From bbf1819d95ca965d368d452d15aede9be557df08 Mon Sep 17 00:00:00 2001 From: Samuel Attwood Date: Thu, 17 Nov 2022 01:14:46 -0500 Subject: [PATCH] Charts CI ``` Updated: asserts/asserts: - 1.11.0 bitnami/wordpress: - 15.2.15 cockroach-labs/cockroachdb: - 9.1.1 elastic/elasticsearch: - 8.5.1 elastic/kibana: - 8.5.1 elastic/logstash: - 8.5.1 hashicorp/consul: - 0.49.1 nutanix/nutanix-csi-storage: - 2.6.1 ``` --- assets/asserts/asserts-1.11.0.tgz | Bin 0 -> 207994 bytes assets/bitnami/wordpress-15.2.15.tgz | Bin 0 -> 129750 bytes assets/cockroach-labs/cockroachdb-9.1.1.tgz | Bin 0 -> 30392 bytes assets/elastic/elasticsearch-8.5.1.tgz | Bin 0 -> 28973 bytes assets/elastic/kibana-8.5.1.tgz | Bin 0 -> 14464 bytes assets/elastic/logstash-8.5.1.tgz | Bin 0 -> 14260 bytes assets/hashicorp/consul-0.49.1.tgz | Bin 0 -> 109249 bytes .../nutanix-csi-snapshot-1.0.0.tgz | Bin .../nutanix-csi-snapshot-6.0.101.tgz | Bin .../nutanix-csi-storage-2.3.100.tgz | Bin .../nutanix-csi-storage-2.4.100.tgz | Bin .../nutanix-csi-storage-2.5.0.tgz | Bin .../nutanix-csi-storage-2.5.100.tgz | Bin .../nutanix-csi-storage-2.5.200.tgz | Bin .../nutanix-csi-storage-2.5.401.tgz | Bin assets/nutanix/nutanix-csi-storage-2.6.1.tgz | Bin 0 -> 10797 bytes .../asserts/1.11.0}/.helmignore | 0 charts/asserts/asserts/1.11.0/Chart.lock | 30 + charts/asserts/asserts/1.11.0/Chart.yaml | 56 + charts/asserts/asserts/1.11.0/README.md | 93 + charts/asserts/asserts/1.11.0/app-readme.md | 11 + .../1.11.0/charts/alertmanager/.helmignore | 25 + .../1.11.0/charts/alertmanager/Chart.yaml | 11 + .../1.11.0/charts/alertmanager/README.md | 69 + .../alertmanager/ci/config-reload-values.yaml | 2 + .../charts/alertmanager/templates/NOTES.txt | 21 + .../alertmanager/templates/_helpers.tpl | 87 + .../alertmanager/templates/configmap.yaml | 15 + .../alertmanager/templates/ingress.yaml | 61 + .../charts/alertmanager/templates/pdb.yaml | 13 + .../templates/serviceaccount.yaml | 12 + .../alertmanager/templates/services.yaml | 48 + .../alertmanager/templates/statefulset.yaml | 148 + .../templates/tests/test-connection.yaml | 15 + .../1.11.0/charts/alertmanager/values.yaml | 167 + .../asserts/1.11.0/charts/common/.helmignore | 22 + .../asserts/1.11.0/charts/common/Chart.yaml | 23 + .../asserts/1.11.0/charts/common/README.md | 350 ++ .../charts/common/templates/_affinities.tpl | 102 + .../charts/common/templates/_capabilities.tpl | 154 + .../charts/common/templates/_errors.tpl | 23 + .../charts/common/templates/_images.tpl | 75 + .../charts/common/templates/_ingress.tpl | 68 + .../charts/common/templates/_labels.tpl | 18 + .../1.11.0/charts/common/templates/_names.tpl | 70 + .../charts/common/templates/_secrets.tpl | 140 + .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../1.11.0/charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 + .../common/templates/validations/_mongodb.tpl | 108 + .../common/templates/validations/_mysql.tpl | 103 + .../templates/validations/_postgresql.tpl | 129 + .../common/templates/validations/_redis.tpl | 76 + .../templates/validations/_validations.tpl | 46 + .../asserts/1.11.0/charts/common/values.yaml | 5 + .../charts/knowledge-sensor}/.helmignore | 0 .../1.11.0/charts/knowledge-sensor/Chart.yaml | 8 + .../1.11.0/charts/knowledge-sensor/README.md | 12 + .../knowledge-sensor/templates/_helpers.tpl | 116 + .../concurrency-config-configmap.yaml | 12 + .../templates/deployment.yaml | 107 + .../knowledge-sensor/templates/ingress.yaml | 56 + .../prometheus-config-configmap.yaml | 9 + .../prometheus-relabel-rules-configmap.yaml | 7 + .../templates/prometheus-rules-configmap.yaml | 7 + .../templates/promxyruler-configmap.yaml | 9 + .../templates/promxyuser-configmap.yaml | 9 + .../knowledge-sensor/templates/role.yaml | 21 + .../templates/rolebinding.yaml | 16 + .../knowledge-sensor/templates/service.yaml | 13 + .../templates/serviceaccount.yaml | 15 + .../charts/knowledge-sensor/values.yaml | 147 + .../1.11.0/charts/postgresql}/.helmignore | 0 .../1.11.0/charts/postgresql/Chart.lock | 6 + .../1.11.0/charts/postgresql/Chart.yaml | 30 + .../1.11.0/charts/postgresql/README.md | 662 ++++ .../postgresql/charts/common/.helmignore | 22 + .../postgresql/charts/common/Chart.yaml | 23 + .../charts/postgresql/charts/common/README.md | 347 ++ .../charts/common/templates/_affinities.tpl | 102 + .../charts/common/templates/_capabilities.tpl | 139 + .../charts/common/templates/_errors.tpl | 23 + .../charts/common/templates/_images.tpl | 75 + .../charts/common/templates/_ingress.tpl | 68 + .../charts/common/templates/_labels.tpl | 18 + .../charts/common/templates/_names.tpl | 63 + .../charts/common/templates/_secrets.tpl | 140 + .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 + .../common/templates/validations/_mongodb.tpl | 108 + .../templates/validations/_postgresql.tpl | 129 + .../common/templates/validations/_redis.tpl | 76 + .../templates/validations/_validations.tpl | 46 + .../postgresql/charts/common/values.yaml | 5 + .../charts/postgresql/ci/extended-config.yaml | 4 + .../charts/postgresql/ci/init-scripts.yaml | 8 + .../1.11.0/charts/postgresql/ci/metrics.yaml | 24 + .../1.11.0/charts/postgresql/ci/rbac.yaml | 16 + .../charts/postgresql/ci/replication.yaml | 5 + .../1.11.0/charts/postgresql/ci/tls.yaml | 6 + .../charts/postgresql/templates/NOTES.txt | 89 + .../charts/postgresql/templates/_helpers.tpl | 320 ++ .../postgresql/templates/extra-list.yaml | 4 + .../templates/networkpolicy-egress.yaml | 32 + .../templates/primary/configmap.yaml | 24 + .../templates/primary/extended-configmap.yaml | 18 + .../primary/initialization-configmap.yaml | 15 + .../templates/primary/metrics-configmap.yaml | 16 + .../templates/primary/metrics-svc.yaml | 31 + .../templates/primary/networkpolicy.yaml | 57 + .../templates/primary/prometheusrule.yaml | 22 + .../templates/primary/servicemonitor.yaml | 48 + .../templates/primary/statefulset.yaml | 639 ++++ .../templates/primary/svc-headless.yaml | 31 + .../postgresql/templates/primary/svc.yaml | 43 + .../charts/postgresql/templates/psp.yaml | 41 + .../templates/read/networkpolicy.yaml | 36 + .../templates/read/statefulset.yaml | 433 +++ .../templates/read/svc-headless.yaml | 33 + .../charts/postgresql/templates/read/svc.yaml | 45 + .../charts/postgresql/templates/role.yaml | 31 + .../postgresql/templates/rolebinding.yaml | 22 + .../charts/postgresql/templates/secrets.yaml | 29 + .../postgresql/templates/serviceaccount.yaml | 19 + .../postgresql/templates/tls-secrets.yaml | 27 + .../charts/postgresql/values.schema.json | 156 + .../1.11.0/charts/postgresql/values.yaml | 1329 +++++++ .../asserts/1.11.0/charts/promxy}/.helmignore | 0 .../asserts/1.11.0/charts/promxy/Chart.yaml | 9 + .../asserts/1.11.0/charts/promxy/README.md | 0 .../charts/promxy/templates/_helpers.tpl | 127 + .../charts/promxy/templates/configmap.yaml | 19 + .../charts/promxy/templates/deployment.yaml | 116 + .../charts/promxy/templates/ingress.yaml | 52 + .../1.11.0/charts/promxy/templates/pdb.yaml | 11 + .../charts/promxy/templates/service.yaml | 37 + .../promxy/templates/serviceaccount.yaml | 18 + .../1.11.0/charts/promxy/templates/vpa.yaml | 19 + .../asserts/1.11.0/charts/promxy/values.yaml | 155 + .../asserts/1.11.0/charts/redis}/.helmignore | 0 .../asserts/1.11.0/charts/redis/Chart.lock | 6 + .../asserts/1.11.0/charts/redis/Chart.yaml | 28 + .../asserts/1.11.0/charts/redis/README.md | 871 +++++ .../charts/redis/charts/common/.helmignore | 22 + .../charts/redis/charts/common/Chart.yaml | 23 + .../charts/redis/charts/common/README.md | 347 ++ .../charts/common/templates/_affinities.tpl | 102 + .../charts/common/templates/_capabilities.tpl | 139 + .../redis/charts/common/templates/_errors.tpl | 23 + .../redis/charts/common/templates/_images.tpl | 75 + .../charts/common/templates/_ingress.tpl | 68 + .../redis/charts/common/templates/_labels.tpl | 18 + .../redis/charts/common/templates/_names.tpl | 63 + .../charts/common/templates/_secrets.tpl | 140 + .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../redis/charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 + .../common/templates/validations/_mongodb.tpl | 108 + .../templates/validations/_postgresql.tpl | 129 + .../common/templates/validations/_redis.tpl | 76 + .../templates/validations/_validations.tpl | 46 + .../charts/redis/charts/common/values.yaml | 5 + .../charts/redis/ci/extra-flags-values.yaml | 12 + .../charts/redis/ci/sentinel-values.yaml | 6 + .../charts/redis/ci/standalone-values.yaml | 1 + .../redis/img/redis-cluster-topology.png | Bin 0 -> 11448 bytes .../charts/redis/img/redis-topology.png | Bin 0 -> 9709 bytes .../1.11.0/charts/redis/templates/NOTES.txt | 191 + .../charts/redis/templates/_helpers.tpl | 291 ++ .../charts/redis/templates/configmap.yaml | 60 + .../charts/redis/templates/extra-list.yaml | 4 + .../charts/redis/templates/headless-svc.yaml | 30 + .../redis/templates/health-configmap.yaml | 192 + .../redis/templates/master/application.yaml | 473 +++ .../charts/redis/templates/master/psp.yaml | 46 + .../charts/redis/templates/master/pvc.yaml | 26 + .../redis/templates/master/service.yaml | 49 + .../charts/redis/templates/metrics-svc.yaml | 38 + .../charts/redis/templates/networkpolicy.yaml | 78 + .../1.11.0/charts/redis/templates/pdb.yaml | 23 + .../redis/templates/prometheusrule.yaml | 27 + .../charts/redis/templates/replicas/hpa.yaml | 35 + .../redis/templates/replicas/service.yaml | 49 + .../redis/templates/replicas/statefulset.yaml | 461 +++ .../1.11.0/charts/redis/templates/role.yaml | 28 + .../charts/redis/templates/rolebinding.yaml | 21 + .../redis/templates/scripts-configmap.yaml | 625 ++++ .../1.11.0/charts/redis/templates/secret.yaml | 23 + .../charts/redis/templates/sentinel/hpa.yaml | 35 + .../templates/sentinel/node-services.yaml | 71 + .../templates/sentinel/ports-configmap.yaml | 100 + .../redis/templates/sentinel/service.yaml | 96 + .../redis/templates/sentinel/statefulset.yaml | 674 ++++ .../redis/templates/serviceaccount.yaml | 21 + .../redis/templates/servicemonitor.yaml | 45 + .../charts/redis/templates/tls-secret.yaml | 26 + .../1.11.0/charts/redis/values.schema.json | 156 + .../asserts/1.11.0/charts/redis/values.yaml | 1567 +++++++++ .../victoria-metrics-single/.helmignore | 22 + .../charts/victoria-metrics-single/Chart.yaml | 9 + .../charts/victoria-metrics-single/README.md | 232 ++ .../victoria-metrics-single/README.md.gotmpl | 107 + .../templates/NOTES.txt | 51 + .../templates/_helpers.tpl | 147 + .../templates/clusterrole.yaml | 46 + .../templates/clusterrolebinding.yaml | 24 + .../templates/pdb.yaml | 22 + .../templates/podsecuritypolicy.yaml | 43 + .../templates/role.yaml | 25 + .../templates/rolebinding.yaml | 24 + .../templates/scrape-configmap.yaml | 17 + .../templates/server-deployment.yaml | 232 ++ .../templates/server-ingress.yaml | 50 + .../templates/server-pvc.yaml | 33 + .../templates/server-service-headless.yaml | 66 + .../templates/server-service-monitor.yaml | 33 + .../templates/server-service.yaml | 82 + .../templates/server-statefulset.yaml | 256 ++ .../templates/serviceaccount.yaml | 16 + .../victoria-metrics-single/values.yaml | 627 ++++ .../asserts/1.11.0/templates/_helpers.tpl | 132 + .../alertmanager-templates/_pagerduty.tpl | 37 + .../alertmanager-templates/_slack.tpl | 62 + .../config/alertmanager-configmap.yaml | 122 + .../config/k8s-calls-rules-configmap.yaml | 110 + .../config/tsdb-scrape-configmap.yaml | 979 ++++++ .../1.11.0/templates/grafana/_helpers.tpl | 57 + .../1.11.0/templates/grafana/configmap.yaml | 89 + .../1.11.0/templates/grafana/ingress.yaml | 56 + .../1.11.0/templates/grafana/secret.yaml | 14 + .../1.11.0/templates/grafana/service.yaml | 35 + .../1.11.0/templates/grafana/statefulset.yaml | 135 + .../asserts/1.11.0/templates/role.yaml | 24 + .../asserts/1.11.0/templates/rolebinding.yaml | 21 + .../1.11.0/templates/server/_helpers.tpl | 51 + .../1.11.0/templates/server/configmap.yaml | 327 ++ .../1.11.0/templates/server/service.yaml | 20 + .../1.11.0/templates/server/statefulset.yaml | 118 + .../1.11.0/templates/serviceaccount.yaml | 17 + .../1.11.0/templates/servicemonitor.yaml | 39 + .../asserts/1.11.0/templates/ui/_helpers.tpl | 37 + .../1.11.0/templates/ui/configmap.yaml | 36 + .../1.11.0/templates/ui/deployment.yaml | 79 + .../asserts/1.11.0/templates/ui/ingress.yaml | 56 + .../asserts/1.11.0/templates/ui/service.yaml | 35 + charts/asserts/asserts/1.11.0/values.yaml | 834 +++++ .../wordpress/15.2.15}/.helmignore | 0 charts/bitnami/wordpress/15.2.15/Chart.lock | 12 + charts/bitnami/wordpress/15.2.15/Chart.yaml | 43 + charts/bitnami/wordpress/15.2.15/README.md | 646 ++++ .../15.2.15/charts/common/.helmignore | 22 + .../15.2.15/charts/common/Chart.yaml | 23 + .../wordpress/15.2.15/charts/common/README.md | 351 ++ .../charts/common/templates/_affinities.tpl | 107 + .../charts/common/templates/_capabilities.tpl | 154 + .../charts/common/templates/_errors.tpl | 23 + .../charts/common/templates/_images.tpl | 76 + .../charts/common/templates/_ingress.tpl | 68 + .../charts/common/templates/_labels.tpl | 18 + .../charts/common/templates/_names.tpl | 70 + .../charts/common/templates/_secrets.tpl | 165 + .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 + .../common/templates/validations/_mongodb.tpl | 108 + .../common/templates/validations/_mysql.tpl | 103 + .../templates/validations/_postgresql.tpl | 129 + .../common/templates/validations/_redis.tpl | 76 + .../templates/validations/_validations.tpl | 46 + .../15.2.15/charts/common/values.yaml | 5 + .../15.2.15/charts/mariadb}/.helmignore | 0 .../15.2.15/charts/mariadb/Chart.lock | 6 + .../15.2.15/charts/mariadb/Chart.yaml | 30 + .../15.2.15/charts/mariadb/README.md | 556 +++ .../charts/mariadb/charts/common/.helmignore | 22 + .../charts/mariadb/charts/common/Chart.yaml | 23 + .../charts/mariadb/charts/common/README.md | 350 ++ .../charts/common/templates/_affinities.tpl | 98 + .../charts/common/templates/_capabilities.tpl | 154 + .../charts/common/templates/_errors.tpl | 23 + .../charts/common/templates/_images.tpl | 76 + .../charts/common/templates/_ingress.tpl | 68 + .../charts/common/templates/_labels.tpl | 18 + .../charts/common/templates/_names.tpl | 70 + .../charts/common/templates/_secrets.tpl | 165 + .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 + .../common/templates/validations/_mongodb.tpl | 108 + .../common/templates/validations/_mysql.tpl | 103 + .../templates/validations/_postgresql.tpl | 129 + .../common/templates/validations/_redis.tpl | 76 + .../templates/validations/_validations.tpl | 46 + .../charts/mariadb/charts/common/values.yaml | 5 + .../charts/mariadb/templates/NOTES.txt | 75 + .../charts/mariadb/templates/_helpers.tpl | 149 + .../charts/mariadb/templates/extra-list.yaml | 4 + .../templates/networkpolicy-egress.yaml | 33 + .../mariadb/templates/primary/configmap.yaml | 18 + .../primary/initialization-configmap.yaml | 11 + .../primary/networkpolicy-ingress.yaml | 56 + .../charts/mariadb/templates/primary/pdb.yaml | 25 + .../templates/primary/statefulset.yaml | 389 ++ .../charts/mariadb/templates/primary/svc.yaml | 61 + .../mariadb/templates/prometheusrules.yaml | 26 + .../charts/mariadb/templates/role.yaml | 21 + .../charts/mariadb/templates/rolebinding.yaml | 21 + .../templates/secondary/configmap.yaml | 18 + .../secondary/networkpolicy-ingress.yaml | 49 + .../mariadb/templates/secondary/pdb.yaml | 25 + .../templates/secondary/statefulset.yaml | 360 ++ .../mariadb/templates/secondary/svc.yaml | 63 + .../charts/mariadb/templates/secrets.yaml | 35 + .../mariadb/templates/serviceaccount.yaml | 19 + .../mariadb/templates/servicemonitor.yaml | 48 + .../15.2.15/charts/mariadb/values.schema.json | 176 + .../15.2.15/charts/mariadb/values.yaml | 1299 +++++++ .../15.2.15/charts/memcached}/.helmignore | 0 .../15.2.15/charts/memcached/Chart.lock | 6 + .../15.2.15/charts/memcached/Chart.yaml | 26 + .../15.2.15/charts/memcached/README.md | 391 +++ .../memcached/charts/common/.helmignore | 22 + .../charts/memcached/charts/common/Chart.yaml | 23 + .../charts/memcached/charts/common/README.md | 350 ++ .../charts/common/templates/_affinities.tpl | 98 + .../charts/common/templates/_capabilities.tpl | 154 + .../charts/common/templates/_errors.tpl | 23 + .../charts/common/templates/_images.tpl | 76 + .../charts/common/templates/_ingress.tpl | 68 + .../charts/common/templates/_labels.tpl | 18 + .../charts/common/templates/_names.tpl | 70 + .../charts/common/templates/_secrets.tpl | 165 + .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 + .../common/templates/validations/_mongodb.tpl | 108 + .../common/templates/validations/_mysql.tpl | 103 + .../templates/validations/_postgresql.tpl | 129 + .../common/templates/validations/_redis.tpl | 76 + .../templates/validations/_validations.tpl | 46 + .../memcached/charts/common/values.yaml | 5 + .../charts/memcached/templates/NOTES.txt | 43 + .../charts/memcached/templates/_helpers.tpl | 116 + .../memcached/templates/deployment.yaml | 205 ++ .../memcached/templates/extra-list.yaml | 4 + .../charts/memcached/templates/hpa.yaml | 46 + .../memcached/templates/metrics-svc.yaml | 30 + .../charts/memcached/templates/pdb.yaml | 17 + .../charts/memcached/templates/secrets.yaml | 17 + .../charts/memcached/templates/service.yaml | 49 + .../memcached/templates/serviceaccount.yaml | 19 + .../memcached/templates/servicemonitor.yaml | 52 + .../memcached/templates/statefulset.yaml | 276 ++ .../15.2.15/charts/memcached/values.yaml | 705 ++++ .../wordpress/15.2.15/templates/NOTES.txt | 95 + .../wordpress/15.2.15/templates/_helpers.tpl | 281 ++ .../15.2.15/templates/config-secret.yaml | 16 + .../15.2.15/templates/deployment.yaml | 371 ++ .../15.2.15/templates/externaldb-secrets.yaml | 17 + .../15.2.15/templates/extra-list.yaml | 4 + .../wordpress/15.2.15/templates/hpa.yaml | 46 + .../15.2.15/templates/httpd-configmap.yaml | 17 + .../wordpress/15.2.15/templates/ingress.yaml | 60 + .../15.2.15/templates/metrics-svc.yaml | 29 + .../networkpolicy-backend-ingress.yaml | 28 + .../templates/networkpolicy-egress.yaml | 33 + .../templates/networkpolicy-ingress.yaml | 61 + .../wordpress/15.2.15/templates/pdb.yaml | 23 + .../15.2.15/templates/postinit-configmap.yaml | 44 + .../wordpress/15.2.15/templates/pvc.yaml | 36 + .../wordpress/15.2.15/templates/secrets.yaml | 24 + .../15.2.15/templates/serviceaccount.yaml | 19 + .../15.2.15/templates/servicemonitor.yaml | 43 + .../wordpress/15.2.15/templates/svc.yaml | 61 + .../15.2.15/templates/tls-secrets.yaml | 44 + .../wordpress/15.2.15/values.schema.json | 212 ++ charts/bitnami/wordpress/15.2.15/values.yaml | 1181 +++++++ .../cockroachdb/9.1.1/CONTRIBUTING.md | 14 + .../cockroachdb/9.1.1/Chart.yaml | 17 + .../cockroachdb/9.1.1/README.md | 582 +++ .../cockroachdb/9.1.1/app-readme.md | 9 + .../cockroachdb/9.1.1/templates/NOTES.txt | 50 + .../cockroachdb/9.1.1/templates/_helpers.tpl | 257 ++ .../9.1.1/templates/backendconfig.yaml | 21 + .../9.1.1/templates/certificate.client.yaml | 48 + .../9.1.1/templates/certificate.node.yaml | 58 + .../9.1.1/templates/clusterrole.yaml | 19 + .../9.1.1/templates/clusterrolebinding.yaml | 23 + .../templates/cronjob-ca-certSelfSigner.yaml | 46 + .../cronjob-client-node-certSelfSigner.yaml | 53 + .../cockroachdb/9.1.1/templates/ingress.yaml | 90 + .../9.1.1/templates/job-certSelfSigner.yaml | 53 + .../9.1.1/templates/job-cleaner.yaml | 40 + .../cockroachdb/9.1.1/templates/job.init.yaml | 268 ++ .../9.1.1/templates/networkpolicy.yaml | 59 + .../9.1.1/templates/poddisruptionbudget.yaml | 26 + .../templates/role-certRotateSelfSigner.yaml | 27 + .../9.1.1/templates/role-certSelfSigner.yaml | 33 + .../cockroachdb/9.1.1/templates/role.yaml | 23 + .../rolebinding-certRotateSelfSigner.yaml | 23 + .../templates/rolebinding-certSelfSigner.yaml | 29 + .../9.1.1/templates/rolebinding.yaml | 23 + .../9.1.1/templates/secret.backendconfig.yaml | 25 + .../9.1.1/templates/secret.logconfig.yaml | 19 + .../9.1.1/templates/secret.registry.yaml | 23 + .../9.1.1/templates/secrets.init.yaml | 20 + .../9.1.1/templates/service.discovery.yaml | 64 + .../9.1.1/templates/service.public.yaml | 55 + .../9.1.1/templates/serviceMonitor.yaml | 51 + .../serviceaccount-certRotateSelfSigner.yaml | 16 + .../serviceaccount-certSelfSigner.yaml | 22 + .../9.1.1/templates/serviceaccount.yaml | 15 + .../9.1.1/templates/statefulset.yaml | 373 ++ .../9.1.1/templates/tests/client.yaml | 65 + .../cockroachdb/9.1.1/values.schema.json | 97 + .../cockroachdb/9.1.1/values.yaml | 540 +++ .../elastic/elasticsearch/8.5.1/.helmignore | 2 + charts/elastic/elasticsearch/8.5.1/Chart.yaml | 17 + charts/elastic/elasticsearch/8.5.1/Makefile | 1 + charts/elastic/elasticsearch/8.5.1/README.md | 490 +++ .../8.5.1/examples/config/Makefile | 21 + .../8.5.1/examples/config/README.md | 27 + .../8.5.1/examples/config/test/goss.yaml | 31 + .../8.5.1/examples/config/values.yaml | 29 + .../examples/config/watcher_encryption_key | 1 + .../8.5.1/examples/default/Makefile | 14 + .../8.5.1/examples/default/README.md | 25 + .../8.5.1/examples/default/rolling_upgrade.sh | 19 + .../8.5.1/examples/default/test/goss.yaml | 44 + .../8.5.1/examples/docker-for-mac/Makefile | 13 + .../8.5.1/examples/docker-for-mac/README.md | 23 + .../8.5.1/examples/docker-for-mac/values.yaml | 23 + .../8.5.1/examples/kubernetes-kind/Makefile | 17 + .../8.5.1/examples/kubernetes-kind/README.md | 36 + .../kubernetes-kind/values-local-path.yaml | 23 + .../examples/kubernetes-kind/values.yaml | 23 + .../8.5.1/examples/microk8s/Makefile | 13 + .../8.5.1/examples/microk8s/README.md | 32 + .../8.5.1/examples/microk8s/values.yaml | 32 + .../8.5.1/examples/migration/Makefile | 10 + .../8.5.1/examples/migration/README.md | 167 + .../8.5.1/examples/migration/client.yaml | 19 + .../8.5.1/examples/migration/data.yaml | 14 + .../8.5.1/examples/migration/master.yaml | 23 + .../8.5.1/examples/minikube/Makefile | 13 + .../8.5.1/examples/minikube/README.md | 38 + .../8.5.1/examples/minikube/values.yaml | 23 + .../8.5.1/examples/multi/Makefile | 19 + .../8.5.1/examples/multi/README.md | 29 + .../8.5.1/examples/multi/client.yaml | 50 + .../8.5.1/examples/multi/data.yaml | 48 + .../8.5.1/examples/multi/master.yaml | 6 + .../8.5.1/examples/multi/test/goss.yaml | 12 + .../8.5.1/examples/networkpolicy/Makefile | 14 + .../8.5.1/examples/networkpolicy/values.yaml | 37 + .../8.5.1/examples/openshift/Makefile | 13 + .../8.5.1/examples/openshift/README.md | 24 + .../8.5.1/examples/openshift/test/goss.yaml | 20 + .../8.5.1/examples/openshift/values.yaml | 11 + .../8.5.1/examples/security/Makefile | 36 + .../8.5.1/examples/security/README.md | 29 + .../8.5.1/examples/security/test/goss.yaml | 44 + .../8.5.1/examples/security/values.yaml | 28 + .../8.5.1/examples/upgrade/Makefile | 19 + .../8.5.1/examples/upgrade/README.md | 17 + .../8.5.1/examples/upgrade/test/goss.yaml | 22 + .../8.5.1/examples/upgrade/values.yaml | 6 + .../elasticsearch/8.5.1/templates/NOTES.txt | 8 + .../8.5.1/templates/_helpers.tpl | 97 + .../8.5.1/templates/configmap.yaml | 34 + .../8.5.1/templates/ingress.yaml | 64 + .../8.5.1/templates/networkpolicy.yaml | 61 + .../8.5.1/templates/poddisruptionbudget.yaml | 15 + .../8.5.1/templates/podsecuritypolicy.yaml | 14 + .../elasticsearch/8.5.1/templates/role.yaml | 25 + .../8.5.1/templates/rolebinding.yaml | 20 + .../8.5.1/templates/secret-cert.yaml | 14 + .../elasticsearch/8.5.1/templates/secret.yaml | 23 + .../8.5.1/templates/service.yaml | 78 + .../8.5.1/templates/serviceaccount.yaml | 16 + .../8.5.1/templates/statefulset.yaml | 427 +++ .../test/test-elasticsearch-health.yaml | 50 + .../elastic/elasticsearch/8.5.1/values.yaml | 356 ++ charts/elastic/kibana/8.5.1/.helmignore | 2 + charts/elastic/kibana/8.5.1/Chart.yaml | 17 + charts/elastic/kibana/8.5.1/Makefile | 1 + charts/elastic/kibana/8.5.1/README.md | 266 ++ .../kibana/8.5.1/examples/default/Makefile | 13 + .../kibana/8.5.1/examples/default/README.md | 29 + .../8.5.1/examples/default/test/goss.yaml | 16 + .../kibana/8.5.1/examples/openshift/Makefile | 15 + .../kibana/8.5.1/examples/openshift/README.md | 26 + .../8.5.1/examples/openshift/test/goss.yaml | 4 + .../8.5.1/examples/openshift/values.yml | 7 + .../kibana/8.5.1/examples/security/Makefile | 18 + .../kibana/8.5.1/examples/security/README.md | 30 + .../8.5.1/examples/security/test/goss.yaml | 18 + .../8.5.1/examples/security/values.yaml | 21 + .../kibana/8.5.1/examples/upgrade/Makefile | 36 + .../kibana/8.5.1/examples/upgrade/README.md | 21 + .../8.5.1/examples/upgrade/test/goss.yaml | 16 + .../kibana/8.5.1/examples/upgrade/values.yaml | 5 + .../elastic/kibana/8.5.1/templates/NOTES.txt | 6 + .../kibana/8.5.1/templates/_helpers.tpl | 36 + .../templates/configmap-helm-scripts.yaml | 175 + .../kibana/8.5.1/templates/configmap.yaml | 13 + .../kibana/8.5.1/templates/deployment.yaml | 196 ++ .../kibana/8.5.1/templates/ingress.yaml | 61 + .../8.5.1/templates/post-delete-job.yaml | 54 + .../8.5.1/templates/post-delete-role.yaml | 20 + .../templates/post-delete-rolebinding.yaml | 21 + .../templates/post-delete-serviceaccount.yaml | 13 + .../8.5.1/templates/pre-install-job.yaml | 54 + .../8.5.1/templates/pre-install-role.yaml | 21 + .../templates/pre-install-rolebinding.yaml | 21 + .../templates/pre-install-serviceaccount.yaml | 13 + .../kibana/8.5.1/templates/service.yaml | 33 + charts/elastic/kibana/8.5.1/values.yaml | 175 + charts/elastic/logstash/8.5.1/.helmignore | 2 + charts/elastic/logstash/8.5.1/Chart.yaml | 17 + charts/elastic/logstash/8.5.1/Makefile | 1 + charts/elastic/logstash/8.5.1/README.md | 244 ++ .../logstash/8.5.1/examples/default/Makefile | 14 + .../logstash/8.5.1/examples/default/README.md | 17 + .../8.5.1/examples/default/test/goss.yaml | 41 + .../8.5.1/examples/elasticsearch/Makefile | 15 + .../8.5.1/examples/elasticsearch/README.md | 28 + .../examples/elasticsearch/test/goss.yaml | 58 + .../8.5.1/examples/elasticsearch/values.yaml | 37 + .../logstash/8.5.1/examples/oss/Makefile | 14 + .../logstash/8.5.1/examples/oss/README.md | 17 + .../8.5.1/examples/oss/test/goss.yaml | 40 + .../logstash/8.5.1/examples/oss/values.yaml | 2 + .../logstash/8.5.1/examples/security/Makefile | 15 + .../8.5.1/examples/security/README.md | 28 + .../8.5.1/examples/security/test/goss.yaml | 62 + .../8.5.1/examples/security/values.yaml | 40 + .../logstash/8.5.1/examples/upgrade/Makefile | 16 + .../logstash/8.5.1/examples/upgrade/README.md | 19 + .../8.5.1/examples/upgrade/test/goss.yaml | 41 + .../8.5.1/examples/upgrade/values.yaml | 1 + .../logstash/8.5.1/templates/NOTES.txt | 2 + .../logstash/8.5.1/templates/_helpers.tpl | 27 + .../8.5.1/templates/configmap-config.yaml | 17 + .../8.5.1/templates/configmap-pattern.yaml | 17 + .../8.5.1/templates/configmap-pipeline.yaml | 17 + .../logstash/8.5.1/templates/ingress.yaml | 68 + .../8.5.1/templates/poddisruptionbudget.yaml | 20 + .../8.5.1/templates/podsecuritypolicy.yaml | 14 + .../logstash/8.5.1/templates/role.yaml | 25 + .../logstash/8.5.1/templates/rolebinding.yaml | 20 + .../logstash/8.5.1/templates/secret.yaml | 27 + .../8.5.1/templates/service-headless.yaml | 20 + .../logstash/8.5.1/templates/service.yaml | 32 + .../8.5.1/templates/serviceaccount.yaml | 22 + .../logstash/8.5.1/templates/statefulset.yaml | 237 ++ charts/elastic/logstash/8.5.1/values.yaml | 295 ++ charts/hashicorp/consul/0.49.1/.helmignore | 4 + charts/hashicorp/consul/0.49.1/Chart.yaml | 35 + charts/hashicorp/consul/0.49.1/README.md | 68 + charts/hashicorp/consul/0.49.1/addons/gen.sh | 34 + .../0.49.1/addons/values/prometheus.yaml | 18 + .../hashicorp/consul/0.49.1/assets/icon.png | Bin 0 -> 7981 bytes .../consul/0.49.1/templates/NOTES.txt | 21 + .../consul/0.49.1/templates/_helpers.tpl | 314 ++ .../api-gateway-controller-clusterrole.yaml | 265 ++ ...gateway-controller-clusterrolebinding.yaml | 20 + .../api-gateway-controller-deployment.yaml | 242 ++ ...-gateway-controller-podsecuritypolicy.yaml | 40 + .../api-gateway-controller-service.yaml | 27 + ...api-gateway-controller-serviceaccount.yaml | 23 + .../templates/api-gateway-gatewayclass.yaml | 18 + .../api-gateway-gatewayclassconfig.yaml | 57 + .../api-gateway-podsecuritypolicy.yaml | 45 + .../templates/auth-method-clusterrole.yaml | 18 + .../auth-method-clusterrolebinding.yaml | 39 + .../0.49.1/templates/auth-method-secret.yaml | 16 + .../templates/auth-method-serviceaccount.yaml | 19 + .../templates/client-config-configmap.yaml | 37 + .../0.49.1/templates/client-daemonset.yaml | 608 ++++ .../templates/client-podsecuritypolicy.yaml | 76 + .../consul/0.49.1/templates/client-role.yaml | 43 + .../0.49.1/templates/client-rolebinding.yaml | 20 + .../client-securitycontextconstraints.yaml | 56 + .../templates/client-serviceaccount.yaml | 23 + .../client-snapshot-agent-deployment.yaml | 281 ++ ...ient-snapshot-agent-podsecuritypolicy.yaml | 42 + .../templates/client-snapshot-agent-role.yaml | 26 + .../client-snapshot-agent-rolebinding.yaml | 22 + .../client-snapshot-agent-serviceaccount.yaml | 25 + .../0.49.1/templates/cni-clusterrole.yaml | 38 + .../templates/cni-clusterrolebinding.yaml | 20 + .../0.49.1/templates/cni-daemonset.yaml | 84 + .../cni-networkattachmentdefinition.yaml | 25 + .../templates/cni-podsecuritypolicy.yaml | 31 + .../0.49.1/templates/cni-resourcequota.yaml | 22 + .../cni-securitycontextconstraints.yaml | 50 + .../0.49.1/templates/cni-serviceaccount.yaml | 19 + .../templates/connect-inject-clusterrole.yaml | 109 + .../connect-inject-clusterrolebinding.yaml | 20 + .../templates/connect-inject-deployment.yaml | 437 +++ .../connect-inject-leader-election-role.yaml | 41 + ...ct-inject-leader-election-rolebinding.yaml | 21 + ...t-inject-mutatingwebhookconfiguration.yaml | 85 + .../connect-inject-podsecuritypolicy.yaml | 40 + .../templates/connect-inject-service.yaml | 23 + .../connect-inject-serviceaccount.yaml | 23 + .../connect-injector-disruptionbudget.yaml | 26 + .../templates/controller-clusterrole.yaml | 79 + .../controller-clusterrolebinding.yaml | 20 + .../templates/controller-deployment.yaml | 277 ++ .../controller-leader-election-role.yaml | 41 + ...ontroller-leader-election-rolebinding.yaml | 20 + ...ntroller-mutatingwebhookconfiguration.yaml | 224 ++ .../controller-podsecuritypolicy.yaml | 40 + .../templates/controller-serviceaccount.yaml | 23 + .../templates/controller-webhook-service.yaml | 23 + .../templates/crd-exportedservices.yaml | 143 + .../0.49.1/templates/crd-ingressgateways.yaml | 377 ++ .../consul/0.49.1/templates/crd-meshes.yaml | 198 ++ .../templates/crd-peeringacceptors.yaml | 154 + .../0.49.1/templates/crd-peeringdialers.yaml | 154 + .../0.49.1/templates/crd-proxydefaults.yaml | 186 + .../0.49.1/templates/crd-servicedefaults.yaml | 422 +++ .../templates/crd-serviceintentions.yaml | 241 ++ .../templates/crd-serviceresolvers.yaml | 283 ++ .../0.49.1/templates/crd-servicerouters.yaml | 316 ++ .../templates/crd-servicesplitters.yaml | 194 + .../templates/crd-terminatinggateways.yaml | 145 + .../create-federation-secret-job.yaml | 161 + ...e-federation-secret-podsecuritypolicy.yaml | 42 + .../create-federation-secret-role.yaml | 49 + .../create-federation-secret-rolebinding.yaml | 23 + ...eate-federation-secret-serviceaccount.yaml | 22 + .../consul/0.49.1/templates/dns-service.yaml | 41 + .../templates/enterprise-license-job.yaml | 138 + .../enterprise-license-podsecuritypolicy.yaml | 39 + .../templates/enterprise-license-role.yaml | 37 + .../enterprise-license-rolebinding.yaml | 22 + .../enterprise-license-serviceaccount.yaml | 21 + .../templates/expose-servers-service.yaml | 63 + .../gossip-encryption-autogenerate-job.yaml | 62 + ...yption-autogenerate-podsecuritypolicy.yaml | 40 + .../gossip-encryption-autogenerate-role.yaml | 32 + ...p-encryption-autogenerate-rolebinding.yaml | 23 + ...ncryption-autogenerate-serviceaccount.yaml | 22 + .../ingress-gateways-deployment.yaml | 489 +++ .../ingress-gateways-podsecuritypolicy.yaml | 45 + .../templates/ingress-gateways-role.yaml | 46 + .../ingress-gateways-rolebinding.yaml | 25 + .../templates/ingress-gateways-service.yaml | 51 + .../ingress-gateways-serviceaccount.yaml | 35 + .../templates/mesh-gateway-clusterrole.yaml | 34 + .../mesh-gateway-clusterrolebinding.yaml | 20 + .../templates/mesh-gateway-deployment.yaml | 423 +++ .../mesh-gateway-podsecuritypolicy.yaml | 52 + .../templates/mesh-gateway-service.yaml | 33 + .../mesh-gateway-serviceaccount.yaml | 23 + .../0.49.1/templates/partition-init-job.yaml | 138 + .../partition-init-podsecuritypolicy.yaml | 40 + .../0.49.1/templates/partition-init-role.yaml | 41 + .../templates/partition-init-rolebinding.yaml | 24 + .../partition-init-serviceaccount.yaml | 23 + .../templates/partition-name-configmap.yaml | 19 + .../0.49.1/templates/partition-service.yaml | 45 + .../consul/0.49.1/templates/prometheus.yaml | 488 +++ .../server-acl-init-cleanup-job.yaml | 75 + ...er-acl-init-cleanup-podsecuritypolicy.yaml | 40 + .../server-acl-init-cleanup-role.yaml | 28 + .../server-acl-init-cleanup-rolebinding.yaml | 23 + ...erver-acl-init-cleanup-serviceaccount.yaml | 22 + .../0.49.1/templates/server-acl-init-job.yaml | 341 ++ .../server-acl-init-podsecuritypolicy.yaml | 41 + .../templates/server-acl-init-role.yaml | 38 + .../server-acl-init-rolebinding.yaml | 23 + .../server-acl-init-serviceaccount.yaml | 22 + .../templates/server-config-configmap.yaml | 202 ++ .../templates/server-disruptionbudget.yaml | 26 + .../templates/server-podsecuritypolicy.yaml | 53 + .../consul/0.49.1/templates/server-role.yaml | 34 + .../0.49.1/templates/server-rolebinding.yaml | 20 + .../server-securitycontextconstraints.yaml | 49 + .../0.49.1/templates/server-service.yaml | 76 + .../templates/server-serviceaccount.yaml | 23 + .../0.49.1/templates/server-statefulset.yaml | 432 +++ .../templates/sync-catalog-clusterrole.yaml | 41 + .../sync-catalog-clusterrolebinding.yaml | 21 + .../templates/sync-catalog-deployment.yaml | 313 ++ .../sync-catalog-podsecuritypolicy.yaml | 40 + .../sync-catalog-serviceaccount.yaml | 24 + .../terminating-gateways-deployment.yaml | 440 +++ ...erminating-gateways-podsecuritypolicy.yaml | 45 + .../templates/terminating-gateways-role.yaml | 43 + .../terminating-gateways-rolebinding.yaml | 26 + .../terminating-gateways-serviceaccount.yaml | 35 + .../0.49.1/templates/tests/test-runner.yaml | 78 + .../templates/tls-init-cleanup-job.yaml | 67 + .../tls-init-cleanup-podsecuritypolicy.yaml | 43 + .../templates/tls-init-cleanup-role.yaml | 41 + .../tls-init-cleanup-rolebinding.yaml | 27 + .../tls-init-cleanup-serviceaccount.yaml | 26 + .../consul/0.49.1/templates/tls-init-job.yaml | 109 + .../templates/tls-init-podsecuritypolicy.yaml | 43 + .../0.49.1/templates/tls-init-role.yaml | 38 + .../templates/tls-init-rolebinding.yaml | 27 + .../templates/tls-init-serviceaccount.yaml | 26 + .../consul/0.49.1/templates/ui-ingress.yaml | 83 + .../consul/0.49.1/templates/ui-service.yaml | 46 + .../webhook-cert-manager-clusterrole.yaml | 53 + ...bhook-cert-manager-clusterrolebinding.yaml | 21 + .../webhook-cert-manager-configmap.yaml | 43 + .../webhook-cert-manager-deployment.yaml | 73 + ...ebhook-cert-manager-podsecuritypolicy.yaml | 41 + .../webhook-cert-manager-serviceaccount.yaml | 20 + charts/hashicorp/consul/0.49.1/values.yaml | 3122 +++++++++++++++++ .../nutanix-csi-snapshot/1.0.0/.helmignore | 23 + .../nutanix-csi-snapshot/1.0.0/Chart.yaml | 0 .../nutanix-csi-snapshot/1.0.0/README.md | 0 .../nutanix-csi-snapshot/1.0.0/app-readme.md | 0 .../nutanix-csi-snapshot/1.0.0/questions.yml | 0 .../1.0.0/templates/NOTES.txt | 0 .../1.0.0/templates/_helpers.tpl | 0 .../templates/snapshot-controller-rbac.yaml | 0 .../templates/snapshot-controller-sts.yaml | 0 .../templates/validating-deployment.yaml | 0 .../1.0.0/templates/validating-webhook.yaml | 0 .../templates/volumesnapshotclasses_rel3.yaml | 0 .../volumesnapshotclasses_rel42.yaml | 0 .../volumesnapshotcontents_rel3.yaml | 0 .../volumesnapshotcontents_rel42.yaml | 0 .../1.0.0/templates/volumesnapshots_rel3.yaml | 0 .../templates/volumesnapshots_rel42.yaml | 0 .../nutanix-csi-snapshot/1.0.0/values.yaml | 0 .../nutanix-csi-snapshot/6.0.101/.helmignore | 23 + .../nutanix-csi-snapshot/6.0.101/Chart.yaml | 0 .../nutanix-csi-snapshot/6.0.101/README.md | 0 .../6.0.101/app-readme.md | 0 .../6.0.101/questions.yml | 0 .../6.0.101/templates/NOTES.txt | 0 .../6.0.101/templates/_helpers.tpl | 0 .../snapshot-controller-deployment.yaml | 0 .../templates/snapshot-controller-rbac.yaml | 0 .../templates/validating-deployment.yaml | 0 .../6.0.101/templates/validating-rbac.yaml | 0 .../6.0.101/templates/validating-webhook.yaml | 0 .../templates/volumesnapshotclasses_rel3.yaml | 0 .../volumesnapshotclasses_rel60.yaml | 0 .../volumesnapshotcontents_rel3.yaml | 0 .../volumesnapshotcontents_rel60.yaml | 0 .../templates/volumesnapshots_rel3.yaml | 0 .../templates/volumesnapshots_rel60.yaml | 0 .../nutanix-csi-snapshot/6.0.101/values.yaml | 0 .../nutanix-csi-storage/2.3.100/.helmignore | 21 + .../nutanix-csi-storage/2.3.100/Chart.yaml | 0 .../nutanix-csi-storage/2.3.100/README.md | 0 .../nutanix-csi-storage/2.3.100/app-readme.md | 0 ....storage.k8s.io_volumesnapshotclasses.yaml | 0 ...storage.k8s.io_volumesnapshotcontents.yaml | 0 ...apshot.storage.k8s.io_volumesnapshots.yaml | 0 .../nutanix-csi-storage/2.3.100/questions.yml | 0 .../2.3.100/templates/NOTES.txt | 0 .../2.3.100/templates/_helpers.tpl | 0 .../2.3.100/templates/csi-driver.yaml | 0 .../2.3.100/templates/ntnx-cs-scc.yaml | 0 .../2.3.100/templates/ntnx-csi-node.yaml | 0 .../templates/ntnx-csi-provisioner.yaml | 0 .../2.3.100/templates/ntnx-csi-rbac.yaml | 0 .../2.3.100/templates/ntnx-secret.yaml | 0 .../2.3.100/templates/sc.yaml | 0 .../templates/snapshot-controller-rbac.yaml | 0 .../templates/snapshot-controller-setup.yaml | 0 .../nutanix-csi-storage/2.3.100/values.yaml | 0 .../nutanix-csi-storage/2.4.100/.helmignore | 21 + .../nutanix-csi-storage/2.4.100/Chart.yaml | 0 .../nutanix-csi-storage/2.4.100/README.md | 0 .../nutanix-csi-storage/2.4.100/app-readme.md | 0 ....storage.k8s.io_volumesnapshotclasses.yaml | 0 ...storage.k8s.io_volumesnapshotcontents.yaml | 0 ...apshot.storage.k8s.io_volumesnapshots.yaml | 0 .../nutanix-csi-storage/2.4.100/questions.yml | 0 .../2.4.100/templates/NOTES.txt | 0 .../2.4.100/templates/_helpers.tpl | 0 .../2.4.100/templates/csi-driver.yaml | 0 .../2.4.100/templates/ntnx-csi-node-ds.yaml | 0 .../templates/ntnx-csi-provisioner-sts.yaml | 0 .../2.4.100/templates/ntnx-csi-rbac.yaml | 0 .../2.4.100/templates/ntnx-csi-scc.yaml | 0 .../2.4.100/templates/ntnx-sc.yaml | 0 .../2.4.100/templates/ntnx-secret.yaml | 0 .../templates/service-prometheus-csi.yaml | 0 .../templates/snapshot-controller-rbac.yaml | 0 .../templates/snapshot-controller-sts.yaml | 0 .../nutanix-csi-storage/2.4.100/values.yaml | 0 .../nutanix-csi-storage/2.5.0/.helmignore | 21 + .../nutanix-csi-storage/2.5.0/Chart.yaml | 0 .../nutanix-csi-storage/2.5.0/README.md | 0 .../nutanix-csi-storage/2.5.0/app-readme.md | 0 .../nutanix-csi-storage/2.5.0/questions.yml | 0 .../2.5.0/templates/NOTES.txt | 0 .../2.5.0/templates/_helpers.tpl | 0 .../2.5.0/templates/csi-driver.yaml | 0 .../2.5.0/templates/ntnx-csi-node-ds.yaml | 0 .../templates/ntnx-csi-provisioner-sts.yaml | 0 .../2.5.0/templates/ntnx-csi-rbac.yaml | 0 .../2.5.0/templates/ntnx-csi-scc.yaml | 0 .../2.5.0/templates/ntnx-sc.yaml | 0 .../2.5.0/templates/ntnx-secret.yaml | 0 .../templates/service-prometheus-csi.yaml | 0 .../nutanix-csi-storage/2.5.0/values.yaml | 0 .../nutanix-csi-storage/2.5.100/.helmignore | 21 + .../nutanix-csi-storage/2.5.100/Chart.yaml | 0 .../nutanix-csi-storage/2.5.100/README.md | 0 .../nutanix-csi-storage/2.5.100/app-readme.md | 0 .../nutanix-csi-storage/2.5.100/questions.yml | 0 .../2.5.100/templates/NOTES.txt | 0 .../2.5.100/templates/_helpers.tpl | 0 .../2.5.100/templates/csi-driver.yaml | 0 .../2.5.100/templates/ntnx-csi-node-ds.yaml | 0 .../templates/ntnx-csi-provisioner-sts.yaml | 0 .../2.5.100/templates/ntnx-csi-rbac.yaml | 0 .../2.5.100/templates/ntnx-csi-scc.yaml | 0 .../2.5.100/templates/ntnx-sc.yaml | 0 .../2.5.100/templates/ntnx-secret.yaml | 0 .../templates/service-prometheus-csi.yaml | 0 .../nutanix-csi-storage/2.5.100/values.yaml | 0 .../nutanix-csi-storage/2.5.200/.helmignore | 21 + .../nutanix-csi-storage/2.5.200/Chart.yaml | 0 .../nutanix-csi-storage/2.5.200/README.md | 0 .../nutanix-csi-storage/2.5.200/app-readme.md | 0 .../nutanix-csi-storage/2.5.200/questions.yml | 0 .../2.5.200/templates/NOTES.txt | 0 .../2.5.200/templates/_helpers.tpl | 0 .../2.5.200/templates/csi-driver.yaml | 0 .../2.5.200/templates/machine-config.yaml | 0 .../2.5.200/templates/ntnx-csi-node-ds.yaml | 0 .../templates/ntnx-csi-provisioner-sts.yaml | 0 .../2.5.200/templates/ntnx-csi-rbac.yaml | 0 .../2.5.200/templates/ntnx-csi-scc.yaml | 0 .../2.5.200/templates/ntnx-sc.yaml | 0 .../2.5.200/templates/ntnx-secret.yaml | 0 .../templates/service-prometheus-csi.yaml | 0 .../nutanix-csi-storage/2.5.200/values.yaml | 0 .../nutanix-csi-storage/2.5.401/.helmignore | 21 + .../nutanix-csi-storage/2.5.401/Chart.yaml | 0 .../nutanix-csi-storage/2.5.401/README.md | 0 .../nutanix-csi-storage/2.5.401/app-readme.md | 0 .../nutanix-csi-storage/2.5.401/questions.yml | 0 .../2.5.401/templates/NOTES.txt | 0 .../2.5.401/templates/_helpers.tpl | 0 .../2.5.401/templates/csi-driver.yaml | 0 .../2.5.401/templates/machine-config.yaml | 0 .../ntnx-csi-controller-deployment.yaml | 0 .../2.5.401/templates/ntnx-csi-node-ds.yaml | 0 .../2.5.401/templates/ntnx-csi-rbac.yaml | 0 .../2.5.401/templates/ntnx-csi-scc.yaml | 0 .../2.5.401/templates/ntnx-sc.yaml | 0 .../2.5.401/templates/ntnx-secret.yaml | 0 .../templates/service-prometheus-csi.yaml | 0 .../nutanix-csi-storage/2.5.401/values.yaml | 0 .../nutanix-csi-storage/2.6.1/.helmignore | 21 + .../nutanix-csi-storage/2.6.1/Chart.yaml | 39 + .../nutanix-csi-storage/2.6.1/README.md | 192 + .../nutanix-csi-storage/2.6.1}/app-readme.md | 0 .../nutanix-csi-storage/2.6.1/questions.yml | 131 + .../2.6.1/templates/NOTES.txt | 3 + .../2.6.1/templates/_helpers.tpl | 43 + .../2.6.1/templates/csi-driver.yaml | 7 + .../2.6.1/templates/machine-config.yaml | 33 + .../ntnx-csi-controller-deployment.yaml | 169 + .../2.6.1/templates/ntnx-csi-node-ds.yaml | 155 + .../2.6.1/templates/ntnx-csi-rbac.yaml | 118 + .../2.6.1/templates/ntnx-csi-scc.yaml | 30 + .../2.6.1/templates/ntnx-sc.yaml | 97 + .../2.6.1/templates/ntnx-secret.yaml | 18 + .../templates/service-prometheus-csi.yaml | 46 + .../nutanix-csi-storage/2.6.1/values.yaml | 150 + index.yaml | 289 +- .../generated-changes/overlay/Chart.yaml.orig | 33 - .../generated-changes/patch/Chart.yaml.patch | 12 - packages/nutanix-csi-snapshot/package.yaml | 2 - .../generated-changes/patch/Chart.yaml.patch | 12 - .../generated-changes/patch/README.md.patch | 10 - packages/nutanix-csi-storage/package.yaml | 2 - .../overlay/app-readme.md | 0 .../nutanix-csi-snapshot/upstream.yaml | 4 + .../nutanix-csi-storage/overlay/README.md | 192 + .../nutanix-csi-storage/overlay/app-readme.md | 1 + .../nutanix/nutanix-csi-storage/upstream.yaml | 4 + 907 files changed, 66311 insertions(+), 79 deletions(-) create mode 100644 assets/asserts/asserts-1.11.0.tgz create mode 100644 assets/bitnami/wordpress-15.2.15.tgz create mode 100644 assets/cockroach-labs/cockroachdb-9.1.1.tgz create mode 100644 assets/elastic/elasticsearch-8.5.1.tgz create mode 100644 assets/elastic/kibana-8.5.1.tgz create mode 100644 assets/elastic/logstash-8.5.1.tgz create mode 100644 assets/hashicorp/consul-0.49.1.tgz rename assets/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot-1.0.0.tgz (100%) rename assets/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot-6.0.101.tgz (100%) rename assets/{nutanix-csi-storage => nutanix}/nutanix-csi-storage-2.3.100.tgz (100%) rename assets/{nutanix-csi-storage => nutanix}/nutanix-csi-storage-2.4.100.tgz (100%) rename assets/{nutanix-csi-storage => nutanix}/nutanix-csi-storage-2.5.0.tgz (100%) rename assets/{nutanix-csi-storage => nutanix}/nutanix-csi-storage-2.5.100.tgz (100%) rename assets/{nutanix-csi-storage => nutanix}/nutanix-csi-storage-2.5.200.tgz (100%) rename assets/{nutanix-csi-storage => nutanix}/nutanix-csi-storage-2.5.401.tgz (100%) create mode 100644 assets/nutanix/nutanix-csi-storage-2.6.1.tgz rename charts/{nutanix-csi-snapshot/nutanix-csi-snapshot/1.0.0 => asserts/asserts/1.11.0}/.helmignore (100%) create mode 100644 charts/asserts/asserts/1.11.0/Chart.lock create mode 100644 charts/asserts/asserts/1.11.0/Chart.yaml create mode 100644 charts/asserts/asserts/1.11.0/README.md create mode 100644 charts/asserts/asserts/1.11.0/app-readme.md create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/.helmignore create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/Chart.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/README.md create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/ci/config-reload-values.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/templates/NOTES.txt create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/templates/_helpers.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/templates/configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/templates/ingress.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/templates/pdb.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/templates/serviceaccount.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/templates/services.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/templates/statefulset.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/templates/tests/test-connection.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/alertmanager/values.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/common/.helmignore create mode 100644 charts/asserts/asserts/1.11.0/charts/common/Chart.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/common/README.md create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_affinities.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_capabilities.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_errors.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_images.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_ingress.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_labels.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_names.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_secrets.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_storage.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_tplvalues.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_utils.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/_warnings.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/validations/_cassandra.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mariadb.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mongodb.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mysql.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/validations/_postgresql.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/validations/_redis.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/templates/validations/_validations.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/common/values.yaml rename charts/{nutanix-csi-snapshot/nutanix-csi-snapshot/6.0.101 => asserts/asserts/1.11.0/charts/knowledge-sensor}/.helmignore (100%) create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/Chart.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/README.md create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/_helpers.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/concurrency-config-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/deployment.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/ingress.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-config-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-relabel-rules-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-rules-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/promxyruler-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/promxyuser-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/role.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/rolebinding.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/service.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/serviceaccount.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/knowledge-sensor/values.yaml rename charts/{nutanix-csi-storage/nutanix-csi-storage/2.3.100 => asserts/asserts/1.11.0/charts/postgresql}/.helmignore (100%) create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/Chart.lock create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/Chart.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/README.md create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/.helmignore create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/Chart.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/README.md create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_affinities.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_capabilities.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_errors.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_images.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_ingress.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_labels.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_names.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_secrets.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_storage.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_tplvalues.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_utils.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_warnings.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_cassandra.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_mariadb.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_mongodb.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_postgresql.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_redis.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_validations.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/values.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/ci/extended-config.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/ci/init-scripts.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/ci/metrics.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/ci/rbac.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/ci/replication.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/ci/tls.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/NOTES.txt create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/_helpers.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/extra-list.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/networkpolicy-egress.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/extended-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/initialization-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/metrics-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/metrics-svc.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/networkpolicy.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/prometheusrule.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/servicemonitor.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/statefulset.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/svc-headless.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/svc.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/psp.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/networkpolicy.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/statefulset.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/svc-headless.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/svc.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/role.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/rolebinding.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/secrets.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/serviceaccount.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/templates/tls-secrets.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/values.schema.json create mode 100644 charts/asserts/asserts/1.11.0/charts/postgresql/values.yaml rename charts/{nutanix-csi-storage/nutanix-csi-storage/2.4.100 => asserts/asserts/1.11.0/charts/promxy}/.helmignore (100%) create mode 100644 charts/asserts/asserts/1.11.0/charts/promxy/Chart.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/promxy/README.md create mode 100644 charts/asserts/asserts/1.11.0/charts/promxy/templates/_helpers.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/promxy/templates/configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/promxy/templates/deployment.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/promxy/templates/ingress.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/promxy/templates/pdb.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/promxy/templates/service.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/promxy/templates/serviceaccount.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/promxy/templates/vpa.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/promxy/values.yaml rename charts/{nutanix-csi-storage/nutanix-csi-storage/2.5.0 => asserts/asserts/1.11.0/charts/redis}/.helmignore (100%) create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/Chart.lock create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/Chart.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/README.md create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/.helmignore create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/Chart.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/README.md create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_affinities.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_capabilities.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_errors.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_images.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_ingress.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_labels.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_names.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_secrets.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_storage.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_tplvalues.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_utils.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_warnings.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_cassandra.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_mariadb.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_mongodb.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_postgresql.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_redis.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_validations.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/charts/common/values.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/ci/extra-flags-values.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/ci/sentinel-values.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/ci/standalone-values.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/img/redis-cluster-topology.png create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/img/redis-topology.png create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/NOTES.txt create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/_helpers.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/extra-list.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/headless-svc.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/health-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/master/application.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/master/psp.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/master/pvc.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/master/service.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/metrics-svc.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/networkpolicy.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/pdb.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/prometheusrule.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/hpa.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/service.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/statefulset.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/role.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/rolebinding.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/scripts-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/secret.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/hpa.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/node-services.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/ports-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/service.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/statefulset.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/serviceaccount.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/servicemonitor.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/templates/tls-secret.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/values.schema.json create mode 100644 charts/asserts/asserts/1.11.0/charts/redis/values.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/.helmignore create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/Chart.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/README.md create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/README.md.gotmpl create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/NOTES.txt create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/_helpers.tpl create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/clusterrole.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/clusterrolebinding.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/pdb.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/podsecuritypolicy.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/role.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/rolebinding.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/scrape-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-deployment.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-ingress.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-pvc.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service-headless.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service-monitor.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-statefulset.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/serviceaccount.yaml create mode 100644 charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/values.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/_helpers.tpl create mode 100644 charts/asserts/asserts/1.11.0/templates/alertmanager-templates/_pagerduty.tpl create mode 100644 charts/asserts/asserts/1.11.0/templates/alertmanager-templates/_slack.tpl create mode 100644 charts/asserts/asserts/1.11.0/templates/config/alertmanager-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/config/k8s-calls-rules-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/config/tsdb-scrape-configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/grafana/_helpers.tpl create mode 100644 charts/asserts/asserts/1.11.0/templates/grafana/configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/grafana/ingress.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/grafana/secret.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/grafana/service.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/grafana/statefulset.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/role.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/rolebinding.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/server/_helpers.tpl create mode 100644 charts/asserts/asserts/1.11.0/templates/server/configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/server/service.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/server/statefulset.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/serviceaccount.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/servicemonitor.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/ui/_helpers.tpl create mode 100644 charts/asserts/asserts/1.11.0/templates/ui/configmap.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/ui/deployment.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/ui/ingress.yaml create mode 100644 charts/asserts/asserts/1.11.0/templates/ui/service.yaml create mode 100644 charts/asserts/asserts/1.11.0/values.yaml rename charts/{nutanix-csi-storage/nutanix-csi-storage/2.5.100 => bitnami/wordpress/15.2.15}/.helmignore (100%) create mode 100644 charts/bitnami/wordpress/15.2.15/Chart.lock create mode 100644 charts/bitnami/wordpress/15.2.15/Chart.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/README.md create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/.helmignore create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/Chart.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/README.md create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_affinities.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_capabilities.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_errors.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_images.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_ingress.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_labels.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_names.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_secrets.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_storage.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_tplvalues.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_utils.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/_warnings.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/validations/_cassandra.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/validations/_mariadb.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/validations/_mongodb.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/validations/_mysql.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/validations/_postgresql.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/validations/_redis.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/templates/validations/_validations.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/common/values.yaml rename charts/{nutanix-csi-storage/nutanix-csi-storage/2.5.200 => bitnami/wordpress/15.2.15/charts/mariadb}/.helmignore (100%) create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/Chart.lock create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/Chart.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/README.md create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/.helmignore create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/Chart.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/README.md create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_affinities.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_capabilities.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_errors.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_images.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_ingress.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_labels.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_names.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_secrets.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_storage.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_tplvalues.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_utils.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/_warnings.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/validations/_cassandra.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/validations/_mariadb.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/validations/_mongodb.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/validations/_mysql.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/validations/_postgresql.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/validations/_redis.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/templates/validations/_validations.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/charts/common/values.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/NOTES.txt create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/_helpers.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/extra-list.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/networkpolicy-egress.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/primary/configmap.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/primary/initialization-configmap.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/primary/networkpolicy-ingress.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/primary/pdb.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/primary/statefulset.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/primary/svc.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/prometheusrules.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/role.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/rolebinding.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/secondary/configmap.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/secondary/pdb.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/secondary/statefulset.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/secondary/svc.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/secrets.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/serviceaccount.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/templates/servicemonitor.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/values.schema.json create mode 100644 charts/bitnami/wordpress/15.2.15/charts/mariadb/values.yaml rename charts/{nutanix-csi-storage/nutanix-csi-storage/2.5.401 => bitnami/wordpress/15.2.15/charts/memcached}/.helmignore (100%) create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/Chart.lock create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/Chart.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/README.md create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/.helmignore create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/Chart.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/README.md create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_affinities.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_capabilities.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_errors.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_images.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_ingress.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_labels.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_names.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_secrets.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_storage.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_tplvalues.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_utils.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/_warnings.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/validations/_cassandra.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/validations/_mariadb.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/validations/_mongodb.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/validations/_mysql.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/validations/_postgresql.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/validations/_redis.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/templates/validations/_validations.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/charts/common/values.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/NOTES.txt create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/_helpers.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/deployment.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/extra-list.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/hpa.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/metrics-svc.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/pdb.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/secrets.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/service.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/serviceaccount.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/servicemonitor.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/templates/statefulset.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/charts/memcached/values.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/NOTES.txt create mode 100644 charts/bitnami/wordpress/15.2.15/templates/_helpers.tpl create mode 100644 charts/bitnami/wordpress/15.2.15/templates/config-secret.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/deployment.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/externaldb-secrets.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/extra-list.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/hpa.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/httpd-configmap.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/ingress.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/metrics-svc.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/networkpolicy-backend-ingress.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/networkpolicy-egress.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/networkpolicy-ingress.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/pdb.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/postinit-configmap.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/pvc.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/secrets.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/serviceaccount.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/servicemonitor.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/svc.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/templates/tls-secrets.yaml create mode 100644 charts/bitnami/wordpress/15.2.15/values.schema.json create mode 100644 charts/bitnami/wordpress/15.2.15/values.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/CONTRIBUTING.md create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/Chart.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/README.md create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/app-readme.md create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/NOTES.txt create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/_helpers.tpl create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/backendconfig.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/certificate.client.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/certificate.node.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/clusterrole.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/clusterrolebinding.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/cronjob-ca-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/cronjob-client-node-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/ingress.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/job-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/job-cleaner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/job.init.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/networkpolicy.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/poddisruptionbudget.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/role-certRotateSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/role-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/role.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/rolebinding-certRotateSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/rolebinding-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/rolebinding.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/secret.backendconfig.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/secret.logconfig.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/secret.registry.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/secrets.init.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/service.discovery.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/service.public.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/serviceMonitor.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/serviceaccount-certRotateSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/serviceaccount-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/serviceaccount.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/statefulset.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/templates/tests/client.yaml create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/values.schema.json create mode 100644 charts/cockroach-labs/cockroachdb/9.1.1/values.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/.helmignore create mode 100644 charts/elastic/elasticsearch/8.5.1/Chart.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/config/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/config/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/config/test/goss.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/config/values.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/config/watcher_encryption_key create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/default/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/default/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/default/rolling_upgrade.sh create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/default/test/goss.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/docker-for-mac/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/docker-for-mac/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/docker-for-mac/values.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/kubernetes-kind/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/kubernetes-kind/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/kubernetes-kind/values-local-path.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/kubernetes-kind/values.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/microk8s/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/microk8s/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/microk8s/values.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/migration/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/migration/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/migration/client.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/migration/data.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/migration/master.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/minikube/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/minikube/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/minikube/values.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/multi/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/multi/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/multi/client.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/multi/data.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/multi/master.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/multi/test/goss.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/networkpolicy/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/networkpolicy/values.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/openshift/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/openshift/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/openshift/test/goss.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/openshift/values.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/security/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/security/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/security/test/goss.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/security/values.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/upgrade/Makefile create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/upgrade/README.md create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/upgrade/test/goss.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/examples/upgrade/values.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/NOTES.txt create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/_helpers.tpl create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/configmap.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/ingress.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/networkpolicy.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/poddisruptionbudget.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/podsecuritypolicy.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/role.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/rolebinding.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/secret-cert.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/secret.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/service.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/serviceaccount.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/statefulset.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/templates/test/test-elasticsearch-health.yaml create mode 100644 charts/elastic/elasticsearch/8.5.1/values.yaml create mode 100644 charts/elastic/kibana/8.5.1/.helmignore create mode 100644 charts/elastic/kibana/8.5.1/Chart.yaml create mode 100644 charts/elastic/kibana/8.5.1/Makefile create mode 100644 charts/elastic/kibana/8.5.1/README.md create mode 100644 charts/elastic/kibana/8.5.1/examples/default/Makefile create mode 100644 charts/elastic/kibana/8.5.1/examples/default/README.md create mode 100644 charts/elastic/kibana/8.5.1/examples/default/test/goss.yaml create mode 100644 charts/elastic/kibana/8.5.1/examples/openshift/Makefile create mode 100644 charts/elastic/kibana/8.5.1/examples/openshift/README.md create mode 100644 charts/elastic/kibana/8.5.1/examples/openshift/test/goss.yaml create mode 100644 charts/elastic/kibana/8.5.1/examples/openshift/values.yml create mode 100644 charts/elastic/kibana/8.5.1/examples/security/Makefile create mode 100644 charts/elastic/kibana/8.5.1/examples/security/README.md create mode 100644 charts/elastic/kibana/8.5.1/examples/security/test/goss.yaml create mode 100644 charts/elastic/kibana/8.5.1/examples/security/values.yaml create mode 100644 charts/elastic/kibana/8.5.1/examples/upgrade/Makefile create mode 100644 charts/elastic/kibana/8.5.1/examples/upgrade/README.md create mode 100644 charts/elastic/kibana/8.5.1/examples/upgrade/test/goss.yaml create mode 100644 charts/elastic/kibana/8.5.1/examples/upgrade/values.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/NOTES.txt create mode 100644 charts/elastic/kibana/8.5.1/templates/_helpers.tpl create mode 100644 charts/elastic/kibana/8.5.1/templates/configmap-helm-scripts.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/configmap.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/deployment.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/ingress.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/post-delete-job.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/post-delete-role.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/post-delete-rolebinding.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/post-delete-serviceaccount.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/pre-install-job.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/pre-install-role.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/pre-install-rolebinding.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/pre-install-serviceaccount.yaml create mode 100644 charts/elastic/kibana/8.5.1/templates/service.yaml create mode 100644 charts/elastic/kibana/8.5.1/values.yaml create mode 100644 charts/elastic/logstash/8.5.1/.helmignore create mode 100644 charts/elastic/logstash/8.5.1/Chart.yaml create mode 100644 charts/elastic/logstash/8.5.1/Makefile create mode 100644 charts/elastic/logstash/8.5.1/README.md create mode 100644 charts/elastic/logstash/8.5.1/examples/default/Makefile create mode 100644 charts/elastic/logstash/8.5.1/examples/default/README.md create mode 100644 charts/elastic/logstash/8.5.1/examples/default/test/goss.yaml create mode 100644 charts/elastic/logstash/8.5.1/examples/elasticsearch/Makefile create mode 100644 charts/elastic/logstash/8.5.1/examples/elasticsearch/README.md create mode 100644 charts/elastic/logstash/8.5.1/examples/elasticsearch/test/goss.yaml create mode 100644 charts/elastic/logstash/8.5.1/examples/elasticsearch/values.yaml create mode 100644 charts/elastic/logstash/8.5.1/examples/oss/Makefile create mode 100644 charts/elastic/logstash/8.5.1/examples/oss/README.md create mode 100644 charts/elastic/logstash/8.5.1/examples/oss/test/goss.yaml create mode 100644 charts/elastic/logstash/8.5.1/examples/oss/values.yaml create mode 100644 charts/elastic/logstash/8.5.1/examples/security/Makefile create mode 100644 charts/elastic/logstash/8.5.1/examples/security/README.md create mode 100644 charts/elastic/logstash/8.5.1/examples/security/test/goss.yaml create mode 100644 charts/elastic/logstash/8.5.1/examples/security/values.yaml create mode 100644 charts/elastic/logstash/8.5.1/examples/upgrade/Makefile create mode 100644 charts/elastic/logstash/8.5.1/examples/upgrade/README.md create mode 100644 charts/elastic/logstash/8.5.1/examples/upgrade/test/goss.yaml create mode 100644 charts/elastic/logstash/8.5.1/examples/upgrade/values.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/NOTES.txt create mode 100644 charts/elastic/logstash/8.5.1/templates/_helpers.tpl create mode 100644 charts/elastic/logstash/8.5.1/templates/configmap-config.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/configmap-pattern.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/configmap-pipeline.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/ingress.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/poddisruptionbudget.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/podsecuritypolicy.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/role.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/rolebinding.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/secret.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/service-headless.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/service.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/serviceaccount.yaml create mode 100644 charts/elastic/logstash/8.5.1/templates/statefulset.yaml create mode 100644 charts/elastic/logstash/8.5.1/values.yaml create mode 100644 charts/hashicorp/consul/0.49.1/.helmignore create mode 100644 charts/hashicorp/consul/0.49.1/Chart.yaml create mode 100644 charts/hashicorp/consul/0.49.1/README.md create mode 100644 charts/hashicorp/consul/0.49.1/addons/gen.sh create mode 100644 charts/hashicorp/consul/0.49.1/addons/values/prometheus.yaml create mode 100644 charts/hashicorp/consul/0.49.1/assets/icon.png create mode 100644 charts/hashicorp/consul/0.49.1/templates/NOTES.txt create mode 100644 charts/hashicorp/consul/0.49.1/templates/_helpers.tpl create mode 100644 charts/hashicorp/consul/0.49.1/templates/api-gateway-controller-clusterrole.