Y>q1ykSM*5EqY<2G6)yI3qP z`K!t7sSrFsEaBa#*eW*VCFkoYd{(}(5vQ7p&&q6T3MdWYkS`<0wQA7JsRqqtfWfkH zb_7CxO5gjDh#>`C(KzYUqWTl=KYM2xJgpKfWm9Lhr!O@!&pgD>^mKidwr#yIIX)jf zLAZ9$)s9W33Gy$+&Hs~qqcBI0nH_{XuVfwOc7~69JNMbnJGOr1bDjJiJ657k?IE(9 z`$BBVru-R>Rbu;@U2?=192VmQMTSh5T#r5+U@x0$ZI{ygf-$dbK@|XMT(cMUX^YYn2lgC0E_wA^W4o>u;Y^QKSaa=})0?xLD%k3W z^mHqaeRxHVYZZY9p*eBT6ThT%Y35d@Yg9rfkD;hpp?y8gSKRqOS10@y)Ukbub0<&5Bt_HGLGEBu^h5?waO}QjHq9n z8wv2n`<^O{f;yQnOIS4mkxgNvEu=649<3lDU$t(pi>eb&uM|EoGn1R*tYVdrnEK z2&yAA5}IjiS|%T!O}42MK!5LK#eF))L;MiKMQ7IKxjLytTw%M2Q&Me<-mm9qP!|TV z=GB2*4?3V;D&{&;RwB%o4LGt%tICtJ(gEV?{Q6{y?tP| z@|~YL+LA@EtpwQ55HiC~MJ>W|A3Jr%lzzC6))w1!x5+{s z%Kt}D>SKL$v+7um!r&~Or<8HqOLwJ;{AqE1_id@!Jh|PTN+uF5W}9hSX<8gFRSs}G z32t%v;cuw4Xgrl!ATy;fJ1EA-r^ziL5xjR)T5dah3l-FDFRA#cTwh2U=@d(ZR^+9!MUdO68RFTdT_ z?Xp{s{k)jCrKFDSqFV};`2D%2=Q?T5*0D}l4-f>1{UA5GykY=5{aI;S<>~cW`5i7t zTT|I@>H!nY=+k2k6gn`moBH(T znYR^ISEn@V%a)WcUm=4XUU+sm9FDb?ssZP@p1Vb+{qAE8V^dUPB?{0$zH3^x-=lF+ zmyi)?jddfgAyNYbp%bh0qhpLsz|UAV)8BJ{+O_Qrq{F}fMB``d`sNn-`<>G#R{Co3 z9H3wJ_z6g77;x`%YrIf>O29TH9%W_>c8?6)IP&o@NhIqaKY80$C!7LNo*cus6CZg3 z=~s!{D-o^xd$DT=%Qn$Yn{H4NjvM7OCg-M5G7paRuri0V_*eM$GaZ9h9;6q$UNxv< zrDi8+M$iZgDs# zH@C{wew>_HypAt{*Wj#(0I-$ihyYJPm-b}mPYz!VmEzd8Q8O1J; zZP)>+-rFY^(1VwDzrNb~6%t0l6Jr&f2&Z#vp#1;hh z(@>TcMAZq#j}0aF0XirwO7Y16Ftm{RjH~>T99F_$JbAS3=YG8n%N(&wfd_}No6ev) z0TNB`C&i#pm`y9tcwo8CMo;m|=+(!Fo8&~T?!~!xUwksOlOp;MS#XgayyvbZ+My4r z`;p2>jex~N0uR6HGzUqbRZs;xw$XmFfT#OfT&f^>U6f(#oOTrHvIv|G!~5EK__5Xf z!Z&3JhitL(Nhiwk${JJ(gGualAx2+qluHuYu=N!V25`K=$|AmqTP0n_2|Mu%tNdM!AFvN+u9hv49vwcc5SX z$%LOPUDD|2qlBQUTQKXHNc@FE58S4O>mSUh^7TuPV{HR{v?%s<8+4IzG#SO92#C`z znAC|%RnX*G#zT&-tq15ik9cY(rH_FO8k*uvWsiax`P+)y@7N6P$1Vs2ZQKvj ze!uO?VMz1xe{QjvAn<$CK@tTgM1K}*FxpAmB-=GNIj`~4B`sv_~=9RU418ZqAS#D0p`04m1$gOC7 zbjv>6f9wFlu0&lX6u%}5xWo^3wx1EYR7Mt0>MA&Hfw0k04C+Tk611TMhxdbMC2w=M zEG)Q?hY93C?Y3vVnRzbO%@W%D=9tw2%Lp#0JU;9$#1<07W_hjfV1h>p+g&mqnqmWWH2dX_dnaz9JQa$!>T0^Py%>fiNax!V9>lGH z{|D&kne(mRk&Iq1@~-*;nHChO$V}Hp60j#jt9x~p{STrj*P(>@Uz>i~7J>8AW;4=A zXm(hS%oM!6$3@Rje=qy`LGm>;yREz5@dKzj=iPt%6hxM(yrihSqEW0#B?GuSpu@4P=h z&qT69j}0jbV@?juc5~ep6=vnOH=F`T|hY=|F_ zSwB;e+Q{Rpr_rqN+~{Z@-9=<6kz1ZOE^mA9OZUUMVB<8{Asoxh&zbTMR-B}U=Gjc! zn3Z-jD32i6z-EP0N>^t#))TsT0=9U@(tq$GcE0K@~dO$TO4)(nUAj#$jtmtpU^ zjz0$i|D2R~0iMkIy}o6RbhkTctNZ9y^_SR%t6sDlf@P3D_0nY^cTAuHGUOJO-ERVi zxt~L1UE-lT-4FG{q=)_)==cOkpOoKnAAqpwRdbW`CV&>9uPk-uDdOZX6Zs? z4*Mu?vG61DN5R5UZ5-ry@Z9>uk%gWJp@kN3MQO4n{1|ot-etkuI&dP=uJms zeF`c{-z75(=_vsH5%m&UqATnm0XyEz8%@E-*n35i>(!+*FDZj09?-hY55*fQ8kB5? zEF)*XaYA|T7jgptaJ&y~o!S+h362v_qG~6`x0mb!D{W5fci>^>en>2uHgea8bRwAS z7&jp?7qSuH)`O)k$X7$BPMR{&R$FhGAJQuj9gW{m*LfN=h?;12Osq?t`dX~VRpJ%S)lc*TZa9I>F`)%jgP^`@@_lP%5&3=K*T6DNZc7vg*N4AM)y}Vfk5KLIytEE_QeGcc za0c(o%}Q+K)!uKn*xxQW>=h>I|7$s*@0UNe0Xy<#J8>5;!voUHM@UBmmUXmB(J>lF z;%SE>wDuWywaD2hDxV;ypg{fLgqeE0>oKG+wnXTdaIv5LhGcD>#tbARpvz!dDgSck zhaEezsuxsaSKtoVLU1@9PoQxdIP+POibIFjXz=Mw&j3;5pj%$5&2{fh+>B=dSqGwO zJxUGOmW?L;nq?noQhX!