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/api-gateway-controller-clusterrolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/api-gateway-controller-deployment.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/api-gateway-controller-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/api-gateway-controller-service.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/api-gateway-controller-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/api-gateway-gatewayclass.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/api-gateway-gatewayclassconfig.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/api-gateway-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/auth-method-clusterrole.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/auth-method-clusterrolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/auth-method-secret.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/auth-method-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-config-configmap.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-daemonset.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-securitycontextconstraints.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-snapshot-agent-deployment.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-snapshot-agent-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-snapshot-agent-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-snapshot-agent-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/client-snapshot-agent-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/cni-clusterrole.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/cni-clusterrolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/cni-daemonset.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/cni-networkattachmentdefinition.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/cni-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/cni-resourcequota.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/cni-securitycontextconstraints.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/cni-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/connect-inject-clusterrole.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/connect-inject-clusterrolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/connect-inject-deployment.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/connect-inject-leader-election-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/connect-inject-leader-election-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/connect-inject-mutatingwebhookconfiguration.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/connect-inject-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/connect-inject-service.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/connect-inject-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/connect-injector-disruptionbudget.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/controller-clusterrole.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/controller-clusterrolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/controller-deployment.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/controller-leader-election-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/controller-leader-election-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/controller-mutatingwebhookconfiguration.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/controller-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/controller-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/controller-webhook-service.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-exportedservices.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-ingressgateways.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-meshes.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-peeringacceptors.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-peeringdialers.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-proxydefaults.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-servicedefaults.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-serviceintentions.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-serviceresolvers.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-servicerouters.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-servicesplitters.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/crd-terminatinggateways.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/create-federation-secret-job.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/create-federation-secret-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/create-federation-secret-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/create-federation-secret-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/create-federation-secret-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/dns-service.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/enterprise-license-job.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/enterprise-license-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/enterprise-license-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/enterprise-license-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/enterprise-license-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/expose-servers-service.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/gossip-encryption-autogenerate-job.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/gossip-encryption-autogenerate-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/gossip-encryption-autogenerate-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/gossip-encryption-autogenerate-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/ingress-gateways-deployment.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/ingress-gateways-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/ingress-gateways-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/ingress-gateways-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/ingress-gateways-service.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/ingress-gateways-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/mesh-gateway-clusterrole.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/mesh-gateway-clusterrolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/mesh-gateway-deployment.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/mesh-gateway-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/mesh-gateway-service.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/mesh-gateway-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/partition-init-job.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/partition-init-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/partition-init-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/partition-init-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/partition-init-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/partition-name-configmap.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/partition-service.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/prometheus.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-acl-init-cleanup-job.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-acl-init-cleanup-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-acl-init-cleanup-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-acl-init-cleanup-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-acl-init-cleanup-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-acl-init-job.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-acl-init-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-acl-init-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-acl-init-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-acl-init-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-config-configmap.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-disruptionbudget.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-securitycontextconstraints.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-service.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/server-statefulset.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/sync-catalog-clusterrole.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/sync-catalog-clusterrolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/sync-catalog-deployment.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/sync-catalog-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/sync-catalog-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/terminating-gateways-deployment.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/terminating-gateways-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/terminating-gateways-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/terminating-gateways-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/terminating-gateways-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/tests/test-runner.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/tls-init-cleanup-job.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/tls-init-cleanup-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/tls-init-cleanup-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/tls-init-cleanup-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/tls-init-cleanup-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/tls-init-job.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/tls-init-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/tls-init-role.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/tls-init-rolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/tls-init-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/ui-ingress.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/ui-service.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/webhook-cert-manager-clusterrole.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/webhook-cert-manager-clusterrolebinding.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/webhook-cert-manager-configmap.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/webhook-cert-manager-deployment.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/webhook-cert-manager-podsecuritypolicy.yaml create mode 100644 charts/hashicorp/consul/0.49.1/templates/webhook-cert-manager-serviceaccount.yaml create mode 100644 charts/hashicorp/consul/0.49.1/values.yaml create mode 100644 charts/nutanix/nutanix-csi-snapshot/1.0.0/.helmignore rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/Chart.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/README.md (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/app-readme.md (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/questions.yml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/NOTES.txt (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/_helpers.tpl (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/snapshot-controller-rbac.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/snapshot-controller-sts.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/validating-deployment.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/validating-webhook.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/volumesnapshotclasses_rel3.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/volumesnapshotclasses_rel42.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/volumesnapshotcontents_rel3.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/volumesnapshotcontents_rel42.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/volumesnapshots_rel3.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/templates/volumesnapshots_rel42.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/1.0.0/values.yaml (100%) create mode 100644 charts/nutanix/nutanix-csi-snapshot/6.0.101/.helmignore rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/Chart.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/README.md (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/app-readme.md (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/questions.yml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/NOTES.txt (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/_helpers.tpl (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/snapshot-controller-deployment.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/snapshot-controller-rbac.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/validating-deployment.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/validating-rbac.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/validating-webhook.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/volumesnapshotclasses_rel3.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/volumesnapshotclasses_rel60.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/volumesnapshotcontents_rel3.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/volumesnapshotcontents_rel60.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/volumesnapshots_rel3.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/templates/volumesnapshots_rel60.yaml (100%) rename charts/{nutanix-csi-snapshot => nutanix}/nutanix-csi-snapshot/6.0.101/values.yaml (100%) create mode 100644 charts/nutanix/nutanix-csi-storage/2.3.100/.helmignore rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/Chart.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/README.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/app-readme.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/crds/snapshot.storage.k8s.io_volumesnapshotclasses.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/crds/snapshot.storage.k8s.io_volumesnapshotcontents.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/crds/snapshot.storage.k8s.io_volumesnapshots.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/questions.yml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/templates/NOTES.txt (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/templates/_helpers.tpl (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/templates/csi-driver.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/templates/ntnx-cs-scc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/templates/ntnx-csi-node.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/templates/ntnx-csi-provisioner.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/templates/ntnx-csi-rbac.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/templates/ntnx-secret.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/templates/sc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/templates/snapshot-controller-rbac.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/templates/snapshot-controller-setup.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.3.100/values.yaml (100%) create mode 100644 charts/nutanix/nutanix-csi-storage/2.4.100/.helmignore rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/Chart.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/README.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/app-readme.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/crds/snapshot.storage.k8s.io_volumesnapshotclasses.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/crds/snapshot.storage.k8s.io_volumesnapshotcontents.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/crds/snapshot.storage.k8s.io_volumesnapshots.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/questions.yml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/NOTES.txt (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/_helpers.tpl (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/csi-driver.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/ntnx-csi-node-ds.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/ntnx-csi-provisioner-sts.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/ntnx-csi-rbac.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/ntnx-csi-scc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/ntnx-sc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/ntnx-secret.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/service-prometheus-csi.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/snapshot-controller-rbac.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/templates/snapshot-controller-sts.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.4.100/values.yaml (100%) create mode 100644 charts/nutanix/nutanix-csi-storage/2.5.0/.helmignore rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/Chart.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/README.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/app-readme.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/questions.yml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/templates/NOTES.txt (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/templates/_helpers.tpl (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/templates/csi-driver.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/templates/ntnx-csi-node-ds.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/templates/ntnx-csi-provisioner-sts.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/templates/ntnx-csi-rbac.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/templates/ntnx-csi-scc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/templates/ntnx-sc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/templates/ntnx-secret.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/templates/service-prometheus-csi.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.0/values.yaml (100%) create mode 100644 charts/nutanix/nutanix-csi-storage/2.5.100/.helmignore rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/Chart.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/README.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/app-readme.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/questions.yml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/templates/NOTES.txt (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/templates/_helpers.tpl (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/templates/csi-driver.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/templates/ntnx-csi-node-ds.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/templates/ntnx-csi-provisioner-sts.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/templates/ntnx-csi-rbac.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/templates/ntnx-csi-scc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/templates/ntnx-sc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/templates/ntnx-secret.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/templates/service-prometheus-csi.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.100/values.yaml (100%) create mode 100644 charts/nutanix/nutanix-csi-storage/2.5.200/.helmignore rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/Chart.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/README.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/app-readme.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/questions.yml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/templates/NOTES.txt (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/templates/_helpers.tpl (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/templates/csi-driver.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/templates/machine-config.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/templates/ntnx-csi-node-ds.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/templates/ntnx-csi-provisioner-sts.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/templates/ntnx-csi-rbac.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/templates/ntnx-csi-scc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/templates/ntnx-sc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/templates/ntnx-secret.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/templates/service-prometheus-csi.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.200/values.yaml (100%) create mode 100644 charts/nutanix/nutanix-csi-storage/2.5.401/.helmignore rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/Chart.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/README.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/app-readme.md (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/questions.yml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/templates/NOTES.txt (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/templates/_helpers.tpl (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/templates/csi-driver.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/templates/machine-config.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/templates/ntnx-csi-controller-deployment.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/templates/ntnx-csi-node-ds.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/templates/ntnx-csi-rbac.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/templates/ntnx-csi-scc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/templates/ntnx-sc.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/templates/ntnx-secret.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/templates/service-prometheus-csi.yaml (100%) rename charts/{nutanix-csi-storage => nutanix}/nutanix-csi-storage/2.5.401/values.yaml (100%) create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/.helmignore create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/Chart.yaml create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/README.md rename {packages/nutanix-csi-storage/generated-changes/overlay => charts/nutanix/nutanix-csi-storage/2.6.1}/app-readme.md (100%) create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/questions.yml create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/templates/NOTES.txt create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/templates/_helpers.tpl create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/templates/csi-driver.yaml create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/templates/machine-config.yaml create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/templates/ntnx-csi-controller-deployment.yaml create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/templates/ntnx-csi-node-ds.yaml create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/templates/ntnx-csi-rbac.yaml create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/templates/ntnx-csi-scc.yaml create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/templates/ntnx-sc.yaml create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/templates/ntnx-secret.yaml create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/templates/service-prometheus-csi.yaml create mode 100644 charts/nutanix/nutanix-csi-storage/2.6.1/values.yaml delete mode 100644 packages/nutanix-csi-snapshot/generated-changes/overlay/Chart.yaml.orig delete mode 100644 packages/nutanix-csi-snapshot/generated-changes/patch/Chart.yaml.patch delete mode 100644 packages/nutanix-csi-snapshot/package.yaml delete mode 100644 packages/nutanix-csi-storage/generated-changes/patch/Chart.yaml.patch delete mode 100644 packages/nutanix-csi-storage/generated-changes/patch/README.md.patch delete mode 100644 packages/nutanix-csi-storage/package.yaml rename packages/{nutanix-csi-snapshot/generated-changes => nutanix/nutanix-csi-snapshot}/overlay/app-readme.md (100%) create mode 100644 packages/nutanix/nutanix-csi-snapshot/upstream.yaml create mode 100644 packages/nutanix/nutanix-csi-storage/overlay/README.md create mode 100644 packages/nutanix/nutanix-csi-storage/overlay/app-readme.md create mode 100644 packages/nutanix/nutanix-csi-storage/upstream.yaml diff --git a/assets/asserts/asserts-1.11.0.tgz b/assets/asserts/asserts-1.11.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..2bd00fb58f6bf04aa1002a51ed3f5f483467cb64 GIT binary patch literal 207994 zcmV*1KzP3&iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ%cH20zC_KOQ6c{-@v9nF;;%jRry|>$O(q5g|-nP@d=XCc{ zAQF<$CJ6=rWoyzt>%7MI_j|PSBxm79f;UOFWhdzoe4?f#|R>F)0C`~|d^PfGbo z7>D#P?FZv3Hts8VU=$G!IVKV7H30A+hXEP69^^bgE+#DxQI3Zg`8^Or$|FQ8i}{$v z0h~G!3{ejps8Ll}@+ui1XM!lhBJ;0ei5N*nc5pPNaOt8lZ#n1^6r`Tf-!_g=} zbLgnARU*eC00xNi5Jqr>%ABx2&cR+NnxbsGoo$;1F(u*6lqP{1G#Me*hY}s?+Z+ng zLKg15GU|j?V;1k1jaUKkNEni64v@5v)mb<0O-4OMK4v2d<8hw)?0t!P`DqSbQzk>Z z>+ZXI1-uASuL`ex|2TMK!uW_HR_H7Jw%k+t!^dD=Z`lPi>>an`cDEWnVjjh@LZ(F) z_yGkWkgFl!L{Kxtql6-WB919CA_y=Jy{iWHMAb3pG3&Kj*Voss{_aBD8p4VA?#9um z5keesh$BR$gepqOga#Ry5$5A$;Cdu%8G)A@`JY?= z1L9pRe~p>5{&#k_c1r92PG`0LKgCmAI~Q6N%}6zaU5{8yT4NN1j+%T`Ytdbnyaytg zv7Fr*a=Na~SSaoRbnlU2R<1<`rmE}?Fppq}rL@t%^E~bBxt$bZm9W1fKqL7d31IEg za7Uc;>_ zK8{AJ5GMcz0l5Z4Lcs{}R)86AT|@4T0U4??G4VG6iu{=1h_g)zh#@+`9%2ATfRB+X zh$F^f5Fj6X`UKo_Wiz@d9pLs>D3%mKj(UL8L{zg4U+_s3KsTJiw{U<0^`^151}+r3 z1J5H##8Y)pXB5M3IE&kuVMr zj}T+B8)CwRLJR{1V3=^BBYR^QjSzEFMZGBy;1G_`SrP;n$fJm}9{A!9wccB=20Yj2s#yGfS{y-ID9)&Todx2Tw;hn-S#)Gz9 zvH_8eXvs+!$CShrLyiDNfoMIBMogBp{#MNuvt~lD5Bx+a|40>-BSg+8Q7|ipC?!dYRY^{;w2zR@FN1Z6=r9QpdTQ{X5zEi?BqFHV)q(&&k(>vFeM3ykRHpv4{9l1a|40}Mj8LjHlVBe^bGG>13MGc^6 zqE;Ksk(ky(5WP7$JwF1+ufh5Ilau3iGm8gfK6zDob z2(%QSoO{zz??M<$-56}>MTsHK1y>X7;z$@Ash3Jgda%xLhyzH2DS#j%J_0xv<6kYp zC&Wi*gmMW^cW=riFeZ#ktw9QX9Eph{+5tF`T2e0*4e9N-_uH}u&yk1l1ksWjC5f^-3{X>4&1x1v?`jjoqDTCMPd5SL zp6g2PT|>+P$01@Z9C1V^FklT+Ux@V)B}v>D#d@FtdtVli($-l z!Tceip)3$5L2yO_>`i;%cz8ni8AS|5Tz*_z0|qve^Grep9FD;Cm@pwihA;`Z=qI^; zNY^)vW4*)XN+=wTdSKFayYALrSJD?@en>K(w$cZb)-R@-5D$*!))$XzQ`!botT*Wj zxOSnlSuFwp(!9bZw3(mOx{~f06d8Ma>lSn#X&b87x^m9Uy}j-2Y;Sd&HXeuP{@m`i zv(747I1K=j*oPcla50NUQ$?|I-k*~|sGaX+0oBX)8>N^4qw3f-_0o8Jrn+7#VEgT@ zc0-CVwN5ir--ySpHekpjkuQ{iA)!dv)_@}#;z*6tyisoLEdVx7IPl4}E|Z(RLdl{L z;)uyTU@>z&5_u>V-Am|IK%mcBF;V|G0Ujc6>Pc6xh5QYL9y&u56aPX{DTJ@4A4L;P zNfZiOb^<9Dvz!^_QL93FL}>+Fw9V*wQm;^*Q432-H>P?H5Ho>87~cuaYf3_cs%Y9) zX`TAj8S$&%9+Y7SEyAd~<{c*iqNbR}J{*eKIn6<|=Bh3xU;jjcBt-9|~Pq15@UE>=CP z3mgUzhpI95Vwm9aLYUy?E`nx0CitnB!H(N$@9oSI{R>O({kH1fk~a((3+wnSH&)(a z#)WBid?sX*usje0kb~(N)E@D<|c-`1^7i%fUpVU@E1<)qcwT zw9=&<^=A|f@l9I$NKhm{%hffe(oro9&k3SaNnBoXWZvk6pqk$%2KItN6>(tLz1HMBxxdu)J#O56fLTHPEMBH#=_I?d)~F1dC~_-CnJ`t9AE_ zS$Fk(TrIwzXYtkSzsm|--D3=S3B`OWmIZXfwE#|{1NNRF+5??-yOX_pLrD@_FNe7| zRjc|#ma0W<{k1jlMlVLt4{-!y$k;WZeqn9W!bcg>0UB~O9!zN=aO7T+u@sf4*K%lW z4M0F)Z%X_`?!IoM4T;pIoncbK41X%zbYeZpMZ77N2CXr< zb~tHqN)n;LjS1mS7Fy_F#uBmWcog|6+`~~31Pgm-cV&?~FvRAcro;Av)Gz#Uz!8j;)Oz z*3j`57SjySY)?YHXvuvK-je-`8CSERWjmO}It{}(K#riuQ6%Y|L}!Sl4q(x$_*8n4 zIn>XJAr)4{c(2te@8w&k9PaG&-f!=BQ#6>pQuA>xQKRpn3xwMo3>T9gorn%qM+5fX9MBn2OYGP+L&QHgHK zGyuKC>o5p~0cgdEs33|LvD^o-^@!Gsl)l23Jh`RTRgHH5a^_*)K-8;*iHUaD7zKeY zC#|?n+wsu=!^r8h9lEu*uRqSTA`5zqW%d?N8kFtdVu{{->$c+fLS}<@+;1&I(Td#6 zVmHkea(XmQAG}#~-!s2aq#5+6yPuVjX!nu*TkSbqH zpg6^7A|`CEdu6PuP!<$`O9`?E283|2uEyD?!_;*AfiR&n)GmDwYr1ONm|O!gF;5ICUuY>E%&R2VQBzJR&?*j#a#_SRvCD`dk1$G%(egW}<~1iM3fS ze<|sIg=r5obNho;6;umm<56WQ@mbX^w0W$mOhZT8s-;$`L^A$YFftuu%s!0T$`mJy zv6_IJ=}}&9kU@0JAC$vr@`_~XJfD4hr!@%3pcO(f80VbswGU}DIP(Wp@x>+(ze<|L zEIukZbnYn#Rh!?zIJ2S!Nsdy|)K?8%1-}#)9V3qScHB-QMPa!y1vDjmhDi{dRDD!X zDW@@*wSX+|IV!y<^X#Xp--EMZ(*I?~mSE?}5@Ktz|QnpXn?t z!gzi9_SMmO6_83nS_bg$=<7sqG|(qtaxmhiWV3pF0iBzzyMz+8;PW^b&`NA))s5z-~JQ zEKgXGNCn3Az*gJWpL8aM5Z+vH7@!C-mZ_V&ZI&+cn@@T%=Zw5gic)< z@rV2~L_H+5@11sPedk8CR&UZ3RZb5a>8~wo@h`;8E7M+nF&r%$q(-4AYje55q6*b^ zp#IO|^MYy$C~VrKgQjNe_dv6w^^eT>SMCf`x8Teux$?^!$OWm87mjAie}Pir@t2$P zqyO%|Kd&UCeB5BWyWesIFarIjTZt-V&llWjk1fg{zsr^&<$tO`F=s?PU^L8yQA6LN zq)Amo3Q!%$FprL01${)v$LtM-@py5g*0>BS>{;_krg_MjuURIevJtC%7hb|R2^B>k zOahKUNPJ;t$f;4W%_Ru(iFbvlq$~3bw$xjzuYAlx8F@6vlW3LHChM---EEX&aWc<^ zmAI)Kn^RHj{ua1c-7!ZVPpIf&4kI51B$E8gw%^JT9I9_L8oQHw;Ez<}fxc$89H9Ar zR9`f6R5mI`R6`<;BNWtO7CQIotJ5A}IPwsf&VhBXaOtj8`_y7? z64@Urr%`@n<>H0zKknviMT5n*QbB57blUBASOxOv4bQT@lgosadTv7)pG$qKvR~HL zWYEEl@|-QdTa-UN*CCc0zRIsX??9x+NrK%pVz|o~6|C0nYV^327QayKVUGD@8MXu%wX1;aYt#UZ5nh?Nk8Dx3tUy&4?bnuO3z9CX7`B!dcFHqOjl@vQx|HNa7e zjT_d>n0*X@;|N(Ra~U;Ls=+`0adi6HDyql@DF$%-8l0S7f}{UAzPP*q@u<%@Gwte2UjI=FpdemTTgzCp^k>Y)!<3gry}_EJrI0Q@ysCfZ2A$QLVutAa@S-PWkLux}O36Lh8NDh? zWnEfqip^#9TOXkZe+UILfF1(P|7e0{zj^m5ByR#x6ta2>)ptdr(6e1OR%TugeEI}% zslj4H}N1%6d=CAICk^rywimIpFUMo`2&1R2uFn`m!T-< zx9<$5ynLI+Y|S{kw`wYNET8k%xMv%;vL3ZBdX{XC0r_ zq~g|xZk9G5N_fu^PiUlemSRd`M8SnVJ138mRSysAyjc?{4%CyBE9@xD4tQq27edPj zDD641_FHlwY{B}h^Z@|NShXk2EgR?Kl7F)AuMLw%py4W^htk{#12jfXdg%VpL~REk0(kN?CJ88aN< zXedJ}WtNZ<#;dHl&BAO^f-xN60CS9(YvD?z=DJLE{TfF;Xik1V7`q5*EQwwqpuW^D1?IEDP<`EsD?U{1O@KUEpWFIfJ!SvTLV3RLgkz5X zXQ#8(&ijA5-R@3%<^Oq#M~a0kA-w7D^0c?QUzf=it7lpMe_IE)-kO4Okg%1)jf3YRcBNf(5`YLLyyo$P*?^X7WB3M#}B2 z5PUHiwwvX!NTft0!v7_%!CemaoAdAV86-s8rtHlx-?4Y-IzQhWBk^`!oqq zKT?)kJ)Nm}Y{UDV48ZNJ)F(^0)VJ9HGab#Y$x`dL8gll14s^+ex-#=i)YqIl00JCc zxj6E$k0Q?Ije&1iD=qt<@<89qPoLItj>1_I^mfV=M_d~Gf%7H6iw?d{(lmFG)fr1k@T zZoPK(EcPsJ|D~5#-5JMh`>)gK?iTI8&erzo{@*8g)Lxgog{HY7X*8NQNbL+ue@S-gnx&t?t%-d%N4- z-rn2o?Dltuu@W9aekUffZu0lgunC~fMOYt#NA!GKFE zJQ_!%ySEp-kdz5y4dQ^ksI`;sU_Z?nhj+HD7O|x6PPR?B=Jo}l9QkJu(>aaEO(z+V z@oQ71che^QDBO~%53Q6?nXeg2wHa|AI!DG6U zm#G)ahW@$L;W>PMnEsnnfWJgH<&qTN)fUEQ*uuE4fL!^NALS|ge|0|3oEtcw(DSZ1 z=J!debO@z zi$e$cxJ6Gb&c!J8AU#R)2Z+Q{5pl3B>KT+d4AU?$=alX9-YOSsFhPBeLqrnZ13RHQ z$4wHR9{!c*e3Mu@10hfu_|t_!#lh>6@-CSEU}|S{NL>K-yP0k)t6 zG5|AerHAkY(duI-CX(L;x3^BNITXbR@;**e3Ty6|hF(J~SjKWMt$6%7xkVaNV498J|3Rh|YP>B35?WSyGFO{OJ53p}!XG+Q~RC^fqkSmZA zLhg;N^usoobOgR^o}6ADzdk-ZxI8{R=^wm3I={SVR@EqKJul6*Z`JIxq=TW^&At~K zR_1Pf{q!EW5{%LSuL4piRE9F68_WD>0l5p?i%k6Mzatkdt*`icp*fNTXe=^M($cHB z@}#|7-3P1rQVFFnB}}zag6O+0Yu9KnCgiHG^!!3jGKM0*uT>_$q6hO=QI<}rW=X8d zM@$4Q^5(4;jIl1*nryeSlqD*ACHqfB@XPr}7c)jZXdz7#XV)*E@>4a-V2t~cEmj{Z zO!`Z)W4$qqB2-mDe<@ZlAq~CUF;ejS)2B3!V{R;j;MenJ5%Rq5mM+A8fTOD(c>cWn z>CO}xpJX*T@*3qkgH+zXBE)>B+A?Oj{Jqo!#H?eJn?^5bwx*KhH=mXe>nOye5NK9gEzI7l%x2;($qQ~SVu?I0m3pZ zD_8&1KDGY;Lek=gYyr&k|L^YY75)EvyL&7D|5H47cIVe8wSJ)IzABk@>b@7Yb;-&t zSIOtsmVepH)LL34!NB=0{VR7*H!w~KnJQNo=}{D@dp;zh+=_y3V%h^N3Bh0r)~%qt zO<)JkZDtPojnaxFp7jiujMeE;$k9&t>31@CS$oHK(*j#6r4vOrGeQbsKrjDyvo-0o z+!xK;4e%Xk=U4f{Re0*TCiF^P8v)8BCAd)7XS_eFLW%LFQrf0cE#0O@Ww$DL@f2Jf zJa>Q4SJ&xFn$GSEbp_R3rgTNuS=SSlJI{>EN9#m$f!gQn#Lv}z^76f9^q#ty?P+_@ zy0qZmcn-E;jPJUv+PzqR6U4*&taR!6N(~ZAWPZ~@U0Aamov6t0&!i!#i%xqG_JkeinTv8{UzSG}%dF3HJ3gWKWs?%Zmp9+a ze7a{BXh4s$+%1Lwn!vsfIn>dfsT|G3UoD50$MU5vQWo2-i`JIH^`})b44bQ0xtGnD zlAGyLl>16PEzbUj`+w{F|7u{^*T&yB{C|%Be{XAhcc~vr%;{5va50OPZ$OTuyzjdbW5~!_m_1& zt-~Q5A@2B?%BvspTlp2#s7AlS)ZX#X-)c`OsPDOeL4!ieCk_5smoVa3SIos9tgWr( zFN9`20E25dWx9BJnTa{#@Y6eRtk3a^+6^VZe=g8MW6Y_2ng$lLQX`= zxA`!My2R4i-VO;+FTLx`pdXWn(7qX2R=AV;z;TEehhd!ms2pN_u@((bP^KDsDu_bg z!jjQ|M(C!75x|rVQDm;5)ZMC<`{GI=S)2Z)2AC?;v%btF#!tdULW@Bs7h^C^#?Yc3Bl&y1%NK^sJK+jbcb4C$tCtKEEaX zz7T(XdjhDVo~mpg#nds~8e{3w7ym|qotK2~jJpy_CKJStkp+vY*ln5&T@)AS<( zccoZ=#s2*}y2*=i*eiv4rBJUF>XkyhQmCs4UMbWog?gn>&uzg?zmN}FA2vkxYB zrOmFi*_AfC(q>oMY$3j5=9P9UwRWiy9*gjLrSq<0JXY32p}i~XVP!q6tcR8L@by{` zs~C@!74c`cBI>R+Us(~$w<6~7dSykdtcaBrQE2bVidb0@D=T7UMXaodl@+nFB0iTD zQF>wh{M?uJF7YYf|E!b$wfbWe#E3GN$9KQ-Irq%I|GC}W-rmaJ|J>Q#-Pu~*|NIos zr%$aH4Rde1yb$e0OAmG*4RK`2H(g2?LQQ#Ra$(AwONnhuFD*B-&>zCajXbcsC4b`Z zA{h?x4QM(UA`~zKtt@&YNt0`5Ej82Cv8Jy0-N?1rSf+DZ{aP2C+47>DTig0l!3T3- zn9_F-E_fsiNu+P&p34e#t9G-NlmME$yXBSPv72c>E+(zilFjmr+RmFCVGITGg6%~~ zyU^w5k;n?=9zg0F#O1ZwF=XtTP#-YlQN-N^Xcgt=&L)`fv5Rgn<2V|rI`)O;F~t!d zg621@3D$WWEL8v5MtM+G0xU7EG#lKF(%34Gvvb4~8c9c%RM9k#02%y_JPz2HB!LeG z2zV4hj{JJwsRD0o4(7NQ5xx)y>=sM1W;Eh+i|9vv>eqkeMhs!>PGR^U4Pf^A-)VQ- zox=LR*V*1%t^ZH)z!>W*M|)t>X?IqWr*kGtCPDN6+5#lYhdnLKs?AZFEkGPs?`GX7RtW z>D_4<^uQldYS>KcG%BnggD^BYdLf-HsY&AlK5Z?q0MLq)wgChhyl0+O) z1~>tX!)$1|gpL53AUXxzZ7?PYWv+&JLI93|c7GxUAVpw+a5Ms(LhlOsn}9^Y6fi7k z%b}13G#Hvh(hXs@71$>5AsY_}q&|R=4-lnAQ|C^ZEPx#qM->xz6OCKz(|O|`(rS{=vpF- z2*<-I;A6|O}o99;s6J|>89!vu>59tp+U5#m5Djy&aogd$to9}?QvSo56!B_Ja+ zgpV*EBPwSrBLQk|g60sb|JjrUWYl!QD>Q^jAjgOE?V9?wY zikYERm6yN*G(iD)DcP-g5JNsrC-NEOV?p`#7*UjVx(6e`IH3p#Ekx4G#1vhB zLd9ku1I*DD@CRTW57ofY!%TUMgj@tKL2CkOE5L(P)SI&3{@;LqJBVcg2qs z8X2|hTM_C3UE?5-BT$`#J!9p>znRjhP;Gg zJ~f?eh6eOQF^?Idn?|v>kgJ7M6zPj1;HCOQ!(d8e8H-^`5^xP8t{uSS8Vo48W?CYv zRWn_)a0DRu$B@DheYXkzfzw|o93cNYA!GibERXM8dmPJ|t2iKW^ksQpF(KWASG0MA zTww$*V2Gq=5pquPAmJ#5C@K38z?%=Q99#or8r2Nojhy$KVvmbo5s6S!_C{07W?#)G zg{IG7h?qe0(#UQ<<-J%Le@o>fk{%5ZCxZZcU+^9S_s0R4kmy2ggDw@y>Hfq43-elhLnVYdaH35 z`GR>L4Bii-JLMt_zMp2pNRA}k(I4c9`XE{CkuZiF%d7sUfFj69q}P2(QeU9#vt%G+ zJIsJnoh;@@DniX7@%~uI#1Mh?rVr^=Qw-~7fJbBA)WT2|?5k2Qf&7-&2;}q6-a%*j8O_3 zUxZQRl#^(bRv@Clyi+3SMu6E5{11}8}MkEx@E)kMMWdobz?*ts!P zsmT|OfcKFa_6Gry`ekJ;-I8AtRk#mz;Z*UFI;kYE1dk;HhfNtrp%f=r=-5N(As75S zMiDUT>@|8G1R%sCsq6@?l}M>XRRVZG6S3Y22vViQo*F0K7)B8a($OUPS7CF(3A)Zz zHa%|EDFIAksD_vpC(#5^E=7YF(vfPLPD!uVV{JXT;EbXPCJ9q|3Kokul9S&TB&ybe z0rak}A@x~7WDG=iqwBOTMIo6W-VL;hp4qv@PA+!tD{V;xXav0}FrNX6MmR#? zZ$e595#$L)tVF2Nls~rveb}%gNt+3D8GtufWvBx`5myXbQ2^EWx=*VxgR|WA*1@02z~!mUTc` zO@&2}2RF{6xqFuRL_d83MxJEM%?fCiC||SgNXyeaXGqR={|eOAzTc|) ze*oKEnsb$E-*x8Qy{rFPRHD+K_v{KyH^DQd`Of30f@gV)MQw0i-E{7L@ITLWYr0E z(8h#uW;@HD38S+260kVH{4Hi2G+S0smjgr%N#GDu##Q+=U`RR;(AU`EKy=F z9t8lv#J3hfSc5z#flKuP5Ung%2Ovtq0irn&QWBRyr2FD^#GNcgiiKoRtcIn_u@ zkQ-^igN5XuD4&;mWpw8E=hjYE&tpIJ`oE52dARyNPyg?9+TEi5zrEL4>HkmhXyH!1Uwy~`muu%~3_m6)jUUiZ9J#mQm>98MRTO}lZ$cke zg_x_{NKLS=f&rNBgvFw=npbGr1kGv!nxJWXtE#z8upUTNCl@r87T?H+8RQg`&pm=y z&qJPB@?Tk_kM95JcDJ@y@!y~6sgdRCjM-<8{*t?hb#9WGLOmzaXA5p+-qx%f2AQXh zksO~XROz2NOI2+yR@W(XhkZKB#Wov>KEAJ@6o*UBPLmdOPghY>#7e>! z8_RE|r!Tbx%`SEiTpph3cj^F?G9gpQb2u0gzhGmUH#3PTR?9WiM9j~g&c*oqifOIX zq~;7dxbinNSJvkfJTumR4mlbo0ei3!I4AzQ+ukXj|JvKx*h7foEFd{5RDw#6`OI~{!p~-(TD`lSxUhX_yyz6k1IkQ=j;C@}1!zL2Q^?V1s*2>_^{V(%s8*@orQKkpkLH3k+Qf5TMRMPEvR03s zGveom&x|2d0+(}u7eccd-epr_$t-v$)Qa9fH9x@~y`OTU`IL!@75F5kp z&Mr&Bh1z#e9Mku1q#41L=(1H@MS~tHe?bPW@S#>i->*Dgkc%oe0$rwLq!fp zQgtg}KTCq(j0D)5R%)Pi(Bib3y&ajs_DC4Q;&zh**tqb*@d_{gDD1t2S3ah|iK~bc z+^pJO6SJFKN5DC+(PneQ-K9x%z}_=NYdBggKV)wxNn*jx#i=UJu^hoE1wGKVJ}BnD zlSfpFoK!=rFrFmCMDa7T3pt;-(oFVd3}rhqH#dYU8NJ|$&Bo^+X(X$AIEIwF2XU-* zpnHtn#YQTMCVAefFme-~uR`UGyS1_t-n{N#938$tKfe5D|KQcTfPB z#B%0BExw5O$k-csm(oSfDRf6&t`;904uvu^wRCI!X1RDc2@owR#@5SwVN)}tVo@ti z49^_0&QGL=$Y9J-$clp9$qD6(xdwDNQB{eV)9i^`Fmr;MM${BqWHLR>JerY!qRIlW zz|_bM6vlk|3X92=+RFh$RgT{r0-fmMFn~B*08Lt#D=x@-`5y4ZtJ<)6hH zr+ooQ>QXib%3zljc96!XI{?O5I(w{~?M>x}D6I(&h>6eAKZ@Do9pfTZFD8f%tg0i# z)87GR*&o-Cd*fA1*T3OYE&m5N@^Lg;(lRhN{&%;S|7*9?UhV%r$+LX<|GgSJt7Txp zWq<@oyJO8VFoV?%0IZevE{tV~OnJh34F}|+{PZ5#Y+y6?)8?Ke`!~v_`1L(y`L8pi zEHC}@Jo&%1)!iw||DE0LO8!5^BlEMWE}xVBSrw|ySF2-RXQn@{DznVo&kFvWWVE`m z^D{rIf-@68>juru`&?IU*=e8e!hi*nKC9Bp%lTX&u}Iaz8J|`8$4mHJM`w09E?_9) zI6{Fu5j;CNbv(Y%g?|ub6`{=quiSMa;v=W+E?RtypdTQ{+)tlUMyQlnP2k?%_PV=U zd*5!}33=ypBJVC2d9$Wd=-uolz1ZK1K=4U4N-gQOoP08U~7TnrE=b2nKv?<6>iS?f8g8EJpD47)6fp z#~|NgjX~LK%;rSusLu*sqd~6LO-xuq3z<*!yy?l5%A1(q$Vp81n(!nT}^;bwn@Z@NrXh;#uab1>y z!7CKNsTeOpl7cm`4MH3x95Jit5Z@qQ7wmL(!ERbm@1FRW=<4WKOgg@&jOojc_8-jN?k{OK@mqZrZ^MMRRV{ifI$Dq2%YCrHfmz^ zFfoO(SgkOhrsFULq6u2`VnfDZ&0U5xcC`Zr)28moF`!Wga zL`=i2HY*epqMjvGUeho}nr5YD0L%d7T=a&@X`SXGjT0IZhKjJvDe1nQ=*@oa$Px7z ztVM9pN()8u+}`%SZGXF!14~gz zIO<N1vs*4LE zkY746Am4%m1po*p>vg$5l4nIKg0Izgxvg|q$wwG*+|L4RJEch{GpOfRitO<*4CH0? zB;h^KDb|%q$!2sQj^v3I)Mr;X?oSZK!)b*A2>>2NgrdH@iK4Q=#{|)7KZX>R<3|CA zh?LXjww~^6b0CBYAnV zV+Ipz9iX3yiHe>_XJVx%-9D_Fn>Tk+JgVnQCP0ZW>ASXpK(263*-;g>{Uq#{T+fQ7 zE5B@*1DKX;A%tGetC3KOB7QLql{xhzn)X1LT8@sIHE z;P~)(CtJ0O6a#f>LR3_#3yzX>cw|Rx?eY%r5%VaH)t%Vq2>R-NEO|4Jif+$=SDpR- z;^@2{${~#88Al+_ooNvi_v)T_H+h?7jI7&f+G5N zq)#N(LpwgXJbH6}aCv-sGN;ut%^wT`ebot!e0lpx73{ai7ngm}$@3VguB{{T8ZkL! z>L6-r1D!|@fQ4EHD7-e7o*;Gr8B(5^s*!Yb@Tz}#baHTV*%zZ~4*U^{ki1hw z-bp2mMS>%)??mzlm6t!&A``>*&C$ux`N8GsoQa@2Q?W?3rV6AcU9o8nNOQSJ&hc4C z>*49i>*F{5v-8t;i!f&W6=toYXrt&?tpoq+_~PLEw?_-ZPZ@vl_OuqLX04nmivZR0 znU4{sfLur5;OtlnFY!&fK44IV>EQ72=;EUPlHhzAG4G;K87hIXMk{ z(WV^yd;tyvlK4N%$nx3-9Q=IIKYV-o{?*S1mxn*x1v48{y7e@B}a!zBkKnSphB6%&_kkre|x5tM^Cl^A>zn-&b zWIR&K8lrVpR!J@#UH)+Ne&Mld>`3YCo;OV2oxYksNb~T;{8g-fZqMF&99nc9o*%tB zI=MVPc$*d#i_s;?vWpZBtR9>l+skJUG(VmGd~$Sty9qx1cyjvl+oM-vxjs6%I6cqV zod*{eLdlq2VY9GIY!+nvW`&rmK++d0+v&;Me+q0r9UuLCl&7VLw+EV~wa_jv2^O%9 zUL9XbGD}PIW`$JW%*nOQylmL4p46N6q}Z$)(wpUBxLIDxH*0&^ZkTG1#ih-Hdbycb z5jRV^-KM3XZC2@5o0ejYG{@!qn)Y5lhRH*`L zzSUw71L6F{k}kD4q!o1<1=D&g>8ySLx*sEQ9Ux!W8z^Fxolz7H4{2PCZHr{KWG+b7 z`DkScwPR^4bTMqLP3`n_zdh8)_zF_oD|jVtaF~QnOh}+3By8WW^dkK354>JX7#~r@ zJ_gF6pdBFQb%i^o&atqwz120|eH&Hkbu%!nkD0IT*{8G9i_16XM;HC`SKnuz&PE1h z9v@_*o_&%GbS3Ako8sMs2Dg=Dsby9=F7HN}E`5cjl4(8Alx`9ul!iD!7xKQv{3dOB zb8=PgdKA)+JX3q9ss=ovC6LT)Q1rX+OoI*3-FYbxlkGwQs?0qU7Ia(6}z&X`)e zd%r{PirE|WYXIG-kr5?9z|=jmLb;}h#U!$KA$1NaC#EDulusQwrc@x-$>~Y|CfvFVZ&h@U=Q;pU^~{JDzOFlV}k8ask)#iP9$-H#ym$OWf87fa+SN zgk5W3_Lcf6Yt#jL_Wbcl>JpVVWL=VX!c6ReW^3}I_2Na-Kr2S9q)``z?Z|WoGK(1~ zMzfT&i_D7Yv7%6fP14FpXeq#b15bl1M6?wHedc4dFjxY~6CGetTx^vpH9|K%&~#rk z?Vt}Uf~Z)F#mHm#V}x0ba4xK-u)TW+aE-<)ugK?oYU96`cm2l#=f6w$f9&k8@_#(Z zvxNIUo+|oVYlzDZ0@q;g5er^XbD<32+}yHQ6A8)F3m0?OOO$Sts0g66c1^8|BNnYw zbpb^#Bjuc1Aga&gm3sGckNMS;J@xW`Y1co@yZ@oRvsb+TZ*O(~-xEE{y#L|;3&H(v zfB141gr~UqVLqo8z4)P~pX&H~*9#yX@2-b>tzq_65B5NL+8ZB27%zV5L*>cKJKgzE zXz1fy{qXdcFz9C8?JkBw<^25#wf8Di-OS13U}D1JA|KHvSO@A#PWiey2UYIs%*C<@ z&&rOk6BA_CcE$Y;hLG8*@pGk?ml;0?_MVCHD?QF>*oZG3tA%RDyAD_~@C5ZT!oedE zOG3GO0R~ffY{YEPlo*-uxDtJ?0{DAF$=> z<6b^c!1RURJuuUn1aq$*(AA&l=7Cv$$igY@0+clS|LkHELH{%gs!p)n`EGz2+hKD? z%@f=VVDdOU(Zv8pA%En10gRUMm0b%^qs?c}tepC@2edhPTvuv=ak%uP`WnTf<>+(7>?!tt+MQzlpWWT=YX9d+ zo(f|*Gui7h0T(xlObXe>-Gnu6fhFetEwp6$S%3=&mX!~99-h?lzL4gWL{@w^!#&vr z<;&Q=D1o$kp7g1e{~?JmC-e#Ae|Nid|Htm`?%qoNKgIJYySR4UJ%lloLAe+)_u%YU z3w-AO02yfN5rLzT>k*0wb3GEaCY|O+c5YY?o_Biim?OiWuz=Ko$}cM#O2x8Lxvo4` z7WrbE9=4Jg9XXc}EYpggnfIXgvX%l<)!?^c1Je4IGbU}3^)csDh*R%F#ePji?Jo(}xQ(a36{_40oE1l90o?+?tQ zRK@n4SJ7Mg^iZnHxb8@M`bT)hf&p41$kZQ zb4%r?d&=v7f|r^5|1S&Je_K06`)_A=uf1CTpW>0}uM<2c_kV(G^ZqAzcFzCe_hsh$ zPw<>n_X%Dg&wqkv=J-$W{QUk^WtN@Wf04#6nA1PO%gg6)k!4e|a322zKVA<1JZ+zQ zs(q19rTkxF?(e@WVE^ru?Z0k&CI6q~SxWwITY@fPe`WHgWPurEIuOMbL$L?`P(euQ zijYs)ITn@tP#`wvp_~N&J=@xlj(gjwpWxzV_1_Eo75#vWKx+bNDGL@d-z&U#qT-N55%MHAp6eR((ELCc z&+>5f_S;+SxlKJsFmR5~z%!la5&AxzTj`YI5sqNsye9M-QXl!^7kH+MLf`M-^oQn? z_%#<|2I!0uPQWvjRkEs{?9Vj4S;!w~`i?6lip zr`-iR?Jcm=-Ugtx)4p-XJPay^^ULgOVK`GlH~^rPFxryIOZ61V1G=@gBIyX}T%($M zns5fT!B+RGYBJpmCopNs^?!=`^k=>xr&E>s6+BBQmjARsE2~#*%Gac7RIdL%iUTqY z(Q>x`=B@ub759H`cUJpPK&bj` z`1_9-MPAb1>m$gkFIcGy9KUneQx*Qw$y46!GM#Ut z>dj`;GyUNp#>eb}%hb@lmjHbP>#4vpb+Inc1n!2;|5Spbb1<@F^`{J!mR_zppsc3C zB1nX$bvcda12+XLfm$c41)%wI+O8$EAUmk1s00;Bm*!l)ydhRb?^KmHO{}RSKd1GS zu?P8>)l{(x6eECh=Y382tblI5awO>fvb+fOgKqYrdx157f~=U5%&t!zmEbbNK#AHQb?8x7$dXd7Y{zP?!B9KPXlw(>{tc-PD!5HLL(BItI zSkW?EEF%dizAaf_Gi&EKkS0?rpBAwI$qTw|55Tj82BI@q9AN$yGY*<9OJQ>4mEMx9 zA*PJ0@>%>^?$%40mrjm2Jj_iMwK=Vaq5UBpbLvD)r6%uWp?0}xUSWL+v~@zPP~1%I z65Oi7m2?3xfZi2~{GuLNpv0E_C8JGCvx?id%xK67(25hhGK#VE7Jw)T2kO3@yfiI= z$RCZWAns%_QY<8kVl9TbRY#JTvCEB6;K4k(CW_|eSs97>efRahQvX|G?zg`zu>arb z7XAM_ySv*f{qHHBCFFlwqTj#T@-)M7Sx0QtGFYCR29Lh0_4rI-N&lR6^gUOnaK5G* zi@AXG_)NFPdQl@1s;btiI`x9x2|0C&Ir}zf9GORXJyp(*Fs>t zhkaV3KhK7*!-y4ts^eCv?9QdzEBQ4``S)twm{smeJ0D*Pw4P-V@e8Ysc~eJ1u|}?C za}xK>-mTJ8Q>86zR%6#W3!5wd&e!#r_1_(%AXK-kE*;05^}oHdwNqICx7xeAtM&gW zo;7f$u1RNr6MfAtxE`Yj3=$m3`_E$NUBMAzZetBxjxhtqR|41=1%bTMTkW{xXtXI$ z$#6VD(k!vw!^m%}fe4LM+|IhXAs+c^x&P~iD=*6cBtquqb`T>90vsW?;l8@)UvNTE zV+|atAm^VBFMy9JYq%rKTk>B;e#0I7i?-yy=EZo_691S#*(7RZfQ0Fj#4=qqYrJsT zb=-L24&YVeh08TuwR~+zIoD zk6K@YEHv}~{OI7-yCXOB9|6a__@BL<;{5M+yDR8bez`a}czvYW z!FsKhPdsL|q?JTIqKv~x$Tx>UI7E)T$ZSL1XXZ880>Au#f-oyD)@zrIH;i}&=7xVs z`x!+PeM~UJ9I-~j0U1iraXWke(Qtr(2e#a<+ZKPF{iH4}5T+oaM#cjiN#v4a!Bo(K zqalTi)5PNmMGXfW*cTUiB#a@)g8-!`Tt$z{>)9I)_(e3+k-3E(-Qii2MwpM2fjkPF z-G<CB#Ol641{wUBMLd8ruP^OQ97cgBms~j zfHTOc2>9^f!vL~zL$nJ}6cYe_--Ol!!<95GpW+TCHXp3IDoLz*p|Pc~(nM?;^@k51 z^36Iqy}WbNAQP&Kbvq$u1~Kv*jYE~q1ga#3Os@EwKvuX$;2H;kyaW?q4n7ExJSWDA4f_3DMT#zv58Zqv4i}fxr7iMcy4YAKQ!htgc z#X)68J@^SxJe*2K9;n;48>eDj74WhcL_KXW$1uSELcY4ZS34^gOOTf12Pibq()D6z6K1YGq4I7=jh`RfK9xXRdK()-&S}IB46qR zVw}mAd(^yIW_!1P8|$N)nq0>6lI^{T`OaW0hz4k<@|OH4vXP=|bL%&akl96m;l zm>Np3AL^@4E%}xR@&5{PsC-zgahP6*DtTlr5?Lv5J;vTRZK;xC>U0g@q#=fgTzo~Z z4M`A?Yk~0>K1NKf0aR%?tiFx*733|^0!PhmYlTy7dLQA+1sOwJYo*3xy-!=MZd5)RIOI(#l?Ch@S$ zBP?xCDFvlwC!i^8QnM7ctlUkNO|S^BhLbj@Vp{0R@x;5!bo>sycyU5FdhwzMUI_?> zv5ElM*@ioo=#eHk@}(e_iy{hyPFrPnog|Jzn~cV}h)J;hUN z|CJ4y)&_9En@pdOC#^h~Fa(D30=vK38mqb?yJ2Z!VuT8L8zC*ADU6u38jI4+vM~ve z_pKXSlUs(MPCb&q0Kh=fDDl4|6oKPtNE(fwg#7~q@L%32ISnq9oL*d@W6KKMkZXt3 zXhK5s;?w;ayglW|%ztgOP~>CQQepN>+WlQ1|HoeO{;!?x&T9TY$x}FfT_SriU+jVAt)syN%RKBd-?CqMpN0UXh<2^5~`dwHj^i0P_fjSlZY6cLM+p zN0Jr?=yy&EYho~W+#C0%k-M7sTnydy%Xi986)BgKQdBkp^e19<^}!XIDh*uSGwgz6 zF3OW3M-iZCh$uzAAcBa66RIUN^>&ye=nM<({0dE()E>2pF3RC(#5TbgvN2+t@&G#9 z6h;`6+tof`L`W6+#%+v=*8+5~4dDnuFvFRr{QybV5O*as1eu|0BS&MP#U72}} z!;$*s$k$G{+rH^;ZM$(aYFwe|HKD%jK?PgJkV{@Qob=++MhJ0sCdvUQggEF~M#_I# zM5JK@-|NoJ$|Ij*@4tM+1h^1Vjw5$S(+ar{4fRe@mFDzyW--o;9G`esh&rljHhOm5 zeRuEc6xd6CX2}15cvnloF;D;7+A7Qct=0bDlRV27-j;;!Y`N`*k4K2{o<4orL;G8B zxZN3Sef#Zpx4XAL+~3;&cDK8=yVu#<>Z0B5_OQF}?G8K8--TY+|8{E+bvtcuXSlVq z4Lkdd^a_|BXm;D(uG8Lfy1SR1o!-uVPhjk9?S9+oY;FCoRVczDPv!i#TvW@zF?0TR z+nr81|JzPymH+2Sp0zdbUrc9Wc@vNU46K{Sg*l~PzLE>6I$>KVaVC8vn;;_6J0cy! zSUV?($%ZBj#$x479f&0CGFuL9>JxGaRfeLlFh%{5B1NerYir;zp;VZJZ~}24W0FTR ziS4O3+8H?AEFCmg8k&{3zp=I^ZOZ?WKs0za2c?ohRDZ0gYop9pHx>0|Nh-QuYN8Q< zl)?&#HoXSgh5b&Lt7qwz6hIx}TW1?(P;&OC*SZ^EQnCIUmsx$%8=}Cv=~@Opz=V&} zY99pPhJq;6_#C&SBOZXYHE`sPT=lCed->X$y1-&;D*lM3>hlQ`22p@s%0if75T6!-UIbCVpz7&!E&4yMc2UHC(jgfK zWQu%12EQYZOD@{A6Og8l=C+0 z9WIrT2^fy%%J)nuS8iljVC7j7m30Lih`A2PP`xzG6=W(FWR7d?q84~80CFY>*hlgd zAMi08MTBwe$p{Ct{g%1iMg6SMJK`ff4K;E3Z|UK{8u06)vtmjHh*^6xOx4jr9I5-> z6wpJ{N706v;2KSKLt8CD2H2tgpOb8;7k1IgZP(Z|3=;s%0)*mOI3XP|a3KD<4>nQT zpu&+l;+~gBIl+5eUU_9{ZCd9GOTj3O6*Zt&3r9YTS}a!oR8qV5z-3Km!1*CRb++Ue%_Xn zeA`u{^dd%{+(s@YLQ$VzsgwS4v_3xwuHlqD2Y6_)7&Gu(9s=UeH`O^R9X{~`8(R6zET4F+l`uq|QG$Kck{DQPEvCp3%)`;hQSZ!Th^?e8HZFzgRB!bM zQ<+mpZIvs1NXW>d8ld$G(}Q8cxR5U)j1mb$-D=~TshOUjbQfzFhwO^AQWe#SiSMKn zz9m|s8t23mPasE*>FAb%kKB=#t?_-7p17p%SYkdKX}Yw0W8`PObkT`}O{2_4xvl2k z(c89`gH_O^Aoa$WBjr=g5n_LF!9fs^Yvk*IogVlggZ5xRBJ=?e3O?vWU;@Plfy1ue z1J+l8JcsBY;bRnW{khQA+z?o_!A$QQ@iEeA8q?cH9TGY6%&9{Y$qS(|=NDM1Ll>6S zRN00(VoR%|P7YK6Cgu;0P%sA?AQ3P{g=`=Oym?s%KZRFmAe3be1QbR-2|=eVqavUu z!;XS@45K7O6nol%Zm#@eC|xXbN_&}Y`jR{~Ex@Io)Iv7E2$-+Nrjn{te)Lo1i^jr0 z2_$fGdU@0XKaWuaFn`VjC7V)K#1u_r1bD&b$;OY2Ig@ebe%ent@)l{rnTGo#nga71 zT%oB9jup!urx;E2J;=od+D*`ufFueKGgRks6==7ZUQ1JT6B33@nb$H~rp!TQGglb0 zDv>6R7)Q_-J)|OBML$IoOi3i;WG9efF=!1bMc6rsX4?^mISKZQ8c@F((=IRH6f^%H zdvD(sH;ycdpTGGOT8G`h+_-tk+n(NK&+P#+;Ta(OfXv+U%*-LiR?|MXEsrHbdJ?|- z@6oFzS$^wom?TTzb9aI)Rh3F5sZ^>e1yRKI0&%Nd=03L90e(7;(FQ?T9LgP_Jc1ag zhv2hMiIP7#&=Ax$8~9Ny7xWMT0diG zv;q($ISitiTq@`ehl3kv9_iE@lQL~!?F>@P;gg8n+lK`vXlk)`jB;~|r6_`!A5tu2 z)pNMfkY9T>?My2xypFk^^0I;1Znv38fs4~x)dgwG zk`?HQPYgCn9Rw;!@)Q-KX_i0&lUaG(YJf{$dyw zc}!+cIAFThp|Q_3vN-f5%}Vt!`zp^mZw}v|z1{m>|7&!3=pH+MmQ%(InFmm5Tj~tC zR$w?T5+1q4R}>+aT+dv$&v;66GEuT4T?0P$y)!a)#H+!S<#7Ka40oqg3Zf_$&aC>t z=S2##JVwkblKG=hR1S$%yJQKo4lT10yh(y9L-v9S0W9tcj9JB+d17m`C1|P4`oQ!3 zY4C9hrzoHK{ImsbP!fGMdVRREv%VJ=4RiM!{cYb;H=G{A4B;Lax0`D@&&2Grn9Xhgm1dhdG>{y9~ zaI(2Adr5m&J8oK+EMj(#>eem2me8^)B#H7R(o>@_l}me>UlMcUHRX$#sw{kkAnpfJ zv#S`GO?Z5{;&x;3>iO&cloiS;@9ew$C}ZsQ z%&Vik@aGp={A`3$)$uAYc5zyZ_Rv_i1zvM4?}PZz%J$uW`P7_>0<|?k``|vc(|rr% zt{EI2&Q5n>(R_JlRV0R3{F?Pc(-s0>9_a0W>o@TXO- z0ntpE87hG57CF&y2(~six9kxrk7{4?Fe!-h43>Tf>@sAv$nqi`;rE#F$~|;VsDNr- zIqP;DNCiM2N|W~MIE}!23;~SE1m@cNK>+38j06OZi-eNDCYI6lZsQ!HG=v$!8@DLG zPEZiBB9fydfjNtCV308+8?t*MjbVw?d5Q`rFe(z5GfT!OVL9~(1ggB&U_s|#9~ljz zX`IHisV|&=G_jo)35l}=`U)>r{V+(ZvxD#;^fQtN1YXT}CN>w<8lwOfwOLX(0Tf@y zSq)6e>o~o7&%@o9J!(%lHeV1GmnIpL3@)5co&Z^J&WY#iN|0*#4o-D~srl6uQn57d(4e%MbTp<@-NR~tbT`7kAU46#oTTUj9qSzJ5zZ(}lH|MUeeC9WEkwPtS=38%q* zWg5m`k=2S$eYN#HS0U0YBfCF(;9*@BXc^M??d=U5IE`Jm>CfpNc66Dc` zp2IGdcRJwkCT5qP8v(}gRmymhq6lt0iBr07(7z=;evn3fkdj!H=u%jn1XlM13+{t8Na~(Em$T01i%My8~VW? zTh*d%y$h1ZHJ8zH5M@Uiw;aIbOSu?#7gob_p(>^=6H9m+eW+V*KRh$ORVLsEmKs#m zsSex+<=Y^=nQnE*EOpslJ`?8L3yn9-N+D?8$9pqXGtIE+%@Z$EzUmWPdo|5TtNudS zx%Tge7=OAA6E@Z*6^eM{l{B~15|p6?UCqw290t)YN~u~Orvw9D0`#JW4$a@6^29;; zLjT8?MERJ}K-CRNgD{wt@kq5D(0z1+k7w8LmRnoJRljV<9OP2zgUdcqfqkFifW&yr zybgw74;>?NCeC*yd+SiwFgr@IaB<%|J_F*P4NUF3jXBN+QHt5(Aih=Dr$`zCk%8?^ zoMSqM+Ls#ds1$Sa5bI4hXRQb86emZ?fVlXtcz>i3l4e}p|Ko*cSLE8aFKn284p9bE z&Lx4WW^qX3F$`y60^cHZ-O-@BhS!;&OF__-o`_AixJx)jIXfovBz(g5U*5p!2~nvKB*uh!6_y@H;^D-`j$|lWEB&f;RE-Wa##^ZUX%Y>)a@awhculs3MjS^l zWS&Y%|lT? z5^V!fx;H+>lc&$XQ$M8t3&RNl-UKEI0=FnnBJb&MlHV4Iit8tu8?okZ+gA%x-pIrk z6TP%ylo)ExI9iQLY=lN$(^a}~(5wVNgWV*Er&!m#f&H%sAv zJ`uV6=|ti{l}64UzlISANZlY9cY4}+;eEx2Hj2k%$O8JSF?Yr|@i)|1Cdv-%R6)n~WO2rR2EqwKD)YI#b=UHf8_cbS`?qj7U_KK^YhzhJ~)Lz^m85)_%01QtQl;!I>t2q1KQJc2>$*<+@UYJby{=d<}M9^Wv>>w zLyc}#%*bthkcVguU7`{JFiVO9m)sP&aw5;arG138JJcTM6xu?NWkWEX`9YQ$95PSP zEhI-}x?JJwaq`oy$nC}xRcoNj%H4pgh!(n`up7{zbc&{U_#Bd9s51Igg`*1X`w|st zWG*fu88~j(4vo!UOe*Nn8zx2+lZdeScTNdpn<<9e9JdQ(G+`Pqh*#Z#WLfiQx%iXW=38g=XbIb>B0$8^Q5K;+u~yffVS{QovLwqMk-)@a=- zrv22A2F^FDCRJ-Q%%^e6>im!gAv`hsmJd<_uNZ8iQm1Pzz!hyG+-;T4!ZW1Wx7sTJ zG~yb9=bH^-tRfWwZVqG>waiFXQ8*C)-DSs=WA-F6J;b=ts7yhnCuP}s2%bAJ^a_?$ zsO}?NR#LQJysV4HZ!%)G9KnYRnUy#nAZAvgT29ccl#0>|t3GU2VqQwztbzDTiJUch zxSY^g*R*?(;8|B+mKHth=v90Ctc#-M1<m?OfliD=S@k@kVbM6EfvF93WUmTIeUd--Tt@y@ z_sY4WkKM!eZykRu**bRsvTMz0g1w{|WGC$TgOHuz7KuW30$el<*$MQ1;*gu;<+hyh za-ww65YO#xXQvm4MD8G?_Y;ilhQ2^FvK!z+;mB@~3&$h7!G7xj$>o`Gfr#V|;(A{} z$u;m7iAt^kxmZ|o4ba8ol4}5e`+>{^oZ zj85PQCE+MeV>-$MaKK)$1rY+bL2C3yYgVMZ$NYI<_2Q_2pHM-327>5+3rzUq?R0;E zbg2mP*)veS=gGs4iaeQt%RFElV$O+AOMXA)W^XGh{0RUc%!(n{ez`eSCESui3tt_@ z;%sF^k9TeOl|-2E%>x>HX4O!=K^HzKf@#dYd-EYLX zI)C<$;5Nj&&)DBn47cn`YY?|0yi*u=4cNyxZr7bcV<5M+9xf2dt*w?vK^j~^x=RX2 z3s)I)rlMs4hXH$18)YK+2B0zc>tByX2get??~cz$2gm!T7ssQc{lETop77%iLrWLD zsiKfyNN5A>pue{NwXy65tH11Mc5N&>g|pAG>?}K=T_d@3MEm`bJx5HtTJ;|ysD18z z;@-pB^>OSO*RF1Czsk_<=D>DCyyuK;|GN3p9@_rp#Hdl7`WqufjK7YTFM`}7#--W2GrJOMjJx{KQL=&KJE>#lXEd$9Y%_v_CO zcQ0>l+vD9Oe;y>@-SFvJdc?cFG<1!5cTjXMLGM-DU$3xtb%I+g?%lY&2x{F1lJ9~4#;pom@eBtrvE}9n$NUwF?=^fCmG_u-= z?h5RFG2J$T+Mw=gALa||wh{J->(;_^7C&PBd6C^V2RejySD62e26sDH^T5&FHU%}| z-IW39AK-0cYKri#p!?!uyqkJgALQNA&&M$DR(V|@&f8{w^RDl(xZYQ&clEBfQ?NIq zaa0f_-80M=@1@zktWdZ4YE`Np`rNLiRgpb(AKl7ewq`ujI6al!K8n+LT1?9UlI&r| z>9Ub=fGgWe&+Zn4!N(F|@UcI_vi%Tjb-_r2{0frYllN4`4Pi>?Nd=7oEg^_G*3uct zkA5{+6^w=@sEYH5xr|z9MPWb8N5c8E@rmp+`Otr3ZUOb2zcIOFsS*0=hHj&!vqjj8 z4~|aWot}@5&xhP|nH|h!96lXb5tGTid(CBlc|LP6Tq`J@I1F^9YLfBe*d-F1F^>bK zuobOrA6JG+dvZK^0=|z4Jw4WRm7Vp$4OQ61Og4AENpU%dP5Fm6`!jt}uH-GbmZD2^a~k8llkdYw>hi5I(@c6$U{L zOK*1=tvA8Xlnt*D4Xsuxo{i9Wm@{q%hk3;&coDoTuH*vDoARQmyy{w!R!ZSV&WC3R zgh<3lluKR@fm=SrM86t>SA*@rD?fslagh33n|{9acXhBi6L$N+Hh{_sd)y|$^wy`` zCi)b_V{Ncv44x(dftWmf24I4ff92DI@i8Lo9y%pYyJ~rwg_B#wn8xl?22+*YVJXv$ zwmL?M&~ZxOnGjDyFiV30Ep_>hDM{z+@fjrG zNM_$5Al2MiRfQp#&Q!uP2c+K%lo!)-uKj=PZwZEf9fEClW4gmJ*fQ*HBy68!7FEV> z@R9`G$_u+ING@dK3r^KVoQ~1jI;)QXD#$>0++cw*F$Ub)$^vo{CK%#!M2{uI!oWyZ zGBxm#%qaqIU_Jv|n?__{00<%h^C#TimZ5E!Mau9H7p{rMm>(0L@fe*l`o+XgDYrQ? z1l!x2Zsy6mO>s0lg&|@zj?|r}I5Xz*OPqp`x!vAQV9qz@B)~*znK5QzN>V?85eUE) zLQ$!P>U-=hN}m#W!y1Qd-cc4%T$F3E9EvhJDa+vvi#!U_8A#!+0zA%TU?1gJk&-yk z$(xFN7#g9>-bN{u*%2wqt0KsQlt2+67ZX~O!a*q$rc0>WUCvZbxQ7nyc|eJxix8y* zmi=bu{uD7wTvfitFd#(^%XEza@FH}Zj>ZJ$M{$zGLS{TJ1|WeL1C#^!dl4j*uIv-+G!Q)$0ZFEOn98`$@D^1Ac)_OEnM|O0`r2 zbKzV|HE_T6WJ{{s3uRmCBDD9FZmABzBKel;U@n$$sSfJm8JFrHfBPwyO3mwmb1qqk zA2jKbh5Ny>F8!&`YL#c=`CN;!u|~DH7K63@k5qc;`8G(_J6~5jiF|ZKU8*ChlgAI_ ziRvETKCY-+o0~_rGpf5s_v?-7?#UPKj_M?Ox&Ek1m3hcya@zhqcQ!fQlfsov&VggT zbaHiws_Epc5EIx7FHoKXT-a5}fmcRf*k^3|t^dF^Lg8A^#{{dSdP8I#F z14tE)E@MLwAi*^RaZ1Uxiuj>=l_jmC7ic=NzP9TgI4qB<%=(m$%Bf~qO3qk`{?59?^`UVU6gOGh8$ zI@(2cfxr%%`^^Vv2MzZY*^%-MckU51i8Z+=?(fK6)sd8*? zP^_X*EQJOejZd~Uk1fg~W9YG7u{>usxyd_GFqcf_e6Yvd0EO=x;LEy5Lq-Q9L}?0j z$F!d(Y};mrFNWzEKxs1L*`3r{9HKmjAu-{x{dYoj1VNBAN(pby((B&}-N#Jfhs^r} zr2|d_J%c?nD>4KWW=3?vxqD)e&Prp*lP6%ULTm&vky1%%SucJ1be5^(U+oyu&E_Dz z%4y$5Q6vs6u_(z4;U`3K8-wa}3le}dw;)%}lFUp;!b)kkE7hVi%{rweHsRT#3@erK zmDk8o0*4fEN}vq;=mC5GBUK}?k&4Jfz_RC2EUwQ$q|inA5FDiL8fD5m$4836AYPvQ zB$MsKsbgUG?Qw;34eS2Aqe{@@n06Y|{Vqc)Cgt(jQOPH8XxV#}AG=h&*@A-D?xJE7 za2G5mDAEy~pr~S8?tzSDz^T$NcIq0W?CX;!6t^^TExZr%qsRu&NhYj`qKxi-nT^Wa z0V|&eB9iRq31r4ES;;Sh z(0XY2G6*H-c+gSIV+9xwIVNS+#uHQ|k#-tx?;wNES2=OXP*TqvZ)Hl_a;0P6v^6fs zV)n{|z0P@F`L|&}H_eFFCtFxdZm-8akkJ>udqf5U0N0-)uA6+)hn-dh3)CuC|Sg$CS zX`GJKqJ9*oAXV`s?7+h8eJuPC6JZ@JHvxXLLfI@6W=o_xSUX&Vp$$I1*LIVm;G+|< z2x8GUo(7x-Og879JOSs2XVvA4C|ys`L=tT8Mzo>OFglzdDS)6LlU;V6!{F37FJdu! zCom;c44^h0WD|$<3!vx+wfYF!Xkob|g)k@an8C&RJX6i;2$nGfB80$RIaP=O4=NTz z!dD6I9mJUHz-|JrEPoWY-b~=%+dnzo-yNOr?+rvKfk9rJVgiFmojI!zY7xDO6UchD zTebmXQK-X{6>A~=2xm@UKf;+4pjN*Y=I*EjIcg=btnCCCO_(_cE0FXbdUVL%TYe>n z!CIUGlt+AT!9~U{PWIk1^L_-vIGez{ya2QTSCcjzL6XNIw(Ut%UTjV{QK%*z^P^*# z5qOH!EJsti+!dHvwQ~^wDJzy#u)C9rvmFaaZQ8_e|gBI#&~ z*V^J6Yq^>rtffsBNllq0SzGvbk2lUn$K2o{W9C-Gm1>E22)qP^K|(=#?&b9($%9dT zC9evD{How@V^(fCqAe;kADaXLtyvbY!1RXY69( zM>sR=O{|rDNn%jCoKRA2rrvuH=~v^OR!*LIoYT}E+}Sy;6<>pIS|@Dx>zihX<rhWQ+0YtYQ$7i$sL^`$;V zz@PV0pGLC&I^QoG&~MF8_T3--9iHstDvCOqPz*TC1NNL2T~<6t1%5^4{pZ&9me(|2 zdizUCHrBgKR$%vYm$VVE^I;3|j-OYTyMx151=%<1@a1651N(c~6g2r@RYv8D z_rYrFUA+rdOFti7uv(>P0S_#j`K=yUC#CsF+yHYOrs3N<>iFvqoB8C)fcst_P#4_ z4UDf!w^+mLJbMD&w3v&sQ1(Qmqay!Z*=x`#sIi8u@_E{G-7W#*R0J7ncQle%%M01? zF)kmDZJXAT0=8h>1PLQR{Sgp>UunDQ`h;)j23px{2%c}^ZfH3al`m`pWlXcUz$kmq zYqFGYX=LIxfOPM24w)*J#OW1QM%hzd$j__%=$vHWpEJ5dvqqFm_8GWV!nrW7z`UnoaOo2!Zxt!=NlQJ%^KVn;xw zehEhRc8r>)wx}7!n5ER?(F*0HHdajwxfX9H;v-eF(;|_{1x29myldzazSc{U8ML@` zom|mXXNt9M?K5lHYhNI@6tfyQl?T%MT>&lPI<0^fr3Ky!5&Z2sCHxcG0TVCFnUpBpTr#7@jiW0t{A{`x@ve} z0PgO5LAG}Xc6Pv~4tk98A=sYkMM*V6nQquOFlR5e{q#OJg15iE#W*5lb>`PaX)n=XPicM?w6pjH5XgtPt9=fjpj zn`joc7GSu>MS^*Y!06%{&hQ1xYP^V0{PJ@8+dB9caEQVd{!&F@5?~G@ zE-7Gi$ZJcM4EZIP#%V#U_Y_O#M8o6YAdQK3@lp+BdCKkGCorGJ+y(oo^^U0dj0D)7 z@UuTls(hP@Hyy5WRAkaErc6yE-!$Ydc}y`B*;d89!Wc7ePT`-u!q~~ZD-iGUcbZeI zxUJauuI?Vgdhw#tHPgeQ^4WH9viQJtO}qOWM%Pb%vitg>(%BDP95K!&FiHA5UWott zm^OF#T~zyQd0;s3yFD-JAt@gWH!P>`MIAH}Tsgt?cDSfRpt)YS@YK0nG=Y;&2(|E* z<8)yRwdQkS_*=XX`oN>Z#c~}k4veMYDSpt)ysGf^yVf(;wa%bB-{(2t&vAWcviM8$ z9_Y%xj<@@ZdVEqSCY8k01}9WnTU;{~O!-o=Hz3kxqRGKEx65iw{Hg-ygtd5EcaZkq12BkGDTa z44f)v*AwLO3mWO}^Dcww*(4rIOC(j5a2WFI8<}#gVEv9TSflf8Q@&uq;-BOm(CYc1 z`8n|TU-qy$p5c%rwTcikHxVSCHvpnKH|0>>i-jUYbSeFj3S*+)Z3Am5gb_1VO(B1_ zgmU->#Syp-@|4zDXF((kq!m2E%Gy+wI@Eun>LCc9SKqLj&!c1*AeN?C7*OX_Cn_)= zb%<|YhcL&!)@Reb7A@~Z4vwCkTHYc|&Sn@KsR%0eqQHj@Ji{Nf&EUfZEvH1Ovy9%} zSXKU1O-XcaY3fl0-oxoc#<9M@Q05ZYJ3h0H^(DDxHG9vv3Gx^f7~ok-f{!A>5xeB$ z6_rzlAEj)Ex<&c*0DxmeAb-^zDJ_lZx~r4$ z(A7!=I1(rEA1oacOl^$p+K~0T37>-bBb>3ZEK9&OoGk$bF2>{dBZEzcO#ImuuHrf! zBM7n_W-t{OZyb_xY8lh*L61_(Axo}BXk7>pSj5-|vpY!VF2`MIKB zgp4f5ga3H^eR;nCW0(`X5l#a7A7%^Q;O4ji4kvIL4E`6RbRis@o12@jUc6xc-Q3)? z{=2pLYV-MjY`u8?{N?kPn=iJv|6_CO)$5lp{sU|-t(OhI0+S&BkIjW~*`51JexFtV z@K*Uqdqd#SeRsIALC4$|r0!mgV&1Lt==%A^61hFE7Z$ zNlai!iX5s^tvx1roL;f^ygVie`yd|l)tjqI^swb|Cv{b(S>|c;5kLLOtRLV5CP5kn z2}-eFe6UiWjUqar`%XK8YNg=i zG4KrdsNrI-l7L119s92Q6OPibZ5@4J?KMk2(T_9?Wo)Nce%t>W+k`=Dm7lNIe%lJ^ zfh>v7ZQ=e-GZB?-^IrlcIqd0S#$y{rK&WMFTHi88aQ&(&JD)MIrg3 z3IIWAv=||TX5NbIs$O&5?TmHs`a1X`+8)LHS+nF3#ZrNAl-i3zzL@rD!&zm2YxzfQ zXxg1cQXE_9Odmr8eE_yQi$py%09X&uADLxEh;+;yaRB>b9GmV(?l)8Y*9>yF1tv@R z%Ky>lL%03o50T$XS@gN6sMfILx?Foucatrc`v$;=d92|Ns3@Vy}{v&56U7%Xyuq1;!}j`NFwa2;ws zf!?0#rgHmHQ1oViKA{E!E3l);SBJ^rq(Ewj_Sw99;coH+9cgS!VpPwz@o!O)OwwIy z$+k<}F3qB{;=N;&kKZ9#RQxynJ9ouz8`_v97pV*X;+K;!y;5eA?``ASf4dT9b!~oN z-ul>M?~PAP1f)>OZ$$nz_=PUSTL=Cs9tJLUK%*KlJ28RlVQjBq`>WUky0z@P3hlqRxC|b5Zj9zX*YnIbW8u*PK=`b zB$8r6USCk|9jH5+T?BGc8Bl=-UImYGi6iXoXC?pTcx}b&1T^AKS zK@m~}R-R4DK9ynEKf9BxryouAv@B8c9ZqnAXoXEZzQM2pGSg0%4P=Voho5w|wzGL- zVvw`(X`4^(u-)Vgu+PfphN$uLbof2UQZj1p#DhAXJpJtk0>sOKdP7TuWS@|qj5z!} zMY;YM^?c7W;5tW!Zj_oE;GL$GQA(WaLmrJCvGmsy44{|lwwDo5bapN}S{YAthq(ng zFt>?v*w-1+XGD`~^3b#m)|q%@B{1E7NBGpAe4?|M0noh+rqu*#j9ad8YF30Q;J`H+ z(=F)yONeTC%2L(lL-Tf9gR7)_yw7T4zBjJwU$Xv~EPc&tP_sSAZ=qYGFJZEInd@^& z$iA2yRjBeZC<(D}y!$VHbq6&@CeE*~&)&$txT>u>cdMGXUKf$#@EXwK8yq7{bRv3# z{TzL)uwy2pA4561CtEM%0d54ZQ$~Aw-9SBr{YYYSXh0hbcbv%E;~FnCxU9J8)xex| zN=RwBUSyc}Bv&gwJMedUi8rTl)LlFZvHS2-xq&0~AU%kS znG?U${FITh!23>PI_Xmy5fe6hc!l5i`=Eod!<18$4b>Dwp5RWC#)15GlcqVnu6TEj zgOuaPs~Imws^DpWal!uB`_{9rLO_P%nq-{mrv@D3%$&#TG};tB9IoLnKM8v?{lx-G z8QjvbJ+emz0}%$Pso=tFZ9RK@^7Ip{eeod}+a#sPP##v5 zy{#Mp0piZ#JEnH>0&*ShVqgO?wz?r8fcy9rO5U0ADAF^rI%~+T>4u0%FMcz-d+ok* z^fa+v2?6_>ID-p$+elDRDpkhST)sq>Rs*l1b!7?RojZeKZ8Wzbq^S?(+)ls;TuN_x zZ*7oXV$RRInlv-zfkJFy$o_)my44-c%zgn)B-SHR5|dfvmrm2(Pc za_3l0Ee1J2#2%wG{|PN0Bl)*SYofpc*X{_FGWT5>k4XQqXSU0b%fCLAbTbCKhnH)Z zz(Ywa!(o=m;_>Bt=e_*#S^3RV&%+c;Tm~5))vt;v+H_%|1c{_WH?I#&NXnIUGBM;! zD;17de5L^9&&d-zP+1VAJs~79EY zv@jgZv6U!4OlyHF1CN~%bya;@my14fFN^1J9Zfb|JI7EEu>^<=aHd{GUVyO%wbNzA z!7I+<`uoG7>Xjg>0y-wY(|g&t0{mf-dtpEoq8A_JRxgq_XGFf2(y+}xN(JyQxhW*f zm$sX!d#fmwo{oe(!Ov>2`(p*=DfmFEyjxLiBBGu80D}^#G`l-r;r8R1z7r3aq{kWg zy_=5I;Qr5}goU5%V}-U#KW}pMOu}4t@*sf@VABVBVCDIu|HQzl?#U%gNOk(6F1n)z zl#pZoZI&w*x3Z^xMP~J|MXR@ZhR%C;PVJ)2_HDpztt8ob|I5WU-s1SIF8czpXV6!( z@P?hR?F()x?{<*GYv2;C{_*6rAN|C7Bx3SR){GJ7sKS$4ht1>RB(Rurx|}$Z%N`8u z9wYEyF~PkHknMJpidqr8xO^PwCx7Qe5LBRx+@xkTIOU7`w3*B%K53kAPGrU2ZB97m zZwo|A(r@*%gD~QKc9eKm<<;h#&*4|Uy}hvO*}_9710T(|8@HSOyYFuTPCrQbXNBD^ z9zKvlVX2F-s9OWu)Mt>^_f5ow=4-7_ z9lqE%5DZ&%pc~zf6A__@9l^Duy=*V7;%^#lr!LadI=o2fJMQnp+yP6hxx>SX>V+8i zEqp1CNO+6}%yct$;z-D1DTK~Sem3(el!hg<(x=uTrxZfH(K!YdsBQnJ=NxEMmLGr%F_a!lz9-3XCBp6hR zjyFkF`o3vx@4es9Rve1k5o;`l%JI7Knl4DClYbY*C~6kRfX$CoRAWBe|Cq2@^riWq z_r>+<3cdSu7K2ks5Mh>c&J%79m!`PB-+24I39xPQ%pq5SRT*Gm0)73dr!+HWnx)~u ztzVc%$mDA|Bc80lx2xqS8FPllPYBJ{X zj9b9OFeqVcFS}ND+VAC!+K|`Q-3;&)1RA88Mk+eGwJ>VU`GhA$nd!xtsg3?rH@s$^ zc^!qu8`L@116yeIY@1^Sk%vH4JRc@Q=y#|xV+c%1G6cpgF%<*2=)yNwRtgi!@96`I zW-VwQ*yVde<<4HWG=uNrEuUM_L&LA$@aEa>U!+-lXq~nB*3s5xFR=x<5A~lCoL-DI zH!<8WumAEzdErhHZnx(_@OJU}um)dt?*GwjP26|4(!S8Kr`0GE$hm`yb=JSNJmsMl zy*$B z9HF@@d=6fK6-An0X`&44FA`bvHdJage_6Qp+G|1zyRn(^+) zJ5T9n;hY|;3IP9EZ;LHhQ{dR9rp&WkFG5(UbCA}N$~XV?wx!ZrQ6R&mF%hTgDc|bk zi<`AbO4SvB%rT=)%!mK#L}IYP(_1sy*|Bpg2fChGSW_Z@l5wX%_Yp$>$_v#9S94UG zJ@-JQI}nt1dL5&TR3x}Sp#W)phcy(8dH7`hD@@kF7uQ%)rgkVFB6VF9+XfO)OJqpv zo>*AEwbcApm(iD$gRye--u46ohhXR_Mscynk_Rd1)2|_x3Ye^*gwn;tzWs;1t~?Ql z;Uo!YpE($X1A3$qGTcg*GH-(?4tdZp~MziMoLEjBf3M-9pR^>G2Ru6BlZY2`$mg5=0^k_v{Llw;s9=E>^!>myZhi z^&0iF)T){j;h@Nsu9cxW`Aev;-#NelLjE+B$XEe1$@Cd}C|H1qN(8ziBir=H^`o0) zlmO`P4_>m=YR51}_^&%`hQc%dOUQ04U%D->EGxRefR;08>?G zhp;mLWc#voe)R>weX?@%uHj}AcJUB=XDs-rv%OCRmk$JcU^4!|3IoD+ou&02Q<$3SW3nM{9P`0Gz8)?y^j0FY5 zi>>}JoccF}u>J7ZcvqpSkJ(GMM4+nXih9wnRH1{*O~r(Zm*fnlDrfa`^4ZdQ(D8H9c?Pw%dgZw6-6wgb zbriq1)SXNEA(nw1g$a#vN@HS(fdoALndYe8x9@%3t*er4P}p@+Vdj+?LDM z&kW+!gRj`1dPE=>PO(0ok8__PKgV+JL>_M%_@W1&VCI(qhklRy_rN1yYiG;z?R*~a zKMlA=P24_to z+av~i%L>Lu?eNwLtRDCfM&F$r+>va<*>y#14WrZ2{qEh_mu|lbRA#yX9`o2Eejkam zP=zn(*IMsowMU`k0!H^}wIr=bb#oN5*EswB2-Y>q_;OZG8eVQSIG5(;Gx%P=#&!*s z%0Wi4{cfUU#MRCh1B->>1BtWX&`ERz^9KgC3y|93sZ&^I|n}-e0h~JM+qmiZJz!~ zc$Uy5o;7gkpuvR-omUXbzdn2uV z*1AL{_s z*P93tkU`6O^U4fzeUKVvF(I+xMh>j?Y+w!aY#ov0b+DraPSZ~s1e>5O`a?r%8idlK{~ zKT~I~Q((~YRoG^itIOKON1qYyW`4P(B8r4Vb0INL!N|OTySNNr$us%M& zJMYa6K&ze&-wuFx%&s37pPn%G1JFCEDvwdBj`>rcIsanmlTpDX0OusVaQm&dMJ>XA z>w(j~9%Jss1|&;d9ZdJ{^S@qk+_v^EcMTj?*L8LRM;jN+APHxQVMk1AT)rvdbb-?5V3G6*Mz7il-lqzwKiy z1e6PzVDCNlin(%(I&o-iQ8zjQtVVpI{*;!F(@)}rx)}LSv8#jbg5!tDIzP#2dYTncmhHp%Fvh#cD`IuuW8mrI@o@VL!Zp&Yhak!PCFKoDSUPd2^43xkffmH! z5HmhY75j7R*Dz+I?lWf$5CZ#jhV_Q%zhZNL52xhS+NTb3cV5c zg4CrUh@P2wQFz(;^5$J-y>`VYX6fb?S)RI6h{;p^2!1NA1x`u&Dxd6M|GsM*)WL>ccG{R+Z;{66ylZ_~lbqVwGX*io`&uYiG{Wv)pC;fb(y z-x9TTtD)ME&an5Da@_0?-ss|GUE17z|M{({c1*k9@tJ^WiC3;rdJ~KIeAL=&Gqi5L zao<=)1{E=CAeX0#L2n-^BW+4>vI5z`K81si5A(SF;Kx~A$y+?Rr8i<``7(B zk12|nZDi?wtx|W$B}bQh4ZPN-0dim9@UnP~oA^L0GaEwjDwoH3l)I`(16kc&RJ~t4 zw|ky7pQ^~`esV|1n<`wjkgnJ#HR0s;>~^!UGvv*j#x(A@>2m<==L_ncYuKS7qvH>p z9zFZx59IiyCplFqY?maGq@!KKh6LtEBoR*B>jj+V9&ugEa$L1km$2V8!!s1W?$jp5 zaoIvRVrQaebE8)(0m~aY^Q&_?F0QH{d+e55=6=6M67{yLYYMtOKg_jH2v1fW0fU;Y z$R;#4ZZWudCm*?~4ElCMlr5x5FHyW42bO;-CCSys_60G{r3n5d z1s#&~$6--NX&R9ACRXg^FFL+=U&U1H%CPti;H$=&g0fJGhLvDT8%l?e+#3w%bMx+) zPP?U&>na{~j*7Gt|FQ#L;hLs1t$vLjVowKI~4(AO7qa2 zD@RlAkeZ6Rfr{uh>IgVMou$x>ZhI@y8D=rTW!!PS-GRi30gBBTLgFN(;jUN)RFi4p*Q%&B3MCN&nXW%6PftI2 zlh1)Z_TVylzs=&g#+0JgVidk$&qQZj9sT7fhvx=yDhvd<3yGBjW&*qb7vSU;TlE zTRJ|{16~#wI9@%tDcl}l{-!q>(Og=N?~<}ueb zqfk42T{_08W@51ax}C|hl-&pbRxpJD(7tTg9;u;fA?lvcsP9||S(iRwF_9z!9U8}5 zW^j~wJK|GUT*0gMLVg6@ampJrFSfubHlW2T?(s}SIw+S>QOkK#;jkr8W(@JhtG*o| zq?=wJOAGRh6U%^ZIjTP`$vj)!cQ_al zNw`e@`#fSBWD5;WnXj9Gu7 zy(8zEUHr;==uF3GWnD54U6ZXY@D}2-LmGQk9l(8(R=Mk@X)bxc!v5c>L0+a!e2Pgu zay`R;N)GZQVGB{Omi=T?-EV&xEJg^k@uc%S zOdLw_2sTMyi`a~Bki@zd8v~T1Ar62NuE*x>z~jis#Om!0;!LcB1SF={$8Im6|EDom z(yq@rwTzqfAH7EgwZkLB@-%=yUJ1nSpFF4#i&)vV_K-q#li}JH;No2~#ol3v*}1yv z3~!X}<4&93-|x(2c#f5y0cd-yG`%p25!{;9-N!|y0kai#;-zONj_5Y`{qBK(ppYlB zJ&D@?dvyJibIM>ljf%N({DFynP$8@>;Sc+gi6Nh! zYRN0*@j2&>YPBiKL#!UZKd*+b_xpcNf%UGeIsBduV>SLGcnjRFp^ZM7(1)J6?S_*A zza_%&vJl_UIu(L{)}DeCpdNg=~o`DwONs1V7HE6@>IO zvr_ZavG#b*F{dN4T3C4OFA3Ou(CzZpVMJX_?M|1k69(lgjkl^As3g` zrO9@APfF(CTU`5S{%SeKBv8DRvUI!5|!j9Rc^8J~Uhuc0Jc z&zOJNd)lRLxj!Xz{ps2%B6uAerk1#Vl&?`K#v(}F$(EK;Xptp5kK8E_fBzmHWg)1^ z&?1_K0ylkHK=RoDWeUeenF2+E)N84M-8vPT$!W9W^#$t@JRWwx!= z8Wr7J+JY-3a5@~%8b|hAyFHt~i;Bk3h8fOJcQ@M9{8Ufl;H)SZ=&7>3D@Ntl)^@p| zp;B2Gle^)`6yWnW9x?pS-U^Rw3HF2OB{)uk{UCIrY$Jr=^XfMQJF-;_eJ_)z*RDg>Zs4;s+@+rPE?c;6 zJ^05W?A*LqY`Qki?wCcYlxNPh58pO`B{>POQK5JwOdL|$`Eo#&z|OPFnkmojPdwVQ zm3X*fL?|w9Om&D4k9m9WE{Sa4_O?9%i!J5SSD6n_URC$n1OjQANIWhvUwXtKRUUb59sfNRF z)$~DRKEY2pW_N^DIC=V&ZERIf>m6swwHbz6!5Ns()|hG#rDU+_6Kc(yqpl1^I>qG( z@?aUoashS11=gN|dn9#|p& z!gjbEE<3S+D@-#1yF9{yKDq{aYQc`Vhu7GiR-x>60@>%(4ipuPS5dI(WWE;7)YLlc{9=}kxZ}g z&nnt&hnVtDH1;c^JC^eFwChDYq1MYE@ch`-cI`;zETCL1HH(+y7g7LW1YrBpF5AWq zUrp3HpD6s6y;c)7`q=y9xbmCg*R)E@BdWqg%I!66f=0hZNEwN^c&^^iG;KiVpV+Afu6cT zLcE$%kM2C5)RB*CN$|;RBEbsYW+qDO6iq2XMsuTR;QO_+B#~yO_0p6?Qxa>!MjgcU zr(Lp6jV<73SD4F^ItDLaFD?+U6Jg0@r)f0%Zk-!3gLcN&{d$s{oaN|&HUVGs!@nEw zq31J1)Fc^Ykx2@@&@QonGBO=2FQ?Yh@$K*`W%;U^&gz)JnNXGy-ELjYjz@k=D9rO@ zv3RUkp)|0zsi$IMTM`&|b?6Sbga!n_X8pXcW6#DM3&5@Q^9DQT=2-vR+5-T1JF))w z+MPblWFUCx6&Q-u4Kd@y-3D_Ieq#7x=+;>Bb_P9>C7N*}dtXl0bzcj+&X@7x7;YV> zN#&cXs{st6%4GO#cam=_*OG0`Dr8gOY6x#pK3i?;9l>OA4CuLQ(Y@a`x48t3U8|)3 za*z2WQJlRQm0}=A7o~)HN1ZQe4<=&fAz+{D1mcmlu#P%}WuPOpMp>KYo_YlQ-if`oAHD8ThVuA%rU1XY`}VKz-IbNd(;ucF@`0opds=aPfjiOKhyl+y95{+nR$@s)eyg8(_*upI>)>f zepZ;2T@u^;mDQI&nA7&ZB<%2tq6_^@=O?wXY}OHZ-7Ps7El+!;-QM47`#*vHa)SoV zOk;~Azmnb5)80J4`>QBc3&C>Rje?;g8Tre}SeDiU?p;&x3Zay!t{3eRgO?f@(TTvP zBTO`RmR37jIx59p6d@3{EaS<3&B)B2RQta{Gc9=5ROzyVz`H+44U%-cUA8P8zOTBq zSu6tDLDOO}nSffh0k*xqmYV>*F7G7(;gR~OTpR6j?%;=&iyvJL;6mwpm~$uec^Al& z`rHrn(@+0v*C@gl==SPsN7ZeH)F0exo<)$y^rAWWBL{?=)$ex(CLfeD__jBSec1-8 zF!Sz|fzomd-6id4suEr!9x_^i3Dk_60$zt3v^R9e+G?q>&v-A!7sK&4`PPe-9(?n`x$aN}r_(IO%X##p zV*4&FHFFJAt*tas>+*CHO>aCp8fNp2_Sbd}!a^mUkqy<@lRN^~R05|7{-Ue1wQ!w{ z5uBCB-)@F_!DmDf%j;mdKu-{HsX$wyBqP_mY_!M5J|k1Yhhc)R`*s54!sq=LFG>hW zl{gudB4jAVjDfgV0wJIuXHqe6ECPb9_^N}gsz2E zTOsJJbN5e+LyV0qG(ou6JA-ODSKigme*iv~2d}yo>=Tebxh& zo#aU6#HV0l&1ln<+)nq!;c*`ZaK6xXU4Sh zd`iy_@4Ko4rd$7rs!RWfEKjPRIuv$?MnAJtB(@k9PImt5OUAfAZ=Dh6 zM^&GEzzrg+VQd7e8uyxVsq<9eq9yQq0BAk?8J3LTCeo&T5UsTUdObD60p4%tOy3Ve zzA<0=QEx<4Py>c>b96ek_ttU&Bo{3Rc|vP#>njhgU1A=ekkV3dS$P&@75!byxv~?7 ztLMKd{^{S#uUZ#=u)lCo2z-iBKOv|SK8O_srdCqG!N|1nCHVI_#AgY8zpo{TI^&d< z79{6KcbFBZspA`Va?oEyjOgInbHBF(+1KX$II@qQC|^{0&;vS@pppDG(r*T;ev{*^ z{DU~@NB34ZAo~_EF|#}q`x|D4-as&foK@h>ZmwQZb=Tl&oN#Y%rMUX#7Y{Yp@;a-o z3dqG|AbbHpzAd}+vA2sqE&_XYMhV#7`6bM@>118^n|DD!GQZA&0d`l+x6GsyXWJUD zz4;H>%fNj`cz(C&X}6cox~HBXN#lu>Ckqkf2U0pg#&4pI3M0l@^$h9&@$ zQXfw0hDEUP8*qR8Fuj`c-TU>qZ2Y|o`L^Bpy=&$^4_-OqA==u(n?ul3v^c14O5)7< z%%0wXoz^wpK=Iuf8Ii;rX9u+_%Of4Pc7qq|@rsHi3O(dgA~l_&YoaK)hdmAoQX8yi zm%>(2qV}K{enS=oC-z^aLVZ&A``f@>KUW+*&{OKOqZ`_xRrej!%ew(@?xIJu#qSbk zG*utZRL3cLVusf+MTXYIVz*KlkDhClDnc#9)yvfDG^gVl@0%Il1jeksTO7`||Yu7vPY~JC$0S0W?<6Pmo;T9I#CWeZvQIvQdAkp-;NuYYh*dULME4 zQeBkm_{kQGnDpNZ8g438zLeq}<~f4~O;cy9rj%W|T<(PUmB0cDqmQS7a2cPP3TYZ>wXmu-Ea6Ia{UKUUDwULkI;iZOBxjmYEbLzi0l?Q|00+=6kQ8t=$~!HSup zg{UN3xx+8lm~{bZtX}boM@^9RrLog!tMIos2f_GD&&jM3Lya8%Tp(mOc|^w@!6f=` zsMtneT_VufTK{?56e+Ooe*+ZLn^LD5GF)W*f0$NCaR0tmbg6v0Uh8PunwHRk>0)Vs zPSyyTSRG41lOyh5ZbA8+x{lRo3f~|7?TCLT=8Y2bZTvfeai!!OC-w-*+ zbXj2JjIFJ_)%ILN7aA#2ULh#XY&?^WSfZU&!(@mDNmzX4Y5H&;$_up*J!M?dk;m$o>4Kx3$vW8A?P$kU%(kf6x!ubW+f!4iCHM9&4`(Om|5z9Pe`D|-PS4iX8wv!< zes~*yM^d^cU@tXom0?~^ZTMR`&N)}5eZ__!9cC80 zlf>i2j~wl7`0k_d=0(A}vouNzKHXMJ+{D@a_4+jOt1$5a(8GzHo&EKB?Ody?p>zan zS3-Ch7%02ssT8!R6%|E+UxD$1h_QAHc#RmO*c%mHPkzQkhS9+uBhE+PP+K^^x==r5 z_a3;TR=@V07&u+0(MVm>4|l?~xeW|3nltBsoshiOUxHTzZh<#?ln>2&#< z-mhjIr#d6nk#c5PggLsGgt0vWTQ`g{>tLo%sxzbsdpU_JcJtEMx{X?xl@T2q#?1@% z(L1@l-D`ZjYXbZNnW^Z`n(L-#)$ay7+X8%cX~ziVM9@2bxh#=f;6H!5R6fkdllG!T zfpbJZ6_H*Mt%7l>I7nsL)qhKMQcFrrFV6=i&fMJG7jkPm+A&q9tk(LnH!=yhWsYTC zyv=%^56W@sEuE%i-4LHK=XO7>-u_W7={ld)=Tz+k4UDae&rM(LcHucv5t zjWq-hAg-fBX8fpg?31-)-<3m0LvvCvs2%#>Nx7E9UJG8-Bs)pHh|2%N)$;X>dq|Hm z7NH6U>EIbIwka{88(GlwM2up6)b8LQ|FFk^ptABUQfo0IavSI@Rh+OQ@ARP=Z83I< zqbDX_qR{>it!3CWQea5@@;YizbE<`AcEa`gi#4Pi22&scTVPQMUbH?D5)S)Jd;LZh z>K>R-1{&>(ihK0GL`@&T4LO^*TjMh|Vn2BntUc@FAw>&pJ@@=u!i}+m$8+HY=lDEE zN%}z6jyO9(xs8vxq0?tQs|~6l@mGvCp~Ruq*iH7sfKVA(0u!9f zLh$%CDpKZq{y4ovfNb_+IsY`YO0U~Q-|)vavYYmgk7O~5>*yKePtc{^?!lNyTB18% zC~$x-cmk>*?grgI?t6MUGZDdi5PHvyPpM3KCoSlVZvRS+^G{PAY*>DmiN>;5YTW&iPel2Rr?r^?uKbz-n zn@+UOs9&#I{eYMQ%9l}mO=_#sF{OAatqlbQ;j3I=hd67h92BD%I8D<0tbAAm=|G+9 zvF|#4_df3B{5w0d@2P*D?QFTVgWv@ZbOMA8^ZWf}XBb7=j+X1Ht0B-&( z4d2wgQ$`&AFV2=~v3BWh{`j@Na?IjR33JZztEU8c74ZS*a{ittLtOugb*3F4s@e56 zupfowJ$+_ec1Ple*LH8N#*|`B_eo_QsKs@GhLPc_FE&im!qK)|M;~!Q-w% z0nHHH)~1{c3&_5)h6pRG0hnlD9;$pqS$Ugiucdn;c)-1{j3$6DU~dRRA%8+(ME5>I zJ3ouYIa7oOo$iaskT$9O%9{jjRA<>Qrf*^iv7hx54=;Hq{x3*DOSZLVG4Sp%x^A0t zrjJ=@(?U}TQ4*?APL@Bq_!QsOxnUjt)FyfZ1-n&_^Ol+hedpaW|ai2hE4?3gk`X4%zTG54}i52`oXFVK0=!~H9|Bucl>LE?Lt`eXxyx?s4 zKq7}YA>J3VR(3ZqP&un5w@5}ffS4(w+4$_COsxuSvm7o(=054@rHu~qIms(DI*&bIV6Tqxl^CM(va zK^Di~7Ys2p282-d=YIA;Mp1Wt-7n*b!%k~8eBvoV+=8=6vZZ;XIO z?AtEkfqAWBst}dqQeaN_mgZsx+;yqNPb>i8?gxOzsrF&iUu@kfr15_Gdmlk#@c$}g z1Mxs^aSfwX=NKoH?|=;0y3<65Cdtyg}gq~F!R=P+?H-h+m5@Ox~*LthuvGH=Jf8 z@hN2tT!ibt+U)%Ldl5bWrdi?+o@~81a}5ByZgeRR;$*E-%BDap95-!0uo2G$9MFvo;PrFQ9Wd88IQkl^Sd0C%EUBeP-q7V4H0uX= zl|W~UEch4JN}X@Uk%R_jbFch)!bV_B~-LKbjSp8(aJqd($ghZ5f=7Yx|%aYypF zd7W~ZwSb-6-cx?U$1Usc8+OO@JK~No-?*xrZL8?7^vG$+MlrWih1?MrtjyiHj(tXW znVmTjtrJR8M+p3oRrzPL{-e)f`O)wEh%vGWfBa_MN@*G{xZg1^_TeVOw-4p%Aa<${ zu-P}c1hEKDwC&5#lNU4gZos^g> z17s@}?sxymyR4>q+~JJ89m0Qu1U(u-)E{(^NXsmqabZXyJd((d{u6dbRDw|38Dl=6 zj~4y|Y*O~)3egas!oOKnWuaIoyuiV9*iTIu>dW<4HU9L^4N#?22)IcE1I>MF^j}tp z$*GWR;@SIHwLhsL7kRWOX0-5UM_E=Oe6zaT!h9`dNx7V<)VJ%U37Orsql3tFMR)Hf zr-34ZIuer}u6y*-b*U3I-jj>ttn{DVqY1^n-Tg%1^+wL$Tv}9@PZ(8KXY5UbutX-q zJS38zgP%&}^&?wj@S_EMj+1&ck3GJ5zIIEt9M`t6h`Pk<_DSn#kmk z!wicsc#!~75}(xL@ahS2BcJr`0I6 zuc$Aoie|M(sUD#cw1awsnz=T7ARMGu`b!+Q85pO6s1}s^D{lFGg|CpSin9IIc6t4# zDh{E+Z#V7s?EEUn(f(6pCFXSePmom$v+-mR2pgn2D|{3W&&w@{u5s5i{Gf>1-_ zyZ$fw#=;B^c=-_;<=`0pi^xbd}ZN5|H+{`n8Yk)fA;|MhjYZ~Z}DA) zx@Do(PPzZ@}T7r+{bep_!9UE>nhuNQLEt{afQiElxzU{MhFLSed8kj>i&5FBe zRZ<#o^dZ^6_cMVANgm*8*a|u$$1XaG%CTF~bNiT9Jl zTH;PnAW3pD={qs4aC}e~;m_JCDI$xuwqX8KiwN7H6B3Q}9dEV#aE|IeHEAj1J!)EH zEIik?lDUxIY-*gHfbh!o=ZFhN4HMEh;*up#%`q}_G~Hs0YDvj(xBooZp3xd4>9M8z z)d`Vd2+ymHTRhxr^X>XF^<{d|%Javl(_II2c6;Q=7JeXkBB^FicSOgRAB;3~2v#!& zdi!9UY((dGZxi)LLAvMENwL&-ki1-BxX8L{q||RDR(PnbV~P!BtcAjBxGHj_s(Jj@ z1rp)bGm9U+IvS-^l!w`gOI>$+yC$^MH1W7O<`k)s`Q)o3PdKW@rdc!&a)r)}z3V>M z0Ihs&PQWG+MUtg)Qjl^9LnJU!SPm8u6>}{}FdL+{D-;XrOYhGbnrO3I^}6Qfp6jW` zGG*tS*|jy|zG%~NS!}wB*8tnU-}DC zm+17JIBP}OwBCPgR0`lEN#n|}mr zz(&fo70RY=8t|;oG!W=C18&Pkf1VPZ$IH*9G4|v1VmLy3F&z+CFnZMMaa2d+?J&_w zf+#AJBir$$Q%FHXI;i9n!QQO>XYQyo!#<2>-yBQ%B7d2DypKdU=95sG;HIEh6~K7VEZU#BW_%H>5FA_Hm6QpE(@FE2i*Jl zp?22Mp~8hU*&eB&J8~!vgZCZUri<^72qGEBO|rFwx918wY^qxS2%u~uTQJJ zY~FyUUUuKFr`{$QS#z|S4W37f;o2?HPW|CleZFYDj(!N@uCPVej>ER3^b#4^y|3BC z8{gsGYTp7`kf571n9*;#v95Uz;Kd5UjnO$;=7~FNXmV1wBX^aGAbgc_q%7t^j=$oN8{q;C; zK)>G6_pXbH$5^J@$%cJ=-fafm&=df-mimmbb4V-I8r@W3g}eq zgLWda>K(7n--B;2s@HA?bOn@c`uu}y&&7SF+{2POiKdpx4FE%d6BTWBZZdpPIxf0# zjW0Rpp=Z#ha^YaRdM?IyFK+00>7w?!#WiM!FPnLL(nAlbeWMul*jAh|`Pv!Gn(sdG zQ_rk`i~V{6nBVAUZgMURGi?Ff$u9> zLCt7$JKwvlOgA9SRYv}V=sZEJFN5ZOjPRKFo0GX{faTj3HSR)?wANP_k{GBt-LYIU z8nP#PkDE2-w<+*-TweI-MJg!Go!@MQa$vKaI?;$8(+QVDx2Hks$VvAAUN*8s+Q_C87^bH+E2QZV&GyRCHng#Ks3~dc02yisWuRs+^JwBvbxbP$nK35= zln$~AHpqBuhiyBt!%QsAjJ&YDnhEy>;o85NnYq(CeC!u%VlhhS_xRG%((=6>!!qtx zTR*NlwFS`n^fT-n&VV8oHcYOa+`A~Cwk2&82cpBi2@vS1PpS4!+;+h*A6xuC0H#1$ zzu0WBzpaewP(o9kZ+;mmR-LUNDD6`>Q!=nXtedeZVkEk{k)aFG1;+N-@!+e+87yT) zHxzN;7-T#?j1vtq|2#`2Ha!vuB%pZ{Yqv)Qs5$z=! zxmUz@QL^^SZ-z}B9Y0KI-ITS6rQ`C59ML(BrQq=$g#kK46wAWWBo3K+eqjUbc?han ze3kYMW{`m~LNQ>eeClJ8>SP5J0)ssSA)ZW-w1Foi9265!Ft^_7^T+j=>9R#qQ+P(& zE0VK<4L_Sq{%k}zU32p`V68udet!U7C-Aov^~^m`OhQO0 z*Mx@d+p3E3o8Qzq9Y21E;=n%aW`_Qn9Ahc{*I}Hq1g^{lmc9S~c>i(n{olvCU*7+} zl~0Xr1E!p?07f{Tma@e%GnOTZ+f2afyK^-hBMuE$_?}SwJBc}r&PaHun<2XNrAe8X z@%cV836n&=OHX6O5gTB#6OegAVifZOlkw6qhiS!N{<&VGWC;qyL6K+Y0@5ks`gvjb zz;NR?t3#ATWHCoEFTY$Z#?pceha64P=o}SZ4qp9u&T;%kr$HU~)DHXZS#5P^__2BC zyshqxIK_eH{}sBCJph-hdvx~JtVtgzmi7iQlG4D~@TvauATzzGWeSos_tMC*4zCb} zQ}mYONWc5M6pIoN&2+r-5UAje@}g5Yil6Ho(vv?xAX}dJO#UwBIt)Z+%M(MZT zg?|FR-PBRu?0#%-sr?~8Z&EdgR|>{_WS)RtAspGE1D&~&N77sy4WXc z`p(Mg!sgelh0UzCi#Z^j8#DYPu4>Kry7Ij3ve-@n4jdm+k|1*ZkVqz*vq`@ zNk`)podOPwE^#i-?ESS=5`}OQkmvwh9G&%YF*Ki|U6_#BlRT)P#fCVsKdWtq8e+|z z@C;JF4LP4G?Lq0Ml{cUi>rq;?;)UqrScMf8K#tQWDuCHG80<#R%?fZYUz~22nxO~< zoKVFanAYeS;sr*Ukg&g&IPf_*^;&$I>VE~XwUq`~umA1s?mgTs=zsfr`@=8#-)(&E zQ2(<%i_Nq>0qo9$yqaNznXGeqiBJMKg~25t6D4neYXpKBAq!0?x7@Ws#7+S_}({;t&|EaXj`y$iC0<6)cVK<*bx8Q z8eop*EElfiFasf54b)5piq%wAJfv*KjfD%{Wik!OqSMMe_lh?Sv%I zr0>HRG5#T;FyJ^qHVM3E@a+ql*U$dCVtvyn`?A-gXil!w8FRU}3 zAPUTx4T*fD62|hfsoS>=(8mBJdD68^qBlLRXE>P2r+uSqxL|-^lN|0iosSVE6M4PQ z5EV4xJii`88!|CElF!%~&yim7oh!-2D~o@8%EiIgMmR zSJ6_IW-rhPZU1sN*xYOZ0e)(kEC9G?MwMS@aF}1SVV)LGje*~Zi{6|;W?N~@cw1KA zEy*AX*ho~iTACPt{gsdlhAL%Ln4XH%6-Tj*`?SmH|Qn=K%K%&GSxl5CX z5DGR!e5FTl#UDfW)K5mTX;d>$+E+3+lU@Zar(}y@vq&|^Uh6rOM``&4n{yK8NUng4 zF&1sIbnGmogt-l_1yI`KyabfmC8^gG{|tt&FCY17YX38KnN?yym)QUI_8t!l_P@P{ zkH5r!+{(v_Dlf-kY{oV57$t*VV_RO|2!~x7AGLAeGZG(eJ)EOyG{qW$8;z%E5TbDd z;Td<7HPR{`<1X8*<0d09ZYB`p#^W%2bweBqZtwqc|IJGR!)Gvp zaUhV9eN8Eh3koL_9GsB|2aEcNy6j|*~&NK~hzN?4c*Z-EmK9}*y zZ-mmu$_UuMDze7O&u|{CFm|2J-WJg#Rd4s?tPab-G*UBUf7WkFp_c<>7JifmE$~3s z9d+}{Bp!se^<%c(;uexpX6DQSDB5@Z$GU}RYGPyZ(OW>8R6=Rz`V~Sw+Qg0g88+03 zN4n`v&2OF$fGkR(awj4j)|m#MVSTHif?#18V_$ zlL4JQ%t9gSG~PMn!A$9rD=WQUEW)4vr?LIlikNL{1Fp6I?(ObAc~p%59PWRq|8hH@ z4(-3~48R@Re%oYy+h@6y_FYc-{%5XC@aHs6{wZn`(7F`;!ULwI1O|U<{{dj$&@x z9X&sIH_kVJb737Q3?tQ>Y7r9gS@~{%n{RH@`|Y{o7E10#U;DC`N3Oa)-xlX|^h-xU zG=u8`7NwFj=KJo^DUZAwI-c@dd4x=%{*#KbKFa)x+1*kf8RX8=`A+6}blBdeetvjx zp%38T8D!`T@)_9Jag%riUj?54o5A6u$4ovuUbi9H#4`jVK5IU!YTs`@c{Y=N#HsmI zy2DCy$vR~%rpoIhE?Y?d&GS|->+bqBVPQ9O2X6wgis4s5%y8)vOzQgKIh>-iG>TLa z!)oSQv9mM6_+f-0Ll*YdmyP9<+6}g6si^hzZH@V^`cxLHl9$TlGq-_4hs<#~Yoa_F z*wDjmfKP_kHv?EpDThHIw40?PoDe)5Y3r2!nl zpv@M*$ppukFD%}nzv<@SWaBqHHI4x}10}m#;y%{Gr@IK{D+>X&HIsI`1^P#va5 z?N!q%44WSKSSC*?4al`mpVwL|+a7#pp6*B{ClR7WW@mlb4e<6XUBaG_h)fsf2}LkG zA~E9>;+Q*_R5a-duPO+-!;;M)MQ4-*NYQ5VaEjq9zMs8Re#tAW+P`V8B5moYq#t){1C%wOc=+(D-t5#>qwQG9N`HH z7D0r*C*-p5AXN5SH@jV!s*2GL%WxMoo0>1ZF9uY++2dWN<`Qz%xb<>!WArRcnryFr z@L;{2DokV^QE0PM+OJ(+Ea%yV4q-0N&=y!PMAld0>gNyKb-!_tPS@neg;~UaU2K^g zr(;l^vDexu2}@y{`ayBue2boT4p1cgSI?dZ4Egyhf1;OC~*h`SSIT zAC6z0UHqIq#It-oVxnJB%KeGA4hR$@g{uekxrN3vu zF43ZjdS$QG z_=gqndrnK$`*}4Gx$ot*0qptrYOxPd^x# zK13vd(SXg?TioS0@TEOg-8t>>4!U#Rz$K&zhIq*>bla?U4GZ&hat{k*u6q#+!*y^I z3nO-N6$@j29(OSV>eepf8)q46&ufR*u`ugx`MS&#Xsn2*{<=0$JMY{Q!YdM`bM%U& zag`M5*xUMOLsl2s%1$)LXZ!f=}s#t(HOlio$+zvs{${#{pLerJ)Cn=^zs zv#eN!8ep}^)&VTi=-i98~gd)a?uB>7^LA~!jsZVv(OGZfB zhrhU8o5sPEdf!4sOVwN*irwYZ_Kw0=mJa+Se#O5HHx62k$gi?1T6BRf8X@CTkV_;E640IPMx- z+eHLKi-EfffhbnFG@t5Nh~^dVKxgp~xejpa0TJG*Z!99hw;lER`>n-B)J=I42BMpd zj;NSsEw^mNn5(*FD~4OcEn6|-T5j2jF+UHttYte`b7dP`!rKXtsGant{IOk;@0$*` zsG6voYu!<}Mb&s+TL#I?dNj4|MV`w7AECtO145oil_I#KuF3B z$CZ2uAi1Lel6+gLB1!%^0ytc~{Kg_UYNlDss#CzGSS!zJX*NMOu?DV=i!j5r4~uYm zwvCD~ox6@AST^pLAc9rB@?IzKr@~#u6Y%~$=uf~m6`sd$z%Rf2JK!@Edt?CgQ5tSt zf8*1yHv`B)#duqVVJ5glJwnVrsF4x26PQNaH_fIkMtdcZ ztuG$(2JE)6Gx_lO^NL-Pkg|iF9S^&azg@_;OTH(JgFpT_SSiuZ3%BhKu7&;hr?b~@ zE{@+QpQ-dg-;k5GdcH25&y4~UTp$it1fb4a+{XP;mU2MZ@A22Y;ofp7WF=*=+_^Jd z@K)5KHcHT+P!U)zNoT3DI7C6gz1u~`O*ZcGB7z=p#TQ@42!%|k5@(3cF=Mh?=fP8_ zeD+nbL8*|oPoJ!8Q(dpQlFBZX-ph_@GX{<^KgtRlR-&9~Sqm2Ms62r?OsO9Jl36?6 z`NHTc?SBS()rxo&KXnlLN#4q<0~U&tmyb_-Ww2t5rD|bY1q3bAK=h)a-@qo|4pq7p(0C zn-L}tVvWr1Y0^XrFMXka@l>>~a%N?*gD&X4r}T8^7Eg`kAAMI|kq{k#-6xM8l>jWc z%346C`gROhTeWei%BY_&a;DEsPwg#Jn4@{=#I0kf0w9s6u>u3nfvj|wE!(`}gIeY> zC=aUb?qkiJ6JN>e)+?jDV>hj4KDJS_X)%Fi4&N&Onmz0sh1h+x3IH@u_~JRH2jCwL zLaMDlcEvNMmo+VyyR6xlP}G`ZQ<+m=p=WluBsD|c_=@=R|NpshuE5Un?sosgnlt#C z53JSsrMrXNKYB-?SJ)XF*%%w}t^!Htk&f1{;9d^n9X@*ON5n&S>#T2;Xw}o)f111I z_Ef^)Q3UbaJddd5g?{O|Q&7EJ4PHX6eCgJGP^*jgP_6ZZ{#Oi3FAY~zLaG|73i{Fw zv!5vh0LtJ}ah?kXQ{^JBojvdBE>~Y3Dc_0lT=!fpa&)ENQpAdy3FCwsHMmwY$G>}? zF>16qtn^@*^^9^i^xZpMqnF*Ph-CpHy-b53f-HaA&6>6rCa^J$$QVX>BlWkJgg21_ z3skQ968lBX&*C0?5nJ&hFCFV-&*3V2A!~S-{e5rlGS|;{N4MDrRO{>Pa%J_0 z|DRt~d>~_pa<&u9AT_~SJ4Ul-JNhYAsGd@l?;KZ+RQ=iA-Q9is@S*(g?(S~!zk5%1 z_rKbExWE5s|IzNl;qa^7;ofk#{}tG6KUMor$~dH7?XEpn5xGCfr*t*#r*riyPrwmU`Ep$Az;;_CyDD}n?IaK`Rqy|MR|-)4PX z8%R6$;#}y?c})fUFbuIEI51j?4SA_r)2S-t>xQKHGi07im|IDuygfc=L2J}a6o(1H zncujtYhTPbPx@{^ZnKkwV~*$*w2F?HZ<^era&ND{c{vy?pfEufD#_SVvhA;%08}x~ zicrl+OsIQS0kFPo0+Dx&72%;s5|IeUcKJ&Et@yGwPP%Te{OCPi8%p){n;fcqfYMKG z04|Ta9O{ggpBvMIY$c6WlAs&QNWX&C%TZXl^UF0XV-~QrMlo}r+sKAX zDEoc2T>cwAezaGR|8|E@9)FSlZsVh`=w>lmLMr|j#=&O7T4aoS0KvgiFh%jvp>Ey} z;0D-#{3vTe)xF5C#lh2x%c4e%QpOQ|PUaBDc5QF@!F{&j!d_lncm1~Vak?3$ z1dVS&R)=b}(KhymPX@b#-ND`l*pN@a%m@>5QFb`8!$rA1ujhCgqwok(ZZ(T>WNn2w z#NvQgTfD?|@T)6LPE3joI%bJjTztss67YQGZceyilY$6Q;@*m5>62t^zMO+8D@Z`iA?hZY=)u; zOd~Q@LN1P{+fu#Y_zKCeN9%hShrN3sMpJo71v@|!{1JuV8uJ5lk6 z^C!ECck+S8Ft|(;Fu@UGy$1t!o%9|I#_+QDV8G`|@4^4ky9eGuib=}A$@62@8zhwc ziUQsn;1Izb)sB*1Z|aWTVhuzFkd;f<|9uIeS3-|xwmuS&fRXCWq#{+P}MSC*gCbPhp)cb8PgKUP_wv?vXHeiS|Y1w9kaumwH2fg0=*H=Q+MAv{! z9DIM-oN=BU?5JBXz+|h}dyZKUK|DuPuZ=_!P&CCt92FpozH>+~v*Ex?IA-7_4+r2d zUI2=xGtK~?A&PJeAVq*8iIK$D*Cl1hT4FKfgiy6gDCQVOAW3OL7-E13qA8FJ31Tve z5yznnt^_b%0G5!L5z1yb*%qP%p$yGY%(nrd08S=2!ipY`5x+(#E`s9(f)qZzd-uS_ z%YT3Vrq>&dMl$>JYam1iKv6;f3`3xk#HGEF9qec_Gtgg4mw^7a>55~?`sUU!6Zsi%tJZv86|VXXDAiN6mXJ= z>E(Jn`{C@3i$Ow3D5USLf!N)9;AlpO*n9g}8oHEYAg6JDJJO4vx9RnMCaEGAYD{r2 zG$8z%c!t)CpRc6YN9Z=x%Qoos_6F`Lv!<>+aGK?EiqOtn*1>mcDr|vk97P%e0D)@L zXA!(YX8LWlBXUhiBCf((Q{Hpy%=J~$OiCq*=qHfEITB}OORS%C{E3xO=iFI>a}(Xv z8x~imyg_S$+}A5nTrKaMoFpV7(}h|!HiJ}1xC22x#3jTrm>?)P4wDGNV5aYbAlhP) zCnSoj2JiJdF^zrkEoj-CSUksqfTL*{Xoy zm4Vsn%D`rZit5e$-CY>|;-2mceZqd(#Pg{>q2|;Ll6blWN?pt;@O9OPyEueofM*m@ z^jnG<=7{xreUP&zus7KI>;Ka0t4p>&7!G#DUuW+?Ldg|on8ZSyQad4-fH>P}93mP? zT8HBag_-!J*{$TuhNEf9dOs={ z;-#kP_5KDPJh;Hgg9iuTC1xB5lr_Fg)6tP!4>6UJbKb_dYUxw+(@uyY#1)CM*Vz&T z%1f^MilMFs5t(2GS<~v zT0vr^Ik@5$KSwHGSZqzJ&nF;Fhw}bb5;;)w+meszDkm7J7+#gJ|3>N!bTLw3Xq2Bz zkyBLw(5eMpEWu#3u`vSW3C_|eQbuYvDov0Ltz3G_+bI<;p_Wj%a3*;FOJM>X-Fy^5 z#zw%w;N1F2%1vh`s+j|oW42kKralam-et0aNA?8HEjKN|Cb>eC;t(+~lG)Q)-z{qb zEl?_JPs8K2#_3w}F^A9krsf!~aS9tAQu`aR7eW}qPZ6(E+&Wn`M$ZkR5isQ^R~vgUwj!nek!YDH}KsB3VUYMf??W1yeef z{{(phFef1bo8putl#CHmy4+Z_VJf;*ND|zVOiTlP<3bcmiZ5S~9n}J&M-YG<>A^V3 zZ>|6$$V`X;CO;#%oiKKSlrOzrzcYI zSk4(&XNqN}XMXVWzSY@YWlyySs%{c>#V}_v+DT!`S~$R@d;!c<31OHMIa$S2rbYc! zjy^Q_gb9YUr z)FkTVX-TM-eadtwo62+f6fboZ(#A?qHsftctFgWQ`e0>hjOc-4u7_D? zvqqez$fXSu9AnY-z_Sz_5@*@of=Q7Mz_C@lQYXKvxBjOnR9l<%5i^eCsUkB4vFT!_ z4OnC%^kmc4h>}uhaxXMRq4Lr#v4l1Q$112L=%4u$T%v^#8ODNobBfUw3c-Yuc?rUG zSEpE!%#m(oQ91`@$W$nWG<_i$igi<#EwOs>6{aMXBFq(}SRT9za2y(HsU1f)r7UdL zk&l?FRf1uNLV#mVloidC4_ke8%t9ZT(qf}xr>e7)PcDzof}|9v7sv{rPY87nS1i;1 z%iwqzi!x%b$5g)b5w|l%@|J&r?`nv%^d20s2vytl?T?w{HT88^=_*DUv+hh zRt0Bu4Y*q8(#jF@b}-tchx+MmQm<4a2@bLX_)>X!@$&8Y_s^egY^#4AzI-Xv7cRLaeip-CF4=r={N^qrIv;4*JerGV+KZl?9E3a)$ zQF#kH1y?^jUInlNt}@;DxTtOAYE3v+0QcxsMSI0mq?xJ2?er-YUuKvH460Y!3wA?7 zR({sK+{Xj1egVECSet|EdjhA}OR@<~2&C_p6BTbq;?CHG(EsK`z9wl@dwD&Q8MSI%4rFVqi!XAduT4e%=97N3~Tz&%$# z+$^|z4Zw9@g7%Y!j50WlyCn@p`$Hpe{iLCeGPoG5{%J@VTyXuQ!Alvsf-?uV$=R)Y z7Cbk#`Y1!U@U8@|pEOiahAshK30yyEsG zsG|%83|9U$qznacy`;fQ8M=Zq2e--DEr9DK4SvedExfCpT`y^?Wc+0w2WAI(lDIYSq zmA|9V0=zqj8-iQ?UZkyB9_zAhKCluJvTuMH1egcTT7DWb;p#W;Y;eyJuLAWORtD9) zlGhI0z1>|eE%RD&YSy@Zb@NSMXN?=K?(&EFMm4Kj3u^wta9v+QQU(W3eyPDQ#ki-g|hEP9MKqZ1hV#( zHb!yvRsy$)1u{)S$k92ckfZ5hz!!;+tNFlUdNCN{fa(4~^luNV0{0D(2@h{2L`BDI z=9|Do9@z*oRltw;@+6hXI#{vZI1;1lp$HvKgf4j1nPzXH||$HnMZk3P7Nf+7i`1 zuTqz#$HFKwDXnhU=rRNwTF=GmPE;7FjMejaQiN(rLYY%8nt?>N8-Np8bRz_KlKVh) zn-Rba$VTNTEHdFL{%QuTIH87DO&$i0YeClF#vJ!=4CYVf%X)BQ5+WDYGVT2YPDzN0 z%PVPYXYe*$T@SdIXi>D{NN^=#FriAa7EB{xy&!lF+^XQJB^XtJtA6bq;-&!t*~oQ6 z8HDPo7-S4j;}!wqF1SqynOI#@EVJ5$ov-c^y1O#O4Z-CkLbQ%YC|xaYb#vf0ISeN6 z_dF3=`4NeQaD`*;o?Z1Tuzs$CdKI7>f*ZyxiwdtE>iOw8(61KPfw{(~X{1xkRBXah zaGM2ZtqOI+vm4qLd$L<{*u5}qt{xP>f(!|pH35<3^$l)?w&0gJfeCC5#fy>fyh^Z9avWiF=av}W6(EiooUF9&8 zDh!yR%9lpB1@f)6>P2h(Spi(@CBA~LRt8tKl?h~BK&zso-yj(NNHIsR;{cgl)7q=% zKf9jQ75A*e&nGbY_B-rd-pbXjFz2}8#>!^}3w9lGlF!~9tpjc&qm$=B!Lnb?0yoO? z^rdRq39PGuD+tNCbU_srckKogAgMBpvei1^bpURbYa>{tqx`&Of-hvzy8`U%84hM( zo-!_r^2l2DvI<@*1vf3;j!7CflGhtj23=m=Z#K_{@>x0apefcL8praAOUwkff>tq_v$v!nJbf{&H~J90v4J`gWoV3MUgBINEXj>YAQ_ ztFB9vsjI-%hoQW=esC$2%j**$m9bw{Zxce<$AmBhHe*8P@?zy>DrF%mt!<2yL9LOW zt*P>(!3`?TIas>7rs&$qS+jMl1h>s$hzJay!3f4d8RmL$UlJGs({*K_*8o?siZ?Kx zA{{E<99$FWumZSk4nvi^02;~+bqF;Cw~+-B(K(Lgyx&n6pfgXH-Y0Mpb2OCzaBd2} zSv|p2bOkEJFOwov&A^6ktWRLHUl~;BNhj5b?yR$f(p$+W1s&#;-bzwwgS1lf5WN2H zkOz-J@jA*geb-tZ>{hxK#c(h*^wT6*&Qw4=Bdom0QnhlRmC;_DcqXtW}jJy!vVJ5YNcsOjk#&?)Z4VI=x8HhW~r(Tm-G^G`vOG-6ZnmXx+ z`0lc*o8P?8C9!%{i0>}9dR2(;F1@-rt>`ktdOc#%lvaE$N!HD2#pjY|-TWMXE~(Zl zpW{2rwqALS?=0cE`5J#NIoHcwCoaTypLX3A;=9khZVqwR$=9~usN3}GGQ^$bU#|#s zQ;63{!OkGNoh0lUh?`_#+tA)p9(Ktl)IJg0v->xhioF!#`dsX0&~}=Qo$1ounR@QhWzk0Of;s zB+-djfK0&s`>zg9PCp#IKD{_RIX!;!;q>s;@%{VNN2V#nE2L(-=k?Z-v#m8=J3D*L zE0;sul;^FRpxq6?jUm319BnU-O?^!rrD4L zd~4aD3^<%d}~*G;!Ly#&?)G4VLCkd)N35lc!tQgg%q} z>D3^<%M|JsR;>1E$+^Y*Ruhwp5Vy!oEpD%U~0Bv*L}#5a|#T!gsObmbCG4Iyr3 zcf09~<;H%U+MH$E8k=&WJ&4QoJY!R_IvFH7p~sCpH#Wp`9KX>kQs5x3aE#~aJl}4! zj?yYltJUAi{hO{rTM;#X)+=%S?OSrDrhT?1VUv8P(VxqdOeyJ`WqR4$-7G@X?dxTU%R zO+QQP4=}yAm88{Or?(7MoQ%gAwtn#>s=P&CDi(+X$ErwX)WUts#) zC_WA}qmTrbhz>CEX;&rG62dSie&m*+X8PV5YGce}ILA9mU@*9hyr^+l?+dC!jl(I} z#PfN|rEI|AlmSQu$^n_rQ5>Rhr3XW5P;~mQbse^$VzlXq;9b$xIMcxX8xR z;CYi6RDK#$NR{7ReEp_4*eg>kK2j_3fLBnpu;Y^H@MF zL3BdsT;V321~Qz(tnH0|gu3}{6V!yV6GbRGU&KL`Ti>qFmFdVb@h5;W7%Ra;X;3H> zN7M`|&QQwKF^$o+DYv2GJm8AUu}t^RQ0t_SS9Vv{Ddg4kvrOf-Q2Si!XSG1BnKbhG z6x!+>wVSTUm7UewN9{HWVRd^IS3>QkD`s_rVq-FLYo)b1+qyQWeI_-yTA}msNH1+w;M+7E=#?&K&=^t?6M}@ z?U2aE6!P;a9@hf3W)$-CsWR6BwPtti^C?Hy0=1Ry+8x%dYk}HIyLN{K?pmPM(4Fzw zRKjb4T5arZ0kzMeWZn&-_Bqtn>m0St5>=VYua_jMZXSOWd}fYf4x@H{oW>^B&nI`W z>8G)Y_47$`Z2DQ24C&vsJI#h{`cXCPUitDSYj*8U()}D;qZGL6b&q}D>Z6apV zPh-@&uE1)?;&71H%H$hu9}Z~9r5 z)?Y%cMP9#?&R+_Bxee5sMIgASc>@sIq1Ju8SsAs45eVznHn{aqV|}fRT6yP+sNML+ z)P7o{)}p>ciHvkp-=PI+wRIqTsNHcPh!&`|BmONaMwE7~n~D)lKdldBi_#J$)Ve7x zaVw}TsX?&>wN-0Sv_P%hf$X$cMG5(iQEMh1-*{DvSn-YZs-PB7TlQlAYd%91oc$AK z+5gid)vIF|BYsWjrQ*lS66rHbe?U?87{aMNf@LJRg*`Ereh(%xPte3i`}p#6nHNXV zZz-k-1QA9t*G0U=^$AEEtBkJO!9*KCe0w4Uh?96q5%a5;hheDoNvv7{n(7n_K?L0W zxp_=9L9fE(xC#*m6Li;z)MKI-`t|YS4L5Ys za!yo-$r%Yf$fzd|iq`nM!lroGAK*02J62h5$bvzBxTP z{qCUrn@m?l2}J?qDhcw3bc|?>IAY*xZ!p{ggn|fiM7Kd2!z+j*l~5ncpC4sE7im`+ zlNw5#QQ;DR-!Smz+2N7CHn;OBU_!?*sN04@-*agX!z$TX?v6qr<05QE(kKLD&2vzA zyO_w8T#iWY;jz}AlNK*hbowdKE-l_31_4Q9zGQcNdji3^GsNxfN`W&LFo~;Q`^x+` zvCeE09HfAS%3QwLLO(VpT8r~xB2D$;UoMCj=UHL+TRUth`*m zCv_THbN_W=r)~}tho6Mw#-yv_o}7{JIc7AKTFbLEoTA&gEJc12jt6rb9~ur+i;pbl z2jVRKU#f~SE@_@J4j9+v&~tvK{6=D*&=n54RnYQSxf~Pt@ommcYjBZe{=AszA_g{7 zzDXnuCiacz5o=VaO!w71{^I3%CS~2(r*OIiCNSl*BdIhkVUM4{8%M`tnug6#%&`!p zZVd}ird=8n@*Rp16<4zkmuyc&kE!Va0z^5UNK|e!Xv(uECV9Im&D-i*S9Lcz%5L=J@FF;`sSMr+V9q0C3DWg5m8j`3g*4;0V== zDoTRPkp>gpefeY z8*o=BiF#}R?64&2vO1?la9fl)ErHuXnbT73QnP6zAGobbm)60)Y8_Ld1`PI}40i2; zq<9frFI)b+sJoRD>!c~L$k6;q; z4PFG-TZgV8xE(z5_6dysx;I=-cUOp~ErHuXJnga|Sr52(86(@2?ye9VT3X!>f9EeIb)@pB}t@oWT{OulQd|~aYKJfOUhutRbOkU z49u&5iv<-Fgrga}D}p;CF`-3?(!>WWfc10!?pUS(=O+WjVM1_=XonRkL$1VFFnhD_ zZO^%2!Hm?=Io&eEOg?0RLNH!f6t20vn{|1UMwMm4j!X!jW)f~M@J0i+I`wV3x&?6C z)7=8(H%xa6;5I%C*?WmDw5xtrJPh7=yu7?Ze%Lw=fvlwr%7t|jV{X-UUMKg#n)arB zTGcMC)`<>H98Vp6s%KEAM;T|%5S?SjgxuKB$7LSCQr2p-m5L6|q)09A0J)A4-I-F7 zCMJO5?46FuQzV=dFv^T>2NU+4XgjK*DHUKh^L0H_jva75L(xq<`&aGiS^{>x&&v;X zcTf6RE-(GxJ`+=o>cL*-`|^R^<#T<~1Z%s!_Md!fMZ{Hsz03#Z1G~$o_^MrCOTn)5 zg;j#x(KCD1l)VD%4s5dp`m!R}75sB4*z4G6*M+<_*v;J{E@s`S(q9|2#&ZZz0Uc#JdX9kZJP*mXRn0ob?3ZXB@ddCXF< zZ;{}M8^q9Z+?9@; zGGubHpP!zurXznwg#l{fLG4zJ73t5YR6sLO)OmDwb?NI+SCC?oGQbuwhaZ)8eJu_7 zs%Pe(?1!dK z*ta5Xxw*`7$!AeomZwTj$#H~#N1-CM1*oJiKrU8y`3W_KwPm4jr>P& zi59nymch-QX#k^S1_zf}67~R-oskzemQE)4qsQAQa1*3RHE4mCK8@n+B9Ks&pjcb; z)kvAUdLpC;JJ*Jy2*Fa`X^s8XZq@7cj9&r4U}iZK6dRWg@_wHoF81lE^pL;b&i?t! zD2pVN{B?$+xw$)|0eF!I5N`K+qtR##*{t_9u$zJTqOVZ^|9cMrH5p9#Y>+_4t_cmF zDq+d|DVqV{gddB+dp&uw#^efRk_i(smZ!uey+RaZ0}9aHIYxtC?{DDr^~Lc4cpV3t zPy{nbxlY@U$O47i0CV$zc0w4#QhX-bx+f=wiG2N79QALQDTy6W6rz}87_n`@(qIN4 z6WokSn?4{pY;0Ta#P=wg55R>zHgiU|2i4v}1*X`YZ4jaeadGh$d0};)MagZRy<=O- zD>Gh5xD~Eq4JqoYfdJ;)0ygtLvy0j|#S!o07{G9jW1+pN_*YIy!~mY;37>;r?=TOL zjTYMgf}amxy_ESd>JqR3w?Ih0EE!fzB+r`VGsyV7aS|nzT;WjOGb}Y=d9=&{mZ-Ep zjs1z9c(8!;$amiU1|B@Pz{!IL2jFLtN?^>|7{U3yHN-EQ)*o9!geg2FEmqs%JR#x` zM@&gO@81xG)4OwU;wWpsY|c1O*ul_eEUSVi*%VS05n4owiS2F_KcxdOf3cN#B>*PAK0KSI1h8 zAo)CJc7bJaN@cSvaYYpC7qibHj`McgfZ=H@lepr{k}q#YK(T}yT%}QrC>-Mmb8(7g z8sR|g<68+#4z)v?^u)d1MP{}sT(t}~d0TO8k*4iD2HhIJfQwQ>E%I)e5OVSl<8X&i zXB^A8QR;2mO|n4-;0>B6%}X?Wuhu>!fn*r@>*;glTb~d**8*3p$(wc4#od^ZYwLaZ zxjFz!#Z)z8#0kV#kmm-ZnyZmB`W+lkC}fm}XU(p&n> zdHh$M%Q$~eSI4#q24!;*A$BH-9gC(8j0`;(Q!x~YBOHt4BA6nXfU`UWT~(Blj{i7M zxK;1lTDMC!j>H)xDQ7~bCljmC%mC=iIhmk9kz?&D7UJ-1F{W5YvxDdPpw}}*5f~Fb zQxLheYs6Na2r?GSk}I0My~C8JFaob&FvBrYv^#;6!%L*7hd5LbD$S0kg4#)U5UWCfgbapPFy`XQ$oqpOLsm3? zLZXOVi+LbZn;<*8^|22ms}U5xN0Ge52R#7XSBnp%K%<4h1HfsD z72FiVsAr1)bvL49YX{em#yFlHWD6gpRFHsZp{x^%3FvB`EDt}(DjX3bKOXnQ3>;}f68iCFg_G6SOi`n(fZlPY9Z6$s4kJSQ?!pQvfI(rmZn z1SIJ=!c1ZL;_uH-)nySH1J)OPTd^V;Av1@PSdIQ8Az@#Lw0|4?hi1d(&oE|vrP};$ zH0T{`vCOt0x;L!qPPvMiya;Q~lKQFD>-yP^b2StcS1F2u0oT*76 zS6d;sO;=Kzsg;+!gfS9eImsCbH4&8}g%PXs)wTGn?k%svj$ItyI>Tmzgyw^;B@_p} z-UBew6s|AS`!o(vA15R6{bfw9<9=3!I{!*{kl#3+ibQBt8;wwx7hsacf!gSSO?%Ff z+Q|20GQk0ck#p=FK_!Go!USSjaO{ zPvM_)$k8N?&JhQjB#suE!^$6J4OmHGP`D+@S78u6A+v`WXp6D_#RR5N1jByzZ6Y|M zP*|M7tbf%U29NDbDv`<)4DCrE%@%La>zxRmpd|{uya9!5CPWfmTCi(~IY?uUBfEp# z4|z*i0DB0A7V?OdpYFd{K(dAL~C(Ra4;UklZe zz30n0SOaiqWI_{-e-}qUEl=SBs)aE0agFOJZ;$l^h~i#PWs+wXSGD~uJuxaJWJn!B zndT+o&^oY^b~%NXe@Ei!Er_jokKHtqWpU>gTP2ga7kRg}geiL_l*|b?8okC7Th|B% zQq&i#Fo8H?5+_57)mad7e702PbYWI~u(A_%EL$)ocM7SqoJ1lImKxo<^>L{B46{zk z8ki|6rFHA|Ug$?gi=%BDOQKz~PqF0;E@km5o^Nrcz7c#|bca;xn$}nqZ^P(K5;**p zBC1Vhm{a29~Ey!JuVno>C>AieUw^n$fs8m}91C zfLa$6Dh(3HQhl}r^#b)StcOFzeb0F*c{>tXymOSriO+0BQoYPg)e{^cX&g$W70LO& zd=M8T1u@dO-xB!W#A) z+YU|Qos^-znX516%B(jkvP+<*6Brd}7cYf^_3}I`Vx&)nCecRUQAm%o9Pi9B#v?Wu z*`l>FPOD<)67|e=b5SLYTg4u=_^38Bq2fkI3!|=?l4=H28#YPHoO*!=b~!-ZWng4Y z$t<-)GwbMS1o*ORGp&b$_d7 z*FjZfu0roMj(fK4){-ffEH=S1*lC5YyMwQGz0V_-op_!4q&#K{4U!it5a*of@=PYh zCCiHx2)@tLC~`3K?*^D`sWYARHn~Wf@^t=nZ@9N*aa(g-O-5&ynx$`?Nyn39SjZXX zcx$$#?kkh?%YP~E0-$*TnFSP&^LgGIOP!VBp|hqOEzPU+<#^iv97kllqv-dJb0T*1 zTz2ce-`cg+!5!D-3;gZ1RQ^tW9L4 z^LX^~1WY10RqjDC`FkPUd$*26_zKb8-N)*pd@zID)51bO!ZGU0(Y73a;X$uwAVFBx z<~7)sp&qbHoQT`jzd}^e6HH>gYGR!(aU$Wgf0iy^>BKCXzO?sK`t7{cehlLJ)d{N_ zYGx}7NX$rtdIBuftbd6Xk`3D539@K?39T=rWF=_F_k?j1N_?(Ei3MSF^pZvP6o$B! zS+pccdc_k-6$9VwwOCW31>U{$?}~%j-apO2zIuBHr|hRLdc;I zfA~!C0@Xy?<#j5eBHQ6YEJk2{m$!gn63evU6KOQ{zv~WQBvhk?GP|?f`H49Q)#lhH z!pwfIZS?u5YEU_5ueUcaxu7x+tI()7to>Pyu|H7muPDk_y-~n{41Lk2FXyRz4YM5n z>DjxZ52uH(j(rgc_wIpbFt|(;9l0U43axY0$1sq_R%gVL#+r*Sb+HI7&-z#*($`3s z1MWQAA~hi`0_%rJOh9;1k=V{w{5>>nrLY~PQ%RN}2UuKIRTizlS>4BC#6hdQDjc%Q z93Mpcnq%*TD2O0MeGNcg0ees7m-iPW?T^tE$6LygC5}VYlS)EJmprAGk}cU?IhrA) zg$2a%E$p$DP2J_N6f^ZY*%=AHVL<3+G3E=$>m|)wGN!~lkRdGurqqY-Vh1ez^wUoR z^Sz~>ZAz9e#EjBP!7)jB0fT+1>ks#q{L_eau*jn5Ld@lPQIv#OV;s;je`1dt`!y zbPU#JgfEeNWoWPu`hNpg!@=%gcMIS+)b-kpo1RLR4r3vfk$D2SjDZ|e1SNUZ;|V1} zR!o3#3L^jm+xvAvz}{mqzP{NCF2fZmQbCbSy0Rl94m*KQN|O#l24tpRJOvX31=V3v zc+ARCkHrQ`e}3k(7wkp)W|@o?)z{iYkm)_j!<)pllc6#w)Q}wX0O*5}X4`K4F9mxj zq*-4B^XBltJA`?@w|1D~^Tm27ZP~8@$Jb)XAbxFRYNZd& z1BpA8lJK?-TSCzUe>7o|BRS|un#p2vUHsL!H1#bwvSQ+`;8uw&p;H)3>zFdFNZA6W zd}fERs^f3`J(={Kk5ziaFIy|e=WBP7tP=)O0tEb;7)Am{mMdNPg>6r9MkCzJ^#`Lm z7_>-KNO#wxiyx~p;!7mS7@i(DJ`J&yRdeSBqx29DM)L3sdVO$;uI*uT`6?~8YjfPT zzu5D(DS<1QyPadmwgKY7K%Hh7hA0$M9Z3m6*B#P7!9>es%FL!jSz9VoJ3-B3l{p0w zlGT9Cv>Y!Qe;6aiKO|HLH34Efs>jYfGelo~u_a)!6AI>t!w_;PNq`?D9ZRQOH0t8K ze}iB+M?gO^M3hNhz+Ok@1Q2Y8%C7yX>Dr$VDrH4M^aPnkzojS+gizCa27}9MNJHsL zm2#bmP1fly(-cw|b0ldN0jU%$rTuQCD9tF>xRrO)2y}LYnIUdEd|jMM6}_voD8%we z^S9LM5{j;5u3zRj``Os8hqfLh&y&;|r0*-M?WHUV1^_YmSjIS5wi1B3iC48@R_4e^ zoU+`DP`0%EvUyKiEo6Fy`f>{}_4MyR#uOM%aQ5yAbs{s^ zXqnZ>3Cnlgjm8-Q8I!p{SpcpWi?Vfnl1Xz1j+2|EW5zL0_4$$PW~TDLKe%Ij$W;J4jx*bp zs?}Gg@oO?C$p89KSq1JU>2teQ|tl%YMVbezrGeou$JI$6Tg4A(mI@P&)r;8$j?r z!ea{QLM>ngyLtd2kuVZjZu8@3@ac_Sc40ngS+sd4BHO!(P1Vf#eYR?lKV>UyfcNxTj z>opMkny0K!CVf6beJ!7FZF}TgscR_PK^pNq5m$P=!t6fCq%B34vJi14j3`qC)Y+mq z4hT(1&h@gCD`Uk_!i>0J3e|meFNqEeG2W4k5Xn|X!@!)OXd;vfNHh1MS+e8TF9*He zg9ks_Md_rFlpXV2p>Y=Be|_*kFxN9f-SpSYzk#Li|XiWJ5imdBJ`_hqEt)<8&j_I2>xNOKd#5r7HSNcATeMd4Ov zUY*p~1C<()!8HQ1ui*U`?%s;8nKIADS;Wo*iKi40AE=0^OnZ`6ETL#e$qbHBmLM4e z2xeq1-;fj=aSfIC!}y_?D zNd;pl|9`)q5XSpCAZnj?tnr#);%PpP$aF`m4t;@xGJ#(W`<&>1?(gLMWKZ#vAM-dz zb24+&j?(pYm@ouceNGvWY*zuu^0zbtl@NhGD_8H__KTu=@pMR<5caF|O`I&e1E zw6?WrN5>SX?00#V#r#5ao8l`ZMx`X3n#T;p+=GuFKYn!7bR2_`rF-UPxWDFBxKe0M zMtKxp2+hT2NQ}&plV(b+xBRS3=`cm+Bu7G^Y0`h4ZzV11($_ekicoX;GUf= zum95xP_v#ElY+J2GY-~Oqe~|2eFzV1=Kh{J#A^HyBrv$tR?Vt0Eh+Sg+MW~3hk@q_ zC0AO%QAr9gRz;u#tzN4GIDt4yDcT0t+86>X{VGpbF~Q}s6BEk1PoWOR_tmdrD#Oy*Hm5NAl~T+MP?BIQCGF}Ky*LKbdNBDaq2x^1IFPrytu)aJz zeL+C8EI(V9vdOIu*3_-cvM_y;q^nx7*pYOCkK|pQqzeuX!0zTRxPf#)LBAsO|)uEkzaxp&oazsS9)IwWnBGIXYm6e>Yhn+R0k zTyE^O+KuG(pd^wqq6~g?^97u6Lw)U}=98seWjs{{n#&Cg?Pzlq94UoXAnn_QK-_IG zBiHCkkY}0bY}eY+7g2|}$_jv{P>hv6EY?6815HMSRTV?g?Hovoi7FTPXs|oj8(GJv zfUBVeg%jHAgCBK*nYfkap?b5?V`Qr^M&`_>cjr(cx+Yh`5ipFCO~y8OwpWGlZ-ba< ze>=$YXv6%pd@GRr)_YnCFZ${eqv^A%Z^Pjx%Ff& z2zf3J1W_8=uPR8lzclfFBNHFB2EdSxmk1%7jR~ZF&Aw6`up_nQ$;RWIDTNal!w-3g z_6OA~n`7`RBk`6%$e26;Guguhi9i9-UQoH05i%vf?tT=q>)uC8e$n-SO7elj_@uLu z0cc_`e1g`ia^_%&RP2qoZHzd1T++yERG90GzsqPbp*?7BIVK+mz!Q`t^grFiPUzQ` zs*uD;r`u&Uh7PRvI3laN4+lY>H?7(oreKyfe=s0JS=5msv42ZY$k1X=Qo55|1$`MY zJVA6zWiiAcf@vJg00a|?*vyJdu@d1WoS}eb(CYyJMx&AVPgSg^&q!Wv{{D~C;~&M) ze={TZ`oJooB}4#j*J#=XApuaw!jbD3P|Pm34s?MwT?(w z8kK)7g+BF#?C0pc^7##Mh*UJrrmSS6L?%Iaq~WqCL9(r$9n$4h($!P zG{PuZ2=W3;Qh}i;nY}pQ$}{XemFBb-%-w`}apKGRCfHQj%4L;%PFTj3ElqmMXeHDw zp2E0FlGY_wR4lv`S+T7>G)S`$eTGKXGn$HrRX&yTw6N7y_*YhBT#1dbsmiN3r7r5l zt}zd0D3k(+)D+@{?or5O9vOL_ULiW_={Opld_DqW97Br50XUfy+8RqSF9CIYdhzDx zv)3o57u!}mpsK3gGt|lytqe^`jb{Z9sZD&KOx?2Rfc}D_JihHML#5edAhYU`eI+&% z!O#hHC8mTs&uadmnA3$!{8Qo3dSsbN_9B8)RWwH^c6Qwwm0XvRK(kgdl~y0hBhA-G zM&_6G#1e|MIYS79@*Q_Fk#68v){9gy%d$x7OYv`sQ)Xc_F}4GnYFkoL0{LttXLQs_ zm3x$*wTB)lSuL_MHjU)18>v_y#dsANNKi0f(k?^jK&t-wS+kzHc|xDb%3v}qgoKeT zQ^O=-J6C&S#Nlu>04F@Rsp1%hSBP?1psXkDbK6pMH%?HNj+Gq6ZSTPZ;%ETQ5d!tz z%pGl6fAVDbcp%GpO2vGFKMKy+xU1HEp>67wb(UgzxixNkBPr2|t255{ODLobcL}o# z<}!zY46uh$w2%c)TEY13?!KUiayO;&s5e80d*N7vVC83BXwp3}0a$}bzg5R{I;xT} z6dt-Y{CIgAH+8#Wy=*M|RAi*s<=F+TD#me)*;i00yb9K`-#=qL@>2`KJ>0ttc88Rbm1ML(B!@(}t6b&}?Pa9kR z-jlKuTxjh>*PNC8!r&L?G za4gHt;CL#uqzS)<6!k(ZsQftP&H@>zl!TKtkj0R}#^E_QIo|-!4$n`{w|hUHTzvof z?FIPp@XedU(~FbibMX2NIC_2h{N&=~_31fy{Q?}G{tSLNIeoru61CCCMAdtdDp(}B zv#I-LCN~Bw&ACP~6L?8!oy+IL<;XYkdR&z*iCV@R+G%`J36 zU%Vq_9hKqVxBQ_i&9S??yZiXzL;2s`-QD7UclU?Gul649??2jqwEJ*4{Azc&yT7;h z71-?@ThAwD9MZ3L*Pg40+@It#&#K_&(yc1&*$4gp9DbamIiU-ka0*})U7`i+M>OpL z+vZcKqbu2Pp^k6Yqr;TXoI0lJ>$_gjKi8+~{u?XA+Lyn<{ofnzx%YqX$&|V=7(=jhbM!MeM-oq4&ryH>hmVI(b_@4^Z}@2c%l*HN&;NOL`rUu) z{mZ|_$^MC)pUw!r8{a^g}CqDl;!4dlE z{{E5r*Ztw{j4*zG|M~sl5GKhW#BfUCoDE{c?+=Ifhr7CleyG|EcZa+E-G}|X{foWb z`}>CvzrDYIxIY{`9uEIYwTDv_>j57PcJB{&H($X3$DFX)mTG}GoT>&db|L(IKRkc@ z@aX5+Pr=!vzh3HDwcT1Z+Zzu4I@sG&zwkwZ)Yl=p!T}QB?jPUZKhmJzAMRoe?1#h2 z{P`YUOs0E}2t+3{^5laWB!+W6$QhiX{+=4-(Yx8{_^<5x`PuH?+5GV}eLnm6>--AR zB%J=Ze@4*k@9g*4&(j|teuw|_?7!|0pWPq6fN$WpF?w?vO~)^O-+M86_H**>f4%tj z`1Q-#yLbQfZ8SU|)9Kq6Po{7051+lf`1tLUzrTGppT7J3{_w?*um8?2Pw=ltWP17Y z@9^U9!|R`ax<7pJY)T)!`0K;pk0?ETa}*rE8}5&v{rLLtk3RnJ+wUj4@3%#SDJbTSRtdAR?di%+ZAzb2C(o(N?Ai{2l;`02%ezP|YFKmY#t{_sUGd%k~v z`0Nc0?+;(RJv^Jx`KwpS{o#wrWcRy=NAaua_Sq%*|JZlW zsHVR4T{J3HP(*r1dJ_mW6cZ^49i#`Ohu(X~C?K6sq)9Q-q$miY(t8O-K$?Jvbm>(( zB-{~yd;ib=?LEdlW88bjJ@?-6&j&uN`K~qRT=Ol@^Q;#YeNSJYgQ_ab#LmZ|J(6zB^xR#nqfbMUb@dL-rJpsfe@bTo#0XqyB)QUbc^yXz`QdWcHHL|s7Yo*L{Ws_GpiZHI7v3d$ySqDHz(2nQKw4HZ#wF&8Ijpn|)e zw}y$Ks*Q#-OkYdQR$T(BAE?VM2D6hg0UC>{bBnPT<(yUh6g3M@du|YX=4CWwYGNDaPx2z*VB`+7JKCB z2Zu@9yLtv1i%Y4&oqWBWT>O;8r6k1d{QQ)}m4YO^Z0v$vb@XL`UOJ|J8h&1?j(@qd ziE@yUpM9{8zotr{r?iqgNXH(o<7@lK8z|`kg3G`~4K@9O9!Y4rXuyJ`?e+asM8)g_ z9~r6u{kg?pZsLmC++r}00=Kvlw;1f7QTZoC@xy=R9dYQ~rh+j5zz$GTRxk+6-JT73 zlz#NRXCI^7?Ig#*#aa~#RgCWHv>mf9v6iaQ(lQXueCSxJv7el-wJo3jMlw5_f%V}_ zE-_6_T^|=a)9mRC0x6r)<$Fq+RF9}>!{2RUJFkr-KlQ6a&(%~8lOwnMrxS+*2F;Yn zMkKUuKu+5!p6o@iUCu|}Vq=VniHTthM})`3#JF|<6_k~gr53W-IXF0SJT>o7Ql@Bu zcw%B=dU=?sl$DijsZgXG92_4=F$9#9l+%&_FS?BYE<{^YQi8ZR-i}F3?B1HL0s3#j z$>~J_JTFLbINaJ)HRt!wZt)rSA9u{ovOIhC%rhWBWgz4J$Y;05zFSk2I2=y&r6#?o z6`&`PDSB_osW+s zPu4HIu~Dw0qeIm3D|^FDTCTwYmO7%$TY1t0Q>iHTJqFt@w9yRC`} zL=dH>rY7g*-M^Gm9Qv~w9~NdR|BP3!P<8_u)>Bp1f%DIZ?=UlyzvzoR`@PD^%}v;f zJAbRc+t=6Eo^k)NC=wT%rO89iBt>3f`bp8#Qxtr;r(|nu3p!%;7CKf*okDLeW>x7z zp@gX~Uc7CQpDa|N(9Dyiu?*cO#9jW@S^w?qyT1r^{r-{kebd3shJamErFkQVgambt zlv^q|aU&L+!gZ{Y4&q^4d!YkvPrj$*IsD*+or{Y=O--%Ne>?lo8rLkU`k`OBOIDE-n?UWITob zUDeuZgB)6N#@3H#k&uwIeRi8E8usMp=jUG=DU3d3XlTRbCShkgaJj?j=RUDO>uUJ? z!ossJUo_YC&GdqUWt*Cs9$8ojhsBW`^TuPVA!?PQ=mktF7PM8G_YdB=^@5YU{<5W{e&c(;GrkX>f&yO~F!-yt2#fRl1c3UpA&&eCD zkQ>%Wu0B;PgS{ra!sw&(M4SgmPt(MN;rmA?&akM#DRlM}o0^z9^69glt}GzJY-d8HRt)iook|^Th;usHI9PI52UcYW*b=c@XTpz2p zYQMfN?%a)=LUSEsaEGvIAkeylVC!e|t+Dyt-K2wqgYs6~fJp1ZF^RyS zAjwlgpy&KUW?A1}i;|6=O7lkFs~$1DFIPj3OQiczu^2WaGX#71;*bIP_Mp4Si4nyH zu{fH{6gCf@iSKj%#33wPxv`swLcyGz_@CxjjvgKyguihL{5>eGYi1TY13|xhNjm?F z&1z|BDT4OCsnzrcyE?BWB6SUo{qHXC7a&(>6rrJ^$=TTg2N#dnh;K8u>FYe;4ue%p zv0c3A!cC!n^2zbAJ~_3{1$im{wU>m2&gi9z+MgYZ-SO7|wDE*E91dP%uQd_BzWKg2 z>Wve~a~|;F!-uaGkEP!|uDy-Ko$*R&b-sEKlAM>9=sw$Ejk`PpJ-Gz2hHL@5y1HJ! zehs+7?jrM@7^OUZ;*#;Tkr1k9QObx#A9cUk28$@Am_GVn*1gjKUa zZs~ZWu~4zHvi1%SXM&eJ+rm`_M3vbD8U&tt9Lcm1yXg9pXKr8NI2En`e}7-cJ~*N3EjAH0@e1cZe7 zb#?S$F!=On(z4odgd_BDLW_3 z_B1emRE&b0JaWRh`*3}Xl7@zmjg5_2&Y!$Q2VEHqd^u>Z41*bkY5)E;*mCd$9nZ=5?%(fT8!4ourjATay}M$e zDR3#R^evA zofw~7?yDp)N$-3XncJSOA#SS(P-c@4yi;6UT#F6Uk>4i}Hg7OEA}UHqAn%)t3f5hi z{qnE=rK_u}9*Xu0qo$)<8ZFkSGOYkSb(yR*#3Ikm&OiY>%tEvSZdaNswK|4Z7Y3&X z4sQP2-=Fur;MG9u3LXbgUA$<=x!WMm^S83Hq& zS4*ul7OIfrErq$3u;O8M;ErDgUVJp7y{aLpMT$sCU4Kop)+a1lIa2B12Ic-7Gg{B3a>|@%5urx6pHMUSVB) z<2jar7@w1mjq?r=*8vuR3xuvSpS8}(KeYcE%mMnYJ^EW6vW)?HU7mWKo}Hj{-Z?G-<7e7=pL(x{0Fb~WecQ{+Yt-Sq6rMr{^F{#sVB(WC@*IOxO{KgL zU(NymJUl#>fBjNND@cNTev!-iuCa$jDOE$THb}0%QY?eNCg9-<9<4`4Mm%9ehWdJX z;lBoRG|&swTRKSm+Pv|w1`37#6W08w7mtgNFaA5MAqDW=zyCZZhe_D1jy)_+LoQ&4 zSwgGxXmhey$4lV2gaYr--p_I55FP+N<}EBNR5dhSfV;Vi-@GX>Z}cB^h_Oa~z-Rqs z0c?F&R_S<+gO2OZCX;jW%+%c61dHZiHFQ4N*6`WX-2JWLGqW;CCLz;kZir*nL=Z$TN@BaWH(SZ zf&zRBIGGJ#d!wBf*U_Q4?&Hf1fw1Yn(QL<_%q7_kWT>GLs$07|Q|P7Y)R1=QHV`x0dAjBv? zu(h>i7ZAAV_WfgfZwhBhZmw$`-M2(0=_;=!SOPupdWGqyj;>g$l$S60!)TvjQ-qFH zJ}qQ9z8(f&kl(v^&vCqzGK!obysJyuZtkN293B%HNq{ePUQ0dn;82j1>lFLHGP-E6ssUqg~*?lZEJ7O!OKfrUtixlJglOo zMhbXcR77xgcGf#M2-ViUEha9GH*=kBpb<2#?E3OjoRWbd7Kgn+Ecd23{-^^s_^yX1 zC*Q$OCnLikBO}w%%DJq$mBdvInQRB%!-u2_in)C#PmYp}Eh*^tFYAs-QhND7(T^7gUW=px<)EfKx z(MiA3$6Mgf!(>4`zLnnT#!o!+UWor?-44u0Ocy(SQ4ExuKwh+joO=3GZuv-p?mb&9!mqxzHOrIyziDJlE^aUIW;HK+0FIUY(wA zzULn1j6fi{VzFh>2t~?J7}p;qq6EoI6*n)=q4wty*rlvT1ZYY%8@$~*8zz$DG(q() z-n(?JKs?m#4$7&2JmVY#%qIbJrvBOZ7z9NM-DAM}aq1Kr=cUOPJ{-gKXE%pQ|2@@z zPxb%(sqVGeRI@*Lz%oAO2S zJEyHz7m&Kf#zMP+49A(z_htRJ@WnYxlZTvM6tL8jsO0M_VS_+ahh6yF+SJDu@VcQ^`wYBxVgM$Oljd6bF2f@?~3=C7%2;#-XMSL;H z8nh>8lpx8^&v*Rxjv+KG3~1YX=SvpwhMJmM@6Zq}j^&=ipVidgMv=;C=;&ZR*bRuf zPKnCzwcQ}OeLJepw&U{bcS>q%xFr%hQFgMtylgd)aX$-!1Z(n8McrbGGO94W2LjQv zJvqH6CMK2}Od&&yf3?GYUYb*-1qIjp`uYqlUu}*Q65|noNXzMUB<`%_Fi5f?aGyiU z?R%uLMG)a^V}QzJr8y-dW1Lowlo}d#^yj<_)tRYo9rp2}t$LI1)vdk?!56ZkA}+H= zf35R(MD@W(0^i4TqSrd^|TKRkcl)O z-u>)4%@LNWfRqjgu>uwMu&HjFon<*YI~y&j`$$G7+%`BkxYBZzfL*_VXY^+I5T&Hp z@bK%W7Z)06g$X^tD`}@BZsZp(q=Z0g~DK0qGU^~NA zhyuUOZ>LL1kfPz&jLW}%bJ|~a1L7wBusV<%n(aU&qp_pYj!iXj~9z4KD|EL3q z;9?AdpJNKW(9@OU(GvTdj7}Y`;8$hUeq9p{Ha{nC{2!FdS##@WGZXgw=mj`pW8tO4 ztM-7oFy6m$HF2JIMuMiFoV%r&`QN;INB$Sxv)|Iu!ZW5~NZUh%&6g~o@QFh{Q}@Qi zTi}z+z;$ug4%|3?os{P{$i;X*)YOa=YtXHW_Y$?VwDjZV@BJ&|>}q>+&G^3^DQk``l2tgsEBJ_y!ZB9Dk@4=R^c#Ma}{LC3dyC`jVsp=)=W!FdmZ%q*Qi4>i=@*i zft{V*-<41Gq}Z%1dd+MJwR7?hh5Jhw#L>pYf0$HNi58WVXrLAR)3USUVq!?v#Wy0c z4ESRcI11pk!zepB@n=iA@PrY`JY4EY^umKiap!Ja0-it9oWG6zfLNUIXzi{U1`CG4 zB50_o*&z_ib8_>Iu@Z`wD_qDwtz}p*8s+}F!Di=2eb$4J&xZ_085tQwY;5TMxxm1n zAVci*7O!^h!;9l>T>}HI(BgONVn&EpFSILul?8Gu0GSBYCeK|vs|MS`ZLrbmw+v4@qHnm78d;}Y$*hU=!# zh^p2G-M^GwR^+AE<>8plsKdC1wzl>JS&1GLO30&`^)xp(cg8}~=q-(xmzNi+5n>TMhGBZm+UR}(6mAEwwxsw0z;R6>~D~AQ-3D9|Pl=er1 zk*iLJ zlV2rn5#MHhXk)G7#@HxTIP==_@iPDxMC7pB-uLr1rCurgqH)%f}~ zAV#%yNreIY*S~6j0yyc;A3w|-v!l2*GVt7wHlA<}dG$a-t8-_z(IW(y$RJK6?l2TN z;S9C6x1WFz|2V(<>W$Os@r=i{A7*D378X-g);9q2t7v4@8z)fkVa^h(B>+JDLrq!1 zpmb_==Fz{4oHTQTROxbn+6632F+PXEu-H!fqd8Q z0NBA`RxlV`8>Vwi0lD;?d7qP&#dqZNUHN%{cn##37hk@cb^SG!p-}#luy5&=maQnC z)uDwX2=1Yi)4KUp%i^MqS%WXB(OVjT=l1tcve@r*!e&pqZK`LQhd#SZ3TwWSH#tu* zt!{0+`o1;1KQ%XtbUWr%ng#+re#(Ezmee>W_kLPC_k?M;<)ZT6<;ZG>Vb;U#8DqT7 z&*l)sTua!0e49DioE-V+q`xlSdu^wFmDRw&K=t3XQNSHmR@BFj66@lV71wDE*HJ3IJ%T3=s}U7`3iBKWs)z#T@$xTDQU ze6mbVPJa4VvizH9X>*0c#v~-9fg`r8#!GcUfqSnH8IC$|2@&{YdGS{J40sJ7(zF+z z3SmLHPd5dLN8M%-2!lmbL5`{+sYTw%baEgMiVbob0)gP`3m6Or1sxRqt$>JiWdWXg zE%n?J7S=u|cYc~KXv`rXpnguCQw8y>hNRj?;s7@iNdbF@hX%)aRh9iV)vvX3q(&X4 z2ru;i)Z>leM+lqUpUouXbyR?RG z>9F9-V+Eu$krY5eMy3RVMIAC2#E*{~6t|W%NNwp{O|hwo*&w5ssQ~la+lfDZn5~Nd zSV5=0ml8P)gr#cf_(ml7QP}1N=r#_ zINYeiBgs6u0GO9o^&x|HJMJ(Vo5IC;;;;t11}H8r_Vn@Td`?DJq~qnZI+Pdj#;NWJ zw&9RpyBl}-?9b=nujmB~0U#|ivvXj8%*n}Vw4|IdDsd_7A`*hGf!H zr3W8x#SZ33YoHhOQeV6nd21}PF7EpbE5mlt_#7*P7Cc(jLtF>&XlAvcKdf>U!V)`{ z`(6|ef2BEImEYQZKZX8XXNnY-=J^wI6yQ_#4>dK#I>4erm81gmMt^v%d)^^`Ll=%Y z9y@`;%4EDfUQI<@2MoP>5HD=rU^P+z9W9~n?|4qOu)CY&vpS@PE^yfz22NSdRzWbH zD>yTMO@lZTDk>?7;&^MCGc0bjD!K+i?G1o$J>sI$C zm&u}GU3FbuN=+WBS0OtxxiUVmb7t=9e`y<7$SSqRo*$8rlXty+-x4>FDWZWcbRi@p z%#!sJI6vBq#-kA*@@LoymWvw5v2noG?t2iA^IkhK+kDH#PUm=;zAhZj7lx`_UR_1> zr}5Wa;V!COr^VKN$YZgyEEhiV#{mIbyE`BrXZ+=l9&@aPDoH)<5yZvAlt)WR5DpHG z>)YQy;gj-z_E~JqFC{^GsC49??aVeJR{GPcOe;otWuQ`z z!F}A-e`U7ThWV`0=!67vWhgXXD@O_sFjHT=xOLLe;I%{~<^Cgvk`wmY@U2l6$csZv zT)cRgqY9GRjVqPH)2(R-^gS*vf<#8ij^ukv$yr&YTR9mw$;eWYlb^nR%`V~ogT6DG z0uyzMsc5*sv!e&FSedtH0F(Ret+fY?i zl3!n5Mrh?oElgD-w3~V5p?XYio{Nyu6&eyeg*wk-2|FiB(w;4?$XH=2CA8=TyB9@8Z%DzEo&tiC&8! zrhviW^w+OnpWoah^YHKp3=G6$ToQ6}<=?*s7Zw(-d3bo7o}Y8DvjeQHt?A_hMGFcF z_J-tk@j)jSu%m2bMC<;e?jE)*_4XeHe@~i0BI#fKb;OX<_N1sMmyiZ%*_$5w z2^0VT0H{H=l`9pk!vA;oP5=Mp_dn_X|G(Au|Igq5r2k(`T2k`g|Nl=)RP?|5|No!( z{b&FGHA4UZu>Yt3KjfIp1^^)7{a@by59AhC5SQQpD-r1Qzp?*c+Q{^O^#8lt1n5Zyx&{WreSt210p13#qK|Yvj7#gN4<|Ae;ZQ`XR5u~J` zW2fiiqAjYT<*^f*$cbAF_DEVr zE6~qX(n%%AKS(D)8leGH6$3iiNpXuQ>M3xG!5l#d9WP}axQvmFUXY2dq?WXot5cA# z3F48ik+rnGkB+vBhl#qjt+twOppR`(P_SQssFH4~9`RIyyE897k+5|di8tHnw>%e^!-JHEmp@w3bI)*?!do>L=ppA@^ zhJlo$mlPaojNgW&j*dc*FUZf=RKY$#2PP3Lrs<*O2GX%f3>_pqxy4|l#tzF3f!K7JWW{*P>fy^X{*jNBe+>%e`u z#T30vY*k!r{f*R}K>=EB*3Q9FcG_?+adnWtw4a^6La?Nio4&4HfPy9*u3{PhcX5MC zDT-_RdHIM+>-agE*mIsyM;&i*T_;5t z!p%-s+}=;c&B0dLLq%Nzicpr;Rxps#^a}Eqly=t#+Iu6UowOyzWSq35b)}U->f-jQ z++vCW!CsR1l^fz6|Np!IAa$TAD(Zb5E1WWRZHdC>!Q+;-{+c9yG}_dgDO^6=Hko{ zpiD`Cmn$oa*_7R-?2Gwdc#$h|+7;&SFXg}e{dr_0!51`yZDeEwkDJMfZd|`{W2DAG z$9H{{aC@dUy0%t2JUkpv_Kvq_3Ne4CV%bn24} zowv95qsNa0&)=lxSeK=agGBYPwGzYiO%rGr1EYLp)mPmkc(h8f! z++vclI@y`Uqs=Ezz}k7T&qqh~3=9m~T%~T*S@h7*(D2>A-(99(l8ioSP{cL86 zjg5s@SzSwjal(>V6RWC3@!=(C!ood6d2-c(`!@9CLEf{x-xI7pTDOj2v?~bQS$H23b^OXea)U{Kw}Y@zJ3v}JcR(p|l`rhr{tT@Opf7N#B0-9veDP!;bu7CC=* zd3k0q7%a+|*xTQKmnGI9yjcDI2kTBEaz+V~lQ|^hE)^9N<5do%NY4n%>@GQMXy*j4gtopLAsF z)$Q!K?T23_zJAT_I{g9a%dAI|A#e?FlZ*^#+j~bD20M74>}sH|9}yEnLO@7Ze<@j4 zBrjyx@uS`c&x{WbeMfW+w&&X;)+XN4{TfD#$lfIF((^-Edj<@9h&2a53&baHZ{7qxo2M!(DOG^>in=%X<6SuMk?E^zX3g5lc^rf!#U+5qV3=Tfvc45TmP1GG6 zcoPs2#i10WNk~W@+SwJa(Jyle878_+l+y^&#;?))Ml>|Y1_lMiq7<|{^d_o?^5m9Q z(MVdB2={`bB7)flKPr}p+^5Cmx>UT{UHeNIDCRXJB`+^=Z_jfCsA?}{cq{m5!noRZ zU2ge<;r6ue_H1yPS1lUWI1U~0$Io}W*0jlx{8Q!Xf3$2Zp zQK7T+UN$tyo}Qn_p%lcd%ba`D`1Ma~e+hhgf(_QplQr}uPrasL$a(YT%{zDQu*(w3 zv<(j@5!a0XGRk2IjFLCeVaG4m=$D^<{3t;{OdO9=xNTGB{4h9JwxF;OieYDvKl$MU z3O%h_qhAJOloQdD6BQK|;g>h{!H$fBgF_j^PF!VRSo!7+k=x8?8kPv#<&~A^4Gpp* zz+P=3!}R#1BuoN>xH5*FK`T#|W^?jA9ZSSkm!4t$-kztegF`$@L9D;G_o1zA(Hgxi zZ$^3C#J6t+S~*e$h-4}}r_9e+@Fo9nL&LE9cy}%d!y2OLOYR+>uN1ww`M#BwC1R^h z&#?MA8D06}gI@u=KX0j}J~^4R@bmKvJm}-ipWNIAJNmf03-=EUti+V@`TY9Qp31GE zjA56nGB9-g{?Tcw)&sppkL|qNqV!}dc~T`rBE_9ZJtmFOY9gaR9T5D zrw=*VS)oc6=+-l=CT0x;%!Qrgt+EWGEy9ir4UCPY<&a}cjBiRxl-^Gknm796(;6cqEOv zh=MiY^fVAp^joj6B3x=6C>FWo^mM{zizIH14ETGERIYcAYj4wuSWsWGoVoC7=RVy1 z*$n;bCB9RNzFi&|J-$6t+i4{_zcy01cXFZ<7WUxa-~b=mSJ++TH@yd8=MrM#;@1Gi z?=8BQ`(9A8u_cX_=qRQB=_D(C{~mMpd)4cB%LFial`SMFNCvQyU<7*nl;1pJ1$hF3 zn^|dSXh_J(4JN1{nZoAbNl8g-^tQwq<#B|Bgt4fv95b~ZDxRLA{gZi>^It|0_@q;X9{W2*jDGotFvQ#b;HX=S@;m;WxY5e+o zzj8b}Y^vF%rRh?+th?iAKu<0~zOpRp>goUhI_#L?{Ae?}rw6v#ZYxAf_O0SEakE7d z8J+O!&!1^u@an)kJw=_Joehl3Lp2SX;pGBvG90cTXUkMBWk!aE`IfCu;Pu|zfY+s^ zB(iz8jVsOC+ari`u-|b910wi?y4bFbiH&tScELWoK@7M&zZuS{f_nY=^XKWw2dDE9 zb-wGVN3rF(xy&hZL^*rY$RnGwa=5GOI{}Ll=lG2cXR`+1zH{(nLqo%F!|Cbi3qR_8 zL~{lQhsF*+yk%9vo4F zv4{F2z}{fN}gYqNG7JZ{2mYpRMpg^ zW{KFU^4~V?>gmB}cB?Yygrp=2w2To$%`~~CrR85`AW2jJ?q+C`^v8Hkh57u5qBebLXkuKt?R8fL|k1 z7;0t3K9ncND|?f)O^>^)yIbM?-!mnR# z>Xs55PG4SLu8h%5@9$TqCnu7}oi2fVekH7dxac*~v!@&U1jEC__ZH(t77tbi3YPdx zgMwu22eY3qbVhS>bN>S#&5q0MHbu;Mw6fIL4=O^T&(}b4dPYW3FU1`eQF1$N<%VyS zG54NZmyM!LKRMGh1ni>vUhp$=Q~c6)AS@TMBIP; zx%9ZNA};PG7cVa-2t?1y%1RG;BLCTKhUYIlYg_HJs;#W7{8|SMUK=Z+u>X?vED3y0 zvO0{WW7&SAuAx!wHY25p2D6;}3=ttBr+?bpt6EfC9E*YpVDz}BSs+iC_xJY$f4y{= z-`tF^MqoH3B&f+~g&sOP3uxzp7DnX>2?<4CYT^lkqLLDxcL5=&2wZDX^b{J;m;^tn6<$d)u zI-1zD*8P@R>emK8m%!lQj)8%J;NayHmF%!DV`DYblOchDR?EF9s_N<;uO5UXXJ$r6 zMG=iir~e?=NT*&}$+U!FP%Jq+Y2Wm7q})UiJ>-B%ipNuLv~uRc5|ffBaA(8Fn=ORO zLWX)-#uh<@d2#`tGm2|#r3(rRbHWCf`(7+;Z@Xa`EiEmZaOa!hcc~;XdfW?t6@}<$ zH;8Ta=G*ZH&ZQQfnMnsrp!XX4P0j{pW@Tkf<|1WfWv#oyU3krfomgYfkA$^##+fzJ zBW3XPqOfqJ+)z+6N9vY|iAi1Pnb`M_P7&WK9v6DdwIG9WtykDx{DYgCnjRS%KL7GX zQ!`JNCY9?R4-XLr#o{w^|K2%`M!MNX?c?>RTTIzuEv2O-wLgOeePzw#g@-X1V&uil zoae@PnLV41rsndox?+_7CpVTlYmJ~D^IX3JS!flKwOC7tMFxqhb zVbMneFXw7ZNJyY{D=zR1;dZboOBHhep-y~@kt^?q3NQ3@G4S2NX)mg$$2`~SJamLfv{%U|J9e7}1;-88OPT{=A_ z+yEiN z+U|;RnY!k?8WV$_f_}H$-|xg1ZxCgF9=+IUOnO`f_+c?ireWCmq%qyz-aZbs{H?CJ zfjFa_$V<==?Ee0Hx86j|n+k(eF85-Aj%~vbc)0+k!a%OB+4+Ws;q$t5XQoXs))dgaxNF-G3NODo@iF};@(TMyy^O*AeSeRh;T`v4+jyp0KIZ4AtTkS>F6&?JsYqi2l#$jN2UQ!ev{j^i zjGTEZ4=?w3JntK-Nc$K!^A-y)zkfJWkp}7RWAP06#G-K|;wi}8fSPd`sM9LT9<;Z0 za6n8}nyad+wq2h6#*^I?PL&QTQFc+$I}bvRl{1CSzqW*h1crnx?KJL2MMo36H*QP$ zu8$JpN3E>b$%$^jP|UGeS@d1q-S_U@yVmHxt*EVi+u6khI%mL$Qc_dH!^5w)&rudwdVzB_sEV`m@)8Z- z8d?9S^IDs#=2TQvv=XJS3f#9TDlT4#W_#l4^lEX@X6r{iRXm+YRJ&DMo!8RWGJW32 z$jCo47q)u`HfWghNu2 zMx<%)`uWLj5;*LfT}X($tgNh{Fr~*6+@)t&=KiyZ0nwA7u=%Zml94ekEsfg1&@dKd zm-*KCz0Kyg3KCM%XIyIZa{fZ#)A<`C)vDbfw*J?rdTz4xvDzh_HN)WeJh^~4)H1c4 z|JK96Ku~CCsFeg`N_slC?Akb=6psrAVf)J-xnuSxR&>!qH= zg2H4L5Zlm7|Cy&+8Dk=hJ`q-8L2NE<*H8TymXw+gtwRa^>Rd1WUh82QdcIzw-57e_ z{PCj%IlbsZUvlSbL(!WuA>dr2a{C$v7Fpki?(UUanOeyEa&kr zP_^LZ=3e_&k+Vkcp7=Z8%zG%>wOH0`QJER?#4Jj6S!jBCnuLOaj-~Uy7dTC)@+`U7 zz%uN}P{_Ptd_iN6Z}G;ifWEOY@gLMJk@P!X8#NTIR4i-PPmQanSFf;aWz{dy zreRSU1F>za^oCBEmlF~al8}&8ZK|s=TwY!V0w{PFLQB!jzpVqxQ2!8J23I*(R5dh| zJUy${=(D@d9zjA@J1h0HbaYgFeLoHw!}@>!@EKm%Tj(r6INn@UlG}Po(TJyy?A+Yl zZ+<6>xlMl{q@<+$AEP-MpZ-!|K1nk1XJuy6ZES2PW4;m$MITSevPoq+hla}Af621e zkLc&Nq4$6&27N zDYvab*v(%H3(xRq1!$1?JKy~CmuRix2ISQf`Qs@B%9g6UsVSG32zNs%`gZrECGx&( zRJj-U<3Pq)Rha>uuvuyUN!D%QMwx94mA>)OX{^d)4y^K_K6ly`W@W`L<^Ch4zhB*~C6r-*e?OUvw79sKPe34CyF@7{ zsD7O|P^Uu|tx80zaZ`^J1;mR4Hp`&}e%dW-9!~}HvEtzY)jXZQi1fPgnw&cMXP1fEhmPFAuQy|+mG@0IdVTfVX^f4W8g@vj@^<}9osTfhWH$(w|P zgz(R<4BtPwME_nLj&G>ji_@o+cK5&sQQg1Sf~>FG4Rb=B}c&OKNaw zc``mc8=IRsvrgJ*Fn$$)wu!gKz@P)$E)1ryy!>WxGwb^LdKFwKa50v5Zy}nkptO`E zm1|*Zx(4v{{5<$_iS6pq%0-=JgD)u<3@$*FGOkAazBUCfS5QzuE#EC@Xkg3~vHXl{ zY-(aID=SOpA}uQ`8{CnAU=OK!lGr?&5o&)F7r-PsGE3TnRoJ}27V9+QTXMGT)ERZF zz`asw{PgNAm-8jg3v60heASvgXHe@tdlQL7j!#ZXU(}5_b{(t?mE>c0GcMr9+Zhf&AZ^50rsHR4ST^vg`j%mIWBlKuF;}N1I z^Y-znSiSKCI{{7Q+L~)+Ydb=3$mZRi`RsNBz%1uap2~F(0O0_>fw zqOW$0lOjZWcn1II9TK{YcLfLXY4_-=? z-uw30BNmnKoJ+C&!45xugZQ@9RFyS;objKc%D)8SCznajf%~KNN4j=VhPyPWEWvUU}e8 z{`5~Dd+xb^5`Nbc@A%Pw@h_Ht`=^HIJ_O=N-}U4l3F-TgGTsR3`@*09(f|1G{@wGL zfStecz>mED{r~+B|L}3|*`EPIe%m&j&%X3MFGKOig^+*C=l=M|e&o0Q;AXhCytugd z8$Y@I^vBwteVNt)-hcUfzv>$v`CG5u`SKlLZL+4(7;d_2%_uQ4Q`{>&~_cPr`pWS%hFaD=L|Es_7`H#N#jqB^b`yW3?pZLNT zzVO*k{^UbvhMzpvY5gB>`TW0q_Q&4yvhVuGCmwju*;_Av$xB}H4}L0q_ftRiZ=O5( z-2eJDZ+XjG9@+h)_k4Et(+_;~ZR}@Wc=Xvfz3;-OKJ}@8`ialo_}yQ8$#=c^10TQr zh0lD~XFv9XU-5GHO~*Q|kG%c!uX@=VKmV$Ke)%Q8`{|Fo^A%^pSA6h;A6&n3e#=D+e^{lH5<^O?_l_v!7I zf6L2W`HpwJ>uWxCizT)cp-}GSTZ~paP{K9|s-|)RJ`_*?n|IRBvdi4ix{rMk#_v=PK z@!P-fs{iw+|L<@9whw>!N&bhQ{JTH;^aoy^DY2h=!%u$Xi+}tJ-~JV^y#2TS%NPIr zL!bP~ZTRE=VD$<5t-tnbkN?ll{L7c#`Qo4b>dMQ`zV*|e4nFoBMos>oo`2_i-t!H= z@@v2L!B2eRYrp#V#kYPW_|4z>`#eU@TFJ&$3OV3uUP8+ z>tB50m3Q7Mq}DrjHsAZ+_x|rcHT-)&bm{xwaqEwN?rZ<6mwweZ1;Mf3{LSB7ePZTs zeCqbwfAEtVKlic!@OvNn+pm1(xA(tq^wOXI`JWg2h{sk|ethef{>nf9p&$CxuYBuQ zd%wQ9zW%^FKl0YU_LVOOr%rv%Fa6RlefBrs`<1Ug|K0!a^!CTW{QSRp@8}&L*!aW) z54ZnWR^Y47k*M9BH!w-M$yWjop|NQB9Uix2l{_suz+ZXGd-q@b#S7o?`fvV*TYvWNmp3;4&dc35y%qn~5B=Le_~Gw={N~L^{^HO6@GD>c z`q%T%ef)0-4g9x%YWTO6*XTc6dE4Lo?8o2#_x|!P|ME9}np}VD+urtjqDmN^{D1$` z2mYH^&CUIF(cqik{Ec7#^VUPVM>bJJhXqV7{by}_-Sjzp-minc;WF(lu(eZ|=X*`DN6$e%4fy|E&;QUqbEcI4;mqkH{(l(H%nT^7 z!I>GbCYi0B#BOD6eq|MKLPD9;4aAiAh%v-GQU06QHjYgW->ZULS~D{(`?ujyt|YA^ z9&+D24c5OAUu^z5?DcSjIY!Lmabs>UVf~*uQ_TOgxYS-a(*F+Sxpiy)1lYmDj!Zt@ z!y%HXL5Bh@{s48riTOKsS}jqmwSjm-BLHQpN)V9%Eh~DEiMAzSkO;JH-2yoB!z4h! zQ6%J9bR()UPqg5G*#P?-INNCC0O#>bmmJ_IVdH?=5Hk*($Cfu7@$Z|QxjEq8xzm#1 z+`8qe9w+u7s>Bra5Tz(sO(>4~oBjX=NrvJ+~w@`Fi0JuO^%5u*EAXA^7 zQ%N$7x~v`-Y@<;J+`0w4Z8QRR?xbG;ATgql6DkyH>$MtY$9e;R7!{QX**%@DKG%}y zM|1&hgBuCqsQ6V>M^Rv2?;_kE@D6CV%m=qTkpoDBx`}KwkD`IQJCCXdQN_rk=F=!z z*wm?OFC#ika}U0V=5oyJ?PKE7ITNeh0ghTNcV!0E?9zZvMCptBK>XFN@&A5hV zHHbon@~tX*nWj}$BiE|N_ZZwu78sMj;D28H9dSJUe8eOu@I#*rV-lf=r*k2*XI{v1 zFFU}ysGrkbE5!oe&W z#(ZQUZLU}p#1u!o2OJp3-geSOG(sFP50m+{QU^T992@hc?kxUZM#j zbaDTG>L~yF;XHfT|MLL?9MV4G;Hi|Y0DVkQyH<0gBiNBXKgxt0?xk|HACfK%bBn9^ z(Qd;oIHr_q6_e}P`fUWHw_?NjR94$Ft(XpKTecUq?&V;5XtXsEvjgLpl9*!1#oy-O zPM*KTBnU90i9Dz4CP5!@ui2cb9Q|I_UT)?X8tx#vLWVJ<2sp26dy8#%!6{4rdOGmt z(gvmU29D}-ey80<9JZZ2TI2ZpN%@m)f<^}w59N!MAQ5?K%L8&~KiN0BsUG{ct$ z6i0n;`w^)X93<*|N}}gUw;|F@>BFS0u29#Sp~@6JIP|D9>>-MpE}fP?DRmm@DbJyTXtA@IhWIq+^YHA)F)|S`THWA&yK5B?N7-LhRISLmJ0)-Uy zG2?W4`m3$m9E}Wcnn>Ox@R=|aC}%^x69t%oC2#2=ueA(z;RtX7`~mW}YfA4zu#5Siu!R%NXe^xsy94YGjQ1V`Faj_Lq^S&sz`1qjjsrmI zRq3^~d!qmgGrMod00b2E(M@Sr1UOz2GF!S0ff3kU!N4vsjYJ?JBekse8+zyXL-LcP|B6PF3-B0$lQ?4SVb z4v->fA95Iy{&5C|IKsmus+x@xCmL#TNgNZ(nFVW(o-NEcw`O;)Ex50FZtldjH{W^g z#GO0G959_CLvWFApe5`UAxX)VfdNK81l;RtXdTs#BR5GA7-jwQB_61IU4BQu327 zQsul>>k5N?)KSM)J21q76b9!+2MY_JbGBqt&k8Z^SmB9|L*&UO)3XNo?J0T05JNuj zIPnZr3kwc#81gCN=^q#25IMlc>w_FS*3;4 z#8ICKIWEPIPytQ~S%9Utsv>8OR`qfYZ7p$azW&N!~iXv_b)vH~T zP@0|X6j3FQVV@^BlE=1XEZ8SkFbXQ_myZ6{*cAmw&i;H%!l-fDISZU;qxI#@&8IJI ztZssH8ylB4I^Y?SsP!0AvV#KzMkJxYPpHH~wtfqXT!?w9J9p|kJ*$~TZ^MMBqsVJOFb5|A(eK1BhFIEEnuLpTxy5Fr#OJ&6y{$h_S~u~6Ya zEOZ9O#b|a&m<$o{Lx_j$K)`-Hp?rWSz)_FTp`uP7MxuYxmA5tm0C{@9A|O7?U9jk* z2vHc$56G^|$vmed>4u062;uGkg+t{e?PA6f#O7zR!Mlq5+}!~Vk(Py;>3>V7j`Y97c&5<* zEaOE?Nh}zkAP1m5NlNO6CKmah17?BJHssF@LU`siW%M6DK&muw)ak8JDe9zgzK2v# z(}snS(3yk;^wK^(^T{q86NWjdDQ-Sy6*%k{N{Kht4%4=nS07~SvuV|WfylT5m4|S) zrbg|lv-LOb6&kb6Fg@Tr$mSnp9q9;_D^|pd9Cp1yN48{|8B?)|WlR&-D)F}w1#6NZ z(lKvJZ5T+eComhJm?9r?6m)>JcjV}Tq9{OgJqbfqiy14*+!%6=v*HD!O%>x>x^17V z|F$@nQFY!&p$UoSpt6)q>%AaK37)`dk=ASq)PCtUN!d7ZQ=ha_4`%_4V=-^Jw_YV7 z=6|(vU8_Oms_8HBApwGWVAl2{w3?Zd^HD@grvPcLW7&(VujWd>{sJ61Fb#t^GCwQ{?J2%m$M7?v7p3=&42e3d& zMs^;D+BBdBo;M0Oz_amZykh6>mt}V7!?}+Z>%CUj4*Z!?|JTR*(`^7I>i_Lx{Ex*` zOGozKLwTn0|9nE)EjR*Q=x>V^fg&N2qyYyrp?t-V<8Fx5DH#ky+d*`Bea##OG28T8 zmQk9>bT274Vd{ueTSE0${Y!saCzNO3^sl0Qa^12_MzAkWB=mun6)a0~&&%gG0mJe^t2w1qtZD$+Q)mQoO*=(I_+i30qUtDw3O3)UT3X!VS4YksmCtngzrMD4 zu=f9UyR82&wil1||HF8uu>V`SJmWA5APv;@UslTwG`*POiU*Xhs9tm+UoL(wFGW=l&_(kE~_ni`YJFd(lSjVed)tv zG4eg8Z%o@apyjbY+wt=yCgC=Bg?hi}ofcI`{PV^BOvnEf!A!~iC)$4&OYy%J7fwHX z#QzWDnS%eHyBP}(B{bSd8%U(zuM7`d%cg7|<7P$lRajY9aucI|ijtRh5T!Uk;I>fP zA|IStl7HgiX4327o4|3)I=upNg(Ao`Pzp=|vvER(OnH8HM;Yi!hD{oP7AWOIPxnEg zJKFv_e8cBWLE!^YG zz$Ni6z1juv8rtzV7X?cjNkb>*V@fNUSDq8^1%INQBBti6VdWqNK(8t+b-XYM0g(d~iAjCVR11osL;CV@n;tvPsdC@2ct2sS0^x0bliX-%F{o)q`GA%V9`% zZLiua>W_AFCJH?PQa8hfNyxFA70RxK%d0y+8Fr=jsfnLHSt!ePDj970wU)!ym&l>E zB2>{B)ZA-@=*#SxPXAYT5f1kJw|#2iRLTGI)Y4J>-$Qw((EropUquC4Y>ttehFWr> z(j2I6>iaEKX6JkvAyTCv5&T2(S_e48QTpe&1KvVYE;yHaF`wQ&xfH8Qn(B;HK%?{y zWFG+=FGBg=ii;2Wcn3vhTahqCbqKap+pz9$iXuidk_dS~iUD<^fVpA(>U7ZDjhTHu zVO$>`r^ug^Rl3mM-i0*C4&ZT!`N)$HJcOej*v&3p?LhM^S875U6c{zR( zg(D$db`coB9Wjg@L}6IODH8(Lj*fD-&$IJ1T2f(3$5X|fN&eJ2m7x^~$~AqqsBmai zr(AE!-J+{+C>QBIlkd`#s&w+4ovo?*k*#AHn7wMjT~_{Ti`sx@7%;=H){=^RXB&+g zu^kyVPF~=0Hd87U4Rp?`7~i>t zTd{8Pfk#U#CtoA))>v*)^mqZrvAHNAB1#XUHkE@wHo<^1dy8}d# z^7uA5#tbk{1i6n}3x$>|7K6%QU?U2+@=opRRAZ0kTPw09bJNfGl~=H(lK^@Bj!?tc zjWETqCA#rq39ImLm6@;YnJzC z8N@-B!b~YQ#{R^TuC|{~x}yx-(k11Vm^VTLc@6#fe7^7Yat2$eNyrP>doQfoN zNk~~=Vhd|70)yk*Xf(DPZsL_F%9eA6Sy2*aOVZd36)I6M*8*VC1MBJCb~Dr+42z2- zL!Mxm*>YtDXoH^oS{)0&^!=0zG+naLW&yV9AW%Ahx=zd zTOlFaNerAFA-;{Ser!z4b3MOvULcyV?mSuz+bW!PAG1H(d0z75V3e`y(zhz22pb)% zBILs5Ou>HEd5}HpfPf$sa!RweRG6#p&qj_Jp6Ye{b$jgvTr;26WvXm+HD#@+w8Mn)IYk3x9r&Lp%Q6&xfOxP5O zM#q5RSP)eZseJ>j2#O4Vu&3xRqIz)wJsRqQ_r5scUn0i<$*K_{1mZvqb z!sKsqnvP^PB)f=$Ss^2q!*~Eedu~qsyqF9T#Xe}yf!QRE%cXAXI4akjx^*kdGaus; z53Z|#`sn6{I;dX`!}FL+>y-2Cvrk*N0M0i#;I>fO7^mQL)5f!%m)v`4Ok^c;3yuwv zUN1zIORt*glm;#kbuk&1z#G$KwKIQi%NW}PTkoE}tJQ1>Vv2S!NmyB1fVSGnn(P`? z$w_;~d$v)VQgNT8teDZdc`>;^5m}awN0IQ3o+;1&IH9nQ4)*?MyM5+V>HO~~|NG%Q z)5m|YV-##EdI0jyPbL4>1mlYW*~ODIJeQBEZShutromteU1i%l{XxPgjlNdnUhbn? zj@(kT=IWpTrD}E-r+klR$5$GAL?U^0xt9Jki*Cqcpj?r;f?3(faJ!7U^!TjvtYgPn zu=R>bb(JDh4O#7Ij)ckm_e{tCvq%rqNPr3af8oqR$^YZwhmZWf59OJP|3?9$sWnj< zYg5y#p^|Zqlof$OKt57Pg(y%)iKc#$wymWrIlNm@d&d1}>e6fSdRArB{tIT>k zsR`v7I1J~iYu`t4MW$Q-$_9AQ_dgcO>%ZMTbF}^sC=nkGNj<$v7+L%vYcak|6afzu&o->ShxZidc0Is+8o_tgsfs8 zwy3CWEencOS7H_@v!w^-D%4{6GqYgUwo>Dr!7~Beqhx4ArkcTtGdK45CUuxlzouGQ zrG_)xl^Bga%(7YlVequa))2)J}>j^77iKGVtO{yo=RRjRy%IRaZRk8 z?TOZ?4rd<-rKRMS9$z2 zmpiz$$f4jc=9N#-#@g}qq67Db{(1D=+h;oce;3jSNBt?c02A%M3nlySnT4bL&xi6% zq5nUvCLh2qNw`kJ0x+9eCLH5* z>;NmE_neL?T8!R(Tb%_zj-voLE`9dd;Gtu;*#It{KGShjxY4JV0JlI$zc((fU3{Vg zHnP!!0CD7V6o6Twl3Rhp@7(E#H=@j)J98(2RyLwE_k{}Rr;g0S5uiv66Ghs64(<>f zl(DT-b;UAYm~;$7(GI30Qr9M=b9Q|O3XK~?nMpz+9r$FN7FYM;ie6l+WXrN$90`vv zk!LFYZ+W-OU-uznFbXJ~C=4d>|I-WYGX?&CdhzJ~-{Cw{@PF+IgusfK`7APCmNE!Z zl{K)G;;V_TR7O*2gLTFs6ZkcC<}yzF`Mp9j7m)nz5?xNYePn|*A=W9uc)Uh0^h^<*y1L6+4eRG`%Zt7^a3QRA(Zkxh|n?LG@vUn=%8Sqr+! z(zU8wd)fuCQA4V1p@pD(g(135Q4im2)XX*-d8$&OCF3z@`x0imqU`=cq0hWqn^Y?Z zRf@y0;=Lakfwp*uOrEjMnU5MFDkx?CrclYVj}^^U(|ARehFj|rSwXzcB)~EYSovGE ze`9t4Gnog-7zc4FU!G~V!iCcINvw29920>dxrsvz>BzbuplsSQDg*8hxG}a7TDb8y zmbpz_DkgHs7C&RSUU>0m6Vf~DlfsMg^&e|wAUyZAGm92ZfcsCyLYQCq!xh)Ee29fFt zIxO&gzxwP!OqlcHDyy2#{Ffs)&!cA_`@bQi7zW)2roajNzlYB(o-XYFPCdMEwEsJl zXD|D|3u5M1A3N~fpP{JxX76VPTD$X;x1aa7>oa}aojqR#N~hZKnfkgpnDD`#H+_Y+ zs<(WQ`UA|7&l6gCoK^(LDqd_U;e-0EW1$@(XhnsZZQ}+Zyk_f2txry_*NS$8_%&`O zRvU?aJ+c1e?d$mZ8z>I3FG-|sIOP)MR`1g-adDPvx5c@F^;=_2Bd(a@1Ku6yAjpqK z0%;Sl7tmA%(|C-1xfpVqNWcTL0~_8$`U$pP4Z+6$)^i|7BR9$q}k|8ywNp6owj z=2stkHAVf`9=s7qlhyrW1hPk4ZwXRh@6#4!cXgKxLS^($XAsi$55yppZ>z>2G~SGp zZ=%MGGtsD27*xGc>3%Z^twIjFkQM6(`t@NMls1vM;ZZgvsc#coT2A=jTt+KaJ1Je% zn4#qBbM<64jlIN%V!~eZE?B>m4Z;TDzBG$zR`+FK7E=}MMYf+_({?5s;{;_DhFpN< z?%U)F679aS$uYzmnB+3HG|3pJOEw^SRo-QYyJ<-21GKt9u~Z z#s+Zj#U`MeeR12~^dP2~_r2QQYFgQ^?M*j(pWEIVTWIPu=(}m5IpBRx?HDGRX{-gc z2Q$rGHHnVflDtTaXXA#jANF_mO``YODsy#R6QI?^KCb~) zv{Y#WOn0qmd3%#PxmBSMn71sm%}waT@`)H@U8?S_(v8Z?OTByOJ5?@LiP?JdLAiMS z*12MB9MBb`G8B26k;afUkyBBjJ&W1w<*gGHT@>eI46>(n9U4oVjb`BPx)F^Z+5KeH z*qc@#ARh-Pjd89M3?iU|#cDXm$-FYLB@B5c!fh@Z(>5Bpr01G%c=8aMJX~v+QeEqIFoJA$j|ycvujP3 zpwn48Cbwq^I)$j(G%r&SXt9&Y2PV}UJrlxewm7F2EY)_Zx%_a(YzAxln6}{qHiub5 zoRVVpW)vIK&_3;A_GG;{Ok*XLaLOsDQ7iAFb>?8V2aQK`SGY%3^h$c#J(+_@UAeq8 z$IvaX*H~Oq8S^oHt16XCMzy3}l0wxz-UUu#E312BC3$uCMNGw&<2g9)W+Qq^PFHMo zLQ@CK@9f^f!E~drQb{W|&pg zn%QJ)eKT{7Y@-qLVp+D(kPJEqDSiP3R}p13M!H;MRuykY)p1lD+#f!RVf zzQQ=1Drb$kiM7fV(2dHW8RKA`!F^xpSBvK2YB#g84`+axZGM~zRjCniGLr0~jnR{X z@(M%CiOQrq-F#{io(yBc(E3zh-WT?KD{6g)q5Zfj=CECFLrupn;5S`s%`b1Xv;5o& z)HcR7&n{VS-OjV%+K#98$FqBX@tdwE8KM+}9Ve@+g~D{^r|LHLxi?dd-j_xvCGk`q z0kaiTqi>99X_L`{^DgeP4onNF7yI?otm@cvHXijW1LSXKxn?E4CH%6*k^KXqnlq3Hj0rhRn(^H83>Z2$FU zSd@|5{4Of*^p)l=%gbfGLZaTng3MrDRQS?#FY=XBx6@CZ8MK1rE-Yvzxu&=F!S>cp zduyWb)#-UE;Y}rOs)kTbep8qR5L=?&jI!Fqae1H<8gXLu5D9hE*G=Kb(oeh*9EQ0# zXW3S-#+s5T6}8rs>VB;h@$=0Ctm*t;lloW1^w=~o0pzf{i+aC@23mb4s8p^XFSU*3 zwo8+#hvBGS+AL%=?4=W3yDQS!(JB%PHB)X=Dl^H(#;*3sW2zmCQw&izaY^P9%-OoI z_2S#Qdx-8-doZaZ70SPoj0<%;wXUr8uMQD#zfO383x6r`LZ zmrt?O(^P3Ot@=eUvK;0XXiuLM;-Tt+U5Oam@t;6fg=ru?NdYBb$Beok3s;6Zglirh)$N4Ny45 z{fJPsw>~E5{|l!}@n04emrfn&|A+C+fOW_Pr;^Eh)hr9K6M=4m!$5HH82a0=kC@k* z0hb4u0hYuup_~CWKw&6-UceA?e}JR@NkCBuIo{D?GkXuCpfv*`)K^~8v&t}`y-~rd z<~(pI3P*rMvZeqD#E60rN62e=tDDz1g^+8_fE7uW;OfdI2ry+WuaEh>{8xeB^13h3 zdHJt-G3d{Wf6Py|6U}E0b)mnV#B%S$S|>cV8@En)UAWyk;qhVII`Pe|8E_R+OcDmx zR?o4P7gO>)@_Ea{0fO_Y93{`UydCC~0L{OMY!VID|HirH)eGmmVX)Ue#;^a=51(!q z_W$jNm(CpJ|2~vw20W(n!kN`@9(SqGT2=%Nv|7vH+LI_8=3hTIYck6T(crOx%rH04 zNsN6qAF86)H5JW>GIP@U-KQjp1xrzs1wzutKIkI8iv+{bfT((2t2HwNE}wtx>PD-z zwY4QQ>sEkb6a^^qG1A(*kgXlvo|N<2klF!l@1}Rtc-`n^e4R8Up6il_e;oyi`% zkPTYLfB+w)9gjc~3q3V0CEt!Q=h~7`KLqL!mtjkQKlcTPB$v z-0LM_sC*&idA6xF94XZZI8UN5B;aX6!@yBM%*=qbh^L7FTP?|?l_C;TvV#M}05mu^ z);uw;7*Pgx2iP9~A4Wn2lE!~|(P0OLBnA=M)$^fK5K3w&&HtPc5?}};*hkcBwI0h& zXRZUu@vl9VbP|;-@ zZ_IgMRYD2GuQVrq!pTr>XfB`M1U{l1_plE+VkZUN_hlx{NXA1Dq$z%i@s3DB0gO{O zF})7fDU!AXhB;!bmTQCC_S&y`sO75hE_sXI!b7T#*yJLC5J3_M^hg+zU6ntw8>)oP z>VU+M0^ET(l;8BuPcLOnBhvfDCoz&c!vObsNNVj2`5CA)V7b@B5$0F`dRssx#5fL6 zBrt#|u%Fvt6)~S;xlII(pWEQv%~++|T#Mp_Pp;6q?T&vYeLtvbw_CTtmR|BO#grG3 z0C|k`_!hVgRHkkKfp`JLCympQ+W+DzY~2Q1wtMyCmo7Ql&XVQXer$Qe5&yo)ncD*6 zAQ?a!J>2Pcl? z1)Y7&yJ=xMWKIhw?Lxl-$SL65cx-tEP{c?=eKZZYQ?8?+8qCIUu57IC0h!an8IutE zqbg9F!Wol*AwQv*k91>q1I`HXT|&3l%iuPJQ@1c3j8nr2W4wvz4))Pr`O@H_=zJ zyJRf2#j=ARWEF={I{$Q5gnJ>f50Bd%*fX8U<6a2&7mY%ZJ-G#`H>_RgZ=)#Ks+a=s zg!YF5&@4<%@<7)DC=v@(9p(tJPt-DAUSCT!<>{u~tXifv0mf5}5GQ@NPNYX#7g9$v zW6|X`1DaurqVI@s>=zCjlx4}oWWF1c{`}%X`!(|m56`zBnTIiUt=i1Rk=u6LXXY)o zK8iTJnVRZ-#6T5N&HiE?^1gL@5qX9af9I8RrgpjJQIP(pAjykoY+ zS!~vu{5OWa1aCPE$*#UAsr*~h&pJFLQG*FkablbGCb6`oE2zQ}iE)^)X_Tum^r`n? zDL*K(m!pBfHVo6%hi8wcE&WwbjXSd=*tY@O10gpKwo;9hEPBerx@)Z>0*t00EQI7U<7)*JAf{+XdVZ&utqf`n`c!=n zOhjL`pU;cwF>;s_3j65by!-Br&^T5r#PdVQY$LU8rPk91q=6x$)>!Cf zjHAd$)r`_AP;s!Zo_&38cE&1ObGRTW=yI&0w;q%(cOPqQ2c&M@$BLCrhdd6`$a7JE zs3Jx27fWvv%R8Tf8A2RoXCS%L(WHhH)y=uQ6iBbbrq^%*8;~RnfC529voYPAOg9xh zif$w*;^D|t_H&z#tz%n4YKq;6rrIkUPqvxd-7}K|BlHFb7I%^44yGPb1{Z!zf&BO^wF#Sd^;U2`s&9 zV0037)qZMPn4q|r(doCc6W6@VA2b$+QMgpCR8*evf*vKq)TXipNcVZ8zAA_D6dH*^oX5=eM`xgiDdW}<1jO=w3)FYj13gqiby>Y1l*+PH z!$S~}$Tg+yVU(5XZ8U1<2PakOs^Mv_bv3&pzXu2Md+)S$AItW`e)iy4fA2Mid)@zi z^w^ALLgWhj2)02imb*!GIlZh=3?(nxPsEljEzM5q15mNAPa`Yj_w#EJ@FA17wo&He zchb7lrd;y+nP>9CYiBb=2ip|VbI|9>lvoj_ti5%w~m@t3&a6nsC^Jj|G$It?6 z98fJ=AYcP16j|5%48<@N?oKp$OSyo1c$lylVN~FIuOx_ zBnkluLqJ2JcTMKtOrhy6@uLazSC!jxYwG#4vYQ^r6qe`DO2>C^r_jo*aVWDmVg3ri z>eDlU>EE+|WM_X@sNxINo*^!auk|hxzD^NC5kIcr(e6eWK#)>6Y5{;bQo%#VLuz7Qh9kfX z(2;5ckX{D9x$rWZCFsrF4e?s70Cf`!-CY&Ozl0h!7IPC+vMb5mLcA@#yaaWlo18*` zqaL9{<#nzCF)@3RRD^#)+sl#MCd0@_y0I?mv}RJWv?*>T7ilR^FEaxFHM2hhtmy~# zOtfZz8oGu^$2*z<)~RE*vUK)_iFh(84^(+zomqM|5(FMwEq$^o4^1c0<`V-(U&ULhbVDL1>99@zV!0-zbJKMxBpecHIS-MZ}rMR$bg}UVHtx` zu0^R~+L6R?lpdL#1dI$3;CP6bXkZsca#8k0ZRK!H)#-3d7{l^P{z!EzRfqw?loheT zyli%7GEP3PaV6iou3H^8PGe>7G2?)COIH#K#&PqiY6>sK@J52t*mK!z+`46*%4@~{ zHt3!?g(5%Aw0`GKD>vvM4zm$^o~NS&qiCnoGMc1`^jn!7BWbT;b!%oZA zJryctmZ)C-%NTUo{+elg=Q>}(+GJ|Sbiil(*+!$WJ#Je8rJHtWjxp10WOwdJ{IzE6 zXyX#Cg%y=w{F7D_$eD8W0=szW^0`fq-&B0cClMnd+D~4Gg@wb-?6A<@LvDwL$sHzU z^V)Zo2RS!uJ;9NBg!)2q5|*ACC~>Ev5eS|oqYfaXSQ!iv* z+3lo@d>+cmCe*&0U34%vEi!5VE&K_NL59wp0t>R zE-Wsb)Ujz6&BaEr3*}wBq1-I>aD>?a1=&5=KIVg@E2Dx6Le{}sXBdY(VJ_*pe1KdX zlzHwX-~-IS5I#?+9sfq%ePLqQTAj)62M%D=M@+@tQ~^-M_bj}qUU71}z=>cHgvKOw z^Up$I_7LO=6-@%@ttr5BwBd>2s!unq!?bmE305?+7eM62b3b>q>jUo(Xc6EIbcS6+3>t0!AvRx=QZ zhVBS-2_L9Ri*k5N2KQD&VrEsuTsi!Fn~UW(RS;7^qHr|lfoo49ipED9Hc^HJ3BVZZ zK`Hm7Ik^Y+VI*iO07D|Nlf+xFWEibRr!Ib*lu^&XSh{s|Rn) z&*;*w1kTk|J^>oh;pIFrDHrxw?S+lzeL^Bu%Kj5FXn7XhmQd~Q7{&wGMI8HbK}mIY zK!&7`A|z&h7mjjfR}%x*il-|`Y()@ifT+IhDkJA)A#>y+!6_Lj;#$*Y2dzb$2snkZ z%I(W?u9r6w6d{=KzfAbuitIdaypM%=hq$k%cz!1R(@hw1eaH}-)2l>(iu!8u%osQUJ4=FC zt}xU~LJ;C;n<-i_J&PW5fwp?jTnHwc)r>v@#wWedM%pO(rW2)0Z5`i zXQ5nX|hHxZFFOgm>n5h+wZu%&eE8Zu=IK*lT zZG?qx!fQRF8z5Z{0mzlEAn?(dpWofx^`L~(BeXvss#0wJ{MyR7i<{@% zMIpAYL?L1<6Oi4JiAgO3N5fqpxJREN#no{Hb}8mE%>yGnz6&X81(Yv(q>r46uh>Ei0z<+V!} zH^HUH!Scmtz*B1%S5E?jl~M0zEbr+P3h+>hbFa0jgKn74Q%k-y%VHmdFzP3;k3gU7 zAa!66BRa%P2}l?Ptq>2fx%Xchj`t$U_>g}J`5$($FW06!M4V!uxymPPK9f0n=wnj; zms3ki#r!W1FPuKg|8N*j!2|{4_-d9w;mm8ig;vgXcvaH}xS;3*Y)bk_rIiZ?xIb`X zM5SI6`SQXA<1Xs;kS|SgVle^0e5iE3%bTl@odh9?`YuOw2q+p7j*J0TdE`(sM0|h} z)*3=A?~NeJIxS;0T2?gN0wAGbmg2$MHE1f=c9I$*Z&|4$#OCE*PtBn`4cEVAaGJi4 z@$3K0;^{Msh4tTVpFYa}awyM?IW;x5C9&X&RFGzV!VEz0%<_fvuG+Q;(Jd4fQD7DM zA*3k1TVu>ru^=(ACFMkAw@6LHUQ1`}SS4azcL3Y*J^jiHi4Vh8i*}*kX#ssnS)b1U z5VQDP?#KpY@hk#!S_sr(r;3Qu0k`h70GP1@_{evy8Q{A5a*Z;HMT8^PlF8yOia*n% zKo!ty+4o5j@s4cGbxj}-{S`p<*((FBPd*yLrCYxs8j}&qIN3%r#e7Tx5MYXY9*$Z- zWf~EsE{g&N*!1mY4(eQ)m;|es(L^%$$C99rvQY`0Y0H?A(9Jj$8fHv_Ag$1q6=Zyw zElD)eG0<`;heeh(0bkZAV&XTN0+_Ai&y#Z9o{8 zC*X3aGt=#p`n6;p8h~rhwX6}Tqj#2Wg<=wz%KB4%Eya_vx+x0sEfhM})T2pRpIGa+ zK*7JRPR`9Y)7%QlbiNEG9ARGZCEv}?kRo{|oOYy^PI*C?f*s`_l$PHqjb%n2SlR$< zWi|Z@(%$tKSG7`89dUntXE^Uu6tGeo`qHIRi(S*+HX7MQDT2YJC>*8CM16oM^{Gxx zb+H&k-)BpZi!#(d%a%Ix^Fml(?;`2Qc28hlVaN`130{u7+k!sH#iu_lsDHyU= z$^?kCafPW>QD)6h3z_)?6eOWGE=EKwdS&zwT0d(bT6_}uD3+-Ul`v4E0WyaBksFi1 z6|Ih!E)Cld0>&CgiT>n?usp*}(M4iWn$Qk#&fQ30cw2geu&jW|@usd-rLWcAsRNvg zWK*FC-Cma_!0d&SVtAbd$C<<)NF&2d#$3V>b^8ep(7dSXs;Xk(W06%~P2fko+SD*8 zA)3Jmbb2MJ!RSA8WzI!AnJ#HwTCA_?J~soi=%!~DjnbIdNg%i@o2%Lwn*FTa&K7^q zSe>{wFeuvTsM%I3U@8Q53Ed8`;Djkxe45a09Q9W*m2yqgnUO~eFaj`?S)zsds3(%j z6x$wf#M0b$JXM^E`J1Q`!C;6ZEYxRLtI?KLWDc#}v?n$%8<&GfUrPBafK1)uxMJs) zx}h{)G5HnVTq_~OLwi|U+R!<9WF24%a4*%$imFi7&$98Agqf!r^T36Kag|tBAB&S- z=7F<*6%bl>l|#8jFp-$E!E4sd^g7r}%{k?Wle&*FG3`*mq?;d0(<=dK;s!%BBy^;M2Jw-C zO8Gao&pd%s{=CWAyv}{afSRcR|nXu3OzNpK;3 zZ8j;F)N!d;gQIj<8wMN7k#Q=nAvj&ak((y0YRWXq73GdZ|4{7W)*U^;a+)l?&X1E0 zIK8ki%#>+4g&lCZy?6oZw^W5oo}!+_$XXQWc*rIunjoD_-eCq*7&J*($^v4#lFM2- zTEGBDf`iADbP?!595QuF8%04(WZY&UFDVH_dFNqBcJz)<&FR{@pc#3vBaa{RRf&qC zp)DOuMHn&yLN?*4qjlr9)Q-^1A^4K zu?~a>U~!~sjQMUc1DlDI1zrne71l-hPI^-Jgfhj*eYIi+0|Z08=mkAft`q|KLW8_2 zAl^hii2~LEr`4`pZfDb%ZS|JpAtDJclnjlVOGhf@K>?tnh2={hK;JT^fi>`(80i7pqjk^Xhh{fh)6KImCUXu4%+Yez<9fex>uNYd_URdB|Mo4^amk7mDTaRv89$ zO(|6ls`QECCP7}lQBqq~5ieLL+mr*#ETlH7`jjCvq-b8NzS{4zrC!nV<@1}lj(J$@ zHgmMhI(Ie3TprrC90j%YLe#GW_;Et*sPvDX1#PeWh~+Sq-aE6>OSqPt-N8^VzbV3-b%7<`)*{@lfzvsbVpg6X}&{dWA7|apYzVxB}Ms84V$h z`m(qr9+&i77@4XXj3RV-3Ul2oCkbZKeNfW>_9F%_XIo}|FH48Mb!luBv$-?uLVr7n zb%F?MdFcyc>Gno#N93Kk9#EAe4ht=K#TNpkSO$^rfpZZ@G^Us#lQW-Li?XyP^+cNc z$ueU+f|1s7#8eO9j?!B~)Q2HZ{z{w(fefI5QUjvfRS_6rWPD}>drfm-2=aiw40ta} z3?UAcK#@$$xK8R0RA6hR_DK&UPKD~E#GURf^_0w;T+@Sj&gQRPxPI=+`DHH-dI}jy z2yIkY=N%d^B@9=cfJ`_8$u}{%b#o|^KNfLOI-}XN={tL1KoTl;t+F*W(fZSq@=IyH zO~nA>>Uyinr;X(>`u|8j=I?tNTZ*Db&$F0*GhPaH$t&hF*>m0poBNT%W zG7c^lCdC5_dPxOBEk$xGk(!f=WzF?tw=LZ-6DoK?PxmA`IS&~(bGujvL2h=(15ha1 zsDDi(wcY2bWPJa{vW);R#8wMIf!xM}P%7LAhLmga zYL=l&4~)&vAl-(GWA@zaxU-3g)#uCtm2cM8ZROd<1c3qQ!VvmmBdSL#UOomx82RPl zo;MZ5N1)Am6h_*jYFFKqA2;M}n(E#KK`B#cme#KW9yzu6NVzN@#i|Q+cf_6>mid5` z4pdnBmFeh&2nIrD%=ULDL8AQZ@-!a$gQ{bdv@>nAm6t`d1x4!0mV1iX zT{khDs&=15FpxguMjMp7&uln0>T-g)RI#{1s@F(eZELxd7EE28bZV<7*D@w>M2AM# z=~L(<%aMdB-p~SesV79C^*mEKV{wQJBof-`q%FN6EM2_jbj`TvW&X11k+Zp$55{c& zi=8ytd>899W^XHGC=2I9W!^g+8 ztO{OMGLFZQXgSqV^)+u2mVR6p%CmNUlk9s2~U&Vo8Z6}atWsLDZR9LPCQOGYME7Qo42%R>Tl zk?bURK4CmHI>>n>R9|BToaEY-Xxp+$OomoN+7TvKR$}(@`AzU@&_$5SgYInIMl9`tzvL%ra0?PkOweLa;Tmx&CP30;O_s4j#PF+N{lU<6=d?VLn| zdFjzbJ`}t@tMKX!he8zcU6QpdJ=18!0FH8PW*k8ubLP6YhMyTSanI%>G?9%m9H7$j zF#h=9l40>D)zxL)tO};cv>8%){Oi16auumt%eiJ>S4DD<+7rz~c0JGk)#JnKVn#b) zeh1QdnnXIJ4lC?C^b*ys`13yW{8Ys=P^b&LRC&r(Wd03%t~QBkfefvy*(=MMb_$Iu z77JFEMyB@emxJryuXs@=On9WG4L469t)Vd7Sd6&FcPGK6U zu+XYuq1w1Cd1DtDU<07otjI0L!)W7IOU61@ulC8;?HE$_bFK6Sfa}+Xh{NmF zvQ97KoNQEFLn*5@t6|V^T_Cxp-gAXF&{x*vf*PQ3(nmKt27#~5I(ltc))Z7lr3O@x zMaG831WR}3i6UB-a*o97k$624uSeoFYw}A@yiT#}5ERs0d>JM$3k_inqpy%yB+x?d z`mFcRT;)bxeHXR0Gvf8@rRL)h`qEh1v7KJDVDZ?F-#K+^X{^Wv*J_{>;-Vy4-8-61uIhO`_EMy6rveEj^U0zpT8mwcWeGgO(K!RtrvX z&LCG?N1PW_ti*u4GMYw)5#J&mFUl}pc{LyvJVi!4Rwi{$wO?~;j9^Nm>j9ZIp~5`w z6N(74%;2s$ESuLc$IdJ*9qAqSjovYzY7LdgHr4?}$u5&E^BJq|Wl4S#PAT`oknFOY zU^XWX`2~@M@l-zDfz@W}QA%S;mj zXnn-~DahUIJW66KMG1^!N@9v3N8!k;KVWRADVI-N>QrT2-%V>A;2BRt))!DxWP6i2 zOiUy|>O#bI9ARF=Y6_Cq?syxa_&V-gM>i7f96t>N#`u`6)ax0+T*pM37*AHP?mXzq z5Sa|Sh(0%^Np%k}sZ}(+g|h;ScLh4ZZR()YOn-vhP;FF53?+CZ-+6seUfzYV2!6A_ zkxY<))q-@7hWJ!Ln9lG%p7tAC)|=s@UWrktxc27Ga}UkUzP{6WHh5_6^{<^3|BX`| zjn4=I~=bXsT*&YDnyJl>-E3YB&U^tW_oV3W&Y^snY~QvRhUM zUz=Wihh4IRPJ(X2P0s#MbVqG{M|+IHC`do2?q@GTz0wspIZ`gal$6WHDxsWvCui9# zc+s66mcMf23%Rtwj&#aq5WI+W%Iktijuguy#nOI`6w4HQM~dZ_onmRS4YHDg8B@|# zdH=KqWfZl?Lg;UI$xU!hre{(yFLaYH0$ovt>@ZrQir_Mpk~l#n$r-0?F4h66YwL3i zDI6Bq)Q|*;P%PxFwd;#FZ$7s-#YBVCTrIg9VnB@dF34K}Ov(_8?H4(xMDlg@w$SRH zjv%_4{3k+acRU_QlS=eOz>W`@;WlHblQ@~V@du`5Q85W7vM0lotacClh(wHFuRGYg zyBjojkyM;zu>({ASyVJ9eM`i;?`a3865zk4y|B17dA}zRut%$ZOoA_)y_taEu=ZtB z_kY*y`qN|Le%+qfdy$%%8auty4e9{*4ox>KdlzbA>|YZ53#r#1oJwz+v&zrRfOC=L zwkwy`pUK6i<6zPC9TRL>EzCNqXk+L;;X-3rS=|cXW#Z&F0{6B~C+`8og+{@Csr%7*sPQPt^)TFMjoQncN zH!Ospk(mI+8o@HcSQqKQ*IEaZs*aUM-Yg$|P05PC0Pfr|no_1Ju3p?!!K36=Xzl1J z{VBD>sE(C;E6p+loKiL;-Df`cy(fUu@u|FvX{O{mcf5+ML@hJewWyDn2{!eFKA0#a zNi&=HD;wuQcVt4Pin1)t^~_9uS9vzY1}F?WEi(gJ^I*WaNCJr+rw)UB6eE+LUZ;k> zcxm^wd+jd2ZwC+DgT&HilvkAmr%a_$@R2cGMqF2bC0*fa5#ID~KQiz0;Iy)lf+q z1;_zYtljlXtJg0sUpQAloZRa+o4*h^Fpkfbp_hF0&K;+A!3d>H=7AR_%@Q$CH0oRo z!R-;c3uyq3nXxqH{|b|l6g4dXWTFI+&`@6*NTW$>7rLAX&=YufB|&4FFs`jqIJRm8 ztJWbc`I^d^%`~9QdJ=|i7Ycc5g2~9!WmTyK3SJOe1_zkMAsnexzM1@y{^C;nbd2DX zfT0^Tu%*#kfa4fSwdv9y?q#XEb|f0$MzsW$!YG$lb^nt9Z`6EBb3(&W+lo*9!*{b> z_IS*+YJ-@G6L(v7GjEYuRWtvka-s?KJV#g&gTp zGbi0;d>DrLp})?!Bn$}Su4wVm6bu{h8wdt6Wm`v2L8bwU<*$iaUaNx27Ag3Yj_{@! z1bBkN9*kh;eq;ysV68vzf&M@B{_pw#g)ySc<8jkeu;cfC?RI}z49)TMP3{^li7{@B_Q0r-=T9@Uy=tB&Lr8guQ86rChhuV8$6b4G{%3LgpKT2sj z+f~s*^gdM{4adlz^IGycsule>RSb2`S@90@T)Z^tp_rw-Y=YyAb-CsJdoej?TBf!@ zBisv7YOaK5M15gIYP8% zSS%oOBM$0|!J1@LDQUZGGSjlSQ#&pj?dorx*B#t8##7)tmfVZ=$LL#9OyOJEh^{L5w)G0Un@m z=&^y)OeVmo7efu8DhhPqc1L+oP4LpGpw)U^XhAv_G+jP7A0C)gs{$w9p5UyagHFW; zJR{l$P*sejRt6Vkua0kZ*y6VtE6OSVHGIe_Q!7a8%H4=4v7zv-ies!E!S};%y+AsX=-UWfvI$jImKog!D6Mq#7W|6wO+2w7}NL z5!%+Qw*q6>#UbVxF>iT&O_ycflaK)?LVQ;x==HWAk>X;f?aZZuU$rGkpr)+Vr7`;M zq027fFl}pMr@7J<%1T-p-Q*~eU02qcG*>vwCWd8ndU@*5d}c7)ly!2Q-WaE)Rn4h4 zHxBhpfM-c8&#X#Wq^22+X=JU?hCMh!!ECbuW~dRvletIcz^tU$gTs)T@wvI_5oHo( z?FB*Wy6%e^F;O7HRBInXl`zYQQ)3MCT349NOJyrfR91CWNNoqqf&ly6q;${D*&!cz zoOpbI)GOfV6o3vmHYZf7650z5+lw9dWTuHV1{}sIj`|Mp6yPZrQw4b(nlGM7uUKPM zx2w$RI=2BQ&%j|gS6w@A&vfsNLG$RD>Y3X9s}0_igh&RAZ_vjC|DVOBGp7pn-&2e2 zBm3{6JeHDU_MCn!l`)&bXm;{cP7ESKqA=4rLUCF@@*98}?5KK7TJx*?@6ig%CQ?54vG zqFn_@A93d-a6-)F|I(300cV4pwV7(w88k&Dqi$eYOF`3s5Ru5FrN6RqUX?c^H#p3< zBwt$dT}`UibXQD}e6AhO27A0XTc(J>sLog{^GRW3%4(?6=i2dvp+Y-yjdlRIHqG*X zuDno;_M!+ATzjtSl=Vm}$v^v%|6Lpfg5W2q0TbkZ`_$6I1^Iva^r_QF^8YZN1DF4g zDWbR+YJjH4J!k`8*17;oRO<4M6aZ>MH*-f?l3h2Mo2uhH&+HMKOp2Js4b&5$lr_r( zP!o-K8$**{UZP@Z{vQY3ru#ngOyvJn_dgbn`2S%%#rq#5SjCJcGP?F-Nzg~!R^e@? zt}=%jTbdRG>*f0UWbpR~H?PFYB<4P;Qa!I{G4eabBc7_}hB#U_*8vpZ_M6;6Zo2jw^y4Ea78#-3SF9t`6F zEO;-;fEy@Sr=*8NV=Ory5PuuddF>W*ym@oFhSgjLR5w?JkkWQT-LN&XuUU~A;(-&LHP`7;kd<%db5+*~_o(qnr{u9T|8#IjhXcg1+MNEm< zPoW@vqcTCHKLfHG?LrzXudij5#1dm1Mf|GlaV3O!D83E|;}?~2F&nmcxwgKNf3d!{ zY9S_xmf00%u5wTrF6sD&c)J{pj!W5k9!JT|`tL~`hccD{3~d8wMbREpo2t6+6v5z9 z6pl6s;g91Gu@U2FXn@U#;a)StFT-bQ`9ICUpMECo{}vx!D(?TzEF9hcKa{76$y@H# zjjeb}6_93{Bk6yb);oO+H(8HsaJJL@WT*aIXP>7!jSq5;q{V?ed*c614}SDBiT^LP z7mNNM?WLt7{(l(H!SjD}0CXe<4pj_f2PaL=ILz_Np3haRQ={55qkWzjHJN|wtma;? zq!;HiHUHOHB-B252;&AqV50uNv{1DFEu22G{~gLxasFTJz%|<_CdgdTVwj4C6;ow$h5+u*|9-bCngN=diRdfxHv9adJPl4IG_} zK?fjo=D_T+nh7d}8Jx3BbJF|#*fyB;N#sK=V49*GJr934VL~Be~YDt|_drX4m@(EZ|0xi@|Y4njA!I-DjebMV9#cN$g zOF<){r^wq~WnCpEL7s#)8H;M*&K*f?$IR8R8wug1+hf*fDt%f^M-&r^`6#_pnYB~; z)B#R8d_h$M&KP%=RP`C4APEu8_nCWL*KT(e3@*cs1$+03Llcz zlO;j!9�@!4c*wCNjM>Q~CFK8nWyO6%{m~!{Nhm*6NWjVlEmvuaoCsBUTAkc2}9)sF{Xz&EmUZt znn+XZKdmm9tYVrU(Qf*_DzeA_&)&PYw{0T}_ea_qVwILFcP*Vg8fO52n&u9NVe0^h#Wl`5=*;QS(ZQHhOyUXlSmu=g&ZQFKr z*|zS~`@NaT{FqF#a&xkC_RaZo_Q`tIgSPm+>;wkKj(vh~F_6H1Lq<$E2$t$)nL)bt z)RYH)?|0K-;XikBdmyc=g_2>qvIQujOwhV@(S->;KY5`hLt-`K5#(t$0gl4|Q1OHi z6bN&Zg)dXok-2yw8X zm>ReF82&~}v5aR3D;S14w2eJW!gjHg)CXs1h)cj?nTe!=SElD9N{a1k{pj3nLC})M zx0g2J9mMTUv2nosp$IT7H&Lx0{6z{*LzeeOj_LbIrIb@v(2~KN&K)MMy zi5Ez zlmgV3;Ap|vVUt?EQNnY9f2?3*&AnDjwNfCZAvZ|?l_-d|eldq!M0q1hGq#gllN{J!{714rue@X}Hy%{*0P4dvR0!S@IMi=D*lUpx1)#WXfEhoYaYzb<_MqHNiIal7GcMeP4lo++%0Nbat_rrD<_3}cc z6G9OfMu|ePB2Pyfm}gy8M)<{?eFaV9p7|iXT4cJWa0a9k)~+Fvx?tX;)q^9mgISIH zhSMH0U;W7feDhCg2#(D`$Fx2q&fAXRZRw`*N?BR6w&U`+MJmgTGy|&)l69v0lOgo$YCK3S5t08)14yQ-ukt-qD2&dbN073AtL=Ni z_!PV68|T~0laV_3YzxVzRu<*-{%)&8+xCHFDxG$HM|yqq zTR8l(%60wnm8*NA*8tMF_PxZrOx_nDxU~E9y*aXa0noK)mitSn?`Z-b#(z6t9+=?u z8(j9R#JuI2na>B$ST8WR*cbEri+EL%m-e4mo2?^KYa6L+&qZ_+qm7G1LT!XC!zGU& zDc;Z7=^E24Qu(nSmXaG+vbe*T^OauzWTj?x+MjRewP%z}?YfaQ<$M1Kxqe*K(v>;uD@Bdt!2e}czA)mnm-V{N93wI0q2*0yA;$FKKXM7Cd$Ozb5Mr-)Y~ zXVNg73>6G`=s$S~x@)p>*JY>F#|2>-tLH1ebiiJ@J5-yQ(fgZQ|WeeB$GB zYl7i5u`Uhml=`Ci@2=yP26$EafZ6Oz#!h!8n_UZb)ykXkcbcMg@$)U1Q3{gV6w$G9 zJR5c0=WvzaF1)V^I^kphcc@E5+rpEX&c$w;RU4`5vXi$2hVdo-k>cBuTdr%hym`;P z8vp&vhLryVOm4zHuCMvFnj*qi~Y*sxpmP3l)>P@`s6K)6c5b#F&yn5lCVjz z-Bo(q3p%jL?1I*|nrtUC+Z&AMJWBnDnbtW9`0L`ALOKMO1sg%7#Tr zsZ_-xD@4)n1rY+8lTb$BH@lc)i&FiD6$#~!_cJV}wq4k}9ArWYjfSUqGjV=b_09no zarhOeW$(40JbaqMuuU_LeXiFZySDG$5WsAs#caeI!Sk;W96+v@$Hpq4`2et;jCLE6 z(#uxu<8FGR(?8;F;MQ#}tCE>(J;e;X0`u*iz2Z|+9?b6~N`i@>dkWm5?}BOA>8XSN z$*qin=?(caPSy&2xXJL;tLauBw77q~L={(YhS7L&O>%bhI6UxU=S*g6&2OdvFKQ$G z$&QsvycwD5WO}fh>cV09@8w@JbA1%GHfs7R{gpPSMHhn4=H%uVUr)$BMK7S&l-C=` z&eyrwr86UMe~vvIDwKTxcT-faY^>IgbNulXFIsdu3oW@_|=1 zRv-0lEl={n!*{_PdW(UstH}L$C@iw}Ewx1tXR(I6tygq*D@_dTj5{nW?TtJBTe~Ku z98B9c?n6Jn|E(K@bOy}DZUobKZ7si-j+AfQe=qDvI|Rmm9^`^v{#z~DnNTp+ zME~smUj-OI+QD(%uMnBV4k;7J`fLin(vR&UZ}}i^;i2Zvtuh3%X8KkY|I^!zc_XK@ zBY$^{&8x?wvtcg0HzQWnx6s&O*CHdRo)%eeAGgEo~9d$VO#J?w=vAYPJ{Nx8*IT@sBvOOIC!kq1Pe+Hi6%7022bC ztC2sjFTIenxycU#xHg}Fo1=2Xgp|Yz<}<&P$n6f7nfBh_L#Vk^C#3hH%OM}^)0%ED zsmdz+?$I5je$ox|ZhKdr(D`RILK>yt8PN)>G^iEb6?ZqBfNm_9lRwx<5$Y%PEpGsu zmpn#5=-@x|@7>8paCyR$FmX5skR_j~Vno0)udAQ{;Zr zikJabk|Wm3qw|kcd6Yr83~^INhTWk`dp7=1a?M1%C6)mK1%h%7fVDe6UJ+FFRrIEtn5_B8K{J1Fa+_xY61M2Ug zmKeW@X*J}BRs_%}t8mW%7Bxa8?Dah!471s>PXG>W0GnP;z|RZi#_<5)&!M{&`o;C9 zFa-D0Z-DC$)hnCkXRqxnXY6{}?&w4Ls5xdZ@B`yn ztP!J_k6uS9%!>mnkqdn=5F8-#&MZt{R(Q41|giWLSH9O|(TPQjuZQwf^t zeqLn{WyH&pS*Rz8j}Zpw!H6;&dnXsq=LI#0G~=1Gz*%rU%fa+nyCIPxX$mPfKZt7v zoikt3MuKS&mub`kB!*0Uxao&+S)uCfO%|){Crf4l3pX z{Q~JkrU5AiKFXEk-C-AIOQ+k7wrhRGSeY#2A>a zF72`F{`J0a;V%qC8vKb41}^tQPM!VuDH0vs%jC{}#G-FmB9&e2(_olU4T2-aOj@?{ z{gjbra3%S}cQR>eGquY}dU|TfN%O-AKfAs&f{LX=NYOcYG0uXqghg>QCgm@-_A*W9Bgge&)#v(8|z)uD4%s{#-?=!0i!z zs?C(#5m9;E5}6*e}{u9g5$(eUPTmfC=-)@1p@8*nylE4I&8&9V*O-{2ELC`5{x#~2|lmaNLPk>mfIg|3C$0h zUUALBxiA*io2KAM+kV{m&`yE>RQty8lKOe%ZP#T4&mUNinK!!^un4B-H!J9e4srv< zk})>YBNI@LR!v;V>`#>F8WhAlfg?z8fVeN&2c?W@0vq&a1?LF!CkqtB=wr@006XLeGr8sXqUpu!>bq8S|<$ zaO5EupGL7?cw8%)?8pzw9nw<|zXIn+yO8gyMbBoUh9Iv_Z+=&~KzN)%hu@W|!$$-> z#&4lkVW;H_A*&bk4M(r5u_V8(beMf5m^3b!gf+ESQU?JXA<~evC@smZB{O!MCQ7-F z&zZ2R1Vq?aSaP_j={IXV{{=_?_f1a7zz@7gQz}~j7cK;_`bXuK>db^qVeAeR<5@dM zTbkr0Ra%h4gqyOD&c!N!`pfi=pgnv_#3L5Ph39*dS3G|=9&6L_~bc?JfG?Fm9I4lX2 zr$!($ceA`^IcJDn)wv*Vk5<8?eV`*tw10|89J@>Vq}Gx$E@c``N6?M9qAU1Xm@ z#397=p$D3%kOiD!u5ZM&zb(>#ax-aCTySA~;0vH~2Caav=XhQ-IqE7ViPgI&T!x2< zR=C`RYE-c#2Lsfo6kYh*dD&t_%+&X}NzKY(z9&zn=o*%YiWRNj_Zvg>wD{!Yvq>Jq zGxo%er%n{Bt?s@q8qXn|k>oRu1!qWBG6iwTQM+@MhRjLf4n1P3xNuolQRR#=@$(Vs zqYu=yJ!*@cvL05?b)!G-u6X7h=<00%Y~zxKFjAMVdI|9Q@u3tQFMI&Xo&8)C_D##oLD$$&Schen3}? z2rf^Ix3TGmk_yn{f&|DN(x^%l=-AUACf*TXRU{%@jveqh0^C9)8O?tqD zeFjkogRNO0xO&?f)L$o}(y0m4^sebaS^MMHBy+s~Kpz{|jY3g&a{)PHk}<-i8b*-^ z5sRR;N8*w&l1rho8k>C_CY^oZ#RR}qM5SscowWT5DGwoP@nfzchxvKVS}f2D;&8FV zo|Y<^4asfM9B@x@+Och4EH-F(MPb>yk`h;H&C2C}{V$r(1b0$5rf5ohw|M)wO7*K| z8ymwxq5-t7;-Ex1CJ4ut^s4@837ASfHbTU?NG)UN7S9&)etRnYu~=ECy(&Ll9+k0e zq9GXAO=|iiWAYY_NQ}?8R&?9%*-z#T>mg0%6v#IAC}YD;>v}zo+C@s|X0*(u?TXvK zTwA;IKuV}kXPquAc@Iqq^Te=G342rsUK3X22_;!2XK-u1{@$LNkK8{BsiNu$Rp7;Qb0Dkxl zvhZ`J^)Q##fp9&1C-`VB`&bvIB;WL7(s)9FHNKqCj{TDgx8a(mJJJU{FBMC|OzR3! zK55QF2-nk0$j(c+A6kRn?KYBs(~HFtM&ceiTtKSucOcM}EAcR1}Z+M6T_in=<_Bnk^>QvCfm7)rtStpB`#R%IUU%(50 zdVJ>}QNN_)hOeYt<1e^h#N8;=W>O}d6Y=P|`f?pb`zoSD$Y;8od5pL z!35$WKm~#(fbd`Q&CUHSS)m90ZUyW>Fw)kGIYEbZA%OjCBF#_#vGRG*X9?mnOo%pS zsd!?Hg@pN)S*JJ~+7H4a%+Xa;?S(G%9VDwZ4TG)8paW{>-Va4tza~Vu7~aMd4^LD5 zsB5WRqs!?GJI|GqRVaXr>4wADm}mMC@xbZ2$~`JtLy}A*hmX^|H5PaTQ?znwLt`vW zM#Wm9wVCl-`U+5+twS7oyh?qop8J^edq8q}KnDwV%p%)d8&^X92Y}Q@iFDkP!8tB;7 z&qyR2RViAfB;w92c4qk^;%bRA==&(m+h&(nttl%|&rX-SNn8xQXFRF1^34@8v0O+b zOlmIN$OPG2EyK_6ZLi5syr|xxXh>9v`z)@k{7GK5w6Z>t^m zMMbgeG1uIV_pxO>DMP`}qghXbAl5 zqj;GIF#>_ro+br5xb8MFJpWzsB`Dk;(SK31A!UE=5D4$KbKbhMh|l`DH~MueYwr*0HdJBP@WNNrdnU+0k z5`<_0)WcCJ0h}2im?4MK!zH2o3WjMb^UT|-;8|l~UF2ovKs@iE-x`aS#J80?Gl41-sKxD^{!%(=DbIs=cQt`vw5L5|P`owjl z;SuPxDy>ENw)IhLUPNZ|;IDwbEJg%j?{KgH?$;|Zw;m@W;UnhE1$`_5rryc5am<`F z|1bv!qnJo~Af|OtFn+Z@s3SAOIATBkk)V8_I4D8Hz3{2KL4UZXa+T$@`6N|I9{B&} zyeYLk3f89T%%hM)u$VNUO8TWU)Fn%KGMAip%?Ri?XYa0w5j-0A)<@c@e@;gL>aGgd z-i0J;7yWJ=WYJHlFe$j3Nx<^^B0=Ewj+JB#uw{GNVu)5FqYLhCQKM@j2KuEV z21ZJH>(2x@GkYdnK~5Ys(}t<5!O2XBrj^T0!M5E!Mg625qE1t{>ZN8_oK(M0$;CV6 zA5OMQ-i}dConh|tlFz4qXr5UCO=F74b#DJK6ZdjtwUBd@ngMp? z;O1$j5E&i2Ts+MZhiQ@UPUEstu;59 zbhy&AxT>pUKhqAB%*{IRCvndyVU}|C3L+Zb%o^F|7qp0m6U?nK!OVAw9zvx`rhro} z++{$xv-vvc`I3S6L!l4C@N-qk9v2Ap&CMo&<|LBwK3|Jul|lEC=|N)@)~v(fqiYs+ znXeulrv7e1aFq9`EdL^V#)h(jQB@^ld_@QmR5qJ$b@4Eh^HSyoaCe<>?{sDdd+ z)3DaV-X|)R7sQdreCGkK`2`4G(m=JoTD6C!5glsBc(M=8f3%mxa%7zeJZw*tKPi!^^4(V{}sJ`kzjk z6r=H{$=I9hV}C!5_Uj;qI`mO^MwJ!jG~+4HVIB5PiQ>zh`XFeET*dKOufO%0v@S|z zTL^MN9-#JYz>*peWb9PEGeY&_`cZ9F4Br#GYZ+@n&!dL;?VrigbFhX3v66DACO3Oy z0tXHAi&jhsPW?uegwGJp1uf?UVh!a~-Iss?;np}P6WaVqOV{2_aUpTv_NDc%G2H z4-kAwGu*Z_|C;Co}dCi%BvDtEXz_S+>BNY#263Q}0-RbO@_+ z;#+C@GUu3TxSk9K~5kF%b&~CI$WIj5*0Xn=LlO!Yl#k&shlJ_6&5+9E62MR zw56`Im8rMpuU$)4>qphU^+PyE=bId_WMsU!yqP;LVfLIpP=!bOH@jkv{r&Y(Kv9Wf zOs(IS;4~;b$>9xT=5QuZHiKY>iyVQeO;WABT~CkDddxo~%+<;73pJ^| zaX3rPE%72eY@4tKjn~n^>SGbqx*!#(EB0$&gik8hUNzK|-Ild!gj&Q_jw%gVbvXM@ zdU@9*PVH4~epx7fTA(K7tSEZINh~5hDH!14cY7R7gW5~K@*-$hoBYhi5uRU;0D=8^ zuYkt>y*Go94==CT=N$NFcXt5u8Xo`V?iVcPmR4;wg%R#TFPz<$dcCv3cq90f9pvd1 z!YgpF^R4o2U<0od0uTYBS(<3f!x_q+C4Q)}U0Z@}5!WLRrffVcuY(Ufbp)-dYo#h# z5fD@Ez9#0{=m@F(R;NrML%sV_eV@~y&fZBVL&7<^#R2WUHT0wN7H=S=>OpAit4fcf?GJLaHs z)*vB}Vk?cOojuuMh@#3I#RJ#>3uvp|hCBaaCHIlir&GX%6-0)NBLUuW)Q^PkK87Zr zJ*7u~;68J9%%2a14HL0S80%nosV5m-M~*esT;DgY-GUDxe6oN^e_s(~Q04pyihCqf z%Dtr0)j>QG-RKmR(wfv6@c84XB&5wwq5ijBJ0p)^ z&;!z~?>928`l*o0mmykFXx@@po;X-MShtJr36pu#Y*ENM5Sr!)F(MfGf- zZe;{kG7_-M1D4yLRDj8=UM(=w3Ut6Z)PwDxK~4=Jk})C5A!~odUj~shCSn+po&;j5 zoDo4KuqnA#^fEz*;{Z=r+CUSoeC8T)Z0fIWMOnSIwS;ts(tlk(%&fD38Q0tHyL}j_) zl+s+#^5nnZ8VrtNmtee8_kr+oG?7`DKi58^A8r6NnR9dytDJS3a2?Q5G+EeKg5zwT zX*#r16p+|L@QQ?g3sFW&G36FMgNl-;qtX%u1HBus11~TVmFgheP!g?!UqGpoBI!8` zWgPQfQLG!-V3qZ8u^~4wVICASa=#;`!qRb^Gb&JYm?{e)S|wJ2EYhkmgxQ^1qaOZy z`XFjO`hPIB-%r+PQUEJiSeY<)*oIDVx!R;NwT(2|7kw@L;Ebo@<+u4*=C)0j0Emx|&bP1K+dad&-v3OiKuxOL-AL-zTn%w81R!^=b2uET_|_$B z@I%oP{jj1yh;YeH82f^vuo?UbjPFvLD_HuFeIfFa@@8<2udXM>4($HmupfXMjGOYcJ3fnb^5)ez}KTZ8^Io z@ySo$o)4Q|MnLYb9NSBQmwOxk!q0DYn_?UK+pOxP57+?yJ7%g2|90WkTaUnG`WUh{$L>WD*Ia zCV3RnD~Z31Pko_N2q+?jQCU{4_}-uUlv|XDpe!e#HISPo*aqdx29mi-ETeP`Ci52K zR2ZpQ;DTGIwwi+?i!qYhGi?&DgrI-vFlxLYy`SVqDOO4=8Kg#Cg9O zd)6U`9s;x*C3KLWX3Ge;c>rvwR8Z*Cx%;R6i5iu*o05Jm!W-uAGwl@&8NbIZrk6Ju z$*?OtksMkYHBb7R8E99{%?)ritALz{=wP5At%_2}_mZBbD65Sk-2bUy-`wWYbC=JXPI_3}6PvNf?EbVq z;oGvvM6duIyMd?B5U<*<$+&5Nz(g#m`qCuOL@^CanC|HiPu}qkR9mNAJ|+w?yMtzX zrA}Wc6Yc?`b5=f%BC-V?Ue8}TKnWDYO@V`lG!($%JS5o(Os+uW8AW7iPOjHehFFQj zfL_87vLuI-LUK;EuFYsiiR`27iTx=BtuaxNAH)~u(^i2vl7dTM5<0)f<+sw-jf_MG zig5dXV6xu?URRHH9w$A2DksYwR|Ujl0t>0cWR+!k!eabf=8#m#f}*;UgWR{JAHnOo zQnN!&#ydz5=mas_t~10830B9M~k(OnvR8rSR{0T*`d1_z@r*oz@aJzekf4crhtVesClzHgYU{ z!)=U^R~054sSfWL&E2_|s@ZM31%h7SLB9AW4+;Q+R-I%D?7jFAw(IoeqclF1SUAT^jYCkgPcLk+{x^- zgVC6{Lh*FAG5%|k>ysBn1z!GG5v?p@0;57tQ<*Mum09nVhOMS@2L0%T)jSF_tspRb zfQ3}T=sE@A^KO4TBJ4k6Gs$^&DNbd^5@T?I-T=+hB~bHjmU?>ey>x8{IB7OXWmJ-} zYHKf+(e({x4lYc|a2lo@>-4|(*O%Q3y!{HLwPL|rxUKA0y$5f&kTNOqr(989sKHj~Vp{RzgJx`8D2>K3ew{LTrk0IEGR+i>}LcDTsE# zL>zDsk{!$A_HG%J#1j+KW5#=Y4-oh6S1Y9uIE{Hluz|Qt%@t+TXPV7BY!BnS@|@?z zk*d2c^tD8s>%7PU;5a8PuuT5qd(JlscHwW#3W;A7c&Xo;?l%V69-kxzmC@)Qvpctj znzsO~OZXi7pVR#gj!*FikX<~x_)KR>m@Ma7{eCQ`V7K0ZG$Ug5B6L2ue%DS>bY~z4 zuLi~Jrc6%Jfl)&Dt7>u)TCopKdV7>&eJs;V4K0BCc!UnC9(sBz+XXyIvHh6YUtB2U zqSjS`t1VG|Q?Y{cG6kdouiD^kqaJN_D?tCEI*Dt&iP6u_?c(tP?9aFO^zB|0&x893 zithfo-zl-Ltrd#(`f=ZYeVY$t%&$%|skgmX`A zQti2WEBDFkiR(a0OwH>SP^f+cd2sK5Cfq#6{?;Jgn+?;Vz_(%*k5%?uj{C7iSZ@vg z1Og&T6yHk==l&-wx5^Dl5mZ57x%3x03Ca`D$F1I>t{@a2NbD7#Q?YBsX(`{CdBB8x-z z7?4M#G^EyAlgu+H2p*>a52uy#_9K0bTcMTA_`X)gu7<(pM&?eVZGJk19lY#bKJSML zL6#%8#qcYUy#dbWd+eC9*MgKBEV|s3%8Vbk^$0l_<>eXXgG?eLokte|!;p5O3x}6> zj$4SGI{&f_>dLCylp>5xdXWP8B&1tU6yaJz_&yR5OU2#$(@lRmr{2eaRu3lyj;|Z< zkO54k<2y9H-lN3=z!d?U%=d05&ezS~9EIF>g+7p3iG?keexihxhjzk90TGhhA_g)i zK={MCNtIrP)2P5i;n@6<=SG1V6^@q{k`>l{QfN48pt$E+sL>wF9&5O_LmdTR=z+zf z4rEIoLUt@U$BE)b!12cdbBas0%1P!{0z?Fj7;M?cZ7;4fZ6P7q;T1(YeiE>U) zt^6erx&ATM5L>++eSGe#=~|}z6!8e>^8sZD>Eyp>6**tlWUCnqJzZ7ZXH>8a<%mjR z3G^=@cn#}2&mW9Dxfyzr+3J^iCCX@vsdM`Yp#PQCDbR{2L4kMQIVCM7%d%!lBWDaI z+KJLWH*184HL$xWO4FQU7rUq`zf|0l}B{YRTj-a6wRxJ#TPWQObaVQTIBKtVR=`aS1S4t+cEsPgL-^N*)B*A{yp`YJAU>(Y1)< zQ{d+kJ;AhbOJ>31hi_Y?M}haP=ShRWu$`m=)vk0Bha)yKq zQ*U<6SoDnp`aIfH^mr7ec2d{yTo(b0&H>F?z?+}GzueqqUIaM4dtV+-*AbC+XqlY; z4v3r}OY~Fn>^eu~8z<%Xy0Y?c2{MEf+Bm7J!!Du$Si&4o^TGmsfcsc8X}YsQNp88o z%gv28MCg13EEc{Nn{|SI>l72{6&$JDO3GPJCS~gd&7+x0Irz}cR?1$)MlqK88K9TF z@O*C{_cC?Xp1^Fi00?+#asY7dplQe7WY?izaNHSLV80HVda? zA(=uXog!lFauNJBbY$zy{5O#KR8#y&__mK&3=#WRTYJK1{uGWP3ihiJkr%J2r(7PM z^`=E)doPIfSW7MIRfNz}_ScVg^f8H(f>gM>r~KuY-Xl0z1wk~c@0Da$Py6`rSExH0 zVFpLmC;DEs%@U&-dV}Sy?`n1qaa@E4?sh$JpC8?tyZVC}n$ps{OVyZWH@6wB4^CxV z1t}j?W{5#b)7PG~jOqb%zwu!#GrCGTHA(>XQz5ZzEkFex1m_^rF-yz{;N1e%=XEpz7b}GhpzyrnJ+eV02RHp-IE3dY{Ud3k|Joe4i;%0}x;_Uy>Ud7u} zsrH)-YEVjsTY&0tR~{6ytHuNt{JS5~Pk9zAdbA*AmMh)jxvF;D`ubt=H;dbeyI~m! z0<=3kuFuX&0Hgh{5UW6&&w$ySo7B(VkjyVYH*fG!`+!nUkwE`DuY!tMA zYXPNYHej%O;B(jK`Evb->@~Xh)>ga#^e2U;CjzbR{Po1m{O_=Q6(;%pGrQ?8TkhJ= zDptTMD^SZ6V7vQ->;tg#(EmT%SgU)B)Oxk)t2te9s5MwM>gsP@9<(oPsk57>ZEMyp zd(OAClY8=&oyw~-){ZhWyOSLD6CJ>IdU+i$uS(SE)ID?c~n`r=1*s&RVLDQ)vC|K#3Eqp$9UZw6dl(NS(tNdfHL;SBJ^QN;CA6N;de5 zG`he5B(+f|HH6!}Ce!^<(mrex0~H?m8}2QYHvKn2DXv;;aVXuN!)^`)n_Zz0dBR-a z);$!mB)ar}(AWGthT~nzCe$cLbz=is+00f5G;hrj{2>;V@?@|^O|9u-e<}L{Tqf>EllkT@=uG1>^!?5vl@Sw_ z|Ix7KAUUneSiTwu^Mrlr@4~3%=g^{xp6RwNSTS6bWb=2kBBhts^Wd zagrr-naZnLR%;up;uf#`q%QZmH7vPwX0dhFG@@Ou4g7WMXd4*L-lB^TSEuctbj(ph z5sN%$;`DHL`RlEW33|rzrXYQMROspfd4Vcdfv^p$9^?e9r4?P>Gmo3N_gd7(exV8Z zhF_%gqBAn3N*|+kbmsNsz4R}>=wK-Fc)d(>Eprbs`NXdG6kX>C`iD>@j6i@li~<2G z%4J?w3JTiwr>Q!`)53HecmhoXi<73BEiS-Ju}0;9w}5APEhMQAea4u&+6G)Oc zMx>4|X_OildmNoa)ByF9Z>ZxDD)8cW?Q8$(GmTPdjwRc{){;TYaf_FQ%=AQ#H0JhQ zmB;pFMYgy_^#G;wR?2HqO~6u%jn+5wAF|GB59Q+Hp%@P<0kshJyF+BjfJ17~nmU)7Ea~qxEEW=uu8B2R8Sbg84eOJATVOENqh|;Ct<8v&$ANmOI z0QJy`hHqcD2X?OAvoAe)&ZmZDCQ<@dJa;Zw)n9qdz4|ttY=I}fLZyCKxQv6g;4ym;|hlEjn%}JKOWQ79d@}-{g z{guNcC2{`C*JCRl8NLM(I)S*~d+V}jw*b80*XegIg=ADIQvRv9ZPPmd?FIm!`zs{# zli)u{5Xu-=0X0Stwv7Xu2ofd*XA<GvNVknG!B(p+ZmVrFJ$IrGQX zLAVjeLsKmX`;xeJP#=0eHS%x%9Qe-ne6Dt-$$jh-JS5T;{DqJt%Sfq@O?wzJ(WrkI z!Wop27_oE9`4hBX{&47m+4oKICm|>}jlZ$s=5Y6KsW_4NIHh0jsR&WKBG+Fi z2PF6YeTtanjTH_$gb^DwQEiOQ!^PH1DO9}Qj3b^0C#|ZZHso_`0V-)9`1bcuhrw_q zP!{5vxNwSd=6)l4ENJ2nT$;GjpJd3+oLE5l8!XskIb(jwHUz&C0k|-N-+7q1E142c z+9r8YvsvD>Tszb&opq>VFLEBB4i`SYo!-x%DhC@inDLM7le=d&ZQzQwiAm8Qon8IV z`4+(Ptp{w5{@(a8!Hg%LmW%Oid(r^Awj;29QcWjr$`8|)+VyOrC%34M0|keX%v}sa zXQP*!DlZzBsHBEjRUrot(o-&Ujhl`vZauw2lKf7i$#@slaOK>2 zZ*zb`;tu_FXLPgCWTHI?Sq=+L;)Ij zwl+_FU+z^86~`@D-WQ3@h7k?VfI2BC>$Dwlyw z`x;PUhEX11Cz=#z54d@7^3p^@vhU9os&dMaKZM$2xL}mobR_3v{V}3qA#8{f)ckK; z<`~Oose*k&14BE((^zD2!5U&BJS_oIm4T_&9oz*OhM1BWGHrb%?6Jc|Z0%oVX=m~b zG6oxE1r*_Y+76BoUkYaDXx85W_l>PM$5OAipX7HHex?~8-3XtSp-s@go zkgPaGv!F<-JF^`Eg(QH$CGx1CMRf9s-VefJ0$?wYvPI)4IOykHe%PJ(%(o{tY%;%( zeSY(GxV_B71e~m2JFoz54$e{lgJ5sR(9u9(QL?JY^&-xWVk28ADVMr7_QUcy!y?R2 zX%s+hhB{*JJ)$xgZ2<3=nPsKkbl4V=DNcu89$wesUcl=1dOW>kG2!ksT^RMxVJ1oi z6N4O4c$WS%lt$jS^rTe)eY(&fh|iVWUXD*qGb2mf#YoHauH_#=WlHH~SOiU#{OG44 zP@YVU7zz_kr+?#Y=*BeTm_&%@F3D{nPR3Qc7{F40_0=Qd&AvmzR0qpf7_Rf8>v(2D8!Rp_I4!B_AwwRv}eH5oGB+22=eLQdWZtIMWyZ3-s0=W`_${td(} z8*IIZFtICV{RdqTC7M03;?)eTtU?^Y+V(x93oJ^?@N_qIm4!>+hu0Vx_3)=DO^6A8 z)bmZ$BXfJuzgkK4Ru76fFwKvHu#=CkOMGvmzis$swT_Iej<#Nkrzq~?GoPiTCwsoN zeRO{$`vKB|yLGj%NmhxvM*m9>BJw^N3E2Y7G&D-sU*3}>ti0| zn62-XY=ed$3Q+awFDp{;Kqq=5$ zs|U}BD!=`?PA+!=Yu_YE!uwN)Q+$d2B1OIZ#2`ePXi|dXztAMQJVZrWWA$n(L}`{} zN2#1Bbe@CR(($i%yY1fwoH|GH08YjB%ZBUw_PmB@M1ceyat&5nZKqhvyjzk9s z9MU4o2&~e|2Ls#fO_GCO0nJiFMo{vSKnN)EX}?57d6Zqz2hms;y4A+hH#n}))D`Vo zMQNhBVoJV-YiJjQx0Hjq8(P$_`Eh06BPW+OSiq1&K#o4j;X#2|>Q1h{mYos$(R4xN zRZo{Q7Bmz+ye1|og!T&sA(xrKpS$?%^F(xy-IhS2O72x0*ap98WkeB3;)Y8>u1ha| zWB4tNFFQB2mJ7nNblQ#qfuYLHOIWQX|JWG90i{c_To&O&{tU%`;3{Yl80MIg1U|7| zhIpqqHZw=CZ|B)flu89;Cx2kSzF{N@7Z4v(DrO=n)HWa`X)p=_4~0I=vrTpXjt;t; zX+Z=LW}m4(T!}w9qH2YAhf)&7+PkkU4%5?+k<8bnSHlc}JG*~3J?58u-Bg1yT-~6bP?r#iDGxan)t%yYmFqe$L%*ye>`s) zgGxVtR*;gS(ynFHPI(Ws&(zIMn+??#M&+ErixGru!A9rpL zfCw@hfr&Iar=Xz}GR$X?G_~nNE93ap?=?H0LWU;lbg#2-Z2$d-6o;Z9Q0+XZK4=M4 z#Ugve$sPglpL8|_B|qXAqp?0*dT>xtC~#?}1C}OMdj=(17xB1}$ph|7qFa%$lS}ov zZwui!*^%HhMDEqrC?nDh3KNfH3ZS^sRcny_#;xuQstCkjBVX|v&#Xr-vT;sP8*!)` zGhhtQ|D>sWtFOG}829ch|1SW^5-cb+=`~E^&dV%sx)xb>Ag`Y>Q>`?3#p!_4NFTC&f81d^vox_unCS|Sv-xL zpH|>-S}3Ig=%-s++n!VH$e?`_6a<5jasDcI;YCf2TCW4^Z#*dgvyD9y;C{pU->{K% zeajUq(nWT=-fScx888hMyO{Jea~%=?5>aq086xeo%1r|VXa=?e6jS6wj)D=829_LO zP!t7-+PQAD*=DDKUE{2HfoW64xR!5+PwT(!?qpn@_fhG>;yJ7=CDVE@m{OuAXjL78ufA!gmW#t05FclxaHn@m5iAG<>Z=Hoyt|yU*da01W&-W?Kx_J*^%Q> zoeU|%G}o|f#ZLZFnJTAvqIYxtM`9BxBb%9>wor%7+TFn9rI~T-tX|j@wy<{vKJ84d zznYDmkjdun+(4TW_0DB_NGr?T!UQRu3h+2wn2`6P<9VZi3p|^C=A2;Xp-i)T@6H37 ztY2DPyY;7C|JR-zH`oBQ>i@%H{O`eFZ)5+xmuD6K-|wZ}f+HC*SIh_$i6u!IaIlK% z2RR;xNFB?;Fti7I+g1 z92|3Sg~Jex5#SU?ER=B&IROEl$m_=(Ea5x^0TNPJV3C?Tp|*ztLIs*KL@6qnI*$b5 zY&++B8Q)ZWHiwXAvZv|YH2OqC(FwWQShifvVzliF51DUQ_K+#L$V_0!P_wg!BF=hV7P@OP6^xWN zH=^fp0osamEmv=LKw6!=cTU}uxIUu1X985GfpF}E(L#E@e|-iRo<=BeL;0oAp6zEfxK`GnoS&(Y1 zaYjyC9dF*xHMD9@DV3<2LG~kBf*feKNC=%NP923%A?7<(ON(3bYU5o}`Lyc)`flzW z+W&{cqW(X8ey}^(=>PZetYH7Qba}>M6hIp2ygs$!Kr@diu4F*@5_UQ5UFklvUW-g% zYRRq*RpfVFr`(=AV2*sPSDE8;#S?Q~mh(bJc|IgyrW66s4n9*dEm z=Fhk9yvt*Mw(#>M+Gv}*G=Ed_u1czn{QTOVR{5`ZM*S2e-z^ZOI6&aDP}?FO9PG(I@%${A zOz=mUi?dpfe@PMKCWVAVQ{Zg8o*`4N=HsQ6XhI6owhrh8rF`hw`$p)_c1P6T#t`ut zP!xyIN5K873*2*e{Z7G@aFZkqm*9^ChIoR-#w3nqXFcaN1BlBD; zj%?Scwk;u^V{L@uGt9uYCe_i~Gf`Gr!eZp_c+T;}_<|`Qsgu1$dz=}#B;BPOy+B@L z+f4H;nO?7a3DJB^d8Jplf>Hc0y^`ng=b0*1tq_9rnu(bu8d%j3v&GQkD6jgV`AFDHiU0 zaN2;AJz1f}W(?UQUf3_oTW5xXuhRg@?&M9EHBT%x?4x-xb+uAP;*=N|OGR{dXHKe)s5-{JmX z|9R>BcYhQA`CgtC^#AnuSFwa%HXGJW!#cU8(j2Is>H95JX6Jkvv82j{M92>{TU_AI zm+7BP2fPJPJ@6{`qMzP9c^9i&q3VoO=C0NGAgv={<3%XnTS*eY6faO@wiO9OR7crM zwGHdSs3>BVMiLcVo7HPZ-yS$0_kuGPp7HFRvgCvIBS=V!rew z27krTgxoAI%9iQBYFSdXG$8gZo{W+zkAUnyiNd8=U9J$A!G-9?0#O(iY089Tx1;0S z^?7!lM@uS9yV%d2TBmDh1%Yy)Uli9Dt?HEPt+-q4=_}DizR%Wo=}A>OdCtz(RQ<@- zu?)^$^}=0N{%VWbh-MTp-LF;!igM=?Ejx)F8AS31Qbz@$yhPHE+1-ei`w=adXjy$F z@U3NY5`~P!kX73!xE#%tO9g<@3l-!&H*qWGO+M6YY3Af>uu^0+#2c zz~u$NQGh-+)q0d7UGF^EI^7J2_Su$R;v^JM#3@D#B$Kq`34kF*FjxX#D(gX~S(#m# zRHrJIdsptltJyZ^XCZL)jm6+YJ}hkU4(+hwUhS^C1KbcrQ$BOSa3IH!h%uCY1o>Tj z?(aqiGClcA91D6mmVK;7@^Knj2wcq&Matvb&=@noI1%jLG#3hxD<*?VVPO*r^yHn| z|5U*Kk%v|kOXjAZ@hh(oOHTpvrX!(-u|L9;!mbB?#$gCz>|cTjri`n*zlbBModWgz z3=}Yhsu~l}lRie7yc9UAFS@5w&6@$BFbc>#C7c4Ih7~V^I}QN59ym$wwwtalFf2}zjCev|X491!qz!rUbF~qF>H8@sXgXz~Edp%S zL6CF?b%g{yE%qDfIhqnx7p&~`o(E3l)CiZ>Y$=dS_xKP*=*rBbGDY?9>1oemYDvv z;@HHaA`pL6{QO2rEf2xQgZFH=PkPGiK1^ZX`8}_RU0)kYGD=psA#aw;= zHF8b&RIAO`?X?$h&3Iausj}YHl(nw1eg@-%eH8h2`T)D%);+_*D2xE4kgOlsdiE21I;AgmSrrQEAtd2BvZ zgbq<5S*j7Sb}6?N0;V39%K4nXt>tM=tT6azoTfe54#^dwU|XyahhaQ}V7RlRe!flS zh+-cMcffWM$K_I=bsUv*w{G6b^32D$B!lZJpeg!zst)Q8!|*lc(mLh-`s>dYEr9!f zT<}>aZH!a!tSj(r=Oy=Eni5%w+=OGZWHJd+<j?7duA5nPLtg@BCECZ_PcvD3Dz|NyBr= zL-7h*yj7rUFqlG9+4fF(ztL@EZF?o1TtNhP`JFL9| zw8;O#!Jy>-u|IgWk^lGctR(-V0MXQ%sEoC#Y1XhzlOttCpb(Ic6jHGiD5FGIzsPbE z1qog{zguJml1%dPI5c1EpfXk2!|W>C-Xb-j{12RmJJq!xP+XDL`LE1=cY6P0Fet@; zem30P|G1ZDh54^8^W#Xx%a=EAIRR6#pEtW}eWq700TegsW6CMwdfqp0>rK#O{Z`iL znU@{qLQTWz4toKq@%gF7S+@6{yowedAT^mf(Z`rjt~0qR0N2+q9&KMHW90Kt62}-G zEVtcHpQ;^<)z{2AqoXkBy*lU-@H-=s5RNb0PtxS=i4yA4|Mm5?3qFG}WawZY^kk5` zqLJpi1cw1Y(E=wP(clw8H)L`mmUPSk3|8LWd@aBqzhCWVrlhY z;tv@UTIjpF!&VJxCVUAQ`e&)Cv^MsNv9XG6*o#Chv@9G}U5Ra=43-|)sZfaJ&&+mN z3#G;{gJ(gEY%3Mj$GrxP3kJ4eyud8N`Nz~mFSH=#iLUl=P5tUO&y8DD6B2iD5?!t2Qhm-}solCSF=J`;1>#WL&x%P_QUb_4806zUj z(E?G1eiSc9FM$53OXa!DE?OMq^$twE%7dq!+>xcl4h2^+uY7jaXu;Q$4m=FabMrie zr&a&If;7U>^d?(?R{QUuWdGeAZ1R8K%d>+1|Fhx*0LLWZI^hc?VJL55!D*A)pE8jy z{~k^o!hfF*+4v51WvQwg8*^la}_ML;*BVCeZBJ(Xq6*M zb6=={e(K0PTmp(jH&LYB=iq|ipiFI@8!VOy%A{i$iWZoXNL`zd&e`=DC^T&lWhM!Q zbl{V5T6(&bo@k|Km2@oI#bycllRRzm-*RZ_pZkz87zGrrwivX?|7U~YK|%iS9&GOa z-Osav{MVj92)s0GkVVGJQU*b)(iE0be0A}a$`~vKSZ5qEfnQT+F5|?X-!XJ^0m;_-2kU8URlCN^tjaUpOC8g*mdvF&$g;YG3bK0ONbUMY zs=u{sWLM%^d(gtwmx>)t20?=?U8~B$(=LFW0I9MC2*LO#hUf`J6a29gm`k+uRHXtW z<1uLa5@vg&?EXTb&AeNiR4WKoio>Jgy&oBYws?n3p0VzjkD4GVC}sYpP|3586^&P` zctw`FTk8^8!Mtu8VwoMR{H@x*F*|^1mjN=yL0rn0XW&-2P})9;l`e@55g3w>IK+@H ztqTImrY)l~;OUGTlN+Ih8-I<$t#zuH$RQ2l>I;aCRPU! zWA83_A~b>Q4CuB7UeDaDE31vYk#5z4-hD6(oDQR4n+oek#B{8I_BorQkbE_+-c=Uw zo6_BQ#H;aMiRSiFU^IwSSI}XBAN=gIJJB-c#aUK0ocS*sH_y$p+Wv12DTcv#Ra0Qg z{_pw0?z7_lZ*RES|J}>8&i?O>V1uLYZhiM>*z3XU{Y*z|cYgBr^UZdBrj5JV^Hq>^ zr5&HCuff5D&(_}b6<}3w`5^UYm?NJjwDM4`h>%sh2r1#S`mJLDj#y|#g_>>SDIvUO z>qxCnZm!h|IAZxVZYCCtM89sW-@biqu78T+5c`rv>bg@dQHJ_Jx5UL!s@)dn3f6Cp zHIMYf5a06dIEO*LHxfykQP#PLTVlAX9dh0=($27!!(pfF;C|ai2t(;Ik#E%uQS`UB zyRQ-m+0w_g=7QTmgqlfJ&wUl;J1}8Z>ki0Ng;O)d{#^_?T~@$bv*p~PGSCI@HH2ODRp;fyt%{amg~Yz=9#@B ztunD{>fN$oPR!pGMmAHkzsga~&~F)0TS``qnEn3Cn&DQn|Bz@(ZrlDd9PIDymFz#e zoBJR4@~mb55o~bu-Tz0?^zXNC1kybAaEw59Z|f~V3hf)(g6yX5$RJcE?`j4iUH?`L zLU~v<2BBs%P98*!8K>2#ROnQ_QR$%>gpMGGW5|m21O58G3`%Fn-18`#lGL|WNQViZ zy~=pSf|K$^jTuV5epSzAtJq6yEL!%WcVPWeHV7Mq2Wb}5qVC_oET$^hlk6s~rf}Mg zae}i7T`u5q_cpo0iuRyvat!efCb>*3wHf1d$qr1f%J&%Jy)>lsEn46-A{*OVS7qb& zY;RKe8sEycu>;=g*aS4#uiN&fJF&vJuWNg&fpSyZn+E&9ZEu||G<6#EU0P^vd7o3; zhc+{fHKEop)7+^^v}sH7^$yL=?V@JL?%po?rA;&U@~me6lfnL1z6jdp|Mjex|95wH z@N9Gc^Io2{?0?I%|9*Y@hQC}Ui7#*VlbyU%&o9}+9hv!x#9YnDCu`q|iO+_#rpH$f znYI1BY$zLVuZ_1?d514&^uK{o>r4B34u|Q1j|5_vfls zqrbY*>~11VrQyT&<68Gw$^H`)#-|jmY6NQW{~8{Y>_2DbvK5gY67oh9kM{&Fbqruq)HP}y1Puv+uN^ps6yJCw=6Ss zw6tOEl^VQ@s#~ixta$mw<_lU=%Ec-vTffaO7q8#fR?LlC3Ncg0B5z*N6tV_#B`&l_ zF&n+S9igI$;&?O=dsTx%BXf2dfx9&?H23Tw85-78p9AFM0HrzZkU&hVh&ox2#GZdkY_R+lPsUq%+!dH)TzDg!T$G}dMbD+ux0MWwk1d3Cz5 ziK)q{R9VVu$6`;#DKbNTYb_n3+cq}jNBxW0n%Y;;)hrS1@T`SS5vn%L?+OfBY^2>` zwtA;*0-0|Y$JD~5+J>}~?@q&hy0(o~0pGHz%Ie~Z9J8L$ssYdqEm!tnJ#6!pF?N(x z!WD<0My55QWK;5#uvs;VT7kQO?+pm~iYWvi} zGBqp_7pA$*4^8F1jQw~e`!7WSULz4ii~rxj-e6Gj|J&q$yr0Ke#{hgP_~34?|0))H zFt%TbPQBSze!iK-SG90A#@-S!yP0KGwQd&KT8FzFkV~{=UM$NN0LhdSkm7%#-~*zp z#zdC`W>xVPs*bC2A=TTkxzI4_5^QJAZ!#rPp&xFQ6U9zzt#SqQM`hQHX|T@RUaMDk z@dGOwi>tlB%1(j-X14KhB~qm(#C9UtMLUxxhviQU9VUFX`gm#9|A*(K|3+j$XO+wjVMa(3%qzu~&g z45b8Y(^_4gF zRmUE)X41c$A^(!4r!bP<5`PKtF*6ipN}n?VT+K7P>XMmuNtz1zmIPC}P{Je&9)6^Y)At?AKUUC1wx4S#o?EmlMS!esNx5J{0+~|){d9SZ@cUfLe?3W~(3Q)dRPBJ~CXttQvBHoV=|hG}bERK7Y*Po+Jsq)k;9$|;Zw!vJDy zu{XV}Hgde5>9p3I7)?ZC9ZfYT99bHQw}kUBciS=B?A6#)GPR=Co>JW|15*?s3ONe; z-LF~dEbwjZt75uu8kqocSlvXu-$MtzK3l3(#%M3Kj^#E??cBp~G%alxG9LEQfv(*b z=^XhL>7~1=w<(vIl=F?Vy}eJheQ}E^3RJyFW)^= zR3^Z+`ezxEMGs@S1DSZMOv?P+DcUU8P1K&vxVp=gN~Ja(vusqZYulYXH{1N|m`j+} zoAPP*qIAyvXaUn3qhdPfr7TxuiulWfQWRxIMb|AFZeSFol0!?3g8js_R7W*g={rGUT!Mu8`GVHs;=qi?-41T0bFVeD(F^?z@M z!a1HsgrZw$qecH8Jlieg{~bO%*x%jg|M&51ffLAuq+)`%)sTy2Cj#RHhk=mdG4wCt z6fw`)0`F&-0hYuup_~CWLt!X=Ucel3e}<#!Q$SG&IbP^xGkXuCz}W&3nkp~pZDpF! z-l*U|c0BMd3YUOHvZg=@#E60rN62%$qqFlfvB)`F;HBhI@Zsed2ry-iH^sa!|5fNa z-uPd%FaI?!X4Ag-$NXfAsGk8EL;o^~<=%%mPds)NJ5RhZymX#;d>%Vb{@2+8A0Wjf zVc_`a6?43plHZZf9S;Wx_EkAbes{bD^GSgEUy)U!dj6ljIy`#w%9{tb(njF;_v*9%!Q=zrI6b#`whv1hVP&m)O{%w24dCW%rzE~$b zHtPq(XMIj$?6ZETik@qh+7e}Ur2TtJNfHZ@qSy?CWQu(-M*Ip1fuj*o^*qPf+5+!i z|NZFHaV{<{gl6poC`M6$A|E5Iy^FPVq~XbRUYk-!VCa4HJ{qqZ!Z0UvIRXZ8-H2|} z^U1ug{}zqO7RQjyoJT;Q57LI0Ac=*ZnwFAy!5Duq?JkDSC60m-5IcB0eFI}>jyM$B zvp`uPT(M;mADA~u!ch4_$`frai6VSfgE7zq_fn*ZfRhXo2r3?g);#{(onu~ytr8vh-$ zNPszv;1p5MalXq9XRZM$@qhU-86z0SEQ5Bb-*^F9^cBklC=SVTE|f!|tSa#GCz$}r znJ*Q5905N}7)MmI&Iv_w`^_*%%yD`^v_~Vv5d%YS__x10Jq2LT+w}&2RdvL^5D6H9 ziU>?d7?LZ|Zw|*Hl1HxURKZXWE+7u&H@#WX+^@+hT}FHoBe|Ih@MMCdqRWu4HZ7vr zEpRxQ;0SXp5dAE$5-T4LP{i>BBMR*2GdM!br&#W+K$Ef z%}?9++p6~2`3x@fEP*Mdyody1yGJJc0(=Iih$l1x5QrB*eA7f-sy!pFBG+edVY?*% z^W8gF+a{PX)w$mtp1R`S|Lg8tfJRhikOnza#EbhzB_@F(N{K2l2@EEE@pr^=6=o?a zKAFcPLJ?09%Iqo^c~+@KMG>V$mAgYlPN;yT-m`BU{2_*764{)-_8)< z@dTfE7iuX0nlV5vo<1ef?_}&{tM)||o-mFni7A#=(6p#rl?;S6#(f1mv$d~?YF9ih z2zQ7lF_rQBaL$XFOk?9<4#lRq>2Ti2Y?1s$KCED;e?=iuqCly9+!c#IFdwJSn5w6;BOe zH5^yQ^Z#e>?Y|nil||9>v;PWRlXC}hXxn@Yllb23cLRl+H~B-t$u$*OW`|NPiM_=w{^ zPVocz^GBA^KUpGhjLunv_NRjJ5XXzuhh^obwx`M6h>xtnlPgyks!mT}4+UG7+k7qD z>FoU1aJnjY&}dN0%r>Js|fM_1e)>-ji{x>JDwpLM3`D8muS zqZQN%o|JvZ0^QL#MkL`=h{>o7IT_Jgk|@*l9f3Crq|_*}vO;vw@ep0-XNHQ!uZ=3H z&f=(UO^h>khj4-bL9jl+doEb2rlG6Y>CaNveHUZUNU2h^z2>SKdRQqjx4a#JUi4E&?%tbbZ)PWsT(SdXt$0{a)UsrbE zkcBrSQ#^<+$cS>0&5#abIK>mf(RxJEjD%Q_s4o{Np^&f4)Qmh7jKHjnl! zXPWsGi~AR&P~?v{A@#<3fWsS-MAsEVfL?2NCxp$!)GUv5EkqJIG1Xa(T=too#{1{T zR#RSX*v+ivYO`V-(HLvncjpWo&IUMZYhf&#{MDdl#G-6FVS`eAtW4C5!LK3&aoI@%~EphbnrZ* ziQp!ZL~k%sUC_9J*&}}vJ;Ge7*m8X4&pe{)fj)>a=W=Dgt|KZf6ns?T{!NG)l1#i& zCx{p1k163I*Q-iIwfg{BE6@jz2qy^>I@CwbldF?U#OWx}<>-)xuuQ|r91-T&&dgW0 zx}E;c%Nn)JSQhhw6(a0Ohzh#E2_BI6W9=5|nqJ{Z<8fE5MTZqJP{jmZMZU$#IgT&| zkgBj04d$DDGzQ=lrN&5#3-t>L28uIF(6zGLcX&#|4ks}Q1g5Sw2tX+384(#Jw*-90=@8*KBRHC&5LS+; zoZoYTs{1VOS*$8maU4pUuKanccT!qYt7}bb zu+d3W4uPe4VS(aedZ*t)BY}D8AF&p@QHT~-Dyqn3!7yVJYaF^pZ16h?g&q(pxXM3| z#dxW1+;|C0)L+XeUzOeXiOggtPAGRn1~?khj0>j=5@QJ5!8!;((p_blF01#0pe%zL z9;1XMfhp~FqpVclklB{sIZ&mmx~HYq&w1?s3NHSi-d*i8UfZAgSt0b{(`yc&y8X}S zaRtkQlpOBibAu!^ACu`ky{u7ks7~^bR5aImHQUrjzj9x1Q%3mv`QrqIn1iitmU}mD zI-!Tk8F7^RM2y*;SvH-ew1Y0?X69!%wbXCxYbM%=kS{cCG7Xr1~tMMdMdUvBdS!Cj<(+>{RDr3nTPK zLOJ}tkl%gvVJ&NC8qXk~b#qdkUgvYidQzAPq)cY8R~iuIJ1_A86C4%VLx>}m=nP9U zHdO?ea)LA#de>x502P@&k~~^8eqJUiZf(j-jvw5l{8*z`Iew58>JyKi#Njg=gQqj8Nl+`Id?>U+5vQ~dwG&kTrhrxI}}!&d(Mp+4;sJnxT*Z-pLWQc?8{Fx z=NgP#h&jhelwoh|mL0bP1LcwAW_kQ9o}YLOEgnxbj*HejmWs_wC(^TnXERJb1y22y5 z@@rxtJYZ9y)9UCFNZ=6&c^l7jy?lI6Yi$i(rX-{|MieN>!!em)?nIJFPA5)W#HJ%}EkWLg3#D+QgCP-^Nzcbp4XX>l!1Sf@=*q=f(NV(pQQsq?5Ua zLzPF)X>-RVf}~@srO(9SxO)+Az8*8KQupQv3iLCJrxW5IoNuDzq2axD(B4FDGpCTX ztlidWts=@Lo*YFpNzhQ`8RL{m!RBGy4%)324nxBE8y1m8=_gv?T9^?ZVd5~Rdl%oKr|6F;mTIH)xviA~kp?AKkTFl6N(&;C&DT)tL-6RaQ@9h;%50TA^^7 zHm|CN@GQlDOo>g0n2*MX4~{>DR{Z}$gS}mng!c0P`}>yH=_rl!9(Ot&ov@lDxBZsU zBu#3`^Zm=qU(PNLTe*^XYYu+hW?j1D|R0a(xvmjFj zAxf0tm}G)`!>049>Ua$#^H7m9>3U(PzH7HP3)K9s-3Fe2Q7GClt9!A5ugp|` zCqWc4z1L@}Z`pZA-lr@R$N}@+SL-*^0SQG6mCfxBK^~W40()|9KmkL)bCyW-zH5Kz zNSW7h`0&0h1svvNZx;p8MyrYhTPu-Z%O%0qZm}U}G6sgp+s;fInhXN>aCTgV@+6UkE%nlPYJzS~uXAW7Y8H(iqt)zm| zgLHP`>k>}4I~@!bT(^a^&yu%rmu`jL}Y7XUSp*l2Id)>8NbT@RX-^ zf=NOx8!6^G)}{unIh#yPg|f;?&k2Qq_z}ejCQG%RH=6)Yx!)!)1R6@gg_9YgoKFdF z-lWpe^(@kS%0rUij53?j)aC=g+^-!m!e#SDV42y7lbIaH9F4pe%1_>(Yi`%noRMhr zd3gK8&?`wsh9om$>Q^=#QZPC~v519JxwC;$n?HAMx8L3FyqnOG8shGn{TWO-2|~;X z-_Wx}e@aGb@Jt^BL$^DUS>AFooW>}o$qiS$U|N7jL5pshc(H~v>k^2-Fzfc2)} zb40nC(d2zdQkd}}o1`&S+h(&^Xb_#&KQ#b05Ev%8#L}#8x)j1fX$g`Z{ciW}?yiFY z%MQy%-B^|4-IL>kqtnZyU|TNRZCF+nMCE0{>wLsz|YQ=OyO@4|}cRI^oJW{y-<0fHuF^NVb z;3VNJ>*i8^^*bgO-T$+_w_CXX zo<;NDG3%_{#)A33x4X4dod0{Tp6CCQJo?U*Lndc!AMx9;qhEDm7UCGrY~_l3z@~}l zqpeme8{n|tLOQ(K97@62p?vKgxEby$&1i)5VQuX(TdQ~&*+;+r)^f9~^ijLrGS*`6 zWs4?M955?|WX+b&*R~&q(32KI`j~u3i5nQL%OR`^nwUGeV^;Cx#jZ<0`%c;@!NA0# z)#3uU7IITe_0flWsDD+;so*1_%>ErHdptB3A1H4Tl^=zw9MPKyD?sl3p!vxFGW4?6 za3h6Vt&~NVI?4HgGW`L1YiP({XKb4G(RQ!blZ5mOwUFtBo7Gwo7@;U*srenC{gV^; zoe>I6CJsTfX|m5xSt1MABQSXRmXoZHwlpe0ru?YtK=JPJxnwPt zi9Y(K_f1bS1SIH^1?{<-K2esf{lGFe0n|UfLtCA#Z=5}!JuY`LxdkChM8@KnWayS+ z@7~lr)!V7^Sy%(-^0}G+wtL;)ZnwAHrIR#cw{Xi5m%9QnCV^=ar!=5RkOK%LrrkA- zA5BJ39KxjoHVklLssa*4%=$?CPL$aa&hSKrRmLgvYRtHvie^ZQbGs9PERkER7MS|s z=uy$xCKjX|Y%8Dw-+W^!uFGG+Sf0ZLflzS`9f6O4{0I{)&A<~%{v@{~n*m-Zgd4Y} zYV*}mu40tSnIrdvDm66AZsc50k!-fhU`>q7wBsGq`E%Kz?QURt^R@21PCRM&8zCoA zWFK)J2N{WIMnX|6aSqHWx3@VGva2HYshb-`%X(2DVs7E8fw6xs8X0>zgr2^wghk|1 zrx8B@7^^qXV_B$$5Zv#B z<3keT*(C{C67fFT>B;dY83jS4-fhWuf=&pV3j6Zg7D7Wz<7q~&#u?#b7Ds)wBiAY% z(a#MjK1;&mM3C$j$9=TdYsGAILT*XiM{Sx6S-V9OEw}opeU(i~yQLS-11n*EWL)%7 zTkoFr=Rh(O$vPiCbS_kOuFk13tKZ+t*ZLgKTjlTXE&MBzV7aQd2aE|WGMu(stu$j3 zxfo9Q#WW^dU1K-FsrCWMKL?ro-Y!Dn$$okyVK)Cs|vUmJKc_E^)QxRnZcL>Z3$VA8ja2$MtoB zu1UG34qU>SFXP~fL@nipIwPI2CVQ`2y;Y5eu1k4xV5$>3ua{4_f2NE zGz2@@gouoW986~#TxTpM@fzIf$XgDqie*;Hr6G-px=VdbO2P?L0-dhF=`Przh8ddx zgxmnDjvSP&N?##9VRFT^OHR9sX}6?+zSH{}EC0GqYn|C7ZYxa&sEh=@fx8po?34|W z995(*uI0ubg=QWd5n2Nfq%-QEAovHmm?mK22KF@})NUWy5N$iH8X;aF=$e-5ov-_{ zv@WYOG{5Yca%S+|htPxR0x%4UdX*`+Ymr3Tz`+OV^bkcf6v}W5_Qwf}NL&7tWlFqY z@?1<4M1jeLW^yUN;+Y%~GQyH{%8^)%v5>_kcqSF~jNH;&V(+gXPQ^4MEq#tzv5tl@ zn@0bhW`#xj|J-Tjoxbw2Bhn>J0Sos3uX=kg{r&&;c5i3rdH??u&xa4)uUqpHopxGZ zceUG#O5}jrCB0HPF9mrqIM44W+c6yIS7k{>e@WStglKOEe$t6b>4(}u8#&kED<_!l z*RAH+P+Pwc1slo>*@Em0M*|XKSR~nmxI4Z)A-Bq`24;411W!3yAE>S0;pwF;3x0Je z2{$^etDH0Dd=zsv zw3<&;DNsC{46lwA3Tpb~l3V>Y2YP>@jHEFR32OgW8@1oHm!DMnDsGiAd@-u3pu*Lh zX#)DbvteBqI|_+81x+sN6Wvh9;U?YteS1nFzu`3P_y!ewUhv^VMHR;@)S*Thib_5i z1q0{rnb9Y=-ZnwbR z{EU{*9S823r9mkG4z$Ct9s)5-$uWm?r8F6}k#Y%iy^3W)k;djr$E1^U;23%qtE}rf ze<8vCi6`+!b#0%Rfu-haeOs`Zz!{maTR0rgNMIIU&xNVXk$H8~bzfC+?_+e@vVwL! zBO~(u2bx5vefw)K`1ZH|`q#fYg&*z3fO02dzmLn^KU?l#`EFacpL7U|)w++~{`s*k z%R4_}j@tVAP@0T7H{U2py4Bu5>zqt(Np`>{snm_y%2@kt=Y89qj4p*c8yl9v6b7)Q z)wJLs3LFH2erZGpMBpu-uje%Cm9{NcR3`5QNucSyt)z%P75ED!G>J$e&~8y-{nW#`^wWI)=fSGW zdV|fM|69GSSG}VB_vP;H^Zb8`$DPrdl)h7bS0;JJuE{;M&(e$;H&BJcUO0ISOj$I4Dss_ECI&vLa9NW$U_NX!jbzFEwAGESi zF1xDLBkQbgzFVL}kAl14^7fblWX~AWjErI4ekle$H)9%$T^{CbPBp#g@4)4GUBa){ zgvz{@#9P}wH0At>+D@zRs*^i|qWk-P>9fFcH7y(~c-Gx^v6XYjVYCD<_a^o6^CJ6Q z%3l8S^x)m`>DAH2&-*8Z0D2YM>UGL>otzw9y!-L&@~Rs4 z@>8nP1!`{2gCb&AN2mLzHTbxM^PHh-yL*0d_U7p7$D_BG?=Ie+96`T-IDY+R|9o)^ z^IWQ$H+Z#w@%rfM-QjTqW~lSYYSh}%$^Q38ClBgoooCnb?XTGDD%Y@5{pZ`uql;xpQ{iSdmmL51pOOMAG*k9ZThNYfVrg2JT-z!sOp1$7ned(i+@g71 zk&*?~r)5D4QnMhNo@Jg)2#RVFYw^`7vz;P$#rY z0%~mjbSq0;Kvpie7Ih$*OA&oYBkB}3*n-kiRoL{gssenomGaoOs`Ad);@OXP6jONs zExW7?$a<(8>v0XUIgy8I@p3~ETe3-C*Ql!Z7pgjvDW#rV(WWe`We{-k)eV_#LdLvl zC9R#1$=tUIYN7jkpx;;4v&zGA`D3#s4eQ2M?DzvMoQ=ia72QJ=7UiH)&nh*qsz(9{ zkTEDKau=aMl%wl3_SH0toqA(Xco5`@!PH3yH!E)VJuQZ^!(xu{V7U1U~aQk4M~fhU==b>7>`2G2Fdj84LrzY3m?pbaAH=Fn7Svdc9i~e6P_jX@C&;O@*o@D+v zn)lBW{!={5&3~QOr1{i`XQBSz+bYce-B&xk=lTB>&s-0PM^W?N&#HyPdvo?wFBxh* z8J-W49_v|l{!jVR)4##|FRuT)FJC_Ue?Q6dna}@fhpFf3|7cJ1`Jb_vtd<9O(fr?g zwOyG1TRYGBf1c(k%>QhFLnrToJNe-go{BNc=$|Ui-iDWIv2ej+@?`~!*dwO^;gmv} zTk9_qAbr1-mn&0!u`3{lSGOb^IA2FZ*xxbb`5$*!gyS3t(AoZ}?x(STre4{I#6*zC zmwe03{{c-Rnv9kd0}JN=RBUD$Tp%H0w2JiW-&>DI@jOfV z$^pW=pNqU*dj9L&Z_9{*#rwZv{@0z|t>^jwBu}FZe6@Cyupl(3Af+{VK7f9GZC{-@pN z^PeYq*3dZ?f@JF6A~n$Jrj)^y#&E-Gio+W`BD~YmmkrnqXnaiK7>!~!P>D0(=EaP} zSkPMnE~?IZoJ6fPl#r3SaAjSm(bxB^{*R3gI!odi+`*bElu$}C6w`!sTAjnocb9@? zq@^;-vjqKoaET(C@m6O)A|pZqrI=70t`yqTtO(*SRM z-Qjm>>+8+{-?YB&h>85oGCFE~{r|Pr(9bx7dsL4Pk9e!2FG_B8Xhd*V70=l3tuI|SDN!azO0zev1>aOqG?Ri5D)L`2C#h$e!JGAd>rw104X7?{hi z#in<8(vW3@juLc3W_%O<&S=6nCH9ou@l7N$IvPO^@FYT9sxA>qGZvC)nn_)1%#2Av z(qlx$csg+DU}mJq2$xVp`?ldkY{9!+;PA$q*mN>-{tTc%u)W=T zzrC~DNt03QhRp6*7Qt9LP33>I0!z(SfYdjgSq*Nb3Xr~VtmZD@JlEBKI~dzdqq*5U zFHfS3hW{NAF2PN3CTP+bX10R&L0=;5AZ}0Zf_e1T{{|5YZ%7t+9XHkP?(RDI2e`T1 zxtw^bv(?$&`Lb4(Me;vp;mt$aSg8N)6z~7udp`evqUR&Z?yViUHqa5_qL26(Z@=8@ z5BBiZs|asL-)x89yc}!~cW|`#@?|gjcIVYMy@>2aWN(KI@GgG2{S7AD(aS;j?YBF- z;nwyx{^sRg%id|*NA2z2_IA+Q3AXpHdVBq?o&HX*v%S0f^5wU?+pqrLXW!u_PyPIV zjGMpJGk5-P?QQSv?G@+$-uCnP|C2mxYv{i@31QFnI%WeLqZDU&LIlaU+&Z1Z8TBSg zn9%o_z=c?FpA|FrJ;`lbUTssGY~_B-l`ot2@=A5H)|9K7Bh@Z2Tx)HurT*@#i+}$c z;Oa8UmU=-(l#6U;5I%$zTcw9Ynf?g1TRLf^snJ(1J=I`c6Ri)~z|?uf)Hy!f;*}tr zWmq)^H$JLgRp#9_b)oNMW{~-b%r5Qiz8<>8ThA*nmKr4<5eTO@*j~Etq;`8Qg)tW- z5$I>g1+>mLOhYaJO_qG}D+_q3QAhQ`Q!%!GpX-!o$o`P6!#$6tNE_j3LK8XW8Co}t z!_jpmpzDoh2uNsf9}l>O%0`XJK{X_pxgNdLq^a7pskF9_4I50C?3>-Ml>25s&1ue* zY1$llPr0DUNT=XC)z?0m*M{}=v<2?Uw_;&NB9aJ-V_wF@hivgtZo*SBHhyzOCg>ag zJA}+&Ij_=kDbr==mEX4gFpnDUVKH|;xcxO3VZnj2+u^#(eyx6t0NGXJnKZRhEmT}mqnVc0LdKCusk^3 z06OUOGy74b&rxMdIF6wO)gp;<#?)hm$=ne?egbFl35yhi~ zaX~{gVG%L+_Huy*8BSwPgoKipdcz{(s|Wr!o4%?B{<=gr&Del&dogE3xvFDsLN$31 zOaaYo5lQSCTE64D4j}`~+=eVz&b$(t+#*uddEK0s>N`L@CM2ELD9%P4?aTkH)SRqt z+M^mQ{*cE{gn1$H&t_N7-OtYguLW>IyvKU57_avT?1ZmD;jO zVY!OUPhL^Ud@EHGcvLPgU#`>1WU6xINF3oV*^EfyNG&+pC_!>EmX`p^ZzzS2mGz9W zdI>ka&)iySwdSR25gANJd4(ZTFVtSoT)RCWNKZMH*B$HtMuFBtLs`K(P+^-yk_N^~ z97JS5aT09xg6!3Kch}O41d^UK83pQ{nH;H;hTd&U zHFcIMqjNmd*YVHnRzWTUMI~SF8q9c3rd-HDnBZgzFqDpG?=!b<#GPgx6PVw?{Y`4` z6{IW*tOV%Fo~X_RX-03cAb}a}u7ZE`9#7KPNZfRlZB1IWqq$ULC9)~p`8Q)zbO#I= z(;LujIU#zdAmdn&P0KRw5n2YGkWJ&j=)Iq$O_()>hFeCh&&7}03BY=3 zj&0t`4bwj7bd(@$^?7p&T)A`XpffQh*&XF%Qy(599EODF>-Zp+oiV#J3fD4c{(|iy zU~@kgP+f6r+d;?RV-iV*uH618UGIj>(6s?zndVvwv@~P4G$N6mI@Q~v0=|uR!Uk+% zOI7Uta=YE-x;?kIb9=eep4bWqe_L1p>6}}=^=PQ?Ja)c&tW;624=>-@Qg!Xr^Hj01 zrReHZp3hMgs8rMDv1|ezbOpCZLupvu^zs9pz9BPSIT_aP#xxwu9w_^wL#)clx3TFm z*PPn*RvYkqD;S92;#MLyU}sQ6NN z4CN@q+$b^w{bKb&M zkP6sochG(uvpW*$9Y!BrvqbW_TD#xjG>vD@-{1%){|0NywPJrZ9A4L=lT0Ux8 zF8~_3%8M_$*)$P!LQF!tetQsH{`2(U$BVPmv$vPQ!P%QP$5+;LUmSuy zYO~=G@+ef2qmO#E1e8Ode}jBC1~2D5Y&bgTEhocitXAFV7AGN?dGb9G!wY8Nr;x#P6&}8J!ZuzPc zv(b-?3s4+R*a(F&mBM1I-|?yn2P{dH4Mkbgbe))u0t$XiS#DaBLOEt5kWp2z4k-`o z!Lg~}%K%JAKrh)53CXW1YbnVHtDGu|><#I2fE{3gWo;mk{;eSCGNrnz4{vDlhHx%- z-bnudEMmAdO>Pm#I3v0J6m+i&BAw8LoP)zTx-!;j$;beUCIl&ObhK{nqN773=f7O{ ztKePH3Hg&H1lb=(uaFSsoaO>gQm!^b5rq`T4yWWML!TSG_x{M{pK`LAgS#S~bAeDI zV;_+$W0`6pCyR#Ubj?`EVdXC^ESeyo1Qe{TP(gdi6^l-@Sbcwcae@Y9M3Y1^fz|}& z9$zUIzw+Pu-L9NNzxE}Z-?~zRkCN*mK;=w~j?WQ}BDkNOWgxGN{;sfrQk`ODIKF}W z&WTnZ!AbxW*EnY+8Ju^UX$IOQU;~P!?4OxEho`cT)SpUSnht%SIDIfo zNxj2UbitS~r6lo{>6b{&z%nqvr=>xbP!CUKWl)b4W#miwuOwJig?IJ)$R;2ZX78{N z8QK>jql2k{4IV_5AUu*s1ZJA&uo4cjfe6z0q44plrm{9!GxvFF+G}rlk_> za7-q|ShawS`L%&4yLVZvA!2TeZ`q<(CzpsMVKz&3D=k^LUv=Iv&0;-q6}Q@h{LCoC zsXMzBXX!r_OPD`kbe%um6*l6|Q21{Y;mkWAf&N3pyl~2vFQp zI07l&DwXe}s?z{jv$B;-xj01U8HpK=PUs-R86_O4*OD~yJ&NszbvR)OIFW$l&LgHA z#~+kJCA&p4=6A4Qd! zrE`~ZJ|(=nyR|p3c8;a{Q`gs%a%9MR8?riJ1Fj6)`UoR8|xj9u8?}SL(%Q zni3G63ijIgU?THNN=7!pQZmAs2Z@IPr=x^K3P+L&I+S8FKS1#S)wL$27s)O`wjI!P zOfrss853Z5$AL@dR z-O>A9Up*^G#+Ca3Op=a*@c=_V@?Lra?$W>5uVdE0d5yQ10CtN3p;_<)y_+KE5n>&nN`ia zq8k8=8*lj|PIlGV;nA2x_g$rU}AA-|IGDOqj}Ak5-zrs$%~} zXfk^z+kB_KbojWB{>s0~fB#2!K$9*Xdv8fNW~hD05Qji^nv6Pa&!<;6gg)FiB11lb z3R9_JC)E_XD#v16SGRXvfvj!0@!)BlSO3!lU$ib&4Y_JjM;GQK;S{ojIG#Nl6@3eF zg6>#$gK*4}QElho*lYozt0++G7hZq`%dKI`!X&Y-7joD5o`hhd8k1_yZW(v>22vXYgiN3HWX%z zb5q7UI09>i+7J{|vunBpA+M zfs>V%R)wKC^{!kvH971a+u5M%rs`>nd6Am1&U*9&i#8K;+tz>oC>6!4F+uPnKmAmm zaJo%xAobd40vrtGSHOeW^1vbF2;eDMT(UDDtqlG~qg#_6j`6D z18XqmtHVaE@+eo{jiO(D-LQaeHm5=O-nccTx0$AL0jy&~Qe_pcAzSXa{{qGImL!Dp zO_UKFQTbCRo4}cvraHjkFm*dP#~#+b1sV%t&`qIRI}x` zglGU?u80)Jha|?cOA@jq;;==aI7X3tiMW0XXTomX2GCQIQ5G4v=kV8q017%GY$^=I zEA{7tKn^jDry02#XM~Sg9HAf73nc8DRlxEoIN#=AFV%~MU|Yz4Sy&Ua?N#la3M1D? zJ3X~DxODHME%nwXULU=Lx5fVV(VkKR3mxdAt;%j&cCTbu|LbZTTWDc9mh~$)fxnPx zmj~H^ZI=hyka3p>+>muE0D}ju`*tbjefi|Ps|9o==eplk<695*Z2Rs&u6jZ{$VG$eVN96fD2l`bmyUN+nbxqwCn<_Z8xSv63)Vy{K(i1 zuQL9X1ORNB)Il#PSjq=v$TA{#s(2{3tQz-xt#=#CajIy|1P+^nKBd#bDS1O()`{Z_ z*(9ApK%0(6?$#^~`g2FM1G`-NQa9d+M0IPsfp0q1(Wn2aA$Uh3;}YyGcNXHiaGJlXNgwV<2 zz5tWX>x2a}uOSzG-C8jV$Z|~<6N1#WJ5;$RAi`eMPz_;S3Z+oYkDRolp$nOqzKZxH z&W1uACyj9yT{n}f`J4{NB$`6L0CKC&F1r{)oMA2}EF#@Cng}>rjsk;EfRiY|iJ0 z8NgLlZZA~XB|4$grp)h$E@ZmWko;AB(Ib(&B?L%yWvl#Z+wGVc!n*Sf!zHGB^HwLM zczR-Uoiv^x-j1<6H5N>4?PguOE^N*hgq!-5xo#{=q04ZNL&Xai4!b1lIteuBZ5TDpLN&XKUlJ9yQy ztY9gN*=Tl|W&}qEEa4)PFlA5F7om8*<0 z*e1o8b2!>P*Kd$YBI;yzAUGT^RJ}_8Yqb@=pl7>zLRMzXd08iwv_LtJltw~AV@Z$3GnIb42R_0vrk()b+!JL z5E7|iTn&Ywkpu#H4VRo+Wmf90ImiWU=(EW@ylZ=_E~mZ}85U$TD`_1@k8*cSTo(rI zpb5~7L8h&@@OBY&U0C0mT`)&FzVfTmGGvL6ZAiv&+U>5X1_RwYntL($z3DrO(S_SF zWqEMl)Xq>I*M!-HJ^Nes0`UvE}(bE2`uw=*`8f z5Xda?yS#u+4r?4yZFBOA-wv2s-J}S8w6(pnYvr0jypDKMw>iiOR3M@Jx;*`K z@;HOT+8Xj(DN!+EfpxJhk#I2OvjKabzt4SlUPSE0CVFA(zWB|wS!i%BC!e$EG9_U> zCz}Gxv8}E(_vFJQ6)t5!Xpyt1sv@BDk<&)44v5&lf;#nhM$X4|kFp zm-2ELM_;KStJ`$Ii8W=M_)fs#m@%#sEf0veBP2opd#Bgy^@5%4S9`Diu>f_c374{p z*k%j5u7TBj&tGA})$h7%lE$#NDU!zGR7IZJ{io?sXa)^kLVyy=U%;M2=b{)B9L0ol zGeEq`JKk39Lq!)!=hH%zmNateYF;oy$rL!RJ-I@Ek7JyK(Crh3BQ(%|qvLbAv*r%t zL$0F}r_QwvGaxE^fcw#}Di~Y`l}Q1}641>akwpw>i1Z0e7hJ;lU2QNHvI}LmM%0+DHBheMSU+&``Q%DABuoknB7WZ>rz+s8vt}xk0)Rf&hq~GHoAIaI;|tT=gGgidA7RX;pknr{t)aT!+NmC(tzJj{uh-q)t>ZDTu39M< zaGPA*qyRsH<*^{ljX!uZDUd_U7wM|?)m&>)w^%v_>K06=Nb%sZqD9C};Wn!re9wPA z@X#+EFfM4<1Tw~$PAa49&VN48dvKpjPQ5uI!EI|IwfJ)^#^4M9SM$no(Fqld@e4|k z2;n@;2&`_kzRks))n2%XZL>0MM+2n!bYM~D(?LWtuxQOpjs=aqV5%u3m;tJDmC*!6 zs(X&2nH-Z)1>bPW5~Xq*c+*5m=(Sv_49=5lhhiFPED-(_tnD zEQj>^r=v~z8U0UmmXhRB;PA%3UZZ@q&7z@G!uAb|h#I+lAgO zCReZ(Zzhr~M)|_*pEg9$wBrVL%2xC-cK#Of5cbhzCKqInY`%SbQOD#oRg0tX&y#}% zlUM03F6_K8K(9;f0H$ZDRhm$$LXrnJ*<>*zXH6PPC-ddJh8*9nyl&Aq(`)3>f~;~} zo;u8`wm**)YgN^=#nD!^SUpzARRgqYg04K&o-*>vYxpw=zsgDYr3YYnlwCOrtBM{? zn|Z8YtT|0QAR=oH)CYxS&4K&i*sM9Q|Mme|g@thCD6Qo<`eOxa&1>W#5nJ=%J}hi& z9^{9|Zq0-K_YdImdcR^6*K&OQF@m}38(2M}s~+YEgW#%E6+buL^nbQNzC6o$1pBeihc06{EkF)fpZd1oq(e8pndww)FRj z2J>k3z>u&-u>RI@VFe?>qXvgHgZ+sj#609`!o>24^!W#hmHP8I(PCB9Xc{k8Lg`Zk zjrl9+l96L`dtVbf=3Bp-`BwOhW{q8QBCLu+t8pCJ+%DBek`>!qA)IVc%ku)tO3l~C zNqMCF_l+wnkJr55vI5bb!^PtE1 ztg<_wZ`7H;x-AMlD=1LU!Dki0XC;F>IC1|64?{c{F@zC|fldKmTC1GJ8KH zqHQiO&x>huMBoZhZT@U{)X=s{&|gq|TP6Nqevn&bw?2bNw@SR0Hpwm>@K)LEbJW`c z0{z>DzAa>z=lHirihrx)yJdsm=E{ZzVQ|i({D43>f6v`08ZK}6;qh>_&42cRYPFbu z#?fl^I4>2lR$zeVptYw9TB{wwr;S{zXQW3DU#su&W5%%6cj)gB$X46CM~i0D&Kp|S za?Dt=l-zY|1u&HbD1orH#I57UwRxY4OOf$Av9Qc;wEoI+AKrvW)uMD8dJ(RYw5lvx zPcztrlc_NR%mppC{XE5Ceg^X^8~jc}@f&)>5-M0GxyF{VgQrhvI&$^k_RPjCcT=ve zxuX$Dgt-bZN9;uou+soXa5bBQT?%g4E8}%;@q&Yzju|H1e66c;VaHaYq%#))jXs)K zoV}fAsiHG6+!h=`hcT9V<%My9V z^cvv_%1ReyuM^(HscOvV92LUApRDr)fiTRtu}W!+*9XSr&}gC!Z9Gw0#U zA48bU!S|y|v_jXOP^iu6@#9OjN9g9#!fj3mA12|7opFU+eWTBkuF&$qXD;b#wKH=$C|@a5Xzs*>G%gMWoylGVudQN+R>fAPk9< z*f95)(fzfmjp_en$_1Qs;A9F=)Y)QW4wF2KPou-x`9XfNKicgl&FC$L;8{hxu4&;Y z_aIX0Lyo^EX(zJ_UG*n2Qw2`3Z}oMn+C#3wm_KDiaG51bVZnYg~E%?d=-0$pfJ$}~7WO?1vPIVgo@ z428^jpX4J>1n`u`m2x<7-b7ddq8yD#LNXAaQ+t#r*FTo19e!sxjbkY6`OmkI_TwwK z92fA0>AN-bRrwTG9*nQYW?CUshoX9mnA7lbO5gn>{2-7jj ziy$HfR7!~2Voy0iKYhc|{`s*DEt%5+dwgHtefL1Fq^{$NBRapCx@c9|Vdy9nc0fy~C6G4X=ZWts>c>*S?0JBSsrDFXC6XJAsEnsNDMOh6{er9!wV;0u(Ad|8>ZZ!ypcyA>~au!Vc1;m+Ht6am@|N<)y9 zyAvO%+-Ed`w)BR?Z^zk&G-|GH4^oC|G;f<<;Ia1?#-%85SV8YGlxv#1&-k|Yyv_JX z+l&GSsCCLr^+WI;a)Sl*I;M+PY&=F(jHiQ6$R^#pj7PYM<+)IS19U47~(0={v{0FCOX)^ zJVL+xcyuZugjnF1jXGn@Ewp!XBxp=VWZhQZL@y4`PEU^xu3l`Qt3qW5lXsl{=~UZ5 zM<$|~Bisv6L&fe4jLEw3s!M*};m+A^l(E1CbjrCq^BKyad{KL@q z#fGzLP6{N;t$h7f!EiU_5QEV^+5i6Nq+R?P5guj~=2joIPaSpC;N14x$U9ow((C=V zua6eAbV>g#wInG4kZqP@pFfHQYr7V?8JmxmP1Af{vvMI$$kMFuv>VuV>mrjXQ$U-5 zn)BE1j{fiY*~Qh-#k<4f%l+?9j@}&}{jmS`6J1^l6L;BQh(60KntrU&=BX}kHB`_fMvvTU=cdiUQ9fm4=TFeV-c z2Mw&5k)TOpDdfR*cU=vWR4?ksmzb{F4D8C8s^=4>L0gZNuDTlf12R=t1AI`D>S~Y= z&QDzp_S2-Me!A?vrq|i(NvT(0-s~e~rmlhikfhW#ARm^Gx(4XOQ&HCd{`+U4HXUCv z0rd(z{4ugnSHfOB0d*y~hvc5F1o+Uj)0IF!Nyh1|C(JnQ@9Up5*|gvEQ|FoXTYtI~ z(J6w8l2btt*7S39xfW|xn?-TLNLqy5`co+RfB#foXA=Ss{4P1*kW zX`b_DS88vCiX)QK3XTpQqqQ;pLDMKAfh~!vJv`iSdb(Uc+0s+ zxrdg z1@lmsvO1qWT`jb8VMHt_53C@EOZ>Rp-7&wS}{meeZb-vSVNW(#=AM|1WXgL zJBZn!JHe1+;gE&X2}y*`beYo5BwDNDT!UouZYfNSUTgkUS3juUfs}w!5c`@$;JNUm z-SUuZ-ZvfD==d*~6xiUPsvIvMN`bQ?XPF=dBQ!{a1~Z4-UG%)1-%V(4f-aoNLlZ7= zQjQ*7L~3&o8IEx#cvobE81mXP%JML*Iq!&IVAc-`>Rjwh zE4go#2}HN$FCcD$!OT)Q9aKSy*P{6PO~l!z$`Ps#mo`-n4yYz)b3{@CxiwJ7h<}!$ z&Vig7^Urwe1=gC{EE!!HkOpaDJqJ>+b9D=^U#ht9;v$I(D$L4DYoXbBOKSmxkGZrK zuv$t^7tnlEIbFa@Ie--!^f>^ayumjFaWLY5!>mq<3&gTcWZ<4S%`&NoJ1O0aHfZI1 zDaHlIM5>ZMPDexsqRGZj@W_o^A@9?ykJ8b*EHCmd#-k4!{&!LnO*5K^A!`38H{J?u zv`&*So<;<PimT#kIJqSmDEMJU1r2fR zelIE9ww`yC?(_|~_QMCX5PNig?V75?4oz1rFNkFDLEotHZ=d%N4)|Iyp-^c3QnlGr0%~N_e}EJ^;J6 zaTboLAfcFM#J+XvbCJDq{HHOdAh|EjeV_q^*uf>^o=nOBm&AB_J(R%o3t5 zmvAQJwOV`bH#Oc93FP{#1-fBFyyml;rtHSC9?ftMyvb0sI8K?+#J}#$tl= zW_--_`OLrCW@7)VjUe~9Tp}~SQjvg=lpZ4MIlp6>y^E&?SVsjs+)++8QAQ?A5EBn> z*4;tO!W->*4UXz%Bpf2y*Y|k|+w{3cs*WrL-YW2y>5)-qR-wFj;Ur=cwABlw zB*h^l?2pqiPNox*(GV$w5Va8t%k|s3ovqa0d_HMsMhk9U4_&vnLOrdP8)wmInwhAI zEiTLv5dG7}isTq9*KIipusA1s=`YN zsu9^Tl0=|`w0TUU;z+7@Z>Xf}R@E2$z72kk72n<_R7kk5X?p?v>=EQry4i&Z_qwpv z>r}?v&$4u0yqXqgYu5}{0qJ?L;G4QkxAcBK1I!!O#bfIe^NqTjSm*XE7xWmRSN9pX zVY|2cO-%vA5^reRD{xnU9ZiZO z3fTwpYfR=U2BqXSenuFRS36H;BQ=PNVj`PGtBWymJ~6>^abg!A>usQ2TN<#u-=miN z|9vwfVZHs&oTTvX>DkrMWk_{4D1lOJte-^Yf|_`)TSFYJL4RI#(w_1IX$RK1O$A z8tbHIvJRpg4T#k0Ba+5!Mk4g}*R9rv4}nzkjcZIq@hD+j(C`h5^24$F`_`2OBsbXu zLXsR1O;BDDO(4hWejMwd7c|DVMAuMx<|FVBG-)E_Zwr&%lI$*{LXZTKob_8R=jtZF zws6oO(pX#5wSIxtBN_^`B-C}ywA|LQUv2c&2KoynG>Ihjc4eOt!r6#FYO@mH+%{XU z^#wBKVl>DDw+0V01rYu4;Hbr+>Edvo5Oh+DSE@tv&L#zZv|69%yboK+f`tb;zpB?@K z1p(@^R9NQ;wQPA(lq4dX!K&2ZW7Hkcq&vWT+-e;sh-Hzos~9Cs&jsrUYa+8WT-^zx zY^R3fS|Ie7#A89}Y?^c=l9H=P%oUkk6O}q{`YP47aCwr_I6PaL?mPp*_hMQ4<9@V-rvvb@~7_X{62b8VqS+$c!4v_UknXC zd_a(&G@Cg__8d%*zgu5&kGi3Nk7g7ClH7jRK7XB$e2E#_=wEv8 z69h(G3Ide!KVlRFW5#Qjr0V4Y1#eLkMnyq{w4|&8ZqIHM&>9r{QqC;0K0o=Wqaba* zxT>N4hrVL+cnB(ylbbu&FqB`m)JQfV^Sbs-8e;)o3>Q8t!{&F8C8lj z$ubb}a08@T#^Brp5(OV0BFFvR3{HcD0{8d#C}KpVABJmr+Vf`!XcrX;mmTe@V*2pD zRRc6q9JNpN9hdDA;@+jDWm6SA8Cz>+@`zAFX3e zNx#4iSKwI;+@yB6=!LiB-ZtGe-7PovFT8njd35pf@j=B@Y25yjqCYSuFHlzG|1+>W zuFK8udt~O9dtIctbO7}>V9@p0>tU9gf%Xavo%h`Ebn|`Hm&Wq;qUMG|)G&hVaxi4s z9nPX=+`wLMdTJEY2rML}J_IjNrWwcc+puFAtR&1hcF8hd zQJPPjhtQ^i(Vm1%F8{1fsv1N83go&VVwxr9&exP=rQ6J5BF*iSHms=*l;nrH65SNi zr-bm=1!JP9L$yaS8{jy9t^VFv0ej=?(6AR?(&h*E#)J0YUgcdt>(v)Z)LvqE{w7Kb&)P6CZ<)Qyk9ROdVG{X=0jTsykvTR9;&!N(W zM;5@oabKO~*-NT5pBG&-Pa|&hQyV!^?u}+@ZS92;tY}@Vhww27<>{7R4$)jk>W5Iy z2)c?LkQX(pb6&r}Y75$ITcaRMa9S%9O-VCZ4or<^;;6oQGoj?C&sk=RwSu6s)TotJ zb$d}bkk#kJPPU&$LjaI1UA#d6w+Khb`NL)gzW6mA{W!n}ZjlY;T(NLaHc+hyjF(!K zD@a7%3rKGD2wZDG9W2egN5z_}ad8<;LvA*he`#!8J$Os-cZp&pJ}=YStzp<@E+3Z~ zc`!dC$L`|hb>f9P2~{qq7HY8I>wDO0S+@Ez!JMD0{ilhxRs+=Rbt>33KP%He+Kqs$ z!i_l_LLdr>6u-GnvyHh8Ab6~D@WvzWBS_H(i`w!Uq>-3~hS1t6v zh>k{wu6J7@PqwecJ16arK)d;*kd*z1Dd0uLca z?knKAju?N$f_>V(-w=rSD+-2w$b);#JxRMAE3Zg|enWr#rK?mF_lqt%Vq=q(#suLw zM#jMa(F774aGH!_f+mD>JR+Ow{#sdZh-o}uG!`8q>}1x!xSYyh`KLKIzBt?|0|IThOP1!j86lh{j=_wPC(^kg@K(iIvyfP)6O)D zkxCE)Ua}DJf+Ci@FcySy1Cimyv-JNSiVcAG$a90@` zyLc+b0pK$hllb9$aejHOvL`F*!~Md!dTCw@#+G3Km|Atal>CZbZ%g9bsazVpyw0Y3 z_cBni24h<4nspQ}+{HX+Fjl;fcufux%jlmp8L4-a@aAV1DVBRjotTqk%2Q^(l(s8p zh2ARHVLTP=wY`?SLZ_@-u|jazk|07Cd`UO87hSg{9(1T83?<^`R&-n9P70o@lS?@u zCW_rdR<`+rsrgq!6#tW#ogdTACt91ynwTtlcPx1gMCZY)hTsx(vV6QC$%IBv$%xGiruP!w1fpiGGdsKh$K?2 z<&SW_brti9BQAHnDf5W8?3lsQGl`oct(8x-9>nXH^N(2@@%w-B062Q7Gs%J}E0;3+ zW{~t&h$bU7j1J9eBo42aI6k%K*}^`x&+7B@cuy1mZ@6_fkQ>U*3{RGK0iW;x-Ro`b zy)5{DZ|(Ma&;H*}@qqpUQBFo4z-S*r-W0I+1wobb)xz8&eg+ZWlJluM{ruRc$^6&% zlBu0kKp^048A-5U{%`NTD$f6%ms?xU^ZzNH3hhh}_c;uAZUb`8oC+m?Augsd;hl&i zvjdxtgkQ0v_mDLqZcta>aVdX;z`!Zh8KnAEsR}}z;sK4Rpe3kzO?_x_LzAeFPTfMS z2@yEL0{2_$9ujE8J>3S>nqGR*@-8!}i$QET_li`6aj0({l^-yZI$Am16Dr#DRb72Y z(3}{N3W<#>(?NLv9Vw0~l256ov{tM@M63VepS#)VG zuYw*;un5N|i-*Z6=a1B$YD>w>t66I9XbI5KNZ;G2n5$nko~ukQJr;p~+ogHYM=y7r z6oP5S1PfW*M{f_$n-;w~IM+=G=EAp3e_6Z$%wvotdg+LPCE2->MVd7Hq(2wMFMefQM*jO=-OX2l zMe=`lYp)>xU%q#sS}_@=RZ3o|F50x zooD&~Bu_zd6lH&%bidT;_x>)jeXcb}cj9wj1YGf6k85dFcoc+}SPB+-1{fAJS!VDf zBRmiOGN>E>5iv_iAK5hKErd9M)N%X6q1=Vc`fjjmvGqdP%H_ORCp2xT()Q1}4HYVR zW8ip=1bP~eg-8RJ@saiqnbU;I2Q?-bYnSG}F*_5UfJNAUlw+b{a1^hFuU^-6P;y14NyiDy4#Y+?X> z4$hw%+b>&hc|L{u@|;GO7*x%pp03x#jx&GuE}rKlm(K;|9a?SVo~px)O>#%lx!$4m z4d36-bwzbNSsRSdY96Ka$kq6iZtc2g7j)sqv~Y;(Q=!C}Pt<=Gq1Ad`pgmQcYmnv6Oj%Ls#gSJxgOoO?j3 z_v6iPYAo%%O@_pZ9r%LoB+o|-D;VnwM2sH~+xad0{Vffnj7`&maempkAs;ESAKIUq zvB-*xt=F}0{+*ZC&;D6v{nzI_TCzXd`oH^fyXgPB+uPlJUjLusSz-OxZ16_2!D{RO zr3d6wuK$JZe0J-94W1uiiLGwoff~Z+q`rKK>whzD_?-=aA_|Q8Yu;&nbxn_4{G*+4 zH0u;E8P6VKNm$fKjj^DBwP*5bIHgGvrHm%Ii$z-H3(=e|G!Z1b&C`A$WZpCx@N(@^ zzZwotnBkOM(aHbM-oJOZZDR}LaR1h)z@yAOwL6x4Nt|?iPS3j(*-gC0w_`c!%#-P| zAQF-=rU(`Q?WlF%&;DDuksw7;h0pI}1WZ zk)%TzC_5E?(}yb(fh&4lfRNl!Q;)BU5S)3n9yDhmSR1lq5)zu-HUO|5x=>bO8yR>? zZZRYelOluBt+wXh=ReCcPA&PLLym@Vz)-zFkd^ZP{@%-1ulMuzKQCWy{J)>1{I*aM zm^#)uHr15a=Ja%x9^xxM32ba|782Xd=&taXk!$i#Y20kaVAV#=MeQzP%xn_vAAx;& z0Fc}1h08L`CdzLY9=J^1IPxJ!Jx(DQ5gTvP>p194%GBIXm@F|WOQy;OC zm`00XSU?p8JJM{uV{m29AN3o1VkZ;Z&WW8&Y}>Xbwr$(CCZ5=y*tU)HbpS@4*-KV?P=exQWO~kaRb!8#%z%y-p{B2)d_;yr$8?LO3;RHNBnYnX(s?&U- zOUWgw%>`L98bDax5xKk=W*Uw@Xg8f{3zo@*$~jz?pqAoaz^3#Vlkc@JfxKu$v~;40 zQmV+podV@0Phj?e=%jxla;pYH%FU_#;CDO&zjWXJLb-|U=}|3}QTT-0;_wQDtZt2_ z6>Xb2BX@@amma&fTGGS-HYy<(I2FxI(5#(8z%nL=kTQjmQ@KxAY3A>AWgpcR1QGQ{ ztRFL4wrle0B3~K4YHe0ru*g%_oc{)vKO6d^(o`T!w-0~{Ht%4)be z78oh8Q96H9QRael`A$%i3*oYyf8HcOnxX?2i#`mfqnHFj=x{TE8D549o_9m>1SRWI zl$;#})L9-lK9>+G3ST4-vWLsn+DbK;JmZ0BXY$^Z2#8Lrugh~g(hw6GDq%7-UOYPM zR`yw$d1k)Mg<3qv2tNJJW(>sONB;M@Q`NSIpoOYhpR!<&Wo)FGT&cU)E>sa~9+?$B z*u9AKVAxcR;l&eIwV4^aF2v$;sd2t@8 z${AEo$SH-vUow1yjV(zdDU~q~#@1Lo>6e`DUm!b>FR-W04cwPl{(*TL`yes#NT{q1 z{vv%N>7Ym~Y=l_{ogL@-TUu1sZJuI)A0cv4xh?bd0h^$R?yG?3=8&$9q>)K`kS>@} zvN@XfE%%a$;-&YGk$u?P{`2l`7O?5#$<`iq7Y_zRI=Z-MEhcpS=8Hw!j%mt0WydYP zMkXp7D#+26?nWP1C2 zE+UCH6U!#{l90p?*!I)M4C9>&XX&_ShO8-C&SS=7A8;L zYT3j;wR7Aqk9(+#w-evA7)p3IbHZO{JX+%U?{ zIyTcd6dE~b2$pwe$7ZJ*P2UYP2HQ7@$_>_L4*RqNtKVZB)lOUQ@b-1?qgH8tLw@f8 z>*&gFvMiv)Sd!}%3Ri-_&lKD3yq89&?hMdBQzKhWuxonYZm?0N&W2c8JTshr zR)Ai?i0+JEQRhCngQ*WhNxQ7ZUX)p%KwyKrj>5>cm$zr&J}zq;p|lt1nqW4EjXr>9 zfn~@Eq$mUHIzom*U}ya!I>h457B1m@bbeDQR4_jdHOH}JZi zbgs0c)Y;kypu76?>EeBN@OAR?=I-sZ>L@9ehCVG(d6Mk&ao^}ToeX2_2Vy(@j<&>* zfovRrpN)9M4$%p_%Ft~!dYqUjr)P_JS!{LM-h$F59$)FEX2CexnFaqkG_Ap_W0b}!bsj#|$4ag3QdHwr9i7Ri49folul z8TS_Y-CvO-P^1>U;NkqP{trSM)>xJT@Uz!tzW?7}X0}wv@UABl>h2Gx|&MunQ zJGi>L+WC5U8T3`gqMJar;9*U`aIl;fcwz9{z7WV#I^{z{G>UG8-tCuG6Rn(y@Wxdy z7%@L4?3l&!eN3~9VAgS~beI!e3^k@&R@okglY`03bXic!mML%$f0E^F^)mdqu480m z5O}cbOgla<<6MI8uW?qd?0s>_4G@$!s#AM5=K9bHa-2Q|GFPJ}6BYRvG7ry*IVe4Bb5WhSJ|{?j)tP5Cx-t*hTnRpIucKBF9)ljH@Q%Gd$q&xNqB&s?UfHTj=EgeBe8gHsz9=TUfhu5_ld z_L8Ee*PD{oGb%$8XV4ocEJDdrJirLW?;&zFicR@59xxNOS}YvjgjL*9T88e{0|!=ec?u?A{*sR=O?m-2x*8;X){oo4eV5Prf>V484)V z=hM#bY|U31aNiSe4tKaNO#NQIg>fOR*CyM)tF;n%byQ8sH9OX_g=5!QrhYA7iv^`t zPbKQ*bbPXB5p7X1stqRheDGGPMXhdFt5nY<_2+eDtQYgDWQD5KfP`1nqwSs)Q9;AO zi5ky;+Q{Ek3aW22yRS${SEFtQ6a49|nxL569hd*eSsi%DL!HO{6C?jST_ZjrUaE>s zko>3XcLS39!&#PwbuS+#sjrI~I;wmX@c4&^|B`-jpV@5dL(aTe=k1&ozmS$ZvOU1V z&C_v@<^=t*aZ!lX@&-zNwvNo@=X%z{eG<^!LovuK5m61qo-J|EM_il%tLmDYFjn3k zVkLG~Yl^XKZS2W+{c^(vGoTQj3t>FK1C*g-Md~PEo{xvGqrHPqpu3$<;PjFET22Qm z1j_*Z&KWK&#Gr;smBQ%(^7+hBX-ofYj6A%`4Z?ql3l$;nr27vR>KX|OETUJ z<|aN1-RRhHRsH0VISlfkM5IgHs0=V$jJ3b3m!(hk>sQhUK5_%|#YNgX_E1tj(~DWD zoc9iM+KNm0{s^K)+LKg)U+B&JE4#xB(rc(Z$d--QND$1Q3M4XGOjN);Dfe@!U3@0Y z@Gw(d(`oF&yPuiU6Wm}N}liTw`CmE&z7?zIHXd0I8{$Sj=`TK*> zTfFOruE|q2TJ?Qvmz$QnPWzc3q|EGja049xD5@d4LP)U{GDEYIuZrV|8 z6L|BTrQ?~aW}|c25F-j*nTi}XiTxSm2_LaLUGK(Y=MsWvZIx-LS8bL_fSfR%0aM&w zcvGz+{A7iCDVGxZVxpp&%hCqwH~j;(D|McW z4$7^+ZK)5-I-+{CjoU_8h<*})D8cIJG@;P)f$yAPN2@^ZwHqy8 zU;cp<#>7ca#14je-NT5A4+~QU5t^S=6Bm{w(5Cy1 z9uJB@_bA+Y=GN5nBxCefgNe9Dl&nE;9-CcgVMHch(S}oXQW|Ui5d8{tBqwXy_WEwX z^|^ShqaT143%f5+?3o#^@HL?CgUl-G_d*MftNK}{f>$AMJ^KKCY7st=s9?lx*V|l= zA=2@q^@yqi!G2vXtiAqFMWjVnQ>dcE>YaMc_+|Ia$qy(_8y zEAT5&9FLvM4R5tduI_onO=!wkJNRT6yv1dd<`XN2eMPl7Yt+D+g^=3DkLx}GE-5IG zt)Vm-4}TIyQ%aJbdTl`6*fqX*$J?nYs4y36p4OT14CNZ}_G681Y8gJ8tgNhEvF5}v zL>;CyjnT14Yvoz^o{r*9x1X*``O@n6%hE2s@=a&p!7l@^cyFuM6Yh8Ad-k}Vx^Lb- zezs%Ln~&5|-9UoR5kav=Ydv%N+}ToCb8-@$1CaCGkv=lFZczFHyCIIZJrocvIS?gg zpb}-zK{=6R9jn_s95LsZDhnXzmrZ2B#P=F6bL?KWZmIp3DnxKtP|glB{jnVLOjDXU zM8cQwPoVi)OugYsRB)5~Xi~5m+4L#0^id%M;G9`}?BiG!S1pS933onazRNWj*Wm8H#bBIZK;MqWC?~#p< z2WO6kj@Kgg@q=~i*maYv^>({%8HRZSH9EuGZiwst{w&w& zjrl!4eP`zobn$yXPJLCSF(T;`Tzx~>7qjb~!-;_b`@XGA$24*?{CWGQ)GOM!4OVKV zzl1}HM7t>M+x8o~vjSjzt~DF=&zxnXw4Kjup~9#_I#P}(4{V&B;-G;DEsT@YdG&6``a>quV^dJqy8mt{~5t=$1IP^YZ|DL$R?Q9T!aS%`5P|)x_ zA^+8vz#D6bPs@>KY9pDv5j}rm@c<+!Dk3BUe_rf~;e^d6a73^MS#bk@2LNi8bue$N zcOMLFKhe=%l#Ew;04TZpFR&u5f&q5?sAiZ363VrV89K~e8gmJgEI@4!(*{0C&LB7x9nCuC-fq{7hk zN$|V=c!kx>m&AS^vQW_v*%xd@hZIlsF@{+_xPFiyuqn23y(PaYgUfjQ4IA1b!y5UP z=t03DiVaiq!Lc_amFZ7nT;Eq3cW{a1Cu3}CH$h686U%dJChnyKK1VkavubL_Qz=sT z0L7$(OBnAmolB@mW*TUt-3>&AVhq6R_9w^^K_wcum-|x_$wa zS5)f+YFB1XZS|gP*{+faTr|qu}gGWeDL6I`0TQ{c1hyh{ArR8OX3{`Kak1R3IY8w@T){O00 z5$Z1^HG9B?>!2D#g~TnDE;3=nQ|5Zhm@SX-k=B!GIZu5M>`H0vk#khb1B zUJM1n5PwDFbUOUdG!eq_r}v6gHx!=lSKtFHz1*EZ6lUVPY(^Q7XGLIi4CwXl^^W%n zq>g+Li_}=`2m{1JKNJ!6VTvSqiFTTx3PlRu_dc&fht+fk;%Om?JNSc7G8;K% ziCcbtc?}rdulk}w{Vi;jKv5wH^&yBT25I!_6%fSFY#LL|l-7Zza+aeuRUgZ`muwik zqf?0$w~C|c83Dy52EvS1=fz|@>cD$vX^?nZ=Tapl9+>Ygx!(QLK`dLMevMOMi=;IE z`vSR#6ueb}93EDtzIhQ;wXpvnl$fh4B)JdrGr+!XXh9C}sb&{u4u}>=>y0a-5=29H z!XA}*qf>t5HPca3H&7-gw{|RmqyX@Oy^n3KLHP26)ggWN5F8-08L#R~+05wO6v5K# zP1O4qMxlFgUJXw&krQ8xr4F1bDz(3z_#6##zpi&4eZRi!frn;5zeJ_{$ywGKx8=d; zQoH#f8(ILm%24e-2sJcfQg{t1y*NbBOG09VZL_g77$lyj_}!>ms&B=!2RWC{N=jr2 z)C7&Jh|b=YZGnP8-qWIz*kOT$|DOcDe?(p|LMnNhcvkDuh-FbfjcODe8CWZ+*@{RR z^haFP^S`A=Lu#U`L8#@}Q#Gi3G7CM^D0Wi;XW=w8+6PP#nRm$H)c28vxY{40KOT3E z((7yY=zy%YvVW25st~GEfk@l<7suB?B*blen*(4ORb~qS_SuYl4TUS#mx>K0+_lG% z-hVma&{mi>;edXE!W}OJHNl6pfze_r9(>yD%@bJ-%viDWQSdWpMcD+($k7-sOp$@P zBptq)3&%3I-wAfMhQK9;AwtBi7I^SzSdy359SBb!QzcFp>piL%r#w1mQF&&bhw-+e z(xPY!+ShZkJA1M9=Q+D*elJ=nIb>CTSY$2+lDo0L%rGRDAT^{J?Hl_NrLpy5->}Ne zgXV#yb~qL5U|V3AwOVUqaIe|)UyF@SWLndC3ewp39PHe4n^Pp-&MIFt?0W>7PCItY zs87*tZA&@fkU5&9(7JLxSKtmY8+M@?jM@MN&Uc-l-{xzjpdQ{ML2EX2!bI?m_*>M% zd>e&dlH~9MW+2F9b|gpj=u)JJ9w{}x{uf>y`%ju+>PaPi0+3%d9B#hb7Z$y(vviqK|a0IR%MVJ;%qOHR#O)Mry4* zD}ks?ScAw(M-rYLoJ1;3Ixl$J2`z{~Z~~qF$3zt`Gc!1W$tX&lYMHi!l{X|8793hV z2Bp4r0Op;OJOOJj=nYBz1Z6^GV*9(UEBcW4pqxD~G5_!GHgyzcnk1*$w;ta55)lyE zc=+se1BI2@Okv42ekcwkYEz7i&M!Lins8h;G@Xk0{ZS@UCw{Gtavr?adsB6dLkd0t zd*ykMH%J>$InV4p2Z&Z0@!sSX@}qhKFFZEGNlE8c9(x%A;n@*>i=j`_*K3{|n6C7R z;NpB(t$`rlj*H`5hDyL? z`)7Mg8Q@xY%YW3ANIZM*o0^{d|4>u5+iz;h4)Q{`K-5yM*H?4i!8@2ij?VrCi5-0I zS?8@t>6fqRQe%B{^vz{N1FkkzAvX1t5I;zGlEDN1gQe1METU~7h=&_q%!=L3yOi0_ zuh2}-TY{{o)1UYpBG@6w^dOUk(EXK@AQLdzEodPOG_)Ok8nmVspK4O6(nI@oG@n%> zxFL0)$hv_xQ_{fdP<#rP)D3vbUlKQ;X?lP?_%bFS=M$;SC@xVxTPf6c?0~k69yc5(!#v_2pMPi zv-36x@}{q+g*F_e^ECABq(J=s$2~*XenuFN?lRX-o@)@Zx{ ztsn{S8z_*`-jxW`Dno148fjUl+D-{`^sdV$&i5lfDx8~2r;lE^!g7gs^|sRz>7`qtnt0ic5-#} zTah7~8M$+^2GGbXy5!ZOGD*XnvoA$gX zYyZE5&U;GO(k)U0jZH);`)S)&i2Fp3?&SN7HuYsnfn1&KC%M}H4sP;wTX{N+2sWZ~ z3fYOLe1*FBF({_&gSw#q16!V0HFC$-D^mh;Uo8%dL*plb5jV((o3T3)1p}ze;IoSk%?dKP~xQii=Z#K*Zbu(u|T22Tz%z4m9tA{*eF4@@l==81NES~b%b!$-4+-G`v zI@vBmM~XdxW^ZSSOrp7Ct14xk`wLsbd<4cvQ`atLRm=K$yU4nVY=e0}`+0e~0SPuo z4|!KiTHT901gQZ&L6j%zsDENFr%qqTfSq0CLadU|wEmp9l6(B5q*yhBozr3a3wWTd zq|IvgkN!1RpRMa1r*vRqSWei<;P+rUP7NuO;3Zyeo=%R=UcR1=UcU3^u3I_n3~-En zR0qcZUWw>_l*%SluWO!V%8|gn83vw_HuEz3I-cb+MBOsp2F_6QS9Nqqh&S`!g2Y3I zOp~rAJh0aSM|YS(DVeTuZbjX*ve~$0ZCy!)P#)ma6H(e1rkDJirzt>eJ z-wjBe1J7DFHALwzAp6ct8pxW5Vmht0oE#ndy88A@O&-c0_fAa2XE?Il=Wf+K{T+UJ z;Ex@=kz>iI#SF1sYacEvy6vB0EVjNYiRN8K$C+irUq}m8#8h}L+?f%m;Viz!4}hAm zcIYfXL7EWZZW>Xbfdu@6X5Qz={R`MhB^XwlDYjA4T73Z*QWZ%4m4^v49$h!TTBwu> z9Syl>sHvVI5>f6QR_c64Ara*Q%PwS%@PxG0{JiFM`I+5ax{vzHymT_rwjrU-t^812 zX>uJ`qRBFgsn&@No=g9*yBxnWx7%NRl2fNscQ?h7;}?971hG+dAeUKXbvBQg)^`2K zB+2H@$kN@&4=){PFW!mj9n~hpTC(KEZ|wX34F5x^D!N)M)Kag zDv`;4+C{HkIAUE>QS%+F)3v9jQnh5B{^VGVR{j4=xn?jQIx*x#YkN&g^T(+?Z{JlW zo?31QX2-6UHVPPin=>8PTE-l8SlUI9q1os{^mJ7`48!@#s@*hMRmc6q)u}UMTUcN@ zo0Gyoe@cK}HdW1S?n&qKpn#PJrEp%&#*0$!qMcAsrj2|H#k?=e4?g5-XQzXqMQYw_ z0nu@%ux`Zu8L)k3pgl$?{o8n66>0(Y&XJc3?ASusBz2u`6YFX0rtSm*9)+V#>6-*V z?ceO)5&Zo3rnfLY@u1-Mh(XnPe!)!sE*QR`2VziS~(8oB7kxVi~puBP)3nI*uYM zEw|8tPTM&>g`lMsOE7hqz4hL zJq`Fcb>8j$6}Iff$oWc`Tlk^I3Jl5_+ub@axuo`59dcqu7kAn|Fl~7fNc(jf0^?nR zv*_P^^41p*7n=qK=>U^|ZT!kf=^uyUPY`DaQurI$fTM@#16Rmz?bas}d%-*#%OG5F zCkPa76daofX}HnRr0vr`NN^Mi1)B&zHdqv8jJMVw1vOA;atJHqi3uEB>M9;0Isq2! zIr0gINaQBYL@M?{-FTYRt+|uuuQxu@AogYHy%{h9Ckkbq@8j$7JP7L7zE_(ea*Ux} zqbs)NVx)-2?V@l2AqvKrDwiNd2G$FkumsT<-Zn@ds~=$iJSyCS$-`f0Y$uQ)5Ya(% z8X4loh05?b!T~R?@bpMY#R1zR&{u>@lMM%CVyrZewrLIFwuucd<4E#fb z$2rQjmB=LB|A1p-HU|BsT36mgWfBxTiokRM3F5hB4BXOaixUwnk1MY{jp#_2YQf7- zRzqbkFpW^L3`i!s%A6Q*LIjVf9wPopT#Jxq_UCtG@^d1eO1OsW6HqLvZ)O7c_GZct zT=?4R-};tAk#~pBK*rpt)79%wzd;CzvCwv=MMUna?+uj6$S3Xol+5+GQnDQN))X}T z5Q6K4fqB^e3lf^U(#r~)KH+7NtEtc4f}+@3@>+l7nQEIqGk;IpUf=*2)Dwb9`&$Yp zFj2ch^7w7e*M%`OA50cL(<*Ju`$_SB3HJza2CXRVB@d%PK{$?4CSkA4r6YFQ@;>gF z1o=n_*CoQD3{+UY?Ihwyjp1m+BAvdB9`QIlF1Q+RZEVz?nR)-dUWtkN zDc~n9e3AKU*(tyMWWiKuL#k{{Dcr3ePX*gZLx58m`GF{Wl(O6KL@VO{B8c9T#oS@T zpxjD?<)c)40m*QK?tT&fkLq@f^99jHki9~=Oq7He@_6{aqPx^oKwmT#t@}G6 zxY|}=U3o8Ij3nwKBpZyBPGpNBEt>wumaJsO9xntd>8{&;4}QE7n_2ahU@kzH*^FvE zlI)~8@Expz1f>JtGV{fUOFN{wfrT4TUI=dL%p?t!W!=Z9r1J~}MfAas#Y6=^x&Xe1 zg}r-xZl8C@dTv&G#MTivRL_o3IE$#k80S(IWj+Z_BTG zutqANqM(67x$~^eg5m--%6sDt*=XTaBq4S`aX;QT*|EOr_#iO(!KQbCj7WNf2Qz;5 zh)A3tKx(NJ&dN3DZWbMzg3yKoyX&t!@cE zG~+CnQUc8(&85>$Wc)Kr`KRU53*T!!J+IcQVkHmvwEJQ{lkibejDjK4{QTVbh`uW& zF6|HMXfDeb1**&7zE#I#8e)VSCUN4v4{eIE2|-XIaHKtFCNh=vMY13TZ%LdNrc6im zG^C;38;(;2M+-vn)q=X0Jro4JUf}|DPeuzoX1~*)_i?Hl2LjZHBIJn6Sm4KbK>edj zKYaq52cW#t-L!f}Qd|jadE-0tF^&0sUgZ6fIHJtUJK! zzQQIpACW7C^hcJ-NA=rH=UI^U8$W{je=OYo9ml}5*L&dC?rwi5P(Uoh@2i&?aWpW< z4lna73c7y|$sqWz-N;w@VL!$1Zw^*rPG+LGE{R3dTNrs=W&=D4E1V(%6<;mJPl6pR zsJ3p`JPN6(6&dec)}!=1)jKGlgAvx>sV>|N@r^k;dg&ddFeGvpr&x=Z2%%5nJLr7U z&v=pdepUb1Jp9{jqfw+Ohodo&!fdA;`+HE7c|Iw(QSJ*ojFz<6YEG+9D zn3RmQ1LqWLF$zK{DBGrlgJ^{R0>BS|@pN|x*66$i+lXccr;9D7<}@%yhcNiA%fzSF z0q`$DBEd#)`M^*PjL*3cK8N9v3lp41HX=>zpbvteCr5UGHf{Z;*fOB7hiPDB$i#49 z_=RpoJ{z5vj>3xjkS9`4(EM&*eIv>2YowFzhd_*%n5P}}KeRx5f@q1(J-;K$P9*n* zP^j6?C{m_DP@|aZwF_b^?`49%&S7_3{s`RdPaqy+pTsZb2pj+(zhR7<=$K#p2%hZ) zX?xX~;$7bHXyf=Y@KN&k<)fJIHtnj&>9dy?@Z0%?yX^~U`=WQN`WxK4P9AG4uELxF# z@yJkpqPS4*#2zq*Vi01WYEYue9?wLTAoxyfh3WF^`3rn}b{;0Ekl3N#&<43qMZ^U# zal#H^r8dwXVLS1c{$9}pD~LPjapK`Dt5j&wgU~4C1b4f+Vn2WMG4QONoOFyIT6i1L366qT)rpip z0$|~WZiu#jngHT1n`1c^WtPBq#=`p9Y z`qF*wK5n0h;IkkGfyk87`-p=zB@l|~|CoEU9HqWB&S)y1i{Gc`0Ra~V?4ye#2;NW& zcyNVzF9dwG9im+$Do%)4;Jr}6jjA9(6BSsnJU+;0O@_~|4~xMK%E+Xo=g40xGD)7p z2d~?7*`9!wM~Sc5vH6mrcU@oj|M~$c0^^;SfHK&pMpDqhQ3i7KAh4mOptSQ=}7BBxU1-Z3ll%0g6khg90f#1eoEh>gE0{0<1N-b?tC` z0H`qWPPpR%e8GOeEDz+sQ0GFFU*Lj5-;|qw7?u60;Tq@wkvQ?QX|H;+3^HL+Iw%e` z2}?gTfA{Cek}GCVII4cOQ|o$SWGz+UNg6imB#JegmKrv6{q`2{eH)iPWOU+5$V>j? z&s({j>`(=+;(-0+UG$J5efszi0V1_Y_VAsa)Pipra8xIplp_bVugZ69}tX(r_a zTDEZ+#*Q9*)VY*BOhREDj;98Xmh&PIM-1vg0*k20rF1Vc6EZ=ol}8E7&sE}53*jpi zaI?_M0QM_AnNa+Wx0TOS&{6DLrUNtPQk4PA_UCLFId5(%x@!m@T`TE@;K^4&B>nF<2l;6I1oa3I+k~$eL>7=h0TaiduUwS zI(5^*f`cE=_DZMN&0q<)R(SJj7R`X#joYV;xTKAKOOR%1`({J#3UsC@H;a>X<11M zhr0YnD2Ni=xzHQTTb}Q9K*_+aEBI)n(769nlhuUJ-MHw`zF^4RhS7Qzc8v#xh0kNb zE43kt^pcc3=qD`V(6D?zW`{(w5h3#|qg^eC1y+4@ftJ8~flfOZ8H`H27bFy=ARg`{ zNHQCn`$M+)1VPEeK*pRC1Vbfu3AaIp^X$f)6rv1}4~sj80V4`yc---@!4)C8C07S-sO%=U|w2S^F#&nMO; zFP+G|Z*vod3Z6^=F_FS=QmE)0h?T^|SqP&HGIR0dZHA!X=H#%^Q1L~_Fq4diF&){b z%d>wFr`X7X+f{Y>#e8kxdqNGxkZdek0}aW;&MpfH>s<#T*}^rtiBdM?T{F35t+RXx zM%4K5lEgT*dwgm*QT=?%l`wZdXoJO!C& zcO1e+Cd;PsYJN;^HC3v5LJO4@_??S53*n&l$X)1C(AOMs#VzZ zqO)nCE>QSM^kWl*fRy$FT$GCbp1*Lk9~g@gGKuia2Zod8=&>mJA%Qt2vtli!SJ0lx zzM_5q;$t=j3dJaK_#dJdY8x_QYdb1$axa0~n0i}P@2xy+ke?Z&Qa+Z@wj?t)<9Q{M zdd%yLXt?yvn2p*Q)|}1MS&asc#dE?7%$*pVq>Y~5E(83WknIZ=1wRWmBa_5-OKrx% zh7!bUeuWXjwSF#ksc71fr*Kl{$ZG!K4eTMRSO@s2K%25@x!BOGoZkm)S!XduV*OdY z16B_u#9`tduh-Dol-6~(2j3JJ|D#apczR8C-6G4nlb zDK;r|@w7T=TJV=JMl|RP&p<7T=3!$cK3g3{456L;!