(0f3 z8-GboH%LynmJ<*9T!S?efFn+j+&z(~h`+QOwE1z7#%;F_NSjr)O5~^IrpXvF4*%L6 zc@j!Kf#&^ZPy=EwJ*ui^@`o2f+Q`LZao7SlS`R$u`G+D#`+C6u6~$vU|hCr_wXS%O&1s{FDP03lS7(_Ckhl~T*$u?zBz@?0spSR){s_Med;t*RCz zSu2m#FIz&*sGZ)%ND;Tdzm}?7$h!HC5}3o!uQ-^YK}BP}>5{`Qp2dUK#kcGj$0C$( zbZ^3>L;xQ%GCIEN%a#{xAr`Ht9tv_D9M-_;<`Yh3Y5eH*IpRUiQp4-5)q(o7j26c~ZGG}z%Be+=a)sWLqn}bC^|n0fI7Z&zgCxZnWVckDZIZS7LUt&C7P2O|j~MjND_E`G`3?yRZWxWc@(RF6R7 z9=*k37x3aX8=Ev9cK#L-5lmP{8Mu=(&nq6IOvf_Rd`mta4IB(2JRf(w$sk+uOYq77 zfBH9j)WYXTb7JCc@mnW{K%-h9&gS72HLX4q3C$?2Va`9;6LhsxU8+W_rc!;cq2ZX^ z@}X_u$_LJPAtBzj=kwPLL#PmSv$=Z|eP6B+@H?kSM+G)wVJS}Bvztb^MLHKi={g1; zWP!+zB@_-PB^=&LUePWbO3XTy-vQ{HYxcD^5Vv@NZimk{6_y^^v2Un?1}1-*J>P!2 z;Pf3eEDA<=U=u9j&Ick`x3KX;6p~x3B+4ewPyVnSvXRVYNsABtxxK)`84415no~8M ziMt5f8@@*B7r*|^M^RWvQ_nQ)3}?T+uhT3V0VcSo5AZ_jj?20sPkbue1#sup%lyIyPMcsooz;6v>!OFA*QEX zx&7m-uS~RhqHdta$%&2*Q$DAlyMrVN|m|G;EpO=B`lz;(u+g9?3Ytw`P)UH)3%^VB0Sq| z!Ae7lYv{%DWQv}tYMFl1X*y5WsoZat3teAhP>&a+w|og1@-2d7iNfeXT|O^5A7Gy6 zJ>44ur%QKH{3)$lsLhNk#H}7ARXfh{lY#Rwgrzoy)(AH>4T7vfLNG4M!pvqqpWLZ{ zL}Uqix#vSXSCHoyK*P_(wqM`~ciws<`(t;L8w5zlOuw;TemH%97o*Jh3^ZL8KRHvv zv5svpIDOt&VZyEKIwA@ao>~YC)iTAek~hiVpzfV+UY)mpxPYUe63o>+LV1PlZ0}D! zy8qRd2%xrQCG%Qvl+GND*e;9~6NXdoZt^6KvsWSjwu_3!Wt#LyD)1a82}N(Zct z<5G#1neI}n)+4_O>-~q2bemW6)%gGulRi zs*u<A3!la7#8;6{M9;a0QSkEkdmPo>PW&4*3Fr5Bv<<0hw~;8C$~)P7Pyc*_ICUs_eUHn7kT zEd*o=Jx$j?I&;@-W=k_f0bWKl0LQsI?KBt)vmU+^lnOdnGmp%I{{CXZ$yRM?$DX-* zUdyc+5M7PDyN|DFXx8)(N9{gje&g$a`d5t!*wx#p{0<4sV;j?-+h0D}e^kW2Pa)YV zX-V!*0u++0X$Oj@_aD1u-&YSlc3XIpmqciAMgEgy`fn~E_m|__>yraznXi4=Vdg$t z&v(l!q~FU(&+{wFOVYM+k>geL-d}Bk7!99}wSD$px1$|b2x)M}v0RnH-4yg5w<~?ZoU5otUzhAQ= zPJcq<-!g{%5ecWSYNsS>klS2;SuXT5ycB#RWwz@Vy8b1a{{YO`!u)y(gzS(8zGr0d z*9v3*{+4(JjQRTvUDT}m=SyJ3C;+h0R}WS;#Q*WF@+(;V?{)nDIzs|RaEF6E3QvFZ zpJ!3u1-)TyboTmfgMUBo9}NGK1bhmt{uQlc>;DpsHUc}=ognuR{Ym*AfM6Qt{jB8l z+Mi@FqKka1N#xcQvKv?-VRdm<7w3;q^Kae2Ou(wK?2uhZr&IN)G`nR81Ih+msMP8m;?v0|j{F{Y^3oTxyK<++SJ)s>i>KRcTiNa_hvNUReP^rf9mg!0`fCVnNJ!GnnfEzyHZ&n;b?6g z1vVIun#Geh&=5|)&!NDEi;KZ#r(l+kbHY>;DY4<=Qn2|E7;qyvOg)YQ8{X6vUe)q} zS%&KJs+&+?!@JEz(OPhhLDEz881+~RY)EH)JsSYK>G-3*mDXxfU_&;~YdSVG;N_QI z|6U4gu)>*tFogb)vL4$TYLwVuy~(^x4hGycw!JGyi4EE`A+~f#8gfDn9#CR~_Wwfc z)*@*L4!!D4fei=i-(C$XgnH64C-23}6xeW_tvEU?9|p{Cj=2~~fep3(ubsMK^H+I( zNok!11vWH9z4kUj1M=SX26R(k13}RIC%N<9s<^h6f;2epH}BJgW|CA(tFrgm6r@2H z7vfR{vkc7*v9qAW2HlMzt{-5){g4m`6AEm2Q(tm50^Mxh+Ok_$lL8ywvAv6qKsRqS z)E@2l1!*Q4YaxOt>PtvhP{5MwJ2y_Y6~ZilB2K zzSl^dra%JhV^^1R2ND*XgHOp(B0+Nt|1L=&!9lPxikkunLj3ynouK*Ui7y&zR49-T z5|wgP1e)Uv>pr`d+5DFaooQm~r*wgYyt$xrqLfIuxSgMeA4pIitccq}fds__{q#=g zkSLD}(X2gBfrNyvlq({z4b-rvBJVUM64GVV&&mJ^uFgT4Jd{Y#;^yZ?N1cf!RwOb~ zAiVB;@j>-VlLZ35H)kEtFYP;6mmJ^>ds^7UrH_W~D@e_Fw#a z;ZP>+%@!3Yv=m72NiY!Yg3H;H*dxnb&a5p=uJ=XX*Hlt{={R9Bk=5++=p zn$S=pL1zy?zY~x!CRmZah5`vm{D$^Xp!W*-Hyf%7GgJ~2|CCp#uxBV3dhwtEdBj=8 zR>ObY08_L3;qXOGLle;ZuS0qt(vk;N&G`Q*^AAU_XqudY0go;9s-6%i@GgxX z!Y?;)vdK)cmP9_g>9<=o$k$faE`|Y~A%W91I%5B#(1OY-IZ!PSPNf!VZZVV@Cn=_* zvsV7B6a)!B^$&zny--74my8VsHVpA!os2@apQYP2ROeD)!