`mW+pFi0rZ5SPiTM2 zt|qVUq6gDd~#VgZ&W)Wpujvw93 zw-ae0kvpj|%uwZEUgr#kWsEW{JJF zr@skaxHyQk7quLRaXJK5rGBB}1Hb2`Vdu!UFX27dauJX*Iy-9XLZ-$Fem*J3EtPs_+`+tg9hQ=K;9}6p1APpu z@(9q{#H&JGHf@5C5Ps|np2~fCVSCO8G1LqpV}(`6_$-ztCx8EaWbEn3$IFwG18>FZd{Pn09<$HLOmLKxHlYCB5x`oRqPn$q&NZ1fmNhO8HG=dEH@H zR#VckVQPVGjoh$YIDRUfitL^W@hrCfoJA@HBwwka!s9cD&k>c5tV*8jYZ7{zS1DbL z8*!LWtV#=S<(9=bn@Y!b%ht)LBUELpe7gO=cE7`C&rc1f8Ia8)!FnZ*Q1p_7Y7P#C ztj1p+5I&;R87&@Qtam3kh;u2ElZpn)PR3x9KVVgZBSj!oNRaAHjYQ8y|INc0D{~Ch zv|l}f;%x4~zP0QOtIU=AW~?B>av%N<#12ccC<-ltB*P#DH2RTG_=?r4zP$}#tI3d&q%m-`s@I_b! zcgJBrx0xDa$h9smtdB9E?ZM8}}e6qf!$884Q@zM{OgrGfm8eg?Ad4VvFWBa{0=R*EzVa@)!Dd zhvlJ=yT>I`^bYH@mHh|;$H%=%*1MiuGVYBl`%@^6IBcZ-7tz#9$oS$rf2qMQFh67F zKhzWd4FEZ^v(2<8)p=!eTi8km`ikhtCwaS|A?UQm#}fHl0l&H-0zBYbO#=U6il7v; z2-*9u4tu(MKVqR^QcDu8K?2B_#@ho@*ge=vrdes5`&qKR1!I~1?hjF`LN_0m-ihHP z@0+gh7i}Annk<&O$(hyod8&clLRMaCB6Iq<*oKEzAN&whe4P z`$*>u#<)BGDON|h*Kz=rBV3rsg{@2urzyK>PfSz3BDV7#V#qJ4;z;Ttzm~W=dP3P5>@x<}>`KW%LVRX``x& zOz~5@G+fyiQbmO70T~>SEs)6zvMySs9tNtnKf1FXUJ@=a+9uo$+0kMwI1r`9n=h zd&RbPne03-F?(sFaavkk2AHS%QQ7Kw12bq%>M}k_jFZ?c{w%5u$T4hHl(3b`VF?q* zi@{>lTS*g9N0%qc34~Ds2;nRKvp7LZ@=6;C_dxdp)lQPQL4mrZD>q_pwL({@d!v!o zTz=crl9gX4-9?Tw;zrBlVa0~L=MDfsWYnd+BlYcm%h?1ZqVFaCU-;rtGa}4OrVioa z*UyWoIG-hL0D*fqbsDf_}KBw zcb0P@AEKQiWI^soN~!~EWu>Kl;+DEsSSSy)dWqTp{F)1Fb@m2i`1?Y}hGWzSILV-4 zrViC*e}!xf$(3(mVjCbNkzsH$D`vOpAdA2edq4G%!h(mL@8gSnz`NIwE%3oc`;nE0 z`~BlprE=jXMI4VtCGvASiR;Oq_(zfZQWMh(;tgZ3hcE$TE_>q{XFCe%{Y!s^>ca33 zv*;4$?e8Eh%EN223nRd@f}_BZZvu_74hu6DOShY zP%crzGV?K+D^yO##Eqc3x}mR*ngG)_`w+m%_BAXmOKS%XDUqILMHSgOn}ap5mM*)B zs^v%s*h2#+QREOGV9_J>okQh?y5$$#>{8?l@l$G7rGdOf2#Xv%r5f(d$rb$<0rBm* zJ~vT`68@N$sy$G>e9=mR;fY#oVyOuD@b{lOM+2FztIpKOzR4 z2FR9X5BUnw-$zpmU1`WSK~^GF#~Dv)$^t{JSK;J$VCXHbPer9uz^dR83j^4RcOpgn zuNA|wI}1$|%p9_?BTQ+)QB(0F(A{WJpeF2kXdRI8=tBFM;dYwCcv0Vs5()Y%JQ2Nb z!I&P!#ePlax7>XXj*L5W|Fr zRVLGNAtJ<%3gVelZc8Zp{zfn!I#8L&n0lXDI;78}VTUD;D5kV0-;sCTC51~*AD^O! z897!YGMdh6`8Xz~u>jDcq=&pMr~1kOlgH9H_>n^;s67v4zZUh8hW3=G^*zDpAP~hS zTk!w;S~4Ra3ZnC|&`+Eho70+62ia|IlVD!UH|Ymz)zz=eA{tor;N+w$yD3oyjlpjSoGkcNHx7KJ$!@0+rQ#cr*RXxaQaT|<-veLeWO8uwft=G ztfe0&^ee%upz3cLd_+Y3ynQLnA`ocC$ou1VIz&Bm0a!4oux`mmE{4QLF&XAOH_6dC zbAH;_5|+GL>VDC@ygr+$Q#vjGf%xtsvRE7Z18@h=Yy>~iTndV&D`{i0?#o(u4so%ekTG8SGeP9@uEZJfNWnTx-_p=T+e^GG>|3 z3O+py_($j6kmy+90?3}n4gxV@a2E zJ=f!nf&)iD_gO8WuQ@&#Kyb;hTU6wj3CsjW#q|74!Bf*|bdCuTdrvw@CwSn)2RD>> zx1Pzbdr5(^hMjfo=}p7K@h>sS*J@Wqc`h{U$2es^1!9hea>9;*>>3*JUi85K6q-7E zLt)jX(iU9)7pmyp0tet{NHB?h^=Gn{YYBfJ!l>5&CbrPeOyMXzU_RoZU5ujlU)W}s zdK(woL%a?;5fWU8#3MB=BzG3M>buCOgr+DK_m;tL&W^~0N0eaU^6HVn3%uw%-}KI7 zwG#olW3Z};c$&%N`_?*MvfFzK)j`s&yt@AO*bb0A)Q8J<;OU6Q&H(gW~ zIbuW)H@=M%EkRXqHNJ=>lV<7nY^ykB)?e7=*_v={b!nOI=Nz&H>y3}y-9+6)xjC7-I zjk6BdY#G#N$(l%na?Fd5?~?Mwn|#ts7%&&D%|&6$V7;~@Xo=OAItfQ~ zO+L646WLN>*Yon|fDErRhU1YTzfKlekXEH8EpyIz2$+PhOti8>g;L)C*)7vfvH98* zx2l4}cM2=zx$C1FXQoRc6AF4(pyVCy?gCr_U1_yvWHsFgK9W0ZP*)) zXl{zS4+hE1cng2fXywQGGO3m7J6kg8-DLK~1d4}Q?$cp7FRS~zlW1C7FQVx9=6Cc) zW4Zko_h60G_6GvV%&L$d0m;m;v_RRQZ%^%;T{the-zNe|OU}~*`6s&F`_vOL2V z@6Ko9=fAyNn{{Q@JkQ6-noVAQCC+|O32Ovjt5rbP_m|F@U$&e;d=hK72Yt8%D}A7_ z=)a>&{ee3}>M-C2MWbh$pL=af^D@xW(NV(0av9h{y7xWR)R%+(ppQzfK|ZMph7B zVC4(O9g#(245T2hHOfGZ>*;6gq+g22bMw?MM`Uq#{T!vO%x8QtM4p?^e))_%Gspe% z8F^;j`{gt8%v|_O5qXAw{Mu+kNmNTa?w3RH#T@#}OX}*skaK@s&-*W0QlJzGhxW9W z%0Etns6`}W%M*zv@tU%TI0I#@WD1a-AWpHz7D2ikS;1v>!(c0-WPKa(NXF&c zw846JD=9mxKvo)Tx}sTtY$SbV7Dn?bK~r8!E`E7bi7XCNSh*Tx^vqnzfNFW4op87SF6i`b!miX4QFDD+;aTUr~nH-)l4h0s7tm3Ogr-@z3&t64$(Fy1$Rp2U`B+A<4Yl+b-*<3 z%mvfv^!2|jHb#L_>z9Ga;i%I0!4*snM_>z2CNY;p!r_R?%QA{QGMS*zNB*`3bAPYp zqXC9tYk#jrUw;36fBtAjaS&v#7#9Rnv}4%doY6cTUJx$Lt1~ee=YpvsZRUxX0c_Bk%6Q)}z z@^4(*oMeR7942A8jdyZo9O@XOVol`GQ17xw_RBiT$2DvK~((l7Kgq#*KLWd08`@&+`AIQCQe6dx){i<6Nw3RJi#Rgxa+r_ zt~|C$+Z~3Uz-qDx8Y66|sOcsf*F8HZ)eQ|p6?r8QM zzzp~(qR5jA28Xt3?EQZGU>`_TjXa>oA-sn;&<7Uz`Y?H&nG>~Rp6iREW%kVV?V9E1 zPO#Y7b6vY)b-RjgYF_q9GgZm~wC<{;^%~_%nc0<}KFydWkh+{Z0m!GGOn^Nxz}7o= z+K`qUKuaO5I(pWD)a~eLLz=fMYniF)7eQKm`gDiX_4H{&y4T*{Ywz1f(KjZDWC5hr z2T*rNT@Ro(q$MZO3P{V(plU^#SQ)hrn+}kc97bm#Rq};qx>a)GF&g3!*)AzsG%+{( zi$Yp*(3^qOC4m7*?Q3f!F1T`GXLZKZA(Rj(HlQs6CH4CG7MK=6w>;cXnRRR(NUdYD zwl(8Rftj?IhqN#jP;E#rNO(;M@2?6{-QGfD>Joe3p8cxu`_<4F!?Gx(B@ti2+T!b% z1wEb%X-P;|u(kmDWf5EFLRu2D6|5~n{=#Eg5|kCJEd+j9r0BVjmPB0zYm0GT7F4wW zQkMw!_S&xuVqbsp*I4^5A?oL>{bizX*Pv6E81!Xpe+7ZUYpi{jAoHbbe|b}czf+vgo0mS+plwqb_w)8XYDT&%euyja*5<#w)R&L zZhKKkOSk>CMQdM_PD{7_wS{9Zi?u!v($Z~zZSmG?jHydBbz6(P;(+QkPSGym(rrjr z95KB%q}B1zZAe!f61@(jhBd251(OnGN||0NVev+jlHN!=g=KgI{lD*j|He(~n{RZG z+zPq`HLu*MmKjqQy8{bS6YM*Mc{yNfK$?xYQ8xMWwUP^l;;1qEF0m+#o_`JDD9T)G zDxB~)bzBIABo6%+B?DY?HS`Gj0^K@e zIwufsL1c`S1ayvrmXDbyc$Ng%Fas3&5y55myY=Z*yYf_=P4%5^FH;{}8v`D>wR#jr zI2ieq-CMHGgcBNAhfiAg<)dW&q$skjMcwcYsd$KsZF?xuc&fQZL4`4G7iI8 zSHYU&36@&>6v<9;ILe=+uGJfrELm};C<NN7O_^Yo6-s*#%2CpS{*607F;7NiUE)BlixgkqLX^R{5h zQAV3faY#pqr$LZZU{k1s>;I5}`VxnhbwJxd>bmyRPp{*kN`Kl-3|BH=VhBsyi6-aS|Wz3NrRUsQ-hqBZ%}*S$#Itkm#w=5bGWe$URCj zu`|SHoay@Jvp#^@=Fqe*G0Jw>Z#NqM11>IaPL9B(*zjcZ5pN7B*Y;xpnIeA&VEH>F z97II>U~;1USd=GTBpv9){C>-fqn}5S^w)y{+W{>0#)1>Y3{klfg_LgqVLN()-lJgB z1~+!wEYrH(sFr^em}1g)fR6$scuqK-b)jKk>*^!hR;y&7T-_C}Vl*jgsfGaNI|4Sr zIcHHD#5mwB90KT1aEN6zUwkiyg9HrVAxJFg+Kom>$7RO%D46a52>#VMKLbN-yy#S{ zO{|q4I>daEekl#1tCx2~$vyUEEHx}G^(4g^x|XPv5osBTwuZXf_7qNnQsVm`@ZEPe zIQs6pBk(U0OL)xi7?sT@tDT>>tRLHr#)}uAn+Xpr23$j<9{7ku957{G_(=yc1|NIi zG-Iap^VXR2h#l?j`ov>x4Q|^bligJJzB?ulElzgh&_`5Aa^f5*8*GU-T2{^NM&neH zHsh3pqhM;=K$-0`XDKD-UQC4_OD9U(h(-IZqL9TD>5%6sbpoFtwTLuv>!f+ulYv+9 zFg*lwI1*5)(8@k|z zwR^EjlyST~(Lx-i^>zTmqYw|V2gAf|O)d_PVhK06kAo0VIKTnsf{DU1>nXD?QE3J@dlo;3rX>3=} z2^cZpc!JIZ)DMC%ig6~oYZ-~tw6mkW666{pwZvqWlW|%_idHE&Y2uBDqI>ZK0#7Vw zLAElgNm9jxoYa%2VKvD)l7XY3C?I4ql@d4(@5GnL6Pt~AX;eOC6QN072IRM(wNLh$S|Bp9t}MOxRAtXDgF_zBL0EQZfmV5GNVpykM+Vs6W;41V))fbU`>W>>F#&li39LgJOG_#LS?e zX;R<&3krf@ND&(+dMkBU_+*5GluXhkGs1iv59DIW`#~$~`BqBv+nTXtH>+6f0A`N_ z%9BIVHZBLP4NgNqsIPbj`i#7oBcoUm-=`B~7+$XZ0)i0z`GdBuQAWub!dQ$B62ufC z=nfr8Aq!>F!wLujoDS7g6vJoaIlxfJusp5UEZH2)?1NSIXg1A>{3R$UGy3dWys@IR zNWP;yjm0kAZ?kcKNBr|k(3hKl{Ifm!wXaEB+5KA4MbzBiob?)wo3ozbr$)>%Su2f< zA{p->$!L&F2oG4hZ}UiXoKk+G;YdoMQj%8E#gGX2r3{;XlHLdy-k^k;h>{4=V5)(U z9onGUupKoTEd`Cyp&c2!BkPkkIJQ(yTK8o>^bqAzJm<&^|B>>;l8Fn`NTcf9ua!lL z9F$;ew;<@xuyWS6`}h$DNIIz=fo}SNjJ`G@~N(~@uR(6sFPhINLOgY+Y&jPDpv zI3>?ZeB|m>Xe3xD{(RJs+LV63?~#y^0Lh<1Fz|R_TGFkIP>3k@GGo!=0c+{^t(Fi$ zTB6+_+Pk7w+oOe#1yZ@kP}DWB2xM-?DBMZbQW13(!(JMQ}t ziCtR>`^wT5+m>ewt`5O%a2!jO6%-<9OT{eugc*xb;hty-khUx->a*R$H-A5Pxh>>S zNTri(S|tOmKvqn#m})WveFsMl#cL-qq0U_yAE8Xf8XAXkS!qs{+{wdCgtjf2T?~eHJLa~OP!N#ONC0I_ zIJVPG#3$m+dXJ%E#%abN#YpYlu!kp6FxBUHEo>yFAkg!O8h(8UvHV-D)ZY>E+ENWR zg_EH1LLTmmW9v2azef#VQW7!ocS~NH9LfIm`9M67q%D8iuhOSii3{8j=mZaN%H%tF z060>LVcoEJl(YykhDt|Z|KR1TVz9NUgf;Bb>{kf9r0NvYju2Kn z5(MhCJdNToiE?)LJxkIWD*1#-kmO%@f&)m+1)MM4od>Ci@=0%U_Fas=V9Xpj3VBqD zy8Y)MAcNfr6yWS;&f~kfFS~XtbMA!dWS(*WL6*P7h+-j2 z^pF~$u9)d>8R%O&;l7+vDWIqU5c425J8_8ABcotoS*=3hNIXyyBNn0{Io{uz&tC}W z!ci+k4=oLK>mI`vY^ed3+w^v-tI&FAOPfQ6U=)x63{nq8d6JOTJtCn0448*PNHJkM z-~oXNoPsgD&u{RYBBhH%kvM;c9u`fBulWv zhq{$Liysv|m)D)`dA4r8h7UO$K&D{x2NnI6)tv1$UsKZLsnV#2@nnFg&9u27jh3bj z9EyFBA+}R^8LOss<{sB0(gsIELp-X6!(5kCoSmAIiiM*o^qSbQ+kmOKz?x+$wN{dQ zMwcyK;Qd+hx@P5-}m1f`g@1NH_-q4 z!RtNm?=N@%-hRESBcA+ymlDEllHFypG%DklnFeVnyHab7VK%_kA^5-IpVyX3MXLIFOyxCX7N4Bb zUaMS>Q8=|Shot@kN>hJiY3WfoBvg8aBqM(dgWy&r_SfgVq^YCSGRLSSb>mj0g9nRe|aK`DDp5fq{Mq5w|QGdPKP6sz>vK>IHao(aj^ai9g#30weY&VH9k-1th zrZbW}H6s!`wKRsaUKU2(+0mqI#0@+O2}QnAsK^N^j@6?(PYvqwaO*Ll2wYwEZr)v= z^lm@&POf*-pT}>lA6K1T@2AV_W9!lB#p%uQ+uP3dyWZ^6pE_s9r`K}KuihPZZaQty z(U)};O&|`X7P1g@X~v@r@I0eKESuD}o|V!`mujW3CH4q05_;uos!nv;lEsR7p|L*I z5N&?bXIY)Fx)4+LU(7@VPxauLjFIY!G6elh((-;AbmS$=0EK9Xx%vpR++{Xqmi-X% zjo1hbJYaytQm4@4(tb*AR7@;$aU%1L#+YQ{3;LLGiU+Y0k|ca%Nd2@?kA#do=mF9gUl|c z2pJ7+_G^PL7Q2Bq=eN9W?4eL_iY|$!6pzLn{9lhm)Bgeodj|(*up13s&j->RT4LLYpf^UQ zg&puwn-Lzg_rR8@(A2M*+yB*&(leY&QA3?)u)1P5X zcg!A!K1VX44x#eIg~h?n9M4VX#t$HoQ34o_Vj*md#Q9N5Ho5EOh7{2?ihy}iBszkBB6| zgM)AO4))%>+WQ9VEzno(5;G3zH+xI>l}GNG6zj^n&?@vuUwK5MTgD-m|5NIL_5^+g zKY)FKZCMpgp?3#<5JF1hOJlkzMWu563mKthY#bL{{0{5?;MJS_`hWTIV6*<8qFC!+ z*>Wo54oFAr2((&0inm*2&gzAW?B|C`sZv+IBV z&CA2roAv(`1;%_VmT2BF`AE69T8_!)rtk<12@zi;HHU;)_00X>5g0()&?F?~3#H#U z0@^S&8}LB!iF_SkY0SYS$!{&X&v=*D`#PhIE&|Phy0TT12-Pq-scFsuYNr}i^$K$Y znO+i!rQNhD6!;NMMk=vE;P+QT>q#9#kzf;Ra5_m|y z7y7C#^pW(`lJ`rLB9Av9^~RVZsn$HQFCb?O*7dut){-6P)DEYbH-hbKNYxrp@ z$0N`IXLvv%ovNE&W#ujf3nB6=LwI>f9FP(A5|b*eNCd{>7l4~gJhG5*Z2~KA_y*Je zkG;2TZ`)QDMek?+3LHA!vC@#1?8NEP-r0A%PP&$#wu!Hurq4cYZw!%;gqk8)f|8?^ z`26^oB?wkbC`dv|CcAlFTphqWQQ ziX(K2STs#G&HVc{+9tsz8}+vyJ~kPyUce?UOOU;GFMku*3q<+EfX?Ck(@whQJUv3 zO|cKpHlMEY-?+NBb|0TLjwTzN3IS(@A-aK9TU$0?&??d6E=4VM4Y0$#| zhll%v68}Hj??32&ck+DtwD$xp=xhkyg<~2KvHHK93A6-LGDJ`IuCEC5xu3Tqav>Q>L zA@}>EGgtikzujIBdDqttfb;2-r=5UXdJt6-xHpuN@D;=oIuE8KoJTaCoJbdU`T8|P zq7sS@1Wk~YNF0#-02^n)^tE)`((1A{H(!$F5PkZDApFbqwQ*6Kso2&+p*CL2VGgYu z-C|TJga!4LInHWH^dq`JpV41)mXY#TQJuu0etkvgWSR}pz|kMP>O_K1cEdz=nn%&V z?arg@K~&M}QTJ&SE$D-@cO;$VXAfV|T&|eC8%$h2XM)>Z{cbctkbHjVYRC8y#n_j0u3MRy^`B?_xVUzSdxbUn-2K6ln?jx`tobS@f?uRnsI;81ghgz!{85No8zEE1i-#b87-JaBEaHkEa^ zhAZVJtOni;U6J+T#<(hCYj?v}5&p%${0_8&ZK5tnS^Os(bwrvjeV4Q~66#tv zROzDILr)RLsUwDr3Z0QOcy{MRg_DGD6;W`Pa6FHAXE9~gxJy*2p??V^sT&3z5u{5u zAV)7gs@RH8MhkhV4n?#k{bdNYzT>~$xZ^r;x)mw>fVI0`yUxBpIxg-XbmS_yD$`xw z+j?AJnFL(T1B?dbGGU9IVe zJDgBmp*sru+d!d8#kD^DHP-EpMh>3EI%^_?%>-vdofD06bl@L+>pMs23NK~4Qh9Bm zuJjd_?u9hYAhRQc1IcKV7dY?_{JxBCVsGI@GYU&jRpP-s!HS(9!Tof7?IM(WRr)%R zlK_iyvv0^-l#&Vg2zEt?Mn`an*cg5K1dDMK4CwkAjYxp!oXD1GJjp|eToUP#smszB z{l|fSAjBOcn1S#tE@a3btznXv_AA|*N_V1^?$dCVc; z=xiR>&Bl`_9kn=>D9wP?qGtm$?x)?wZ+-7?fApUG_Wxi1@#OmYk&AXM^q|iuW9N_r z3MoUeXa~q=6}5e7Pm>-RyrLb>B@> zHlIwTAdq}N*U_|8d^ve4lP3oA}UVe%1ireuN{21ZPt}V|f7Ue&0o|%5xRpGg3uC&pzT5OZ1uc8_n~M zLwGrrji%fi@{p3u9?~^^^pgO9jg8VOi62*KWm8ZAo{F_VWp4q}qZztl@#73-)0AE5 zHB0oXphO-z&VLpCovP#l>Ts=bk!nL}akf)N6&%C<$!HA6wpA>cCs#NQYwA~y{!aKW zD*T*je|`ioDx3~qBKP-L$5cH>ug}ijp2-y6z>g}SxQ-c_0u~DXEit*g=_xyRn>&4} zlsxOD`+JPaPm%19EJ&>4UZ=#&3;q+_t&JPZ0P=_y(pZDqO zPiA4A-MqGVo)$f?kl{(Glz3z8Finej{Xw=mo0ctTh_owEbqFsTYBZiY8^7te)R<|8 z86)=_zV{6uf+Lhwtc({JcC$eTTGGv|sMy6arie?$kv{=~$j2;mmqLbHj&?(mq$H3x z(ZSwf(S;03aXOD8S&M5cN^b?ZCPncQ(dLSABi#<3Hhk-%d}=vpz=#MNy@~Lm;0nudU%O&0x7wyw|*@l+J8A#*D9^QR|P7$BS7dF?V5gs zMl(H_k1|?@B}lD~p%`|F$MtmuPk_Qd3%6ZVL=jF|ub#q)Y>H;I>h~MZSqY?G@X*FKl+_ z!?{Py`lZ#itv{RS|LSbN^9G<*{~wg&e;hpDf3W}F$+M3Crw;prMmV?>96@54Sp{b@ z?AI*8868DBAx#vS4x&e=C;Bjmo2K9D8l~t<^^!{y6{=8KLe*FGm-=?f(yaKV{wmui zPYr9N(PnOl^kH>{d{8kWA1Q|gR+ZFaH*1T2^4fbRapogj zlI2;cvJ}TWPm~d=bW@oOxh7LjLUc84?!?L-iewgL8fRoeDyGg?0&%9D^PS2>C_d{m z!90klRwr28YyhoHPQEWP4zY(XTMm}%e2|LkAI9E=rD&J@Wi?*st zjaUc4pbv*nRVy;cZ7a!Es~Lp0TjL?|-P#@!6&DG}<+R!pLLz4~rw28(;|OyO(&k3^ zJSnxdCSI%6S397rkKS9yZjRi5q?tFvF`mGQggVeNf@Oj9eD~8i;&c*|&=D2rmXJlN&nlgLKQ)JD>yzMC@@9pFh>Y2^7Pp)YDXW6t^1_;lJy`Irh zgEdaeX=C84_j4t^F zH@9a09}KGc|3Ux7gZ_UP&l>iBLzjo7%{UF^^MF2G0?lG|>BHv< z34E?@Oq(~LWxC@YkxM7|B`CDi~m;p&weHT*TLZVvj_Qq z7tb2<|Mka2NGP4gTw60_n$kuwWy%<@D59>yLS2w1TKyCy-!4d+(vYCfLT!r!ba((i z>Fj(y9@CG=^{P6(1o9Y?J*bGW0H%OhJ0W8(J-=0|YFP>dY1;tQf>J&7^u7_gvpEp? zTN@%iLr`rT5afRABKL#4`Jix)xbZxSmguiJj_8<*jY*QgV14ITB3p;@ndn16&U24& z&Sq9p|6(jcZf+qT#mXa~Grbyc=ID^E*h^;)tMztm0LxTpwI=&r zhuBu{kXwmRS}92!EWb)xY~D&sYAl9l5T=e1B)UXQGb-1Gn42E ziAqL2k22~Ng^Fw8TxDS%f%mD7pWePGLp!wsHvifvVVg@>sI3WAv;s9>S|R!$_H3a4 z%L@rxJO3R#>sRu>9y~vIi2r*h&l>uFe*7y5KrNdq)=f<))>5etRL|A@mO8VuT}CXa zu#gD(A!V(L+}Se!x$1zo)Rc!_TQBzVyC-iGc}Y{AkqT&}-a*VGVC_W+?~Rc7XhIhx z*4v6XC#ed-mTMcv{Y_CsFO4iFK7wUHo+!{v3x0VzsPD$?{yFEFIy}yi--9Y699&-E zG%OC_X+*Q74-kAy<1xEgUW^?*e%Ui%wK5^*EuI3CGLAfqpT*HqtS(msP4PkuV?k0J zm2t|&0&7M`x$X08n?@@tOyzj0yfd*+t@Aas20>QSFUtytQgy2J*4!<6>V|Te?u+#u zJgF)t&&AoAtRI^?mWJ7{U%0EvUt>`d&;kQ``1M*+S?*ktWhb!%5e9D{b!3FXO9Fn( z?t^H#8_{w}mi1Qx-xxM0QAkS+sM^lpFq=7*iUx)+WsGl&aclU-4m?`n9J_|?)>v&( z^!PJQ5`9s?@VpeTyhJn($;VZ-9_2tcJ5RQWbFX&a?IAZJ@g$qNXwZi_ zWMU4%kHFr=TfbL2kSXS`P%QE+l6@>^@^Kzn23<`_N~FiP#xdoHXH1a$DqbkHT*C}9 zgMo=C#{Y_P47)!1l|~UtXmE+fH07DR z`%5yCDyKljpP_6_f-2_(dEjGI$V&mU{GvuW(Rl|^isO*Ya>U7Iy*H)&5R)&hKMg`BPP%1Iy7BaFlrQ?(tJom4v1#BKg%%_A9GUt$ZZF9M^-mt?uJn@qM%DBw zw&w{6qyDxQqOf=r7ys={_A-ew2P_SW{t{ub5-sSYX!Wo9$R>aulJVEY4EZQd-|*jE6fz=1PAT!0 zFXr<5@3E_gCwpCe-ClVCH_WGTnW`9FLs{c0>t{4Nd`9BHj4f}D+qh>~x;&+_|5}L6 z8S16UMNPMU9%;ABQ-eLru~X_PPOFj{eL8FkpwZP}xCTTuL~7nZD}w?75H^bbQXQ37 zotyVHp+jUymU=*pUCOpXz%;{B%g^?0EnjJ3rO7|f(tISl5xXKO+7)ZWQIt$E8uWVd z&o}cKNojxvJ+wPdl4_~XDvrtrw~23|JP#7IRCqoXZ`puW{iS!NeT$={M5>CMJs_QP+UC8 z!*d0s-WG2Z=o$>B)K#&)Qy&0EF!~ye`_@OV8o8xx%~e4GD%H#^PIiwkS65njL;|w9 zT1$P}C4a#&kX58tGArvf+$Vm z3eY0|`-lCq|HrfbiwFPjJ9*ZU|8Ypt+?ptjwYh0l6UZt@%9=nS$c_|JvlK|9L|4Da zY8NF5UOB&86b6z)@?}Y+znDQ~>as_fRd)SFZbJEQJd1kuweL|}kq!7?8UnX?|D#{w z|AYO(!2|!_#j^(g%gg*Umf`E+=55B%MC|AF?pmGcHA?_VJL;HnLNdkotGD$!=&^bW zbv*sDqg-g{INxC}aH@TN>S2cd-m%y5;yq4v8b|UmVQHrFdddc_uU|gey_}CokVSwT zZFn%;cDv^BR8bhzULAQ1{mEG@gyT#16PUbxQ9@q&zrMb9(PuQmoE$zwo)?mUg``(w zs`-9SqY#mJffhKGhiKBt1WWJx*7+;pLQbBZklE79kAvH1q|}sQ423V?2$e(>Y#&_w zfXL87>s7-xYJjou7<2MNr7GAQy>f)Cav$bW(b!rM6sxJkE|O+TAN6X~V)(PLU^ceW z;GK~b3-CB)GreTW8El=omB%-^!-V{6EzYVmT-dI}Xw+erF@wHac;6@vR0mJ4Q5lw; z?Ct1J$g^8IWXOxD+01*YcBzoleB zQcivpFNZIY`csv%smv@|p5)DrP5s*Ar=E3iX^=z7Va%_dpslpyE2cyDL;rkuzU;Gs z{(ptjn8uUtTYy&kZ@*&yJ$&(y|M^ayHT3^q<-8+2V)INTd`VdpL1qX%S*7;pB%{i| z!;=-^zt0%UR>}F=)=ZlzjzhGYTP9rXbnGG{pm$Hj6fH;Z{w&Xef1q)QTrd6o_wd_C zpZOH;KR+D0GTi8|M`v$N-u!)t&Wh2akYpstNQicYN^S%WzrG%dH=@k-b?+%s%0`^$ zzK{X^z5A6e=L!BEwxTm0%{c10>I?r@JcT6vO(wF8iFY2;Xpw&mO|hGf}N3*qP&PSVqqjOoWt&0LbDFDsQ= z(jJ4RFJZAOD()|o`n28JK&@b@R2&|a@BKgo+VUMTIAiVUj|w3&D5ZTZZFGsOAzrr)u)+dX{Z{YaSRBB#%K(URkW}*J>2_;eC{3TlT9?EX5g6tlX+&|l zG%g58n>Ivcpp$8)jcqI~-S}H6+*(;hM-EvbuD*cSXa(Cct@#Cr2E~+Jfr~aJZD?zox6@%3Oe10QjOc-_z`bQ{6q2vO)w|Bt zeN((^k9axXYvJ5n3bY21>k29?@V)0ga}X_aUgom8>9oH*xOqN2H{Jiua7uAFT5Sq! z+5f#b+<#u)|B25J`@cJQHrfCEEGGTc_gmlnX=1uJdp|wU#+@JBe!khRPxo;4Seid67$>iU+Zv;{lb$^UN=4hKOK@#j6+JelkZpk22MelkBAyt1X z1|hqx27}OQGmhOvgBhpQs8kwMvr*~38H8Tp4397`*ALa}yD})96Me&@YD$vdT3b4r zXVcdOtr+d(bkSgjg4eH`$!r~ai3vr^Ui22MU(yC)f^aX*VoKEg4={_#3MP}?q}RNi zc4M5NtkRH6u-v{)uC$`vE1MiASqGC`A(q;VajIkoqL<}8PBJeKDZNDtoC4&*_SRL| z*q-eTl&{fNwv8R&-oz%Ln*F+MZ)y;0%=@Ocw}w`3YI{@7-gDbqXA4b}27Q|rnl0~h z8pqIPrZE_512fI7nnYJ^Nxl-}*{UJjMEu>pN%TuwW$x~|q5ZEYzrqCAV*eW)9#s6l z4j=r#?&jIV{&y-T{rvy?Y3tTMgP!h<0kD9n+5A_OxtRsf=<9aufAt7n%LHgNal>ms zH7(WJ0P|gIUf$f~wzn!20{xa3wz-x*44;S<)}{L1YTc-Od)51bzEjm=wU})-A5@Ds zZ=Gv+V@p?zs!-TABZVPjBG;lqa~6x)v#k>~U6kiz1+v$59a>48oo3*6-H29?>^>Pa zHq+`u63~$3G0s(jL4s7USOw>*HLpr+b5496;ns@AbV-&T8+-cOs&%a~X&S_oQhDDr zv@!z=jTO{-2`dTl#zkfI2yDH+q=7fY)U7RL^ka~xq!h@I)>=yiXEF^M_N;#~yH@)O zx}K$@y**>0lZa|e^RfnkmOE)bFsa|@=@3@CHw zTV(QBQc)T0n7(zDswLw_(ypvR^*!E#Br%oM%|wZBnwC7X-9+P&>pOfHRMY9W~hl1NHyZqmc5a$m*_eM9?iNv7e3$2<|})+9dmC5ncWPtvRXHr zY@=_c)yO4TazBBxrG_BrAWrE&N%)?myunCkHD*-t7qX5k&9hx={HW}P+lzz2rF0OYotNL(;l$++qwNRBC5!;bu7VV543(8+O zIhxB%y6erSBH?xz=bW6b1?Ii5=NnP$3k==FRnfwBvkf&LyMSMJtu#N|XlMAjm8fln zYo1xM*}83u;Kq*E_Qx}O|N2eWZH6c*U{|fx^^3xK=BN5LZn!s-jowS6lU(s+9s#`- zlcVp9X|Tzth4U77SzFUWnwS0NX_j@&Ia`hT<0%O)i(IpSZ-5_Ke9SdQxzy*h0GB+8 zc9qV6{_`aoJnMCyiCVSe2J~Oso_VpsD4>P9y?pJip>y@*TIe?DUZMk)5@N%(qYUk8 z^+TpMtn1$7*gP@qgRj=@JU86`n@e4z6`*DR|LpLfU-tic(SNxAc_+^%+kdqg7G+?Y zKO)tgzSP{IJh1gKi^u&wWUwwPe0jPTc;zrEW*rYfOP#mFcD<^O8yUlvniQ^15c!}VP>`#p5f>WhU+<_hw2+nBXoYNsAf z<4I++P|&cSPjut1NM%Q>Ni5V&xy`9eCmUPI?d@Y~9E)2HQP;|nR)RTG7dC!AFwNaE zO=+W1X&rg?@N`i~fMSf#Fe8f*Cb0h)`|B{J%{yg_<)$gR3XW^KyD1fFJut&U<+`TT z$#;vbPfrJ2Gu~8ByBC#nZZlh@U8k(xQxeVSBxWgDyN?$A zzyG`v|7CD+FnG}a@8a1(r#KUm3X=KC2^Pyvj7D=Bg+huaIJm?U!hL54y_-^w_&iBi znsLOZB#OZ21-mnevxDCK^zX0E9OvTVLTJ`bND>l< zBn~K1+Phd=hpIhT=anIKhz9;g|D*Q0QOWp*c}hIhiJ25n{T7`;k0Z>d&LbqiM|sCf zG*5({nwJ8&a6;efeisAhlE&c>i5)zh{EQQ4Mlvk4X92PVxMs@)>B0T+Jc^_*B%EjK zTC=58jgb2f5=9LC%F-xwB@jD1=p@eaM1YP1LRu;!Ny-*9BphLlb8W~I<4Q=%(bbd& zQxxD>s6b%+hl>si60rouA$9O_g-*LXTrqk*GB>rzd&PN0% z2`^f^RBvE9B*}y%iP&-`ltZDc%I4uuHby|1$FhAIqad2|jHCf!BA(scm&+7t4@#J_9{C&Uwt*j$9xkMmDkOVZk4dwyJ%0KBEi8@;JwoAG477oQ<;! z^cl%a-3TM`0*Oxwr%Sp2rFGc)j4n*~>L1>|b(Ni^$g}w*lvHq%uuucCCw|8ntphBFBw(|I#U##hcnS;Ag-s_-kVuqNaB_Q)05cuq z1dnLck)3K7Wh4IT{?u_|JG0%KjkeK&IoW}MXI}_;wVq#;hpT2^NXHDPLed+eSRX9! z%EdB>sF08P?hzg5IggDV5anQi;3Vt$f=>JkxuzkV3BD1|AZ78NY~&Z}$3-2SI7w2L zq!i4#c~MwybPF5I`xU1{M1y4=s9oVq zSjb5*PieMPjok*EG0Co2dU;v}w=0~gh4o-u8%~_ibCND-KsJ?2N2e#cg)k74^Zx) z>=vRw7)~Mit3eOhTL#6ACo?>0-y+=AetYAmjYsZko4)a5QZ9u#k^j|dXkuL@*xw)U)N^7s;q`&Xk-6pzJ_YQs9h!6k{qi<&7we^>rc2y4bv zB#%@rL}J01@-Rm%`%JR&(dkL9DX%x}nrpe-1ZYn+#@zhfDFctR5l&qtj768fY0$J- z6n)1mqe1DgL0Xo4%JxPPo9ylP2Y=h^zt|gmw}%tz8MV1bV{hOM4)+YPzKk>cF*nr* zgrhp7>ixwj&Zh5{3Ar!^c$(5U<#N(7mT}2-ciLXoa*BnOz=OMyL0&r9ED`vR^cI;985^c6Wgsfz|w`PAPWN$lW5M@QLa|dr`m(9mRdKISzqDa zW6fu^$i1P!{R(#(Yd$9BOaF6IiWr-avKUd$>Z|8QD-@N8+BG^wIhcf!BSMOw&&P1- z*PSi%pQc3sOhT`%`hV>1=mxn8Sy5vg+6MJi(056exeU(Hr*0)&k~NNhZiK!(=q_yH zz9f!TjnF_}VF;J1?L`gx^2;`As6x5ms-Hc}>4oJPAGz!!l zESwf!|JdCz$~GJ>00q5EWc1c;>2mj2Yul2#b&nM*lMb^a$|KLkAxR}EieEgxNep*B zg)qc4F3v!#)6sbYDaxC3_9~EHht03yB0gpFC`1wj8O=s_^EBU7j8pR0oWxnQ)RhBk z({b_WLadr%H=?NamyEXCOm6qgWNU=p;lSb+Np5RRo3vMRAyuyG-_L0jA`&lX%Ho;4 zXPQ#*a|Z=oItE~=GOX!rBuTdJYWg~he03P5tF5`w7>-3#c{_pUcMY^oBCp!7O$#lG ziyobN3!QlSrG3y?9!BX>wNz2FLKciuHp^`)7l@7iBtfPogl1fZX~)@gtzleRaX#c< z>nLBf!}yUb#UOs7-1JB1XiQU{8AA{d!~GVl?y84ss4P`w)qW6^Wl+N-6tmdVrOjbf zmFi2f9N2>cRl06?N@~3?uE=lTK>p>Ow(jxTe%H?ij`d$&bNJHz-=oJAEG>~M%p=$i zu~=@C=q$agQw$|PzDdNE3$>a(RR^GAU!O--u=n#PF$ypTTidem@q21qYLhN`lfpA# z%C7XXX)L8aIv1On_htm9KX!L?R1z3x54Fsn9S-QCZvJ$U<``P&BtxlMTQK5NEEHJj zVF>wS!SOJUH?z+CZ6^rTMK@I4%cpJrN|A`TIsk;*q$W8v`I*8D=?uDd5cJKbwW^&d zIK6`FR>T9nD0nCLC(sNeO=hrH8WHJ1F5m$Z9L$=Vt=z&7YN=;6^i8 zojDn5`pZt55$N`AxUR#@1(F4n&*;q2_7^MnKxM~DIjc`zk2%#B+) zqNyTQOseh&3>}2BWkQCcK^jjSgu-IFhWb*0E^fqvly^KRM-hYj6b?e@ z>EVInB=abe*G1bJ1!Rwx2+QVA^NM+ZdN7MVK8mjJl0QatT)-i4_82Z)WRIW9Q1hH* zQ2b>4hGnNI;Uvx;OL&yKQ2`K6Q@nH#q8X9FLsvtpV_!x~#5K^dYy`1!0lvQQvRfqR zweE)ajuVp6+(7q8#__M9Mvg__1O;&g(k-Hw;N>N#n|#btjA%S&=}dZ^%Ro%roFp0H zU(ohZ4BKQJ2ShbCB12~O5h$z=pVRu5x1)Lm(OM%cp26f_;3BhJT?0T-_;2){ZwmLc^IQ%uG8F>p6!0A6*J3FWUBy05W-QTI>BsiP4wR@_9^Nxy%46T;(xL&Ks zS(A>O^c`zDBwlxrf!GoPb`W3yfZl=g3ZvVcW^G@hf@~ooSj#BQ;JMlbNqdx;gPko^ z>z8EtGfom3gV?azQt$J)YqCwH1zeJ)JQS<*gcToY+ysP#UmoGCM79ipmV>&3Okj5q z%C$;SNaw@(kt}mm3S7c~1z>X_seV=smrDWNGZV}tv}?Cunjd{5yD-g}-`A2v>5 zW%HPENV%oU6$&Rw_o{LV-zNC4Imu(s6|?c_lW{7q6#vg?boh+KL7r*-`r5Gu9VSsR zV&C^wbYK!MhK|-GbsWFbqx17$-=4j43MF%)j}M2Ase4LPLYAnp{bdEZOn=QhzH^hW zU}G}1M=Id6`CO9a${sI`fYMz%)W?{4HnQt$z@M{YMjHpTmN?30{x)txmMK>;*qgWS zUZ4BfM=7TQ7IPMno8)!q_wP2dLw~SAZikM^9a^(_-8jnw%+1MINTe}K1F>>4o}U`X zpm@E^QG$o%|9*` z?HEG4+`%Kw>K{ZCrLfw~p~0P;@5sl5r5Q4sdHHDfay}wK7C~hlYTqj^I_R4g1vMa# zp+7l`1$ZyrPri_OzCnlAt`KmTlf!4o^Fk7^ko257L<}}U#K1(vU^|Ey+yWv7^@z~% zM}N_QG?aTELj%9>_Z{cAw=sId7GyReDH}>QG^R1- zQxX>UU?()2&PNaxR1mTX-nzpxoXxq%#$Glho(js`dy29tx&gQ9TDhy?qOgYp8sZT*G zf-98*42~jsS84=^W}HN0vBkn^sI-h6Wv}1<SU`Y7id=r5J1CdiAF4&%1Zk%yaSDUqaiV~GGZ8zYi~!D_5e6fQF#kAqQiGKF-aHpMDB&P z=KTZ^3v2%q2wGl5w`HmFcZ`xL9+8X&z)+y>PT7o2NKC}cU*V-?cGWR(jd;3(#Eu1_ zh9p(DT_JK#5i$pugyv)ATdrU%R?~c_pC9uYln<*(Y+Q}nj3Mv6!TbsQH(-* zUfaB84o&im0GqFZ+eU_3Pf{`_sTNbevGJIK0TPOZESQU34$RtW-dXH_SR8zq(TSYm zy`B80H|N9)FekjHxI}%5Cvx)i7&3+y2ZC6B;bc6IP(dVJO8a3V51BJlM5*I>ZVE|oJn0l z;A6PAcXf5;V}R0U>0~dGrTE@YC&#bfoWJ(=#j^cN91+fo1#-01F{vSNG`>PYdQ4Ix zr8$#APp7e$Sfd)ag5xfb98dA&W_%^J9&MM-kzc3w{KpZygPaO<{Z8K0Uf>hZ}j8In^#W}q0*@LF@byf zEJbt%%en8ItDqaY^W2gTW?34b2*;B-o)9!)3nC8;5|Yj+mkT70Lnop$s_*?*hU0%l z86WJYoc|$ZvyaQYVu{&CA8q+x4h~BBUk1;g_xB(2KitJ*>tha1lH$+4-}hfUcP!(f zq1u77Ov+{?o07RuQ`pC)kOl#pjc7~?U$-PLM7T4<6mEWyln)(k_c@YO=pZytqasOz zq4z5~RhAA(rpjDpM9X*b><@kah2Q^bx$^Fwdj2=;OIzrph5ru^p1mmZ|BL7S2mZf{ zN9D|T#ROjt5nlwpdgVtfz>(v?Ipxr?)2RG4$4j5Gy+3hq$yuEJsVK)m&1ZQC?I0a7 zgBu6g8J?gkFmL67(#`u=g-C)!20R%e*M-wgAm%;fxVf1pC9TVEGwzQ0$&zB8S9wt(#b@|`k*pQ?^A?j zOJ)wo;y?ju7;_`KJ^}y~>f_>Ei80|2Sgu6`G6NS4(Wh(2;hE@ovV^}x%gQg}7uc@L z&Jdd6kLUArLWXGn`8UP8U*bGji2R~)Se#@XOFB9^6-2?(Y>2+=f447it3Lqp5h5QU zRbq574!_5dPQ$1z)~}&&wsu|1Ap+H zvE9s1?Tz4EUcll^;EAMYL9vx9vxwgHM!HVyfT#4zU~c>Uz5cVk{{9}FB`I4#W*aUx zB-xaBx=)-?kH%infF~f`+fne*cml=Y?ytwj9*%WY0HO@p5Gfaq8k`~NA0UGW=~q+6 zb1K?_(;CU_eh5-Stj`XdGr+m0#BLrTj&d;O0J&a%m*ZKLe+QIu3aQ{6$vUsWK|y?k zeQ}b482@y7o&_SRqsvFM;m-gG9h%Ikv}I;LsQX7!hLvf@D5K?*8-s z%+24;$PAVzchK+uOx;3UHP!C-Ypd_~pM9t6S73A1?1=d#sV7Nsh7&I(LPX`g%CWy4 zk6p(B5<5yKFy4qwyofAFG(;|q$IKP7ie|?wSBwQ+I6FFJS2V-=DFd9jw6eog1m9}NET=!&OQ%Vt1fKF4%`8%m{P1w+p%>I!YjG zUiuWx2$pV`Q6wb|$x<3{T}yh0xX^`*cENA>qqLc8#}NcJaAh6!wF8KhkNN;Z9o-I5 zN&+U2PSSZq_|v>U!A+5nVZ|qs1wLrE#V94Jykavt+}nc@2_ZcEuK(S^UP=N&7o?bt z9oP$hT-Hy)jvA>JKvH&mfP{#KRQDi(3=KZWMl5+RzRHY4rPuOP0pH*Hf9ne>l?TE3 zEo5*XErMEFJ{mb41F^w%I?+H%bOvszX$qY*r(A@&Xk%*b?-k{ia3BH6)l7TP+617E zt@XfQa_r>}N(|9E!n2=g{0e8-LIe4jq(g*9f=+hje1C}9hY)AD_h1NUdg}N81!a6t zxdHtw+1M1&vj2avU$+14_Xqul{I7TNeEPKa#90;ivL^Sw(mSOWl~;U(y}K`M$KX>? z7b_Ee7JJ}0K!*qLlg?y>I^=pTGLoQ6Z=Ag+PWL#O&aXta4dpY@gBSuwBNE^_SN<`^ zp09|qECYpsjbEStQ;v2=a`X4<&ABKG4t@yZ<=~(VQ`vfb6GfGJk z;ea6bTNk+>-1QkqC0mvupPK-bpCyF)$P|FK{Tl7z__D*wXB}?%C)KELP>CAfQEt`~ z-*A%nwt*zK-b%D#tUO4s7J{lXswF=C zdbqXUv<qd2m zQ@2wC4ZMA>{psW`4K{9#Tnl9yF;Usgm8EfG0dsUKFx57eZlTqD=NAq(e3J@ga5OJZ z%Zt_zz6PGE71Wg)_LQ%*LS42@$O(sdpERDhNcusV4%MPymPGoCuj8>9?P%k zres1s{y^gpxr^WW-rxTC_V?fY(hs-2p~8RK9^-oHL8}9-rXDrNNyo5I?%LoTot~(& z-2VsW$W_@LX*}^Szmw8_;P%iiC$j}fkJ&5{+L$X%#eefZx`sHhFzokwIe|$CU}0_O z!2lE}2o|HY0UePH4{W+#(WzBB@42Qj`IwOyx~{FICb4ls=~z!1Bn*KJ?<=N{@^dI+ z_3@X1=DK_4_;aI-$z{J&o8KQG&Vp7ozS*njTg zQLA>$veim!?N!CRM9Xc(dc`)sr-&TYS4`nmm&IG-<8@owDnT$q_#C>q=(P)ccu4^%^N@0nEy8ZHxln}ECAZJ?l_;CD$1(^MnM-H7=q7=GGNy z(?hKR4DEs?KN}8NT>(HyTcPBcrI7+`XzYsG?Q=yZhq7HQ0#v&O1&C+W+^%Z;yYjZZ zI?uUlKxKztMM$MNL)6x^Z#xeZ1-nfCcXqo*N16y~yR1Zc$y=$q>8;&!?qg(_>}q+l z&a&sPK$PiGQ4}lrS*#Cjr60pjqbOxLZ)~F%?fhX(c;ODRS^I_&(01K1=C|b1v%c}I z)UsuH>jr92^xwjDbtBl2?cl6lxjGe(hg?tjO1(6MWa0dRuCLu{jVm(prF)qd(J={@ zK}76gqW=`f6M`OHlI2slU_XZ=ENg&A>4cZ#Hb4)bK0!rveJ$X6r0tQ_PD+EU!(_a$ zOOSZcNMeKiYHO7))J5wvd#l>IqTm@{g{~SE; zA5{GR1`qfD?&PU#X5@6M8y!UuF7@Fkp(pCtNNCty&y_0eoHrcmH8$FO3fSI>J{4I&Q(bxE zt5-7kfBICU>8n2u6hoF~Lp4G5Hp8NoCZl21fTFwGj>T?cvt%P+72{-!X|l$AXt++a zGDx}m@=3acp?c@f+@-CoY9T9k!!LH(UfTiD|LbLhdGt#PWzjP{6=q37gpV;r4Y*#W5sA*{w zC#B-Wea2F|b%kr;vaT7ffW(x-l~9z%JzV?AxzG}2mHKLnSb2+3JfDq7YBd3(tRHYFhlY7r_eV%{0?yQD-UgFXg1rrvD}3=*D3n+Rp!kAwv`*_4wS1G=j9gqZM7wy~!CGgK z4mUrSzpJN>|Fy1qi~GO*{1QqoQiDSjIUy7&8zC=TJ*DSecAzA6d9C)xYUfST5Y|q z%rG$3POTs@)*j|jK*O|dOTM~sv2ze=DAX>`w?%ix(S}z&ut>B*TWb->7270b84Fl6 zMDLFEk&L_nerg`#aO+5Z9d8W9c$wa`l)=f=#^p;3sfXv*o{sCkxmDagX@DvtdG87^EVWXCE>#<0?mL=_OF{rnYRc?RF3uNv%kZh^*LZhSpXy zcST9`xwu9Bc06{?8}x-Mg4s(oR9j1Dl?q0mkPk;+%T-|u$`gCP4JH4gPrdwylooUn zvy^P1k5>Edplttr{-Xb2|GATA2c6Zel|;-C;!LULGN)2c|1;Dz2=Uu67@Jf4GG?p zeYEkv_+8@v{{Dmi&%^WZJUkE2tv>%Z00960=ze7h H0Gbp4*c>!n literal 0 HcmV?d00001 diff --git a/assets/bitnami/wordpress-15.2.15.tgz b/assets/bitnami/wordpress-15.2.15.tgz new file mode 100644 index 0000000000000000000000000000000000000000..158989a07033ec76b2d1cfdadc0683b51fe073ac GIT binary patch literal 129750 zcmV)HK)t^oiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMa0cH20TFgkzhDX>cKwcQ&^vK>1;`nKn;W4k*(6FWM#lHR#9 zb7F{uB#bG7O@MaPN$#_M2R{jrAVt}V)4gk+nT|yQg+ifFs45f+cO;9_3{l!Yp2Ljw zmT(dOX~WN8Fc=)Zcp?5B3{k^@tKY_uf5%E1a zWib2G;K6N`JNE~9V3H69872uGb^r(=gE5))LdaN*dYJS>lrcQTC>nwkW-LLOw^)Q} z8pCCfzy%tDUq}{>I9GYg-sBS$+@g$Pk_^GtUw+)}?fy9!YsyVrqfYJMK}c6+;>2&E{AP!eK9hn)a~B#AH+1r}%#!f=kF9!lUO zMo|X<*`E2*0U$#up_qvlr#ME#e!tfb`K+ORyWDNj?#JH8QcEzyFq%}`k?&WvVoI4d zc6U`H5>7}K3zDn=V+t`i6Qdr031$gg;J|z`4eSZ{5u#y+Q`reKx&Twa=7^6<9Boms zAe4cWq`!meu`J@+;MPCs^lZ#~t^%oE)=0m}SIOGJ; zFlg_tN3vO;vSp0=cmZdK_Thx&tZ!%*#AHU;GDU&tr3<@G-%;mxMoSh4;O4hMUc^?z{qwEjQF zQ(hIDmpwgorJ(4k*=>sfcm3P%?G`Y-OWb-8cXxaHy@Te}Zas*5y}jO`6X6-6YzXKa z?j0Nsr+?nt-8(pd`}^o%FgQF6UxeY_?%rfF{o%!Avj4;W?!olWFZX|lcB9Gk@DLrm z*!?q_?CwnvL}(KJxidov${^!PQ+IE$w-@a02D^vj!QOE2VmNrw+uPsW-`(ARx%>Zh zzpb40&}0nj-AclTc$yd0G0|BIJT`v0Rm&z^z*qDUx5;Ag2;r7(jF#85^% z&z|X*CnUT<84x;6sl-Sq=+8ky7y@h#8DMiv!5xlcKyFc%;Rp#ev0V8%z)2YA5mypz zIrN;Xi&H$yGZb-kE~m1-Qu_p>@`jJ|EaOTgyoEUC`m`=lgX~bgxkNKeS+;yGe~$7v zzCvM!7!|52Wh8?$bR0vPL2&nih=`)i&3f{$GUh}1 znp+QxrLOo_w3MGO-~x#P8nj&#{QaLD;1F6g*s+=MSjcvl)$Fn0Mx?Uvz+25_f6XT- zOAtd;OL$((Dk|D3fN=7f%2zDooXChUbTN$MWx>C4sp*OF=uPuD=6?Z(7TkzIU|Vpz zR=)+eD#KN@A!uzkR>DIA^x(ojwZ?-tQ-)P)N&Qj`>uK$r42% zLrU}KVC{NC@aanhC0QTSQfm^l8EyOuxC_5pX!uBX1%MU<)5uog%LtT^WwJ^3I zqK_GoC~Ehs~W+524}Qyaiaj# zGs3^rf^Rv|HMHLAsiQwtYB4yg6zA`@@nVrP!DAdj05cAT4-{XTqn!#MsWw+&sn=>S z?%-1E)e!c2y`EASw7!68LF?xLPXR^jxkr0oa8^Me&Et4PVjNcc&p&}weDhY*>#w(- zTzzS^!)TJvz*UMuJY8~J#AZ5OiETu)lnkcbIN%c zL}-Fx!p(?m&;dZ(D|(gI7{Ow#m1L2hPtX+Ru@q@rNAVq8(k+gCG4z;%Exv$Iw)GsK zn2Iil;%Czf!Z?9Y!nPzhhud$AFcxlL64HK7Q5MW{92p)v0dbp@!?p&Bo{Ek3~{SWv!+-@Qy8LNyN)qP zZ)o2rr$I`hz(}7y?}_YOkY@N6G8E`>?@RcoH&cQ>y^kK1R#Yf!%@K^q*8^QzywSqE zM${dvu82jqq}CUuC}IpJGYTe3B;gVk+;Y2q5{rf0rQp4tgwHJafeqhQ z08Qz46lFpSDlpE~D_*5iZYVzcAdMiU{6`5ANY(pJX)ZyK!6YIJusaCCIm}?lbrBe+ zbC~1{l;IFismS3e7k64NR2nSlXy_xRoZ@n@0p|g!p2*kQI8emoZwiFN3`Hp6>Z=%# zi?`#`Avos~K@|r#XbG+j3W4t2by576IZ6O#TU5$oK2@$OIA0h1!o>%kB_uXd%~6^1b7hrs;lgZl>h z!N$-BRhJ$D{g)5stC-9LO#Vj|i2ghToNKqJDE4nYKw~~PMj4vok3jvSOlEHP6&Od5 zK|X&0Gn2^&V+iij559J;!Z}(Xp#ITTIRV<$Wi|Eg@{J2$R+56j3;PDAX9;Coo8y0j zJNz5WxR@62Ifo3uI72X6YTlG$)&znAOc1Lm;`!u1R7J9R0S!t?DowaZhT1LeXMrYj-p7}FM6+y5v2?Zfd%f; zK(1W9be@Vm!H!;%o;_;v2C!G63RX-;KvUX|Aw}ngRR}YAI`US z{!gXg0xd|k{1D>>=BmZk-ofGd77ztHjcxjchPz;mg<&Im%ej3?@(hGIWn|&$F4%_A zElffbfhmG4&xBd7m}*>gS?P7&m9NcfAlNQkT5L{~9yM7?8*C0UX0@sOSKPc$xPp_X zDap8ca>wQGwT~x$WLb``9pX78saZ%2`c7fByo{A5#FrQ`liXEC7{3poth1Pu))EJu z)eA~fH&$^BI)>pKX?5wBeJ~~r#z4MJ<9vn_y;CjA1F-{Ql%G2Jqg({%ddEaCBL7o( zHMKDMHAfjn6i6nm2rb=Ib}JN<>flQ38zjO=^nez=j8wf~M2k_;Js2{fn)bjkOoXW- z)M|_(04cbJaeU2@yiQ1hu6sqN&!*ZUfN}g>GOTGrNZJe;X{#DUg}XsF8$B0TU;~Y} z^Bg3^0ISq+6((6~DC${sfGMX>d+EUCebnP)-N3*d57e3oc2q4Xf1JZ~?FrTjx%%1V z!Fu)7YU)7QgD9{Z5z5XI%&tUS2nELycfK$LIKiwJNhL|fjcm|3DEeLq%qhthkV%il zb&t-kpYwlyRlLmQl%?G&j6`AdF^qGHZ&ADi=pzbq4lR;0pA&PJ8<2!BK6Fg+lR(j4 zJG}%M%B4^`)q+JHGfXi&O%P>Qy$qXk5yiH2)UvVkl*Drg$p72F`8AG|Yug=FKAZ(xr z#rPIwOSASEg?BSErvHpCnC_(oUCn3y@in1LVk8$KFej9i%8W?nmf@4HREAqCvW#Vd zJ3zFFZ3;QowOukJjD#eXB~$f_lT{-urBtgc(gn(RN#O_)~=6Hgc*0hD9gfqk!e6fYW=D4IJRQLzWVxdz9y^4oM-fX&t=u~ats8@QW59ctMakVh1 z_L!?&*Ogvha~`-BEnYtdm`Qy}VGgeQBxSyZ!x*Ky8KGWWuV_XX8|_;$VpA9>^;D=* zOp@dE_(;?^KChj8g;FKh#3)RPc3G}yx7zLH5~A4R6B?IN8w*I6=+_))$oN7%B>Pbg zN+I`)?s&FfxfX18d$oyPOi5j2TNxX|BFrgoS@l_Z(RcLjDNG{a6SgK}Hls~Vi0`f7 zi_J3^xbQTbCb#clrfm*ELFs|;o5saPu&Z)-bt=07rAq0jubDTyPLaRY_s6S?e> zY$**D{zk+tT>J5ma4&FrMlO-8>!Iw~2q+qWOqJs7z>RI3_AueXJPKhJfs>1?9(ZR- zfGkf0OOk|3T?>$y+y*_T!$Q+FI1Wu9K@mqVCuXnGqU5lEXX-dzTd{XlZ1UF!31vvc z(I1mMVc;TPOi;!rV*x}Ju!22onGd61xNd(AlO-6vKi;N0YEN7&2EvWuwD1?O%Mq~O z4aF;sPo74Qp(~a_hGxqia~aC&5miM5h3f%iL~NAguS=Ua;=MyIwW@#x{CJgTGc*Ky2mfBYdzYB7Lj9#vZp+_N zxg9r@iH36&0h%~h)`P+?Bi-n1rIU;vAVlaAAVY5ig( zB{7*TuhI;`=$IsY7;(ZV7^^QpeggKlDdDDI1R$k&CKr7wOTjQBlq%nriqwJ&lFYyq z;+SJ8=RfU%Q!XRL-aMoL+5v6ga(%YsOv3*Y=pF?UBfe;9y!+3p?}91G0>xpST56Ou zi!{R|!)z%68O5mTMW5?AX5rVxKq#UzrO}mB6oH8yy~106UM`#<6zM8DhGBxHBtvtU zL~9Yr5deZlx~(A15L$?U3&AOsewDa|i}j-zLy9Q)y9mknr`r!v0zg@WS8RhHMcFM5 z5e?K*fs+|u(uEHQBN{Lw!Y&XC0}h@Bd}$JY2C5~2yoH>gd7oxgMYnCE9jdtDN<$??D2`AlY=bDWn^5oV zn7xWUkdnw2@ETOf3gALTMcZgM6MtmLmG#y6FtUP;WE_bOuo$NoKvON9nKB)9=MXRcS0*IEKz4FaA@}2 z+4`r5(Q|1~673{XA=0OE(#Rj)dD(u1$Ss#~=&rBin-pOx?6@!6kP=uoU(z8`64gap ze^u11!{Qph`j~D0aVjHiMMxh5Bd#QJF1C;C!p5lc!!BGi9|6RuD3-x`|$CQ$$rhRqw@cc*)$)ltxfVIK)> zP#dH}YZYMQbg1-m2snO1`6m%75Blbj<^OfC;x9@lIl<-C@6s6ap)0N2hYpa^ETqAp z<96$@xj{>bj1ULHdC3S^Ko-uMQPB(h~6bnC*HBLUetBo|Yg0sb}p#rql`R&F^crX$poor!j{e3?)YKDd{!%PfA(Oh2| zW2QyTEFSHYZkcmM!b^jwTK7f#S*xYcqEAQ`X)dC;)lsFs<62TLdlI(TvM?`IgMv6U z-frpzrm^nHz&Qm~yh9OCFYgaEO!E>*{$>Tdjse6cw(OZ;4q%8ZEh35D5FG68on!GP zO!Fbw9}Gmiu2Hk3w(abQSQ<6$@!_$Mc|9JFtc{D(wzH=$Emgj%*6z5~IR3om5d1Ls zVW57{A^73Ni~X{Fb?nq!%fb@c4d8*F$K76hf?{$lT zX)sWY1+uaJGYg1mUX8D=J>nnACzPF!z}dAcDJt{^rzKdtYd<4a+ZNZ6F^o@843}3Z zBuPZUnS2K#{*p^R@s?BDsap#(MHv=CR@57bU-tmRg(}IJhBKBw?*T|{kBsLTqH_{Q z;3xS4F!QE8Fq(@nlmgh5e6a#p$9dtKQEH^*97rLX4?+JfmGPZ@6@)6Hr?i802(~_b z0=@S#(@gnj(U&hvI%+!%_OfrB4CQ|7O7|IqnfnxV1CNK&nFosEp zG8tv3j?6FMQtYqD?UgyaMH*s^Z{*QqT~9`@p<9$Nsg&*y_PCavl7u4K14m&TYQX#d5_AO5_*!<)WSVf&Z?Op`6v(=e4SFaGA>Un3X^=dgOGmCyeUej?c&%pw#8 zBB)XqFi|-IIrUcVpIG4J`Bl$c9)jIHu7EpJl8fvP0Pg%6f&;Ghl%~oM9CGES#PjYp zypecb>E(W1Ext<7s`9H;U_AlmR<4J-QiQby)Ix~01=UiFwFTEwkX68S+&628vY5

^MSS^M5}5H5sm;NjV~p7UhS(bct29 zr-$CtNB-%rvQ+<8{jP0lj;i)=--D=;><=d!YOi$wlZ*#X2C)P<707y2o=`h zR3_9>rUu)FpXQWP4xZp)`AnGGxV?0<Qae;iAWXT6Kp+f*XX(cF^I%Iw`$$Cw>Wc5-4Dr9HnLZy8Z5%xsTx2MWVNyg8QD^`p zj9k(Q*pbmelLX(&JV&!Q<@-;88n3k_-L!9GiUzsLpRKY>OW%OOQ55NzNV+xNQQhmq ztrw~bG1I;bdRQ0+o7#2QKcrc7J(|Ifzmz1c9Jqf6`;1Dp zX3xP{q;mTh`8u=UQ2D_19kGq?2NH&gql?m;m|)==18yKGVi8L(84+eytlby9j~UK# zevF8k1;f)4=C6=gdM{UrqJYw4eL(XU;ED7nIym&y`SfX^V-wxoi8@li7uDoD3E?mB zXO0=N1^Z?q{fO)cqQ^%%bdc~FfjPqgN<%Wwgg=Y&5mDT^hz}U+XcslFIUflph#ln& zpGwfjqVeM+NkrY@31WeXKp=4pLRiKksvqFQho4_vNIEHTNJn`ZZd}Ld2AvM|?*N7R zZ+&1aBmZc1Pmm=rMFJo7vA_iUUWgxoJdlW^#-SEXSwc5t;f)Y(2ty{q%t{I%%;JE> zGlX+?Snrc8baZ}pDU0w!UkSs~r|M7{7lQ9m9TnU>7^)hk;kU2WvlKILp(&<}D#iL3 z#t9fYOUSH%*D^?MJO;kD_>>|!8kY9+ri7}l5ds)RgwsgQ_h&LUVk?Fw%@v>wlM1nG zbs5X3$W_>f+$^E;Po*y?n`Mc<3K0$jO-2ICdyt_{?x#qu=Os-Hfo;yx<9 z+S}Y}#~~gAOqyqm8tUg&uY-jqUrv>8!h4Jvm0ky)F>1QLbS#e`glZLwA{(mShNMUc z`5JB}egVK_1I7Ap9ZUU6#(#f<^He+gs*Z8GbfREK;%N*F@C(pRGj7c!q3}`FZrZ#T z=OS`@l_~=VC9Izo;OeH(sTIwFd$^$Q)x62~S{%?lHR}8B4=_%s+F?09d{82Jsw*{F zaas#clPe9E@Cbzy7^jpC>@botqF)9HlR;d?2Ybhcp>RePAwuF%2^FBP%$z0;6y zv|J+N{gx;WMG$N?)2`=Q?Bj)$msC#CXb7I05~NdTG$$_u34)XXoFZ_YGr>4uk`y68 zu|7;s;SB=U2#K%*2ZI1~w)=XI6V#`?!w98Ub!lkctG2ol?1rh|R;GL1I*tQA1>iNl zDblS#fS6183p(@ z)d2|vINH2kMT}g?(678l|0u&hR3cL-+Y9ef?Fgj04tv`h^3hz4m12J&wejs~h}8%8 z2HUNk5NcRg8DUqUqBaW87p&{((!!u>ed`Cw7?*`AF5MOH7%6@)Pj4a&1x}HRf760} zzYr|mIMW?~e(e0kQrx^x?OJzRD;p!#wX73I5mkA?F&Pb|?ylH^U7PXB{6A~{zwXFY zfl{OsoFE~!^=YFe{=>_i?aiwH@Amf2{>!!h??XJ+S-Ff>ZXWMs{45oJS8Oi~D{Y|Q z6z&k^A}CrIB1%hVeVE034re&#XNv*M;$P(@+yNlhFdV_0O)-i8TgLkN@JfUiy4f0h zh|}o6#9%N(3`USaehw>Cq-}Z*Z+N%FNQKfh0gAYLbC*=NgGJFPA~7pemfCJj2cc7i ziZm*Ym=v)K+m}H|6&+LP7prgBm38Yls ztrziEQD11D`<6w=u}1OYwNVP zrx~roH4?2PXp2BmBFZY~q`Mi{lDfBcRFvl) z&3W3;%p*nY7LyNgI`OWuBHr(Wz*^Jy*3Tf2+rA;HN#7+?vvU^D-T9*7Jh-`E|9uUYL|`lBDVXAQy$6A zadd&goWyK?uC@hfNn&9s_Kdk(s8IFY+e%IyefA#T9J>}y1W5VUb(}^j#&55E+Hp`k%$sG=GHX8p-6>kWepitq9i-u8;A&-UZV~B zQ^mlvyqIWf%@z1Kn#Jk4ww>}=A~q%uu9(9%maLK|9)o5a4lUbQYgdL@M#~NOq*$yg z-gvw4@vmlkrWpzk24>1K!)Di*gvMoV;oKw|p_SD8wUqnaiPMWb9s1s-_n>G=p>Iqi zVC4)dGtM~fS2n8QCJw+*L6OAdS-qr3}1ME{|Tb> z1wij40N6QA-!8o+E4C|Lt_sR%oB76SEgkvvhAC&E$V@}!s*!+)8!yj8> zKqG3r%LryT#K{4;JU%bpqx9yWg&!E)z2a-3S~-6A_Trb%lorA;Q^Pes+&#x}u{e1fN>W8z} zr*#qxH4PFxiPH@jCV>c7(zyOyjU1hvysrcq=`madHabhmlV^&+&ktVhZEjg`ZO@uY z^;+#syLPoN6=y);a0mpJQy{1~27=N#(9E1$^PCd3XjC|RiA>@PFYu91%pTF3&~Ej^ zE7~DBja94ZCZTp_sYNyn{4UC&Raw0_L6j+D73b1d}+O6fUSnr;3k!pu~Buc_@0cbxzPY{@C1NkcmP)$meXKJK6fZb_-Ku6scs4 zKC#~@k&$=?$^4`Y2Wb;Tl?cj+kq&>`7Kq&l5F~gKB|==@*xOD@6u$hQZ6>Y3taHTHeQpqG~u~l~TbADGa8R@gmz7q_k?c`CFg zmmB#;4Tc6)9IpBUa7&*S*fx>Q?x2TR#0iNz8p?s7@>m$#LA;09B> zde0LlbM3=gi`i;Mek2q)@c6LOUoK?A$%*^tvg(31htA)uHmsSELp76er%Mi(0p6tlPzM%vhsv``|>1WZ`fqoE4S^5 zf+2V}!gioNH^}Do(V$XaV!{fjR(xh(C?8X$y5ElJV$C$W8J~J1JdKrDm%{koqnEO{taHL_* zrojxcDUP~CY?3|KeKINs^@R~Ns4wnKB~n}REAHn)>bn*@kD9tj7jclphLP4{bv2;1 ziokE6qGdY#%vvU=a=?zRB%dN;()L~%F-bmFq$T-O<1O`v(OFz-w(ZDBj7iMq#|fmg zdSa}7>R>8T2UnBA7sE5f5xP*8CuLRht*Hg9T$*qVu*Og%bw_( z;JRY_?b@Dpwg0r8LgqcpKwIqpw>S5c`3iW!M-;si}lRGvw`1MhX*4TeERgfBZlG=z!bj|>BXF&hnljQ(}5 zp_~?lOmHHKpa>-wV0Tj}gq(o1Rs zj;k-u&rZr0Bu|g%FBGXAndAvN08iiZw@2yxsW2gZ9jEz6|Mxu0WK>3&l-_vGqGKvO zOnl$<`RzT%?1wl(GHjtb&3(HY zgxA}^65D`(6sqn5b&l`YKztiO11LZ9x0Gb!yyv=iJI|BkLb`kKvi7?JBlnG>uaVhC zE6+VKJ-&4weVI97%@jd#?==ey<@Ou(2w@%%>Sj<^gi@IJ1<|_@t?N#cGmp=L7s=<|82ZS zZv$J7Z9p-guYWTzcL16vst-AvqLisL`%4)Ks{yOnXGvR{PG_|buc&E%(}+pq1);K; zux|nT9vC}XcXT$%qu~_Iv`J&B_A>04%o4U<4A}nB6Ox4o;MLydc0V+LG>Qa;8D-s? zswl8o$D(#fYgw^nTqjw-{9WoJwOM?YN+jcUsZQGdGn%JJ$o_J#0 zHv9DR;(X`VSG9k1byZjIuG+iy>T6y1TCPV)Rt1QyCS}>XlP)r?OA{mbrCeUu9GCn@ zMpK$w<>p#Q7thS@df0%X4vbtZP5@`I5SDxRfwA$fg% zyg$FObX2NiRNMjhc=&bxiJog&RYyO?`Sb#LetGtIZhwsYZVB)adivUN zqR^o{%eia01mrMrUA@-lZ0Om36hL|V*q{>fo9IdG-2$hdgZoO^aNgo!PlBNOvtlbC z>yf-%c7FRpeR1V$z6F+30&cFZ>sNr63sT#6#uRYXnROT{doaAvBm@X0nYO{dz%<=& z;UK0{Hhp_}04&tC%U{@#UDuhEdb2LC)lFo{sRGaYn%N&nAMDqF`_HbpQ>Op?T!oGA zz>A}0UBC#$SQcag-SiruMddn?sfh zZ)ZSAI6V3O12{PLY__fdmY;P2AH<1mfFbd95J5QLKpr-HDs?@OdgmjQeMtcb9k;Gh29R2gyOuEh)ACku5FzgMHiSYm|H(a@XB5V0Zc zVh&@7{HPf5C~$>;%N2o?Pxu{LSWCplIyX;}zT3QIT^0VN8CjJl|Qx7n6NRPsb%qw3Q#0v--*E^_CX)vNhDB00BkicozkiD7tFfa?Kd>`pHuU zR@5F&4(cZG`0V$dNwX|QQeIbbeovIaJcXj71IZ0mIMkb|5)xSf;m$}Uy>sDny%RuP8;x5Y{3y4lE7|pv9a_c7{=!1ml`X$Ks z0_h6#_`-uUBQBZbu0et>7C1Y^mUXr(^2h@@Y^Z9Fyof5Y$sK-MIQ3f?0g|p9Gfg`P zM-a8P`e4nK(mS<@xAC^!P^KZ~PiG_GZpCt@d9p-TqH6Lw9MgZA#VKff{sXlB@wX&> zA?8BA0Yoj-sX8{(&7Wc2=gL9KLAHolu@E&%%KQ#-S6SCn>kZEEVe*GM3t7E;==BrUFw$&Zbkc=u%6@d>I=m-J)kdDIJ0 zy|YIEp+#V0jl#QfZA=*j*w zRR9E9)0RzKyvZBQalGC!ZYa7@V&dvI>63KC!8y~&I;EMA$(ydqZ7j~1F3$(h9vQA%{_L+xl^ zh8cL?IMrRhaka0D>z_Hfdb$b)xx6X`30--{kx?G;98EF0EYQZR5!;K28FKeWRQjM; z^*^cD(muYVz{K1Vr0F+jopI;E8%kZLHGcl|n7yS9e>|sX54GNhFLlFBBw(#aY;cNG zix6z8BECvrs-?y7fvDr=4lUE@a55xw{3;WdjIR)b%$YI@VoSMWS zy7FES_1i<^S=BtO@B-65e%t;! zMn`c!Wwy_rW`Q8140YrwzhrwXr)8%1$l7!D6+hQpZ1o4Dc+!`%n}-{^ZnwLVprBIg;}(-+)(=wSY!q_;1xFJU`>W*j>tV&CzYX9GfhhaLXFERv2bJNIKKE031I|DUD$L*-F0 zBaxQm>Ew#6gVn>7Q9?T}F@^Lk#0f*kLap1KoXSL=_t*W_Y`J570C4lL&0bYgF%lik z1ebB9v}KP;hP^zOm)rft*~e6K?4nJA@9wNC60XY@UxjkRJ-pguiLwHo3cNuYS1;7q z`S~lSBC1n-Pz?bnJ!9ri(z;&-3#6B64eKkOE1*LIky`41bNDq#oQ=3~(YlDTL(wOw zt(ZGS!bTRHNGZX1qu7wkQ%SHv`8A1H@q@YP;0yBpSvqC{=!y#e^<&B&A2W$r3|BA795< z#KmI2DKV8LmQ-M%zmI#s`}g!x4$+RjkG8Z18cbXsLCW$5YbM(#nJmg)NUI#WRj1K~ zraB%%hqC@Yvz_YYm?svN<%yP1!MEkhJZ+L|g7(?*yG?nNE*3O6T(T}cRuii+D^AC&tG zM0R%M++i>~g@`f8cLprX_Q`y^F3xxF=PQdZmO|V(R$tGJ)=~7Y|HWPed@~5e)8~M_ zkX6{$A5fA8o;HGX?8xP33i3|8Vl*EZsJty^dIzTFwq3CQyxr~yboIy5-bEx-jw6i> z`;Jw&_HM81%ssIYH>X@>nr{p*J2uUb063x+_2&y_M+IBU={X~k)?brtelLVF1v}W~ z33=nKQ>f_2VWxtI3bDQ5Bacx|ub{~wrE!1R@XPJQ%in`& zufqp!TBqrD7jE}%CkQgyg%AuVV#E-cEb_lMN9qsQc{lN+0Ufem8qw_yAo zpiq&|Ye{5ZkSwR`2@;850h8R_UEoTBK}rRPuS8tCi&RRsGiPAJ%m^t%Ay1pV(( z20i7k<_c5PxY~{g2Prt~P}TNG>&VTWps%@)U0}KAQPLtjO1Zm=nSVs?wgX$2|7adw z_F{oA4hL>t_K2>Z%#dwGn~*nybBpOf1;xW?(bojHCteJ8lg0UM(w}Ek$uq)NVp6=D^H9+ zt;c(;0DK>p?-8OI?g!U#wzp?$MhV5!)g_tuHi8sJ?uL+gb)^3G7|&o|*4=jk+_DaP zxtQ-5oDzkmTcBBf8Ilt0#kr)SBG77)RT)CBkSM59(8in+;=XyR!`iuur_lO}DAL5{ z7LFjHM95Ddf1zPj!WNLd>z;k^s#b?c)EfxS3~<}+usuktf7YOwF{As;487+v2z73t zx6+;7V|_=zQW#N1e^Z+rIlUg%{nL0e|0U@6X~eDQUz%niUcpX~jbgMEYvgi9{r!L#d!aB_Ipe`feyO5C879J1?orD zr`|waGfal(39g)f#nk_@2-nB!>9Ulo|NRBK6+iIcP}~h;Y;$zM>D$#TTY8D$11n6q z*uzPcn>o(d7i;yl-UUb=9ydCI;HQ7zXWi}J*Xa88!DvwE~zfEjjqBh?!jx*!MQKWD!0%}8uZcMC{Wr*~QQJatzhi{K5=Q+Qn?lKZs6f-tzU=W4YK zOubT&#%$}~sx0bk_)!y_gjc0DJn`SC8QYMsVB>hEiAZ(^Q9Dzh`1;djVIhy-=3=JT zvRI0y7NsOB^~-o8ljA9tEst9wH6P6{-fktY{f1GgVA>Q@QRSC>0a4HfjV$O4%DV(aLQ$$o9%0Bcw)-EO}?}#@lsLvE$^4%N>9tKVxPPTcb zFe{P9Zb#fxPuaUd#JeDye|z$`sOLRM7>^7-YLC@P=t(GN>H2yA&0oB>Fq);&>E#IW zJ;@N`u&8E_W|Q{*h|u;T$LFAH!E2C)uRbnPx8~$y8L)3Kv=CP0+>r92`97oq#O^Tl zsZMDY-Ee~me%;XEZ;07dezBX+-TY7z3{Y#^GIj^8Zy=jp>a8Li{~f*QX?XM61lsqO z9yzz2(bMxTl42Ri_WgscvtrqiOV-wtq8V(9E~CUIybQ!dGOuor`_o6X9s25*xdP?f z(AQE@={~!~7za^xxcG-CV;U6;HYMqdwg~7^o`x0$I!Ysgi-vwY?`r6?*{}37E2vP{ zQm}_`E%b9{xhPjAm6Efxw(d3S!Ix|a54*p)Rl$LYEF}&?q6GvOO_DI-aM~#hT3Y)b ze-YMYta@DR0N3$-y+<24J-jpiUJ~FlXV8iv^uaV>J|s)eBZW~h*iP$2w1V1nqoCL{ z>4=d8lzHM}p{|a#bQ&Z9WrkFyXZ(E5K18sTZM;nHyGKw6SjuK7FQ#_ zQn6sSeHCaI5K7-SBVFx+;s~a1#k22mfgjMpB8n=+S5Uku)pZ3fQ1i81We%vu=qTdW zm8wKfK+Pp$>VeY4R{It>!78Gc-2x^puoIyjJY6|HLR%BTYPIkkWnBSu1j-l_iawtt zmu(C_B|KqfmeCyL1Rg_0up`xnI~A?dOh{0{zuB~|M7OTQp<9Q|@VqpPO~Ri_N1X5+ zMfmsZ_KJ+?pbPxuPibfx&sSR#Su_!hnt@0YN}c0DWrZUM^}qp#eJP_ z{J0;9PzaHsKN29B7|$b)==-k&e&nDm*5j2S_~^hf zwOF%mY9+?ti2?08^T+Onyp}V;#$9^z1p#oiz(2{_ikIsOhB8exIu98~GP-r-7tV|w zWWIq{Qchq^f?*d0OsnkedlcQ1r^6HUvhq|Q->*Oly)^sv5{T2Ac=dnwbkLjtv_p> zlJMtt>>i277d7k>q1!d=|I4Ha*MLlVzQ9}FEU6Ue&d#(WBbXGMarMx*F|6vkwrumaixJ$iGINg zDwpUVD1VPn=+*jvfV4VofaEJ@PdGU*uTaX(W|z`Ww;d4vrN$6B?2+_iNNqUhO)hd5 z4I+ce+OZDcbDg44@*Jpc+AaFJH5R`qZvS?D1uv?PRvQwxfE2>)%a%S+6O}#18lFYZ` z{{}>%iHBd;@UHkW=nZTs|2BgC3x>k|oLlJp+2|YRNC)d{aNt3-fB5cgmZ^8lJiI{QZ3nJyL$n} zIo;wHxkrBl7v2KcjTQk@<~KrFBuEF8DI`4@6z15a2!sH<$)T;=L=g=N%3k#}ES6$T z7M4_9(;GGpkUt`aofX+?>CP|j1F&=S*B}-&fF+2@$sMjX%LCjS3IuyWBhYl= z^WBKr?3|lU#6aDp4u<_B#@`)23Yha;5zNnb`6Q!NnsZhbwy-H7Bzd=$L9 zUuAU4{cD3MKh$wRS+>7(=IL1BiwGQZBKHF%8Ik=WjTpwnC&B&2ozl*mH$jQ2(nv!K zi9nqX4qv9Wxk!DNXCmy9%qE^gTiNlmKx>`7PIPC|D0f)=y|jSpja)GeC&D{#kBOF} z>d2&++S;lq)^p2IErvGYy9>xH70A=SyEw*9DsDq7`^8m`-r;_G|AJ2y*;YAxw>lj) z2b3(~=>Pis-VN_%a z(1+80?T$QyK={`hWMXVua@C97AQyeBQS3M}ZKQnMgb&gGryCDK;=EP_gmtEXT8t*; z;eX>JGj+8EB#y|l zWPAV|J+GtNhV3@IHhV6n%Chb{D$9ENXNQMYNanK88;6nX>3x;K$szMc|9q-w`39z> zrX3l9CYQr`*d-rTsdijPe~(W+G=P$cWO?QfQf5o!BKiT>UN*)C4E6^=UhS5^#v#nSlHkK5d@7+xh`GOr^3o*fIC9I$2H!SOiXpT#d zNlXceXQE`$@C>ilcWLsiRxokrS6zYW<&Bd#RGo*Y<%al63|C%{Fz805z_jmn>K)k| zT1*n&!{YmzqRzWePA9;(Sjm^iOFq|PuK#^HTArkMfSh87zP~0JwTK>0AEg$cPPE)y zz<~8u1ef^a`~&>2GN-ac-Yx`!0g6oS_{6qRCPUwtj6g}NEbW?UnJ?2g0TB<&`7enr zG}->>Y;^x{-#2bbb$B0+dYhjd0!lubFlJ++vg1ft!C^?m{F1*{%qrMRv2sfq*L71R z7>$hZi43Y7mnR=Tkh{iEIm3S2)tQ*v+MQO!*;Ttd6a6WE_3WR1Wc6q(#fOhH-%V#O zho8lVq3&|CTMabi8-PW{UxV^RD09ia`C*|R{jH9)xx`QrHw#(gtLdMyU8vc&6QdkE zn-#AjNjnK*uWPmc{NdBNDJOR$x;n<&Hth+c`aqv%QCTxjkfWf9J@{cp#6 z<)R3whr-^Qu1Ek=u$sxu`1@W|Q^<3K-dX(WjK{FedBi`(qjG$sb7!QgC4^9h+hSJE zY$I`qzyk}!GyVsRN|#DD(dkn)qmf1Xh*&hT5o z^e;MNw}dFHh|6YzHW*XZHjG)FmpDhiBir!`uq88x0=d3T!dzYUUC@0+x72QrNUH|t zLx}y|VsCI)w`Fsfv;8ofWj%zeoXJ-6Ai2cbcj>Y9Nm?^f(dy(nDffaQZj0hvKK#1B z|Fm=mL`>BwY;0lnC^_gr<#<7Sc%ujkFWv8-7i7SnQ^TGXX#%iUT@>#Eel-Ix!}zKV zObg9m=P}RPi!;p8#)y3j0GhvT6*`t|#!Y~rzwgt~+J#zRy+qAOd=*(koZ*+%SQ^+U;2!TH9-{(KudK{ZQ6o^14T&oCjH&Qj5<4XJ_u?743QWF543-K&>} zTepo}_Xsy32#MKl;8*>kr%(_8!A`NvEm#Cv3MX49-rafv+O$>A{`qkW$-ayAJxY|g zq7dHP9ZmR>SW~=9_>iJ6c)}#7yB2P_=L!qD`bgIng};BHKX7Cu6;gmW70loE2ntt-RntdR*E#OE34?DJ`y zmdEfxFqL)uXrIYvyobk{-z?SjwDvvAehSEJutc#W+=958(tmdJ6xLWuk|@-dS>gQ4 zKu)GAgws{@|7Zxlq~lMN$5`{cwpq#K`k$qdPBQ4%E8A5}jlDF+a@dI_I^pRBSDCzt zOKSwo=ObHZ`AH|z6Z}$!hGbV1QePa>qZPx7)=En+(~>L;XJg`k12vNTmFn<9Y-DQp zRKFutQvz5~-P_&R54^m**8Mi(>*Bk3B|^GquYw^o|9r{cmPNu~47lQLP9Ozjm5lS1 zGzMybw)a)m`cf#3eFauJ&Dq}xJ#%_qelmUJf@$;3lctoXA)F< z4+w|{+}t?U{-?2S#04<2{?qT6J@3hOqOT!8P$x{J5H`T%K~(twU`HGzFNaUoI0CUf z0&HLcD~p{CgB<|>_|JM9oTF2Daarte>+Uc!e|pP#)VDtiuNOy6*6^FSC|MAbb7AA~ zN!-QZlcK%Z#92h_(UqSEm`zSq4-!><_w*s~YYNzv&9oliO$2f$V3^B)#zEaGbUGZtRut07eps6`Vksp~w0Hz-8p{UpfHN5Fle}j2t)w%j!$(K%V5h(8^8Azz(|0Mrg_6%$DTW?}MOAk4RM7gs9f{wF7oyF%!IHqB zMNyl9^fgEYeOG<;8%2DGCgwhjC>p*G5#{7mTZ21>G)83ZzFfr!InZX;}GUA_JYZ&Ox zqGCzKdLqhB@uQiV~V^sz)sW`7aSiRtm`|SB6fOzq9Cd^snD3`$#ItU0VzqTO$9As<~VtQ$`VX9pK zL|o$j>?pM}}^@!=q+1>&;%${Sszz+Tki5Il0>6m%on}IsvmWzi7<^ihrIHO zGv~%wYr8(HCdK1`y>~8f{6*pzfV()10nZ#W;J$r#(iz#TcwqYK4*O(VaUyTh+Xee_ z&yD#*XrY{e8^;_EAS|b1xdV|wxqvuiFm)hq<~QN7uVb1D(iJYOvURJ?USwK7Kwp~Y zT0by6_85a`lRGv|Wz^@KV$th{dEw4fs6Zje6sV@ZHmYcu)I!T-+ElSO=}caFgRZ4m zPUP-i)5f?m$DzNc=)XMVl#t}Sj3Ul2^)2$&1J!whi*9wd@*?ITYla_x_=Y| zv^QS+%#7{+ka0UX&T8i=bXUS|;8@%u8WJgh6}9 zR+cRseku%u$2j{$Q*0Rqr1A&V7u-EDrlv=Ktt?g;xoJ!d_Rw=zBZk5a)=UtO`@S#w zLQr4&U#&FcZVzS0HHSvWE53&5x=?s7B2`UWdZQ;6rLD)b(SHaE_y-|OOaLiL+@O;ErayYSO8&$#U8ZRWPQg9>a9%4;b^vmdjU>f8Ke& zGJ(LwdjJKy9omwYKeK|N_5P&H(C8urLem@(th^Yov72P{a&QO;K${Hb48{EJ>*=xl z006BEy(s|FJ$((}Zfj)eNl3A43t@<(+=aqbU$O1UVV{-OO}}3+BRDF8eCGG#cDykN zD!Ieuqc&*kV{qehEH&4N0x#A|eD%k?a4u=UU~1m*p_a2Dx6-{#jUvjCCE2e0-3%`s z`c1qx`w^c!c5U|)p+U{83W~wHoLp9CFKqdi zk#{0+fAcz8j)H(sk+A>2e>3sDPziXN4@q@*93xlrKB!?d^% z{ZTyZ%rl{&}p@TKxIaR(5iY~O}bEV$@YG6#Mg=`7bTcb5R*#>VA>^sm5&BZsTc z_MR`79)Qqr^W&Q%Mt-Z&TRMW~MacRFXlu0R@=D-{g(F2>A;U$WXJFqk;K9Z93h+jp zs0(m-2`s;A6M_v|#NEVzFC@~ZqXa2f-3gweVf`}u!%PbY&GM|>269L~8WxyO{4Dw^ z+nbc|YYh!b2IkGqz~_mXi^03NlQ_(t>Y;o<4yLx z0yjy=RC3wb_gp`0AgX;bFq~E+!2hl!rA%ghpeLBA!5k^nwU2-hF-f_+<<{IDK@bVU zL#uPA(K7*VL4T>^FokJtK4b(bO}BaJ;E0EiF=meqe@-iu`I|Ts4^cof<4VV)WaUDr zThJGOy}dkYWMqjWn%k32YEX`Gtgm>brlN>%YZyZ`n2)noZG3u9Qt{zgZP?E&jx#hY zTEqJD4QVa?oy6KodEPCZi?ZdD1ja7j$@*DO;vbHY;E(wRz|QgJvgQcr9uby*0y;=h{NjJT z4UJMa#U`t-l6_H9^c;TH$aw0RzYzJApc}fZp~Qz&&%~J|H0_ z$6xn!_sx;_TWvUOtPToyXrZBj*}%;a7XE@6R1zXc_1{BS?I-CA16w);)e#oHOLN>d zvGE+KVJIZ$s5nyQLgNUxdxEn0f^-}uIow73_)1zo@|K=;gCXW;?e2>kdo0XAF1%1* zrxPV+x<7y0xyJZ{b`$32pxxaZUm5}3T!#FONQ1-Zzz)(Zb73kw?V)RI43fkk53YJ6YCg;f`|Hid6@Lm z%@sB{OF{W`4j}cFlUs0cpa+Y8jJU)9e7If|>RRYn|2!#m@pOsZm{@#-oc;P@pR}qI zWkVl5z?Sfv$jm4x)+QsHH`L|bdXc~{LjE)bG5O_))U2;!DQwZ|=(5#Pi1t9OoFesWG{;Est4T;WqlX@Ri?)N}N5@ty?&vD9>>dsI+ zxP_~yc!R+mCE}Dx=ZW(jIBK46<7w5F^}5@RBoAz14s^-j%_5v<{-S$dgfcQ){z56G z{hJ{ANgV@Soa!lFAvd6G(g7x&DuNk_zkT0uI7}!Qc>OES2W)W@sT_K@kv#%j9exom zc`xyJLM;f!i`MtHWs>8N!P6TogCy#n{pfP6`?&1a2l~pE0?RC{6`fkJf2ju_heDdm zJ~6f2J~C&A<0)w(Ex(SxF_B|UlaCRQeq}vKPA`NYR2NMJk^OWx|Frc+n&ka{_3Z72 ztOrgwlg`F4=*7eNF38!9Y|>2QXQh$P9i_(}3xfrVMl)%*$u3)>b?B%sQ4z))g`l!J zjX_%?611G7RoJx2`R(oEcW6_~yIcDk!3;cjGfk8m7RHryaID*6X|A58Cx9S+DZTB# zEum9Y|7OhhVzt5!EWwMZ87HjbfbeU%l=kEXu(*th8BO$G3sFMj#5w5-@Lb{u8l%0a z{bpq1Ve=+wavHltTi&KUxR5T?T%BeXbg868dv?w$Jzfw=g0wm#)#{-#K6=A z7GQG%?ta)(9mGm*DK=b6%4r#z(8%fmVm5d%>xGhfn)fpx)2sE(X7ROdwq>$Ob%H7l zEKAjyC}`@y^#D%R@p3!?b$O$Ns~qbD80AQ-pVa$?3bBM*h5{L7ktH=Z+WVyZ$#Xum zRKYE;HTlw#G$$*woy$qW5~xhsFlwOCw)t<2oy{pL=RYM zNHpLQ&xV$`4O@)8{M`KBzZc>&M`J16$inb!lrBQj91hDpu`;wQPw0q*tvk50VNW!% z1aL{|2bhxs4O~dOxVG!)f~Zru&LD zQVBlxKYgeC7+AbkwD%G`+nOz9^v2<3&($_}&a0ez(}J7)Ityi=&=W~I#?yC?S(yGz zq%EhbhUu<#723WaCY|WY(ihuW3XgdojoM$&|1z>ah{>$*1NrST@^aN={&Wx#Iz@(3)Vg96;>1i zrI$ZArrxC}w=XZ)=@?n*rd=1u>@}%BjF<|Jph4Ew`i-!XsHhAo!mL_sPwWWU`tVH} z>Y#$@Zx;2NxdZtY?^#Ia0VZR9V4$e|JIstEW62-ncj7~eH5xpl@sgRo2rLVAHl}hy zxc0YF8IWCqe@ju~c`|%O==d@fXtE8&#Lim8xY%ThUu|Stl~T=1cZUf%H!v8Z!PWmnGFWs3GNlWil~Ne zxO%Y&18M9Zksoa0l=|GalT?bTJ;|+q`WM_Jcl%Y;TSi_=W)ON%+;_$^Z1C)D=>FTu zV=p8L#yMZv^j7&2{byJsF%2DcB0szsdZPX9t_d>q>{fbH@JIx1ZSW~Yak`Ueu@rl;|!ps&gk97D)Sn# z_#~jbc;T}Xl*KFvMi^o`pK4xWY6zETxQ!m1&dp`8)<{jQIeCBRVqxn3p_#%9y%J)2 zv2hRYu3l>`3;vs?gOA>-Ddvh6?OHVAT)aOpp!`X{2;?RLQ_L0wxhcjr&lwN4IOn@_ z-{eO1o!~EoIAtR~g~ZTu6@QE{vo3kJ7Q2=zOi3@gMvx&{aV2hkYX86+9=zsmnfsK< zLYeKltKif3=6o`nqa$(fW5REl4Xc+`RDl3mc4s^sgk%A!aXc_}C|wfN7${03e;h+@ zxIWp$uv6*!hqy5eQN+N%R8VJ4C8gNdhkgf){E!D#HbFdHgua|)i@J6f=J^yp+?hXRT9=K-J%?{BV0+bBx zlIyY$yK&jif17P>R$VO(`;~{*O)G|1*XcY%ovruG1{a<2dOcN)kD9AU{PMAnWwRg* z6L2V6&bvj*Duxh;4!EFKw;^6V5NJ66k*N=w118IL| zaAZdk6R(sho)O>8iz1@IXw#DXVRY=Bk{o~toLCeYD}NQmtb3N5+|?_xqEcDRR)!A4 zG_APeB|;$(FcQ%LroLC+Qkyhzt?(`GVwc6fzo>MCO+6?Tp?2o)F`YUwhTIEJc<_G}V%&(Y>;bo60O%pSwA4bdB&h=P2 z|1P_FAxBYoLAo}|M4VteK|K>yV|8YdaNj~ABuZRAGskC?(NCJenf=HhwoKA44bqbw z!~7(zdvAC&P?v#ed-wUR9`SSVU8&yrj}}h;FVH_LUOOr`qu@Yxo?a5)Ho0QaD|RKf zx{eX)+`E}sosY*Mj=7)b|7tPIqbD{KUdwrXMtUyfiOGQ_n$e5b+)@W_KRg3gGF@H!PzIZ#GcpfO(2-xfmsl#5OG_mM?8X4 zsG?3#Il+8u;Hk9SZE@{rWV)-fvy=P1coR-w25xz&Sx)kI$S_YHw@Q)wE zf_5_!pXvUy9W-tzZ~~%5;Q3;7d&^S)I8fRU2dn+(_zTMhU}Csg7TSl830q+U2ze!w zIkTP{R7=Dq_i@M{(8i6UR3mKmIy$qf|HakvuIr|KaRT#c=ICkIyy(Wk=Tgd;uBXnp zA6G%=edI>gj$2oqsorwgQnkZ}6S14;{1?|7^>sN~1}YQY$BVRU=g)K)r$F_;=Y_KF zoOXy_2xO>ddaa>YDraP>|CIhmXLM>7&oZzzeWex(Wk(=SLE#tJt%{Gqb2vqNya67X z!X;i`1+s5iz*Qz91hMD!ckPdJ+?*pXsV0avi7Gr*Ob^cIn%5c%2b#Rr<+WxmY#GCM zAW*lFCYIzJwQi6m9dG+&^5tW?`eXv4VF1#@ra#=9k!D)#ydlDl;;md-Ut{`}19#0y zONz*XCG$mo|I9dx_8}Hsvp)vSqz~tfG?k{QifuWXlUu0ju~L$@-0(|BhUY~yG~gx& zx+V?a=%Du*Xc-vzpVr>~o5d>t7A??!XrteBVlaIQRg>%mD~;`P%JMEAh)f-2l{ehM zt@Z%G6SDvA>uT=mIR-X@A8+LWs+=HX;C^cR&*`bROWoHBIyqDRzbiZ3xxWJRqD`q~ zBMdW*$&|`WKn~$mrh|Z>(2NlZS5YOE%9$6GSw{Sqdw*FHsB{uD*Eq2WNaE5~$lMo| z49asspb4b0A)Qh=G^HIcQFMCaYQEi%Z0OIxcNQ{f`4-@cwCfdS(_)1?MN)qsP^GZqf3C##PG!z1&H>Jkz{xDK3^yjf?W} zfBfD55iT4MrgrX?vJmAMvFWs}E9vztfE$I@R}vPwVlHa-B3Ad*v3=bCrj1XjAa8;9 z1@GN`ES5|y78Ns8lpPV`I>HqP?RWv6GHgN|@aOl4rYqB9W>#U>*CRtknjP98$LBb& z_4eaFj)!mzs>hnr#1SvUPQRBvMwBvlE#N5E&>fa|HF9KgRW&2rzScJaeHk@u&dL}f zRG6qw?2eY0PNl!!X%}73>Kgh}{|1y%N3CaZ!5cK~~Uc z?qAc)#Mo>B0jR;5GaRXl#Yr&NF1WGG=nxX#xC5y&P@(Gj%Epl224)XOL9%{v&xX*% zD?H%s&|%C!a0a-X!-VNwFD0zvRI|3Z{wohDOhudc|H&uL-n!gAU%J8=jb*~XJmhF( z&@`JkPgD$&C^0HX!odVyrofV8i;l}3DOu(smc$62wYI_kn}<|jF?U4i8aWh`VX{v5 z(f4-_@KEg~_Vy7EERrVB?8tQn$?rXJOk8+VOCG*<2SW6(odoTV>dj%z9d*nSboAFBmuG^;UR z&A_O@x!0|KFY|qc@bxH8pivvGZ*38%Wc?@o_$#eE8@$!F9gaN@21FNy|KR&S&t{lz!0z=LW?JfuL z;^6Fy=1%RVF!q&q`ZxyRaI4<=dut`(fS;)1 zEEL|OP$#^Jlvcq4g$jW74z)#q{Y{_#e-dQ+??QBr8Z6&|83*+^&n3KU6=Fj?35qq} znY5MA3ea);ZlsE6X_O+Fhp8k1GsN5l@=!Z4{)&^tSy(%RG?sL3>YK&c*~RnoZ&|&~ z*k2Gd*qGVl2vCM%_1iASol_iEoCqEo)I3+3%NvKLkp(!PuX3=C#<{mJ$D@p~bys0f zX}Ul5mll(m(Y@`FtN1E;39@*JvIV&ub%kC4f1U#+oqiFcQrERbO=%rjuK_$gJnTPa zr)$4z|6@WZ8JudBIA*^;vbPJRKUmPz(}j;5Y_hW73)a&lhDRLP{zjCUq|3>^@tQc4 z)K!5HhDfhN&mrNJxL0~)844?sUaAQh;8_%Ye4&rd`eIeYksY~{?~Y%D5lK}f7HfB6 z++h*7Al(w@W!diP`JKv@u}D?(_{NIg;;@CN3zyvJ23xJR_^C-!^(L~g?DsQebt&w3 z%YmGT(^&hj>tm_d&ts}FYIfd%rHZRU7RuyFGSyCZZF0YENo zf9m|?9qu3Lrc_|@VX3NJRcXSHbDWg8uMWumUtBluYxD(lK&~>FJUuQS0LRPg0N{re zKX-`0X0cGNbYg6shc`j5^Fx&iuCIUFZa46tZ~w>iAVV=qI#`Sgm8RlOor9}vm^l_7 zgaJ;5(GOZl$ct)-aV=k`rX?%^&az;*`K?V$w|d^ItKrkgL_^W}T-oA}_JmIF$Ea0H zaU&9$ka{W%N5ml<9Cn_?68s;L-yRN%Y0R9_XVRo=N(&$rX=Qy=&T%+ zc5^dyoq4qu38zyI$h2&iKr(B^fxuXttryU&H{rqAs7kRlWQ_4O|p;f9-{(@C!u9ZW%{-Hxn4liE#~Fl<~3)%8?-fKCeu zxx=+vpc%ws!f_ ze-8562toWBSDOl24p6#^W=5=orZvqpYmOs&57%PgnmpfJoUP+<0~w{n|Dpny{ZRDK z0!WUrYfi1X=@Lrhhpagi@V~RNwtgA}QK;K>iJ+$pC5&lH?HGJ6Ekfp)_YkjSsXsi= zwT#e@cx&~0`V**@ScH3BhxxUK>2!wgtH#H~4jf}v8R8W!h50y#P^+aU&x||t@8YTG zv<)B5;Uza4#coM&)yFnxBFpc)naVs+%J2Z_dC|~0(#z}DUORT>IMDg+@$Brf+B(%* z^5(YKzB3jn$TPFQ4i>Uo8u?pi0*zf{;tCr)P+{<8ZYTz3bcbKdeZR-S$QsbZ)-mUvf$<%-#Bc=!w$x zzmjl=lxvQXOWp!IomI^sOrjWL?rh^|z2BL8$W&0f_kTL0 zE`ds1WgJ;-@580%3PosdsNzfASoK-WHIGOiz|O=Oqd8K6)vsr4$?sxo$<>y^f-eo$ zh${D6+Bj+kB|5wrR*}pHr0ub(Ufkf*g;H}jo2=<~hi+QTE<(Z_=;{`yx6aNdpjF2f zQF{!J^aTAe8U24C%w=uBmwDi9C2GX>&%YJ1n%9+@<=I4UlD=8E3LoH3j!OQKljnt& z93$}4^iO)q(0ID-?Elh{Yx5ezklw~`4>ghtU-X?_3I#u<#w0lS_{3ClXA%2vMY*gSL8`%dE;*n0B?!4DJm zBfskl_r*g%W6Wk>-~}qceK7&h(%RQC0}Myc`o98dNpFYRQ-3xx=nwNwT$3p^ef$ve ze*=&v?ACtoe0Y4n0L3`>&ps&c>sUbj_}xd&CL|&KL|x+e%OO{<#hTIf;xIrf`Qyd0 z_A}7d*Rp*S@Y25W7D#k>HVqK^S+?moF4p-s0gw9^rY;Q}mdRTcD7a{QShy;Y_N=B= zc%duRv#s>5mcq8y?~qi3MIFLvNk17vIvRaj98|n!GF}(5<$KcQW>Q@olv=x}R=Phv ze|mkIhQ?Tq*~H6VIR4>39}w)3e(wJySob-d@WnB&&RPboNAMgnUWr)8weroR3)ROl zwGA=|<{^6Hz5vO5;h*WulH#1PXjmE(oFj!l^G9m7Is_W@D6lWdNR0_pzO$hyd{-BF z+gs04-~RYIx<%me-I&lrrU~eY>)x6k|Cyt^~dy!AekE)L$4n9uA3mIT|57F|C+ z_wxAapCSZ2tdpbAQeMAL3b>|1WLfTk6oh`VF8s#OYuGf%x+P z=->bhk_lp!hym5C7muvNYfk>9KXv|3qPl)~sq{~6_P;wjJDXMhzx8tO<=X$_L7qKGL#Axe?9%52x0zSDeX^?@b$Irerxiqu_H`SI{J`bqw73QB18o6V*A+~ zy&7!}fOH6pae5ig5M^+d9e^}Xl429;ddKnTwi6N+`^ZH4hIo3GmdRD+z?>?QT$Gn4 zKsXBi?EL&%x)1`8B{_jfouu*>ZHfu2925x(xdaUUw1AluR#@Gd-8&q3dCh4p?2m!?YRez&d&;f8NnGM zrPf(K2IDi{TFpP@7|K#0;v5gj=G7!dk?NGBr%nc;>KqN=YSyI3dmCf-i_Q0 zz#B{uh|@7H19MGcrWt;SXR|zw*<79(ic{zP>BVKatoUHq)E9IwE7EcZ zIKkp{jEEe>F~KuAtY4PW3dZ@Yor{dqY*eu!7-en zLlQV?KT8T|nf>AKc$4T=Kv3%GR)j)!xW)U-2)a4Z^pKfTzhrU+N5zD8Y zXh24gqy}r_vz)UJjkp6M=LM2a;1DJyo*Yfgrid7**AZ=^w0wj(GBaX!H+Jb*m#)%1 z!nY}91i@Je58$x}A`tyiUABhG)rCfiJCIcL*0>tH0YDe3UZ_BCsQqwlC%P)72d=4* z)wd#av)(dAKdo72szuwf-PPdUWOKZ>JwKL}GbQ`Uf~ii0EDk#j_$l z2iw*e-D$g9PnYkPhhf%>KthE1U;PnMQP7w|g^qYUJ-6~agU6GO+Jp(iO!bx{8 zCHV%tAkK}0;3L0ps}th)LC5{5JXy5tNXJD%5T{Wb@_n$B?*P1kal+5&0AF)LL2c@6 zKVm=763zust7vM{92?* z`;cEFk|KFMp=F-y1Yd8=AZ3UwA^*f7OaeK6K{;fuMc&4N`Qhu5z?8=N6x3-gyslN# zi$a_Z#aU2Dm71V_wo*VrkrYjFiu4hfVE|LHyZhG57?T-f@?<7rVK2%HW{6Ta>DK!r zFwJK$6%$8HWmQ>EcrMOFh`~6a0AAzVzXx#|l@wT*kr4!`fBUQ*k!A7Xcv%e6Q>un< zd5m1l#e>mBMcq*#^FmAnJO-D9pZtD+2}Li!FX@LA-!6`qDA0*c^Gvi};Im+p+C9C@Kui z`OEcnQ}4%l|6_U6EP4IYa{sftzi-=rZN1#x-CW=QJjCa6wL`B-yzedV*h@>yT`e2y!h z>S}Gj@Tr#XdflVL^0b`HPE;{Ie{`;dN`ynHxJnX`XG*(Yv1jOpj36QWc#Kn}bbIg2 zyz0b|GvgWj7|-$BI*>a^>^jOnnDI{uGU>cTE<*&U9DLrhzdp9c zDcfCK7!XO8khnyHP%G)@q> zg|T4$QuAE)SzmVOvGLt^EK7w3#S#~|QR=)Kt?G?*IS`>Rfdo--%c&qNhfS#lD6vL~ z3Jz>#lK`hu01#lzTWv@w4r9I*Nnrw0B%4|EWCzL3r6{XeG- z3spWM+Ck1x$>DIt=HYq{W{`zbeLUp!X#qJE5%RTOgv(u8JQ;!CQ*bs0P|%c9Sw%Z& z!%}X3g&l^NHwnc`mb;CUD1;=^dmkd2vi`-VdOt-H6+to1{zx3jn!-?= z^J5FdUZ+d_w9EAc!mW~+e7c-E^|R>dvxO4+Y})e_+5)w5M(uVQZGq@MtA76R>vUSx z&qAlx_FYw;X;*Z5y+3L-867(4GZa@?mXKOl9jfz`oI))mQYWcvq~%mDNUA+X2!tpW zcFTPB7l*|*m=YDSQ+Re7xtEOi?rxT716*v_hAi-+DsIpIfA-$BJ8s-q6g{8kSKzki zTwAl*0Tx~Ro?qQ@(mB~GF=m+8(FVb<5hF1qY@$wN|;(bWW1Oys@;qdvkbYCt2@ zMmMQ)0Aexzy)wR~ILah#@|Z+P*m0VYB-GbRQpg81Lm6QyO&CE>qDcoLD3FNl0?*Mr zjlpf2p-8#Ci@B;j#BoM&xI*MUVw~-DkL=;Mub+%8>1_uALUq7?fKK`xD(I@o%FB9h zu!{XnQ|%Az0BrZly{<#3FIM?oi(o;-slF|rhd&8dgzw-agzd-RDctGrGLRB|PD7$l zT$~7nO-i9jjYA>kzQrTp*-$U4KTQ_YSoV5LLy)&vWiKFiu@Htl?j;3PhmitB)xl6w zY)eWqAyJbMO}nr)&FFnZ7{aWwhbd+Z&TvNaIhYcb6Li5r&XNg{yO<#@BwZVMl#5^} ztZC%Cv@kT`Oba5HtiUV+7vE(yG< zSf09=4aq!hE&lYHg&z1;MW9#3g7oCYieNF~o4{4OI1y42od_o|pw2tk+0B1t;t>rt6T_rl}!)m7bDw(Ef-28MKbFu+RAkl?uw+-*>jfxZU2JeLmWmgJpvFuW2&_PEU3tAUZxW08$I=PT3r7^*7j@rTZ*5G(R zl3N$y&+B}-Tp#|{i?eB-)k%lEcv^*9bq?vt&AiEF4-VFsclkibpKIx%JBRGUuljMK zUc{n{sl@CpzPCo#RG&J3D0_)ZijEkNe*4-A`|(XXBHii%w8!5By;V?~X9RNy^1um@ z*>)@@$D#4-~R7*SiP5V_M*@A*>p@7u%cgYut;GIt9gbMMNbA zt~1wevCvN-TuT(}h&e(KljAD{b_;nPl*mi4TSKJNr>KoidJA(+VXf^tx3L)Kc|hId zw_9jiQ(V)`%!T;d7u41h(F`W<7`K;j))2rPgZ2~4x-#B%i(+dEVg9?g2J{_+_7J=r z!j+4gb&6bFVpZ3`4q>Zx``iMSTeNbX>LHEckj8LGV>qNS9MTvLX$*%nhVqB+G>xG( z|KF0Z#l}^i%BMa5-_cPs|KG{8q5jjuJl|~oKZV0X+P}Ai$s_<}vOn=tBgLNtm?V8g z&c3DWJY?z{GWBhisZXGsBR`+Ou^}nnkd$vo%J(^v@`;1lor+Ji@=d@eAk=Z6fS?QW zgYbjR^j5|UFB?;6p9ZWQ3(@1BLr%emj_AP(aoUhT+1fI)m zxf$%V-r378r&QG4vx<@_%@dcoW2rh7=1N%*S(A)3pT<#8#yislsq_nij5@~rNU~*= zfDT6IiA^(lzXC$$(4>3V)Vw?kt9nqQOH-Y$GxGohpk<3msI&&_)LCF<)5hJJwLm37 zY4?_>S%KT^895^ecPP7&zGP?Gf-M#(6K@r@)wErpYUFMiQHP`xlAtKD=~xSKcwgOY zLBD!?I5|9=9PI<4-RCiz%;}>yhbPa*Zw{aTd&>v0A*|#nNM6K|e|) zd?x7UToCz|5t~*6$^9W>Mya&p)wqPsG#BGD610z70ihHtW-yn^7ghMR_#_U&DAI~$ z*8LIpMVzc4%T*EMA(!tQtkWg6N8zkCcT`XJvfWrK(QYi3Xopryv@6Rc>TSJ5epuk? zP_`ROCfb!X6K!PCY#G$wk*sFbY@6shZe*MKAkdu8sh>FVUN!X)M`+G_$s=KeV==PM zkEHG%h7@8ev(S7738eW95{T^?B#=P@86=QF0x_OJ0{ILQNSnqc!wE~VpqrP1uXm|$ zYR$Fj%a$R%C7B(kMWT@?K_g=lBebL;nV>TujRMSvlfwfWXgUg45Vm+l7zgbMP1yS+ zwydqOzPFZcC?p*8FpzPWKn@cYg(Se4UWH@dWM&k|A7)!6Fk~rB8QFd>E(Ko@VwiK> zgmRRTdBix$B$Om)ddyIOIgaTZPJpt4J}pLX!FEV~Jtb;Ez?4ck5$r=+A16O7_n0XM zUzeDtCbNdNa`68f{Qnxy;QyySGx+}v{(po2-{Ai@`2RKh|58E(T;;-Owy7szyZ_(e zv!laj_4>ajL;c@}d6fU3xXl?pfa0Efk$~Hab_3LJ=P{k)c%o3`YxfdtVEW)Mcqu`0 zra%I3O4q^K+lCim9iWnwHYx?HW@BuArF1*2jWT#34jzabdmz>@*Wrv<$6s`Ic~QzI zgJ`;Qn|{W2xG{-(U7i1VBfqKr^L;t0Z; zj`Vg|Bthm%5nIdHDjFJdTF^VN#)|8NEb~JW$SED_xwx*Y^oBU@vfW1LDGqK({nR-p z{rC^Exj2MnS&ed{a`ob^ycM+{pCQUV*1k(ZnofvV-}oXD_kqKcq;wu9mu$Zb%8wq#RPwyam!R z=)kMbpaUOt;DZi)(18y+@Xx9PM~bf~uI6-AsjaWsrCcSjDVLP26xaT zh+>-sDdsRZ0m~0V|KaiQY7vHH`6qREohv_S$x5~Ubk#{$ibvuruQ^wtz zeA_Vrw_LkLnYNQANo@8{koBS3L(i-r0%mg6HgxNpTt7#S!PqrC-cOtTFN|D zHow8TT_l%?DfGVCx%fec!FEPtlAXmcD*u zW3cm8pTW*I*!c!K-(cq(?0kcrZ?N+Xc0S(;40gW3&NtZkzNE))|I6t8N~PA=LK%RL z{Qn0h2Pbv=-{Ik4|9g<I)23y}_#YS*&{IQT4Funaz8s=Vy^6Gi+ToKa1vo zISInqG~yY~R%nS+rRg%#uE~Rea%L^eJ6#nCUsdk12|7zwx)b3vQnogi{Jj-hUbV@N^x|M=nZT#l_KWn{do)reTH5IT(N0jW#)y4EtP z?7MPGYORPbGMdj9CGTFN5`DK38x_?fE~%>qh-Ln7j7}8-2FZ7o*aWkF+?Kbp{5pVN zFC75UW&m%~ks4#u0LKE-{g!6-(pv<}0zzh>NbABPrq(7<(@=)Zqg#@|3O8S%7{z;C zVoAkv#J@S!3m=!FIp{2?<4!*P@lHmo;vsZ!z&o8JSb%kL-!~+mBHZ@x?n3nQ(UroD5%x6!L^)_o=Kt~yR$^wGejd! zZF4R&L>m)O`Julez_yc8iEpnIx_J=QSCtNht5zw(o4{(%Pc3Mc_`c)?^2Qe>jN>FA z#R-sAC&GvY^p<2R6fAI*poT_5KVmDybuJ1)QisYKy7CAvn7#EY&M_I`GK)4`YiD^Z zhgE5^p_GKUgM(sH?b%br@?e3mYe(6+_8gxeuY_u#qMcm~f!^_jtQaqwImJQu$? z&&9!^=?i(R{y$0p+?EGWyZ_J0@rxJF>;6B_4vz=_pNDw9S^u9p4i6qc>Z=YPpxWDp z7f=nJlK3|KfK)4&Cs1>c!53)o1=`FPsD`)>Z=f3H4gNrbKhWS0^f~;2YR9$PBdFHF z*C!|}D-d>En~Yk8+B--pMV}D1w-0K=fG(%H2`I8#O(Zxe5rgKOMIkA5+fv^iF_i2U}lyQ)T zVDDP=_@(IzY3YJn&q^!hi_^5b>+Pi8Dr+%7nyE8|1kzj7q0bVX0e+k`0 z5{esSqFh#|Hng!GCPhq zD6H$!%RxGPD-5>G_2Zi>BnFW;6(uPxa59&Pr7%ipGFHx7su75YGZLy|*p@-1={+gd zgV>63vTQ=V1=dS^e<59^&dXx?U0!vzK842`zK6p0NxqztOc`dBN!YRm?Wbjw>W5>8 zgGIybK}ftMiXEUQ;Dcfpon>8bg_3(Hnt?paY(d&>lw@!<99#|S&){k}xEg+8u7+*_ z!7dgsq7sehj%B_LNp1?Ag?B)dCRxc`Y}!rXH8hRlh_BF$V1eLpL$^CF=1EM08D(tm z^)HpiCArWtV~uP`bZ|0GvE~)RK}Hz^U5}m%ld9g7WMlnPrvxgHK8r%lBjp#|BS?S? z`d)nAMvCQiMzC+paX=C-IJ+`tr8oj>4xJ%ovJsOmK4+-+EhB6E?<*+lOREn7(w7gh zO*l$i+XVc^guVk~!EaV7I}Em~@?SwnZ6WiJWy&4et!@RD63jnFOG0!0wnfoZcMq;~ zE7Efn7rSK?#}Oj|O~N)6me^i72wLJBNe>fpXIvO01_&yrKvv%L+Q&UPI5bo z5>l}u-4b84AZE2jn$O2KS12ITjstnD<-MDedtT^~Bd7sFLOsD%T_6@$UV{mLUbKFps9Oa)aO&CM+giOn9D9duY9WB5}@|d>r9`N4I3N{Lz3X znsfC=6tm-wFhz4s%Z_x7sP?MYjl8(;N&WNp;`QGJe6pfZjKBT5U?-PRj)7@6HST+6U!w(AJ@;%WL+x>+)I$1$GuC z<5?Wd7u;}ufOMhitb&?UYCJs@O8U`qs@M%AZS3M|6fKQw>XI^XDNs_MT^V9NoPr^2 z|45I{5Q~Idu1#e7hm*r{6#@$YD_XGt$&0ZBsn%w;E7tw27MUszL39yt3UStMaSSe|Z6YSHT^yn*j&TwQK9kZm zyS*PhBFT(qVzldkCX58Rkif4`?(cgLsn>dp^Kyuj`+H5d{wG+v1JdS;rymTid!@h_ z@Eo$E5p^q-`p*Q>oW~K#++lg<6EWDlib2g-EjqcsSDaTXTm!3u(|k1T!}Barf9nfWD@G$g2lMH_T*^LZXpd>!1ZV!qT(6d+pms5fA3v?Rm6AzoVwt z5f9SQ(~9%aJWGQSBx3~IBO)XA7qQqvI)ioV z9j$On*R*T;?T8g&*E{mv^jCiGO8vb%1^D_Za9;}HuLj?tB77IB@LedwccKp8g+hD- zmAEGZ?x7anrDA*+s`1?@$G4*%_uQQ>75R>o(DcaL1E)cY#U{jWg%6zA)y&O29Hac%Zgo_7xFrCjd`s9p;8-Kf}iret43 z&E7qt;~cap+Plw%Qp9_!+Wj}#p)9>+A7X&9ASVZx`L^-J0t8cEz05;q_9``_ry9 zmGtYW={@Kf2$sDR_1*G}%-+*mRo~5|W!TSlmGymev3-OvKb8GjO8f2|kV^eNYWr?f z@m1@4^RphR{q>aloomv{e}DD9mxSO0qg^1Kmw@mE1|V;23fP4)U^nIfPlLc`jHw$8)bm*sQ>=r;G|Li{l)W>A^-D3 zJl}f$X9I_a4AAPU7X?hhxYG`kxZ`BQtYr1D_1pzqs16n zr%(XQF=0R%nW9Bd0B@iQ@VOKNR-i@+{9R1Y4ra%YHQ;Xm<`y+V?Go&O{FQ7~&jDOP zXg!onD`s_)a~(y*7nBh_fb<`xStxzG;S|6ZLu%Fd3+lbZoRjP+n&y!8UFmXeNfMDH zAUczt-1qnnub8}>+c*z`D}mrNVn&&AiYu3yW+Wh?81^aHDj@Hmgo~WBBen{XxfeO2 z1z(ir4z6sjUS zPs$9BAxT!FLKwtBNy)oM<@kmqkmwM+#)>_GqbE>Lv-Y)Bh9*dSp!TZ#qgYchuhP3s z;HV>ipIY2XA*saSsBl=9H3!ZvFNC<1(u5JIDQ8R^2`+6{YcIFW-N?z-l+>o~C6?8; zxyVAu37C7-p{yia(xymp)CG-9h$IkGVq`zxXtk|wNp6>W z>U1x1yB3LAoQ2CMF@E0m>+0*rH1#o~Z4oH409F*yl)T4VzRP|d)CrYGPWwk(<t$40; zM3&3DrV{&fCb@EeDOup#h-T6y3WP9~>ee}?9^~x&4N7So1zL75omS~G;@r+;-HT@^ zg8f+L+R5uah;tU*8Zj@5kwaLY>(I9b^Z9ziwF?&-5LOYROD<>~6IrB&rgUInwGt1y z2JI3aWqi#E2#mKANP-8L{{$D z_tt+~={hUyv4v?yW>KdDwSH>OjiT!gkavNZPDw4ku*Wc>~pRIcauAu8K&w!lVj@Itw^;~W2 zD$i#=OTrg4^kAN~@HyyJt!4dtiDY%*rhi#3d;KVP#Xnkfso9idlDArw|aeAXIKY9VGa~XFL6!pH}Bj%ZiCg< zJdHU;ifJlwK;eaR^4f!1(nt#W6X^r0fFcD~neO zKUJX4L(NQy!UT|555ZxV`;PX_#HO=1xh$a zEa{PkrJ9o#_lilC*~2%&lvc%N1#UmvGMaNzIv?9ig*ZVt2EmQX zd~i?-yOs%EMJg?EDwcOcR&9R4y0fO-yeQKRh74)F2fqLuYe{PK(?}9T9g1cHjV?D{ z47JkV5Hd~~%UAjwEJ)_$gjN{G6o-F+RGK!nQB@BcP0c!8)|8xa6s*MB?M%E@$GZ%w zV=R|>{R)w;TCu~;?b|t*xWiwHNx3;&#l_WVUUe7|1Igv7O%eRx?KlFugJfQZ502+F zi}+&6Ch)CtM4TBBWG)_;gwbsjN-uGl@oqT<*L9YIYYOHl3WZP_;237kR0c&9xh!&k zqRKO90Zb#IwZ)35Dft~TC?_-_;z!4brh%Yb(o^xJ1YwlnB&16;#la1M6Kv!;Wh92= zq&urtLvJD?b7*_#T0A#8m9^=cxZLGkI+9->8Ngk^0o_Il+Z6LfuXLT4m@g_0C7dFY z+RMpqEvqP#J{-NKc%}S442pBNAcFRZ$<9eaGOhP$d$9hvT9Z`%NTEGyFQ-&prjO?% z=lzn)e*E~RxEb*npsyDes`)Z~x9wc%)MN;fyqXL5Ec>vXoaYd!;(f+`*5#@od{oC_ z!I#8d!-=8E1ikI@ft!*d3`IIij-D0=4`|ou*PLXl>mn9y7Xs*0eKzDDfBEnR0i4R1J?TAKC|TMM`%Xcn z2l58gmFi$6Bn!#-y5f|P!mXJZEPHW@GOUKdG8=>{ye4?F{FjG^b*Z_s0#1%YGXqDu zVc12hbnKru5I^c*L15Kjr9eTH1$m?tb#$5LRt0SJ(cuaL<{-r{^O#3zOx!X@>$L^R zs-~hZL;;Ce6#3E1Su1uMF+(6}C*)!P5UAu-m4E_y&LLh>h~vNJ;_6(PcySIB#bg*i;t)U zP041G`;`%~Pi3+L&dD;Bsue^1+@jV}##Lnm)&`~GuAWaBk9e-*-KBNJS*B300loe| z=dUk6$~j8CqI$8w4BSA=)tn>4FWXP6eYrwt)Y(aNUNSY#V^%d# zJI1Y8nroJwR{PD`$>(5f3nAQ=C3+UcPEy)Xk;Dcel^v@QWnPsAr6enuOld`|Tk6V` zR|UjzOG#pNoiGLz7hYNXNpL(_D5sohfD<);=a4Gq4RrZ(#x!HvDkw|4LCP`hU$eI1 zlP2*BD#j&FC3>~Gec8U2reMS>v($8eJ*A1%6m*MmR3W99QYel#|9xMv)X? zc8&{IGZ?iH3{y2{%+MVX0+gKe9nKP13ddZDL(WmB5Z@vMjtp#cu<5pWa)^0>nt~h6 zReJbnfyMIe)=hV-8~ly6k{ZeKuNdsl+HxrnQ``&XpJCy~>^OTua?52kIg_Ze!tJk; zWKMkRhOA7hx@AnQzmroCLSB)|Q>KiW5*0iB>fM!S7Sbh-5=3IiLAo0&%8;0tt9 zDu4hpB6rnv^r@0z%aEnENi4sIS$By193nr5$j>42bBO#LB0q=7Px-?T`8hlf__W4< z(wuJ|{n;7+`QqsLQ9b_i=*5d6{_`Q8Z$AE0;qVasse@<$AnMO{_Z;FqKWDrroJ0R;PiXEN>j{UvO9Kc) zO5255TS4{}M@nm;rMW-NsG!vL>+_ozr9%`@PbhGJRA7%s4FlVi)U0Yysb28WU8cY& zM_^a8$;_N;ky=*^e}?sf15Rt?+SPwrORibA$Sk~8#80WPsWhYaE9E@IgGHOyt=gI= z3~G(xb~CGA+(KtOWn(RUTnbvoM3rDeZ^wex5lbU$fA<14Cm-kMBwv0Y;J)M!w4zI4 z94VX|g`lJyg4#lGHOO=-P32t+oj@z9f{bVoglxF}1UDK`lc0nL|L?u7s_DO2zw+IRtZgj>HcC1#Ncs!GxT+243q z6jWq^4gaHk7RU5XX1P_V!IwCR(mckzbZ;mpy^TOK9JWUFpdOAM)u%_2;VKNmuu_o( z%*^B8D+xBmQN~==`>Ib_a|Wj=Ny3tuYn-K7QLha>i6$P2^PvZueEwTOjd02eE(w=5p#P_fr*`Gq~96{uL^1ch{84y|Ey}}%MDK6YE#FWLn zw}j|k&D6S_xogU&b{@=bMXV;};?A*z&=Dm^wXOvUS8>x-T3jVFf5IbAERP9PS?HDzG#`U;0;42! ziLNQhgd8aoGYHwCE9?rh3TCI6LBY*MM)Ntu<18oW0;*Rbaem>}+#bcIgbN#EP<5KUm09Il*ECZ-NtRKauPmC+1r3lh+&mszEmS&4ozt*~e&<7@t4g>QV_s&j z;XEx+qy6kii(dc($wWkA>2WlVrm?K_+qq_slkcku^3?_T5r>Z4WN4H8WS#n=x=y$f zn~~U>v<|6@x^)Q&en}O4l9{={;}!qXL9n}mek_qNJ|otnWJ;hvwM4|U%Vt{vbtl;a zy_A<`|E)BLv{hp*j3xnHwrzjK_EMlF&5DA?5l1-S5Ke+oAO;=d*y7(OA0N52tCnti zC0)_GtfX5jzP$yB*{?os@9Mao#k#y}<5nx*`bf5&m2ti6-g=66{c7I!sCa9scMG;S zh4SlGOynCEyzN;lu}`tvKBaE^6nO1h+S9*$ZI9x$eg)o8zv8?-H=|G4T3gZD9bn*E zRcre%+rMJ1wO*}j;ht+QGNWv-U~ONV?oq7PQmS?b8^3<7+Mc`Lr%tV{O6@L@zE7Fj zUdwKa)~G&XS2UsR>s~c)ef1cg^=|uDyOmnT?j`xvx`oT78ogTvF)H1Du?i&binQ)} zv^cSqqwP{GBXtydS1$Dif`1{}mNK;1T7>q?Se#e+S$FYSY%e|QFS+k_g^-r<5@&eX zYl;6)(XIW0(z(E*zAh}WmL$@CL+KpTaI5gVp>$K3Z{`M51Mz0^)Q+z*TfP>ow{(LV zeKoT3RyX-;7MiyQhzF9MzkD&$W5A9kYXu??sVIh26hkVCAr-}tiegAbF{Gl9KMbiT zzWt{y{{u_oh;JbSM0@^+qr<~z&ztqXhx`u@@_g(0A4(h^GC*km7X=b{)5rm#-@39u z6abYR!I=kwnO|vSf-v3=xgdsI5L?Lwp)t2T8$^M>Lq3QhAH_s#q7hkjH zPrz*)F6Lp0?^T?%D+;95diyZA>l+g0i@SZo!7AZits}1=3bwh~(K{Y_7qQ4|#vvo@ zc6aF?gRJ6=Th4s{_~RnR*g0xVJ}PQW0g z8Ss7qVy$y1Bmh|-QXi{`DRqQ%L{L*KaU2t7=)}O8O zXT8(GXKV1;8ho~lXYkoVgU?ovc?~{WgU{CBvo$<@AFKbDN>eWA{Ty?0hgTc9fVKO7 z9Ueb>aZvUDIyyLd@oez_dWh$n_5ZTr@ZbXWv4qMWB~;*L=>^to&~OB^Kvr^^hA)`W zay&OaSGt2W#~M7s29L0fJ;It;>~IQm;j(-N53#{RtPcIbL+k-O#G2=~+exh1$JmT`zAC9W=L16?yCZ&d{4ExgnupEhviJ)F*?@4_hz& z&dGG^+XDP^6#Ho)&d)?sO^|6S8F`U-1f%ma6o_wuCA-x!kTaR$^W&QuiO!80#6ZUgZTE;V2w9sJD z>M^guqBU5w28-6NAB+8mh`pVWkYvE|$BYCS;p2bM>6%8M4*So^$#LEOb9iuaJlKC8 z;;Gqx<}sb(cv9}ZROFJMiyy848^jS%T@%V%x|dd@PoJPN2^zT@L4ezoz)_b~TfOHa zC|{P7k^GQ4q-usZ3DFbFG;t6!HQomzeVc`dL~ls4XKlO037(Uy72{-icK(K0R@E}5 zdwKT3)soPZ1X$c_1uZWDf#k82gGNaZ=bHbgXPn6zh$IOI~kf{i|L&T`` zkTq}YI0&E|AY@>qw~?|$$SUSP?W_4$CNh?Tk519(aAbKMl9+HZPH7wktI;WfA3^9K zAt_Ck8uW6hb+z#}5J-wqC3^Hhk)CMcg$4eY05h#)13=nl;oVm%u5pwI0ZMGlObFj{ zb4(q3Mg*JVm#{Ub=pDH&+;9~_oJo9mwp# zlYrB#Y-|471)RzV0y_S{xutQwBo*)jN%=1VAzm^z81WdGlIGS1U&@r_Ay|;$21U}V zpJbr;AhSHK#>@jPD$8HTno#M1qnXL)$}dhzx`c`hrP}vl9N=+4vWnUa5VCrMvdcSM zFl~HJGCq-=>Zi9Hu7L@Ch5*3FtZV4bv)5RvWl!Z}Rkn@M4OzjLbkxHLrVo^@V_CnD zRs9=Cr7}N7YLu2Ox*@9#cIX$f+Hix~N7&x}RM)wc?YSW<$M%$q>f9Z3UgaUzLZpx( zr<5-c&N&^EB*<1N2l-hZXmozYigSNQ&=TJebar`x0vyMsivbOARTZnUA1Hg)6M6Qv z&Asxi^RqoP&9$fk67HNN5MdfNW!+*{Rm$K-AxTNja!y~X54s78IWNnRgV3Q@QLXCM zl7vydJVm3oWJ$Bt=!X^rP}770%C))9DPvKp<|wW`2G065{e`UdY>Si4^|}P#?mm+3 z2diza{m|WeWo{goeHv&Ehq{RpjW38j|D(dU9YL>)cyxWD9g6j~-H?$uX_rm>PEM3W z{G28nM~M;k4nwK4s+T$^+!)~;$iey9s3OZfx5_E%m!R<(tyO`$Zi{rE)9 zbnoui_zT`ps0p70*E9LiWB7l9c)=}#0UP{?- z#WjoBvC1jRiU-Q~%T21zq1G-VIDDVPD??@O{!Wu#I6fm;ZLhCwuyy@daT|2>cK4gM zMO4$=T3oLBaFN}y_dOTXx><-7Ub5SUfC}hxiR;doV>H^IM#(-~jOxFSNl^doUkwVS z(BS5GY^>r0#%YWb;-vZLZx$*yj_G_HlUowMY%+kD&fkbv=(pe8o&UjTV(Q#3j`cpHssFM~9PH_PgaI9girMEZ_opx0MuANIHZrZi+E$g_yAq=w(y z8r*LGJvcf#Ijq@#pB+3O^1naGV<*c}KD(shmD+JI97Kc}7Q}T-#-<@rBGLZs;goQ! z&589-t_I`cXErYOG4VZ}k{Qj&7=G0eV1?Z;&7#{VCUX*=A}~|^fY2lKL3v#vPEneX zTas`@Sb$??=HV1<Pvo$WnHxM|oW|GKc%Ph?w+74)Y|$x~^P8ld%{E{Tm7+1_PDz zF~0W{2ASp@-AU62*hWKwA`VV?A(@ec5fmjTB&jTvsr|-YWi&m{UF)>8N{xU|7<>o!se`-~u_(5FE-w}RCvzv0=^0t0n{o(TBRry1f zCui(0j3{+wmdE52J^mnmJxf+%U`F0VNq+BspQmX|mL%ag{$ob-lsTKu7&LIc*LR8! zltKsu1E&W)*{_?Ser1n8|IcVl)^h;s;{VT2p4a`qj-Czt|3RKDG4pJS195p>&@B3= z>{w3=@PWo;;O1XFH;06@;?ti#?f-<{=8U5Sz9oo}6ob}6Gyq;HSD~$VDan=*l&5Cs zmZ_LlZA+8@z{z6{=_B=>54O=9>q&d?hVjpcv7E5|-yIzN`^lcR4vrB{BgMPWUq_?A z|6sjgj@6u{xA!f{rp7BdlXVBHtgLL}aR^Feu+2(>^M_V7i^Y5K;g^AfxT3oee}n$U zwyHUxd_{k=#(kx+MuqRrmDX>%5wT)|#@qFQ(Q?ioN(k!5|ECe;XznQnbnyQG>Od90 z!)GUT|L>!d7l#A?e~9N{`Trjz{tRNk*DnUpm?&eirmZbl@Pm%L0U>Z3d(Lu*8DghD zjH}h{lppI>KJp!0KmF;yvW+Oe@jfh|i~b)yJE_tCc4BwO|GES19C;F&|2`geV|Ajccf~f92G#Zb}07;|Ko*IMv z+H;J`H9nN?DUXU07&Dq_5As*R4zG^}WpQkwC? z@+L7x&_Et&PdL%w6rCLFKQqc{K;u(1`gne+9YZ+I=7e8DQ?t7{WFB@8`IlGDA!T<~ zi3amUzye`L7L1V}TwwO<-PI`?K^(OMWs1D3kdII8brVUd%}hKwa^cCq?mx@Z;Qu7y zBulf1k#QUaBw=KO%n$PE$p3Kkym9|KI5-^gKRn1&JLD=2K#2rzBo3IF4xDWkn4u{l z30l%y>CjQ|^;%OSCBe8P>~T8-7U_~g3U{z6vP6cx?( za#rfEvz*hIVl~HIq-ki9gLMU^Nok#%M08(Tqr&kNLcbb+c6Wff>lr!6KFr)j)$BMGX; zgz8z_RGoD>L;mO)E&BT1$JZY&KU`eBzJ7CY{`%cjJ#5sDJj&(b4>-6XNjSNMI-U*m z)sK!(gl7AyuOZK?rBC>M&zMJhJZZ6Qj+oNKfzGYsk~K!h5gy(qOEt!EAhBmmYY$>l z+YRloSVl|^=Jz`SDSNeYBzz;&bm##tD8rAC`ORJ{kHLDgkr}i!X`2LsI@3xKl z9>H4{%2awp)nks3J_;ktYa5t)hhlm}Vm?CW(iIOQnTAwm^HJXNVTJ6;yJbaYb3B`Z$aFtX1WpVR-rNB_Tm zhzBm~8|3f?j|KGaleW$U|-yt_w``^r-X1}lZk-=0j z^Oqhp+jhr>aV&AOZokQG#>~Q-Mzn0L*)|qzTV`%y{K`rqH?~%@X^;$>k1zjUFY;GD zUGZPfkL&(_hbPBJ1OI=BXW;*zi~nyF3;i960S^>$Y=LYUYYZ+f_GshHKJnRDlMnr0 zKk`>TUG)Fiv-(j^XbbkmmTP6Aw6Y4Rz-8X=WllMUyZF-+uHoTVkruc z5+WKDed=nda2X{3k?eJlt#x@5V^M#uR2P4@m#z_?*$98}mKO{iJ z#5RM67{Lh+z5Xl>>T9hcTj{D!UXD{mZpQGa!gZ<}09y?F(tc%*Cq}c|Q zYm1Z<7c=BFvxq^I!c%8!V={uWb{Cq3lEXq=oD#$cpN!<{HNANR)r*&yM*)uGRZ*)L zmFEZDkQH2a-!Zml#W30p)nOIWye$~mVAC-+9O z0&wenN0Sef@>*0Eyi%ss!-InZRDA=!z~V*u`^;=^7lPX(^ql}OVrF`mZQelqD8GpdaGNmN7Jggy2H;aQm3f!#m4GTAfhZB}YFZ9${M

b=zKwf8^9yk zS4u?)X9VR*^lMHg=%@WMSWeUOwvQKWR42*4f227l*@bL-k%Z*_Y4x}NjbkzDk7jqX zf0QJR{^oDC{$>c9!13lJEaUD064&P@g^l_b;a448E)nWUfH@i|prB$lfWHfTtKq5u zJeulOZ6KNG}^*7NPo=pDpYA+xeiq))N&_k&fIb_s)?iUy7t?6ZCGlLhK#@= zW|h)K1<9W1*QorLCB$Wkd9Zj>ahmM|^4>u219o4)cY=P4!0+;A?&*JAgUuS?><3VP zka_@ht6)Vg=jTdjI83-lxhY$RN>Ht_-jVEDb+X2Dl5i+GFrGyj12=13YS^Qj_RRL^ zlF^uqjBW8)rG)MI*#{aE@0ExtY4=$fiWXofcINzcXDPSt?`eFne6fKlvdPCcSLbIR z)jJE;8&@QMcwut^{kzp_bhRv--17`8DEHk|+y~04OvyIUIq72smT`gF@Wev5T)(EihAx%rdvnXJ#)Tr7<$;@x%k5%%N zW^_sTg5+SOWI={gVxcY7W+~X4NJ}i1SOFEi%73Y zG^Kn|h$v=r2xn8wL&!DJEDFp9m5&0pSijoD1TQpp&0K$M?QfXTH%8E*G5Og{@RSuQ z{$=d7{^_)SRGu`YJljCs=b`};>m)giNv4xx7=IX3HGcJ(t$W1n%{iqpov*IajNtH` zCX8n|N;rJa@v5>OM;pJ@t@G_QR?bPbj1mCdA2S?~OOi$4c|?=YbscE!gF0Rt;aPp- z#ahI@t_rr($PA}~EBmV`J4K&*Y zY>N{ZuZ*-roEjqrG+n`XDs|U1N^rJ9oFa_a0%s&dVU&R~V%C z5QM-+$y`ouVu5J78e0iZSq9IxWpYiH^6HL~ctKkE6Jk5%XRE)LQ)#|-6;W)ZpSI$O zwI-l5tn4soXyq^IN^XN`*r@f@+_*YK$%7mN?b%0a@-RpLN#R9X`*itY&lRo-6o>x5 zcxmP6n|!e3=!Zwm1vV&^n@~8f7bZvYrY3uhFC;;nhb6h46K*s=2b0+O*{HXS{ivZG zg0r5HdBix$7@X{y=|amF(uqSty?In^}HPHX`{_5lP#bu4ww^Ui4MI;U# z6_(+hJb;X2p0kOJrLunc^8KqFemJFJ%Xi~~ye0Gpbpmn3Xs+gm-s=FdtN>yp2WiEjl4d^H$ zZ@YxpKO-iAbG{fa3185#BWFP|u3U|tp)r8Frf^bQ5@wv5=G>!FtI!7)HH z<%0%V;X`4Ar?zx|T%};`w#XRFOo#WQ`PZKPgHk9Uzg7n~6X{vH{nyz$ATlpUKYmh_ zkxzT>^N z_ivPfcAK*819+rD@h4X_=V{K>iR8<4UqNre@0+FK4IBW+k$Q){7KCtMqVk){vy3D> zUV*Pc)%`>AF;v0wh=IOD6~C7bR`yRfj@BCJuc@t`f=uP?_~MUXNUd9C+bqAno9~(Q z;dA-gJ@AIDvkJ$gq6CqMFGvQj3*SMSp~C#5?}EPbcM}R5<$8E(koKbl_U7yCg{HH+ zCkE;63Bm43f&V^r_uATaZJ!RTxmO!3Wb35Bx`ZyRT2m6m9Q_{E?=gBIiy%h-`Jd?Z z`=1*fwUX+Sg=5@ANr+w+KDqjS+LWxMN2F+K2zj<<5sdfaC#{#UHfp(1I(+-B{H_pe z)x0d%m7qEhs{gR(SVrsZa$6VT;y$eA-{VT$d(ME#FVT;mG<~o&(w7<7K`nnXP<_3H!^y^a!f6t z$t;>X=l!5wJk^IJw{&$~I^tYUqeS9BWfM; z4Jvqat$42>p5x>6O7g_!>os+3bGn#_iYV3 z%)B0k-gQkbo477mX5Qhx&}~9-`oXm9rUl5-h*N8)^9G(a>7#Y*FFpmZ`k^JOwad-l z%cd%wKCF%qZi{|tNZ;62Zy&0s6@FKq6&}am^YA;-a-9>s*?I1Fn(b$~^CUaYvEM0f z1y*C!!3p3Cbpr5W|2DJw$M?Uyes}%z#T)BFPSMCIA&hJUe;sc4@NNr#{BU{Rd&Hx* z5x*8kh<<=*13({_idI)WaQTyQB(-1RYE}D9b6)MO!TO zh}AVO`5UW?#bq@dhQ{l=Npw#zj&339`ZA+aQbi0Nq*pY!se5DVT6)b* znc*nTGxBkf5w@Ulc#4iI@1rE*5sqJx7_SOn|KsWyX*Ckyu=*D2^)P09p-M=UXGYQe zq#}mlF#4=ZJ$$I88ueNAQ`CJ?E{6+(W4@@%+FG=}bS%4)VM1n=z;S#D29I{<5NQ;t znw}bZrTQcVvcq?pm!R5IMN2&st3|_s{3?w}6;^3Rt~gEWxIpg9m?(217MiM;V|P|7 z-Zos;^qZ#Rnta++6Qu&hsvIc6umv@{n&;*ev}3BRTEXpU-PLlo>Wt>S2*C|Eu#WW6 zEEVFSi9j)()10?h4@}e3qv8T6^YN(k9d=*nh#?$iP|y+n-&jHOCBvh z&4nZ5RjD89RxhnJ?B)Ri`){8c6M6>5#;ZyQuc!ubU3kH_O7Pw>{C?)<;&RD7&H zUG*Q2k6$$EKOH?A^8Y@>W4i2k7vky27QCm=XEP6~e|pOYs4h9=SA3xSibKUn?~0L9 z3VVyw$NCqYdZPFt&FDW!z)4vAQkI#7KSO$#+~F)dyS(^5N>2`=!P-wZ|6ix#WA*9e z|0hRP{(t!5`HP|c^MgE}yz~EWE3^3qa=@-CO%8&Fi?YAsq{pu5%AZ?Y z*0`#Vactk9C0Oh6VPjW3OBI1-I(0#iv5Z~0N#Ah(nZzfmFOQ#~2KZC(muy5K_l8fs}ipVh3JHN$K@ zol47RH~yOOht|tlu5!|z@o^y9k9ERY#isP%41O`f1e&5r> zxtt674p%=VN0n3Z9qJLh<-cAP->XlT{{QIkdHw$X;@MFD{Xw2h@BeERHuabOOyN&m z@k|*||Folu^n*nBStUZXZC1h1@=h@eZ^6zse208zozX^Op2sA%_3auv1MdiD{J}0u z{C_XJ^=o(<{C`QG3fsv%jG^_hp+6}JW=4Wwnv~AlRPR>*&YH5H) zBefKn&{^5yKUr(;$$x7FS+!oEIc2ZTn5Zmv(Eo>c{OJFuvNWr1sZudrKt*q(ZIRpD-T?BC zPYJ}fk7RQ}6~>N_K+U|#JWGSh(8kZ*16o3x?4tLRgjfNg;?*U^1X@2D?e%GGo+%K* z%>?kRQ;HZY>?vyhLI6r30R~369SXLo8rdd|IXPNrKr4GH2~m`wM%qgMkISxaX-Hfj zH(Ed*d=%4UPO`Gv&3~XMVVvObDO%B7&TtvcGr_w!Mdu%0G4zBHg6{6_6x4*A64HR} z-~5j42U*DW^K_o!kc>GUi@*2USD?eGb;2G?ZiQkkooyGGp(!B=%7|d05DC?uBLQ6k zYlZ4S5XsI|U4!;+#+uZU_J2Yj7X(d7Oz#jUjO*mh(G1Ds#SqR2#7x1#1!HA2LySI! z<*~hqS*SLkiMF(%Sw@$LLOlXG6q-dbkyiOMBdM6i8jYdQzhU znuz=haeBqGD4Fk}(Rj31rx!&WVrgORJ5uF79PaHk$qy?|glgnZeHj@x}myKOlO6!egE8m7-#NHE9Du5UOrtzZLXcgV!qB)&aAt+mytkzq!C{ z5d}0$CjnjVE3s!Bf!s4XMI(q&Y!t?~MO>@!i9g`rh9u$S7UywEs@xe|D(UM+vR8Fd zkjn~6f{vkhjF=XjbiZzTB_3VGHFs1&>$bH?2%evb>#g@9#B9cLIB-rNS%9JByzR4{ z_4Kj)-9wmDyyal>6ir>PKo8XSDU4nFJLRxciauB-1A!HmF`V5`Ju%;u6vjpfO=vOl1%6pK0}mp zo2y4NsbkU0_)W-TVU#aV(daGIyl99ge);0eiBP-|)SykM3M=G1%sB=*@ z$w59TBpa+}*`ktGk$O3k@?;sFdw1c~utC z83Pfg2qU(@83|DsWpKq6?J$P~JX07uM0X1#6W=4mIL>&K%;n^4S$EUb*h)Xkw7WKs zH+#VyOTNc33ew7-`_`0)9pwymRUfBK-3wcuuH-JXr-SX$zgIrk^~T*iA#95rZSpoB zqP5o;SCv!MbbL;@(fk~=h397@ZzM46WWsI9 zgS(Xv)-&Mt5@meS)cPi=wIZcge%hW>?v;kuC6??aBd)#TfUVYmt;&EM4&Eu|UFmoc z4q`Y()=c^1LJ0^S?Jv!4V6DOeReBmLEF%V8NhTbXkF4vZPMZklAxAROS?be zLSkwpRGrfT|JeYOVgPt7E?${rE{SE=%E(f<8!x;L4od z!J+RM`rZ3iuU%D9%)#51Rsh6Yp7QULfN8vaLvi>A9OEP)nF9b$R;Tm2>$1?@XLKiL z)817~w^FpnYVNi71>W3K-)0|)<~+^0V%>b1?kiYL_&sk!hbIB%sNP}EAMLI<=22ip zI)ATq7z2$){Z75?)j0IcflHSnP_?ul`4Tn`jYM<&-`Y-+12D?{BF{3C@OT9z$@q%) zh?&t0HEFmwniXP*zO|Jg0(WyOiEHW9#RH7U{{B2bfX2nMUh3IB zwKgffYp{uKT)BMz;iD5*EKBN#D&Aj6TSs?ux3xcPY=O_Wo5UV-^!v67>gYfJ6KcuV zJL;S{wi5g|Q4*q;H7`X=yF``gcdV`Hm1tX?OB}Y`c&sw&l5lKYMZpR0a564O6B9nP zO~WOrcZu=4w8WMVlqW@>kW2@TKFJ!V*QI6kdKx9+wO~JDg|cef#pQ3O(#nc{>%Trg z$d@jaa;40neE=hEiG(s?j4%h{#W-=i@dpap z#tzuA8VP3TH$lzEyQU~x3R34k4cl+Z=kz7|t92OHoHZqSOV|Qw=Km&QoFq{)cg;OY zILU5t3?$)zxtj4HtsW`Q{cw#}mczUbvWQ0kj;|FtzQ!|7-~d0jR_3$=?eC4>nymy6 zX#Ch#w6nEj=Z4xi&K78O0>y@nlmy8#kM zwxl^NWD)b-KN`WJiuskCSyky0KG!CMOAsjxpB67*?Hkv+u3n@S^zJrNc+~eh?8j+(JbPt^B6N$4O45pa!Rw! zK^iLLK66TFNUl^ei?W0Ht5?KlWta*27xIbm{4^w>vpntj-|A^xS8Jt#>#G0o;;>%- z>+t!}Q2+Ts9(N3aI~8z`WT6sk_HPfTgkzmIs6OUuNFUTMeNdW3w^2;yBrMDIKSCeK zuX&WoEMjRU?tUB*7T{Qg^mB?J+y4(pme0D>qr5H}nZtctM38?jBVnF|IN`ElKthu- zR2}#?$PET{xQh80-+Ky!OmmLzAU_>SGkP0^L|jH^G(#bok%WosC<;l+7ZXT}Bvl^k5O8L)GOc)51da@e}HSPR= z^V*;P!-M}HzNqp4!xzt`p z$i!Ji=+lO^A}0-qj4U8&l!&as#IV-btu(D>s+z;U>cVk0Cwv`ij>ir)OD$FkGWP5G z$*9s;lx6gbHuOQJYVkzXts8x+-6lR|6^Bds7xsAZ{|#zC{tu7(A4kWH`i}=g{l|xS zTF8SZUthPl;=taWq}5pza1AbR8_SE?f6_GqZFb&WmIoYo!~;GJ`d>I<$#lX0pwkU+ ze_izd@Z{NXO3SPFn9=@>Sr9qBpab8al{%KPwby)c{wV+s`E>j zvEYtOo9nF33>|kR@Jt8^L6fX23Wy0w9c!*s&p}26WH4xob=sGLs!Y7AB=kv!?yBd~ ztfyel-CPCC2O1Mwg$3WfQfsc1@plVSlu2n_k^n*La&RVLUI(EmoJ}zg7G;HoKhx=Y za#@uNe6x~SW0?&BYqTKoa>5q-3rcTBrzp+HI7%4Daol`Az9Z3mA+ueNEU!Zn6Hdme zZ00F~AHj!}gd}`AB{Q0lG5iXrD56QBb7?Q9u>QuPFS{6nb-rIhIff_Ag03xzB&{cU z&$n=cK)RHsIaDE_Nxa%h{f0GtSGG|0!A3KUFSJZ-N-1YN!|6wQLlQ?0X4lQdGJ@v@ zREtg&Lr4!DT`{3gEd+akiRQqzV+G^Mi&jgG3BS?;b%(Vb*7UHT_gA5Lm8!LD)$L-K#mEW5Q4Gko^;_0{Fs`SxRmwGcijE=M*zwCX9^Wf||*zmQcUfm9Eg z*u&GlGd@|8di9z8nk3_OLY$xV-?#!Qj?GIPC);1PEFXQo`fQe!SlHvWJws)`A6UEAY-{R3u~3cSyCKrGwJdM>0G^&xi)%QBwd&GuvK%ppp3It zB_y<{t@bHeIu1ED2UaXLk# zlY_TWJ+3-Pb9l3?zKEk`wEjrno$a~H{=1C`pf3O4|Ig9U!4UuRAkX(}|J{4Y zSf#<9)@@IFD*m0P^9+Z?!+6$eEwe{R^@tm)g#ejBLtl09lr@@Y2#NV_pDzBN(RkDF zpKkvDyy5?K{OrZR{~zKR_%T~gQM0zh zyebI{LV@G);s4Vp38Q4bwiwVA|MUF$i`xDF;KkwL!2ciO8Tfx+{{IJg8U``oixvZD zOq2~+v#FL1{y`SOQu5vU+sX2&V7f~Futv$D4V-m%!Nj`g|285(yXgPP!Lxe&=d&UI z)5AOi{ohSs>p6f7bOR+|H~l}T%m2rRgZ}S9p6{IgKSCGF zWzNMf=v=3YLwAcPSRjUPRm$|T+@v@Y6LiMKdErqqN1UQO4F%2Ri-@7(xcu-)k|m51 za)-{uywGK37<3oKF$!?bpa?q>v=1q2D2AQkD7N#bVxk+ertgI-MS6>s&!C1_(ah!W z?Q&@OMri;4Xs7?%N&ePN|Bs*7{XY(091i-Qhk3pa`d<(I2gc+wL4O7Qi{M1LxrL0w+s@ZNVl>0|#gxBIBh3`ojvBP5CdQOTrf< zXPXOt>S>q%j*kxx>hj;o^P}PZ{~%9|JsP`jI5Q}J##tnD+dxICIY~%{ISHR4MhL=T zNE5a{C&`2@ei)C(Lcjv+{wXR4HSkPg`@Y4#&|4{M3M0N2O^M~V9`Fm6Eikhy3chA=={4Y(WIRgd*Wm9n zSuNvJ6_fYrH~pGbelqD=*;;Z2?KVPgah$_eTt^8f*)5Jw(cx0PWkH5hV!kMUQVIm#EseEvbF*Yz#Y zixOBFR6B?+lKof0xuN*rf--*k?+5>WpoX3joRRDr0)PPs5G9=LXL(WtZ{6fmk|l%_ zu(MZ*!M+(fT+XxXGRA47ZcVCH`R%Ji*Ef$-R zIk`X8QT6{(e(^s{fg2&|+H_q{tu#j0*Wxf<8&hqDkK0-);6UrvhI)P1LU1#ivtU8$ zHv=9sweWI|0bXmnWC&g{N|b=x7rACPQF?t#vS?-o?LGv42*IuwYKRWLSOKq>xPcj# z{iUHogzG1hf7>g+Nzxbx;1h37d!le_!fu1pXV1!-x$@x2k;HdYo@`}Y(aI!v4HTZRk`J$NX_lb++0Ef2`quGFz z-blG$gV}e8omPa>l@jah?BRG|B>_W^P0^gJlzgvC;o~}@*HTnz%t0YdeHu?-m;Tq@ zj;10o!HGTcwSnwib2SgaHs>kOw;zso&-JhW-|64~ZSTqdIz9bc_-}jv>pz}||Jjf5 zkB6r}9{DV+P9D}>E;Y_iHwo%b9`y_?6w(E@jU>M68d{oe<@;7yvULjE{CY~mPQqNH z;k^jqn8oz&Tcd{8#-aw2IFQ7FBn~7I*|bt8HGNf~lsZ1p8lnYFXr||75-yuIXq@J3 zQLVM*MN}0)HzBFbFK?MbWOVAoT6&4r)peV6<`nIhUj+9fY$k48(lC#Sxg3t6Z*D@o^_v#~pi*jNiFQ^T z;U$59%zs_!LK^>q0zBcmQ%o0_brQGUcg!!B!adl{av*a9nH$L5mq+IMUm`7@3l(Pz znT4hNrH4ODoHI_cBJEV)2>o-}zmcft%XE6NW~(W%VKh=xXrzoW4cqE3X*8?-R<-LE zsbYC3nG9>pgijuiF=thSkz{#30$GpGA5i9?=!#r3x*GcX{c#jRhR6|A;Sn0yKy#~MM=b0r|2C`NEw!)km2HT)MLj(lE!q^+;E(xtUS7}pp}sE zzPXLBZqiav);AUT#I-Q{(p-xZ(pnT?c8U%=OC?&12NwVEC?Z&|Ay^l<+)HvT%Drcu z`)1v{YE3Cy;V3&T?WopM?^7lR7-uA=xD-W;>OG@>M9XCqt{6@B>#a|34<^qh2cvqg z%RG*C0j$x*>>cHo8DS*hW=ovS8&yWeW0}Qw97fqo!wa_2?2b$!i$tEqF9jVs-QPbv zdNDbe983eRSjJSut+!rU` zw*OF3MO-rCXqw?HB20eB0EudGU9@N&r=b0=aqQh?l*KrXW+Yezv567}(=2-x2eiTq zP2`9Y!q{a-r=;3fAo?HcwbFD|FF<%4uIevsA3;bk$Oy-;NQ_rkB%n#iPEoZ5}ks-ZrSk68puxR?!O;tzLv%sUdz7f@zhUDY3HG=L*6t`AIMKpacV(+4zS=#HQ;3X{j&JUN1V zsi8iWsA15(pTr^j3GnRyXYWbC@(PWqHnY|Mh7ToM^k|o!=yCGl* zo8Io)na=if4_!UG88!h#0sVu3A}EM}B7)(*L;<774RW6%r`*a7iUE}W>#FXaKB}*o z*~!7QA7-b!>eZ`PRj*#XdWS0Gm0&CcLDDBTiy%P8deng_FvTjo2ocgIyT0rals-8_ ze&UzNxbUpQKZnV!rx`WJSJ_vFNeU<`zOd6U;#3SZ(?ZWS;HB)0hfs3H?OM)>%~9{) z2S1&pe@zfQjkrf{V6XhX0h%v;J{$Wp??`cu)j%P0_R^{a=IeD<((pH#Zo3c9wbqJ0 zfWdl*jVI$LdEp}!sQ z9s#M}cI^^?n+;5OskJk|Z* zfB&yog4pVAPWtPWz!htwY57H0$U{a#QDTP;mc~<1jn{!VQNP5OZGst2{S;fFQ=Nv` z3nTIWA`^iI@&DFFNBrMLoD#gs|10oR`G48@e@O{KtJ{FS4OAw9r{|fn%$YpB+S%X< zOd-&8-Nxyt`5@l^SLc>Z731ff+%U*LcnI)UfsSZ5T-|4Xp@ zG#-Ec-`w2X*x=0n*4R+x{}p*QVg9c{jlKblk7Ls)5XUBqvIMb7k{use0Ui*rrhW(l z1l2eJrtyuk?Mk$icG}KFjQ0A7m!l^44#*==B56&->}0l%3&S7;Yyn}1h&tfALuPVF z)##xWr4z(~-jFP-NLARZzQLMUQNNF|2q-Wkk3zl<`W8k9nJ8X@%f^|M%R1WJ5j z6vzBG((kgUJVWOf6tJegGyMOH2PR;)w0=K|r&an&!@zjhb@%JQ`L#mufMs1FCEM6qn^gHhr zv&Jp(>?|;H+eNWSTJzqV(y3#c5H5fb?I=h_b}%$2pm1OkU=@%&J%hq<`ilAx+P$Zy z%ZeXAiaJ{&YClYpxProX^CK&Ip|t{5jk3{%CGHH$iHyz%EdFo=k|R8f=Z5UNUlzcb z!&VFka~JUk9W*1{U8T-a?GaR%ad{9jUy-Z?H;BBn5}pbwrPFD2>vCqb=-M(B0qL(b?_j9**@fTahzP3IZ@J zK#|wY+Nj@1s53*clW>Q!-`KV^;2TG-0{a^Xv&R8PoH@hlK}1Q;8F0=KVAI(h%I>kD zm^BE+us!YQWB-(&i4%DobOgS5bIpD zuz&IV!P$%F&)3*ZdwhI6KK=!-RugQ>QGO6&O91C#AEbP)Bdi04YLXxqvw&ZZGo_ z%3ez0v0k-p>(5yzEhE)#C_*jaym9twOSd0!UHrL`*X{TG(4zI*Jn@laG#crT$;m3Q z1f&d?2lKXq%F2pu2wk|SY8Lg%it5t><=kTL=v3_xy%Myw>oz8s z>v8uQF^Xt&nKZb1b;7e)V(Pdl&8$wKQ7#^hfR;}|GuvMsX!bCNAcM*6frv1S?@FhK znf6}ab4XWZ_Gz0ZmC~hM3z@yK3nuNl22KZ)wCau{PAeB=n`D#JPnty!rVr(d;8eC{ zHnXL^Av#_@EK(H_`IB~{vC>Kv%>ee=j^Vf9oiHbCRiM1Yb+Rfe$|-*e<|U5dNWpfE zzj`kZ8fZd+g)$F4i9}i;l#*l~x@hDJuiP`uDPi&%K{5>u{3n|pS>3$JLSFPL6rpV2 z&K9L&`|0jX7D7dk{Kwnq1S#q_;{Hw34SIPC2|aCaErn>NyrE#Y?09K?#j!FN-g}@z ztS5Ru_1pg*ti2D$mRg+F_lR&qQNeDhQ2dCOvN4X#L>)Oby#T6dnV%~ol|EiMHO*vj z8Ag-R{1_<>VsRtvAm%XS^}uRnz&aev((ukel%7L!n)|MNtsJ8#KQCcH7|rUb(DatW z94M%>wv#Y?<48pn%&|)W4uR9wZok>Gmat3xPW1GSd%`y??X_mSVCY(VWb9JrIneon zz7TbA#u$)&FmCZHN{o+#>BiMS`7rSmy}d-hKtzid=A+5-9-#tiqv->;$J^S>0BSDx`;m6izzF zz}m6#a9QM6KNmco*+9JjDZ^B7OTd2fpir!QO-Hj9@P-pvN9VXfV@UEjyQa=jChGP= zZ^Css6}FjjDODm`2b7WK)M-qmysK1H+WR%-9sz3Ua*sn)@35lH&`lyZ%(|(Rc9bb` zYaus|qQ$w|L+POxD+428vqG2yHk%bpsi>^&N0#~xEuVRRX==czO(koAMF(r%#~FQ9 zWqdWK6#>H{n?j&A8C5YzQ%8Hd`@0KMeg31s46_*r>$y#O>Myz=QuXY8p7{=d<)#4Z z!udia#|?AI4VR=v_H8yJD2lAn)n(3PpK`c|w!3r2tXlm20v(TDe4p=q>EMBeVFwVF z;?yQ9cF0NA0^9M!Yk3m&ZqW;L6Vhn=9{tL+P<6Zfz@=JB<0UQDfQG{^SG}L5E!YUS z_$*m}R49wKm}V=sY+co=d22S$yfuM;Zs>qa6@CKaf0dB;#dw1AzqsQ6Ha1n`|5oG~ z-*n@DRr9}mzJpHkEXQ+Qo()a{cU+eTyCY;5gd$Bk__ zwr$(C8Z@@erm^idP4>zE`_6gJ?Ydddd$H!4bNt4bui3gCJ%i|HS2(}8et8IfLYd*L z{?~_@&_}QvZuwfHHC7(zp9b16;6ORMQ-oym}yPBX@0p;fTztiT= zA+6iVDdyBh&*YkqA)lX`b^xqXsUV|AucS#;QL>bVV)=5^kHlc2Ii}Dst4HOK%LQ1w zlV20b?n0R67(aIcHK^=@M=qut!q5JZ>1RfTRON zbO@tA(HOb5qa!~~pm`hFsPJY0?h5*aPJR`LpyrQsbPR|f&y3`7s~l%H_9 z<6-+Oy%Q^zFfRNs6Nts(aXft{qptYL)EDb?K+t^%quF*_*#Jg+Y$m?}sqYl}8xcQ>L3|QKvS@+-~hk9K_Mov76E< zrfhC{@(os*8DW>PTYuyQ_4HTI2Li_h)S>(C$-)tmY33Fok_n|l;o?_#F&S*z8bixq zZ24k@jdD$qm|Ux7fKJ=SJosxe{n}mEMNPGOSdn3x@uH^&sPM$j7er-#VI)NPZrI5qXvG&JlfX&w!pRdV8 z!O_s5NPSU=$b;QbQo2Tqegsyg)}uKFJ6KiK{yeI~HOP`&f9zF>L%|vOiRPCN`}elm zS#~)07Mvc(U1Jte-gD-bCfvBG4GXeo9up~woFoFE=aeTa-Vo0++`7gu+*S!}v454G zJx0`#MwineN0NPc z1I;z(s81n(L8dv+(vxF#)Q9X7_XPDCMZ=uLQ)NYEnF&5_ssomOF0VRSp*u}tmo+?A zRfp&FVMFVTmTgM_wW49MF<6_NpX~^k6peWd6u+CIyY6a={Wg3`*b#Az*Ym>xu5wX0 za8XR=TPm`5Vq*J;$Vp6>&`j9muD)!{lsGX`@r_m3Ma+fdL)BBD0v;=AczC#VIyX8p z@{{FM#T#aK1%{Qom3Dsb2*}v2A50p{fx1A|Ur*9TUnScxG7|*5ukMS>?9ZRcLj39U z7!t$J((GOrFXj{55|S=Nv0Ie|U8=X4o#nsQ2&j}N_O!RC*)8(RrW^CIZ~0-~k0QYJ z>QhBMyVvx_bwHL61X%A*9>y-Cx1w4ciwR6jg3)$jaSiZ8!=Y)R|pTs?7}>JLQK! zl3&S992W&)@OeXz5>~Sv*9Jjy78R|o=LsEnt8UTv7r!+^aLTWvacM#@J}Ao>M@l)d zRYdLp+c0C^j<-;`Kkh?(Nv%hMrV=<)k2QTqOk0HtBEcO z(+8giBo-tJvWZhQ!ch3wPLmrAJb*G2^(pRo`-3oX^gS;!dZ1IUurB~1hDnuJXK@h*k%EjE542N23g1M=E&vy6oU(FwRNUM2%<(&>5~-@hhvuDx<9;acfoR*2;J^%wX(EwXHN6-t_yqw zQ+n9E8HjT9ip?~8D-#fW8DPQHc`1^Uty}Zbm*#0DB%@`FQ{KKNl= z{&Olw0BD{F+NDd?=pRZQybn%oHdEtuhzrWrJk)0($qCMbp-uzcAM>)z$kRt+mLnvs zK(Q_?Y?T=DmJI9T612ZfEQC|R6m?dVSWSC}-Z@jZ-O4W2EN{ruXKd%ZUA6B?WgBa; zq_3-LqPOWtj?qt{QC}V@LMJhsh=qfGJo@U9KHcgp&nOSm_p&`Je3y~mV(NVjAlUwx zp&bW1O4m$%RFr*c1`n^}xjXstL{G3lotL*cq?}U0t(UWp)7AI3-M#q6rgWy7D5YN| zU)8iBXB*i|q;dOMo1=RGE)0h=yz$!5Jwh~bO^Cl2w$v-lwpFSk4sZpfG{+Sm9$s$J zaP~KMkvA;1RV~b+PsZU9Hc+E(F0O`gkcT#7$=ZUll%AgcuC_1!D+@rfK2WP9{V87b zB&~N5m+lx&g8oO^e`9tjNrE&Ji!dhK!drFd7?>05qCBGB#RhptyxuuP{Tc~x@b{NJH0+Lm%DYWB6*rGD4MI zTLBYa@55tymL&4e$qcIld<*q@BB;JGDT$$!4M{gJ0bw?N1(amA$9ztftIQx{7`ZwK zg2Ko`{!yc|=IWan>9^M_Fm=~^j!NQ3#{>zuqN(W|te#}~unnHt4et991Bv6_SwJT8 zc5b0|e=q{>9f`Of3$SQ|2qLyl+ntR-H08hGv746fBt5f_BMTw{X+=kzDK5#ZWFpM|rT>rg&dY@@pr#BRf zy;dsU_FOi~J^oL#0x&YZO>4RgT3yE8zrzX#DG)JQ>LE{pk*E}^Bj7|31*Y^$@X+4d zhU`d^y?kr<`)z9i?om4(7WnQ0kz?3uT^-^Rjxxvg?unF~BasbhI`K4iJa z*HMU=bm3753574F5TKR%Uf#!Nc1rvr`e3%4a^(G9u<2JIE{;?Gr$qH%qtnK-rgZ?; zINX4q4N&jbAHS!N9FN?Ja(uWn{?di}3`JKJ4WSymO-X33`Y9y}B~r70$pJJslNq~` z>A9yuw3x#*5?8bpPX?wzv>VhyHJb$+VGQC0SZl^9kz>%ca)^qGCMHfs>#j*=nM$#v znKfU@a-cP#)jgZ;71v)6*0zh3+RKMm~wNPMf=p97Md}0?F zsQMYmvVImnx6+`tIK4k_%koOOC}#P$z6O8gr9!0Z1!}&LO`QlvUhql=uA!ta=qg6imNIwVQEJSDtMHgHt#sf=eymv4+Ga(zEL74h7aO zYciEu5V}1pD{_Mrl^4wtg`lWO8+4b;eMB>*5xUF`R2+%4=@f>;jS!$sYuksF4!-sj zMv&23lChz5LJ+SAL}h&Q&jvW3IQifsVp5?dmz6u?LPBava_CqRKIo7mWh#3+W^p8DM7xUk2y!EjCk9XpvNtYro|Hfur|h7<5P@TgRByNq2^ zuH?@LxI1eh0LO}VH)SI>Wy1&w*BXHcTP>h6WtxLF)wB%YI!n76xh|x3Q21pLFA&i0 z&_&>ZhG<--<3KbMQo**S#Y{sa(a|JN_i z(e#6RL)uk^;`53^Ut`Ih2nnw0PBQMC*`^UGB43c99Gw6ZO$ee8LI>+{Z3mmiDKq50 z-;%~&aIkqh8%V=90TVdZwIVMCV0QN*L-F7!lcOT_ry7QSd`=|hYg z!o^_P)|PESy$fM_5ndzG`u2+b(`v0`z$!(^NWd$#04{3O$~V_-pc_AbCS7{mJ86YW zlg)yh78z-thb*=P4r89eRoEAgVL60uA<3%u2@zz2G@)&pqpoU`Ei|n?L%2`wG*Y!c z^w_PaSR1R)v`0J#M2=G&tEAM8HQ*_H7AkaU)6xu=R2yiT*v ziD&Dr!*)?~lvo_HH2&^^J%lP-m#i(8)anv-#h}p~9k}Zo6oMHnHa%Dq?3!>-&&!^Z zYN$e2fpcS^QH|A#UR|!SkJu@H(fl3f#L8%RaJhN58Y0&2C4K01_1kEME5U^ax;y?m zkvmGM2m+5hVk$X5Y|act%z`PTKB$K960e~~1W&qLS@RfgcYT(Cu8Im(jOf%HM-#g! zlB9K^zMQ6b*`uObbh|qmD#{WF|VfbWXk0SWA@DH>5WuL1-hMikE?AgI1YVcUt)f z3J-dXik@z%GkmX}eb`Dwg>b~qV9J{NB)f1@)Nc)Ho!FUYu~Sw^uBTmrg+|!y9~=n4 z0@)TiW~b)l5gx{MifD{d9IE<)5a?xw)z`mLxi5A}q?E^{PNgQ1YC}nN0}=RC+rm{+ zaoPBQw!(D2^u5C3pf%Gs7yi=8EVJcN;$Fn~R|4_8{Yu5|0vF8$t{JyQ4rp2NZ&idX z6XBBmOs!&EouMQ&aehX?L)e)}v2!CDQm#kZnwzAb`1^c=;!8YP99$NQajUsx&L;7! ziSelfnZFyj&%}C6{_+AI(k=@&axKBf1HM^ZV_k4_S}_lPY~!p=G+iXgdlGsW%=H>z4c99{BIXs!2R z8gf$MpaGdd|Q9b=(mOwE?s3?X0Ev*K%DHB(N{Q;?B|BX&HY~!E)B(5)l_>EW;2g z@Gh9nhzj?){K^W?CepzzhgMKozH+_%H-sEJ{Rf8N!-1H`7(zzw5v>_lzWML}$w+8A~{9)_-q7kD@62F@yTqc>anWs824m6($Cq zUTjDq=n2UgHTm%_p%NvWO>J6u>4*!M`nXCW?Ak0lrPxCq6ul;_RMS1WXU;&xio>O1 z5qt|W5{nCL#v0nn7}MScXy%BGM<;g+BkVyL`@O`Qn=)AX6}B);XxiN zhA{D;vh*WH%Jl8Dn;gQCq{2z#2|PbLkq_C-@8KvsFKd-d$cc6>g|TRW*)zBNXOApo|QFnZ1dJ%t@FiexixVmGbmH7r}h<;4{h>4cFYx)d8U zWY828F61im7iGvQ86L8Qw*NSOUN^KHv1j_1uxJMKhwowoM}diD5R1&-?woL9kUCj# z;ylKqL0aZRKlQPso%eP7qX4N^R(lWB@`0OFY3P}=y`HLMX&_fRF@aq%&TPqD7&^v> z9jEQ7=}cBvyeG6&`|8m1`~{br;(7$TbtTl2U$at3Z+LTGF3-;A40~I1oKn-4hbZ^NGM|xWJrC^a6PCv zzXm*sr@mkJi{2Q?XlZ@%+aOdGb0Q;-Luk`65d%Vcc({4I@Mnoyhm-Qe`eI_M6PCI9 zLt%4=u%XB=?^Vt(%yG|>gej=B~6y!a?Su*Q#&5O*hEeP^8S{b|yx?BQ$22@KEiswlewWhRSin{-vYP-sLtlA;`)qUIhpCL&F z&Kl0Qp2Ail9~>_!`W}Q_H>U!(Dg#PUV@$Q~8~zoBiSnvEx{5waDzNF-cH^8p*+^t?`twxG-$~5% z4xT6KI;^>c<^z!bN9pSQ7G!o|gzg#z<1%Ye1E^(((n&KvWwELWtUjbdZT-AE^Zm!3 zu`zWdCpI}%Nt>8P9&9zCl}!#y3j!KMste>Z9%-PEg4Qq>R4Du0ZNL6n86P6y-O0>t zRX&Q>uO1(s<6A#OJI4~>c4|Q2_RBLVR|y_dyipQ?)@jZ@L~f;UiEBsX-~35k5{Q5) zsDyYzYRXy;n=xkgSdvt_?@XqahRp17abrD@*Y2?VsGM#KPrp~`#&-C)LI;A1H02;*Ax@D3{fiA&Yva(Sun2fRsyT$xH4CvaScxzr%pWsbD8Ay=^KgYQtYIj-{`gltNe{f-sxG53gD@Y)W^TSM&;GeEsF$QL#4RFP) zF3m&I*Np2_;&bz5MO323W@RbPXRg8nCkWO|oS-;$bd1w{2Vv3bx&ATNY82AV1|{4R zd(zEAf}&8PH!9tyU83PLF(wH>KCu^P;iCjmejTUvmap- zAeUBraarzRwV?Ll$1>eXj?UtlV1zKAktjQ$$ZxZdcdp68V0&&#gvx_Xrp6tZ`sdO{ zz67M)@dLbJe>eXrQV~ST&brYzaP_~FVrml-IuR#omFGZvdwS&xYhLXTb5P}h-weHf zlxZvC(jDiu^rSsU3Um(3fHYrp#MwS;ji4IPEwm?CjT#92I)1N!Efy9-Rp0mTY%Ia=}e~Ag5#|OlR40a#%oqS?S?KGSt?2<7g zb+e{a#Xzw?0T+4}eD~m0-ZssL0FA>1ntvMh)7?*T#dW_J@qG>U1tvaSMi@KaG6`|N zA}XpIp2wp&UWh%W-sPEPA8a3wjP$fHWh=3l=i&H$(l}w2?j(HDwxF`R*Jk{*-<;tJ zEF6ZJwAlYFuo)!M7wIdr17ZLS|L{#gELVu9_F3fBLXH*zLC&1s(1H(^xKM2Vcfio} zghS=87F%`_FTky7VL=Iz@rQL?uTOmO1#b7Y*ISO3zhO5Vsi(%tku%9RkQu#Eg#)TD9brlcDLQ znr-y>pvNbBRM`HoV9D$7EYENi_t@Voxi^K~-k{_tSGv7f*>^Q9ZqtyVPTJd?Abg2OEyc2unLxzyMbZA;v?AM4VWhp*exzoX8I zTsP^AnY;p;e!_*~Zo(CgZIezy{Qo&H0&S1!2EN)N+az{-gH>gvOj(-Y>?vKyNi4<-!Hqxo;vG6iQ>(|VrQ7$$=HAB0YGr#oiHHbD# z4ggctBc51wPgPYZW8%@i%C`B~DZtL=`|of1JGSYz6a7KQ^Y(s(0IkaXig(u;2_v|3 z@ZOpBpYxEhC^jMFE{A2c)DDt%y&uTX<}&+yX7Haeq$3)z9&W%)I-LIM|RMpfm#5Ed?N1Zz4>rfIO zl2^&%HJCDA2oIsudvi(D5JGk66#-54v6&DF_81bd5)-Vq_Y)(wq+w7fR7$h>YUZ{S zvs{4}M~ZXNv_v1g5TT9dcH55|6(OX`Y55h7-G!NwU#uqQj}C9v&>7b7E6Ghk!bQb6Z}t zA(1DF2$Ab{Py!?`_se%wQb@9e9!gyCG<1?p#J4Gih)2x-eg}|;+O=#e{Ft|s24d@A zl%~!&Z7UhQ$>y|8irF(FLIQ|jpiHwu%Q)NGTx84`rORycBmj8|SR+`;eT^jE_=k7C@oqK2yYVWj?7 z)}WbLXNw{BdYNSF@n{=?Dw2=9q~9&WeLwxnm-(m|@x6n&-cxyOEX9*Hwike**XV$A+vYqw;NrPVOI%%TVQ#INAk zx#GY*17{zVIXRs7G@0xY1~LpTVsSu5Lngyl80*evV2AQOeZ5yCD`O~q(2YBQ4yUic zyRR^HG&)>cH58e_?ps1C21-d!MUsf9waTxtA-W4;>?dqb?12cD`_3?uip&H0UHsgB zYATL$Ia>bKxAWWHhHv5I4Yd1DCbj99I#T0}@;_rhI;e0SOwYFw1jL^lR`C-{WjUfb z>q%RgK5nRG6+^UV&Mh?Q+mVgs5?OEK9)_oDftOh;)LqJQnQ7dF+QB@rhVqev~tS9xDY zj@pJoE*&2QnGfO?Fc^sVs=Zk=BpU9*fFBZQN}UKgR1Jy{CHsgIA`Zt47EOdeYq1f) zpcIc<4PlX*^=Q`dkVS_9(S@2`WQu%|7)b{Nrr=b55f93q6Hkrg_eH{In^9C1p7Au* zHp%(_NNc!p>EFbZ=^}p3ElIENW_N4sau|>#B`pci8<||Z^ikYVQFALkAxC1x9^3_8 zcqq9JTmEG2C|LTB>(Z6aFwupvx9_A`2ZQ#)NJ=;{PHVwfav#pqj~6x7ueo*>S2D5@ zcU<(@bw8@lm=yeO*jH;Fm7&zc4iUWH*UHuT4E|f5e*R$?W%-Z*HW4Th6pz&S{s-9I zbCWc29d`0e=;6iqmYeHqq|<Jejz%Z+#s7{j3QrJ0y^4=tM`*!-J9Um#F8b|F{&$xTXDob0sjpum z9yBfJg!rR(s$2&;oGdjEz>OO}SIpDh4V#W zYjeUs`1fh{cQfvba%R4kTvd!10$pZ<-DPnkSRd42%k-taGn!);<*-T7BHx7Jp)~jF zmxz|))j5l27xHT5jIqI zX`G$?A~d%1}A97QY(u4uYw zg_w&WxOM@aD8H3FO3&jS&>(87={(X77lEKHUDLQA!;JK63IYDxu~Z`pN#8X08#CPW z?PD_xQj9^}sg*?%Y+9W7k+>+QmQYLbn+$sjhg+YqSOmPCrVtYct$dsltUT)R=|naM z5Co0-$A!{|;G4dIsKMrjx@Hn5P-%!5wKSeDY(^Z>u?cUg*@jT2dui*Ag)XJhGwvzw z>B)G16Nd^dp+8N%A5-=^Yap?#rzdUj@T5jYaH1y(R&Faqp2K2r2wi1mUfW3IO6>UFDJs zPCfr%2P0s(b>u?(L8;a!cw}4}H*^bsPMyVL3QWy!sTrbQV3;wwXiHeKj?jmrM;)v+ zX0iHM`zdn&ct@^iqx*-Lu}M!hV}@(N3nOZ50FqK#ypR*N2ZG4OOwxpa=KX+F3!HH% z17IT!gNj=%F{3dIeXx*nmpx>-hUS0(C{{mMe8Dci=voj4%)ObI^!3N(TTsSUD)SgW zR3jFS_3FpZ!05LYEheGgS1HHX$8^CseeD>d-_;J4cvQj%ydzF3Z6lRE(8J!BpnxbO z$v)txO2<38c3yiWimN?ay9p`%W7rtkl1nT#5i1$Q86_Ki=1@1(cyF?7anQ-$Q+|%G>v<;({HWajiv+8GFb5x zbs9{{_U8Nj%8FK64d^)#e1xpjUtjQnzQOdlWMnMNR~qt;4B09*2)sRp zw&?UjaHy_-o5LYb*1i{<3h`wg!>8g?$x==?k_~#85}fvQqYM7Bg}3%^;z}KY(SLGD zEE9V~t2=iJe}dS3j4VT+5#G|lAqM1zE`pUx`7wxn*-j0(wm=K(Xk+x_@$i^voAw?g zqZCdNBoya>x=!=`rDz2F<7H=4q(a>LtoFU35*?OT_a3_BOiD>yr_W^|r{Oo)ENj)A zczN*wq3(DDmgy%=IPv^^!o3<~Iy$Oif|(oJ+lRj%CiOYB6V(pWyx349d5~glo6~c@ zFzFK^qat96R6Z@N4)C~yL1;oX7(bTcWrS}>O4paACIogB2AZd7*Ev731pmptWk67i zmi``yHsL)!aqg6!Q-j1P7V;iaB;=r`K5#^n4_#6l;IWSoE(b4j-`XG3-zr+X5 zk+l2V2fjJ${-SUgB`_*SraWg}`-Sp82(!l2=&3o;0Y|EL<3d&+<@{Efbb5kz<#W2|q2AHFe65fT;y2I&%?7QW6Y z)y=*dDk;@*R^Rn8+{NNyf%zp{**HJjHB`0MS0?kQ-})$Dnw`VYs={OI!(;Qu6BlxJ zzV;O5JH7Q$#5As-&W&7xpO}^ER^C7D1D>U?1xK-V+Qm$T$W8jeGga0)81dBSGf7!| z-k}7*S`}Pl5dOMV7-Y?X;i+l!3pcV9a74Va-Rl%G-><>hDww4l8EU<@&{50CIv2j^ z&RoD;DX#c=#9tnh%msT0YlJV6LuytMLb`~<3^JvKR*p{jY4^0OCcwhhTPT;~C8nu{ zi&$7uY^AN>0+ENK=hNJ@PUDCA8>sU79w3|ODJG9Y4hwx8V3ohO4ko&=)R_BJu!^t1 zM_=b7wudc~sp9nikH9|FUfJH ztap*+Cn;a7s$Y2D)e@5<$1(Ug=+aclrLE{$zuAJoo)G8?r zQPah(2-kTzLlPU{B>9g5RhMMwwEd@_qgah#-VQF_t(Q+N?uoPdEkKHN?IS^BD_-T7 zypMT)bHJ#?;oQ>h7;nX}SA86Hez*xu(BecZQ^If?Ggeis!%xSZfOz#3(jSUDcHe_$ zJ(I+WC@7_)9=VC#r6V3kfAeORa7tSZpL2D0-LjKmwZ0}`BMHcC%k*U?Bn=67NeBy| z!#l!WqAtiH%$;tYpIOh>VzKtzH47G-evWdhx$$uT3S*M+g|wU7B1?dQ%fu@vOE zNKI;XxE(vI?WC{`2BY;sxb5Ux-6YIkC>IjL>%^q%_KBO1bjF zS1WV(CzyDDv7=Doj{lCu-ml!3>XG}{+UukPxAdR>U z{F`-0IBxiW8k@Vfe2`ARljaxnN^QoK!1t{r=Nsf%>|z zcN?{ZGx_A>P5jVzER)d`jjtir!p1o8|Km%X*nfNqVuV@Q^WbF~Ze&J`$55!9+w2$T zLrhaTf;dPAOG&CtJ5iXG>8I3H%U9zR5!p$>o`PMTAODmD+1s6W1D75Z)2Q86$u@=qnt zP9hwiA6})>xp2#Yc;MKUXb-tVKK?uB&omAR(Z^Wl_EIE_W3ftOR8pJWwEVirWx3T$ zzGc5$-{}0_;e_p7^`^q^zK#;tV9H-c&nEOYdl{PYRK}*3PG^$7 z+=$EK4@Ns}QtLzqpNIk*e2dkV8KkagE#+8UG}M95pSqdw2mc`wK)a>6C|0 zHWk7NUHi&clY(jHuDSe8wkj&n2H28N*#a?p8o6pV0pgma?^i z_VvUPIx@6#@Aysn3sJH^ZAVnDLygKjmhT7a%!{iU{96HT$GeKF#L7nt#T<>t2bvln z^aZ&xv#XE^wRU9)94`1zD^HVBunza13U7enl9HY%;tp8h;XN1I0_^Cv0d8$=*LVTT z3+1eT^nLDQo;nEA{k6cm9bexax~NY|a^hUmO*yjB1VEIfsn$_nNBo4q9iq|Y+)*33 z+yw80Owt|0w@>NRcf@0G*&lyp!~?L% z&>8sm{HB`W(SJ#ee|=ORUv|1%Cr^2aOL&Ee7_XK)@4n#l{0TVo=o|fXlMxY~>k+>M zpfGc0*WCSPxc|)XB0Tr4U-QCHS6W@F&rJ?Q@#m_Pw?K94Is;Y1jDwbN@qPxYE?KDl zx+3EVOC8o6)POSSHK1WHvKY#F_s8-mz@RE^F4nGi&zma8POq>R;1T?_D?HIezk)Jg ztP_On9}{7aSQf?c^2=@7msjq=Af_b^t%N}tHuMRMffiOjX@GX2u;;y#wS#gS=7 zFnv`)!tt9g?G-jleF7!h&B7SK?KcZInbrf?{S$o(YtmS{(_iGHU@5 zVQE(b|FU7lO0xNBx9T*9Qx~zOcbTo6?Yf6p^-QnBU3uC*k6FtBc#z9m@pK!dJRmg} zZ;yz&7CYSFLlGt%-W-Mv%W91GIEAIb_icKmou}g+@QYlQtaFAgsrAtOyngylr_r1H zs(S#%D(=V7sLm>`b@Py9MMX!SDLMC4363TC)O}C;7o%Cp6RfW>)R@wrwymK;v&1I4 zQ2hLoyU(I)>LH3Xy(CT>UTV(x7!{USij7)8yhtt&+jhiqv4QPwR~=8fVoB-S^VC=N z=7+D+2$reg1dqiMfZpb!g>o`KI?lnWEBonMF&7$3f2+-FSja$li8E6$!#-fvUpGUZ z!Jj}%dh9d)vk9C5gR(5Kw!pmMZ@;780yMrq-rt;#{0LkZLLT?){h-V^LK0D%cN#&5 zDOE0Hm4p!{=V5LsKgYVi`~CTSzOm(tf)kE$D?UR<++Z#9{PT~#iPr#)kw64=D259F z2YLM$YWuOBe|>I!Xa@-U;LrZ4?{g+c0f7^ug+L#DcYgvj2>kvK_^rT%essPDC>uf3 zmx+c>9=>A`gL@Znz`bQO;VF*qGoKery5T8o9kLTK>)2x7;D6jQ^=nsZKs3pR6~B(Rs|Y9$6nsGgCxvbWjl z&S-z?6wUJ2P~6B=>?)AXyO0PjD{$1Q>STkrd^)OR6~Xa4q$$t%?sRB?~t-J zRV^ba*{RGuDvQ7JYAh(;R!+(^6P&LWrL{ZY&!+Q?KHQwV7v+6kvnCTZ3s&OHy$fi4 z2ylJ+XBbuC{qfsw4y@k4Pb$G0$1L(xiA9Cc+CbRty$dKp)gOhxaosImiF4Z(2ZrV{ zFfLSDJqswGd2DYuHk+ABZo5PGa+mVn2xfh{p|N#lfmOBzCb$G!&aqtM<$gm(i2L!A z4D^-f&HCgsjW3N=lKrG#SQ|w>V=V_>#k0ne@%`u({%XahN{Mst__z;iCeU=pCFqq2 zL?p^|FqcFYYu*>rJxb+6JFEvnOOL4GOHnx+op7D4^G*CoM?`4fh21O&%T?V>@mW{c zYN_^NL$A5LN(PVaqW|CziJmmmj#3f}TQDWWvBo5&0Q)SV^T7#8sUt}bB*l9L)L zB-Q-F22yzScrkn$UFQYJDpCe!PrQ4y2h)G zXUY<~6r};64p761@XCd%QB+Q`D@)xGRxS{i+-y5IAGDbsX1EBF=ZV=?x@TjY{DYi& z%1O$LDeI36T|+|}Cai3X`iqFpB1st^rM(P%-?+TnrcXVCTS+wxkll?`FGMV*- z9R-syQThsm9Nv`b!7TaZc~C0SS`&MWiYy}}h@Z+nXw973KntQIx{|VD($&1Q*fS?S z^`nk!egsn1QzV=OvsK7NV`O4SHiDz4i8YNX1EUD|oluUXEd zch$yEO}7JscMP&dYfXps*s3Eh2wnbDrX0SXwIZn$TQoTihmzE>bk|-VnZ2O9rM0mT zbfTN8E&nyi+G5!0U`0N6f0%IW+WU5MJ<&*_!p`E5M*Ky>9Sa3wI7GDAMLrsHcsQfK<*2s{# z%3xMea?*Ey%139)!t~o_NIZIPF_B2@ha$15edmqxn18R4jfp5N&;&Qeh_$9%OenUU z%^;+1@qbOSKVrooY;9P+k5Z22{f$U}9?QBP%fBAu<8po6!HP2wxY_a}r%r<%AkZaG}QQu}jU!hwYKal`p8tVTPZ zOtNbSi}LhDu%$-{DX#Di7`PA0_aX zi%a!~Q#B9UZtpZ&v2c9LLrdy)ozf8;An+DqoS7^gg>tA{(H5K47LBIW&6s&4x9Pb=%QaMk34edhv-W{4E{=#%fYsx7J3;*Mxz{mhCbluqQawrAVs^a;(4dZ&nY)D-uq0tL0Xg*qB2xen zx|1bkySPL-xF0&SV zEg4=A$pcsour)2={P=F__unu$&N&i^NWBHXo(nU9b+a*1W*TKvWP-J^&FHsAgf3=E zfLBAbH4P^}jL>$FtjSFu>u+R=C+lZGKjdmkL==GZZaReuhf#%gQHF6*hLnhgh!{{y zRhKsQ-*6+YEMv}M(pN9R(U;iIBxbCR?kD%P?KQ!tVV^n|@on@H8yhTY3fGB|ap88U=!SW zP>_&fnHrJyW}V!wuEKqz^Bx=rdKq^=ESXZz35*6E-GmTT$7&!JOdTW-3^h)WvDBW7+UUTHAH1%_&t3JBLE3s-u<4?O&6Kc}*6{cpp7_=6x1aekD?(t}CzzzuxZl*rIwZz?K$zzw zUb-a>E{2dHzm~`*SOaCDT)FP%6Li8E8sOazr4*^_F-L?^rG;rA_9H~aqH+>82@MhL;9@v|#Pl3*Lew## z@`Tm6?E#85OjB}@$OwRi8d?8UP7&YNR--ai(lv`RD&ibWpkbr?J#YERQ7zK z%!UzwBY{!3M-hdfu|St(NZc1!b`y0r+>2la#z;O+NQ?AP5^IrEVwr1uCde-&Oa|<@ zw~JgFM!UYvJV~kU_DacL`OZf_4BH z3-kVaAvQctwhli!3(T&c&>QwE$WCTqTr{G*v-!YXrN0`g=8R}<99B_dVJIvyZ9D%b z;3Xg0s{YX!SW&<<*OnmY87=_NDsYrAM-6jG?Ym<3y$&cj2`n%4mW0h*QwqWtZG(z(8p<2`MD+Q3^z%Q<^Rk4JDJUgSy4-C9 z-T$>TG&|1!O$|-e_>UENrtF{0AqCr2Lur(3(y=97?Ng`of`Tsv;#2G6HRKh?gZR`X zUGalJc8sry#Wa4(z}(7MY@mBV@BEH|?*8`p)bS-+0yAJ8Mx#Uzhov zXHj}cW)&XAV*?9%+ow*?jA#`AqXC{`Y$&~ooPlZ@=8$;{6T{5jypzcmN?86pDh2?< zkeyU#I)$%{ww2{1LCq)hQ>`FluE}62z^Gl=4dM#SiYy12jAf6A>%|P2p`j_!m}np` zhk@QrvJY6=CMNN?)FE0SlW?nDg)}nE);KjeF<=b9avCbj$>zS?>jrGOwl7ggnTR3C z14fvZkQE^{4NOBx8u+9a++=E6P#>mX5s}5x1C&%lE>q>KCOzXnjgi#0NuU)HWbHU> z2+jHj0Rc9r%1jDMP+_q|>_EOjI4Y(aAkk~o;oaND>S7@~u-swtYbjRnI;M1vLUeq_ zAwnw_^GSX%<0}uw(ooWmSM)xHK_ybZ$gQ4%{gAAxa;8ij0MqetpPZkT3&YC+Qdt$N z$ZDLOV<4C|l|9OG(HNo=eJ~@B5|M1V<1+@koXiD0m$c&-W-B~k5n%C=oPoo`kW-EB zE=Q1GZi>3H1Qzv!BN8zsz#aIz4s&0g!9q09>ZJ7OKb10o+RXE1xDPKo&L$F_4@(Uo= z+*683G7q~~;sX>7K1o4<4OnHq!<9BTsvlfd+pducCG~J@^hv-t+9alqf&>xjRpcSq zBMBN+x}eDB+dw@wC+*Kd$b(!KAWmVkSX~W<1eIvoE$8eQ(9fKtC0rT~3X%$yQC4gN z4J~K`o_UP*j}TN*Qs87Mk(E;AZNq>4H_T{mao+zowKP`ae^uo9e(%CLJI21O&A=Ud z=63Z>nl$Nd?Z54|m^5ipyzRhyCQX|3h3woT(WFV+w`%`Q{^NE}9Xn~#q@C67Bh&#w z72%}buGyed+gN3#EcVB#V^1s^-{OZu9i&yPi^Xbz+_}e9u+m2dy>X#qBa@Q+%ZFqQ(lV(nt z`HRjMyH0&}Rzus0k9Jryd(D@n`dzP^dr<7zhi9Gj<{seM`yOFV-0h^x@4auvAOCV@ z{{3gZ_Q5Nc-CNiA{LPmfJ#foU&PhIh|1Ez!_>%)~yy)$_zd8A_7o~4c*|u)Z7mqk? zpR4ydQ2CSc@(HipJ^8*L`oH|v$p=5U=J{=}dhDV{N1s?Z_Wt)@eh?mf#g>OZzW>>; zT==c)mS@ins!I=yC#d(PkT@K4^Weell9_CiPhS?K%5Utc|S?T+f@;#WGq zxAI^6Exh2+>)3ZL_{kLqU7!8e`4=Rgeecmd5Bcn#KQEYZNXui7AN17YpB(w*c?*7y zT1Wpq^wO0_Cf~g2or_naCHsE$Kkq(v?u*wQbow6mezwomwYOfe+y6fN@9XP#eJ8V3 z*QB5P;(Dh;_JYnR}uikgr;J$yz zzC8HEq}Wz#_G*6ix>rV~FCTby^p(9nPCU2Oe%s#s@o%61be}U0+ioQF;!_Xrdqgb% z`0FSC_vW`(w`{ZE-IM=x&2J8PYVP;;pMBD@TTYts_ZQxNeeTE8fA{6LPI~C}pJg81 z^So7KFWqs`l+(By&VKWQ-F`SG-gE91{jc@xvy(dX<4eCWdFJac-T9S|r~Y)W@3l4U zx^$>@k6R9`AA9AF+b(%}!ENuPJKpBM5o_CNQR_=zsQbUy&VO#{(K|2cSFgJAx&N#@ z@xrcYYrgrfHQQdW>Vv=k@XXV=#oyay_0Oh^oP6Vg!MVFIFSlKO@@22@{f{qxW6F*7 z@;^`e_u6Mp>$r25GrNDGY;)EH9XEbw{ob9=qd%?Pt>eQt*L?){+etY$bLw}0d)w(3 zey??p6+7?u$n6*0^WvYI&b<88-Dcju#f8s*`TYMq^Zk!b-si5hdp!F7^Q-=#ewE*E z(b})}ZIgQB-Kn=uTYqL^`jKC{==pyfuGSs9e)`mY@b}cpE$`XxrN<^;_T>+6J7@dx z{g&PN=-vlB{V;z@|7F)6um}I`KmO^I$L_3I{jT`ddFwA*jh=t{vzPz&;b(u^Reo{D z^LD%WoqXcj|GD6Sy46p#y!N**9Xj^Qs~`LDUymG`ekQ)#s%Nhe_PA-U zwoY;KN!xz1Wb%%`|I({}dFbewSI#vs11*YTrK$T-q>s?`{8e)GrTfTzGX)YWK76djGnEUp%$;{sk9a`r51~ z*RTETJMYYSu=U3yFP(DGc>AiA-ESvO+;g{U=iadPz~yIsyW@>Vw|RE%m!8}DrtQD- zoof#L&Bzy@`PM`Cp1Jx*H*7I`=|zwJdC|PT?%MoQ)N$?)UOM7yUz<8>{ozOdWQ!@I zSB+f0{TG-ePkl-G_~3!@zAL`K7*e#h<4kF|LpWyemKS=~UieAZ z!}qK^`hVm9`S6EFefIc?ix;a8E%`oo>#>)BpYQ#n{>BSlUAOFxIpGdP7o_xT0Yj!#M)!AP=me~va=K4FIc=3pJYOkyw_0#Teefon%w=Qpf z?5zLmxvl05T}eAm;*q2o_VTz=6mrz`*2XZ!um+GX+%M^Afh@5?X!!mHQp^Wi_{ zuK&^R|J}HL+m`E3<6fD6_xIO4de23_I{2LXvRC&F#ZNlph20xpxbm;DyZ-Se`el9U z#L+t*sJ(xeso!1CF1upg+H1F(v*pD*{^PHY^dFnt=fGD^IP3I-PWkIuXMgSetN%;E_vzN z|J&--@9wbQuQG3)_xso9ezx|VZ9cmA`HOcsTHX8GU%O!LKd#>C**x`;EBN;=Icr&-nOyha&ChH%c=SEVn{U}? z`~6o7a{s#Nlh>^I{?Y|+Z+-WQAMEq9_m#S*zH``bubJNbwF9Sr=h~xNcHcR!zSVY1 zcK3VXdly{P_w}Yf@3{W&=kK}m)3dgC>D#}TFTL`h*QC4WANSb&KTVgUJyw1A%7s5k z-uOGQ@$?-|{Po$V4L|t7kG^#2tzW(Apq)PY_LH?get+G4_x@>*`f1O8tK+2Ojz8yv zuim@;pxt7*7#>5|GoIp z=P$1R{_v4sZ$J33*S~)EW8e7A_ik@)+w!o_>i2u|l#B0Md*s=>9dY+@-~7jok4YU* z&AfJa{1;n3_1+V6E&e*~56oly8Na>o`0u`U!dXAh{_*eEb2q$jrj$M=zvQA*PX8mi>-k+z z-D5#~;QsB7-sR|~TkpK{jh(+SwN`q4r-80}x47p&Ta29l$lvGvw&{)Yzxvpj2Y&OX z=k$Kz?#cVCxE0*o^yW|ByYIyR9NK%s^{=rzc7EZiz5jXq`q?{N^t;AOetjyF|M9fv z*3WzC&clIn{=UKfS zr(X5j1NLJsjXie@daeJ7*kXSApXOYB@oR5f_}V9bzHQ6&F{tA^d#w8AasNK+>AJVq zd~)iACJFv%WH$jeEQr4SDo>D zc8{<<^&yvwKa zzLI)maNd;{wA9yZ^~Ae>+wYt&ZFBKQcki{^_MQb=>lr%o9Io zZQQN*zMp(HuYSk*(hhYsUpw^EJBIF&UzqdI6VJW4?xxO%U-+4F@zZ-R{r#2~oi+LJ zXVzb|{`bNzM_hAbd-q-cx9XDrjXeA4XJ0=swp-@nXUAU7&-&xbzqtE@-@u0N3iW&M zvBi~#UHFH_U)Db`cbltEJGJY93!h29as9T}t?y>;{p8gpyUS0!^1~0F;o=WW-TvCk zZhY<*&~xLL@4I8=7ms-9@aHa`^20UTE4N&8+1rC)>;2waTX*>Wrycn5U2NvpFI_qF zN4foP`t;_v)FZz9(tD3A@BC}yE3YkGtjxH2kK^C}!;ZiI?CbRQ=i%K_5Rp9KVSEk)Al^}A1_`q^Ol!8zjg1{$(d)& zJ9_wtzUBL$zu%1`ukCTs5l_6h&7txeiw=mrQFGXP=RNfO<(Iy-=IcwsH>;`a^b$(?@sy`wMqp^0yZGpof~4&&#~WZ5ICfoO7P}4_|osfA+t9*KL;FdtGkPyXXG&v2!1<+5O6{ zX-|B5Yum|BZ*k5G&#&VaEq(Bo>yiuqru^yN2M+uqbJP`AoHAwSZB9Q;-f8!*@5o&D z3anq>_ob`XKJ}9?Uhu0}{Y}>=-x==~*1dJdQ?p)u;==U0Z}t9``zNZa`}(C-O=lJau31xAt6h;I|h~X*uBN zri1TI{Xcv5`OO9cHh$bD)UF*AF%x^nYR$&pk(fbMN$pum#U5?!n0HD`YKvKv3R+r9 z(TdSpHCnT3*Jyv|{LZ;wKJT7$o;UaB<@E<#=Q`gjH?uHB)plC4i5CBuF&H9mYK`rG z^ALQ#UOnKWuv2HyZcMCkpz;zFe-!O|^)AZ0Now6g!SB$=)v0CP$yDK7c)To;^K56_ zE4;l{-_5P~>C={%t0(>j%@M$uj@f;+BKYxiRFfs2QodZ~EfF2<>1d}BhI*&jZSggO zsWDDQy%lmodF7o{kfIF~n#QdXOrcvVYRKsgX8h-s$Bxy0WMW(*8;weQMP&hFyXm0c zCPE3iQW|;F&X(6OzdOxuM9pEbc;dZfM+qQ^3>IsF^Q)9_n2CLbxgEf4xz(f5;D-1a7SdN>WWwCC`r> zdsxxCncr%NtC_CD$n*@9?c91}a6ankxV5<)uWFg%@aav`QiiN;L+3)))ORT&TZ7RQ z7e{6sAVtCAjzRtu!Ofx6YdVpx>5laO*3+@CWX*7{#khR1{J-bTUih}vd09E81 zCHnE{46dBY219In+It;oo(MFyZ$(dhuIjG)uyP=RCrj8&&(yRuZTz8{AIl`lpV{l*eJ`#!%WzS z4}Y6%piMs!^jsC@1Ag$UHV4*SsA@VUd3@l7ba~?Cubl+633Ej^)3lIR5ZXT0cLB~V z8`!HVClB4r1D@%FB+(uaa7o1`I^s-9mWnOu(vJmEHN@=#FOA;t9Xq~?^0d~gimcr% z@!D;_8JE=)O!t;LHRRKC>c5fgbXS>_GtUtQzuK~ue?Zlat; z1;ikKHfE_u3kI$VeF}7E-zj#S-`HV6D4J=!T;)BKl@+}8kv%Oxn)mUKjoEt(jm_KJ z%eMQu)Nc$1BstWuOlRB^5x(%`v>cJ-DSdHG#)*DVeMIU{NjdQ8qnAXXu<7|tB;`@+(a`r3n4szNiI?~rO*>m4DR266Bx;8H{$u6w*Pm%64 z@xEC2)uP5hXnC2Me)nW4K~>1Txp8so^JFd0$qS6?S1u`XiT~SlCmxZSKh8MU$yvP1 zn#G`;x{2MGL#0d*+ow=cZFav@gVAj4dA{U3c|M*D9x%fh-y_AnOL7&BIM)naVH9r~ zjj$@CXxV|AU~@Is!t=u$7m_6%gD8EB!}i3%SY@eg2yyvWw8vx9bq$@tTq2lszB#<;V%pZ2z0G<#oc zG`?X9Kpdgp^m}~6J4SwvAk})C=yy!hs=f`JFNU^@5s!YK42^sMLQ&p#%)hQCXADju zEl1qOVU1NJawy49V5}FpvOZf%jr%uWK~euUt(<>{vQ|*zs~`5ee8yoU8E$7;We)m! zf+V3W&(Rk?V+hy7I5aIgOCX~5Bgn8~hKCt-vemFnd; zoUF6Zqsw1-Jbrw9+&QrKxFS_(zB?Ses~NuanM5KjL@q6GvYniqoWvcxm+T^KlQ7g~ zILPniMAo6d_v;bO--N|NNF%9B%glHA4|V+K+t5wD9bz})mse7ShsspVFK7ZZ?Yp;X z>)ak)h41J@?cXRTdpvJ!Z2a{+fT&FM<|Ffnb{+jlfiThIDqdq!m z(OZnIRTUW#lQH`W;5V&V5Bn2n`8?+L+gK1#PPReTSWRCD=4xR%G$f+G7e|xSTL*9W z<~rjVxv(?W`YUuce8x3W(M%xA^L50oQ_80Q%LO$d+CF$46t!;578)k}JH_){7|Y;k zqr_X+nZv5d;9|Px`N1{zc$)t)3!Tazv#66fA4SXZ+PT)^j$~?h07v%v^#JjrvF`Bb z(iVeM77s1q#J?zx`G@-^DjrF$)+@hXopt4QLd&EeIH8C8deQ^7_^2UzhRCP>Iw)F3 z91WSWV6StP1uw%(-y_&3zU2IZ@4Nf!htN`A0+)%f@3pg=N=lwOfY&gec!tHE2g;8! z8R#`o>n25XH8;h_l{a87WSh6Vn3EGD8Yh0{KU%mjyM~tcZ`sb9=%gj{&+(HYBQOi6AXgH zAs7Yyl1t0-lmjPGMOSD%F&fCv|LxTEQ0#Z{IOoqs*K&*Bmyb;wC&zDCiMqBIm`w z4Y*!5e55y_$bvA+u^;jfZ`P7bU$ZFGJ#sM=`Nai*e8Lk={lLVvEDoYMeGxSr12RzD zG&gHex47tknC+R*0{P@Hlp;XQv}}1Azf2*UI$Y~Tna?jD_AE#rpzfNfI9TYV1i(vn zuM&inxlBezAM~Rc&@Q$O4tYMtj&joKAnf-T7pE0aTpDQREQ{`pUu!d*X7XgQkFZP zpGai7Gze9{QD(k0Aa{5 zN^1CpWyEOt80Bb1mkP=6ONUjX<$Un}Uz9db6qH}!&pca+;Dd$N5Le9uzpaE$5gtod zWQ4f96Z8tk;RD90T+RK_|y@K3bVv+JoM!g=C}^6Te$o~oQdOWxT6>_2?)59k7d zg;*D@vD94sC7W=^J8PRf$@LkcyneUkC~n`uuev*#JB}y8kF8}{I*xLcUUypv;WM1SzxDHmRoUI}a5r{V=MyExpLC_{8g#3-b!mTAx!D+6^R>r; zR+B=I@dclISZ`1D5~-L1&(6CLe0Er8!n#}{>WOU@kDbA@2$fAa>idOrgPSdhdDS-< z`=@!gov4Abg2mArMcm?xtNjYBLndtm%_+;m>74t1%e)P^H#<-i_a__`qEo&Eohl7L zbfP!MF4iCt!4M?v(=fHrfHhE+5B$B8pmN0=2w47)b%y@qi8tyN3U%I(8%~!V-SnMB zrOvp7GCR`k2b$odo91cYrtmOiywNG`&tUPF^J%Ga4f+jZ{Na0p1?UGPm)!tb9N7(H zC0-hFPnN3P^@j4avWb}DtDA&<=(bpn60AWWV<*py*{50<@VYt{ys4O126*3QuUR?; ztf~Zpncn-Dk?GL~MmXjWchwT1ZfTR3ws=O)!46($zxtzhAvf|IVEVO^!s&reKH!bEja;2B$={ZOR_)yOTx1^8s9N*w4%#XebuiAIxmT$FIO4Knpn#tHCYG$r zXX^;F!8GRxaG^f}BlJcsb3JEAsbTUC69kVkl2T@^Hz(t3Iq63Y15V(%cHO%swy!Ytm>VA2+6FKo`rnek|^DU7&)tXsLMqBP*MyUvj@|fMLscI zEnms=S5>gn4k9ZxRXV9`zf{t_J57fxc;p9U8it`<3rxSNUzk#w&4)368P5hY`E108 z8O+GVNUgyT&3PXkT1lodxoGc?T8v#&0$q1bdwA#}c(bux6D-%Z4;!ltb#f zC)4xG$|RU39}=zQ=IRPLrkXSK(*+VjGBW#+C{;uMWGHUqk-ie=g=0HkE*;7MTP3S8 zk?rM6C6&D9BvJovaMFrEcVA_UKC`is&qyR~S0D(Y{49Gh3nYkuFFr3WBk^@q@)SBs zS0-joUYfTJl#;7v=SAU*rqK~5lrs9m-&R$B+C-xPH5#MFMt7|GVwm)@QzZX@7y_q%JF zt`UC_RR@Q@(3Nk|=tRAf6LHQ-n> z%^p?z2?kv literal 0 HcmV?d00001 diff --git a/assets/nutanix-csi-snapshot/nutanix-csi-snapshot-1.0.0.tgz b/assets/nutanix/nutanix-csi-snapshot-1.0.0.tgz similarity index 100% rename from assets/nutanix-csi-snapshot/nutanix-csi-snapshot-1.0.0.tgz rename to assets/nutanix/nutanix-csi-snapshot-1.0.0.tgz diff --git a/assets/nutanix-csi-snapshot/nutanix-csi-snapshot-6.0.101.tgz b/assets/nutanix/nutanix-csi-snapshot-6.0.101.tgz similarity index 100% rename from assets/nutanix-csi-snapshot/nutanix-csi-snapshot-6.0.101.tgz rename to assets/nutanix/nutanix-csi-snapshot-6.0.101.tgz diff --git a/assets/nutanix-csi-storage/nutanix-csi-storage-2.3.100.tgz b/assets/nutanix/nutanix-csi-storage-2.3.100.tgz similarity index 100% rename from assets/nutanix-csi-storage/nutanix-csi-storage-2.3.100.tgz rename to assets/nutanix/nutanix-csi-storage-2.3.100.tgz diff --git a/assets/nutanix-csi-storage/nutanix-csi-storage-2.4.100.tgz b/assets/nutanix/nutanix-csi-storage-2.4.100.tgz similarity index 100% rename from assets/nutanix-csi-storage/nutanix-csi-storage-2.4.100.tgz rename to assets/nutanix/nutanix-csi-storage-2.4.100.tgz diff --git a/assets/nutanix-csi-storage/nutanix-csi-storage-2.5.0.tgz b/assets/nutanix/nutanix-csi-storage-2.5.0.tgz similarity index 100% rename from assets/nutanix-csi-storage/nutanix-csi-storage-2.5.0.tgz rename to assets/nutanix/nutanix-csi-storage-2.5.0.tgz diff --git a/assets/nutanix-csi-storage/nutanix-csi-storage-2.5.100.tgz b/assets/nutanix/nutanix-csi-storage-2.5.100.tgz similarity index 100% rename from assets/nutanix-csi-storage/nutanix-csi-storage-2.5.100.tgz rename to assets/nutanix/nutanix-csi-storage-2.5.100.tgz diff --git a/assets/nutanix-csi-storage/nutanix-csi-storage-2.5.200.tgz b/assets/nutanix/nutanix-csi-storage-2.5.200.tgz similarity index 100% rename from assets/nutanix-csi-storage/nutanix-csi-storage-2.5.200.tgz rename to assets/nutanix/nutanix-csi-storage-2.5.200.tgz diff --git a/assets/nutanix-csi-storage/nutanix-csi-storage-2.5.401.tgz b/assets/nutanix/nutanix-csi-storage-2.5.401.tgz similarity index 100% rename from assets/nutanix-csi-storage/nutanix-csi-storage-2.5.401.tgz rename to assets/nutanix/nutanix-csi-storage-2.5.401.tgz diff --git a/assets/nutanix/nutanix-csi-storage-2.6.1.tgz b/assets/nutanix/nutanix-csi-storage-2.6.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..9efb68e52c764b577f9863d7102b3fc9085b7a32 GIT binary patch literal 10797 zcmV+|D$>;-iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYcbK5wwD87I5Q}j=sbH<)yQt~5@QLXpP+Lk~aV%)^|jiA(~GMx)W)XmkTKmxz+9Fcu^fl5sS~ z-J=QOGMb}l`j-cJdc9un`ToBCx7X{{|J~htw)>Zz{k^?sd(V3NyZe9X?L6D*?fwON z57YeeCl?a&zx3|iR=sn-lLt}CB$9+t(GLI+mt=%uImw3+VcmFw=opJWTn7LEA^emj zNMblMTmwggQ%E?OVGfePY&Uuy?Nm#u5(ARp7;%_kE(oJ7%`hqvp<;mJoD(@WbwwXK zlIOV7tdJ0qrD%SJrnp~0W?)#jStBL%lh+U0sCjIE?-;H{x+XB{Xau#j>W?n04wzW^XI#Jb^X7$|LjTsKgP2G$9RPDRDv0G z7%|>9o1$O?-cN`CA^^ev9=>@Uju@XJDRBZLlIjA-I8G7AFhiW6VTy&a3WgXmBm_=? zP|0AxFm7{N;HGjhA_k<#xd+hyU|r(I?#s^N(EM(e4Ak^CS)X4W0KIZ z2sVO%xwpy`6LIV+08EjPn4gMRkRwJ%WL$o_Wc*X>r(gq=7*4S~CLBJiN456%lnqe|1KT4_ zdz7Y-u|xy`WeFbO6vvYBK776jBug=OhQ`mo1Z0ZF_&iV3bCwcCt<%vNljj@@Or?VF zRHxQKKH)YXo-ih`Zt-$L;)!M-*feTvTPv|`IG$59C9(c%3oK*D8kjfwF~>;aB$(;C zx-Cah@0Bq>CQ5P7tVRRB5kxQEN@T@04HL zS_%@=*&pjL>+frz?Pt?My=;4z>ZKa}DrL-)5j@5*NibZh!K)0-B}r2?E{a_f14q$O zNh?5H>3){rZA;i~EsM4lPU=TsEBMBXszCMZaK_m=Ct?aGDc1IT6|F-xZCn=(Z`he) zO(ZQ5w2?GH99u!6gx$y=Yhb)VCnZWfQ4<6k8!*b#bPm7fDAgu$ABRu-p5k&Sfm3PEA>{A8;@7bR0dgR+VNpcI6%NA(2O z5KgK!bi=lgsUmR9u{4yC6C^d$U{MUJs~&TlD5gcJ2uvNr@l?{Q(7e#_7BIuf6%mRX zU|@=F1V$yWH8HH~@jUQnc$aa>;(dhMu{vn2?SoKNt(j3MGoS zfiosUq3dlcRcL=lg+L_2FXIbb)0!DAzewQN2BuhY5*q=eOdOUuby|FKQ{Q+qHiAG= zfW&ypC{b!S0KimPYDsBNq-cm!?F<62HlLWVJWXJVWIWLXvtZsBFixvO%En4a7V^fz zV1~*WXHzUEI2V!r@ad%pQI_>VnVH5uQ@uN931m1XBNA5zG%f^_!j0oBB{33x*bM-* z>Cji~HrK0u#D|P_^%Rc<=@*Wvh7AHxw?ed?(tlu>!g#=h!F)`FMm1pR6PA^A`@H}ZS!YBobn)5{{VKD)Xivkj6<=FZb=~U9z*R%wd^~b} zH2f;F=h2Rj#t&Gc^(*g1y=YITmVUO~FT9|Fy0Ei`7~8?CtxLK_su_z1mo@ z{_pMfUewnA&!6{pp4R`5@f?@y;y!%-41~sMp5Ssp;QIiK5K?735W&q&5cqyrEfx~Y z;SveU_s0BC6-0(&tQv^k85e7GR=mBrd2-Hut!MfC|2V;EhPjAjb`MwJ?f3s)?7w*O z|2@j{`E&O>n2~8;uV|DhtL)o@sUk}}!F~9ydvg=0Qo+eprc6y`%K4Uctapn8TP{>< zbV3&h5FR7oehz`g#OqneIgt{1Y4Ky1Z0vs2&Lz;uxvrvS3pT|Hy}!Q!KGCeIF5=Cfd}8 zluU^<-Xp1u<;~$-)8+VVpvtPXqsVZ)6$Pgwu=`5}h}-rwBsA}cEF2zs^@ao>jl9Kn zEi$X}RZ^2tL0R{)psp*ku)td6SLHkN0{BQ<0FV$L?up*S=yy}QbQ74v^* z@7as`{C~0Y6#w@qkJY*O*FxWym|B6r~KERZoj!_ zx%@B2v)p_MOON)t`e3>I-`Rb>SGWK6clMt@$^XZAHsFY5b56z+3A?@BonpiJl*T#$ z0$-tNmSV_-*$2soIF_m1*@kcgf0Yv=K8{F={}xzjb6l`UMP8vS6G|jCtw^5>OIEX= zwUfBN*mvxtOSvVeidvakLW|sYRR=&wjwBw>jX;rlpY4yPxlP zI0=*_0?t2l&p#X$GZrLs!qSG}aQthIg>1HguOvsIDIB``2NmkkpW-Rw^FHkMdT&VOn;XOXLNY9&T^$X+HIy;^4HHtAYExB72STkTP^-ML z(GTm*Wm~vSElgLUVyb%sJx+&b?JDU!P_>y{|G`z9t)bfjmvMS5DkwwChRe-N$LfcFEI=rMKPS`%iCDWQw7v1CFfnDe&JZo=*LDl@LexXakqF|A^m zTQKGdw)B}Y7No&Dl|HK&33fBsutI^X%>M$;Z>ycJ+5dlsM{Nre{mn3+T6RT>h-cL` z#vi~sxs%*C&(f(|TCO&cV#K&kK_amZ1Gh?egptfSuB%`lE42=5ZCQs?SKHNkzTU-R z!FJBL?8EmjdoNnyRkV1mM8=t9F-!aK{^;EM<^o60%ScoAC~$wrvOaj3?G;9;ocz1~ zQDe9m5u37hj8ilp;F!@wC{C!9vBJFgyjK-6m=l&1AFDRn2$3}B`2B=qF=1)qS9WvE z^*GeAvUlJzUy%FcZ)Kz<3c3=r`v?ZDuZtJyxkalk$8Z@ZOsk4AWy^TSLmNmO#+*nJ zqf}Q=28K>a+-y-{e!x0hmoYjnF30=4RraqE=3Zc~8j|dP(KLk!u7MJoU@GCIt5>sh zmg40_&9|WCef6;NBkk{sl;gmPTLw=vIoG+4pZyVD$Z?@|`kzWVf7>o0 zo1b3vPN|Ae3FU)tHjm$(emHse@!iSaKMvj={o~{L;rmxx_xHanQSqjFTf6PBJhFMI z{5Ln&x)$BruDO;Y_K%-_IQgj8LT86>PM%gnxAoPUQCZ<6Q|!@NyTYQ&VfaOtIyXGg z0INI>OWX*za7Q#nhQi^&g#^?`ptIPm(P9c=MUeq zL^2nV(q|Rue>z#wUYR8#)CHFVSfoE{HHt$k1T$wTAUZc-^a&Mt281fbZxUPzTLKWr z4M-Vh85$#r6BwfSlSzxQ2hG^{vZxhdThE*t@&ifq@`x~s()!%=DU{$@t5YDs%3Nwt zr&<}yxT{0OT0!V9DFl;S%Mx6iB*4wY=|2%uj|9PCJ>i^w&+3^1!`N<&4 znm6(PmBY!(^xr$UjKeUjAF6D;$b*W@^P!{0RkJp|(O4MoSXw>ZS@S%~<%DtaZ<7mC zW=5`yO~@74^-$t@Y7}+|C?kL8EYCzAe(rRB(L$+Q`ohm0bJ(1)pJtd3_3JT~oo(o( zMCgAnk&Gw0%o-q-!O{wF&H9-loRFAGYkRDP+%|L!W2j$=IaG2RI>t4xer31mLmh`W zMP#}*BDT?cwbeDAi+Yo5^rsrb);j3kxtME`cg?=w8KzBcS~61W^rt;IudR8@Ft)-y z`*-JdAAnEp-u807c~J72v*8;}m4myY-<65_1%}_^_a$diEXYD}w+@fRjPZm}Un{gV zqlNsUM%EL1t$OMQLK8yAUqD?AE#x(KVDsU>a4fCTYE|0+E7kRy+L5K$`i+}^TI#V+<2HAHmW#@91J?rV8?Q}K4Xx#;Udpm%4(W{L1#Qzn{IGNx_fdS#=J zAvrXEJ(A2Q_AZNx$G`SkqAogP%YtA;=oug_198%59c&X`wlagamxb5fqW?tR9IpRuG*f3{x# z!=(9XB&?hXiWKym9*RRc55`Vc{1Uj$k$%82O5W0R{*EzOp7ZYd#O+~9$DC!2rnmz9 zlQ4%P*V+>JHKF;H7Zp-3kY|}W5g(;ii8Tx5!iJZHcJHQdgVvA@T3aNn`wK0@dqL9r z!g_|EPX1W%tRer!Jw(5LR>=Ps`}_6#pI+?my?B!UkMT4&aQs_K+#ZfQujrfll@riE zC^w+%->$()Bb4O%<+#-t@szsEkB;F8d_T%NY~O6eg0*6#H82VmK$Qg8s9|@ zY3-6s^Z3rVsCudd5k-Q2Y_6QK7g>7yRQ@6Qw?9R%yfVumWDA<>BCK29-QlOc>n-^z z{X7KhJt$#=g5`xNjuh(yT4kXxfTr#6EFY#sOzwx*B1m^c%yTE`4DjTB*ewOO4vLN2 zUn(fnr`uvg%n=fm+UAxRSBD6D2MkX1iDZRw_4zaWnltGg>D#htvB$uH zH&QV$QtjT-Z@KJi;dn1Yf9*NEKA2T=S37$NqmDhyMQT22TNt{y>#eDh-L*-+DlXpn zD!6#rRJ{eDb0jBqK>A%Bkbe0HI=pfP-Yqn^zQFGHt-sC9yP7H^VeX=8kVcQE?Ij(F zM$~UHR5v$E#8UGn!J4pZqk8=|yH>_5uh6P*@RAov-POm!6LI4okFL=h>&lC9xjl;++q zG_)wFK;J6cdauGFIla~*!vfoYArkocK42QN1SjV9-jHN{^F!y==o@zXj%pF;dMD91 z>I04^3_=Q>onG{EFX~0#@ASXl-|yKv)48kFfot1T0PqPLL0jHMV=DcJ=<7RaTB+M$ zmX!HO_0! zTpp!6ELS2v#`3)Wx|uXtCTIC)vO0K0B4ZU^@wy7HsjI8EK1cTEgvyG&a<7CbN9Z_; z8OKaSF`IVlV`(pcZoN#R$c9^hfhp(buC?U0?bn4sLf|jLSf@o7IF$%x5U= z!=63G($Kv+zKhG1V|M$4XdIJ%H6_+2|Dy>`r$nFc{vd6vkpI1BJGJ{CcAh=i|Bv)+ zz&VlEE)thn z@Le=SpMviqIn9Fa{;$5;pA(h~I6XcQL6mX!FC5DtA_+!aQ;xHL{T>4W+vfkflf&aT zC($%{pf;Az|GnosFKXw%?dZ$S)iOBSIkt-vWAP|YmC8*?Y#j1Y5d2e#HUrUJj-ZM+p=?)b0;4d^Q%RI1 zoUueej3}Tu#zN>+NTF7&WmTF0N(F-nnqmEYh$$Ws32bEGgc(bKW0dH!mz+p!!9|AF zQzc>%l|Y$PmUA$Wh)X4pwY+rK$L>bY%tg$^T_b#nLEsE=Wu2>*-R3OBY??8OsnoAAAUtzWzJ&Udkni?-% zU|WNv*m_7NIQ|4foU%*cIA+r+riqEK4uTNg(irRVc{b)K!K#Yace`UEC;3pD&9-1y*;HN0G47gM>biQgM7IslmYI2mup^eH>{1b3 zH(Y0o2Wxc0(3;S3IO1#?wrGY>!3#AE?;5ZzH8EqH=;N3}u*_rEhXZft3s5fE6zO9; z(z#&}RE*9VJhcrHeZmkUt~tUCa@5#Ei#Jj%w!A9$j{blw2t(^vhHYJuhg^atz(LU9TVbDE^MGH*PIP@SEQ(@k@_n-v-rQ>R!Vd#d8$WZ!)Qg<_De!9}4n_!7ZD*oHJJx-H@qrqutOoY%( z&~Uc<@mat9wZ`U0b56W~lnAL*i;te275u?rpVi?JNa_tw0LQ$}(5XEDLl z^n8bfUbuvCdJc!?oFw??gh-qkA_pP7{_v)#YhWwlYeNBMiH<(A=ickI0EN(x12{JO zmmnreAQtWl1M>WXbxb&j+RpLqD_7n0Y046XBN-^d9Ojb2(W}FA^=pEuw04kE%>&P3 zh`ml*SB3^%xnxQdpB&xPz?^few@d_)Sg3*VB-l>0^8y%$6iLjhpUgd6`phN)(_F~X z#4@Pc)v7ngHtWNxy1J$C>@uziDH%&eS*|3=RuGycuQ9E3Q$vg?%uq@aeaIc7@b1;g z>+TVz^6da#bYE%;{4~s|%wgwc)Z6dw_VoXE?EiOq#x8MF2=Q34L#!CpUTZ14_!&}d9zg#FaoOhcazjOrFs7NZnC?Fq0)Yr*DlUhK5%BYu>c zECxrxoDv}j9dFrXfQINSk|VP|cwaS;tSwqd3MG{;JSl(C4}yz}ilLLktO{*q+O$d#0p)3ckGoQ>-)(5mVhquXDzdHZNS^HPLp6In0(@9JSSgCyR}+ z+itI>#yTOwsh1>z0W&KAgX`i3s|JKlUN>|tREfr+Y)Rv#3E@RdMR4A*uuA*aGcy%6 zhDc0;S0}IEd^~z}`0l+vv-rRdiR#q94$cpcR1qE3pc9Kafjx}bRIaK1P7t{54wIq} zLW=rbjpov0bNZO#t#3ZJwR%%PGPFqy93A|#9sme4`1W(hx!XH^_}uYG*Xf&Y+Ibs^ zNtYWJxDM3m^gG{n8gOqq-*&baSJLyNy{5sa^KIv58#>0Bui8ghR*P<%B8tX135WAe zzoX_z=jP_-+n`2_SP;vd-+cDQoT zbNXjx6rVO_y8fSu9*YTL&tGULCQYnA2XWS-O>xA-pM)rNS!?#-?`XgLNeE+?s-b)L zXC{b^)_^k5;?F@22t$3V_7ros?mALIg`-zf8%j?{I>e|JK`dnF4d+V!~<+ZKluQ%6Q3RjK*H5-54ri9*!ONm+; z>4m>5tX`L?CuWnXI5IR;{Wd-VL=*Le@WKZ%GciL!a1G~$ld|o(20vZkp&td^AXNVl zT!+h_Rp0OTEQEd?T$ldc1%3L-x{EoUVQyUOCLm+PxbG*>9-CWJ>_SI_HyYQ7dC9L$ z?5^Q3mSlz`Zg^qcmW)Zby3?~ZVrOVtD|8Jy^18~t4~E-yIe`rp7Yh*c82!Rk^_ky9 z)969ONSQ!-`z?VFf4>vKU?ExRh!sgQ7iHBlktQ>@2q?4^`P#|0X;NUfRXs%L)+)qI z@%mV5#EMMDHvVtnG2`le01jKlW0gGC2I{Rm_E5NaJf^U?Sb$h_AeRnh8+NxE$W=pG z&(6B2R&5Mrbvxr;WLrLzZAoYz^S2GT@31b2qqsSR2H7qEjc-wByZR;R`ZLlf9E9ID~+oA~- zVwKdGrns+1<}C>WG!;TP>(n#f7j*cV<&xVd`OdN5sku z&WjpiexhHKrf}pZvDJ}LBr}PB3RAbovo`gvZNNeEgQi&R@S2+BcS6=8atIjP6R3EUd7CAzXWh-Za8_WHvc$M!{-r44)-&RvAT10$wS^;smx z^63zBHJBw9HUfi;Ae~LYCDGjexrU4V_GXD<_57qmaCV6|n>{4Q{b%T^=P-pSSI%^=XR1)VVKWRg=1cSb4`&tK`>b z76@Q7%sD9>Li*ajl$m%Ng|~(BtuP5l6s0D(c@<*a8RFfP47(PFf7r`LIF&WM4 zH|rU#c~1= zn(WrjWBz7%#_l3o3&fW2n1@)C-CB9%xz7lUz z?4j^lL9zC{)?z5F1zXKmRp^PBqs;i;i`c~5Beul4Xiax5Tzg=WLbdqPv@>}cRWvu1 z?9kbB`s;a-f$w%_Y{7yZQZ^>>mO|{)OA+c!({kfRy9k27$tk_&F9U$fXts+m6j;J1 zJU`H0_@B3npTArH;$t0|t0RW}*t-j0yhzVMfQ$)zIUy1*!jW<4>r(?RA``<_y;aPn zn2UZ8oO&^YWni?~=_tdtF1&o-=0-<7AkZxoRs;ol@F5J%>ZsglGP@zSMo({V*jxzY zOi2GYu*bq5%*cA4+XJ2dZC+RW4F~@d>Hq9Ex8y%C>pxq;uBQ*K++#n~7jFl}^6aBt zo|#f+C3SE$5}K~3hK6X!W;%F%s;E|aK{De7;drF9mz^)?>LZ+(W66tH)|vH)kgPC{ zFDIB6G%qrQ6vgu?P9g~IFs$2+G1Vzw?({Uf1gzw~&;(S^70@ahfGr@LkLl0O681%l zbMC-W&K9V-6@Bchi-H5y&PO)-C?{B-RPoWQp}sov1;L?ZJC+&ksq+d`p<}m&7S{wP ziW`w9Ms@cdk4=0DUhE1FTrmIp+D(wvlusgHl&9(3xfgJv*3!0o5$~%O{@Md35ls+J z3TH$S^J{j{Q#Ioxi9cZpKP%Ff*+!R_mz7)+3&BNlh;C+*S3~<@E3%v0(`inLoEOPP zrWHB|B1DeGHvF1nVY5Ivj7&m_KJN(&sS~qcismLcpoUXR29%Dz(ZM!d1AnV zFun#z9SmOwRwiV*eo~t?K*vGwPi%%%uTDl7C;F~_t*eT1Iv(5R&5ei>Zv{;hUYE!i z0!0P9UF64MoWh7>J!mY$6c9BvH3iKmp1+HJj|uaCu%|8mA7xp{F-oTRVa@S)FmphA4%B$!FFdeY}f!mI~G_5dJ8l%>UqR>L-)=OU%hqbg+X6}aZeyBHt9|ZJMlEIRGSS?cO7%^__OhaF zd+EV;c_#fYt#nFpY}^p-AuY<>SGN7iP6LPuyZlH-eTPH23ctQ?U7TNEk1Bt6f*SEE zPKOHF?26m2$9;MUeQTk;LDd|>yHMcRC7!T;P#v&bTfEzq`1OmXy6GH4)$w!(2YcPD6kNNb#reQ?lUH^8%XF*OulDVS z8rK$X`>KEc{<3=^=-Lj4-QZY3k$Tr^F1t#n3VGqa-j`LK8mdL|7~h$8x0T0pS?`kb zr0KIYl4|D~#>ATA-Y_M!N3v;0*v#=3iS0?}tC3Km7+=Z#RdRS#04=;XjShdA9=5~{ zwHkYE@k00K;B}&rzD&Q1u%t?F%TrkH-!~i3RUclq(4iJTRR$X0wX4O5>5l&Ae>S_`vJQB~gltS-7x#1M z>-qc3E@MKs8V@xqdqEHDmQk}i=SWT}-8s3^%%zR8_mP}@nXZ&uGnEdV{Wt)B zjLsgw4ytv`04@!z+x2WMd#CkEq^bthuT8+{$Q(knVg3Mpdo~P&OsXzZO00960fEA&L0Pp|+D)B@O literal 0 HcmV?d00001 diff --git a/charts/nutanix-csi-snapshot/nutanix-csi-snapshot/1.0.0/.helmignore b/charts/asserts/asserts/1.11.0/.helmignore similarity index 100% rename from charts/nutanix-csi-snapshot/nutanix-csi-snapshot/1.0.0/.helmignore rename to charts/asserts/asserts/1.11.0/.helmignore diff --git a/charts/asserts/asserts/1.11.0/Chart.lock b/charts/asserts/asserts/1.11.0/Chart.lock new file mode 100644 index 000000000..a22f282fb --- /dev/null +++ b/charts/asserts/asserts/1.11.0/Chart.lock @@ -0,0 +1,30 @@ +dependencies: +- name: knowledge-sensor + repository: https://asserts.github.io/helm-charts + version: 1.0.0 +- name: victoria-metrics-single + repository: https://asserts.github.io/helm-charts + version: 1.0.0 +- name: alertmanager + repository: https://asserts.github.io/helm-charts + version: 0.14.0 +- name: promxy + repository: https://asserts.github.io/helm-charts + version: 0.7.0 +- name: promxy + repository: https://asserts.github.io/helm-charts + version: 0.7.0 +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.17.1 +- name: redis + repository: https://charts.bitnami.com/bitnami + version: 16.8.7 +- name: redis + repository: https://charts.bitnami.com/bitnami + version: 16.8.7 +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 11.1.23 +digest: sha256:b3c1b799a418364aaa1fcea3c839945d761bc848e310047dc440765f9dc51d23 +generated: "2022-10-20T14:24:17.474167-07:00" diff --git a/charts/asserts/asserts/1.11.0/Chart.yaml b/charts/asserts/asserts/1.11.0/Chart.yaml new file mode 100644 index 000000000..8da3995de --- /dev/null +++ b/charts/asserts/asserts/1.11.0/Chart.yaml @@ -0,0 +1,56 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Asserts + catalog.cattle.io/kube-version: '>=1.17-0' + catalog.cattle.io/release-name: asserts +apiVersion: v2 +dependencies: +- condition: knowledge-sensor.enabled + name: knowledge-sensor + repository: file://./charts/knowledge-sensor + version: 1.0.0 +- alias: tsdb + condition: tsdb.enabled + name: victoria-metrics-single + repository: file://./charts/victoria-metrics-single + version: 1.0.0 +- condition: alertmanager.enabled + name: alertmanager + repository: file://./charts/alertmanager + version: 0.14.0 +- alias: promxyruler + condition: promxyruler.enabled + name: promxy + repository: file://./charts/promxy + version: 0.7.0 +- alias: promxyuser + condition: promxyuser.enabled + name: promxy + repository: file://./charts/promxy + version: 0.7.0 +- name: common + repository: file://./charts/common + version: 1.x.x +- alias: redisgraph + condition: redisgraph.enabled + name: redis + repository: file://./charts/redis + version: 16.8.7 +- alias: redisearch + condition: redisearch.enabled + name: redis + repository: file://./charts/redis + version: 16.8.7 +- alias: postgres + condition: postgres.enabled + name: postgresql + repository: file://./charts/postgresql + version: 11.1.23 +description: Asserts Helm Chart to configure entire asserts stack +icon: https://www.asserts.ai/favicon.png +maintainers: +- name: Asserts + url: https://github.com/asserts +name: asserts +type: application +version: 1.11.0 diff --git a/charts/asserts/asserts/1.11.0/README.md b/charts/asserts/asserts/1.11.0/README.md new file mode 100644 index 000000000..3df5964a6 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/README.md @@ -0,0 +1,93 @@ +# Asserts + +[Asserts](http://www.asserts.ai) is a metrics intelligence platform built on Prometheus’s open ecosystem. Asserts scans your metrics to build a dependency graph and then analyzes them using Asserts's [SAAFE](https://docs.asserts.ai/understanding-saafe-model) model. + +## Introduction + +This chart bootstraps an [Asserts](https://www.asserts.ai) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.17+ +- Helm 3.2.0+ +- PV provisioner support in the underlying infrastructure +- A Prometheus compatible endpoint to query +- [kube-state-metrics](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics) (metrics from the Prometheus endpoint) +- [node-exporter](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-node-exporter) (metrics from the Prometheus endpoint) + +## Installing the Chart + +### You ARE running Prometheus-Operator in the same cluster you are installing Asserts + +```bash +helm repo add asserts https://asserts.github.io/helm-charts +helm repo update +helm install asserts asserts/asserts +``` + +### You ARE NOT running Prometheus-Operator in the same cluster as where Asserts is installed + +Create a values file, here we will call it `your-values.yaml`: + +```yaml +## Asserts cluster env and site +## +## IGNORE IF RUNNING Promtheus-Operator!!! +## +## This is required in order for Asserts to scrape a +## and monitor itself. This should be set to the env and site +## of the cluster asserts is being installed in. +## This means that the env and site of the datasource +## for this cluster (set in the Asserts UI after installing) +assertsClusterEnv: your-env +# optional (e.g. us-west-2) +assertsClusterSite: "" +``` + +```bash +helm repo add asserts https://asserts.github.io/helm-charts +helm repo update +helm install asserts asserts/asserts -f your-values.yaml +``` + +## Verify and Access + +Once all containers are initialized and running: + +```bash +kubectl get pods -l app.kubernetes.io/instance=asserts +``` + +You can then login to the asserts-ui by running: + +```bash +kubectl port-forward svc/asserts-ui 8080 +``` + +And opening your browser to [http://localhost:8080](http://localhost:8080) +you will be directed to the Asserts Registration page. There you can acquire +a license as seen [here](https://docs.asserts.ai/getting-started/self-hosted/helm-chart#see-the-data) + +## Configuring Promethueus DataSources +Configure your Prometheus DataSource which Asserts will connect to +and query by following [these instructions](https://docs.asserts.ai/integrations/data-source/prometheus) + +## Uninstalling the Chart + +To uninstall/delete the `asserts` deployment: + +```console +helm delete asserts +``` + +The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. + +To delete the PVC's associated with `asserts`: + +```bash +kubectl delete pvc -l app.kubernetes.io/instance=asserts +``` + +> **Note**: Deleting the PVC's will delete all asserts related data as well. + + diff --git a/charts/asserts/asserts/1.11.0/app-readme.md b/charts/asserts/asserts/1.11.0/app-readme.md new file mode 100644 index 000000000..5d1a1ec08 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/app-readme.md @@ -0,0 +1,11 @@ +# Asserts + +[Asserts](https://www.asserts.ai/) - Get to the root cause faster! + +## Installation + +Asserts is all you need to transform your Prometheus metrics into an intelligent graph and contextual alerts. + +## More Info + +Visit our [Getting Started](https://docs.asserts.ai/getting-started/introduction) page for more instructions. diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/.helmignore b/charts/asserts/asserts/1.11.0/charts/alertmanager/.helmignore new file mode 100644 index 000000000..7653e97e6 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +unittests/ diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/Chart.yaml b/charts/asserts/asserts/1.11.0/charts/alertmanager/Chart.yaml new file mode 100644 index 000000000..8ba6407d5 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: v0.23.0 +description: The Alertmanager handles alerts sent by client applications such as the +maintainers: +- name: Asserts + url: https://github.com/asserts +name: alertmanager +sources: +- https://github.com/prometheus/alertmanager +type: application +version: 0.14.0 diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/README.md b/charts/asserts/asserts/1.11.0/charts/alertmanager/README.md new file mode 100644 index 000000000..7daae41d0 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/README.md @@ -0,0 +1,69 @@ +# Alertmanager + +As per [prometheus.io documentation](https://prometheus.io/docs/alerting/latest/alertmanager/): +> The Alertmanager handles alerts sent by client applications such as the +> Prometheus server. It takes care of deduplicating, grouping, and routing them +> to the correct receiver integration such as email, PagerDuty, or OpsGenie. It +> also takes care of silencing and inhibition of alerts. + +## Prerequisites + +Kubernetes 1.14+ + +## Get Repo Info + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +# Helm 3 +$ helm install [RELEASE_NAME] prometheus-community/alertmanager + +# Helm 2 +$ helm install --name [RELEASE_NAME] prometheus-community/alertmanager +``` + +_See [configuration](#configuration) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Uninstall Chart + +```console +# Helm 3 +$ helm uninstall [RELEASE_NAME] + +# Helm 2 +# helm delete --purge [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +## Upgrading Chart + +```console +# Helm 3 or 2 +$ helm upgrade [RELEASE_NAME] [CHART] --install +``` + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: + +```console +# Helm 2 +$ helm inspect values prometheus-community/alertmanager + +# Helm 3 +$ helm show values prometheus-community/alertmanager +``` diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/ci/config-reload-values.yaml b/charts/asserts/asserts/1.11.0/charts/alertmanager/ci/config-reload-values.yaml new file mode 100644 index 000000000..cba5de8e2 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/ci/config-reload-values.yaml @@ -0,0 +1,2 @@ +configmapReload: + enabled: true diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/NOTES.txt b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/NOTES.txt new file mode 100644 index 000000000..91577ad79 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/NOTES.txt @@ -0,0 +1,21 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "alertmanager.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "alertmanager.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "alertmanager.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "alertmanager.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:{{ .Values.service.port }} to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME {{ .Values.service.port }}:80 +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/_helpers.tpl b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/_helpers.tpl new file mode 100644 index 000000000..0c5fe68b4 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/_helpers.tpl @@ -0,0 +1,87 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "alertmanager.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "alertmanager.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "alertmanager.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "alertmanager.labels" -}} +helm.sh/chart: {{ include "alertmanager.chart" . }} +{{ include "alertmanager.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "alertmanager.selectorLabels" -}} +app.kubernetes.io/name: {{ include "alertmanager.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "alertmanager.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "alertmanager.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Set the config name +*/}} +{{- define "alertmanager.configName" -}} +{{- if .Values.existingConfigMap }} +{{- .Values.existingConfigMap }} +{{- else }} +{{- include "alertmanager.fullname" . }} +{{- end }} +{{- end }} + +{{/* +Renders a value that contains template. +Usage: +{{ include "render-values" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "render-values" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/configmap.yaml b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/configmap.yaml new file mode 100644 index 000000000..f9858ca20 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/configmap.yaml @@ -0,0 +1,15 @@ +{{- if not .Values.existingConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "alertmanager.fullname" . }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} +data: + alertmanager.yml: | + {{- toYaml .Values.config | default "{}" | nindent 4 }} + {{- range $key, $value := .Values.templates }} + {{ $key }}: |- + {{- $value | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/ingress.yaml b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/ingress.yaml new file mode 100644 index 000000000..efc9599c0 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/ingress.yaml @@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "alertmanager.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/pdb.yaml b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/pdb.yaml new file mode 100644 index 000000000..f6f8b3e80 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/pdb.yaml @@ -0,0 +1,13 @@ +{{- if .Values.podDisruptionBudget -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "alertmanager.fullname" . }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "alertmanager.selectorLabels" . | nindent 6 }} +{{ toYaml .Values.podDisruptionBudget | indent 2 }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/serviceaccount.yaml b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/serviceaccount.yaml new file mode 100644 index 000000000..9ca80f4cb --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "alertmanager.serviceAccountName" . }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/services.yaml b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/services.yaml new file mode 100644 index 000000000..c20914743 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/services.yaml @@ -0,0 +1,48 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "alertmanager.fullname" . }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} +{{- if .Values.service.annotations }} + annotations: + {{- toYaml .Values.service.annotations | nindent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + {{- if (and (eq .Values.service.type "NodePort") .Values.service.nodePort) }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + selector: + {{- include "alertmanager.selectorLabels" . | nindent 4 }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "alertmanager.fullname" . }}-headless + labels: + {{- include "alertmanager.labels" . | nindent 4 }} +spec: + clusterIP: None + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + {{- if or (gt .Values.replicaCount 1.0) (.Values.additionalPeers) }} + - port: 9094 + targetPort: 9094 + protocol: TCP + name: cluster-tcp + - port: 9094 + targetPort: 9094 + protocol: UDP + name: cluster-udp + {{- end }} + selector: + {{- include "alertmanager.selectorLabels" . | nindent 4 }} diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/statefulset.yaml b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/statefulset.yaml new file mode 100644 index 000000000..cceed4006 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/statefulset.yaml @@ -0,0 +1,148 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "alertmanager.fullname" . }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} +{{- if .Values.statefulSet.annotations }} + annotations: + {{ toYaml .Values.statefulSet.annotations | nindent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "alertmanager.selectorLabels" . | nindent 6 }} + serviceName: {{ include "alertmanager.fullname" . }}-headless + template: + metadata: + labels: + {{- include "alertmanager.selectorLabels" . | nindent 8 }} +{{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | nindent 8 }} +{{- end }} + annotations: + {{- if not .Values.configmapReload.enabled }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} +{{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | nindent 8 }} +{{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "alertmanager.serviceAccountName" . }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + {{- if and (.Values.configmapReload.enabled) (.Values.config) }} + - name: {{ .Chart.Name }}-{{ .Values.configmapReload.name }} + image: "{{ .Values.configmapReload.image.repository }}:{{ .Values.configmapReload.image.tag }}" + imagePullPolicy: "{{ .Values.configmapReload.image.pullPolicy }}" + args: + - --volume-dir=/etc/alertmanager + - --webhook-url=http://127.0.0.1:{{ .Values.service.port }}/-/reload + resources: + {{- toYaml .Values.configmapReload.resources | nindent 12 }} + volumeMounts: + - name: config + mountPath: /etc/alertmanager + {{- end }} + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP +{{- if .Values.command }} + command: + {{- toYaml .Values.command | nindent 12 }} +{{- end }} + args: + - --storage.path=/alertmanager + - --config.file=/etc/alertmanager/alertmanager.yml + {{- if or (gt .Values.replicaCount 1.0) (.Values.additionalPeers) }} + - --cluster.advertise-address=$(POD_IP):9094 + - --cluster.listen-address=0.0.0.0:9094 + {{- end }} + {{- if gt .Values.replicaCount 1.0}} + {{- $fullName := include "alertmanager.fullname" . }} + {{- range $i := until (int .Values.replicaCount) }} + - --cluster.peer={{ $fullName }}-{{ $i }}.{{ $fullName }}-headless:9094 + {{- end }} + {{- end }} + {{- if .Values.additionalPeers }} + {{- range $item := .Values.additionalPeers }} + - --cluster.peer={{ $item }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + ports: + - name: http + containerPort: 9093 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: config + mountPath: /etc/alertmanager + - name: storage + mountPath: /alertmanager + volumes: + - name: config + configMap: + name: {{ include "alertmanager.configName" .}} + {{- if .Values.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: storage + spec: + accessModes: + {{- toYaml .Values.persistence.accessModes | nindent 10 }} + resources: + requests: + storage: {{ .Values.persistence.size }} + {{- if .Values.persistence.storageClass }} + {{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: {{ .Values.persistence.storageClass }} + {{- end }} + {{- end }} +{{- else }} + - name: storage + emptyDir: {} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/tests/test-connection.yaml b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/tests/test-connection.yaml new file mode 100644 index 000000000..d1cdb7906 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "alertmanager.fullname" . }}-test-connection" + labels: + {{- include "alertmanager.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "alertmanager.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/charts/asserts/asserts/1.11.0/charts/alertmanager/values.yaml b/charts/asserts/asserts/1.11.0/charts/alertmanager/values.yaml new file mode 100644 index 000000000..c82ca465d --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/alertmanager/values.yaml @@ -0,0 +1,167 @@ +# Default values for alertmanager. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +clusterDomain: svc.cluster.local + +replicaCount: 1 + +image: + repository: quay.io/prometheus/alertmanager + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +extraArgs: {} + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + +podSecurityContext: + fsGroup: 65534 +dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 +securityContext: + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + +additionalPeers: [] + +service: + annotations: {} + type: ClusterIP + port: 9093 + # if you want to force a specific nodePort. Must be use with service.type=NodePort + # nodePort: + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: alertmanager.domain.com + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - alertmanager.domain.com + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 32Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +statefulSet: + annotations: {} + +podAnnotations: {} +podLabels: {} + +# Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +podDisruptionBudget: {} + # maxUnavailable: 1 + # minAvailable: 1 + +command: [] + +persistence: + enabled: true + ## Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 50Mi + +# existing configmap name +# else config values will be used +existingConfigMap: + +config: + global: {} + # slack_api_url: '' + + templates: + - '/etc/alertmanager/*.tmpl' + + receivers: + - name: default-receiver + # slack_configs: + # - channel: '@you' + # send_resolved: true + + route: + group_wait: 10s + group_interval: 5m + receiver: default-receiver + repeat_interval: 3h + +## Monitors ConfigMap changes and POSTs to a URL +## Ref: https://github.com/jimmidyson/configmap-reload +## +configmapReload: + ## If false, the configmap-reload container will not be deployed + ## + enabled: false + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + repository: jimmidyson/configmap-reload + tag: v0.5.0 + pullPolicy: IfNotPresent + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + +templates: {} +# alertmanager.tmpl: |- diff --git a/charts/asserts/asserts/1.11.0/charts/common/.helmignore b/charts/asserts/asserts/1.11.0/charts/common/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/asserts/asserts/1.11.0/charts/common/Chart.yaml b/charts/asserts/asserts/1.11.0/charts/common/Chart.yaml new file mode 100644 index 000000000..39edbb3c5 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 1.17.1 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/master/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- name: Bitnami + url: https://github.com/bitnami/charts +name: common +sources: +- https://github.com/bitnami/charts +- https://www.bitnami.com/ +type: library +version: 1.17.1 diff --git a/charts/asserts/asserts/1.11.0/charts/common/README.md b/charts/asserts/asserts/1.11.0/charts/common/README.md new file mode 100644 index 000000000..a2ecd6044 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/README.md @@ -0,0 +1,350 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 1.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | +| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | +| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | +| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | +| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|-----------------------------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Input | +|-----------------------------------|-----------------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | +| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.mysql.passwords` | This helper will ensure required password for MySQL are not empty. It returns a shared error for all the values. | `dict "secret" "mysql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mysql chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis® are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_affinities.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_affinities.tpl new file mode 100644 index 000000000..2387be262 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_affinities.tpl @@ -0,0 +1,102 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ include "common.names.namespace" .context | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ include "common.names.namespace" .context | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_capabilities.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_capabilities.tpl new file mode 100644 index 000000000..9d9b76004 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_capabilities.tpl @@ -0,0 +1,154 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_errors.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_errors.tpl new file mode 100644 index 000000000..a79cc2e32 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_images.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_images.tpl new file mode 100644 index 000000000..42ffbc722 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_images.tpl @@ -0,0 +1,75 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $tag := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if $registryName }} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- else -}} +{{- printf "%s:%s" $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_ingress.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_ingress.tpl new file mode 100644 index 000000000..8caf73a61 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_ingress.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_labels.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_labels.tpl new file mode 100644 index 000000000..252066c7e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_names.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_names.tpl new file mode 100644 index 000000000..1bdac8b77 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_names.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified app name adding the installation's namespace. +*/}} +{{- define "common.names.fullname.namespace" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_secrets.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_secrets.tpl new file mode 100644 index 000000000..a53fb44f7 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_secrets.tpl @@ -0,0 +1,140 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key }} + {{- else }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_storage.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_storage.tpl new file mode 100644 index 000000000..60e2a844f --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_tplvalues.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_tplvalues.tpl new file mode 100644 index 000000000..2db166851 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_utils.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_utils.tpl new file mode 100644 index 000000000..8c22b2a38 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/_warnings.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/_warnings.tpl new file mode 100644 index 000000000..ae10fa41e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_cassandra.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 000000000..ded1ae3bc --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mariadb.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 000000000..b6906ff77 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mongodb.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 000000000..f820ec107 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mysql.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mysql.tpl new file mode 100644 index 000000000..74472a061 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_mysql.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MySQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mysql.passwords" -}} + {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mysql.values.enabled" . -}} + {{- $architecture := include "common.mysql.values.architecture" . -}} + {{- $authPrefix := include "common.mysql.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mysql. + +Usage: +{{ include "common.mysql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mysql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mysql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.key.auth" -}} + {{- if .subchart -}} + mysql.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_postgresql.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 000000000..164ec0d01 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_redis.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_redis.tpl new file mode 100644 index 000000000..dcccfc1ae --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,76 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis® required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_validations.tpl b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_validations.tpl new file mode 100644 index 000000000..9a814cf40 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/common/values.yaml b/charts/asserts/asserts/1.11.0/charts/common/values.yaml new file mode 100644 index 000000000..f2df68e5e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/common/values.yaml @@ -0,0 +1,5 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/charts/nutanix-csi-snapshot/nutanix-csi-snapshot/6.0.101/.helmignore b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/.helmignore similarity index 100% rename from charts/nutanix-csi-snapshot/nutanix-csi-snapshot/6.0.101/.helmignore rename to charts/asserts/asserts/1.11.0/charts/knowledge-sensor/.helmignore diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/Chart.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/Chart.yaml new file mode 100644 index 000000000..3142ea4b4 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: v1.1.8 +description: Asserts Knowledge Sensor Helm Chart +maintainers: +- email: arramos@asserts.ai + name: arramos84 +name: knowledge-sensor +version: 1.0.0 diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/README.md b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/README.md new file mode 100644 index 000000000..9b37cffd8 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/README.md @@ -0,0 +1,12 @@ +# Asserts Knowledge Sensor Helm Chart + +Installs Asserts Knowledge Sensor for federation from a customer Prometheus server +and remote-writes to the Asserts Cloud. + +## Requirements + +* `helm` version >= 3.0 (`brew install helm`) + +## Deploying Charts + +TODO diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/_helpers.tpl b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/_helpers.tpl new file mode 100644 index 000000000..830d9b216 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/_helpers.tpl @@ -0,0 +1,116 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "knowledge-sensor.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "knowledge-sensor.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "knowledge-sensor.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "knowledge-sensor.labels" -}} +helm.sh/chart: {{ include "knowledge-sensor.chart" . }} +{{ include "knowledge-sensor.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "knowledge-sensor.selectorLabels" -}} +app.kubernetes.io/name: {{ include "knowledge-sensor.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "knowledge-sensor.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "knowledge-sensor.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Renders a value that contains template. +Usage: +{{ include "render-values" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "render-values" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{/* +Get KubeVersion removing pre-release information. +*/}} +{{- define "kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "kubeVersion" .)) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "ingress.isStable" -}} + {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "ingress.supportsIngressClassName" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "kubeVersion" .))) -}} +{{- end -}} + +{{/* +Return if ingress supports pathType. +*/}} +{{- define "ingress.supportsPathType" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "kubeVersion" .))) -}} +{{- end -}} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/concurrency-config-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/concurrency-config-configmap.yaml new file mode 100644 index 000000000..1c5657ad0 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/concurrency-config-configmap.yaml @@ -0,0 +1,12 @@ +{{- if .Values.concurrency.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "knowledge-sensor.fullname" . }}-concurrency + labels: + app: {{ template "knowledge-sensor.fullname" . }} + component: concurrency-config +data: + concurrency.yml: | +{{- toYaml .Values.concurrency.config | nindent 4 }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/deployment.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/deployment.yaml new file mode 100644 index 000000000..b08a181ed --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/deployment.yaml @@ -0,0 +1,107 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "knowledge-sensor.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "knowledge-sensor.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: {{- include "knowledge-sensor.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: {{- include "knowledge-sensor.labels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "knowledge-sensor.serviceAccountName" . }} + securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.initContainers }} + initContainers: {{ include "render-values" ( dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + command: + - {{ .Values.command }} + securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: SYNC_INTERVAL + value: "{{ .Values.syncInterval }}" + - name: LOG_LEVEL + value: "{{ .Values.logLevel }}" + - name: IN_CLUSTER + value: "{{ .Values.inCluster }}" + - name: NAMESPACE + value: "{{ .Release.Namespace }}" + - name: ASSERTS_CONTROLLER_HOST + value: {{ include "render-values" ( dict "value" .Values.assertsControllerHost "context" $) }} + - name: ASSERTS_TENANT + value: "{{ .Values.assertsTenant }}" + - name: PROMETHEUS_RULES_CONFIGMAP + value: "{{ .Values.prometheusRulesConfigmapName }}" + - name: PROMETHEUS_RULES_TARGET_DIR + value: "{{ .Values.prometheusRulesTargetDir }}" + - name: PROMETHEUS_RELABEL_RULES_CONFIGMAP + value: "{{ .Values.prometheusRelabelRulesConfigmapName }}" + - name: PROMETHEUS_RELABEL_RULES_TARGET_DIR + value: "{{ .Values.prometheusRelabelRulesTargetDir }}" + {{- if .Values.promxyEnabled }} + - name: PROMXYUSER_CONFIGMAP + value: "{{ .Values.promxyUserConfigmapName }}" + - name: PROMXYRULER_CONFIGMAP + value: "{{ .Values.promxyRulerConfigmapName }}" + - name: PROMXY_CONFIG_TARGET_DIR + value: "{{ .Values.promxyConfigTargetDir }}" + {{- end }} + {{- if .Values.passwordSecret }} + - name: ASSERTS_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ .Values.assertsTenant }}-knowledge-sensor" + key: password + {{- end }} + {{- if .Values.concurrency.enabled }} + - name: CONCURRENCY_CONFIG_PATH + value: "{{ .Values.concurrency.path }}" + {{- end }} + + {{- if .Values.concurrency.enabled }} + volumeMounts: + - name: concurrency-config + mountPath: "{{ .Values.concurrency.path }}" + subPath: concurrency.yml + readOnly: true + {{- end }} + + ports: + - name: http + containerPort: 8080 + protocol: TCP + + livenessProbe: {{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: {{- toYaml .Values.readinessProbe | nindent 12 }} + resources: {{- toYaml .Values.resources | nindent 12 }} + + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + + {{- if .Values.concurrency.enabled }} + volumes: + - name: concurrency-config + configMap: + name: {{ include "knowledge-sensor.fullname" . }}-concurrency + {{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/ingress.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/ingress.yaml new file mode 100644 index 000000000..88e5983ed --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/ingress.yaml @@ -0,0 +1,56 @@ +{{- if .Values.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $serviceName := include "knowledge-sensor.fullname" . }} +{{- $servicePort := .Values.service.port -}} +{{- $ingressPath := .Values.ingress.path -}} +{{- $ingressPathType := .Values.ingress.pathType -}} +{{- $extraPaths := .Values.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.ingress.annotations }} + annotations: +{{ toYaml .Values.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "knowledge-sensor.labels" . | nindent 4 }} +{{- range $key, $value := .Values.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + name: {{ template "knowledge-sensor.fullname" . }} + namespace: {{ .Release.Namespace | quote }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.ingress.tls }} + tls: +{{ toYaml .Values.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-config-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-config-configmap.yaml new file mode 100644 index 000000000..2c19f06d5 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-config-configmap.yaml @@ -0,0 +1,9 @@ +{{- if eq .Values.command "knowledge-sensor-customer" -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: "prometheus" + component: "prometheus" + name: "{{ .Values.prometheusConfigConfigmapName }}" +{{- end }} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-relabel-rules-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-relabel-rules-configmap.yaml new file mode 100644 index 000000000..c938d2e86 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-relabel-rules-configmap.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: "prometheus" + component: "prometheus-relabel-rules" + name: "{{ .Values.prometheusRelabelRulesConfigmapName }}" diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-rules-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-rules-configmap.yaml new file mode 100644 index 000000000..bc3a9948d --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/prometheus-rules-configmap.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: "prometheus" + component: "prometheus-rules" + name: "{{ .Values.prometheusRulesConfigmapName }}" diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/promxyruler-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/promxyruler-configmap.yaml new file mode 100644 index 000000000..1edee23ee --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/promxyruler-configmap.yaml @@ -0,0 +1,9 @@ +{{- if .Values.promxyEnabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: "promxy" + component: "promxy-config" + name: "{{ .Values.promxyRulerConfigmapName }}" +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/promxyuser-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/promxyuser-configmap.yaml new file mode 100644 index 000000000..f77e75dcf --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/promxyuser-configmap.yaml @@ -0,0 +1,9 @@ +{{- if .Values.promxyEnabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: "promxy" + component: "promxy-config" + name: "{{ .Values.promxyUserConfigmapName }}" +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/role.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/role.yaml new file mode 100644 index 000000000..867f57eaf --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/role.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "knowledge-sensor.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "knowledge-sensor.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/rolebinding.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/rolebinding.yaml new file mode 100644 index 000000000..135dffa7e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/rolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "knowledge-sensor.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "knowledge-sensor.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "knowledge-sensor.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ include "knowledge-sensor.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/service.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/service.yaml new file mode 100644 index 000000000..3ca6b74db --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "knowledge-sensor.fullname" . }} + labels: {{- include "knowledge-sensor.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: {{- include "knowledge-sensor.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/serviceaccount.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/serviceaccount.yaml new file mode 100644 index 000000000..99527811b --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "knowledge-sensor.serviceAccountName" . }} + labels: {{- include "knowledge-sensor.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- with .Values.serviceAccount.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/values.yaml b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/values.yaml new file mode 100644 index 000000000..0472521c2 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/knowledge-sensor/values.yaml @@ -0,0 +1,147 @@ +clusterDomain: svc.cluster.local + +replicaCount: 1 + +rbac: + create: true + +image: + repository: asserts/knowledge-sensor + tag: + pullPolicy: IfNotPresent + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +initContainers: [] + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + +podSecurityContext: {} +# fsGroup: 2000 + +securityContext: + {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true +# runAsUser: 1000 + +service: + type: ClusterIP + port: 8080 + +ingress: + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + annotations: {} + + extraLabels: {} + + hosts: [] + # - knowledge-sensor.domain.com + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + tls: [] + # - secretName: knowledge-sensor-tls + # hosts: + # - knowledge-sensor.domain.com +resources: + {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +livenessProbe: + httpGet: + path: /health + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 9 + failureThreshold: 3 + +readinessProbe: + httpGet: + path: /health + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 9 + failureThreshold: 3 + +syncInterval: 60 +logLevel: "info" +inCluster: "True" +assertsControllerHost: "http://asserts-server.{{.Release.Namespace}}.{{.Values.clusterDomain}}" +assertsTenant: "bootstrap" + +prometheusRulesConfigmapName: "prometheus-rules" +prometheusRulesTargetDir: "/etc/vmagent/rules" +prometheusRelabelRulesConfigmapName: "prometheus-relabel-rules" +prometheusRelabelRulesTargetDir: "/etc/vmagent/relabel" + +promxyEnabled: false +promxyUserConfigmapName: "asserts-promxyuser" +promxyRulerConfigmapName: "asserts-promxyruler" +promxyConfigTargetDir: "/etc/promxy" + +passwordSecret: false + +## Rules concurrency configuration +## This is for use specifically with +## vmalert as it supports concurrency +## +## ref: https://docs.victoriametrics.com/vmalert.html#groups +concurrency: + enabled: false + # filepath the knowledge-sensor reads the concurrency file from + # shouldn't change this at the moment + path: "/ai/asserts/knowledge_sensor/resources/concurrency.yml" + # config takes a list of rule prefixes and their concurrency + # + # e.g. --> Run all rules with a concurrency of 2 + # config: + # concurrency: + # - .*:2 + config: {} +# concurrency: +# enabled: true +# path: "/ai/asserts/knowledge_sensor/resources/concurrency.yml" +# config: +# concurrency: +# - .*: 2 + +## Command dictating the "mode" the +## knowledge-sensor should run in +## this is mainly a legacy option that +## may be revived in the future +command: knowledge-sensor-cloud diff --git a/charts/nutanix-csi-storage/nutanix-csi-storage/2.3.100/.helmignore b/charts/asserts/asserts/1.11.0/charts/postgresql/.helmignore similarity index 100% rename from charts/nutanix-csi-storage/nutanix-csi-storage/2.3.100/.helmignore rename to charts/asserts/asserts/1.11.0/charts/postgresql/.helmignore diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/Chart.lock b/charts/asserts/asserts/1.11.0/charts/postgresql/Chart.lock new file mode 100644 index 000000000..7163491b3 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.13.0 +digest: sha256:b6a17da2d82c85b2f3ad6550d93780de4de63eba4a528ae2d5bc9934c122a856 +generated: "2022-03-26T06:13:30.244559427Z" diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/Chart.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/Chart.yaml new file mode 100644 index 000000000..076cb5266 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/Chart.yaml @@ -0,0 +1,30 @@ +annotations: + category: Database +apiVersion: v2 +appVersion: 14.2.0 +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.x.x +description: PostgreSQL (Postgres) is an open source object-relational database known + for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, + views, triggers and stored procedures. +home: https://github.com/bitnami/charts/tree/master/bitnami/postgresql +icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png +keywords: +- postgresql +- postgres +- database +- sql +- replication +- cluster +maintainers: +- email: containers@bitnami.com + name: Bitnami +- email: cedric@desaintmartin.fr + name: desaintmartin +name: postgresql +sources: +- https://github.com/bitnami/bitnami-docker-postgresql +- https://www.postgresql.org/ +version: 11.1.23 diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/README.md b/charts/asserts/asserts/1.11.0/charts/postgresql/README.md new file mode 100644 index 000000000..954848140 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/README.md @@ -0,0 +1,662 @@ + + +# PostgreSQL packaged by Bitnami + +PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures. + +[Overview of PostgreSQL](http://www.postgresql.org) + +Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. + +## TL;DR + +```bash +helm repo add bitnami https://charts.bitnami.com/bitnami +helm install my-release bitnami/postgresql +``` + +## Introduction + +This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +helm install my-release bitnami/postgresql +``` + +The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +helm delete my-release +``` + +The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. + +To delete the PVC's associated with `my-release`: + +```bash +kubectl delete pvc -l release=my-release +``` + +> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` | +| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` | +| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` | +| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` | +| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`) | `""` | +| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | + + +### Common parameters + +| Name | Description | Value | +| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override common.names.fullname template | `""` | +| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` | +| `commonLabels` | Add labels to all the deployed resources | `{}` | +| `commonAnnotations` | Add annotations to all the deployed resources | `{}` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the statefulset | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the statefulset | `["infinity"]` | + + +### PostgreSQL common parameters + +| Name | Description | Value | +| ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `image.registry` | PostgreSQL image registry | `docker.io` | +| `image.repository` | PostgreSQL image repository | `bitnami/postgresql` | +| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `14.2.0-debian-10-r58` | +| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify image pull secrets | `[]` | +| `image.debug` | Specify if debug values should be set | `false` | +| `auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` | +| `auth.postgresPassword` | Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided | `""` | +| `auth.username` | Name for a custom user to create | `""` | +| `auth.password` | Password for the custom user to create. Ignored if `auth.existingSecret` with key `password` is provided | `""` | +| `auth.database` | Name for a custom database to create | `""` | +| `auth.replicationUsername` | Name of the replication user | `repl_user` | +| `auth.replicationPassword` | Password for the replication user. Ignored if `auth.existingSecret` with key `replication-password` is provided | `""` | +| `auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. The secret must contain the keys `postgres-password` (which is the password for "postgres" admin user), `password` (which is the password for the custom user to create when `auth.username` is set) and `replication-password` (which is the password for replication user). `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""` | +| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` | +| `architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` | +| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | +| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. | `0` | +| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | +| `containerPorts.postgresql` | PostgreSQL container port | `5432` | +| `audit.logHostname` | Log client hostnames | `false` | +| `audit.logConnections` | Add client log-in operations to the log file | `false` | +| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` | +| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `""` | +| `audit.pgAuditLogCatalog` | Log catalog using pgAudit | `off` | +| `audit.clientMinMessages` | Message log level to share with the user | `error` | +| `audit.logLinePrefix` | Template for log line prefix (default if not set) | `""` | +| `audit.logTimezone` | Timezone for the log timestamps | `""` | +| `ldap.enabled` | Enable LDAP support | `false` | +| `ldap.url` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn` | `""` | +| `ldap.server` | IP address or name of the LDAP server. | `""` | +| `ldap.port` | Port number on the LDAP server to connect to | `""` | +| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `""` | +| `ldap.suffix` | String to append to the user name when forming the DN to bind | `""` | +| `ldap.baseDN` | Root DN to begin the search for the user in | `""` | +| `ldap.bindDN` | DN of user to bind to LDAP | `""` | +| `ldap.bind_password` | Password for the user to bind to LDAP | `""` | +| `ldap.search_attr` | Attribute to match against the user name in the search | `""` | +| `ldap.search_filter` | The search filter to use when doing search+bind authentication | `""` | +| `ldap.scheme` | Set to `ldaps` to use LDAPS | `""` | +| `ldap.tls` | Set to `1` to use TLS encryption | `""` | +| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql/data` | +| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` | +| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) | `true` | +| `shmVolume.sizeLimit` | Set this to enable a size limit on the shm tmpfs | `""` | +| `tls.enabled` | Enable TLS traffic support | `false` | +| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` | +| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` | +| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `""` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename | `""` | +| `tls.crlFilename` | File containing a Certificate Revocation List | `""` | + + +### PostgreSQL Primary parameters + +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- | +| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` | +| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` | +| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` | +| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` | +| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` | +| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` | +| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` | +| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` | +| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` | +| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` | +| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` | +| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` | +| `primary.standby.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` | +| `primary.standby.primaryHost` | The Host of replication primary in the other cluster | `""` | +| `primary.standby.primaryPort` | The Port of replication primary in the other cluster | `""` | +| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` | +| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` | +| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` | +| `primary.command` | Override default container command (useful when using custom images) | `[]` | +| `primary.args` | Override default container args (useful when using custom images) | `[]` | +| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` | +| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` | +| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers | `false` | +| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` | +| `primary.resources.limits` | The resources limits for the PostgreSQL Primary containers | `{}` | +| `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` | +| `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` | +| `primary.podSecurityContext.enabled` | Enable security context | `true` | +| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | +| `primary.containerSecurityContext.enabled` | Enable container security context | `true` | +| `primary.containerSecurityContext.runAsUser` | User ID for the container | `1001` | +| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` | +| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | +| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` | +| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | +| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | +| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` | +| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` | +| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` | +| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `{}` | +| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` | +| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | +| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` | +| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` | +| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` | +| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` | +| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` | +| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` | +| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` | +| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` | +| `primary.service.type` | Kubernetes Service type | `ClusterIP` | +| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` | +| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | +| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` | +| `primary.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | +| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | +| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` | +| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` | +| `primary.persistence.existingClaim` | Name of an existing PVC to use | `""` | +| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | +| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` | +| `primary.persistence.storageClass` | PVC Storage Class for PostgreSQL Primary data volume | `""` | +| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | +| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `primary.persistence.annotations` | Annotations for the PVC | `{}` | +| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `primary.persistence.dataSource` | Custom PVC data source | `{}` | + + +### PostgreSQL read only replica parameters + +| Name | Description | Value | +| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- | +| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` | +| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` | +| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` | +| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` | +| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` | +| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` | +| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` | +| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` | +| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` | +| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` | +| `readReplicas.resources.limits` | The resources limits for the PostgreSQL read only containers | `{}` | +| `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` | +| `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` | +| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` | +| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | +| `readReplicas.containerSecurityContext.enabled` | Enable container security context | `true` | +| `readReplicas.containerSecurityContext.runAsUser` | User ID for the container | `1001` | +| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` | +| `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` | +| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` | +| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` | +| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` | +| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` | +| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` | +| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` | +| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` | +| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` | +| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `{}` | +| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` | +| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | +| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` | +| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` | +| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` | +| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` | +| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` | +| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` | +| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` | +| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | +| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` | +| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | +| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | +| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` | +| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` | +| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | +| `readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` | +| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` | +| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | +| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` | +| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` | + + +### NetworkPolicy parameters + +| Name | Description | Value | +| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `networkPolicy.enabled` | Enable network policies | `false` | +| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` | +| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | +| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `{}` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `{}` | +| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | +| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | + + +### Volume Permissions parameters + +| Name | Description | Value | +| ------------------------------------------------------ | ------------------------------------------------------------------------------- | ----------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `10-debian-10-r388` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | +| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | + + +### Other Parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `false` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | +| `rbac.rules` | Custom RBAC rules to set | `[]` | +| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | + + +### Metrics Parameters + +| Name | Description | Value | +| ----------------------------------------------- | ------------------------------------------------------------------------------------- | --------------------------- | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` | +| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` | +| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.10.1-debian-10-r76` | +| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | +| `metrics.customMetrics` | Define additional custom metrics | `{}` | +| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enable PostgreSQL Prometheus exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.runAsUser` | Set PostgreSQL Prometheus exporter containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot | `true` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` | +| `metrics.resources.limits` | The resources limits for the PostgreSQL Prometheus exporter container | `{}` | +| `metrics.resources.requests` | The requested resources for the PostgreSQL Prometheus exporter container | `{}` | +| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` | +| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +$ helm install my-release \ + --set auth.postgresPassword=secretpassword + bitnami/postgresql +``` + +The above command sets the PostgreSQL `postgres` account password to `secretpassword`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +helm install my-release -f values.yaml bitnami/postgresql +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customizing primary and read replica services in a replicated configuration + +At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. + +### Use a different PostgreSQL version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/). + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration` parameter as a string. Alternatively, to replace the entire default configuration use `primary.configuration`. + +You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string. + +In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. + +For example: + +- First, create the secret with the cetificates files: + + ```console + kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt + ``` + +- Then, use the following parameters: + + ```console + volumePermissions.enabled=true + tls.enabled=true + tls.certificatesSecret="certificates-tls-secret" + tls.certFilename="cert.crt" + tls.certKeyFilename="cert.key" + ``` + + > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. + +### Sidecars + +If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +# For the PostgreSQL primary +primary: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +# For the PostgreSQL replicas +readReplicas: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +``` + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +``` +postgresql.auth.password=testuser +subchart1.postgresql.auth.username=testuser +subchart2.postgresql.auth.username=testuser +postgresql.auth.password=testpass +subchart1.postgresql.auth.password=testpass +subchart2.postgresql.auth.password=testpass +postgresql.auth.database=testdb +subchart1.postgresql.auth.database=testdb +subchart2.postgresql.auth.database=testdb +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: + +``` +global.postgresql.auth.username=testuser +global.postgresql.auth.password=testpass +global.postgresql.auth.database=testdb +``` + +This way, the credentials will be available in all of the subcharts. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished. + +## NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + +```bash +kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. +- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,containerSecurityContext.enabled=false,shmVolume.chmod.enabled=false + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/). + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/.helmignore b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/Chart.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/Chart.yaml new file mode 100644 index 000000000..2c938783d --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 1.13.0 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/master/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- email: containers@bitnami.com + name: Bitnami +name: common +sources: +- https://github.com/bitnami/charts +- https://www.bitnami.com/ +type: library +version: 1.13.0 diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/README.md b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/README.md new file mode 100644 index 000000000..c090f742f --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/README.md @@ -0,0 +1,347 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 1.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | +| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | +| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | +| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|-----------------------------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Input | +|--------------------------|------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis™ are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_affinities.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_affinities.tpl new file mode 100644 index 000000000..189ea403d --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_affinities.tpl @@ -0,0 +1,102 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_capabilities.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_capabilities.tpl new file mode 100644 index 000000000..4ec8321ef --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_capabilities.tpl @@ -0,0 +1,139 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_errors.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_errors.tpl new file mode 100644 index 000000000..a79cc2e32 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_images.