<52Rn%!u?8=G0BMha|L z4%YNC0Zj09Kx=JU(tp{YT=ZPi`xFd#Y_3K3#Noee@Oy2lu74M1$&#!7E|dZrSW?W@ z4Q{{y>Jar0eiYbX_$ov#2(=yLhqH?Opuh$%fl&V-beThTfWOFP3T)WRZ)6`0mO&v= z|9wR!1vczgF!I`s2E4l5b*BEmY*4NuX-1gSm{rG~}q&Xj5WCx~sbRQ6vq)YIUlV*pL{Z76PC_C`^}C>>DLE2uAvckPkod z7duCR4JQ1?lhI%r6rxn#SHj(W|4|AX1!EdsG~ngAuCw1Lu%Tt!#rGzF3BLBI5Yt{! zU_;x^i>0Svz++<-?R8p$mFm{H@N#F;k);=dn7W76zydE2oSnP?*KQ`HStWZ~=r`-jOcF zY6^T9x_Gf`WseO_brJrEw8DReGoVq$DV;MQMUbx&|C~uF*C0l>JvX)NkF! z?**%r6qpEd`ypU8(ATbnp+e|KvAcIKasLv!+}UH<=qykJ(84S`?&x%!s>@YL4Od>K!Z}y!SmQXrvEg3YG{X3w&c&19e{t3_Ykff7J71m z?_VYzMnocO%t!dx^vBCr-bZ$bC$S4Oey;-dhwADgAt78{Buo`oH3>5ztD1zF5d5mS z!_4%mPr{tjs!zfY#42$3{~tJvER$07x2;*T#`E%$j{Z#n`!!wv##?u2v)Xqai~lbg z9T8}|<)SP9uWNe|+`Ds~T}b5Rw*R8kYAVaDZhM3OV&2u4tg`E$G197Zt?J1i(cr3C f`MkUvo-M@p#hFOE>-xWCTUi literal 0 HcmV?d00001 diff --git a/charts/jfrog/artifactory-jcr/107.104.6/questions.yml b/charts/jfrog/artifactory-jcr/107.104.6/questions.yml new file mode 100644 index 000000000..9cde42870 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/questions.yml @@ -0,0 +1,271 @@ +questions: +# Advance Settings +- variable: artifactory.artifactory.masterKey + default: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + description: "Artifactory master key. For security reasons, we strongly recommend you generate your own master key using this command: 'openssl rand -hex 32'" + type: string + label: Artifactory master key + group: "Security Settings" + +# Container Images +- variable: defaultImage + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + show_subquestion_if: false + group: "Container Images" + subquestions: + - variable: artifactory.artifactory.image.repository + default: "docker.bintray.io/jfrog/artifactory-jcr" + description: "JFrog Container Registry image name" + type: string + label: JFrog Container Registry Image Name + - variable: artifactory.artifactory.image.version + default: "7.6.3" + description: "JFrog Container Registry image tag" + type: string + label: JFrog Container Registry Image Tag + - variable: artifactory.imagePullSecrets + description: "Image Pull Secret" + type: string + label: Image Pull Secret + +# Services and LoadBalancing Settings +- variable: artifactory.ingress.enabled + default: false + description: "Expose app using Layer 7 Load Balancer - ingress" + type: boolean + label: Expose app using Layer 7 Load Balancer + show_subquestion_if: true + group: "Services and Load Balancing" + required: true + subquestions: + - variable: artifactory.ingress.hosts[0] + default: "xip.io" + description: "Hostname to your artifactory installation" + type: hostname + required: true + label: Hostname + +# Nginx Settings +- variable: artifactory.nginx.enabled + default: true + description: "Enable nginx server" + type: boolean + label: Enable Nginx Server + group: "Services and Load Balancing" + required: true + show_if: "artifactory.ingress.enabled=false" +- variable: artifactory.nginx.service.type + default: "LoadBalancer" + description: "Nginx service type" + type: enum + required: true + label: Nginx Service Type + show_if: "artifactory.nginx.enabled=true&&artifactory.ingress.enabled=false" + group: "Services and Load Balancing" + options: + - "ClusterIP" + - "NodePort" + - "LoadBalancer" +- variable: artifactory.nginx.service.loadBalancerIP + default: "" + description: "Provide Static IP to configure with Nginx" + type: string + label: Config Nginx LoadBalancer IP + show_if: "artifactory.nginx.enabled=true&&artifactory.nginx.service.type=LoadBalancer&&artifactory.ingress.enabled=false" + group: "Services and Load Balancing" +- variable: artifactory.nginx.tlsSecretName + default: "" + description: "Provide SSL Secret name to configure with Nginx" + type: string + label: Config Nginx SSL Secret + show_if: "artifactory.nginx.enabled=true&&artifactory.ingress.enabled=false" + group: "Services and Load Balancing" +- variable: artifactory.nginx.customArtifactoryConfigMap + default: "" + description: "Provide configMap name to configure Nginx with custom `artifactory.conf`" + type: string + label: ConfigMap for Nginx Artifactory Config + show_if: "artifactory.nginx.enabled=true&&artifactory.ingress.enabled=false" + group: "Services and Load Balancing" + +# Database Settings +- variable: artifactory.postgresql.enabled + default: true + description: "Enable PostgreSQL" + type: boolean + required: true + label: Enable PostgreSQL + group: "Database Settings" + show_subquestion_if: true + subquestions: + - variable: artifactory.postgresql.postgresqlPassword + default: "" + description: "PostgreSQL password" + type: password + required: true + label: PostgreSQL Password + group: "Database Settings" + show_if: "artifactory.postgresql.enabled=true" + - variable: artifactory.postgresql.persistence.size + default: 20Gi + description: "PostgreSQL persistent volume size" + type: string + label: PostgreSQL Persistent Volume Size + show_if: "artifactory.postgresql.enabled=true" + - variable: artifactory.postgresql.persistence.storageClass + default: "" + description: "If undefined or null, uses the default StorageClass. Default to null" + type: storageclass + label: Default StorageClass for PostgreSQL + show_if: "artifactory.postgresql.enabled=true" + - variable: artifactory.postgresql.resources.requests.cpu + default: "200m" + description: "PostgreSQL initial cpu request" + type: string + label: PostgreSQL Initial CPU Request + show_if: "artifactory.postgresql.enabled=true" + - variable: artifactory.postgresql.resources.requests.memory + default: "500Mi" + description: "PostgreSQL initial memory request" + type: string + label: PostgreSQL Initial Memory Request + show_if: "artifactory.postgresql.enabled=true" + - variable: artifactory.postgresql.resources.limits.cpu + default: "1" + description: "PostgreSQL cpu limit" + type: string + label: PostgreSQL CPU Limit + show_if: "artifactory.postgresql.enabled=true" + - variable: artifactory.postgresql.resources.limits.memory + default: "1Gi" + description: "PostgreSQL memory limit" + type: string + label: PostgreSQL Memory Limit + show_if: "artifactory.postgresql.enabled=true" +- variable: artifactory.database.type + default: "postgresql" + description: "xternal database type (postgresql, mysql, oracle or mssql)" + type: enum + required: true + label: External Database Type + group: "Database Settings" + show_if: "artifactory.postgresql.enabled=false" + options: + - "postgresql" + - "mysql" + - "oracle" + - "mssql" +- variable: artifactory.database.url + default: "" + description: "External database URL. If you set the url, leave host and port empty" + type: string + label: External Database URL + group: "Database Settings" + show_if: "artifactory.postgresql.enabled=false" +- variable: artifactory.database.host + default: "" + description: "External database hostname" + type: string + label: External Database Hostname + group: "Database Settings" + show_if: "artifactory.postgresql.enabled=false" +- variable: artifactory.database.port + default: "" + description: "External database port" + type: string + label: External Database Port + group: "Database Settings" + show_if: "artifactory.postgresql.enabled=false" +- variable: artifactory.database.user + default: "" + description: "External database username" + type: string + label: External Database Username + group: "Database Settings" + show_if: "artifactory.postgresql.enabled=false" +- variable: artifactory.database.password + default: "" + description: "External database password" + type: password + label: External Database Password + group: "Database Settings" + show_if: "artifactory.postgresql.enabled=false" + +# Advance Settings +- variable: artifactory.advancedOptions + default: false + description: "Show advanced configurations" + label: Show Advanced Configurations + type: boolean + show_subquestion_if: true + group: "Advanced Options" + subquestions: + - variable: artifactory.artifactory.primary.resources.requests.cpu + default: "500m" + description: "Artifactory primary node initial cpu request" + type: string + label: Artifactory Primary Node Initial CPU Request + - variable: artifactory.artifactory.primary.resources.requests.memory + default: "1Gi" + description: "Artifactory primary node initial memory request" + type: string + label: Artifactory Primary Node Initial Memory Request + - variable: artifactory.artifactory.primary.javaOpts.xms + default: "1g" + description: "Artifactory primary node java Xms size" + type: string + label: Artifactory Primary Node Java Xms Size + - variable: artifactory.artifactory.primary.resources.limits.cpu + default: "2" + description: "Artifactory primary node cpu limit" + type: string + label: Artifactory Primary Node CPU Limit + - variable: artifactory.artifactory.primary.resources.limits.memory + default: "4Gi" + description: "Artifactory primary node memory limit" + type: string + label: Artifactory Primary Node Memory Limit + - variable: artifactory.artifactory.primary.javaOpts.xmx + default: "4g" + description: "Artifactory primary node java Xmx size" + type: string + label: Artifactory Primary Node Java Xmx Size + - variable: artifactory.artifactory.node.resources.requests.cpu + default: "500m" + description: "Artifactory member node initial cpu request" + type: string + label: Artifactory Member Node Initial CPU Request + - variable: artifactory.artifactory.node.resources.requests.memory + default: "2Gi" + description: "Artifactory member node initial memory request" + type: string + label: Artifactory Member Node Initial Memory Request + - variable: artifactory.artifactory.node.javaOpts.xms + default: "1g" + description: "Artifactory member node java Xms size" + type: string + label: Artifactory Member Node Java Xms Size + - variable: artifactory.artifactory.node.resources.limits.cpu + default: "2" + description: "Artifactory member node cpu limit" + type: string + label: Artifactory Member Node CPU Limit + - variable: artifactory.artifactory.node.resources.limits.memory + default: "4Gi" + description: "Artifactory member node memory limit" + type: string + label: Artifactory Member Node Memory Limit + - variable: artifactory.artifactory.node.javaOpts.xmx + default: "4g" + description: "Artifactory member node java Xmx size" + type: string + label: Artifactory Member Node Java Xmx Size + +# Internal Settings +- variable: installerInfo + default: '\{\"productId\": \"RancherHelm_artifactory-jcr/7.6.3\", \"features\": \[\{\"featureId\": \"Partner/ACC-007246\"\}\]\}' + type: string + group: "Internal Settings (Do not modify)" diff --git a/charts/jfrog/artifactory-jcr/107.104.6/templates/NOTES.txt b/charts/jfrog/artifactory-jcr/107.104.6/templates/NOTES.txt new file mode 100644 index 000000000..035bf8417 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/templates/NOTES.txt @@ -0,0 +1 @@ +Congratulations. You have just deployed JFrog Container Registry! diff --git a/charts/jfrog/artifactory-jcr/107.104.6/values.yaml b/charts/jfrog/artifactory-jcr/107.104.6/values.yaml new file mode 100644 index 000000000..f5fed29c1 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/107.104.6/values.yaml @@ -0,0 +1,77 @@ +# Default values for artifactory-jcr. +# This is a YAML-formatted file. + +# Beware when changing values here. You should know what you are doing! +# Access the values with {{ .Values.key.subkey }} + +# This chart is based on the main artifactory chart with some customizations. +# See all supported configuration keys in https://github.com/jfrog/charts/tree/master/stable/artifactory + +## All values are under the 'artifactory' sub