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_images.tpl new file mode 100644 index 000000000..42ffbc722 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_images.tpl @@ -0,0 +1,75 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $tag := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if $registryName }} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- else -}} +{{- printf "%s:%s" $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_ingress.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_ingress.tpl new file mode 100644 index 000000000..8caf73a61 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_ingress.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_labels.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_labels.tpl new file mode 100644 index 000000000..252066c7e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_names.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_names.tpl new file mode 100644 index 000000000..c8574d175 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_names.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_secrets.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_secrets.tpl new file mode 100644 index 000000000..a53fb44f7 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_secrets.tpl @@ -0,0 +1,140 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key }} + {{- else }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_storage.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_storage.tpl new file mode 100644 index 000000000..60e2a844f --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_tplvalues.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_tplvalues.tpl new file mode 100644 index 000000000..2db166851 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_utils.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_utils.tpl new file mode 100644 index 000000000..ea083a249 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_warnings.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_warnings.tpl new file mode 100644 index 000000000..ae10fa41e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 000000000..ded1ae3bc --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 000000000..b6906ff77 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 000000000..a071ea4d3 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 000000000..164ec0d01 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_redis.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_redis.tpl new file mode 100644 index 000000000..5d72959b9 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,76 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis™ required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_validations.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_validations.tpl new file mode 100644 index 000000000..9a814cf40 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/values.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/values.yaml new file mode 100644 index 000000000..f2df68e5e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/charts/common/values.yaml @@ -0,0 +1,5 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/ci/extended-config.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/extended-config.yaml new file mode 100644 index 000000000..224168e04 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/extended-config.yaml @@ -0,0 +1,4 @@ +primary: + extendedConfiguration: | + pg_stat_statements.max = 10000 + pg_stat_statements.track = all diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/ci/init-scripts.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/init-scripts.yaml new file mode 100644 index 000000000..66ac9bb9c --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/init-scripts.yaml @@ -0,0 +1,8 @@ +primary: + initdb: + args: --data-checksums + postgresqlWalDir: /bitnami/wal-dir/ + scripts: + my_init_script.sh: | + #!/bin/sh + echo "Success" diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/ci/metrics.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/metrics.yaml new file mode 100644 index 000000000..df26bb2ed --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/metrics.yaml @@ -0,0 +1,24 @@ +auth: + postgresPassword: adminpassword + username: foo + password: foopassword + database: bar +metrics: + enabled: true + serviceMonitor: + enabled: true + namespace: monitoring + prometheusRule: + enabled: true + namespace: monitoring +networkPolicy: + enabled: true + metrics: + enabled: true + namespaceSelector: + label: monitoring + ingressRules: + primaryAccessOnlyFrom: + enabled: true + podSelector: + "{{ template \"common.names.fullname\" . }}-client": "true" diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/ci/rbac.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/rbac.yaml new file mode 100644 index 000000000..ef92a1be7 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/rbac.yaml @@ -0,0 +1,16 @@ +serviceAccount: + create: true + name: custom-sa + automountServiceAccountToken: true +rbac: + create: true + rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +psp: + create: true diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/ci/replication.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/replication.yaml new file mode 100644 index 000000000..1ce6cf8d4 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/replication.yaml @@ -0,0 +1,5 @@ +# Test values file for generating all of the yaml and check that +# the rendering is correct +architecture: replication +readReplicas: + replicaCount: 3 diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/ci/tls.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/tls.yaml new file mode 100644 index 000000000..24131f3a0 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/ci/tls.yaml @@ -0,0 +1,6 @@ +architecture: replication +tls: + enabled: true + autoGenerated: true +volumePermissions: + enabled: true diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/NOTES.txt b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/NOTES.txt new file mode 100644 index 000000000..710c733f2 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/NOTES.txt @@ -0,0 +1,89 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +** Please be patient while the chart is being deployed ** + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh + +{{- else }} + +PostgreSQL can be accessed via port {{ include "postgresql.service.port" . }} on the following DNS names from within your cluster: + + {{ include "postgresql.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection + +{{- if eq .Values.architecture "replication" }} + + {{ include "postgresql.readReplica.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read only connection + +{{- end }} + +{{- $customUser := include "postgresql.username" . }} +{{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }} + +To get the password for "postgres" run: + + export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.postgres-password}" | base64 --decode) + +To get the password for "{{ $customUser }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.password}" | base64 --decode) + +{{- else }} + +To get the password for "{{ default "postgres" $customUser }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{ ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 --decode) + +{{- end }} + +To connect to your database run the following command: + + kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \ + --command -- psql --host {{ include "postgresql.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }} + + > NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist" + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.primary.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.primary.fullname" . }}) + PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} + +{{- else if contains "LoadBalancer" .Values.primary.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.primary.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} + +{{- else if contains "ClusterIP" .Values.primary.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.primary.fullname" . }} {{ include "postgresql.service.port" . }}:{{ include "postgresql.service.port" . }} & + PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }} + +{{- end }} +{{- end }} + +{{- include "postgresql.validateValues" . -}} +{{- include "common.warnings.rollingTag" .Values.image -}} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/_helpers.tpl b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/_helpers.tpl new file mode 100644 index 000000000..98eb56ea1 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/_helpers.tpl @@ -0,0 +1,320 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified app name for PostgreSQL Primary objects +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.primary.fullname" -}} +{{- if eq .Values.architecture "replication" }} + {{- printf "%s-primary" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "common.names.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name for PostgreSQL read-only replicas objects +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.readReplica.fullname" -}} +{{- printf "%s-read" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the default FQDN for PostgreSQL primary headless service +We truncate at 63 chars because of the DNS naming spec. +*/}} +{{- define "postgresql.primary.svc.headless" -}} +{{- printf "%s-hl" (include "postgresql.primary.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Create the default FQDN for PostgreSQL read-only replicas headless service +We truncate at 63 chars because of the DNS naming spec. +*/}} +{{- define "postgresql.readReplica.svc.headless" -}} +{{- printf "%s-hl" (include "postgresql.readReplica.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "postgresql.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper PostgreSQL metrics image name +*/}} +{{- define "postgresql.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "postgresql.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "postgresql.imagePullSecrets" -}} +{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} +{{- end -}} + +{{/* +Return the name for a custom user to create +*/}} +{{- define "postgresql.username" -}} +{{- if .Values.global.postgresql.auth.username }} + {{- .Values.global.postgresql.auth.username -}} +{{- else -}} + {{- .Values.auth.username -}} +{{- end -}} +{{- end -}} + +{{/* +Return the name for a custom database to create +*/}} +{{- define "postgresql.database" -}} +{{- if .Values.global.postgresql.auth.database }} + {{- .Values.global.postgresql.auth.database -}} +{{- else if .Values.auth.database -}} + {{- .Values.auth.database -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "postgresql.secretName" -}} +{{- if .Values.global.postgresql.auth.existingSecret }} + {{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}} +{{- else if .Values.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "postgresql.createSecret" -}} +{{- if not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL service port +*/}} +{{- define "postgresql.service.port" -}} +{{- if .Values.global.postgresql.service.ports.postgresql }} + {{- .Values.global.postgresql.service.ports.postgresql -}} +{{- else -}} + {{- .Values.primary.service.ports.postgresql -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL service port +*/}} +{{- define "postgresql.readReplica.service.port" -}} +{{- if .Values.global.postgresql.service.ports.postgresql }} + {{- .Values.global.postgresql.service.ports.postgresql -}} +{{- else -}} + {{- .Values.readReplicas.service.ports.postgresql -}} +{{- end -}} +{{- end -}} + +{{/* +Get the PostgreSQL primary configuration ConfigMap name. +*/}} +{{- define "postgresql.primary.configmapName" -}} +{{- if .Values.primary.existingConfigmap -}} + {{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-configuration" (include "postgresql.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for PostgreSQL primary with the configuration +*/}} +{{- define "postgresql.primary.createConfigmap" -}} +{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Get the PostgreSQL primary extended configuration ConfigMap name. +*/}} +{{- define "postgresql.primary.extendedConfigmapName" -}} +{{- if .Values.primary.existingExtendedConfigmap -}} + {{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}} +{{- else -}} + {{- printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for PostgreSQL primary with the extended configuration +*/}} +{{- define "postgresql.primary.createExtendedConfigmap" -}} +{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* + Create the name of the service account to use + */}} +{{- define "postgresql.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap should be mounted with PostgreSQL configuration +*/}} +{{- define "postgresql.mountConfigurationCM" -}} +{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.initdb.scriptsCM" -}} +{{- if .Values.primary.initdb.scriptsConfigMap -}} + {{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}} +{{- else -}} + {{- printf "%s-init-scripts" (include "postgresql.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the readiness probe command +*/}} +{{- define "postgresql.readinessProbeCommand" -}} +{{- $customUser := include "postgresql.username" . }} +- | +{{- if (include "postgresql.database" .) }} + exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} +{{- else }} + exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} +{{- end }} +{{- if contains "bitnami/" .Values.image.repository }} + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "postgresql.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap +*/}} +{{- define "postgresql.validateValues.ldapConfigurationMethod" -}} +{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }} +postgresql: ldap.url, ldap.server + You cannot set both `ldap.url` and `ldap.server` at the same time. + Please provide a unique way to configure LDAP. + More info at https://www.postgresql.org/docs/current/auth-ldap.html +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If PSP is enabled RBAC should be enabled too +*/}} +{{- define "postgresql.validateValues.psp" -}} +{{- if and .Values.psp.create (not .Values.rbac.create) }} +postgresql: psp.create, rbac.create + RBAC should be enabled if PSP is enabled in order for PSP to work. + More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "postgresql.tlsCert" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}} +{{- else -}} + {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "postgresql.tlsCertKey" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/tls.key" -}} +{{- else -}} +{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.tlsCACert" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}} +{{- else -}} + {{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CRL file. +*/}} +{{- define "postgresql.tlsCRL" -}} +{{- if .Values.tls.crlFilename -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS credentials secret object should be created +*/}} +{{- define "postgresql.createTlsSecret" -}} +{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.tlsSecretName" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "%s-crt" (include "common.names.fullname" .) -}} +{{- else -}} + {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} +{{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/extra-list.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/extra-list.yaml new file mode 100644 index 000000000..9ac65f9e1 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/networkpolicy-egress.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/networkpolicy-egress.yaml new file mode 100644 index 000000000..e8621474b --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/networkpolicy-egress.yaml @@ -0,0 +1,32 @@ +{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-egress" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + policyTypes: + - Egress + egress: + {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - to: + - namespaceSelector: {} + {{- end }} + {{- if .Values.networkPolicy.egressRules.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/configmap.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/configmap.yaml new file mode 100644 index 000000000..d654a2257 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/configmap.yaml @@ -0,0 +1,24 @@ +{{- if (include "postgresql.primary.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-configuration" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- if .Values.primary.configuration }} + postgresql.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.pgHbaConfiguration }} + pg_hba.conf: | + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/extended-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/extended-configmap.yaml new file mode 100644 index 000000000..d129bd3b2 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/extended-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (include "postgresql.primary.createExtendedConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + override.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/initialization-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/initialization-configmap.yaml new file mode 100644 index 000000000..d3d26cb8c --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/initialization-configmap.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-init-scripts" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/metrics-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/metrics-configmap.yaml new file mode 100644 index 000000000..39c48059d --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/metrics-configmap.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + custom-metrics.yaml: {{- toYaml .Values.metrics.customMetrics | nindent 4 }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/metrics-svc.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/metrics-svc.yaml new file mode 100644 index 000000000..75a1b81be --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/metrics-svc.yaml @@ -0,0 +1,31 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} + {{- if .Values.metrics.service.clusterIP }} + clusterIP: {{ .Values.metrics.service.clusterIP }} + {{- end }} + ports: + - name: http-metrics + port: {{ .Values.metrics.service.ports.metrics }} + targetPort: http-metrics + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: primary +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/networkpolicy.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/networkpolicy.yaml new file mode 100644 index 000000000..ce0052d48 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/networkpolicy.yaml @@ -0,0 +1,57 @@ +{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-ingress" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: primary + ingress: + {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} + - from: + {{- if .Values.networkPolicy.metrics.namespaceSelector }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.metrics.podSelector }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} + {{- end }} + ports: + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }} + - from: + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} + {{- end }} + ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }} + - from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }} + app.kubernetes.io/component: read + ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/prometheusrule.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/prometheusrule.yaml new file mode 100644 index 000000000..cb2f1f2a7 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/prometheusrule.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "postgresql.primary.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.prometheusRule.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: + - name: {{ include "postgresql.primary.fullname" . }} + rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/servicemonitor.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/servicemonitor.yaml new file mode 100644 index 000000000..c4a19fe05 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/servicemonitor.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "postgresql.primary.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.metrics.serviceMonitor.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + app.kubernetes.io/component: metrics + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/statefulset.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/statefulset.yaml new file mode 100644 index 000000000..ec6cdbbc0 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/statefulset.yaml @@ -0,0 +1,639 @@ +{{- $customUser := include "postgresql.username" . }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "postgresql.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.labels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: 1 + serviceName: {{ include "postgresql.primary.svc.headless" . }} + {{- if .Values.primary.updateStrategy }} + updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: primary + template: + metadata: + name: {{ include "postgresql.primary.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.primary.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podLabels "context" $ ) | nindent 8 }} + {{- end }} + annotations: + {{- if (include "postgresql.primary.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/primary/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if (include "postgresql.primary.createExtendedConfigmap" .) }} + checksum/extended-configuration: {{ include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.primary.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- if .Values.primary.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "postgresql.serviceAccountName" . }} + {{- include "postgresql.imagePullSecrets" . | nindent 6 }} + {{- if .Values.primary.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.primary.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.primary.priorityClassName }} + priorityClassName: {{ .Values.primary.priorityClassName }} + {{- end }} + {{- if .Values.primary.schedulerName }} + schedulerName: {{ .Values.primary.schedulerName | quote }} + {{- end }} + {{- if .Values.primary.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.primary.podSecurityContext.enabled }} + securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.primary.hostNetwork }} + hostIPC: {{ .Values.primary.hostIPC }} + initContainers: + {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} + - name: copy-certs + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.primary.resources }} + resources: {{- toYaml .Values.primary.resources | nindent 12 }} + {{- end }} + # We don't require a privileged container in this case + {{- if .Values.primary.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + chmod 600 {{ include "postgresql.tlsCertKey" . }} + volumeMounts: + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }} + - name: init-chmod-data + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + {{- if .Values.primary.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }} + {{- else }} + chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} + find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ include "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.primary.persistence.enabled }} + - name: data + mountPath: {{ .Values.primary.persistence.mountPath }} + {{- if .Values.primary.persistence.subPath }} + subPath: {{ .Values.primary.persistence.subPath }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.primary.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }} + {{- end }} + containers: + - name: postgresql + image: {{ include "postgresql.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.primary.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.primary.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.primary.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: {{ .Values.containerPorts.postgresql | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: {{ .Values.primary.persistence.mountPath | quote }} + {{- if .Values.primary.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + # Authentication + {{- if and (not (empty $customUser)) (ne $customUser "postgres") }} + - name: POSTGRES_USER + value: {{ $customUser | quote }} + {{- if .Values.auth.enablePostgresUser }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: postgres-password + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }} + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres")) }} + {{- end }} + {{- if (include "postgresql.database" .) }} + - name: POSTGRES_DB + value: {{ (include "postgresql.database" .) | quote }} + {{- end }} + # Replication + {{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }} + - name: POSTGRES_REPLICATION_MODE + value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }} + - name: POSTGRES_REPLICATION_USER + value: {{ .Values.auth.replicationUsername | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: replication-password + {{- end }} + {{- if not (eq .Values.replication.synchronousCommit "off") }} + - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE + value: {{ .Values.replication.synchronousCommit | quote }} + - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS + value: {{ .Values.replication.numSynchronousReplicas | quote }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + {{- end }} + # Initdb + {{- if .Values.primary.initdb.args }} + - name: POSTGRES_INITDB_ARGS + value: {{ .Values.primary.initdb.args | quote }} + {{- end }} + {{- if .Values.primary.initdb.postgresqlWalDir }} + - name: POSTGRES_INITDB_WALDIR + value: {{ .Values.primary.initdb.postgresqlWalDir | quote }} + {{- end }} + {{- if .Values.primary.initdb.user }} + - name: POSTGRESQL_INITSCRIPTS_USERNAME + value: {{ .Values.primary.initdb.user }} + {{- end }} + {{- if .Values.primary.initdb.password }} + - name: POSTGRESQL_INITSCRIPTS_PASSWORD + value: {{ .Values.primary.initdb.password | quote }} + {{- end }} + # Standby + {{- if .Values.primary.standby.enabled }} + - name: POSTGRES_MASTER_HOST + value: {{ .Values.primary.standby.primaryHost }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ .Values.primary.standby.primaryPort | quote }} + {{- end }} + # LDAP + - name: POSTGRESQL_ENABLE_LDAP + value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }} + {{- if .Values.ldap.enabled }} + - name: POSTGRESQL_LDAP_SERVER + value: {{ .Values.ldap.server }} + - name: POSTGRESQL_LDAP_PORT + value: {{ .Values.ldap.port | quote }} + - name: POSTGRESQL_LDAP_SCHEME + value: {{ .Values.ldap.scheme }} + {{- if .Values.ldap.tls }} + - name: POSTGRESQL_LDAP_TLS + value: "1" + {{- end }} + - name: POSTGRESQL_LDAP_PREFIX + value: {{ .Values.ldap.prefix | quote }} + - name: POSTGRESQL_LDAP_SUFFIX + value: {{ .Values.ldap.suffix | quote }} + - name: POSTGRESQL_LDAP_BASE_DN + value: {{ .Values.ldap.baseDN }} + - name: POSTGRESQL_LDAP_BIND_DN + value: {{ .Values.ldap.bindDN }} + {{- if not (empty .Values.ldap.bind_password) }} + - name: POSTGRESQL_LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: ldap-password + {{- end }} + - name: POSTGRESQL_LDAP_SEARCH_ATTR + value: {{ .Values.ldap.search_attr }} + - name: POSTGRESQL_LDAP_SEARCH_FILTER + value: {{ .Values.ldap.search_filter }} + - name: POSTGRESQL_LDAP_URL + value: {{ .Values.ldap.url }} + {{- end }} + # TLS + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ include "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ include "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ include "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ include "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + # Audit + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + # Others + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.primary.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }} + envFrom: + {{- if .Values.primary.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.primary.extraEnvVarsCM }} + {{- end }} + {{- if .Values.primary.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.primary.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ .Values.containerPorts.postgresql }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.primary.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- else if .Values.primary.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.primary.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- else if .Values.primary.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.primary.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + {{- else if .Values.primary.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.primary.resources }} + resources: {{- toYaml .Values.primary.resources | nindent 12 }} + {{- end }} + {{- if .Values.primary.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d/ + {{- end }} + {{- if .Values.primary.initdb.scriptsSecret }} + - name: custom-init-scripts-secret + mountPath: /docker-entrypoint-initdb.d/secret + {{- end }} + {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.primary.persistence.enabled }} + - name: data + mountPath: {{ .Values.primary.persistence.mountPath }} + {{- if .Values.primary.persistence.subPath }} + subPath: {{ .Values.primary.persistence.subPath }} + {{- end }} + {{- end }} + {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.primary.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "postgresql.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.customMetrics }} + args: ["--extend.query-path", "/conf/custom-metrics.yaml"] + {{- end }} + env: + {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }} + {{- $sslmode := ternary "require" "disable" .Values.tls.enabled }} + {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} + - name: DATA_SOURCE_NAME + value: {{ printf "host=127.0.0.1 port=%d user=%s sslmode=%s sslcert=%s sslkey=%s" (int (include "postgresql.service.port" .)) (default "postgres" $customUser | quote) $sslmode (include "postgresql.tlsCert" .) (include "postgresql.tlsCertKey" .) }} + {{- else }} + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/%s?sslmode=%s" (int (include "postgresql.service.port" .)) $database $sslmode }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: DATA_SOURCE_PASS_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }} + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres")) }} + {{- end }} + - name: DATA_SOURCE_USER + value: {{ default "postgres" $customUser | quote }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: http-metrics + containerPort: {{ .Values.metrics.containerPorts.metrics }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: http-metrics + {{- else if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- else if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- else if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.metrics.customMetrics }} + - name: custom-metrics + mountPath: /conf + readOnly: true + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.primary.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} + {{- end }} + volumes: + {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} + - name: postgresql-config + configMap: + name: {{ include "postgresql.primary.configmapName" . }} + {{- end }} + {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} + - name: postgresql-extended-config + configMap: + name: {{ include "postgresql.primary.extendedConfigmapName" . }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + secret: + secretName: {{ include "postgresql.secretName" . }} + {{- end }} + {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} + - name: custom-init-scripts + configMap: + name: {{ include "postgresql.initdb.scriptsCM" . }} + {{- end }} + {{- if .Values.primary.initdb.scriptsSecret }} + - name: custom-init-scripts-secret + secret: + secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ include "postgresql.tlsSecretName" . }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.primary.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} + - name: custom-metrics + configMap: + name: {{ printf "%s-metrics" (include "common.names.fullname" .) }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + {{- if .Values.shmVolume.sizeLimit }} + sizeLimit: {{ .Values.shmVolume.sizeLimit }} + {{- end }} + {{- end }} + {{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }} + - name: data + persistentVolumeClaim: + claimName: {{ tpl .Values.primary.persistence.existingClaim $ }} + {{- else if not .Values.primary.persistence.enabled }} + - name: data + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: data + {{- if .Values.primary.persistence.annotations }} + annotations: {{- toYaml .Values.primary.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.primary.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.primary.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + resources: + requests: + storage: {{ .Values.primary.persistence.size | quote }} + {{- if .Values.primary.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }} + {{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/svc-headless.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/svc-headless.yaml new file mode 100644 index 000000000..b7826318f --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/svc-headless.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.primary.svc.headless" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: primary + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ template "postgresql.service.port" . }} + targetPort: tcp-postgresql + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: primary diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/svc.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/svc.yaml new file mode 100644 index 000000000..6d4a842c2 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/primary/svc.yaml @@ -0,0 +1,43 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: primary + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.service.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.primary.service.type }} + {{- if and .Values.primary.service.loadBalancerIP (eq .Values.primary.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }} + externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.primary.service.type "LoadBalancer") .Values.primary.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.loadBalancerSourceRanges "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq .Values.primary.service.type "ClusterIP") .Values.primary.service.clusterIP }} + clusterIP: {{ .Values.primary.service.clusterIP }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.service.port" . }} + targetPort: tcp-postgresql + {{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }} + nodePort: {{ .Values.primary.service.nodePorts.postgresql }} + {{- else if eq .Values.primary.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.primary.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: primary diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/psp.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/psp.yaml new file mode 100644 index 000000000..48d11754d --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/psp.yaml @@ -0,0 +1,41 @@ +{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- if and $pspAvailable .Values.psp.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + privileged: false + volumes: + - 'configMap' + - 'secret' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'projected' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/networkpolicy.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/networkpolicy.yaml new file mode 100644 index 000000000..c969cd7a7 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-ingress" (include "postgresql.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: read + ingress: + {{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }} + - from: + {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector "context" $) | nindent 14 }} + {{- end }} + ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/statefulset.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/statefulset.yaml new file mode 100644 index 000000000..486d80371 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/statefulset.yaml @@ -0,0 +1,433 @@ +{{- if eq .Values.architecture "replication" }} +{{- $customUser := include "postgresql.username" . }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "postgresql.readReplica.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.readReplicas.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.labels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.readReplicas.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.readReplicas.replicaCount }} + serviceName: {{ include "postgresql.readReplica.svc.headless" . }} + {{- if .Values.readReplicas.updateStrategy }} + updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: read + template: + metadata: + name: {{ include "postgresql.readReplica.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podLabels "context" $ ) | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.readReplicas.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- if .Values.readReplicas.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "postgresql.serviceAccountName" . }} + {{- include "postgresql.imagePullSecrets" . | nindent 6 }} + {{- if .Values.readReplicas.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.readReplicas.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.priorityClassName }} + priorityClassName: {{ .Values.readReplicas.priorityClassName }} + {{- end }} + {{- if .Values.readReplicas.schedulerName }} + schedulerName: {{ .Values.readReplicas.schedulerName | quote }} + {{- end }} + {{- if .Values.readReplicas.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.readReplicas.podSecurityContext.enabled }} + securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.readReplicas.hostNetwork }} + hostIPC: {{ .Values.readReplicas.hostIPC }} + initContainers: + {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} + - name: copy-certs + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- end }} + # We don't require a privileged container in this case + {{- if .Values.readReplicas.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + chmod 600 {{ include "postgresql.tlsCertKey" . }} + volumeMounts: + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }} + - name: init-chmod-data + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + {{- if .Values.readReplicas.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }} + {{- else }} + chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} + find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ include "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{ if .Values.readReplicas.persistence.enabled }} + - name: data + mountPath: {{ .Values.readReplicas.persistence.mountPath }} + {{- if .Values.readReplicas.persistence.subPath }} + subPath: {{ .Values.readReplicas.persistence.subPath }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.readReplicas.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }} + {{- end }} + containers: + - name: postgresql + image: {{ include "postgresql.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.readReplicas.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: {{ .Values.containerPorts.postgresql | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: {{ .Values.readReplicas.persistence.mountPath | quote }} + {{- if .Values.readReplicas.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + # Authentication + {{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: postgres-password + {{- end }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }} + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres")) }} + {{- end }} + # Replication + - name: POSTGRES_REPLICATION_MODE + value: "slave" + - name: POSTGRES_REPLICATION_USER + value: {{ .Values.auth.replicationUsername | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: replication-password + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + - name: POSTGRES_MASTER_HOST + value: {{ include "postgresql.primary.fullname" . }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ include "postgresql.service.port" . | quote }} + # TLS + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ include "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ include "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ include "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ include "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + # Audit + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + # Others + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.readReplicas.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }} + envFrom: + {{- if .Values.readReplicas.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.readReplicas.extraEnvVarsCM }} + {{- end }} + {{- if .Values.readReplicas.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.readReplicas.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ .Values.containerPorts.postgresql }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.readReplicas.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- else if .Values.readReplicas.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readReplicas.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- else if .Values.readReplicas.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readReplicas.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + {{- else if .Values.readReplicas.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- end }} + {{- if .Values.readReplicas.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.readReplicas.persistence.enabled }} + - name: data + mountPath: {{ .Values.readReplicas.persistence.mountPath }} + {{- if .Values.readReplicas.persistence.subPath }} + subPath: {{ .Values.readReplicas.persistence.subPath }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readReplicas.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + secret: + secretName: {{ include "postgresql.secretName" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ include "postgresql.tlsSecretName" . }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + {{- if .Values.shmVolume.sizeLimit }} + sizeLimit: {{ .Values.shmVolume.sizeLimit }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if not .Values.readReplicas.persistence.enabled }} + - name: data + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: data + {{- if .Values.readReplicas.persistence.annotations }} + annotations: {{- toYaml .Values.readReplicas.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.readReplicas.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.readReplicas.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + resources: + requests: + storage: {{ .Values.readReplicas.persistence.size | quote }} + {{- if .Values.readReplicas.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }} + {{- end -}} + {{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/svc-headless.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/svc-headless.yaml new file mode 100644 index 000000000..0371e49d4 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/svc-headless.yaml @@ -0,0 +1,33 @@ +{{- if eq .Values.architecture "replication" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.readReplica.svc.headless" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: read + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ include "postgresql.readReplica.service.port" . }} + targetPort: tcp-postgresql + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/svc.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/svc.yaml new file mode 100644 index 000000000..23554751c --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/read/svc.yaml @@ -0,0 +1,45 @@ +{{- if eq .Values.architecture "replication" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.readReplica.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: read + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.readReplicas.service.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.readReplicas.service.type }} + {{- if and .Values.readReplicas.service.loadBalancerIP (eq .Values.readReplicas.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.readReplicas.service.loadBalancerIP }} + externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") .Values.readReplicas.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.loadBalancerSourceRanges "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq .Values.readReplicas.service.type "ClusterIP") .Values.readReplicas.service.clusterIP }} + clusterIP: {{ .Values.readReplicas.service.clusterIP }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ include "postgresql.readReplica.service.port" . }} + targetPort: tcp-postgresql + {{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }} + nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }} + {{- else if eq .Values.readReplicas.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.readReplicas.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/role.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/role.yaml new file mode 100644 index 000000000..00f922232 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/role.yaml @@ -0,0 +1,31 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +# yamllint disable rule:indentation +rules: + {{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} + {{- if and $pspAvailable .Values.psp.create }} + - apiGroups: + - 'policy' + resources: + - 'podsecuritypolicies' + verbs: + - 'use' + resourceNames: + - {{ include "common.names.fullname" . }} + {{- end }} + {{- if .Values.rbac.rules }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} + {{- end }} +# yamllint enable rule:indentation +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/rolebinding.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/rolebinding.yaml new file mode 100644 index 000000000..0311c0ecc --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + kind: Role + name: {{ include "common.names.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ include "postgresql.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/secrets.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/secrets.yaml new file mode 100644 index 000000000..e8cc69ffa --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/secrets.yaml @@ -0,0 +1,29 @@ +{{- if (include "postgresql.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if .Values.auth.enablePostgresUser }} + postgres-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "postgres-password" "providedValues" (list "global.postgresql.auth.postgresPassword" "auth.postgresPassword") "context" $) }} + {{- end }} + {{- if not (empty (include "postgresql.username" .)) }} + password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "password" "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) }} + {{- end }} + {{- if eq .Values.architecture "replication" }} + replication-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "replication-password" "providedValues" (list "auth.replicationPassword") "context" $) }} + {{- end }} + # We don't auto-generate LDAP password when it's not provided as we do for other passwords + {{- if and .Values.ldap.enabled .Values.ldap.bind_password }} + ldap-password: {{ .Values.ldap.bind_password | b64enc | quote }} + {{- end }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/serviceaccount.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/serviceaccount.yaml new file mode 100644 index 000000000..179f8f2e4 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "postgresql.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.serviceAccount.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/templates/tls-secrets.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/tls-secrets.yaml new file mode 100644 index 000000000..59c577647 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/templates/tls-secrets.yaml @@ -0,0 +1,27 @@ +{{- if (include "postgresql.createTlsSecret" . ) }} +{{- $ca := genCA "postgresql-ca" 365 }} +{{- $fullname := include "common.names.fullname" . }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $primaryHeadlessServiceName := include "postgresql.primary.svc.headless" . }} +{{- $readHeadlessServiceName := include "postgresql.readReplica.svc.headless" . }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }} +{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-crt" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $crt.Cert | b64enc | quote }} + tls.key: {{ $crt.Key | b64enc | quote }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/values.schema.json b/charts/asserts/asserts/1.11.0/charts/postgresql/values.schema.json new file mode 100644 index 000000000..fc41483cd --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/values.schema.json @@ -0,0 +1,156 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "architecture": { + "type": "string", + "title": "PostgreSQL architecture", + "form": true, + "description": "Allowed values: `standalone` or `replication`" + }, + "auth": { + "type": "object", + "title": "Authentication configuration", + "form": true, + "properties": { + "enablePostgresUser": { + "type": "boolean", + "title": "Enable \"postgres\" admin user", + "description": "Assign a password to the \"postgres\" admin user. Otherwise, remote access will be blocked for this user", + "form": true + }, + "postgresPassword": { + "type": "string", + "title": "Password for the \"postgres\" admin user", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true + }, + "database": { + "type": "string", + "title": "PostgreSQL custom database", + "description": "Name of the custom database to be created during the 1st initialization of PostgreSQL", + "form": true + }, + "username": { + "type": "string", + "title": "PostgreSQL custom user", + "description": "Name of the custom user to be created during the 1st initialization of PostgreSQL. This user only has permissions on the PostgreSQL custom database", + "form": true + }, + "password": { + "type": "string", + "title": "Password for the custom user to create", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true + }, + "replicationUsername": { + "type": "string", + "title": "PostgreSQL replication user", + "description": "Name of user used to manage replication.", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + }, + "replicationPassword": { + "type": "string", + "title": "Password for PostgreSQL replication user", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi" + } + } + }, + "resources": { + "type": "object", + "title": "Required Resources", + "description": "Configure resource requests", + "form": true, + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string", + "form": true, + "render": "slider", + "title": "Memory Request", + "sliderMin": 10, + "sliderMax": 2048, + "sliderUnit": "Mi" + }, + "cpu": { + "type": "string", + "form": true, + "render": "slider", + "title": "CPU Request", + "sliderMin": 10, + "sliderMax": 2000, + "sliderUnit": "m" + } + } + } + } + }, + "replication": { + "type": "object", + "form": true, + "title": "Replication Details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Replication", + "form": true + }, + "readReplicas": { + "type": "integer", + "title": "read Replicas", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" + } + } + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Configure metrics exporter", + "form": true + } + } + } + } +} diff --git a/charts/asserts/asserts/1.11.0/charts/postgresql/values.yaml b/charts/asserts/asserts/1.11.0/charts/postgresql/values.yaml new file mode 100644 index 000000000..6b73564d0 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/postgresql/values.yaml @@ -0,0 +1,1329 @@ +## @section Global parameters +## Please, note that this will override the parameters, including dependencies, configured to use the global value +## +global: + ## @param global.imageRegistry Global Docker image registry + ## + imageRegistry: "" + ## @param global.imagePullSecrets Global Docker registry secret names as an array + ## e.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + ## @param global.storageClass Global StorageClass for Persistent Volume(s) + ## + storageClass: "" + postgresql: + ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`) + ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) + ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`) + ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) + ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`) + ## + auth: + postgresPassword: "" + username: "" + password: "" + database: "" + existingSecret: "" + ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) + ## + service: + ports: + postgresql: "" + +## @section Common parameters +## + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname template +## +fullnameOverride: "" +## @param clusterDomain Kubernetes Cluster Domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) +## +extraDeploy: [] +## @param commonLabels Add labels to all the deployed resources +## +commonLabels: {} +## @param commonAnnotations Add annotations to all the deployed resources +## +commonAnnotations: {} +## Enable diagnostic mode in the statefulset +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the statefulset + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the statefulset + ## + args: + - infinity + +## @section PostgreSQL common parameters +## + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## @param image.registry PostgreSQL image registry +## @param image.repository PostgreSQL image repository +## @param image.tag PostgreSQL image tag (immutable tags are recommended) +## @param image.pullPolicy PostgreSQL image pull policy +## @param image.pullSecrets Specify image pull secrets +## @param image.debug Specify if debug values should be set +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 14.2.0-debian-10-r74 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## Authentication parameters +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run +## +auth: + ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user + ## + enablePostgresUser: true + ## @param auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided + ## + postgresPassword: "" + ## @param auth.username Name for a custom user to create + ## + username: "" + ## @param auth.password Password for the custom user to create. Ignored if `auth.existingSecret` with key `password` is provided + ## + password: "" + ## @param auth.database Name for a custom database to create + ## + database: "" + ## @param auth.replicationUsername Name of the replication user + ## + replicationUsername: repl_user + ## @param auth.replicationPassword Password for the replication user. Ignored if `auth.existingSecret` with key `replication-password` is provided + ## + replicationPassword: "" + ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. The secret must contain the keys `postgres-password` (which is the password for "postgres" admin user), `password` (which is the password for the custom user to create when `auth.username` is set) and `replication-password` (which is the password for replication user). `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. + ## The value is evaluated as a template. + ## + existingSecret: "" + ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable + ## + usePasswordFiles: false +## @param architecture PostgreSQL architecture (`standalone` or `replication`) +## +architecture: standalone +## Replication configuration +## Ignored if `architecture` is `standalone` +## +replication: + ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` + ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. + ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT + ## + synchronousCommit: "off" + numSynchronousReplicas: 0 + ## @param replication.applicationName Cluster application name. Useful for advanced replication settings + ## + applicationName: my_application +## @param containerPorts.postgresql PostgreSQL container port +## +containerPorts: + postgresql: 5432 +## Audit settings +## https://github.com/bitnami/bitnami-docker-postgresql#auditing +## @param audit.logHostname Log client hostnames +## @param audit.logConnections Add client log-in operations to the log file +## @param audit.logDisconnections Add client log-outs operations to the log file +## @param audit.pgAuditLog Add operations to log using the pgAudit extension +## @param audit.pgAuditLogCatalog Log catalog using pgAudit +## @param audit.clientMinMessages Message log level to share with the user +## @param audit.logLinePrefix Template for log line prefix (default if not set) +## @param audit.logTimezone Timezone for the log timestamps +## +audit: + logHostname: false + logConnections: false + logDisconnections: false + pgAuditLog: "" + pgAuditLogCatalog: "off" + clientMinMessages: error + logLinePrefix: "" + logTimezone: "" +## LDAP configuration +## @param ldap.enabled Enable LDAP support +## @param ldap.url LDAP URL beginning in the form `ldap[s]://host[:port]/basedn` +## @param ldap.server IP address or name of the LDAP server. +## @param ldap.port Port number on the LDAP server to connect to +## @param ldap.prefix String to prepend to the user name when forming the DN to bind +## @param ldap.suffix String to append to the user name when forming the DN to bind +## @param ldap.baseDN Root DN to begin the search for the user in +## @param ldap.bindDN DN of user to bind to LDAP +## @param ldap.bind_password Password for the user to bind to LDAP +## @param ldap.search_attr Attribute to match against the user name in the search +## @param ldap.search_filter The search filter to use when doing search+bind authentication +## @param ldap.scheme Set to `ldaps` to use LDAPS +## @param ldap.tls Set to `1` to use TLS encryption +## +ldap: + enabled: false + url: "" + server: "" + port: "" + prefix: "" + suffix: "" + baseDN: "" + bindDN: "" + bind_password: "" + search_attr: "" + search_filter: "" + scheme: "" + tls: "" +## @param postgresqlDataDir PostgreSQL data dir folder +## +postgresqlDataDir: /bitnami/postgresql/data +## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list) +## +postgresqlSharedPreloadLibraries: "pgaudit" +## Start PostgreSQL pod(s) without limitations on shm memory. +## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M` +## ref: https://github.com/docker-library/postgres/issues/416 +## ref: https://github.com/containerd/containerd/issues/3654 +## +shmVolume: + ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) + ## + enabled: true + ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs + ## Note: the size of the tmpfs counts against container's memory limit + ## e.g: + ## sizeLimit: 1Gi + ## + sizeLimit: "" +## TLS configuration +## +tls: + ## @param tls.enabled Enable TLS traffic support + ## + enabled: false + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates + ## + autoGenerated: false + ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's + ## + preferServerCiphers: true + ## @param tls.certificatesSecret Name of an existing secret that contains the certificates + ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html + ## + certCAFilename: "" + ## @param tls.crlFilename File containing a Certificate Revocation List + ## + crlFilename: "" + +## @section PostgreSQL Primary parameters +## +primary: + ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap + ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html + ## + configuration: "" + ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration + ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html + ## e.g:# + ## pgHbaConfiguration: |- + ## local all all trust + ## host all all localhost trust + ## host mydatabase mysuser 192.168.0.0/24 md5 + ## + pgHbaConfiguration: "" + ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration + ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored + ## + existingConfigmap: "" + ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration) + ## ref: https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf + ## + extendedConfiguration: "" + ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration + ## NOTE: `primary.extendedConfiguration` will be ignored + ## + existingExtendedConfigmap: "" + ## Initdb configuration + ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#specifying-initdb-arguments + ## + initdb: + ## @param primary.initdb.args PostgreSQL initdb extra arguments + ## + args: "" + ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log + ## + postgresqlWalDir: "" + ## @param primary.initdb.scripts Dictionary of initdb scripts + ## Specify dictionary of scripts to be run at first boot + ## e.g: + ## scripts: + ## my_init_script.sh: | + ## #!/bin/sh + ## echo "Do something." + ## + scripts: {} + ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot + ## NOTE: This will override `primary.initdb.scripts` + ## + scriptsConfigMap: "" + ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information) + ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap` + ## + scriptsSecret: "" + ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts + ## + user: "" + ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts + ## + password: "" + ## Configure current cluster's primary server to be the standby server in other cluster. + ## This will allow cross cluster replication and provide cross cluster high availability. + ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. + ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not + ## @param primary.standby.primaryHost The Host of replication primary in the other cluster + ## @param primary.standby.primaryPort The Port of replication primary in the other cluster + ## + standby: + enabled: false + primaryHost: "" + primaryPort: "" + ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsCM: "" + ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsSecret: "" + ## @param primary.command Override default container command (useful when using custom images) + ## + command: [] + ## @param primary.args Override default container args (useful when using custom images) + ## + args: [] + ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers + ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers + ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers + ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param primary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param primary.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL Primary resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers + ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers + ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers + ## + resources: + limits: {} + requests: + memory: 256Mi + cpu: 250m + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.podSecurityContext.enabled Enable security context + ## @param primary.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.containerSecurityContext.enabled Enable container security context + ## @param primary.containerSecurityContext.runAsUser User ID for the container + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param primary.hostAliases PostgreSQL primary pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param primary.hostNetwork Specify if host network should be enabled for PostgreSQL pod (postgresql primary) + ## + hostNetwork: false + ## @param primary.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) + ## + hostIPC: false + ## @param primary.labels Map of labels to add to the statefulset (postgresql primary) + ## + labels: {} + ## @param primary.annotations Annotations for PostgreSQL primary pods + ## + annotations: {} + ## @param primary.podLabels Map of labels to add to the pods (postgresql primary) + ## + podLabels: {} + ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary) + ## + podAnnotations: {} + ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param primary.affinity Affinity for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: {} + ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary) + ## + priorityClassName: "" + ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type + ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) + ## + extraVolumeMounts: [] + ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) + ## + extraVolumes: [] + ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) + ## + extraPodSpec: {} + ## PostgreSQL Primary service configuration + ## + service: + ## @param primary.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param primary.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 5432 + ## Node ports to expose + ## NOTE: choose port between <30000-32767> + ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param primary.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param primary.service.annotations Annotations for PostgreSQL primary service + ## + annotations: {} + ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param primary.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service + ## + extraPorts: [] + ## PostgreSQL Primary persistence configuration + ## + persistence: + ## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC + ## + enabled: true + ## @param primary.persistence.existingClaim Name of an existing PVC to use + ## + existingClaim: "" + ## @param primary.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param primary.persistence.subPath The subdirectory of the volume to mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param primary.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param primary.persistence.dataSource Custom PVC data source + ## + dataSource: {} + +## @section PostgreSQL read only replica parameters +## +readReplicas: + ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas + ## + replicaCount: 1 + ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsCM: "" + ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsSecret: "" + ## @param readReplicas.command Override default container command (useful when using custom images) + ## + command: [] + ## @param readReplicas.args Override default container args (useful when using custom images) + ## + args: [] + ## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers + ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers + ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers + ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe + ## @param readReplicas.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL read only resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers + ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers + ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers + ## + resources: + limits: {} + requests: + memory: 256Mi + cpu: 250m + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.podSecurityContext.enabled Enable security context + ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.containerSecurityContext.enabled Enable container security context + ## @param readReplicas.containerSecurityContext.runAsUser User ID for the container + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) + ## + hostNetwork: false + ## @param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) + ## + hostIPC: false + ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only) + ## + labels: {} + ## @param readReplicas.annotations Annotations for PostgreSQL read only pods + ## + annotations: {} + ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only) + ## + podLabels: {} + ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only) + ## + podAnnotations: {} + ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL read only node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: {} + ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only) + ## + priorityClassName: "" + ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type + ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) + ## + extraVolumeMounts: [] + ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) + ## + extraVolumes: [] + ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) + ## + extraPodSpec: {} + ## PostgreSQL read only service configuration + ## + service: + ## @param readReplicas.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param readReplicas.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 5432 + ## Node ports to expose + ## NOTE: choose port between <30000-32767> + ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service + ## + annotations: {} + ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service + ## + extraPorts: [] + ## PostgreSQL read only persistence configuration + ## + persistence: + ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC + ## + enabled: true + ## @param readReplicas.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param readReplicas.persistence.subPath The subdirectory of the volume to mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param readReplicas.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param readReplicas.persistence.dataSource Custom PVC data source + ## + dataSource: {} + +## @section NetworkPolicy parameters + +## Add networkpolicies +## +networkPolicy: + ## @param networkPolicy.enabled Enable network policies + ## + enabled: false + ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus) + ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. + ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + ## + metrics: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: monitoring + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: monitoring + ## + podSelector: {} + ## Ingress Rules + ## + ingressRules: + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL primary node. + ## + primaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## customRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL read-only nodes. + ## + readReplicasAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## CustomRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). + ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule + ## + egressRules: + # Deny connections to external. This is not compatible with an external database. + denyConnectionsToExternal: false + ## Additional custom egress rules + ## e.g: + ## customRules: + ## - to: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + +## @section Volume Permissions parameters + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume + ## + enabled: false + ## @param volumePermissions.image.registry Init container volume-permissions image registry + ## @param volumePermissions.image.repository Init container volume-permissions image repository + ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r403 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param volumePermissions.resources.limits Init container volume-permissions resource limits + ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## + resources: + limits: {} + requests: {} + ## Init container' Security Context + ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser + ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container + ## + containerSecurityContext: + runAsUser: 0 + +## @section Other Parameters + +## Service account for PostgreSQL to use. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod + ## + create: false + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: true + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} +## Creates role for ServiceAccount +## @param rbac.create Create Role and RoleBinding (required for PSP to work) +## +rbac: + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later +## +psp: + create: false + +## @section Metrics Parameters + +metrics: + ## @param metrics.enabled Start a prometheus exporter + ## + enabled: false + ## @param metrics.image.registry PostgreSQL Prometheus Exporter image registry + ## @param metrics.image.repository PostgreSQL Prometheus Exporter image repository + ## @param metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) + ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy + ## @param metrics.image.pullSecrets Specify image pull secrets + ## + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.10.1-debian-10-r90 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.customMetrics Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + ## customMetrics: + ## pg_database: + ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + ## metrics: + ## - name: + ## usage: "LABEL" + ## description: "Name of the database" + ## - size_bytes: + ## usage: "GAUGE" + ## description: "Size of the database in bytes" + ## + customMetrics: {} + ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + ## extraEnvVars: + ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + ## value: "true" + ## + extraEnvVars: [] + ## PostgreSQL Prometheus exporter containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enable PostgreSQL Prometheus exporter containers' Security Context + ## @param metrics.containerSecurityContext.runAsUser Set PostgreSQL Prometheus exporter containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe + ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port + ## + containerPorts: + metrics: 9187 + ## PostgreSQL Prometheus exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container + ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container + ## + resources: + limits: {} + requests: {} + ## Service configuration + ## + service: + ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port + ## + ports: + metrics: 9187 + ## @param metrics.service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## + clusterIP: "" + ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/user-guide/services/ + ## + sessionAffinity: None + ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus + ## + labels: {} + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + selector: {} + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + labels: {} + ## @param metrics.prometheusRule.rules PrometheusRule definitions + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). + ## + rules: [] diff --git a/charts/nutanix-csi-storage/nutanix-csi-storage/2.4.100/.helmignore b/charts/asserts/asserts/1.11.0/charts/promxy/.helmignore similarity index 100% rename from charts/nutanix-csi-storage/nutanix-csi-storage/2.4.100/.helmignore rename to charts/asserts/asserts/1.11.0/charts/promxy/.helmignore diff --git a/charts/asserts/asserts/1.11.0/charts/promxy/Chart.yaml b/charts/asserts/asserts/1.11.0/charts/promxy/Chart.yaml new file mode 100644 index 000000000..0c85637bd --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/promxy/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v2 +appVersion: v0.0.75 +description: Helm Chart for Prometheus proxy to combine multiple prometheuses +maintainers: +- name: Asserts + url: https://github.com/asserts +name: promxy +type: application +version: 0.7.0 diff --git a/charts/asserts/asserts/1.11.0/charts/promxy/README.md b/charts/asserts/asserts/1.11.0/charts/promxy/README.md new file mode 100644 index 000000000..e69de29bb diff --git a/charts/asserts/asserts/1.11.0/charts/promxy/templates/_helpers.tpl b/charts/asserts/asserts/1.11.0/charts/promxy/templates/_helpers.tpl new file mode 100644 index 000000000..4558e7569 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/promxy/templates/_helpers.tpl @@ -0,0 +1,127 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "promxy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "promxy.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "promxy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "promxy.labels" -}} +helm.sh/chart: {{ include "promxy.chart" . }} +{{ include "promxy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "promxy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "promxy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "promxy.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "promxy.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Set the config name +*/}} +{{- define "promxy.configName" -}} +{{- if .Values.existingConfigMap }} +{{- .Values.existingConfigMap }} +{{- else }} +{{- include "promxy.fullname" . }} +{{- end }} +{{- end }} + +{{/* +Renders a value that contains template. +Usage: +{{ include "render-values" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "render-values" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{/* +Get KubeVersion removing pre-release information. +*/}} +{{- define "kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "kubeVersion" .)) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "ingress.isStable" -}} + {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "ingress.supportsIngressClassName" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "kubeVersion" .))) -}} +{{- end -}} + +{{/* +Return if ingress supports pathType. +*/}} +{{- define "ingress.supportsPathType" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "kubeVersion" .))) -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/promxy/templates/configmap.yaml b/charts/asserts/asserts/1.11.0/charts/promxy/templates/configmap.yaml new file mode 100644 index 000000000..41f7b60f1 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/promxy/templates/configmap.yaml @@ -0,0 +1,19 @@ +{{- if not .Values.existingConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "promxy.fullname" . }} + labels: {{- include "promxy.labels" . | nindent 4 }} + {{- with .Values.extraLabels }} + {{- toYaml . | nindent 4 -}} + {{- end }} +data: + config.yaml: | + {{- with .Values.config }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.alerts }} + alerts.yaml: | + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/promxy/templates/deployment.yaml b/charts/asserts/asserts/1.11.0/charts/promxy/templates/deployment.yaml new file mode 100644 index 000000000..f8a00e419 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/promxy/templates/deployment.yaml @@ -0,0 +1,116 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "promxy.fullname" . }} + labels: {{- include "promxy.labels" . | nindent 4 }} + {{- with .Values.extraLabels }} + {{- toYaml . | nindent 4 -}} + {{- end }} + {{- with .Values.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + {{- with .Values.strategy }} + strategy: {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "promxy.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: {{- include "promxy.selectorLabels" . | nindent 8 }} + {{- with .Values.extraPodLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.podAnnotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "promxy.serviceAccountName" . }} + {{- with .Values.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.initContainers }} + initContainers: {{ include "render-values" ( dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + {{- with .Values.extraContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + - args: + - "--config={{ .Values.configPath }}" + - "--web.enable-lifecycle" + {{- range $key, $value := .Values.extraArgs }} + - "--{{ $key }}={{ $value }}" + {{- end }} + {{- with .Values.env }} + env: {{- toYaml . | nindent 12 }} + {{- end }} + command: + - "/bin/promxy" + image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: promxy + livenessProbe: + failureThreshold: 6 + httpGet: + path: /-/healthy + port: http + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + readinessProbe: + failureThreshold: 120 + httpGet: + path: /-/ready + port: http + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + ports: + - containerPort: 8082 + name: http + volumeMounts: + - mountPath: "/etc/promxy/" + name: config + readOnly: false + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + resources: {{- toYaml .Values.resources | nindent 12 }} + # container to reload configs on configmap change + - name: promxy-server-configmap-reload + args: + - "--volume-dir=/etc/promxy" + - "--webhook-url=http://localhost:8082/-/reload" + image: jimmidyson/configmap-reload:v0.5.0 + volumeMounts: + - mountPath: "/etc/promxy/" + name: config + readOnly: false + resources: + requests: + cpu: 0.02 + memory: 20Mi + limits: + cpu: 0.02 + memory: 20Mi + volumes: + - name: config + configMap: + name: {{ include "promxy.configName" .}} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/promxy/templates/ingress.yaml b/charts/asserts/asserts/1.11.0/charts/promxy/templates/ingress.yaml new file mode 100644 index 000000000..088c43c71 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/promxy/templates/ingress.yaml @@ -0,0 +1,52 @@ +{{- if .Values.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $serviceName := include "promxy.fullname" . }} +{{- $servicePort := .Values.service.port -}} +{{- $ingressPath := .Values.ingress.path -}} +{{- $ingressPathType := .Values.ingress.pathType -}} +{{- $extraPaths := .Values.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ template "promxy.fullname" . }} + {{- with .Values.ingress.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} + labels: {{- include "promxy.labels" . | nindent 4 }} + {{- with .Values.ingress.extraLabels }} + {{- toYaml . | nindent 4 -}} + {{- end }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} + {{- with .Values.ingress.tls }} + tls: {{- toYaml . | nindent 4 }} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/promxy/templates/pdb.yaml b/charts/asserts/asserts/1.11.0/charts/promxy/templates/pdb.yaml new file mode 100644 index 000000000..5655c8ee0 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/promxy/templates/pdb.yaml @@ -0,0 +1,11 @@ +{{- if .Values.podDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "promxy.fullname" . }} + labels: {{- include "promxy.labels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: {{- include "promxy.labels" . | nindent 6 }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/promxy/templates/service.yaml b/charts/asserts/asserts/1.11.0/charts/promxy/templates/service.yaml new file mode 100644 index 000000000..5dfa6293d --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/promxy/templates/service.yaml @@ -0,0 +1,37 @@ + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "promxy.fullname" . }} + labels: {{- include "promxy.labels" . | nindent 4 }} + {{- with .Values.extraLabels }} + {{- toYaml . | nindent 4 -}} + {{- end }} + {{- if .Values.service.annotations }} + annotations: + {{- toYaml .Values.service.annotations | nindent 4 -}} + {{- end }} +spec: +{{- if .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: +{{ toYaml .Values.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} +{{- end }} +{{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.service.port }} + protocol: TCP + targetPort: http + selector: {{- include "promxy.selectorLabels" . | nindent 4 }} + type: {{ .Values.service.type }} diff --git a/charts/asserts/asserts/1.11.0/charts/promxy/templates/serviceaccount.yaml b/charts/asserts/asserts/1.11.0/charts/promxy/templates/serviceaccount.yaml new file mode 100644 index 000000000..a4929fdb7 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/promxy/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "promxy.serviceAccountName" . }} + labels: {{- include "promxy.labels" . | nindent 4 }} + {{- with .Values.extraLabels }} + {{- toYaml . | nindent 4 -}} + {{- end }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- with .Values.serviceAccount.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/promxy/templates/vpa.yaml b/charts/asserts/asserts/1.11.0/charts/promxy/templates/vpa.yaml new file mode 100644 index 000000000..16cbe444c --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/promxy/templates/vpa.yaml @@ -0,0 +1,19 @@ +{{- if .Values.verticalAutoscaler.enabled -}} +apiVersion: autoscaling.k8s.io/v1beta2 +kind: VerticalPodAutoscaler +metadata: + labels: {{- include "promxy.labels" . | nindent 4 }} + {{- with .Values.extraLabels }} + {{- toYaml . | nindent 4 -}} + {{- end }} + name: {{ template "promxy.fullname" . }} +spec: + targetRef: + apiVersion: "apps/v1" + kind: Deployment + name: {{ template "promxy.fullname" . }} + updatePolicy: + updateMode: {{ .Values.verticalAutoscaler.updateMode | default "Off" | quote }} + resourcePolicy: + containerPolicies: {{ .Values.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/promxy/values.yaml b/charts/asserts/asserts/1.11.0/charts/promxy/values.yaml new file mode 100644 index 000000000..a987f2561 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/promxy/values.yaml @@ -0,0 +1,155 @@ +clusterDomain: svc.cluster.local + +image: + repository: quay.io/jacksontj/promxy + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +replicaCount: 1 + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + create: true + ## The name of the service account to use. + ## If not set and create is true, a name is generated using the fullname template + name: + # Secrets for the service accout + imagePullSecrets: [] + annotations: {} + +strategy: {} + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + +service: + type: ClusterIP + port: 8082 + clusterIP: "" + externalIPs: [] + loadBalancerIP: "" + loadBalancerSourceRanges: [] + annotations: {} + +ingress: + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + annotations: {} + + extraLabels: {} + + hosts: [] + # - promxy.domain.com + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + tls: [] + # - secretName: promxy-tls + # hosts: + # - promxy.domain.com + +podDisruptionBudget: + enabled: false + # minAvailable: 1 + # maxUnavailable: 1 + +resources: {} + +verticalAutoscaler: + enabled: false + # updateMode: "Auto" + # containerPolicies: + # - containerName: 'promxy' + # minAllowed: + # cpu: "250m" + # memory: "100Mi" + # maxAllowed: + # cpu: "2000m" + # memory: "2048Mi" + # - containerName: "promxy-server-configmap-reload" + # mode: "Off" + +extraArgs: + log-level: "info" + +initContainers: [] + +# common annotations for all resources without their own annotations field +annotations: {} + +# extra labels for all resources without their own extraLabels field +extraLabels: {} + +# extra labels for the pods deployed +extraPodLabels: {} + +# extra annotations for the pods deployed +podAnnotations: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +extraContainers: [] + +extraVolumeMounts: [] + +extraVolumes: [] + +# existing configmap name +# else config values will be used +existingConfigMap: + +configPath: "/etc/promxy/config.yaml" + +config: + ## + ## Regular prometheus configuration + ## + global: + evaluation_interval: 5s + # external_labels: + # remote_write configuration is used by promxy as its local Appender, meaning all + # metrics promxy would "write" (not export) would be sent to this. Examples + # of this include: recording rules, metrics on alerting rules, etc. + remote_write: + - url: http://localhost:8083/receive + ## + ### Promxy configuration + ## + # promxy: + # server_groups: + # - static_configs: + # - targets: + # - localhost:9090 + +# alerts defined here are set in +# templates/configmap.yaml they +# are part of the same ConfigMap as +# the prometheus/promxy configuration +alerts: {} + # groups: + # - name: alerts + # rules: + # - alert: TestMinData + # expr: absent(metric_no_data) diff --git a/charts/nutanix-csi-storage/nutanix-csi-storage/2.5.0/.helmignore b/charts/asserts/asserts/1.11.0/charts/redis/.helmignore similarity index 100% rename from charts/nutanix-csi-storage/nutanix-csi-storage/2.5.0/.helmignore rename to charts/asserts/asserts/1.11.0/charts/redis/.helmignore diff --git a/charts/asserts/asserts/1.11.0/charts/redis/Chart.lock b/charts/asserts/asserts/1.11.0/charts/redis/Chart.lock new file mode 100644 index 000000000..357b97acf --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.13.0 +digest: sha256:e83af41b39942278f8389623671732e624f28c6f1ad6ac2d937e210c5f354a18 +generated: "2022-03-26T15:58:13.013691133Z" diff --git a/charts/asserts/asserts/1.11.0/charts/redis/Chart.yaml b/charts/asserts/asserts/1.11.0/charts/redis/Chart.yaml new file mode 100644 index 000000000..e4323facb --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/Chart.yaml @@ -0,0 +1,28 @@ +annotations: + category: Database +apiVersion: v2 +appVersion: 6.2.6 +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +description: Redis(TM) is an open source, advanced key-value store. It is often referred + to as a data structure server since keys can contain strings, hashes, lists, sets + and sorted sets. +home: https://github.com/bitnami/charts/tree/master/bitnami/redis +icon: https://bitnami.com/assets/stacks/redis/img/redis-stack-220x234.png +keywords: +- redis +- keyvalue +- database +maintainers: +- email: containers@bitnami.com + name: Bitnami +- email: cedric@desaintmartin.fr + name: desaintmartin +name: redis +sources: +- https://github.com/bitnami/bitnami-docker-redis +version: 16.8.7 diff --git a/charts/asserts/asserts/1.11.0/charts/redis/README.md b/charts/asserts/asserts/1.11.0/charts/redis/README.md new file mode 100644 index 000000000..ba476c564 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/README.md @@ -0,0 +1,871 @@ + + +# Redis(TM) packaged by Bitnami + +Redis(TM) is an open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. + +[Overview of Redis™](http://redis.io) + +Disclaimer: Redis is a registered trademark of Redis Labs Ltd. Any rights therein are reserved to Redis Labs Ltd. Any use by Bitnami is for referential purposes only and does not indicate any sponsorship, endorsement, or affiliation between Redis Labs Ltd. + +## TL;DR + +```bash +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/redis +``` + +## Introduction + +This chart bootstraps a [Redis™](https://github.com/bitnami/bitnami-docker-redis) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +### Choose between Redis™ Helm Chart and Redis™ Cluster Helm Chart + +You can choose any of the two Redis™ Helm charts for deploying a Redis™ cluster. + +1. [Redis™ Helm Chart](https://github.com/bitnami/charts/tree/master/bitnami/redis) will deploy a master-slave cluster, with the [option](https://github.com/bitnami/charts/tree/master/bitnami/redis#redis-sentinel-configuration-parameters) of enabling using Redis™ Sentinel. +2. [Redis™ Cluster Helm Chart](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) will deploy a Redis™ Cluster topology with sharding. + +The main features of each chart are the following: + +| Redis™ | Redis™ Cluster | +|--------------------------------------------------------|------------------------------------------------------------------------| +| Supports multiple databases | Supports only one database. Better if you have a big dataset | +| Single write point (single master) | Multiple write points (multiple masters) | +| ![Redis™ Topology](img/redis-topology.png) | ![Redis™ Cluster Topology](img/redis-cluster-topology.png) | + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +$ helm install my-release bitnami/redis +``` + +The command deploys Redis™ on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```bash +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ------------------------- | -------------------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.redis.password` | Global Redis™ password (overrides `auth.password`) | `""` | + + +### Common parameters + +| Name | Description | Value | +| ------------------------ | --------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `nameOverride` | String to partially override common.names.fullname | `""` | +| `fullnameOverride` | String to fully override common.names.fullname | `""` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `secretAnnotations` | Annotations to add to secret | `{}` | +| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + + +### Redis™ Image parameters + +| Name | Description | Value | +| ------------------- | ------------------------------------------------------- | ---------------------- | +| `image.registry` | Redis™ image registry | `docker.io` | +| `image.repository` | Redis™ image repository | `bitnami/redis` | +| `image.tag` | Redis™ image tag (immutable tags are recommended) | `6.2.6-debian-10-r169` | +| `image.pullPolicy` | Redis™ image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Redis™ image pull secrets | `[]` | +| `image.debug` | Enable image debug mode | `false` | + + +### Redis™ common configuration parameters + +| Name | Description | Value | +| -------------------------------- | --------------------------------------------------------------------------------------- | ------------- | +| `architecture` | Redis™ architecture. Allowed values: `standalone` or `replication` | `replication` | +| `auth.enabled` | Enable password authentication | `true` | +| `auth.sentinel` | Enable password authentication on sentinels too | `true` | +| `auth.password` | Redis™ password | `""` | +| `auth.existingSecret` | The name of an existing secret with Redis™ credentials | `""` | +| `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` | +| `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` | +| `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` | +| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis™ nodes | `""` | + + +### Redis™ master configuration parameters + +| Name | Description | Value | +| ------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------------ | +| `master.configuration` | Configuration for Redis™ master nodes | `""` | +| `master.disableCommands` | Array with Redis™ commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` | +| `master.command` | Override default container command (useful when using custom images) | `[]` | +| `master.args` | Override default container args (useful when using custom images) | `[]` | +| `master.preExecCmds` | Additional commands to run prior to starting Redis™ master | `[]` | +| `master.extraFlags` | Array with additional command line flags for Redis™ master | `[]` | +| `master.extraEnvVars` | Array with extra environment variables to add to Redis™ master nodes | `[]` | +| `master.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis™ master nodes | `""` | +| `master.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis™ master nodes | `""` | +| `master.containerPorts.redis` | Container port to open on Redis™ master nodes | `6379` | +| `master.startupProbe.enabled` | Enable startupProbe on Redis™ master nodes | `false` | +| `master.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `20` | +| `master.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` | +| `master.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `master.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | +| `master.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `master.livenessProbe.enabled` | Enable livenessProbe on Redis™ master nodes | `true` | +| `master.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `master.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `master.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `master.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `master.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `master.readinessProbe.enabled` | Enable readinessProbe on Redis™ master nodes | `true` | +| `master.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `master.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `master.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `master.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | +| `master.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `master.resources.limits` | The resources limits for the Redis™ master containers | `{}` | +| `master.resources.requests` | The requested resources for the Redis™ master containers | `{}` | +| `master.podSecurityContext.enabled` | Enabled Redis™ master pods' Security Context | `true` | +| `master.podSecurityContext.fsGroup` | Set Redis™ master pod's Security Context fsGroup | `1001` | +| `master.containerSecurityContext.enabled` | Enabled Redis™ master containers' Security Context | `true` | +| `master.containerSecurityContext.runAsUser` | Set Redis™ master containers' Security Context runAsUser | `1001` | +| `master.kind` | Use either Deployment or StatefulSet (default) | `StatefulSet` | +| `master.schedulerName` | Alternate scheduler for Redis™ master pods | `""` | +| `master.updateStrategy.type` | Redis™ master statefulset strategy type | `RollingUpdate` | +| `master.priorityClassName` | Redis™ master pods' priorityClassName | `""` | +| `master.hostAliases` | Redis™ master pods host aliases | `[]` | +| `master.podLabels` | Extra labels for Redis™ master pods | `{}` | +| `master.podAnnotations` | Annotations for Redis™ master pods | `{}` | +| `master.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis™ master pods | `false` | +| `master.podAffinityPreset` | Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `master.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `master.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `master.nodeAffinityPreset.key` | Node label key to match. Ignored if `master.affinity` is set | `""` | +| `master.nodeAffinityPreset.values` | Node label values to match. Ignored if `master.affinity` is set | `[]` | +| `master.affinity` | Affinity for Redis™ master pods assignment | `{}` | +| `master.nodeSelector` | Node labels for Redis™ master pods assignment | `{}` | +| `master.tolerations` | Tolerations for Redis™ master pods assignment | `[]` | +| `master.topologySpreadConstraints` | Spread Constraints for Redis™ master pod assignment | `[]` | +| `master.dnsPolicy` | DNS Policy for Redis™ master pod | `""` | +| `master.dnsConfig` | DNS Configuration for Redis™ master pod | `{}` | +| `master.lifecycleHooks` | for the Redis™ master container(s) to automate configuration before or after startup | `{}` | +| `master.extraVolumes` | Optionally specify extra list of additional volumes for the Redis™ master pod(s) | `[]` | +| `master.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis™ master container(s) | `[]` | +| `master.sidecars` | Add additional sidecar containers to the Redis™ master pod(s) | `[]` | +| `master.initContainers` | Add additional init containers to the Redis™ master pod(s) | `[]` | +| `master.persistence.enabled` | Enable persistence on Redis™ master nodes using Persistent Volume Claims | `true` | +| `master.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `master.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` | +| `master.persistence.path` | The path the volume will be mounted at on Redis™ master containers | `/data` | +| `master.persistence.subPath` | The subdirectory of the volume to mount on Redis™ master containers | `""` | +| `master.persistence.storageClass` | Persistent Volume storage class | `""` | +| `master.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `master.persistence.size` | Persistent Volume size | `8Gi` | +| `master.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `master.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `master.persistence.dataSource` | Custom PVC data source | `{}` | +| `master.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | +| `master.service.type` | Redis™ master service type | `ClusterIP` | +| `master.service.ports.redis` | Redis™ master service port | `6379` | +| `master.service.nodePorts.redis` | Node port for Redis™ master | `""` | +| `master.service.externalTrafficPolicy` | Redis™ master service external traffic policy | `Cluster` | +| `master.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `master.service.clusterIP` | Redis™ master service Cluster IP | `""` | +| `master.service.loadBalancerIP` | Redis™ master service Load Balancer IP | `""` | +| `master.service.loadBalancerSourceRanges` | Redis™ master service Load Balancer sources | `[]` | +| `master.service.annotations` | Additional custom annotations for Redis™ master service | `{}` | +| `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` | + + +### Redis™ replicas configuration parameters + +| Name | Description | Value | +| -------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------ | +| `replica.replicaCount` | Number of Redis™ replicas to deploy | `3` | +| `replica.configuration` | Configuration for Redis™ replicas nodes | `""` | +| `replica.disableCommands` | Array with Redis™ commands to disable on replicas nodes | `["FLUSHDB","FLUSHALL"]` | +| `replica.command` | Override default container command (useful when using custom images) | `[]` | +| `replica.args` | Override default container args (useful when using custom images) | `[]` | +| `replica.preExecCmds` | Additional commands to run prior to starting Redis™ replicas | `[]` | +| `replica.extraFlags` | Array with additional command line flags for Redis™ replicas | `[]` | +| `replica.extraEnvVars` | Array with extra environment variables to add to Redis™ replicas nodes | `[]` | +| `replica.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis™ replicas nodes | `""` | +| `replica.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis™ replicas nodes | `""` | +| `replica.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `replica.externalMaster.host` | External master host to bootstrap from | `""` | +| `replica.externalMaster.port` | Port for Redis service external master host | `6379` | +| `replica.containerPorts.redis` | Container port to open on Redis™ replicas nodes | `6379` | +| `replica.startupProbe.enabled` | Enable startupProbe on Redis™ replicas nodes | `true` | +| `replica.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `replica.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `replica.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `replica.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` | +| `replica.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `replica.livenessProbe.enabled` | Enable livenessProbe on Redis™ replicas nodes | `true` | +| `replica.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `replica.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `replica.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `replica.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `replica.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `replica.readinessProbe.enabled` | Enable readinessProbe on Redis™ replicas nodes | `true` | +| `replica.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `replica.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `replica.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `replica.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | +| `replica.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `replica.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `replica.resources.limits` | The resources limits for the Redis™ replicas containers | `{}` | +| `replica.resources.requests` | The requested resources for the Redis™ replicas containers | `{}` | +| `replica.podSecurityContext.enabled` | Enabled Redis™ replicas pods' Security Context | `true` | +| `replica.podSecurityContext.fsGroup` | Set Redis™ replicas pod's Security Context fsGroup | `1001` | +| `replica.containerSecurityContext.enabled` | Enabled Redis™ replicas containers' Security Context | `true` | +| `replica.containerSecurityContext.runAsUser` | Set Redis™ replicas containers' Security Context runAsUser | `1001` | +| `replica.schedulerName` | Alternate scheduler for Redis™ replicas pods | `""` | +| `replica.updateStrategy.type` | Redis™ replicas statefulset strategy type | `RollingUpdate` | +| `replica.priorityClassName` | Redis™ replicas pods' priorityClassName | `""` | +| `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` | +| `replica.hostAliases` | Redis™ replicas pods host aliases | `[]` | +| `replica.podLabels` | Extra labels for Redis™ replicas pods | `{}` | +| `replica.podAnnotations` | Annotations for Redis™ replicas pods | `{}` | +| `replica.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis™ replicas pods | `false` | +| `replica.podAffinityPreset` | Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `replica.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `replica.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `replica.nodeAffinityPreset.key` | Node label key to match. Ignored if `replica.affinity` is set | `""` | +| `replica.nodeAffinityPreset.values` | Node label values to match. Ignored if `replica.affinity` is set | `[]` | +| `replica.affinity` | Affinity for Redis™ replicas pods assignment | `{}` | +| `replica.nodeSelector` | Node labels for Redis™ replicas pods assignment | `{}` | +| `replica.tolerations` | Tolerations for Redis™ replicas pods assignment | `[]` | +| `replica.topologySpreadConstraints` | Spread Constraints for Redis™ replicas pod assignment | `[]` | +| `replica.dnsPolicy` | DNS Policy for Redis™ replica pods | `""` | +| `replica.dnsConfig` | DNS Configuration for Redis™ replica pods | `{}` | +| `replica.lifecycleHooks` | for the Redis™ replica container(s) to automate configuration before or after startup | `{}` | +| `replica.extraVolumes` | Optionally specify extra list of additional volumes for the Redis™ replicas pod(s) | `[]` | +| `replica.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis™ replicas container(s) | `[]` | +| `replica.sidecars` | Add additional sidecar containers to the Redis™ replicas pod(s) | `[]` | +| `replica.initContainers` | Add additional init containers to the Redis™ replicas pod(s) | `[]` | +| `replica.persistence.enabled` | Enable persistence on Redis™ replicas nodes using Persistent Volume Claims | `true` | +| `replica.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `replica.persistence.path` | The path the volume will be mounted at on Redis™ replicas containers | `/data` | +| `replica.persistence.subPath` | The subdirectory of the volume to mount on Redis™ replicas containers | `""` | +| `replica.persistence.storageClass` | Persistent Volume storage class | `""` | +| `replica.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `replica.persistence.size` | Persistent Volume size | `8Gi` | +| `replica.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `replica.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `replica.persistence.dataSource` | Custom PVC data source | `{}` | +| `replica.service.type` | Redis™ replicas service type | `ClusterIP` | +| `replica.service.ports.redis` | Redis™ replicas service port | `6379` | +| `replica.service.nodePorts.redis` | Node port for Redis™ replicas | `""` | +| `replica.service.externalTrafficPolicy` | Redis™ replicas service external traffic policy | `Cluster` | +| `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `replica.service.clusterIP` | Redis™ replicas service Cluster IP | `""` | +| `replica.service.loadBalancerIP` | Redis™ replicas service Load Balancer IP | `""` | +| `replica.service.loadBalancerSourceRanges` | Redis™ replicas service Load Balancer sources | `[]` | +| `replica.service.annotations` | Additional custom annotations for Redis™ replicas service | `{}` | +| `replica.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-replicas pods | `30` | +| `replica.autoscaling.enabled` | Enable replica autoscaling settings | `false` | +| `replica.autoscaling.minReplicas` | Minimum replicas for the pod autoscaling | `1` | +| `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` | +| `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` | +| `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` | + + +### Redis™ Sentinel configuration parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `sentinel.enabled` | Use Redis™ Sentinel on Redis™ pods. | `false` | +| `sentinel.image.registry` | Redis™ Sentinel image registry | `docker.io` | +| `sentinel.image.repository` | Redis™ Sentinel image repository | `bitnami/redis-sentinel` | +| `sentinel.image.tag` | Redis™ Sentinel image tag (immutable tags are recommended) | `6.2.6-debian-10-r167` | +| `sentinel.image.pullPolicy` | Redis™ Sentinel image pull policy | `IfNotPresent` | +| `sentinel.image.pullSecrets` | Redis™ Sentinel image pull secrets | `[]` | +| `sentinel.image.debug` | Enable image debug mode | `false` | +| `sentinel.masterSet` | Master set name | `mymaster` | +| `sentinel.quorum` | Sentinel Quorum | `2` | +| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `220` | +| `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` | +| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis™ node is down | `60000` | +| `sentinel.failoverTimeout` | Timeout for performing a election failover | `18000` | +| `sentinel.parallelSyncs` | Number of replicas that can be reconfigured in parallel to use the new master after a failover | `1` | +| `sentinel.configuration` | Configuration for Redis™ Sentinel nodes | `""` | +| `sentinel.command` | Override default container command (useful when using custom images) | `[]` | +| `sentinel.args` | Override default container args (useful when using custom images) | `[]` | +| `sentinel.preExecCmds` | Additional commands to run prior to starting Redis™ Sentinel | `[]` | +| `sentinel.extraEnvVars` | Array with extra environment variables to add to Redis™ Sentinel nodes | `[]` | +| `sentinel.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis™ Sentinel nodes | `""` | +| `sentinel.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis™ Sentinel nodes | `""` | +| `sentinel.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `sentinel.externalMaster.host` | External master host to bootstrap from | `""` | +| `sentinel.externalMaster.port` | Port for Redis service external master host | `6379` | +| `sentinel.containerPorts.sentinel` | Container port to open on Redis™ Sentinel nodes | `26379` | +| `sentinel.startupProbe.enabled` | Enable startupProbe on Redis™ Sentinel nodes | `true` | +| `sentinel.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `sentinel.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `sentinel.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` | +| `sentinel.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `sentinel.livenessProbe.enabled` | Enable livenessProbe on Redis™ Sentinel nodes | `true` | +| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `sentinel.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `sentinel.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `sentinel.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `sentinel.readinessProbe.enabled` | Enable readinessProbe on Redis™ Sentinel nodes | `true` | +| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `sentinel.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | +| `sentinel.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `sentinel.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `sentinel.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `sentinel.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `sentinel.persistence.enabled` | Enable persistence on Redis™ sentinel nodes using Persistent Volume Claims (Experimental) | `false` | +| `sentinel.persistence.storageClass` | Persistent Volume storage class | `""` | +| `sentinel.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `sentinel.persistence.size` | Persistent Volume size | `100Mi` | +| `sentinel.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `sentinel.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `sentinel.persistence.dataSource` | Custom PVC data source | `{}` | +| `sentinel.resources.limits` | The resources limits for the Redis™ Sentinel containers | `{}` | +| `sentinel.resources.requests` | The requested resources for the Redis™ Sentinel containers | `{}` | +| `sentinel.containerSecurityContext.enabled` | Enabled Redis™ Sentinel containers' Security Context | `true` | +| `sentinel.containerSecurityContext.runAsUser` | Set Redis™ Sentinel containers' Security Context runAsUser | `1001` | +| `sentinel.lifecycleHooks` | for the Redis™ sentinel container(s) to automate configuration before or after startup | `{}` | +| `sentinel.extraVolumes` | Optionally specify extra list of additional volumes for the Redis™ Sentinel | `[]` | +| `sentinel.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis™ Sentinel container(s) | `[]` | +| `sentinel.service.type` | Redis™ Sentinel service type | `ClusterIP` | +| `sentinel.service.ports.redis` | Redis™ service port for Redis™ | `6379` | +| `sentinel.service.ports.sentinel` | Redis™ service port for Redis™ Sentinel | `26379` | +| `sentinel.service.nodePorts.redis` | Node port for Redis™ | `""` | +| `sentinel.service.nodePorts.sentinel` | Node port for Sentinel | `""` | +| `sentinel.service.externalTrafficPolicy` | Redis™ Sentinel service external traffic policy | `Cluster` | +| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `sentinel.service.clusterIP` | Redis™ Sentinel service Cluster IP | `""` | +| `sentinel.service.loadBalancerIP` | Redis™ Sentinel service Load Balancer IP | `""` | +| `sentinel.service.loadBalancerSourceRanges` | Redis™ Sentinel service Load Balancer sources | `[]` | +| `sentinel.service.annotations` | Additional custom annotations for Redis™ Sentinel service | `{}` | +| `sentinel.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-node pods | `30` | + + +### Other Parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `podSecurityPolicy.enabled` | Enable PodSecurityPolicy's RBAC rules | `false` | +| `rbac.create` | Specifies whether RBAC resources should be created | `false` | +| `rbac.rules` | Custom RBAC rules to set | `[]` | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` | +| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` | +| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` | +| `tls.enabled` | Enable TLS traffic | `false` | +| `tls.authClients` | Require clients to authenticate | `true` | +| `tls.autoGenerated` | Enable autogenerated certificates | `false` | +| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` | +| `tls.certificatesSecret` | DEPRECATED. Use existingSecret instead. | `""` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate Key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename | `""` | +| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` | + + +### Metrics Parameters + +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------ | ------------------------ | +| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis™ metrics | `false` | +| `metrics.image.registry` | Redis™ Exporter image registry | `docker.io` | +| `metrics.image.repository` | Redis™ Exporter image repository | `bitnami/redis-exporter` | +| `metrics.image.tag` | Redis™ Redis™ Exporter image tag (immutable tags are recommended) | `1.37.0-debian-10-r9` | +| `metrics.image.pullPolicy` | Redis™ Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Redis™ Exporter image pull secrets | `[]` | +| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` | +| `metrics.redisTargetHost` | A way to specify an alternative Redis™ hostname | `localhost` | +| `metrics.extraArgs` | Extra arguments for Redis™ exporter, for example: | `{}` | +| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis™ exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enabled Redis™ exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.runAsUser` | Set Redis™ exporter containers' Security Context runAsUser | `1001` | +| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis™ metrics sidecar | `[]` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis™ metrics sidecar | `[]` | +| `metrics.resources.limits` | The resources limits for the Redis™ exporter container | `{}` | +| `metrics.resources.requests` | The requested resources for the Redis™ exporter container | `{}` | +| `metrics.podLabels` | Extra labels for Redis™ exporter pods | `{}` | +| `metrics.podAnnotations` | Annotations for Redis™ exporter pods | `{}` | +| `metrics.service.type` | Redis™ exporter service type | `ClusterIP` | +| `metrics.service.port` | Redis™ exporter service port | `9121` | +| `metrics.service.externalTrafficPolicy` | Redis™ exporter service external traffic policy | `Cluster` | +| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `metrics.service.loadBalancerIP` | Redis™ exporter service Load Balancer IP | `""` | +| `metrics.service.loadBalancerSourceRanges` | Redis™ exporter service Load Balancer sources | `[]` | +| `metrics.service.annotations` | Additional custom annotations for Redis™ exporter service | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` | +| `metrics.serviceMonitor.interval` | The interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` | +| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` | + + +### Init Container Parameters + +| Name | Description | Value | +| ------------------------------------------------------ | ----------------------------------------------------------------------------------------------- | ----------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Bitnami Shell image registry | `docker.io` | +| `volumePermissions.image.repository` | Bitnami Shell image repository | `bitnami/bitnami-shell` | +| `volumePermissions.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `10-debian-10-r378` | +| `volumePermissions.image.pullPolicy` | Bitnami Shell image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Bitnami Shell image pull secrets | `[]` | +| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | +| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | +| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | +| `sysctl.image.registry` | Bitnami Shell image registry | `docker.io` | +| `sysctl.image.repository` | Bitnami Shell image repository | `bitnami/bitnami-shell` | +| `sysctl.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `10-debian-10-r378` | +| `sysctl.image.pullPolicy` | Bitnami Shell image pull policy | `IfNotPresent` | +| `sysctl.image.pullSecrets` | Bitnami Shell image pull secrets | `[]` | +| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | +| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | +| `sysctl.resources.limits` | The resources limits for the init container | `{}` | +| `sysctl.resources.requests` | The requested resources for the init container | `{}` | + + +### useExternalDNS Parameters + +| Name | Description | Value | +| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `useExternalDNS.enabled` | Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. | `false` | +| `useExternalDNS.additionalAnnotations` | Extra annotations to be utilized when `external-dns` is enabled. | `{}` | +| `useExternalDNS.annotationKey` | The annotation key utilized when `external-dns` is enabled. | `external-dns.alpha.kubernetes.io/` | +| `useExternalDNS.suffix` | The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. | `""` | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +$ helm install my-release \ + --set auth.password=secretpassword \ + bitnami/redis +``` + +The above command sets the Redis™ server password to `secretpassword`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +$ helm install my-release -f values.yaml bitnami/redis +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Use a different Redis™ version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/redis/configuration/change-image-version/). + +### Bootstrapping with an External Cluster + +This chart is equipped with the ability to bring online a set of Pods that connect to an existing Redis deployment that lies outside of Kubernetes. This effectively creates a hybrid Redis Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single Redis Deployment. This is helpful in situations where one may be migrating Redis from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration: + +```yaml +replica: + externalMaster: + enabled: true + host: external-redis-0.internal +sentinel: + externalMaster: + enabled: true + host: external-redis-0.internal +``` + +:warning: This is currently limited to clusters in which Sentinel and Redis run on the same node! :warning: + +Please also note that the external sentinel must be listening on port `26379`, and this is currently not configurable. + +Once the Kubernetes Redis Deployment is online and confirmed to be working with the existing cluster, the configuration can then be removed and the cluster will remain connected. + +### External DNS + +This chart is equipped to allow leveraging the ExternalDNS project. Doing so will enable ExternalDNS to publish the FQDN for each instance, in the format of `..`. +Example, when using the following configuration: + +```yaml +useExternalDNS: + enabled: true + suffix: prod.example.org + additionalAnnotations: + ttl: 10 +``` + +On a cluster where the name of the Helm release is `a`, the hostname of a Pod is generated as: `a-redis-node-0.a-redis.prod.example.org`. The IP of that FQDN will match that of the associated Pod. This modifies the following parameters of the Redis/Sentinel configuration using this new FQDN: + +* `replica-announce-ip` +* `known-sentinel` +* `known-replica` +* `announce-ip` + +:warning: This requires a working installation of `external-dns` to be fully functional. :warning: + +See the [official ExternalDNS documentation](https://github.com/kubernetes-sigs/external-dns) for additional configuration options. + +### Cluster topologies + +#### Default: Master-Replicas + +When installing the chart with `architecture=replication`, it will deploy a Redis™ master StatefulSet (only one master node allowed) and a Redis™ replicas StatefulSet. The replicas will be read-replicas of the master. Two services will be exposed: + +- Redis™ Master service: Points to the master, where read-write operations can be performed +- Redis™ Replicas service: Points to the replicas, where only read operations are allowed. + +In case the master crashes, the replicas will wait until the master node is respawned again by the Kubernetes Controller Manager. + +#### Standalone + +When installing the chart with `architecture=standalone`, it will deploy a standalone Redis™ StatefulSet (only one node allowed). A single service will be exposed: + +- Redis™ Master service: Points to the master, where read-write operations can be performed + +#### Master-Replicas with Sentinel + +When installing the chart with `architecture=replication` and `sentinel.enabled=true`, it will deploy a Redis™ master StatefulSet (only one master allowed) and a Redis™ replicas StatefulSet. In this case, the pods will contain an extra container with Redis™ Sentinel. This container will form a cluster of Redis™ Sentinel nodes, which will promote a new master in case the actual one fails. In addition to this, only one service is exposed: + +- Redis™ service: Exposes port 6379 for Redis™ read-only operations and port 26379 for accessing Redis™ Sentinel. + +For read-only operations, access the service using port 6379. For write operations, it's necessary to access the Redis™ Sentinel cluster and query the current master using the command below (using redis-cli or similar): + +``` +SENTINEL get-master-addr-by-name +``` + +This command will return the address of the current master, which can be accessed from inside the cluster. + +In case the current master crashes, the Sentinel containers will elect a new master node. + +### Using a password file + +To use a password file for Redis™ you need to create a secret containing the password and then deploy the chart using that secret. + +Refer to the chart documentation for more information on [using a password file for Redis™](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/use-password-file/). + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.existingSecret`: Name of the secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. +- `tls.certCAFilename`: CA Certificate filename. No defaults. + +Refer to the chart documentation for more information on [creating the secret and a TLS deployment example](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/). + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9121) is exposed in the service. Metrics can be scraped from within the cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). If metrics are to be scraped from outside the cluster, the Kubernetes API proxy can be utilized to access the endpoint. + +If you have enabled TLS by specifying `tls.enabled=true` you also need to specify TLS option to the metrics exporter. You can do that via `metrics.extraArgs`. You can find the metrics exporter CLI flags for TLS [here](https://github.com/oliver006/redis_exporter#command-line-flags). For example: + +You can either specify `metrics.extraArgs.skip-tls-verification=true` to skip TLS verification or providing the following values under `metrics.extraArgs` for TLS client authentication: + +```console +tls-client-key-file +tls-client-cert-file +tls-ca-cert-file +``` + +### Host Kernel Settings + +Redis™ may require some changes in the kernel of the host machine to work as expected, in particular increasing the `somaxconn` value and disabling transparent huge pages. + +Refer to the chart documentation for more information on [configuring host kernel settings with an example](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/configure-kernel-settings/). + +## Persistence + +By default, the chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation. + +### Existing PersistentVolumeClaim + +1. Create the PersistentVolume +2. Create the PersistentVolumeClaim +3. Install the chart + +```bash +$ helm install my-release --set master.persistence.existingClaim=PVC_NAME bitnami/redis +``` + +## Backup and restore + +Refer to the chart documentation for more information on [backing up and restoring Redis™ deployments](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/backup-restore/). + +## NetworkPolicy + +To enable network policy for Redis™, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +Refer to the chart documenation for more information on [enabling the network policy in Redis™ deployments](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-network-policy/). + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. + +### To 16.0.0 + +This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. + +Affected values: + - `master.service.port` renamed as `master.service.ports.redis`. + - `master.service.nodePort` renamed as `master.service.nodePorts.redis`. + - `replica.service.port` renamed as `replica.service.ports.redis`. + - `replica.service.nodePort` renamed as `replica.service.nodePorts.redis`. + - `sentinel.service.port` renamed as `sentinel.service.ports.redis`. + - `sentinel.service.sentinelPort` renamed as `sentinel.service.ports.sentinel`. + - `master.containerPort` renamed as `master.containerPorts.redis`. + - `replica.containerPort` renamed as `replica.containerPorts.redis`. + - `sentinel.containerPort` renamed as `sentinel.containerPorts.sentinel`. + - `master.spreadConstraints` renamed as `master.topologySpreadConstraints` + - `replica.spreadConstraints` renamed as `replica.topologySpreadConstraints` + +### To 15.0.0 + +The parameter to enable the usage of StaticIDs was removed. The behavior is to [always use StaticIDs](https://github.com/bitnami/charts/pull/7278). + +### To 14.8.0 + +The Redis™ sentinel exporter was removed in this version because the upstream project was deprecated. The regular Redis™ exporter is included in the sentinel scenario as usual. + +### To 14.0.0 + +- Several parameters were renamed or disappeared in favor of new ones on this major version: + - The term *slave* has been replaced by the term *replica*. Therefore, parameters prefixed with `slave` are now prefixed with `replicas`. + - Credentials parameter are reorganized under the `auth` parameter. + - `cluster.enabled` parameter is deprecated in favor of `architecture` parameter that accepts two values: `standalone` and `replication`. + - `securityContext.*` is deprecated in favor of `XXX.podSecurityContext` and `XXX.containerSecurityContext`. + - `sentinel.metrics.*` parameters are deprecated in favor of `metrics.sentinel.*` ones. +- New parameters to add custom command, environment variables, sidecars, init containers, etc. were added. +- Chart labels were adapted to follow the [Helm charts standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels). +- values.yaml metadata was adapted to follow the format supported by [Readme Generator for Helm](https://github.com/bitnami-labs/readme-generator-for-helm). + +Consequences: + +Backwards compatibility is not guaranteed. To upgrade to `14.0.0`, install a new release of the Redis™ chart, and migrate the data from your previous release. You have 2 alternatives to do so: + +- Create a backup of the database, and restore it on the new release as explained in the [Backup and restore](#backup-and-restore) section. +- Reuse the PVC used to hold the master data on your previous release. To do so, use the `master.persistence.existingClaim` parameter. The following example assumes that the release name is `redis`: + +```bash +$ helm install redis bitnami/redis --set auth.password=[PASSWORD] --set master.persistence.existingClaim=[EXISTING_PVC] +``` + +| Note: you need to substitute the placeholder _[EXISTING_PVC]_ with the name of the PVC used on your previous release, and _[PASSWORD]_ with the password used in your previous release. + +### To 13.0.0 + +This major version updates the Redis™ docker image version used from `6.0` to `6.2`, the new stable version. There are no major changes in the chart and there shouldn't be any breaking changes in it as `6.2` is basically a stricter superset of `6.0`. For more information, please refer to [Redis™ 6.2 release notes](https://raw.githubusercontent.com/redis/redis/6.2/00-RELEASENOTES). + +### To 12.3.0 + +This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/master/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. + +### To 12.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +### To 11.0.0 + +When deployed with sentinel enabled, only a group of nodes is deployed and the master/slave role is handled in the group. To avoid breaking the compatibility, the settings for this nodes are given through the `slave.xxxx` parameters in `values.yaml` + +### To 9.0.0 + +The metrics exporter has been changed from a separate deployment to a sidecar container, due to the latest changes in the Redis™ exporter code. Check the [official page](https://github.com/oliver006/redis_exporter/) for more information. The metrics container image was changed from oliver006/redis_exporter to bitnami/redis-exporter (Bitnami's maintained package of oliver006/redis_exporter). + +### To 7.0.0 + +In order to improve the performance in case of slave failure, we added persistence to the read-only slaves. That means that we moved from Deployment to StatefulSets. This should not affect upgrades from previous versions of the chart, as the deployments did not contain any persistence at all. + +This version also allows enabling Redis™ Sentinel containers inside of the Redis™ Pods (feature disabled by default). In case the master crashes, a new Redis™ node will be elected as master. In order to query the current master (no redis master service is exposed), you need to query first the Sentinel cluster. Find more information [in this section](#master-slave-with-sentinel). + +### To 11.0.0 + +When using sentinel, a new statefulset called `-node` was introduced. This will break upgrading from a previous version where the statefulsets are called master and slave. Hence the PVC will not match the new naming and won't be reused. If you want to keep your data, you will need to perform a backup and then a restore the data in this new version. + +### To 10.0.0 + +For releases with `usePassword: true`, the value `sentinel.usePassword` controls whether the password authentication also applies to the sentinel port. This defaults to `true` for a secure configuration, however it is possible to disable to account for the following cases: + +- Using a version of redis-sentinel prior to `5.0.1` where the authentication feature was introduced. +- Where redis clients need to be updated to support sentinel authentication. + +If using a master/slave topology, or with `usePassword: false`, no action is required. + +### To 8.0.18 + +For releases with `metrics.enabled: true` the default tag for the exporter image is now `v1.x.x`. This introduces many changes including metrics names. You'll want to use [this dashboard](https://github.com/oliver006/redis_exporter/blob/master/contrib/grafana_prometheus_redis_dashboard.json) now. Please see the [redis_exporter github page](https://github.com/oliver006/redis_exporter#upgrading-from-0x-to-1x) for more details. + +### To 7.0.0 + +This version causes a change in the Redis™ Master StatefulSet definition, so the command helm upgrade would not work out of the box. As an alternative, one of the following could be done: + +- Recommended: Create a clone of the Redis™ Master PVC (for example, using projects like [this one](https://github.com/edseymour/pvc-transfer)). Then launch a fresh release reusing this cloned PVC. + + ``` + helm install my-release bitnami/redis --set persistence.existingClaim= + ``` + +- Alternative (not recommended, do at your own risk): `helm delete --purge` does not remove the PVC assigned to the Redis™ Master StatefulSet. As a consequence, the following commands can be done to upgrade the release + + ``` + helm delete --purge + helm install bitnami/redis + ``` + +Previous versions of the chart were not using persistence in the slaves, so this upgrade would add it to them. Another important change is that no values are inherited from master to slaves. For example, in 6.0.0 `slaves.readinessProbe.periodSeconds`, if empty, would be set to `master.readinessProbe.periodSeconds`. This approach lacked transparency and was difficult to maintain. From now on, all the slave parameters must be configured just as it is done with the masters. + +Some values have changed as well: + +- `master.port` and `slave.port` have been changed to `redisPort` (same value for both master and slaves) +- `master.securityContext` and `slave.securityContext` have been changed to `securityContext`(same values for both master and slaves) + +By default, the upgrade will not change the cluster topology. In case you want to use Redis™ Sentinel, you must explicitly set `sentinel.enabled` to `true`. + +### To 6.0.0 + +Previous versions of the chart were using an init-container to change the permissions of the volumes. This was done in case the `securityContext` directive in the template was not enough for that (for example, with cephFS). In this new version of the chart, this container is disabled by default (which should not affect most of the deployments). If your installation still requires that init container, execute `helm upgrade` with the `--set volumePermissions.enabled=true`. + +### To 5.0.0 + +The default image in this release may be switched out for any image containing the `redis-server` +and `redis-cli` binaries. If `redis-server` is not the default image ENTRYPOINT, `master.command` +must be specified. + +#### Breaking changes + +- `master.args` and `slave.args` are removed. Use `master.command` or `slave.command` instead in order to override the image entrypoint, or `master.extraFlags` to pass additional flags to `redis-server`. +- `disableCommands` is now interpreted as an array of strings instead of a string of comma separated values. +- `master.persistence.path` now defaults to `/data`. + +### To 4.0.0 + +This version removes the `chart` label from the `spec.selector.matchLabels` +which is immutable since `StatefulSet apps/v1beta2`. It has been inadvertently +added, causing any subsequent upgrade to fail. See https://github.com/helm/charts/issues/7726. + +It also fixes https://github.com/helm/charts/issues/7726 where a deployment `extensions/v1beta1` can not be upgraded if `spec.selector` is not explicitly set. + +Finally, it fixes https://github.com/helm/charts/issues/7803 by removing mutable labels in `spec.VolumeClaimTemplate.metadata.labels` so that it is upgradable. + +In order to upgrade, delete the Redis™ StatefulSet before upgrading: + +```bash +kubectl delete statefulsets.apps --cascade=false my-release-redis-master +``` + +And edit the Redis™ slave (and metrics if enabled) deployment: + +```bash +kubectl patch deployments my-release-redis-slave --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' +kubectl patch deployments my-release-redis-metrics --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' +``` + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/.helmignore b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/Chart.yaml b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/Chart.yaml new file mode 100644 index 000000000..2c938783d --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 1.13.0 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/master/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- email: containers@bitnami.com + name: Bitnami +name: common +sources: +- https://github.com/bitnami/charts +- https://www.bitnami.com/ +type: library +version: 1.13.0 diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/README.md b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/README.md new file mode 100644 index 000000000..c090f742f --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/README.md @@ -0,0 +1,347 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 1.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | +| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | +| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | +| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|-----------------------------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Input | +|--------------------------|------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis™ are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_affinities.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_affinities.tpl new file mode 100644 index 000000000..189ea403d --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_affinities.tpl @@ -0,0 +1,102 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_capabilities.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_capabilities.tpl new file mode 100644 index 000000000..4ec8321ef --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_capabilities.tpl @@ -0,0 +1,139 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_errors.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_errors.tpl new file mode 100644 index 000000000..a79cc2e32 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_images.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_images.tpl new file mode 100644 index 000000000..42ffbc722 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_images.tpl @@ -0,0 +1,75 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $tag := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if $registryName }} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- else -}} +{{- printf "%s:%s" $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_ingress.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_ingress.tpl new file mode 100644 index 000000000..8caf73a61 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_ingress.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_labels.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_labels.tpl new file mode 100644 index 000000000..252066c7e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_names.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_names.tpl new file mode 100644 index 000000000..c8574d175 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_names.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_secrets.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_secrets.tpl new file mode 100644 index 000000000..a53fb44f7 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_secrets.tpl @@ -0,0 +1,140 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key }} + {{- else }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_storage.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_storage.tpl new file mode 100644 index 000000000..60e2a844f --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_tplvalues.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_tplvalues.tpl new file mode 100644 index 000000000..2db166851 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_utils.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_utils.tpl new file mode 100644 index 000000000..ea083a249 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_warnings.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_warnings.tpl new file mode 100644 index 000000000..ae10fa41e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_cassandra.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 000000000..ded1ae3bc --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_mariadb.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 000000000..b6906ff77 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_mongodb.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 000000000..a071ea4d3 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_postgresql.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 000000000..164ec0d01 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_redis.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_redis.tpl new file mode 100644 index 000000000..5d72959b9 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,76 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis™ required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_validations.tpl b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_validations.tpl new file mode 100644 index 000000000..9a814cf40 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/charts/common/values.yaml b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/values.yaml new file mode 100644 index 000000000..f2df68e5e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/charts/common/values.yaml @@ -0,0 +1,5 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/charts/asserts/asserts/1.11.0/charts/redis/ci/extra-flags-values.yaml b/charts/asserts/asserts/1.11.0/charts/redis/ci/extra-flags-values.yaml new file mode 100644 index 000000000..8c1dcefba --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/ci/extra-flags-values.yaml @@ -0,0 +1,12 @@ +master: + extraFlags: + - --maxmemory-policy allkeys-lru + persistence: + enabled: false +replica: + extraFlags: + - --maxmemory-policy allkeys-lru + persistence: + enabled: false +auth: + enabled: false diff --git a/charts/asserts/asserts/1.11.0/charts/redis/ci/sentinel-values.yaml b/charts/asserts/asserts/1.11.0/charts/redis/ci/sentinel-values.yaml new file mode 100644 index 000000000..48dfa1d4e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/ci/sentinel-values.yaml @@ -0,0 +1,6 @@ +sentinel: + enabled: true +metrics: + enabled: true + sentinel: + enabled: true diff --git a/charts/asserts/asserts/1.11.0/charts/redis/ci/standalone-values.yaml b/charts/asserts/asserts/1.11.0/charts/redis/ci/standalone-values.yaml new file mode 100644 index 000000000..dfef688c2 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/ci/standalone-values.yaml @@ -0,0 +1 @@ +architecture: standalone diff --git a/charts/asserts/asserts/1.11.0/charts/redis/img/redis-cluster-topology.png b/charts/asserts/asserts/1.11.0/charts/redis/img/redis-cluster-topology.png new file mode 100644 index 0000000000000000000000000000000000000000..f0a02a9f8835381302731c9cb000b2835a45e7c9 GIT binary patch literal 11448 zcmeI2cUx22x9_8Zh@yyC0I4cPR3wC|kVp$H5PB1ZB#;m~gf1}_1O)^|QB*Y2#4gyt zMlbeAQxFvp712m>hX{m(GZyaOx!ZkSz`gf*j(>!>GS^(QjWNFCGu9zzC!56!6&9jU zsKs`+R<0=2Tv-%qj{Ji8aAni0vR)KQEHl>HJ2pI#N)HP{sbegEe^b}f4US~Qs$;Cw z_4G(lQ96Ni5-o-l&d`YniiJz?dw66Zok|Z1{M|-RS5J47uKp%8#vQGzjxpCah7XLM zj-j5O@9*{`T2RE_9UAE9LI+xoBnmwuHj)v%{&$O@SQ71bZ+Kl2DH#*!W~guJ6YNcK zHZTeO`>F9kF${WS#P4QkJslGrH2U}5u}M)uzb^*{#nUN4$W@Fr%;@i-!xQO$57ytD z8g7NACsAo=gGf@4U2vq4|L;yBNa25X;tb>6G}|@C+Q2i|iEP41uyWQ#JBJ%4#8?F< zhJ?qHVxj_RUKr=dpkNn9ac?y zjjf4Zb6GNz?1!C-z2!T|`I6FNrJxgzEdNh&X5<(5KrG*81T6sFq zW4#j0(FP$=R0ktuGQKhJ>5aE1x<}i)7{Yf-uoVV+b&Uyx|9F@?Q)9v%9i!kom8xr_ zZyDi8quLlJ$HoMDMv5Etu;N25ccDbf0|Q5Hey zuy9hmyN{lmxi_9+6lmk*8e~ZKun3K`af^yY(`;?=K0&@@N^D4|ZmdgqQerIL%hrxy zM`KVuoedc@Cs*&NU@z}TC!YjoOLVwfgp0XBq^=QOH`LfZDk)yy$}P!&oMd9pNV2eV za19GKbTn|V3?&(oC>TsM-pj)_-XqzO!f>`XcTI{5(F-#P4|eb+*@i_q#RWz9Cb}lU zY#Dly5oBMwdxVb>J|ZxR=Hn2B(esIp*C%@g#keGsV#(gFfsDuqU)z`@qaaF%b3~+m zaCivCJ1!{#Z-OS0%&mNabUj@xDKwK12OC|CUMSr<(LBO6#=*zKmh2FMcXPB0wAZ(G zOLT#y3^MdVd+FN4H&{DMs+$|$6}}_mun)3ByGD6M!*@NGc#37RH*(}cY~w5(g7s}^ zzJ{deP$OjHtPIHRcv})F*daVJ9OLS0Leg`Niu1-BQNyAVy)cG$-t^cQdT5*_#!w#< z6bFATlk}s>LCIl6HxqO;(KpT^F4{I2o&%lvSS5MJQIi?*1e?StBg+V5BGsE18|WMZ zW@PMb;;rjJh)Z(TCxklSlZ>ctaW=Yo)I?_w8+1I}9FDPYfEk{Rp z-ILpbFFK4J$#eW+T6n?W^l5qJZKu}h5eQ&HLB6NEPly?kFMd+9B*;21U%BtZEs%?pK-aOJA&_a1j0}?4#_1KVkJ~ zb1N$=!~T5LHEY(Ki6ShOkvZyUtN}kg)=-p%p8{pGCE=%=k}YB~GBVw%{}0_J=Dl%c zNm&_1!2faZ@ZlzI_bqfh*IP+9=vgI}rUzo0%pyLDCQ>#KFyN?VT{J-WBp zCg)?vCAY`Vo>`JeY8zKB+H+FMc}Q(BfZHZ_r67MSRsc_F7C zywt+dvh}JDW@2iJ{P>7kKAJK=H#hgl*|VFbw_3cM9SuWCQ8xa>xpUb;&rXoK%1McR zdnJ}CDoP!Dk~;a<;97Nc@fy+86}OQmPoC7l)OA^+lzf7Q)M`ViYrc0ZqM~%M)1#Jw zfq};3$}t=HHo0Bw?;rEaU97FebB`UnQf>OC*hZRgcFPL?lreG9^k2lGzd~ZiK3a#p zy)Aj;;m?Kl6GpPH?|86AUw`=-!|+_};cth8N7wOf@{BbUz8)iD>yD^dMsdu3sjgcm zW@l$t760Qj&u4MW_&1NM{x!;Vb#<@w7h9$;X)0sy)@H8k+&6o3!pHoJ>1>urexUjA z{*xzH?Mxn059_{ZJ+&^q>tPZG7Orn-Nb**9*6rK+L&p|ya{?=HmlwBKDP8rsHUCla zcztmWHlwP_c!*J;ZD_dCY!|w?1!4%~4*Dqs@kWrCfWZ=WDk*3@9_9&Rg z5F_^U)4UCdKkmGFRb;&gdi0)Bv?Q|{S_2<>6TK>ZjGG z9{XfuWax&!)fbyTe+?S#0yhM(;#x%99AT%DK(HZO64jEUVl(pL5m;Fr&fwZPdwct( z%F5ZbwcE;A()V1-YtksJyA;;q7Ewg>BpOX=mYSHHB=uG^+sd@U;l8gOmt?7&bDNkM zu3c;-9?ml75dN@2UC14Kwt46Ayu3oYV;XHVV{t*d3K&7wJ2t7s>ig?!V=XEy zTei8u;}z>#O<*5YkYo515Ix`}TT?sxu@^5d`*D}*ybg@r&so3e+v-a$5 zZUo2RH_Wjx%ILh}MVX!$Yom3g3NIn!T+5S?3nT>6XvGdEb=qi07N;DkD{zvz0b5=XcjZ z%dB}4OKjOLo4Fig7=&v@&9~z!vfyUH!r>W8>ohdhn40=cWhIkX&B#nMgdSzQe698C z&HwuHqLib$HKeUX^6As3C7g@0e3~gTl8)Z9$CYK#Xmq|lJ(njRXfx1~)AFtJO6k9w zkVqt3A`$kLt7TxY0_>xW)*>D8sh7e;aXnntiCP%~e12HDO9BW)FCB@FA<~X*CewMZ8<>mEH4zkm8a-`u%DeyvRRBF-r^R>#fZ%=tc?G*uabB8b?O`
    gt0u3YK+3VbZ)7Cr=g*&)YecY;+uHRLladT3#L-cG+Z4CN zKHgdOtr;9@>`b#Ba+WJ_{4yh$6P!auoRD{nC(pX_v#ErxkgbB-IsWFP&W_}s%qJmt z*68S5|2A?sI~z}@uitaVzm50v=e`T{#J^q`x%l~|^x)X1PD%ECQ3)6r7}&pZlW#!x z&7i92f%*0h4r6aaZ}j74CZ$tSQjUNV{3&o&kyxTw>qazFXX3Act31{S^Z5WvqP%;8 zRA3x!@p~>={SD~@*D62Me{9N}gIbv>4iVJ*7S*vcbLjhxnzRda8yg$XpFfY95st75=?aFC9}wq0 zF)@LdjmM0RV|#f>r?%h2M3;$#Pa{fO)5_jR(9T%&W!y0{L3|lv0qAhQ-1KmF^PQ#ZP>O;1`%Dz!7D2~MQU ziWTB2Dk_SwVr4}3^O^Dya_Y^8?nk&h01c(e<# zn#xC@6l4*7aQx)S269E;yL${|OE<2}jM=QQ;)KaRrkkog^P>D`le>${Uf8$b)1Kp> zs|yMWF0X0_-=xd4u&0Y3+CqaAK$nqa%A?fkq#lyJoui-Hen2>X}amW4T zsHl&Pl3-Q+5SF_hB#eanpW7uIe*?#A_w<-e)@q~SyPJD|z&6%iOR!QgO3a%bavc#AD>^6l_mA0H!azv|NZlSo-Y>{7yA@;9CP`qRRbUn%6+e)_JqE@(-#Tj($SLZ+CP~bsy z^z=kD2pv1Nx#8&8SRE{FDJOU-zYL2!Y4}F2TC*4mHh4*NbaWfddEQmOd&^+c{tSn~ z1k|3gva*{asc|0Qw8G!sK8kJ7>0&1%@zj--rXaiP*RVBWzVhzUM4V8cKhnFInYN=G zH(rj*4J;8!8EBy5Shg7(^gc>&AhW&&K%fp5%101T+q}K=U2!!ZR+L`2pe;1(yhCD5 zwZLA;2r!@WQK-ns$WLFsz)Bk!GrmY|iT$d|OtY-O3CYmGMWK8=bZ|_=(b>~egE`;B z&DC`utbzl(e>s=PLdF(@$Qo;F>;K4_clR(EnVF@3${I-&7|nq*XIAU@RjD#F9Ja!- z1gAUx{SAmEZGM?Fa-d@lh@@~DD8%M>?%ZkX;BXAvqz+>)+VLR1jdqa4x`}xGPujwJ zjrkWlZqbNgA0GNlNuA6sD9GCRDA|r(xQNS{?CRYFpMIBcClzE-x)A0>$IUe54MLV{ z5YKI7rd=<`4U$-_CQ(64=M>`}9L2G*vBc3jiKCFeFf-JY%#xS?czdS-j34BuI)Bic zdm|o%rQaRgNkv&y6rbx8JJcqgxpGr3w#j*=j^6?ni&d~S!D(vw4hk!~PV_BJXp*+! z*WgV`k!x(MK7_Aw8b^7^?KuC1QSW&W@?d1=cj}_1HTsUh>3@C-(>ADeNNAuaxTPcrHRdNQYOyka!)+4~pt_Se?%`LR z;xnbVV}q7fEhKKOH~ewy)Ya|Slm*-y!(D7)Ma_K*%o**nUm81s`t?3R<$}}M49N5# zO;E?-RNO8Q>V&^~b0AxTn{2rwaMM6V%>xSL3uu>2xLgQhlQT=!U!rWP1^I{yYZ~lH zCiu;Dr4yU|b(q->0jx?`SqgmC)WAIw&;orf@uOty$OokjUf03z=V70$*Vfi9CpRq= z6BFxuqRFa7_Xe7xHZ?Q6iq)$~_dm)_vy2nS?9xW&ct6KH?@M@!S2w7Qj z=(&&|);AuKJ$mZYdgjW#!lRHK-s#T|KF`4lq}0^Zf;%qCq)Ex|YizU%>b>pm?R_vc zRSXGr(F4tL*c4;KurAeqW_0EIH*LSGYHF$oXUzJ|^&Mz>+qx9d`YfxIVcpv04@u z7P_>TibzHZ0gUm@th>A0*2$^4z=W}M*)l}U-VX0sxfY*Qo3UcUk-WUm9lIV^fIX2} z*E1>gbxsAwdp~^&w6d{TYiukBsv-@H2jbq;uaTU`k8PiyHdu7U^IHAuYulqIMoAFE z)@W)<+`D%Vl!lF+oh0gfNr@P^e{hY~PEJeofU`lfu=n>@z+N=MaRRq@2)rNV)8nJT z@2b%EV~6$~IkFUaoQa9NiHS*l&Du`{aQhXwH+5(=#3Ug)*1bHtRYpZ6C+V**r214z zInzX4$S#&HU5fJe_fOoltD&J`-itFv$e}!K6uCrNS{k|d=FO@(bLK2qw5Xx4Za)P6 z0|_6JB*5sp?lCk$heZuEFCHT1#U4bGY#KpPcA?gW4GpmOE{Mljcuy6aXct?-SY!Dp z3!^+du-4Tf9pP_A2VlmeeOgNzIH%HHIGOnLW(iBYVtfv6^)iTckbN8)b|_e zoVEKYtaXQkm(nQ~GAVfY2Jx!TxY1AzKg z4W8SD1hSHnb$$=x9jC6&zn46&{rZM~PG4U@@aeQd%k+=!L|h&=GXz-6GC}dyXhKH= z2RD-ik+|;JvqhU9@s`~U>t4gmwFDg}4-1F*+3qmBukUG|ofzK+)Lv&ArD)0Pt3LZd z-u1WIs95{?74S@)R;*r~3HkcRiWX(dl$3`&lRqTHrj?s_W*^34BcsF5WXY98Q$y+qe39R*cE(Z(E%W;ALmX4_goK$fL!PTdlU!K_L zGZ#S${GQ0RvabpPh7{k+h|59y-9z+iMMVWtafpeDDIuauU^oMX>B{wQ?}V2ATkEct z1-3xFh3IQt>T@|OYirQg8@QaLu3rBN++g$_kzWV_bX-8s-S9SA)$!xUm-D{1T24vr z2w=Sg{!3!L9JEK2I^=1iqodoX)C;`zI_trjLECF>-h2{kEhacNi=@1UIHQz$az!l| z8)%lcvZ~uaCu?84c=5SCkAqGC7kmLkoDB}^lYD!N{7&jB&RM& zLL_Grvo2fFWDTItH85H@m+%ZR2)7Vtv%1**&5dUws}CJmvmB zGtS1^z4OMP90a2@w6(J{cXmF)lV1!SAerA&p@-{k0=K79n$nUDi8{9rS~df41@yU! zPg8_JTD8h3G71pC{{UNtA{1TRzuwRQ1S%=35%6pHJ^Yjj1%R3w-0SN*GK-4VKt?7H z+!zW;Nl8h@(I3T-s)4h!D)aJ1NHvB;hl3ET%cg*faQRJkm08o#)4X;fbmidWztg>;!#64Q4Gor0j7EW=${<=D*66b5 zujA|8puV!ZCvyl$p>fKDE~*bq0LeZf$BO##)&K#p0HJ_%O}wcQ9Y9h)n8zMKySw-s zXZgX*^dPPxyvOhfvCXxg%sc?h3$;R^(_K(P3*UU9 zmo=l*kS={AxsHB14URAhG(H6XjehrIFNH9@s`H1Z0V^NwC<~Q+g!6yY>m|$gN=Rl^ zC)eE2fUMg+rTS^MrFP;Z-c2n#cY!_uVPeiZze#uwRB7j-`Ucr7 z1d%86&I~B~qfip>kaqztb`AD8{~L0y=zSrD@@I~B`d2Tngq+?T{yoYEXi*LkuBUpH z0H|_0bQSw`DM}TKRR+*p$t3cnann&fH_kwO9H+mvI*@?5h2v`?1mF>%Lx?i#e=%R@ zUH7lahQrdIgA+lKduYc@^~aB7Sa?aW0Ti5oJ6nWrkqTQAxuWOM%e$d(bO`56eWtQ} zAwti*<#NWldf&6c`I?qc=!pDa3fZy)Qd5EY%4(=&UH>3%Ritcc}65Wn3V;U zGj2e~MHl15QJ{w7^`fl(h_e)2ahe3|wfW)bzFeGAc0@N6uhW(&X@lDYn22!P7*?JX zS_5i1OF&7$Q0K$m87KWL`6GbnHRhxCfFD-V(Sg!n$ez3nUTd_q?Wd&9l;h%{m%vmJ zYTjW<6sS6P{@L>DPstVMK}`bn6c@P7#^Y}sX9^jr!V9FNkWys-P#L=!m_#Y3d=bA4 zshnkXunU{T&JRo5MO)*iN!DDV5)vM-K@C$91wg?Pk52;}n%U9eURqOj-w@Jegh-NE zX+Y}we*8ELCNYG$IG^^iz#NJ$PzKfFm-!=I+`%_M==-;pa)8z>^u1K?EVY%s@=l- zy!B2{l-)a99)1PoVKEd^t^nOjr_({?$m#Ja;%i|Y6XALlsj?* z>f2SmNb!5t=79F8f=nm{tq1iagrj;_Mx5oXzuzcQ%oKKJ3r$X3;Sc6QhcC~WWrCv& zXf3jCE0cQ)RgQir2!ajTv5P`MK6d%PFUPe+eHQt}6WlYhv(uo|$me#iWoEQhPkvbq zRiQcH$&UT0Oko%H9MdEgMfO%NSiHCiiXkN&7kd{M8Aw*3GGGEM3_qo)KC5{Der=#X z{~{HX6C8=gD>te$AQ(BYi$kGmp1&nd8(e8RqDB}}dyzL1z;k#dz?_lSAL=Aj`lBCJ~vZaRd#_rNgaC%{d^a1(O*c4V(IEKPIWeu+|! z%s41R;Cpis01Q##f4*n&tq)o>%MwlZf?K7)8x|0Q+B8i-h>9Z>i#>Z#rjwtJ+1lD3 z!9G!kDkObY&CdG<*>PCB)+SAnpzcWopr+1YmyVP=wr>GG+}yaX!FnYg^j|U!I@Z5A*1U%+~3V zCPXPnD)TY4C4fAUv>D!~AU7VA@vb0?g9P~_1vT!1n$8ix_3$2(n1nwesZB`Vk~c;^CATva2ZRgf1zp?(eu{DL2oO*VOmYB7 zBSIoS4h$fnf{?E}XTO9r-rHMl?%cV3-@h+{@KL~<7Y!45Ic+v z^)Lto6Ar$AW@U!Y=x^d~2*j3yWE7t4A3^l?BOoM{bpL#lP?Yxy3?WM>=}9Omx&{Tw zdU(5f2D|!)$OaI|a0%}F2YPrDy$K$F+9=8^${&_jKCGaGRZx&n(pFN24@E^;byWqs zKkZ#T2?2ixRFRd30S=kEx_bwZ14Fzd|Fj^GT|NJdW~Fl2&%!mz$V#6`a8_3jwp5Pr z{?jIm5FFwi81Sc=0*o&UkNX`DIWmaw=duSO%-fy7xT=JLH~JeoJkk4au+G{41$dfjkSY4t(D}p^=!R^ z)U|CKrYmJoGw(?iivqLLdoBFF*ll?<2 z{d}S{4I;xL&BN8)(F%r&3f=@&csYzVH1I;Yo0Ig+@#@xYm`Gbo z6;m~mpLZnL*4@I=+EvXe#N5m`(AL<@!_3GsBE%yyGAcA&UeVCaP}fffP1ZH`@bDwr zhD2D}kpm6o6;)Mze6)RWD3Yg@kB^c!$`GxJM4>$4F##cp{%-QFkw)lnTQgk~MI&8P z9Tk10zyNPEcN7YiN#By}ZyI8$7_3L|v~!E_G_ke}4lu`u==l2t+o5oZCgwN=4ABVf zui&QcjmD~akyP<08^&v>n44=yl98cgJ8fdPxxR9gqDi2sKN3SAn}o{~-Th!}D@b7- zBK+@V8i5Z|Ggr5W#Ca+Q!5y+WQr{-X&)36BG1AnE5r%G*B_;-qhuCJ z3XxYc5B0Jokc_ z1Ak8sy+8wFWt6*~nwd6M)r1rorlJ;Lr9cdJSMxSgQB?OfRkKvnLmDd)4PlJ%D3S^z zavWp#D8Z=u|LmCG+Xw#siwR1ok~bZf5C~C(k)Ad-qG*2D7mHoyXI?BnJ}PN*Kx35p zB0Edh32l>qHgUl2g57l&%5g8&D_%rGS=zPh21n3VO3m93Nq4b_7)maAO;F`;?+;dI z-ItZmu3&nclXqOPbM=E;&Mi0Mw-@mX$2tScS4HKOIzK$%kW*?FHp&rSe6q*<=x6aE zqfMNg>J+N6p7{PeDbDP4JY7#u(T%p7vpxBL@S=FafS-O?m}=Pk;F*MkEia0-M7p}V zc-4c&*_k(Q+Pt~zwx>CH=JnS3p_-(c8nsiWPJNi4&-gY!bOoI+J3VmwAhdCn=amm0 zH+=HsiKwjX&TZSa_22d72@Vdnu(y|9yOvYvO3Uev{k8tx(8%cV+qw`=LBVvVhN#Cw zLjofsBfQ6=l+*S1@0E2(-XWms^8M5B)An}lxHwI-iyCKMzs6v(*hW9q&9zRg+}zxU z4j*ozS(RlK7iSg~34VOnAdr%hg0FI6f)VsHg)^$E+^rb`NfeiQbaZvIb8=46=~7+QAA^@?ael-1x%chcmnFW9`5+-`|sGz2%raXVf(`V0i3#DLBQH>AZa&2a2=T~O^{ytu7 z_ntkdHWCdMm|YOL>og08J_eIBjl3EpgIlwDo-b!G)p3ziNGKycoxO{cpb_=;P-$uD ztGW=+n+|mtvLNPAp49N0p}>*sdv4gE+APmW+f;m@<~!-shs{^TtOj?H z3|;Z`HzvWsiitagQf-_fQFqNX>Wm2l31a7^jLVlr{RVEKU_915DJBHl_U#HDPj~6* z>wl@t^21tLolZ_>-LiFS-A|R;t4C#UO^_=i3k#WFzmmHwvGX4upPufy!86%eET_S? z?FlB-z0B<5sp4XhVsiFCD!23pXetu_(~``!`vi6N+V0)EUqSA2@$jTkN{!B(Ia51V zQC~$G)9 zYeYmwrckuanlL?8u(o4U#qoQEP6w1;y}D)ie&`;d(?ut!bjv*l&7OQ7YeThN*2=zk zF=KHts7t|+D1+M(wcKMT8s+r`Ah^x8yOs<60_c?`zhDLm8KUmT?H?Qdx5)dH!?D_MFWZI#S$rq1v zB+wAf5s2Dv@Q!zXOEuAN&0x^rX?S5=J_%t|iN3u&ey6>3h?*0=V^7W~8OvepuYS zvHk<{P1I<&Q|vMhYh$B!B)(gK|5{m@Ze`yU$NDe^tnu^n1LmgXJ4J2#wb~hfxo<8z zJA2>w50|v&B#yC>B$0n!H2PB=3kroQb^j@GwmkvTY3y#FQ}dUJ=S&XqN==Q8$Nl=N z9^28KV?J*cH)DPl{V#bM3xnx-yaP3}NgPM4mWxYSY)bJ`M(cy1MRT<`7O_ zS&2B8pFj5K*SZ{Z1c=Sb&E4AIlqrGE!&jnn#BbWy?BtPi;`%AH>U+?v==j3B21pOa zB;M3b+DVT{dILn$>>~eRy6ei~_wNR=vB$oA`NG)Rzt$Jxdojmi*OV2Nl$a1Ul};_= z?PobfL^8X}%yo0bV>VW&u2)vJtu9TGzJ0Vs^!+N3k(S<$a8c%02z+;RZdn)^gotVo z1{PsuXUF#J(aM)~Je8T53HibT`LcEE))dMsv7wqkgPC?Jo;qch5&8iSAKyzjefpBwFgiTI=#4{#8O>d{c3I*NgCZ^R;=lN7vkDzJ4lIuE4zn=j{mtZ1sLs$wt;IpVe=%!g!U@8!+H#$KE(3~X|%7FAQ@$q{#L zN##by{X~*Agp7@i5eV4Hd~3^dNv*B=bB{e__HOSjw`YMB+|DC=`QE*~XAhd|!~FR8 z_+V}5F($YMJYDKqp64&E)$u*PG;18L#Q9MizAjh-arydnR*j20Z7LidKR(S;xIVZ6 z`9qfC6LR8|XW>^5JwXc_wE$g%13l{hqmSaUg!# zjYh}&`Q4OqD)UK$IdQm8ZeP>1$Ki0jow>QWBR~`Kg)d)rbbq~dL*S9w4vw^+7aF3! zkFHJ?GeCl|u~BJzRif_|-WkhKd)EjYCZWMRaFR-QW7#R#SmoLb`}iQQq6h2i?(Vw38r1=E|{@#%l6Kh&4Fnyf}Txn9EYy_yX2aTKPy=i-Trn`)RLyG(v zhK7c_{@|1P?E&_{z(9ao{Y#fFy`)T{W&z(%fKUONXTYj9kmY-06sQ9Jpy^lp^iU|^ z0LAml-n%J+>SBPj0Q#Kf$CkM?*S}f;8ZsRT``FlD?GE9vRAW_2tEzTwY-|9`ZT=c{ z%pwhLE@+L(sUPcZ!V|uOw&fy*U)$7l$KXAGX$WZ>8aE~-EzQZxdq{(M z_%cB3^@<9BqoM@rEVGZV@5szd3Zz&vWwaNvnZ+n4Xns%ys5%8Gx%A;fVU3HFHYaZJ z{rfiq)&V~_0LK%VcM2wh{7I&aSeqQ!!@PqZ0ZFKg)XGhCnc65)a zgoMOM$B_j+ZS9lOhYHStf~;_?cLO{ty^@tyjUDbExb4ZgYu5?F^Sl&FsU)adl#7cf z#BvbSMk7YzNlS}%W#3ri$<3u#t`Fur$E64#i*o5IMM3}LGPq5MqN9k1!n+e z_e)6pl}E#Gjx0Pl4U$XfHu0qn3Uy{0nToNtPQ0MxIZ8S5sgaJmq1U$Wj4SPRu^k}) z{qO}!``Lr_>jJN18T%_eU9Ydgu{vtm2Q*m;XfiP%BTeC$MeVN(??rt3D$caHaSF9d zKwei9U-EyQAL8LS_H|dz*|R7Eu`}+p98=Kmy95NbLynjfAvq76H451}^y<|KfM@rn zgl!DbaLv4!^7gGmSGA!8L(+0+{oGYjQsM=YrZt`K^kMsZ*T1!wr>3%rA3V4piR2X) z7UtE8J9^K5=)fO6>rovtWu~X6ciFsHbGo~XgZSe7NsuS3Q=PDH=dT%~(bfJ#swTyn zLf_v-%Q3U_o_PAy@G6y>LeZCM!$=GWX~hYC{`@&&@`C4wxw*7z_ck$QWv=aeWsdv! zNSPHOM_wNVP?x`8!YB|xWi#pyS;zY>5I+7kaR=~nUIjc z$j!yCUlSg?G$wQI-^I;+W_sF-Q5O}e1?m%t2ZBRFEFB!ub8>c{%grqT!P2;VWilVW zf=+8`X?gncB??-p2EI#=T$*%!c1|)mHMI#wk|&Moff5lF6-B@_C8wpGZuih3k*Yr| zuzK^Ma}yZk1x#G+*(odzxtenD(ut%b7Q31N&?2wyhx&q?YM!r!%8uyc zuo|8;&yf(ILG zbEkIiQGtmc`9lgxfZlG4A09InT-@kXem;+WIxneviCsif5Y`&X7x=9Gwef=l3dePQ zZCTdL{EZ;Is5+y(xN@b7j*~ViRNY}~Yg-$$st6kDG*HbIkl*o98z3MS7z00e@W29x zJM-d&38+x+9Pxbz4lu(jg>)U>x5kamb(pQOpGn*yP!RhN*rw)Plr&kxF-^9!t&JuA z$I$zr**7$zh`EW$_%~ynDr~z%z`fjeCT3=4Y1{7_!7$my#qr&pq-Y5n$oTG`J=U{6 zZ=Kq?@pSR}^z`(-{?yW-XbDd@T8>P>TVoc0ml$b($$(06wLB?xy%~FNG<2~9y^?ivgWfk=c}B{*6FA%m-FDSxA0+prtm z^D;;}bVoqtr!+v&f_txje5%j1ry<@t4R1%|n&awoi9}*5WxThx;XddaW|A~cGoW&? z1=Ev!tsI*p9zd09n#V;0eYcfkkJL8!fHpo;o9iP`V-pHWg|!Cry?GuNi>I@NL)jTX zeKL#_phZ?zR%7`&!5sMK_k~k$ zYjgQC^aH5k+XE^`tFeyh_L6mMH8u)(x-2x*8~rwGCxbgUYHe)XJm0g5rz--(;cu6p zu$PqNtg)GLr9B&OEk7rKplz$MiLAy7L8m(jLpP4%>0w@L?H%w}>d=jKJpJ(3q4IND zE$u=<(RYQ=%W^@|689-XzRzn-X$3EdP$akmBmy%x{#;#R6ua5`4Vql!Mdjsp9gF^^ z2Ws%u!`Nsj;l@7IFC@a&3#gx0Wmq4KyFdlthv-uTQ()163ZOn`f}&T)%xou+7wSD$ ztZ+b4q-How;ONn#LEneNo59@xtelE@d;BbQZT(KuMOI#>eqi_xITRU!GkQTtEHg~dIyyQo^1M~xbpWnHeGnJqeQ9*m?c>|JJs|260Rn4DW3Omd2LTs<>rFE= z3VJCkdMu_kPYQjvx*CX~ea*N11k+}D-(H!RpP$f>Muwe6qm^FCZVl3e(v24I?g1Y}sy)|R&dJZ83RVpkhfARl@^9Ewy1_-(ZQD+Y z8}S|qlhIuHuo-x!1u63E@(RXZgEz&jtoe4QW*Q(CUtGk&nc_tTi8AVxt5?N=7*E1@7dcvTXMu>j!0pg8FxbC; zzb;v@gd%(_6|^|{(_22M#<+x%xK1p6mZo+jxfw6d*Sv2nuX&dWf?;g7=LRtNvs`JL z#n))L5=I^NFs2Tu9x*kRDe147kni(vGlYX)|9_Yv!Au-sF>I$ZEbDY_>6sZ%u~&ArBk|wG!P{`p!p2V&BJGweO`jP?z&+k2NdN@ z=E~um(iJY9Y^GA9X5UDztgcGVY7-9QtKGK#TwnhTHB2f+XXl3)WYUePW&*V!E9(Rh zM`>+s|4iQm1soYtpJTY|SZfBT8X=@e$HcSMAR`)VU)~J;GA9;CHNrElKUz}tLrg72 zda`+jI#?6v9J4l4W>z1w)&K?oJFon4GP@5`N79^nv}Tbtop_s1NP~PlAfV!7zG?j7 zBS!?FE`X}0^vWw!$b{g@7$g<@lBo2cp~2GH`oP>oj=!u!EyCQ~{GqskE3DCno2yw3 zSRg-!d>op{9^15OlZCAu4ajB++Su5z$jQldDX7P_fSLuh;v5nU$7R4FWaZ%C5o$h6 z(mZEgv6@B2Izz=R<9Pqgi2QgAI#1>?6lHqg4i#}MXSr(%%J#(m_~yE@II{DMXkXOV zE`!fKHqI&FDN=`B<6Z?!;)(_jq=xYc{#Oz!Vrzt z4GIEprQpe`g;w-ba|OoK+}wanzVp&X|Jl;pkj|0Ck>*l&FSaS&BOfnt)HBLQQ3;8b zYfD**{sXtRa&mJ1_iiEj?jINCu8M%&y?==bKj{lmCfs zt#LEQhx&zwA>xJ4xp{c(7eq}#J}dYSDucg}>*=2i0xT(o|>K{kpItU_V5C|MX{qks>ED zsDof~;xw~jKaZk*{&@c@(X8zD#<`2?AqQsX<_d?s!K+|IfoKE|SRwL@2iPB1=yW!) zR%T{qs_-%qqbUa$flEq3k>!Ywd>puqII*@C^>a+*m&L@7TIc)ZZQxaxx?ks?I=#fy zkEa8^QO0+d-oMYEFXw!3qyE7IL7)j(5cqugNm*z>w3k-!Fbqu-7TqOUmNyjq|z zNO_NS?;>by79U8MmPx^Gr~-4OTrxk1vjtDydRRPY{K6EMscA0PjwuTSkqEzl$Y zJ-h;(7J$EfvxWra8@?e*1;MaFfKS_^7aEeFG>4UhLj#7-4pIT?)WiY5R!|E;FeCZz z%?wCZp@NLqYahGQ0ZkxMY3rNEq1FW}=HbSgFRU*>f=Ye2$pyu&fe%*?fMABIp?qp{ z+aN`v(R5N#qXKd5PhsHEh!sD_6FzTY0MP8JgL>j}^ITB>#Li~07R zRK(H2;^IzgZEdB03XL#@sy7jI$OyopzQ6yxNSq^NC1WmQolBr@-Rt-bTu>L)Lc;So zA8;yLmO8cMes8{wm0QE!ntoC}V5Ydfdk{&19UcXS%3`m5U<#$gr-)w@netuj+x;;pdLBjKx{+OdZa0uW*APf{{ za2?khGuHi;s2zGJ@RaVc@$($E#@vXe z=4OzFV~Z16OCG;{no~i4NUR*oblJWp;E<$bHiHAfpw!M3J_ao2Tf{Mu69OEGLo9yz zqT}dz(J$YCa)U}y z|MqaEnTt3GLA?x;KRLHhalLyc!p{h7GR0SSeQmlFraAspoDzB)_hX*XKuSsqJf(BDZYjPfQr{E)mc(LRZYQC!b6ex; zio0JunJ}i!|Hdq&O z5Dtc3m6?mcerHi4zGyTMiA`Xz7A4FIxVrzIzW~F60?g*w%*+l)KjN=nzt%I@zhg8e z`N|-sp$ps;#`%EfrAX$74<9n>2ylU_T^?_`dhOcilaxKOFRd&r5Mcal-M&{8tfR+| zA5XugZa-jh{siEysGM9UHIh<^>4V=Bg))8%@U(%X=>SF4nmwGI0JnmNqYDSaupM@Q zR%M(P^D1nDl8wPmU}YqkYp!m&aNz>O5h9Tkz+JZh1FxWfAJLb|<^*5CLIUNmAGilv zt&E>FXE?PF0KotMj!{=7h;wQ?rr`omD@a$t=x-mjF__(up9$XG*G6W_iuIu&TKhJ? zT}w-gJlDH}p}=8Fb8>MdfCX0yx(ZaV0LaQ$Am5=B9b -- bash + +In order to replicate the container startup scripts execute this command: + +For Redis: + + /opt/bitnami/scripts/redis/entrypoint.sh /opt/bitnami/scripts/redis/run.sh + +{{- if .Values.sentinel.enabled }} + +For Redis Sentinel: + + /opt/bitnami/scripts/redis-sentinel/entrypoint.sh /opt/bitnami/scripts/redis-sentinel/run.sh + +{{- end }} +{{- else }} + +{{- if contains .Values.master.service.type "LoadBalancer" }} +{{- if not .Values.auth.enabled }} +{{ if and (not .Values.networkPolicy.enabled) (.Values.networkPolicy.allowExternal) }} + +------------------------------------------------------------------------------- + WARNING + + By specifying "master.service.type=LoadBalancer" and "auth.enabled=false" you have + most likely exposed the Redis™ service externally without any authentication + mechanism. + + For security reasons, we strongly suggest that you switch to "ClusterIP" or + "NodePort". As alternative, you can also switch to "auth.enabled=true" + providing a valid password on "password" parameter. + +------------------------------------------------------------------------------- +{{- end }} +{{- end }} +{{- end }} + +{{- if eq .Values.architecture "replication" }} +{{- if .Values.sentinel.enabled }} + +Redis™ can be accessed via port {{ .Values.sentinel.service.ports.redis }} on the following DNS name from within your cluster: + + {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read only operations + +For read/write operations, first access the Redis™ Sentinel cluster, which is available in port {{ .Values.sentinel.service.ports.sentinel }} using the same domain name above. + +{{- else }} + +Redis™ can be accessed on the following DNS names from within your cluster: + + {{ printf "%s-master.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read/write operations (port {{ .Values.master.service.ports.redis }}) + {{ printf "%s-replicas.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read-only operations (port {{ .Values.replica.service.ports.redis }}) + +{{- end }} +{{- else }} + +Redis™ can be accessed via port {{ .Values.master.service.ports.redis }} on the following DNS name from within your cluster: + + {{ template "common.names.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + +{{- end }} + +{{ if .Values.auth.enabled }} + +To get your password run: + + export REDIS_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 --decode) + +{{- end }} + +To connect to your Redis™ server: + +1. Run a Redis™ pod that you can use as a client: + + kubectl run --namespace {{ .Release.Namespace }} redis-client --restart='Never' {{ if .Values.auth.enabled }} --env REDIS_PASSWORD=$REDIS_PASSWORD {{ end }} --image {{ template "redis.image" . }} --command -- sleep infinity + +{{- if .Values.tls.enabled }} + + Copy your TLS certificates to the pod: + + kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.cert redis-client:/tmp/client.cert + kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.key redis-client:/tmp/client.key + kubectl cp --namespace {{ .Release.Namespace }} /path/to/CA.cert redis-client:/tmp/CA.cert + +{{- end }} + + Use the following command to attach to the pod: + + kubectl exec --tty -i redis-client \ + {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ template "common.names.fullname" . }}-client=true" \{{- end }} + --namespace {{ .Release.Namespace }} -- bash + +2. Connect using the Redis™ CLI: + +{{- if eq .Values.architecture "replication" }} + {{- if .Values.sentinel.enabled }} + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ template "common.names.fullname" . }} -p {{ .Values.sentinel.service.ports.redis }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} # Read only operations + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ template "common.names.fullname" . }} -p {{ .Values.sentinel.service.ports.sentinel }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} # Sentinel access + {{- else }} + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ printf "%s-master" (include "common.names.fullname" .) }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ printf "%s-replicas" (include "common.names.fullname" .) }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + {{- end }} +{{- else }} + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ template "common.names.fullname" . }}-master{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} +{{- end }} + +{{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} + +Note: Since NetworkPolicy is enabled, only pods with label {{ template "common.names.fullname" . }}-client=true" will be able to connect to redis. + +{{- else }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} +{{- if contains "NodePort" .Values.sentinel.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- else if contains "LoadBalancer" .Values.sentinel.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.sentinel.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- else if contains "ClusterIP" .Values.sentinel.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ .Values.sentinel.service.ports.redis }}:{{ .Values.sentinel.service.ports.redis }} & + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.sentinel.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- end }} +{{- else }} +{{- if contains "NodePort" .Values.master.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ printf "%s-master" (include "common.names.fullname" .) }}) + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- else if contains "LoadBalancer" .Values.master.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ printf "%s-master" (include "common.names.fullname" .) }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.master.service.port }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- else if contains "ClusterIP" .Values.master.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-master" (include "common.names.fullname" .) }} {{ .Values.master.service.port }}:{{ .Values.master.service.port }} & + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.master.service.port }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- end }} +{{- end }} + +{{- end }} +{{- end }} +{{- include "redis.checkRollingTags" . }} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} +{{- include "common.warnings.rollingTag" .Values.sysctl.image }} +{{- include "redis.validateValues" . }} + +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled (eq .Values.sentinel.service.type "NodePort") (not .Release.IsUpgrade ) }} +{{- if $.Values.sentinel.service.nodePorts.sentinel }} +No need to upgrade, ports and nodeports have been set from values +{{- else }} +#!#!#!#!#!#!#!# IMPORTANT #!#!#!#!#!#!#!# +YOU NEED TO PERFORM AN UPGRADE FOR THE SERVICES AND WORKLOAD TO BE CREATED +{{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/_helpers.tpl b/charts/asserts/asserts/1.11.0/charts/redis/templates/_helpers.tpl new file mode 100644 index 000000000..a9c0d0326 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/_helpers.tpl @@ -0,0 +1,291 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the proper Redis image name +*/}} +{{- define "redis.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Redis Sentinel image name +*/}} +{{- define "redis.sentinel.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.sentinel.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the metrics image) +*/}} +{{- define "redis.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "redis.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return sysctl image +*/}} +{{- define "redis.sysctl.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.sysctl.