chart. +artifactory: + + ## Artifactory + ## See full list of supported Artifactory options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory + artifactory: + ## Default tag is from the artifactory sub-chart in the requirements.yaml + image: + registry: releases-docker.jfrog.io + repository: jfrog/artifactory-jcr + # tag: + + ## Uncomment the following resources definitions or pass them from command line + ## to control the cpu and memory resources allocated by the Kubernetes cluster + resources: {} + # requests: + # memory: "1Gi" + # cpu: "500m" + # limits: + # memory: "4Gi" + # cpu: "1" + ## The following Java options are passed to the java process running Artifactory. + ## You should set them according to the resources set above. + ## IMPORTANT: Make sure resources.limits.memory is at least 1G more than Xmx. + javaOpts: {} + # xms: "1g" + # xmx: "3g" + # other: "" + + installer: + platform: jcr-helm + + installerInfo: '{"productId":"Helm_artifactory-jcr/{{ .Chart.Version }}","features":[{"featureId":"Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}"},{"featureId":"Database/{{ .Values.database.type }}"},{"featureId":"PostgreSQL_Enabled/{{ .Values.postgresql.enabled }}"},{"featureId":"Nginx_Enabled/{{ .Values.nginx.enabled }}"},{"featureId":"ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}"},{"featureId":"SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}"},{"featureId":"UnifiedSecretInstallation_Enabled/{{ .Values.artifactory.unifiedSecretInstallation }}"},{"featureId":"Filebeat_Enabled/{{ .Values.filebeat.enabled }}"},{"featureId":"ReplicaCount/{{ .Values.artifactory.replicaCount }}"}]}' + + ## Nginx + ## See full list of supported Nginx options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory + nginx: + enabled: true + tlsSecretName: "" + service: + type: LoadBalancer + + ## Ingress + ## See full list of supported Ingress options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory + ingress: + enabled: false + tls: + + ## PostgreSQL + ## See list of supported postgresql options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory + ## Configuration values for the PostgreSQL dependency sub-chart + ## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md + postgresql: + enabled: true + + ## This key is required for upgrades to protect old PostgreSQL chart's breaking changes. + databaseUpgradeReady: "yes" + + ## If NOT using the PostgreSQL in this chart (artifactory.postgresql.enabled=false), + ## specify custom database details here or leave empty and Artifactory will use embedded derby. + ## See full list of database options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory + # database: + + jfconnect: + enabled: false + + federation: + enabled: false diff --git a/index.yaml b/index.yaml index 2966ddef7..f7dd1fe9b 100644 --- a/index.yaml +++ b/index.yaml @@ -306,7 +306,7 @@ entries: version: 0.9.0 artifactory-ha: - annotations: - artifactoryServiceVersion: 7.104.13 + artifactoryServiceVersion: 7.104.14 catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Artifactory HA catalog.cattle.io/featured: "2" @@ -315,6 +315,42 @@ entries: metadataVersion: 7.118.1 observabilityVersion: 1.31.11 apiVersion: v2 + appVersion: 7.104.6 + created: "2025-02-02T00:01:52.2486928Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: https://charts.jfrog.io/ + version: 10.3.18 + description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. + digest: 54b98e48caf3ee492880e7d98708ddf4c73bec82eade5a9b3b92e65739926488 + home: https://www.jfrog.com/artifactory/ + icon: file://assets/icons/artifactory-ha.png + keywords: + - artifactory + - jfrog + - devops + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: installers@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-ha + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-ha-107.104.6.tgz + version: 107.104.6 + - annotations: + artifactoryServiceVersion: 7.104.13 + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Artifactory HA + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-ha + metadataVersion: 7.118.1 + observabilityVersion: 1.31.11 + apiVersion: v2 appVersion: 7.104.5 created: "2025-01-30T00:01:44.563864869Z" dependencies: @@ -324,7 +360,7 @@ entries: version: 10.3.18 description: Universal Repository Manager supporting all major packaging formats, build tools and CI servers. - digest: 2377bdbcf3a31606b319c0d71ea7058c017fe5ebd9a8ec9593766e4ee2fa19cd + digest: 2a29d9bf15bcaa9cce87d78022cdf2c9041effccc2dca7466d543ca118ea013e home: https://www.jfrog.com/artifactory/ icon: file://assets/icons/artifactory-ha.png keywords: @@ -2099,6 +2135,40 @@ entries: - assets/jfrog/artifactory-ha-107.55.14.tgz version: 107.55.14 artifactory-jcr: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Container Registry + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-jcr + apiVersion: v2 + appVersion: 7.104.6 + created: "2025-02-02T00:01:52.688318698Z" + dependencies: + - name: artifactory + repository: file://charts/artifactory + version: 107.104.6 + description: JFrog Container Registry + digest: 3659a460b6aa11177fd3fdd6e43bf76c3a2685a48466347fbf54c061c4a87f39 + home: https://jfrog.com/container-registry/ + icon: file://assets/icons/artifactory-jcr.png + keywords: + - artifactory + - jfrog + - container + - registry + - devops + - jfrog-container-registry + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: helm@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-jcr + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-jcr-107.104.6.tgz + version: 107.104.6 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Container Registry @@ -49126,4 +49196,4 @@ entries: urls: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 -generated: "2025-02-01T00:01:48.430240952Z" +generated: "2025-02-02T00:01:50.553154414Z"