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "redis.imagePullSecrets" -}} +{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.sentinel.image .Values.metrics.image .Values.volumePermissions.image .Values.sysctl.image) "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS secret object should be created +*/}} +{{- define "redis.createTlsSecret" -}} +{{- if and .Values.tls.enabled .Values.tls.autoGenerated (and (not .Values.tls.existingSecret) (not .Values.tls.certificatesSecret)) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret containing Redis TLS certificates +*/}} +{{- define "redis.tlsSecretName" -}} +{{- $secretName := coalesce .Values.tls.existingSecret .Values.tls.certificatesSecret -}} +{{- if $secretName -}} + {{- printf "%s" (tpl $secretName $) -}} +{{- else -}} + {{- printf "%s-crt" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "redis.tlsCert" -}} +{{- if (include "redis.createTlsSecret" . ) -}} + {{- printf "/opt/bitnami/redis/certs/%s" "tls.crt" -}} +{{- else -}} + {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/redis/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "redis.tlsCertKey" -}} +{{- if (include "redis.createTlsSecret" . ) -}} + {{- printf "/opt/bitnami/redis/certs/%s" "tls.key" -}} +{{- else -}} + {{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/redis/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "redis.tlsCACert" -}} +{{- if (include "redis.createTlsSecret" . ) -}} + {{- printf "/opt/bitnami/redis/certs/%s" "ca.crt" -}} +{{- else -}} + {{- required "Certificate CA filename is required when TLS in enabled" .Values.tls.certCAFilename | printf "/opt/bitnami/redis/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the DH params file. +*/}} +{{- define "redis.tlsDHParams" -}} +{{- if .Values.tls.dhParamsFilename -}} +{{- printf "/opt/bitnami/redis/certs/%s" .Values.tls.dhParamsFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "redis.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return the configuration configmap name +*/}} +{{- define "redis.configmapName" -}} +{{- if .Values.existingConfigmap -}} + {{- printf "%s" (tpl .Values.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created +*/}} +{{- define "redis.createConfigmap" -}} +{{- if empty .Values.existingConfigmap }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "redis.secretName" -}} +{{- if .Values.auth.existingSecret -}} +{{- printf "%s" .Values.auth.existingSecret -}} +{{- else -}} +{{- printf "%s" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password key to be retrieved from Redis™ secret. +*/}} +{{- define "redis.secretPasswordKey" -}} +{{- if and .Values.auth.existingSecret .Values.auth.existingSecretPasswordKey -}} +{{- printf "%s" .Values.auth.existingSecretPasswordKey -}} +{{- else -}} +{{- printf "redis-password" -}} +{{- end -}} +{{- end -}} + + +{{/* +Returns the available value for certain key in an existing secret (if it exists), +otherwise it generates a random value. +*/}} +{{- define "getValueFromSecret" }} + {{- $len := (default 16 .Length) | int -}} + {{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}} + {{- if $obj }} + {{- index $obj .Key | b64dec -}} + {{- else -}} + {{- randAlphaNum $len -}} + {{- end -}} +{{- end }} + +{{/* +Return Redis™ password +*/}} +{{- define "redis.password" -}} +{{- if not (empty .Values.global.redis.password) }} + {{- .Values.global.redis.password -}} +{{- else if not (empty .Values.auth.password) -}} + {{- .Values.auth.password -}} +{{- else -}} + {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "common.names.fullname" .) "Length" 10 "Key" "redis-password") -}} +{{- end -}} +{{- end -}} + +{{/* Check if there are rolling tags in the images */}} +{{- define "redis.checkRollingTags" -}} +{{- include "common.warnings.rollingTag" .Values.image }} +{{- include "common.warnings.rollingTag" .Values.sentinel.image }} +{{- include "common.warnings.rollingTag" .Values.metrics.image }} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "redis.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "redis.validateValues.topologySpreadConstraints" .) -}} +{{- $messages := append $messages (include "redis.validateValues.architecture" .) -}} +{{- $messages := append $messages (include "redis.validateValues.podSecurityPolicy.create" .) -}} +{{- $messages := append $messages (include "redis.validateValues.tls" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Validate values of Redis™ - spreadConstrainsts K8s version */}} +{{- define "redis.validateValues.topologySpreadConstraints" -}} +{{- if and (semverCompare "<1.16-0" .Capabilities.KubeVersion.GitVersion) .Values.replica.topologySpreadConstraints -}} +redis: topologySpreadConstraints + Pod Topology Spread Constraints are only available on K8s >= 1.16 + Find more information at https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +{{- end -}} +{{- end -}} + +{{/* Validate values of Redis™ - must provide a valid architecture */}} +{{- define "redis.validateValues.architecture" -}} +{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replication") -}} +redis: architecture + Invalid architecture selected. Valid values are "standalone" and + "replication". Please set a valid architecture (--set architecture="xxxx") +{{- end -}} +{{- if and .Values.sentinel.enabled (not (eq .Values.architecture "replication")) }} +redis: architecture + Using redis sentinel on standalone mode is not supported. + To deploy redis sentinel, please select the "replication" mode + (--set "architecture=replication,sentinel.enabled=true") +{{- end -}} +{{- end -}} + +{{/* Validate values of Redis™ - PodSecurityPolicy create */}} +{{- define "redis.validateValues.podSecurityPolicy.create" -}} +{{- if and .Values.podSecurityPolicy.create (not .Values.podSecurityPolicy.enabled) }} +redis: podSecurityPolicy.create + In order to create PodSecurityPolicy, you also need to enable + podSecurityPolicy.enabled field +{{- end -}} +{{- end -}} + +{{/* Validate values of Redis™ - TLS enabled */}} +{{- define "redis.validateValues.tls" -}} +{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated) (not .Values.tls.existingSecret) (not .Values.tls.certificatesSecret) }} +redis: tls.enabled + In order to enable TLS, you also need to provide + an existing secret containing the TLS certificates or + enable auto-generated certificates. +{{- end -}} +{{- end -}} + +{{/* Define the suffix utilized for external-dns */}} +{{- define "redis.externalDNS.suffix" -}} +{{ printf "%s.%s" (include "common.names.fullname" .) .Values.useExternalDNS.suffix }} +{{- end -}} + +{{/* Compile all annotations utilized for external-dns */}} +{{- define "redis.externalDNS.annotations" -}} +{{- if .Values.useExternalDNS.enabled }} +{{ .Values.useExternalDNS.annotationKey }}hostname: {{ include "redis.externalDNS.suffix" . }} +{{- range $key, $val := .Values.useExternalDNS.additionalAnnotations }} +{{ $.Values.useExternalDNS.annotationKey }}{{ $key }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/configmap.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/configmap.yaml new file mode 100644 index 000000000..71a710f21 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/configmap.yaml @@ -0,0 +1,60 @@ +{{- if (include "redis.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-configuration" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + redis.conf: |- + # User-supplied common configuration: + {{- if .Values.commonConfiguration }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonConfiguration "context" $ ) | nindent 4 }} + {{- end }} + # End of common configuration + master.conf: |- + dir {{ .Values.master.persistence.path }} + # User-supplied master configuration: + {{- if .Values.master.configuration }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.configuration "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.master.disableCommands }} + {{- range .Values.master.disableCommands }} + rename-command {{ . }} "" + {{- end }} + {{- end }} + # End of master configuration + replica.conf: |- + dir {{ .Values.replica.persistence.path }} + slave-read-only yes + # User-supplied replica configuration: + {{- if .Values.replica.configuration }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.configuration "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.replica.disableCommands }} + {{- range .Values.replica.disableCommands }} + rename-command {{ . }} "" + {{- end }} + {{- end }} + # End of replica configuration + {{- if .Values.sentinel.enabled }} + sentinel.conf: |- + dir "/tmp" + port {{ .Values.sentinel.containerPorts.sentinel }} + sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "common.names.fullname" . }}-node-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.sentinel.service.ports.redis }} {{ .Values.sentinel.quorum }} + sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }} + sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }} + sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }} + # User-supplied sentinel configuration: + {{- if .Values.sentinel.configuration }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.configuration "context" $ ) | nindent 4 }} + {{- end }} + # End of sentinel configuration + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/extra-list.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/extra-list.yaml new file mode 100644 index 000000000..9ac65f9e1 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/headless-svc.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/headless-svc.yaml new file mode 100644 index 000000000..d798a0b5a --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/headless-svc.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-headless" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- include "redis.externalDNS.annotations" . | nindent 4 }} +spec: + type: ClusterIP + clusterIP: None + {{- if .Values.sentinel.enabled }} + publishNotReadyAddresses: true + {{- end }} + ports: + - name: tcp-redis + port: {{ if .Values.sentinel.enabled }}{{ .Values.sentinel.service.ports.redis }}{{ else }}{{ .Values.master.service.ports.redis }}{{ end }} + targetPort: redis + {{- if .Values.sentinel.enabled }} + - name: tcp-sentinel + port: {{ .Values.sentinel.service.ports.sentinel }} + targetPort: redis-sentinel + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/health-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/health-configmap.yaml new file mode 100644 index 000000000..41f3145d3 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/health-configmap.yaml @@ -0,0 +1,192 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-health" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + ping_readiness_local.sh: |- + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ +{{- if .Values.tls.enabled }} + -p $REDIS_TLS_PORT \ + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- else }} + -p $REDIS_PORT \ +{{- end }} + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + ping_liveness_local.sh: |- + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ +{{- if .Values.tls.enabled }} + -p $REDIS_TLS_PORT \ + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- else }} + -p $REDIS_PORT \ +{{- end }} + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}') + if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ] && [ "$responseFirstWord" != "MASTERDOWN" ]; then + echo "$response" + exit 1 + fi +{{- if .Values.sentinel.enabled }} + ping_sentinel.sh: |- + #!/bin/bash + +{{- if .Values.auth.sentinel }} + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" +{{- end }} + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ +{{- if .Values.tls.enabled }} + -p $REDIS_SENTINEL_TLS_PORT_NUMBER \ + --tls \ + --cacert "$REDIS_SENTINEL_TLS_CA_FILE" \ + {{- if .Values.tls.authClients }} + --cert "$REDIS_SENTINEL_TLS_CERT_FILE" \ + --key "$REDIS_SENTINEL_TLS_KEY_FILE" \ + {{- end }} +{{- else }} + -p $REDIS_SENTINEL_PORT \ +{{- end }} + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + parse_sentinels.awk: |- + /ip/ {FOUND_IP=1} + /port/ {FOUND_PORT=1} + /runid/ {FOUND_RUNID=1} + !/ip|port|runid/ { + if (FOUND_IP==1) { + IP=$1; FOUND_IP=0; + } + else if (FOUND_PORT==1) { + PORT=$1; + FOUND_PORT=0; + } else if (FOUND_RUNID==1) { + printf "\nsentinel known-sentinel {{ .Values.sentinel.masterSet }} %s %s %s", IP, PORT, $0; FOUND_RUNID=0; + } + } +{{- end }} + ping_readiness_master.sh: |- + #!/bin/bash + + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h $REDIS_MASTER_HOST \ + -p $REDIS_MASTER_PORT_NUMBER \ +{{- if .Values.tls.enabled }} + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- end }} + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + ping_liveness_master.sh: |- + #!/bin/bash + + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h $REDIS_MASTER_HOST \ + -p $REDIS_MASTER_PORT_NUMBER \ +{{- if .Values.tls.enabled }} + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- end }} + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}') + if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ]; then + echo "$response" + exit 1 + fi + ping_readiness_local_and_master.sh: |- + script_dir="$(dirname "$0")" + exit_status=0 + "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? + "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? + exit $exit_status + ping_liveness_local_and_master.sh: |- + script_dir="$(dirname "$0")" + exit_status=0 + "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? + "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? + exit $exit_status diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/master/application.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/master/application.yaml new file mode 100644 index 000000000..8fc389444 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/master/application.yaml @@ -0,0 +1,473 @@ +{{- if or (not (eq .Values.architecture "replication")) (not .Values.sentinel.enabled) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: {{ .Values.master.kind }} +metadata: + name: {{ printf "%s-master" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: master + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: master + {{- if (eq .Values.master.kind "StatefulSet") }} + serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) }} + {{- end }} + {{- if .Values.master.updateStrategy }} + {{- if (eq .Values.master.kind "Deployment") }} + strategy: {{- toYaml .Values.master.updateStrategy | nindent 4 }} + {{- else }} + updateStrategy: {{- toYaml .Values.master.updateStrategy | nindent 4 }} + {{- end }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: master + {{- if .Values.master.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.podLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} + {{- end }} + annotations: + {{- if (include "redis.createConfigmap" .) }} + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} + checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.master.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- include "redis.imagePullSecrets" . | nindent 6 }} + {{- if .Values.master.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.master.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.master.podSecurityContext.enabled }} + securityContext: {{- omit .Values.master.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "redis.serviceAccountName" . }} + {{- if .Values.master.priorityClassName }} + priorityClassName: {{ .Values.master.priorityClassName | quote }} + {{- end }} + {{- if .Values.master.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.master.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.master.podAffinityPreset "component" "master" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.master.podAntiAffinityPreset "component" "master" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.master.nodeAffinityPreset.type "key" .Values.master.nodeAffinityPreset.key "values" .Values.master.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.master.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.master.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.master.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.master.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.master.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.master.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.master.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.master.shareProcessNamespace }} + {{- end }} + {{- if .Values.master.schedulerName }} + schedulerName: {{ .Values.master.schedulerName | quote }} + {{- end }} + {{- if .Values.master.dnsPolicy }} + dnsPolicy: {{ .Values.master.dnsPolicy }} + {{- end }} + {{- if .Values.master.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.master.dnsConfig "context" $) | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.master.terminationGracePeriodSeconds }} + containers: + - name: redis + image: {{ template "redis.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.master.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.master.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.master.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.master.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.master.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.master.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.master.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.master.args "context" $) | nindent 12 }} + {{- else }} + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-master.sh + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: REDIS_REPLICATION_MODE + value: master + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.auth.usePasswordFiles }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + - name: REDIS_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_TLS_PORT + value: {{ .Values.master.containerPorts.redis | quote }} + - name: REDIS_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_TLS_DH_PARAMS_FILE + value: {{ template "redis.tlsDHParams" . }} + {{- end }} + {{- else }} + - name: REDIS_PORT + value: {{ .Values.master.containerPorts.redis | quote }} + {{- end }} + {{- if .Values.master.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.master.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.master.extraEnvVarsCM .Values.master.extraEnvVarsSecret }} + envFrom: + {{- if .Values.master.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.master.extraEnvVarsCM }} + {{- end }} + {{- if .Values.master.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.master.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis + containerPort: {{ .Values.master.containerPorts.redis }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.master.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.master.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: redis + {{- else if .Values.master.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.master.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.master.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.master.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.master.livenessProbe.periodSeconds }} + # One second longer than command timeout should prevent generation of zombie processes. + timeoutSeconds: {{ add1 .Values.master.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.master.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.master.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_liveness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }} + {{- else if .Values.master.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.master.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.master.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.master.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.master.readinessProbe.periodSeconds }} + timeoutSeconds: {{ add1 .Values.master.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.master.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.master.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_readiness_local.sh {{ .Values.master.readinessProbe.timeoutSeconds }} + {{- else if .Values.master.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.master.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.master.resources }} + resources: {{- toYaml .Values.master.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.master.persistence.path }} + subPath: {{ .Values.master.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc/ + - name: tmp + mountPath: /tmp + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.master.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "redis.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -c + - | + if [[ -f '/secrets/redis-password' ]]; then + export REDIS_PASSWORD=$(cat /secrets/redis-password) + fi + redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: REDIS_ALIAS + value: {{ template "common.names.fullname" . }} + {{- if .Values.auth.enabled }} + - name: REDIS_USER + value: default + {{- if (not .Values.auth.usePasswordFiles) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: REDIS_ADDR + value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.master.containerPorts.redis }} + {{- if .Values.tls.authClients }} + - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE + value: {{ template "redis.tlsCert" . }} + {{- end }} + - name: REDIS_EXPORTER_TLS_CA_CERT_FILE + value: {{ template "redis.tlsCACert" . }} + {{- end }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: 9121 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.master.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.master.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.master.persistence.enabled .Values.master.podSecurityContext.enabled .Values.master.containerSecurityContext.enabled }} + {{- if or .Values.master.initContainers $needsVolumePermissions .Values.sysctl.enabled }} + initContainers: + {{- if .Values.master.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.master.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: {{ include "redis.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.master.persistence.path }} + {{- else }} + chown -R {{ .Values.master.containerSecurityContext.runAsUser }}:{{ .Values.master.podSecurityContext.fsGroup }} {{ .Values.master.persistence.path }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: redis-data + mountPath: {{ .Values.master.persistence.path }} + subPath: {{ .Values.master.persistence.subPath }} + {{- end }} + {{- if .Values.sysctl.enabled }} + - name: init-sysctl + image: {{ include "redis.sysctl.image" . }} + imagePullPolicy: {{ default "" .Values.sysctl.image.pullPolicy | quote }} + securityContext: + privileged: true + runAsUser: 0 + {{- if .Values.sysctl.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.sysctl.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.resources }} + resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.mountHostSys }} + volumeMounts: + - name: host-sys + mountPath: /host-sys + {{- end }} + {{- end }} + {{- end }} + volumes: + - name: start-scripts + configMap: + name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} + defaultMode: 0755 + - name: health + configMap: + name: {{ printf "%s-health" (include "common.names.fullname" .) }} + defaultMode: 0755 + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- end }} + - name: config + configMap: + name: {{ include "redis.configmapName" . }} + {{- if .Values.sysctl.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + - name: redis-tmp-conf + {{- if .Values.master.persistence.medium }} + emptyDir: + medium: {{ .Values.master.persistence.medium | quote }} + {{- if .Values.master.persistence.sizeLimit }} + sizeLimit: {{ .Values.master.persistence.sizeLimit | quote }} + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + - name: tmp + {{- if .Values.master.persistence.medium }} + emptyDir: + medium: {{ .Values.master.persistence.medium | quote }} + {{- if .Values.master.persistence.sizeLimit }} + sizeLimit: {{ .Values.master.persistence.sizeLimit | quote }} + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + secret: + secretName: {{ include "redis.tlsSecretName" . }} + defaultMode: 256 + {{- end }} + {{- if .Values.master.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if not .Values.master.persistence.enabled }} + - name: redis-data + {{- if .Values.master.persistence.medium }} + emptyDir: { + medium: {{ .Values.master.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + {{- else if .Values.master.persistence.existingClaim }} + - name: redis-data + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.master.persistence.existingClaim .) }} + {{- else if (eq .Values.master.kind "Deployment") }} + - name: redis-data + persistentVolumeClaim: + claimName: {{ printf "redis-data-%s-master" (include "common.names.fullname" .) }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: {{- include "common.labels.matchLabels" . | nindent 10 }} + app.kubernetes.io/component: master + {{- if .Values.master.persistence.annotations }} + annotations: {{- toYaml .Values.master.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.master.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.master.persistence.size | quote }} + {{- if .Values.master.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.master.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.master.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.master.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.master.persistence "global" .Values.global) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/master/psp.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/master/psp.yaml new file mode 100644 index 000000000..2ba93b6e1 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/master/psp.yaml @@ -0,0 +1,46 @@ +{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- if and $pspAvailable .Values.podSecurityPolicy.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ printf "%s-master" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + allowPrivilegeEscalation: false + fsGroup: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.master.podSecurityContext.fsGroup }} + max: {{ .Values.master.podSecurityContext.fsGroup }} + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: false + requiredDropCapabilities: + - ALL + runAsUser: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.master.containerSecurityContext.runAsUser }} + max: {{ .Values.master.containerSecurityContext.runAsUser }} + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.master.containerSecurityContext.runAsUser }} + max: {{ .Values.master.containerSecurityContext.runAsUser }} + volumes: + - 'configMap' + - 'secret' + - 'emptyDir' + - 'persistentVolumeClaim' +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/master/pvc.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/master/pvc.yaml new file mode 100644 index 000000000..2f31036f8 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/master/pvc.yaml @@ -0,0 +1,26 @@ +{{- if and (eq .Values.architecture "standalone") (eq .Values.master.kind "Deployment") (.Values.master.persistence.enabled) (not .Values.master.persistence.existingClaim) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ printf "redis-data-%s-master" (include "common.names.fullname" .) }} + labels: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: master + {{- if .Values.master.persistence.annotations }} + annotations: {{- toYaml .Values.master.persistence.annotations | nindent 4 }} + {{- end }} +spec: + accessModes: + {{- range .Values.master.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.master.persistence.size | quote }} + {{- if .Values.master.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.master.persistence.selector "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.master.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.master.persistence.dataSource "context" $) | nindent 4 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.master.persistence "global" .Values.global) | nindent 4 }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/master/service.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/master/service.yaml new file mode 100644 index 000000000..37ac3d1cb --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/master/service.yaml @@ -0,0 +1,49 @@ +{{- if not .Values.sentinel.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-master" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: master + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.master.service.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.master.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.master.service.type }} + {{ if eq .Values.master.service.type "LoadBalancer" }} + externalTrafficPolicy: {{ .Values.master.service.externalTrafficPolicy }} + {{- end }} + {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.master.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.master.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and (eq .Values.master.service.type "ClusterIP") .Values.master.service.clusterIP }} + clusterIP: {{ .Values.master.service.clusterIP }} + {{- end }} + ports: + - name: tcp-redis + port: {{ .Values.master.service.ports.redis }} + targetPort: redis + {{- if and (or (eq .Values.master.service.type "NodePort") (eq .Values.master.service.type "LoadBalancer")) .Values.master.service.nodePorts.redis}} + nodePort: {{ .Values.master.service.nodePorts.redis}} + {{- else if eq .Values.master.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.master.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.master.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: master +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/metrics-svc.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/metrics-svc.yaml new file mode 100644 index 000000000..94459ec0c --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/metrics-svc.yaml @@ -0,0 +1,38 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.metrics.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type }} + {{- if eq .Values.metrics.service.type "LoadBalancer" }} + externalTrafficPolicy: {{ .Values.metrics.service.externalTrafficPolicy }} + {{- end }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.metrics.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + ports: + - name: http-metrics + port: {{ .Values.metrics.service.port }} + protocol: TCP + targetPort: metrics + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/networkpolicy.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/networkpolicy.yaml new file mode 100644 index 000000000..64c05050b --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/networkpolicy.yaml @@ -0,0 +1,78 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + policyTypes: + - Ingress + {{- if or (eq .Values.architecture "replication") .Values.networkPolicy.extraEgress }} + - Egress + egress: + {{- if eq .Values.architecture "replication" }} + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + # Allow outbound connections to other cluster pods + - ports: + - port: {{ .Values.master.containerPorts.redis }} + {{- if .Values.sentinel.enabled }} + - port: {{ .Values.sentinel.containerPorts.sentinel }} + {{- end }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + # Allow inbound connections + - ports: + - port: {{ .Values.master.containerPorts.redis }} + {{- if .Values.sentinel.enabled }} + - port: {{ .Values.sentinel.containerPorts.sentinel }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.metrics.enabled }} + # Allow prometheus scrapes for metrics + - ports: + - port: 9121 + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/pdb.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/pdb.yaml new file mode 100644 index 000000000..f82d278af --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/prometheusrule.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/prometheusrule.yaml new file mode 100644 index 000000000..cd8bc68b1 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/prometheusrule.yaml @@ -0,0 +1,27 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "common.names.fullname" . }} + {{- if .Values.metrics.prometheusRule.namespace }} + namespace: {{ .Values.metrics.prometheusRule.namespace }} + {{- else }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.metrics.prometheusRule.additionalLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- with .Values.metrics.prometheusRule.rules }} + groups: + - name: {{ template "common.names.name" $ }} + rules: {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/hpa.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/hpa.yaml new file mode 100644 index 000000000..468a504c4 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/hpa.yaml @@ -0,0 +1,35 @@ +{{- if and .Values.replica.autoscaling.enabled (not .Values.sentinel.enabled) }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: replica + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} + kind: StatefulSet + name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} + minReplicas: {{ .Values.replica.autoscaling.minReplicas }} + maxReplicas: {{ .Values.replica.autoscaling.maxReplicas }} + metrics: + {{- if .Values.replica.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.replica.autoscaling.targetCPU }} + {{- end }} + {{- if .Values.replica.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.replica.autoscaling.targetMemory }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/service.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/service.yaml new file mode 100644 index 000000000..95cd75648 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/service.yaml @@ -0,0 +1,49 @@ +{{- if and (eq .Values.architecture "replication") (not .Values.sentinel.enabled) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: replica + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.replica.service.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.replica.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.replica.service.type }} + {{- if eq .Values.replica.service.type "LoadBalancer" }} + externalTrafficPolicy: {{ .Values.replica.service.externalTrafficPolicy }} + {{- end }} + {{- if and (eq .Values.replica.service.type "LoadBalancer") .Values.replica.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.replica.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.replica.service.type "LoadBalancer") .Values.replica.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.replica.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and (eq .Values.replica.service.type "ClusterIP") .Values.replica.service.clusterIP }} + clusterIP: {{ .Values.replica.service.clusterIP }} + {{- end }} + ports: + - name: tcp-redis + port: {{ .Values.replica.service.ports.redis }} + targetPort: redis + {{- if and (or (eq .Values.replica.service.type "NodePort") (eq .Values.replica.service.type "LoadBalancer")) .Values.replica.service.nodePorts.redis}} + nodePort: {{ .Values.replica.service.nodePorts.redis}} + {{- else if eq .Values.replica.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.replica.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: replica +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/statefulset.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/statefulset.yaml new file mode 100644 index 000000000..46f5f3492 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/replicas/statefulset.yaml @@ -0,0 +1,461 @@ +{{- if and (eq .Values.architecture "replication") (not .Values.sentinel.enabled) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: replica + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.replica.autoscaling.enabled }} + replicas: {{ .Values.replica.replicaCount }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: replica + serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) }} + {{- if .Values.replica.updateStrategy }} + updateStrategy: {{- toYaml .Values.replica.updateStrategy | nindent 4 }} + {{- end }} + {{- if .Values.replica.podManagementPolicy }} + podManagementPolicy: {{ .Values.replica.podManagementPolicy | quote }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: replica + {{- if .Values.replica.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} + {{- end }} + annotations: + {{- if (include "redis.createConfigmap" .) }} + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} + checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.replica.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- include "redis.imagePullSecrets" . | nindent 6 }} + {{- if .Values.replica.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.podSecurityContext.enabled }} + securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "redis.serviceAccountName" . }} + {{- if .Values.replica.priorityClassName }} + priorityClassName: {{ .Values.replica.priorityClassName | quote }} + {{- end }} + {{- if .Values.replica.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.replica.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAffinityPreset "component" "replica" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAntiAffinityPreset "component" "replica" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.replica.nodeAffinityPreset.type "key" .Values.replica.nodeAffinityPreset.key "values" .Values.replica.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.replica.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.replica.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.replica.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.replica.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.replica.shareProcessNamespace }} + {{- end }} + {{- if .Values.replica.schedulerName }} + schedulerName: {{ .Values.replica.schedulerName | quote }} + {{- end }} + {{- if .Values.replica.dnsPolicy }} + dnsPolicy: {{ .Values.replica.dnsPolicy }} + {{- end }} + {{- if .Values.replica.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.replica.dnsConfig "context" $) | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.replica.terminationGracePeriodSeconds }} + containers: + - name: redis + image: {{ template "redis.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.replica.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.replica.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.replica.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.replica.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.replica.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.replica.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.replica.args "context" $) | nindent 12 }} + {{- else }} + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-replica.sh + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: REDIS_REPLICATION_MODE + value: slave + - name: REDIS_MASTER_HOST + value: {{ template "common.names.fullname" . }}-master-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + - name: REDIS_MASTER_PORT_NUMBER + value: {{ .Values.master.containerPorts.redis | quote }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.auth.usePasswordFiles }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + - name: REDIS_MASTER_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + - name: REDIS_MASTER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + - name: REDIS_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_TLS_PORT + value: {{ .Values.replica.containerPorts.redis | quote }} + - name: REDIS_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_TLS_DH_PARAMS_FILE + value: {{ template "redis.tlsDHParams" . }} + {{- end }} + {{- else }} + - name: REDIS_PORT + value: {{ .Values.replica.containerPorts.redis | quote }} + {{- end }} + {{- if .Values.replica.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.replica.extraEnvVarsCM .Values.replica.extraEnvVarsSecret }} + envFrom: + {{- if .Values.replica.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.replica.extraEnvVarsCM }} + {{- end }} + {{- if .Values.replica.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.replica.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis + containerPort: {{ .Values.replica.containerPorts.redis }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.replica.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.replica.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: redis + {{- else if .Values.replica.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.replica.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.replica.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.replica.livenessProbe.periodSeconds }} + timeoutSeconds: {{ add1 .Values.replica.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.replica.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.replica.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_liveness_local_and_master.sh {{ .Values.replica.livenessProbe.timeoutSeconds }} + {{- else if .Values.replica.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.replica.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.replica.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.replica.readinessProbe.periodSeconds }} + timeoutSeconds: {{ add1 .Values.replica.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.replica.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.replica.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_readiness_local_and_master.sh {{ .Values.replica.readinessProbe.timeoutSeconds }} + {{- else if .Values.replica.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.replica.resources }} + resources: {{- toYaml .Values.replica.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: /data + subPath: {{ .Values.replica.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.replica.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "redis.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -c + - | + if [[ -f '/secrets/redis-password' ]]; then + export REDIS_PASSWORD=$(cat /secrets/redis-password) + fi + redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: REDIS_ALIAS + value: {{ template "common.names.fullname" . }} + {{- if .Values.auth.enabled }} + - name: REDIS_USER + value: default + {{- if (not .Values.auth.usePasswordFiles) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: REDIS_ADDR + value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.replica.containerPorts.redis }} + {{- if .Values.tls.authClients }} + - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE + value: {{ template "redis.tlsCert" . }} + {{- end }} + - name: REDIS_EXPORTER_TLS_CA_CERT_FILE + value: {{ template "redis.tlsCACert" . }} + {{- end }} + ports: + - name: metrics + containerPort: 9121 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.replica.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.replica.persistence.enabled .Values.replica.podSecurityContext.enabled .Values.replica.containerSecurityContext.enabled }} + {{- if or .Values.replica.initContainers $needsVolumePermissions .Values.sysctl.enabled }} + initContainers: + {{- if .Values.replica.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: {{ include "redis.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.replica.persistence.path }} + {{- else }} + chown -R {{ .Values.replica.containerSecurityContext.runAsUser }}:{{ .Values.replica.podSecurityContext.fsGroup }} {{ .Values.replica.persistence.path }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: redis-data + mountPath: {{ .Values.replica.persistence.path }} + subPath: {{ .Values.replica.persistence.subPath }} + {{- end }} + {{- if .Values.sysctl.enabled }} + - name: init-sysctl + image: {{ include "redis.sysctl.image" . }} + imagePullPolicy: {{ default "" .Values.sysctl.image.pullPolicy | quote }} + securityContext: + privileged: true + runAsUser: 0 + {{- if .Values.sysctl.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.sysctl.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.resources }} + resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.mountHostSys }} + volumeMounts: + - name: host-sys + mountPath: /host-sys + {{- end }} + {{- end }} + {{- end }} + volumes: + - name: start-scripts + configMap: + name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} + defaultMode: 0755 + - name: health + configMap: + name: {{ printf "%s-health" (include "common.names.fullname" .) }} + defaultMode: 0755 + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- end }} + - name: config + configMap: + name: {{ include "redis.configmapName" . }} + {{- if .Values.sysctl.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + - name: redis-tmp-conf + {{- if .Values.replica.persistence.medium }} + emptyDir: { + medium: {{ .Values.replica.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + secret: + secretName: {{ include "redis.tlsSecretName" . }} + defaultMode: 256 + {{- end }} + {{- if .Values.replica.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if not .Values.replica.persistence.enabled }} + - name: redis-data + {{- if .Values.replica.persistence.medium }} + emptyDir: { + medium: {{ .Values.replica.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: {{- include "common.labels.matchLabels" . | nindent 10 }} + app.kubernetes.io/component: replica + {{- if .Values.replica.persistence.annotations }} + annotations: {{- toYaml .Values.replica.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.replica.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.replica.persistence.size | quote }} + {{- if .Values.replica.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.replica.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.replica.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.replica.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.replica.persistence "global" .Values.global) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/role.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/role.yaml new file mode 100644 index 000000000..0475e0dac --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/role.yaml @@ -0,0 +1,28 @@ +{{- if .Values.rbac.create }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: Role +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + {{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} + {{- if and $pspAvailable .Values.podSecurityPolicy.enabled }} + - apiGroups: + - '{{ template "podSecurityPolicy.apiGroup" . }}' + resources: + - 'podsecuritypolicies' + verbs: + - 'use' + resourceNames: [{{ template "common.names.fullname" . }}] + {{- end }} + {{- if .Values.rbac.rules }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/rolebinding.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/rolebinding.yaml new file mode 100644 index 000000000..74968b8ff --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: RoleBinding +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "common.names.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "redis.serviceAccountName" . }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/scripts-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/scripts-configmap.yaml new file mode 100644 index 000000000..2123d6afc --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/scripts-configmap.yaml @@ -0,0 +1,625 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} + start-node.sh: | + #!/bin/bash + + . /opt/bitnami/scripts/libos.sh + . /opt/bitnami/scripts/liblog.sh + . /opt/bitnami/scripts/libvalidations.sh + + get_port() { + hostname="$1" + type="$2" + + port_var=$(echo "${hostname^^}_SERVICE_PORT_$type" | sed "s/-/_/g") + port=${!port_var} + + if [ -z "$port" ]; then + case $type in + "SENTINEL") + echo {{ .Values.sentinel.containerPorts.sentinel }} + ;; + "REDIS") + echo {{ .Values.master.containerPorts.redis }} + ;; + esac + else + echo $port + fi + } + + get_full_hostname() { + hostname="$1" + + {{- if .Values.useExternalDNS.enabled }} + echo "${hostname}.{{- include "redis.externalDNS.suffix" . }}" + {{- else if eq .Values.sentinel.service.type "NodePort" }} + echo "${hostname}.{{- .Release.Namespace }}" + {{- else }} + echo "${hostname}.${HEADLESS_SERVICE}" + {{- end }} + } + + REDISPORT=$(get_port "$HOSTNAME" "REDIS") + + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + + if [ -n "$REDIS_EXTERNAL_MASTER_HOST" ]; then + REDIS_SERVICE="$REDIS_EXTERNAL_MASTER_HOST" + else + REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + fi + + SENTINEL_SERVICE_PORT=$(get_port "{{ include "common.names.fullname" . }}" "TCP_SENTINEL") + validate_quorum() { + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + quorum_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel master {{ .Values.sentinel.masterSet }}" + else + quorum_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel master {{ .Values.sentinel.masterSet }}" + fi + info "about to run the command: $quorum_info_command" + eval $quorum_info_command | grep -Fq "s_down" + } + + trigger_manual_failover() { + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + failover_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel failover {{ .Values.sentinel.masterSet }}" + else + failover_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel failover {{ .Values.sentinel.masterSet }}" + fi + + info "about to run the command: $failover_command" + eval $failover_command + } + + get_sentinel_master_info() { + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}timeout {{ .Values.sentinel.getMasterTimeout }} redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + else + sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}timeout {{ .Values.sentinel.getMasterTimeout }} redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + fi + + info "about to run the command: $sentinel_info_command" + eval $sentinel_info_command + } + + {{- if and .Values.replica.containerSecurityContext.runAsUser (eq (.Values.replica.containerSecurityContext.runAsUser | int) 0) }} + useradd redis + chown -R redis {{ .Values.replica.persistence.path }} + {{- end }} + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + + # check if there is a master + master_in_persisted_conf="$(get_full_hostname "$HOSTNAME")" + master_port_in_persisted_conf="$REDIS_MASTER_PORT_NUMBER" + master_in_sentinel="$(get_sentinel_master_info)" + redisRetVal=$? + + {{- if .Values.sentinel.persistence.enabled }} + if [[ -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]]; then + master_in_persisted_conf="$(awk '/monitor/ {print $4}' /opt/bitnami/redis-sentinel/etc/sentinel.conf)" + master_port_in_persisted_conf="$(awk '/monitor/ {print $5}' /opt/bitnami/redis-sentinel/etc/sentinel.conf)" + info "Found previous master ${master_in_persisted_conf}:${master_port_in_persisted_conf} in /opt/bitnami/redis-sentinel/etc/sentinel.conf" + debug "$(cat /opt/bitnami/redis-sentinel/etc/sentinel.conf | grep monitor)" + touch /opt/bitnami/redis-sentinel/etc/.node_read + fi + {{- end }} + + if [[ $redisRetVal -ne 0 ]]; then + if [[ "$master_in_persisted_conf" == "$(get_full_hostname "$HOSTNAME")" ]]; then + # Case 1: No active sentinel and in previous sentinel.conf we were the master --> MASTER + info "Configuring the node as master" + export REDIS_REPLICATION_MODE="master" + else + # Case 2: No active sentinel and in previous sentinel.conf we were not master --> REPLICA + info "Configuring the node as replica" + export REDIS_REPLICATION_MODE="slave" + REDIS_MASTER_HOST=${master_in_persisted_conf} + REDIS_MASTER_PORT_NUMBER=${master_port_in_persisted_conf} + fi + else + # Fetches current master's host and port + REDIS_SENTINEL_INFO=($(get_sentinel_master_info)) + info "Current master: REDIS_SENTINEL_INFO=(${REDIS_SENTINEL_INFO[0]},${REDIS_SENTINEL_INFO[1]})" + REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} + REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} + + if [[ "$REDIS_MASTER_HOST" == "$(get_full_hostname "$HOSTNAME")" ]]; then + # Case 3: Active sentinel and master it is this node --> MASTER + info "Configuring the node as master" + export REDIS_REPLICATION_MODE="master" + else + # Case 4: Active sentinel and master is not this node --> REPLICA + info "Configuring the node as replica" + export REDIS_REPLICATION_MODE="slave" + + {{- if and .Values.sentinel.automateClusterRecovery (le (int .Values.sentinel.downAfterMilliseconds) 2000) }} + retry_count=1 + while validate_quorum + do + info "sleeping, waiting for Redis master to come up" + sleep 1s + if ! ((retry_count % 11)); then + info "Trying to manually failover" + failover_result=$(trigger_manual_failover) + + debug "Failover result: $failover_result" + fi + + ((retry_count+=1)) + done + info "Redis master is up now" + {{- end }} + fi + fi + + if [[ -n "$REDIS_EXTERNAL_MASTER_HOST" ]]; then + REDIS_MASTER_HOST="$REDIS_EXTERNAL_MASTER_HOST" + REDIS_MASTER_PORT_NUMBER="${REDIS_EXTERNAL_MASTER_PORT}" + fi + + if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then + cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf + fi + + if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + + echo "" >> /opt/bitnami/redis/etc/replica.conf + echo "replica-announce-port $REDISPORT" >> /opt/bitnami/redis/etc/replica.conf + echo "replica-announce-ip $(get_full_hostname "$HOSTNAME")" >> /opt/bitnami/redis/etc/replica.conf + + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_TLS_PORT}") + ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") + ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") + ARGS+=("--tls-replication" "yes") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- else }} + ARGS=("--port" "${REDIS_PORT}") + {{- end }} + + if [[ "$REDIS_REPLICATION_MODE" = "slave" ]]; then + ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") + fi + + {{- if .Values.auth.enabled }} + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}") + {{- else }} + ARGS+=("--protected-mode" "no") + {{- end }} + ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + {{- if .Values.replica.extraFlags }} + {{- range .Values.replica.extraFlags }} + ARGS+=({{ . | quote }}) + {{- end }} + {{- end }} + + {{- if .Values.replica.preExecCmds }} + {{- .Values.replica.preExecCmds | nindent 4 }} + {{- end }} + + {{- if .Values.replica.command }} + exec {{ .Values.replica.command }} "${ARGS[@]}" + {{- else }} + exec redis-server "${ARGS[@]}" + {{- end }} + + start-sentinel.sh: | + #!/bin/bash + + . /opt/bitnami/scripts/libos.sh + . /opt/bitnami/scripts/libvalidations.sh + . /opt/bitnami/scripts/libfile.sh + + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + + get_port() { + hostname="$1" + type="$2" + + port_var=$(echo "${hostname^^}_SERVICE_PORT_$type" | sed "s/-/_/g") + port=${!port_var} + + if [ -z "$port" ]; then + case $type in + "SENTINEL") + echo {{ .Values.sentinel.containerPorts.sentinel }} + ;; + "REDIS") + echo {{ .Values.master.containerPorts.redis }} + ;; + esac + else + echo $port + fi + } + + get_full_hostname() { + hostname="$1" + + {{- if .Values.useExternalDNS.enabled }} + echo "${hostname}.{{- include "redis.externalDNS.suffix" . }}" + {{- else if eq .Values.sentinel.service.type "NodePort" }} + echo "${hostname}.{{- .Release.Namespace }}" + {{- else }} + echo "${hostname}.${HEADLESS_SERVICE}" + {{- end }} + } + + SERVPORT=$(get_port "$HOSTNAME" "SENTINEL") + REDISPORT=$(get_port "$HOSTNAME" "REDIS") + SENTINEL_SERVICE_PORT=$(get_port "{{ include "common.names.fullname" . }}" "TCP_SENTINEL") + + sentinel_conf_set() { + local -r key="${1:?missing key}" + local value="${2:-}" + + # Sanitize inputs + value="${value//\\/\\\\}" + value="${value//&/\\&}" + value="${value//\?/\\?}" + [[ "$value" = "" ]] && value="\"$value\"" + + replace_in_file "/opt/bitnami/redis-sentinel/etc/sentinel.conf" "^#*\s*${key} .*" "${key} ${value}" false + } + sentinel_conf_add() { + echo $'\n'"$@" >> "/opt/bitnami/redis-sentinel/etc/sentinel.conf" + } + host_id() { + echo "$1" | openssl sha1 | awk '{print $2}' + } + get_sentinel_master_info() { + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + else + sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + fi + info "about to run the command: $sentinel_info_command" + eval $sentinel_info_command + } + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + + master_in_persisted_conf="$(get_full_hostname "$HOSTNAME")" + + {{- if .Values.sentinel.persistence.enabled }} + if [[ -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]]; then + check_lock_file() { + [[ -f /opt/bitnami/redis-sentinel/etc/.node_read ]] + } + retry_while "check_lock_file" + rm -f /opt/bitnami/redis-sentinel/etc/.node_read + master_in_persisted_conf="$(awk '/monitor/ {print $4}' /opt/bitnami/redis-sentinel/etc/sentinel.conf)" + info "Found previous master $master_in_persisted_conf in /opt/bitnami/redis-sentinel/etc/sentinel.conf" + debug "$(cat /opt/bitnami/redis-sentinel/etc/sentinel.conf | grep monitor)" + fi + {{- end }} + if ! get_sentinel_master_info && [[ "$master_in_persisted_conf" == "$(get_full_hostname "$HOSTNAME")" ]]; then + # No master found, lets create a master node + export REDIS_REPLICATION_MODE="master" + + REDIS_MASTER_HOST=$(get_full_hostname "$HOSTNAME") + REDIS_MASTER_PORT_NUMBER="$REDISPORT" + else + export REDIS_REPLICATION_MODE="slave" + + # Fetches current master's host and port + REDIS_SENTINEL_INFO=($(get_sentinel_master_info)) + info "printing REDIS_SENTINEL_INFO=(${REDIS_SENTINEL_INFO[0]},${REDIS_SENTINEL_INFO[1]})" + REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} + REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} + fi + + if [[ -n "$REDIS_EXTERNAL_MASTER_HOST" ]]; then + REDIS_MASTER_HOST="$REDIS_EXTERNAL_MASTER_HOST" + REDIS_MASTER_PORT_NUMBER="${REDIS_EXTERNAL_MASTER_PORT}" + fi + + cp /opt/bitnami/redis-sentinel/mounted-etc/sentinel.conf /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- if .Values.auth.enabled }} + printf "\nsentinel auth-pass %s %s" "{{ .Values.sentinel.masterSet }}" "$REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- if and .Values.auth.enabled .Values.auth.sentinel }} + printf "\nrequirepass %s" "$REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- end }} + {{- end }} + printf "\nsentinel myid %s" "$(host_id "$HOSTNAME")" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + + sentinel_conf_set "sentinel monitor" "{{ .Values.sentinel.masterSet }} "$REDIS_MASTER_HOST" "$REDIS_MASTER_PORT_NUMBER" {{ .Values.sentinel.quorum }}" + + add_known_sentinel() { + hostname="$1" + ip="$2" + + if [[ -n "$hostname" && -n "$ip" && "$hostname" != "$HOSTNAME" ]]; then + sentinel_conf_add "sentinel known-sentinel {{ .Values.sentinel.masterSet }} $(get_full_hostname "$hostname") $(get_port "$hostname" "SENTINEL") $(host_id "$hostname")" + fi + } + add_known_replica() { + hostname="$1" + ip="$2" + + if [[ -n "$ip" && "$(get_full_hostname "$hostname")" != "$REDIS_MASTER_HOST" ]]; then + sentinel_conf_add "sentinel known-replica {{ .Values.sentinel.masterSet }} $(get_full_hostname "$hostname") $(get_port "$hostname" "REDIS")" + fi + } + + # Add available hosts on the network as known replicas & sentinels + for node in $(seq 0 $(({{ .Values.replica.replicaCount }}-1))); do + hostname="{{ template "common.names.fullname" . }}-node-$node" + ip="$(getent hosts "$hostname.$HEADLESS_SERVICE" | awk '{ print $1 }')" + add_known_sentinel "$hostname" "$ip" + add_known_replica "$hostname" "$ip" + done + + echo "" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + echo "sentinel announce-hostnames yes" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + echo "sentinel resolve-hostnames yes" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + echo "sentinel announce-port $SERVPORT" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + echo "sentinel announce-ip $(get_full_hostname "$HOSTNAME")" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_SENTINEL_TLS_PORT_NUMBER}") + ARGS+=("--tls-cert-file" "${REDIS_SENTINEL_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_SENTINEL_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_SENTINEL_TLS_CA_FILE}") + ARGS+=("--tls-replication" "yes") + ARGS+=("--tls-auth-clients" "${REDIS_SENTINEL_TLS_AUTH_CLIENTS}") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_SENTINEL_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- end }} + {{- if .Values.sentinel.preExecCmds }} + {{ .Values.sentinel.preExecCmds | nindent 4 }} + {{- end }} + exec redis-server /opt/bitnami/redis-sentinel/etc/sentinel.conf --sentinel {{- if .Values.tls.enabled }} "${ARGS[@]}" {{- end }} + prestop-sentinel.sh: | + #!/bin/bash + + . /opt/bitnami/scripts/libvalidations.sh + . /opt/bitnami/scripts/libos.sh + + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + SENTINEL_SERVICE_ENV_NAME={{ printf "%s%s" (upper (include "common.names.fullname" .)| replace "-" "_") "_SERVICE_PORT_TCP_SENTINEL" }} + SENTINEL_SERVICE_PORT=${!SENTINEL_SERVICE_ENV_NAME} + + get_full_hostname() { + hostname="$1" + + {{- if .Values.useExternalDNS.enabled }} + echo "${hostname}.{{- include "redis.externalDNS.suffix" . }}" + {{- else if eq .Values.sentinel.service.type "NodePort" }} + echo "${hostname}.{{- .Release.Namespace }}" + {{- else }} + echo "${hostname}.${HEADLESS_SERVICE}" + {{- end }} + } + run_sentinel_command() { + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + redis-cli -h "$REDIS_SERVICE" -p "$SENTINEL_SERVICE_PORT" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" + else + redis-cli -h "$REDIS_SERVICE" -p "$SENTINEL_SERVICE_PORT" sentinel "$@" + fi + } + failover_finished() { + REDIS_SENTINEL_INFO=($(run_sentinel_command get-master-addr-by-name "{{ .Values.sentinel.masterSet }}")) + REDIS_MASTER_HOST="${REDIS_SENTINEL_INFO[0]}" + [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] + } + + REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + + # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" + [[ -f "$REDIS_PASSWORD_FILE" ]] && export REDISCLI_AUTH="$(< "${REDIS_PASSWORD_FILE}")" + + if ! failover_finished; then + echo "I am the master pod and you are stopping me. Starting sentinel failover" + # if I am the master, issue a command to failover once and then wait for the failover to finish + run_sentinel_command failover "{{ .Values.sentinel.masterSet }}" + if retry_while "failover_finished" "{{ sub .Values.sentinel.terminationGracePeriodSeconds 10 }}" 1; then + echo "Master has been successfuly failed over to a different pod." + exit 0 + else + echo "Master failover failed" + exit 1 + fi + else + exit 0 + fi + prestop-redis.sh: | + #!/bin/bash + + . /opt/bitnami/scripts/libvalidations.sh + . /opt/bitnami/scripts/libos.sh + + run_redis_command() { + if is_boolean_yes "$REDIS_TLS_ENABLED"; then + redis-cli -h 127.0.0.1 -p "$REDIS_TLS_PORT" --tls --cert "$REDIS_TLS_CERT_FILE" --key "$REDIS_TLS_KEY_FILE" --cacert "$REDIS_TLS_CA_FILE" "$@" + else + redis-cli -h 127.0.0.1 -p ${REDIS_PORT} "$@" + fi + } + failover_finished() { + REDIS_ROLE=$(run_redis_command role | head -1) + [[ "$REDIS_ROLE" != "master" ]] + } + + # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" + [[ -f "$REDIS_PASSWORD_FILE" ]] && export REDISCLI_AUTH="$(< "${REDIS_PASSWORD_FILE}")" + + if ! failover_finished; then + echo "Waiting for sentinel to run failover for up to {{ sub .Values.sentinel.terminationGracePeriodSeconds 10 }}s" + retry_while "failover_finished" "{{ sub .Values.sentinel.terminationGracePeriodSeconds 10 }}" 1 + else + exit 0 + fi + +{{- else }} + start-master.sh: | + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + {{- if and .Values.master.containerSecurityContext.runAsUser (eq (.Values.master.containerSecurityContext.runAsUser | int) 0) }} + useradd redis + chown -R redis {{ .Values.master.persistence.path }} + {{- end }} + if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then + cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf + fi + if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_TLS_PORT}") + ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") + ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- else }} + ARGS=("--port" "${REDIS_PORT}") + {{- end }} + {{- if .Values.auth.enabled }} + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_PASSWORD}") + {{- else }} + ARGS+=("--protected-mode" "no") + {{- end }} + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") + {{- if .Values.master.extraFlags }} + {{- range .Values.master.extraFlags }} + ARGS+=({{ . | quote }}) + {{- end }} + {{- end }} + {{- if .Values.master.preExecCmds }} + {{ .Values.master.preExecCmds | nindent 4 }} + {{- end }} + {{- if .Values.master.command }} + exec {{ .Values.master.command }} "${ARGS[@]}" + {{- else }} + exec redis-server "${ARGS[@]}" + {{- end }} + {{- if eq .Values.architecture "replication" }} + start-replica.sh: | + #!/bin/bash + + get_port() { + hostname="$1" + type="$2" + + port_var=$(echo "${hostname^^}_SERVICE_PORT_$type" | sed "s/-/_/g") + port=${!port_var} + + if [ -z "$port" ]; then + case $type in + "SENTINEL") + echo {{ .Values.sentinel.containerPorts.sentinel }} + ;; + "REDIS") + echo {{ .Values.master.containerPorts.redis }} + ;; + esac + else + echo $port + fi + } + + get_full_hostname() { + hostname="$1" + + {{- if .Values.useExternalDNS.enabled }} + echo "${hostname}.{{- include "redis.externalDNS.suffix" . }}" + {{- else if eq .Values.sentinel.service.type "NodePort" }} + echo "${hostname}.{{- .Release.Namespace }}" + {{- else }} + echo "${hostname}.${HEADLESS_SERVICE}" + {{- end }} + } + + REDISPORT=$(get_port "$HOSTNAME" "REDIS") + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + {{- if and .Values.replica.containerSecurityContext.runAsUser (eq (.Values.replica.containerSecurityContext.runAsUser | int) 0) }} + useradd redis + chown -R redis {{ .Values.replica.persistence.path }} + {{- end }} + if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then + cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf + fi + if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + + echo "" >> /opt/bitnami/redis/etc/replica.conf + echo "replica-announce-port $REDISPORT" >> /opt/bitnami/redis/etc/replica.conf + echo "replica-announce-ip $(get_full_hostname "$HOSTNAME")" >> /opt/bitnami/redis/etc/replica.conf + + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_TLS_PORT}") + ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") + ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") + ARGS+=("--tls-replication" "yes") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- else }} + ARGS=("--port" "${REDIS_PORT}") + {{- end }} + ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") + {{- if .Values.auth.enabled }} + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}") + {{- else }} + ARGS+=("--protected-mode" "no") + {{- end }} + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") + {{- if .Values.replica.extraFlags }} + {{- range .Values.replica.extraFlags }} + ARGS+=({{ . | quote }}) + {{- end }} + {{- end }} + {{- if .Values.replica.preExecCmds }} + {{ .Values.replica.preExecCmds | nindent 4 }} + {{- end }} + {{- if .Values.replica.command }} + exec {{ .Values.replica.command }} "${ARGS[@]}" + {{- else }} + exec redis-server "${ARGS[@]}" + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/secret.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/secret.yaml new file mode 100644 index 000000000..2edc0d814 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/secret.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.secretAnnotations .Values.commonAnnotations }} + annotations: + {{- if .Values.secretAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.secretAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +type: Opaque +data: + redis-password: {{ include "redis.password" . | b64enc | quote }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/hpa.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/hpa.yaml new file mode 100644 index 000000000..51f0f80a6 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/hpa.yaml @@ -0,0 +1,35 @@ +{{- if and .Values.replica.autoscaling.enabled .Values.sentinel.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ printf "%s-node" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: replica + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} + kind: StatefulSet + name: {{ printf "%s-node" (include "common.names.fullname" .) }} + minReplicas: {{ .Values.replica.autoscaling.minReplicas }} + maxReplicas: {{ .Values.replica.autoscaling.maxReplicas }} + metrics: + {{- if .Values.replica.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.replica.autoscaling.targetCPU }} + {{- end }} + {{- if .Values.replica.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.replica.autoscaling.targetMemory }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/node-services.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/node-services.yaml new file mode 100644 index 000000000..8bf7a2b39 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/node-services.yaml @@ -0,0 +1,71 @@ +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled (eq .Values.sentinel.service.type "NodePort") (or .Release.IsUpgrade .Values.sentinel.service.nodePorts.redis ) }} + +{{- range $i := until (int .Values.replica.replicaCount) }} + +{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" $ ) "ports-configmap")).data }} + +{{ $sentinelport := 0}} +{{ $redisport := 0}} +{{- if $portsmap }} +{{ $sentinelport = index $portsmap (printf "%s-node-%s-%s" (include "common.names.fullname" $) (toString $i) "sentinel") }} +{{ $redisport = index $portsmap (printf "%s-node-%s-%s" (include "common.names.fullname" $) (toString $i) "redis") }} +{{- else }} +{{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" $ }}-node-{{ $i }} + namespace: {{ $.Release.Namespace | quote }} + labels: {{- include "common.labels.standard" $ | nindent 4 }} + app.kubernetes.io/component: node + {{- if $.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or $.Values.sentinel.service.annotations $.Values.commonAnnotations }} + annotations: + {{- if $.Values.sentinel.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.sentinel.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if $.Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: NodePort + ports: + - name: sentinel + {{- if $.Values.sentinel.service.nodePorts.sentinel }} + nodePort: {{ (add $.Values.sentinel.service.nodePorts.sentinel $i 1) }} + port: {{ (add $.Values.sentinel.service.nodePorts.sentinel $i 1) }} + {{- else }} + nodePort: {{ $sentinelport }} + port: {{ $sentinelport }} + {{- end }} + protocol: TCP + targetPort: {{ $.Values.sentinel.containerPorts.sentinel }} + - name: redis + {{- if $.Values.sentinel.service.nodePorts.redis }} + nodePort: {{ (add $.Values.sentinel.service.nodePorts.redis $i 1) }} + port: {{ (add $.Values.sentinel.service.nodePorts.redis $i 1) }} + {{- else }} + nodePort: {{ $redisport }} + port: {{ $redisport }} + {{- end }} + protocol: TCP + targetPort: {{ $.Values.replica.containerPorts.redis }} + - name: sentinel-internal + nodePort: null + port: {{ $.Values.sentinel.containerPorts.sentinel }} + protocol: TCP + targetPort: {{ $.Values.sentinel.containerPorts.sentinel }} + - name: redis-internal + nodePort: null + port: {{ $.Values.replica.containerPorts.redis }} + protocol: TCP + targetPort: {{ $.Values.replica.containerPorts.redis }} + selector: + statefulset.kubernetes.io/pod-name: {{ template "common.names.fullname" $ }}-node-{{ $i }} +{{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/ports-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/ports-configmap.yaml new file mode 100644 index 000000000..f5e7b2a90 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/ports-configmap.yaml @@ -0,0 +1,100 @@ +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled (eq .Values.sentinel.service.type "NodePort") (not .Values.sentinel.service.nodePorts.redis ) }} +{{- /* create a list to keep track of ports we choose to use */}} +{{ $chosenports := (list ) }} + +{{- /* Get list of all used nodeports */}} +{{ $usedports := (list ) }} +{{- range $index, $service := (lookup "v1" "Service" "" "").items }} + {{- range.spec.ports }} + {{- if .nodePort }} + {{- $usedports = (append $usedports .nodePort) }} + {{- end }} + {{- end }} +{{- end }} + +{{- /* +comments that start with # are rendered in the output when you debug, so you can less and search for them +Vars in the comment will be rendered out, so you can check their value this way. +https://helm.sh/docs/chart_best_practices/templates/#comments-yaml-comments-vs-template-comments + +remove the template comments and leave the yaml comments to help debug +*/}} + +{{- /* Sort the list */}} +{{ $usedports = $usedports | sortAlpha }} +#usedports {{ $usedports }} + +{{- /* How many nodeports per service do we want to create, except for the main service which is always two */}} +{{ $numberofPortsPerNodeService := 2 }} + +{{- /* for every nodeport we want, loop though the used ports to get an unused port */}} +{{- range $j := until (int (add (mul (int .Values.replica.replicaCount) $numberofPortsPerNodeService) 2)) }} + {{- /* #j={{ $j }} */}} + {{- $nodeport := (add $j 30000) }} + {{- $nodeportfound := false }} + {{- range $i := $usedports }} + {{- /* #i={{ $i }} + #nodeport={{ $nodeport }} + #usedports={{ $usedports }} */}} + {{- if and (has (toString $nodeport) $usedports) (eq $nodeportfound false) }} + {{- /* nodeport conflicts with in use */}} + {{- $nodeport = (add $nodeport 1) }} + {{- else if and ( has $nodeport $chosenports) (eq $nodeportfound false) }} + {{- /* nodeport already chosen, try another */}} + {{- $nodeport = (add $nodeport 1) }} + {{- else if (eq $nodeportfound false) }} + {{- /* nodeport free to use: not already claimed and not in use */}} + {{- /* select nodeport, and place into usedports */}} + {{- $chosenports = (append $chosenports $nodeport) }} + {{- $nodeportfound = true }} + {{- else }} + {{- /* nodeport has already been chosen and locked in, just work through the rest of the list to get to the next nodeport selection */}} + {{- end }} + {{- end }} + {{- if (eq $nodeportfound false) }} + {{- $chosenports = (append $chosenports $nodeport) }} + {{- end }} + +{{- end }} + +{{- /* print the usedports and chosenports for debugging */}} +#usedports {{ $usedports }} +#chosenports {{ $chosenports }}}} + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-ports-configmap + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: +{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} +{{- if $portsmap }} +{{- /* configmap already exists, do not install again */ -}} + {{- range $name, $value := $portsmap }} + "{{ $name }}": "{{ $value }}" + {{- end }} +{{- else }} +{{- /* configmap being set for first time */ -}} + {{- range $index, $port := $chosenports }} + {{- $nodenumber := (floor (div $index 2)) }} + {{- if (eq $index 0) }} + "{{ template "common.names.fullname" $ }}-sentinel": "{{ $port }}" + {{- else if (eq $index 1) }} + "{{ template "common.names.fullname" $ }}-redis": "{{ $port }}" + {{- else if (eq (mod $index 2) 0) }} + "{{ template "common.names.fullname" $ }}-node-{{ (sub $nodenumber 1) }}-sentinel": "{{ $port }}" + {{- else if (eq (mod $index 2) 1) }} + "{{ template "common.names.fullname" $ }}-node-{{ (sub $nodenumber 1) }}-redis": "{{ $port }}" + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/service.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/service.yaml new file mode 100644 index 000000000..622ed9594 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/service.yaml @@ -0,0 +1,96 @@ +{{- if or .Release.IsUpgrade (ne .Values.sentinel.service.type "NodePort") .Values.sentinel.service.nodePorts.redis -}} + +--- +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} +{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} + +{{ $sentinelport := 0}} +{{ $redisport := 0}} +{{- if $portsmap }} +{{ $sentinelport = index $portsmap (printf "%s-%s" (include "common.names.fullname" $) "sentinel") }} +{{ $redisport = index $portsmap (printf "%s-%s" (include "common.names.fullname" $) "redis") }} +{{- else }} +{{- end }} + +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: node + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.sentinel.service.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.sentinel.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.sentinel.service.type }} + {{- if eq .Values.sentinel.service.type "LoadBalancer" }} + externalTrafficPolicy: {{ .Values.sentinel.service.externalTrafficPolicy }} + {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") .Values.sentinel.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") .Values.sentinel.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.sentinel.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and (eq .Values.sentinel.service.type "ClusterIP") .Values.sentinel.service.clusterIP }} + clusterIP: {{ .Values.sentinel.service.clusterIP }} + {{- end }} + ports: + - name: tcp-redis + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }} + port: {{ .Values.sentinel.service.nodePorts.redis }} + {{- else if eq .Values.sentinel.service.type "NodePort" }} + port: {{ $redisport }} + {{- else}} + port: {{ .Values.sentinel.service.ports.redis }} + {{- end }} + targetPort: {{ .Values.replica.containerPorts.redis }} + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }} + nodePort: {{ .Values.sentinel.service.nodePorts.redis }} + {{- else if eq .Values.sentinel.service.type "ClusterIP" }} + nodePort: null + {{- else if eq .Values.sentinel.service.type "NodePort" }} + nodePort: {{ $redisport }} + {{- end }} + - name: tcp-sentinel + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.sentinel }} + port: {{ .Values.sentinel.service.nodePorts.sentinel }} + {{- else if eq .Values.sentinel.service.type "NodePort" }} + port: {{ $sentinelport }} + {{- else }} + port: {{ .Values.sentinel.service.ports.sentinel }} + {{- end }} + targetPort: {{ .Values.sentinel.containerPorts.sentinel }} + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.sentinel }} + nodePort: {{ .Values.sentinel.service.nodePorts.sentinel }} + {{- else if eq .Values.sentinel.service.type "ClusterIP" }} + nodePort: null + {{- else if eq .Values.sentinel.service.type "NodePort" }} + nodePort: {{ $sentinelport }} + {{- end }} + {{- if eq .Values.sentinel.service.type "NodePort" }} + - name: sentinel-internal + nodePort: null + port: {{ .Values.sentinel.containerPorts.sentinel }} + protocol: TCP + targetPort: {{ .Values.sentinel.containerPorts.sentinel }} + - name: redis-internal + nodePort: null + port: {{ .Values.replica.containerPorts.redis }} + protocol: TCP + targetPort: {{ .Values.replica.containerPorts.redis }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: node +{{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/statefulset.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/statefulset.yaml new file mode 100644 index 000000000..4c07c2f6b --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/sentinel/statefulset.yaml @@ -0,0 +1,674 @@ +{{- if or .Release.IsUpgrade (ne .Values.sentinel.service.type "NodePort") .Values.sentinel.service.nodePorts.redis -}} +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-node" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: node + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replica.replicaCount }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: node + serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) }} + {{- if .Values.replica.updateStrategy }} + updateStrategy: {{- toYaml .Values.replica.updateStrategy | nindent 4 }} + {{- end }} + {{- if .Values.replica.podManagementPolicy }} + podManagementPolicy: {{ .Values.replica.podManagementPolicy | quote }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: node + {{- if .Values.replica.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} + {{- end }} + annotations: + {{- if (include "redis.createConfigmap" .) }} + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} + checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.replica.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- include "redis.imagePullSecrets" . | nindent 6 }} + {{- if .Values.replica.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.podSecurityContext.enabled }} + securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "redis.serviceAccountName" . }} + {{- if .Values.replica.priorityClassName }} + priorityClassName: {{ .Values.replica.priorityClassName | quote }} + {{- end }} + {{- if .Values.replica.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.replica.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAffinityPreset "component" "node" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAntiAffinityPreset "component" "node" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.replica.nodeAffinityPreset.type "key" .Values.replica.nodeAffinityPreset.key "values" .Values.replica.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.replica.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.replica.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.replica.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.replica.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.replica.shareProcessNamespace }} + {{- end }} + {{- if .Values.replica.schedulerName }} + schedulerName: {{ .Values.replica.schedulerName | quote }} + {{- end }} + {{- if .Values.replica.dnsPolicy }} + dnsPolicy: {{ .Values.replica.dnsPolicy }} + {{- end }} + {{- if .Values.replica.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.replica.dnsConfig "context" $) | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.sentinel.terminationGracePeriodSeconds }} + containers: + - name: redis + image: {{ template "redis.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.replica.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.replica.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.replica.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.replica.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.replica.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.replica.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.replica.args "context" $) | nindent 12 }} + {{- else }} + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-node.sh + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: REDIS_MASTER_PORT_NUMBER + value: {{ .Values.replica.containerPorts.redis | quote }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.auth.usePasswordFiles }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + - name: REDIS_MASTER_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + - name: REDIS_MASTER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + - name: REDIS_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_TLS_PORT + value: {{ .Values.replica.containerPorts.redis | quote }} + - name: REDIS_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_TLS_DH_PARAMS_FILE + value: {{ template "redis.tlsDHParams" . }} + {{- end }} + {{- else }} + - name: REDIS_PORT + value: {{ .Values.replica.containerPorts.redis | quote }} + {{- end }} + - name: REDIS_DATA_DIR + value: {{ .Values.replica.persistence.path }} + {{- if .Values.replica.externalMaster.enabled }} + - name: REDIS_EXTERNAL_MASTER_HOST + value: {{ .Values.replica.externalMaster.host | quote }} + - name: REDIS_EXTERNAL_MASTER_PORT + value: {{ .Values.replica.externalMaster.port | quote }} + {{- end }} + {{- if .Values.replica.extraEnvVars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraEnvVars "context" $ ) | nindent 12 }} + {{- end }} + {{- if or .Values.replica.extraEnvVarsCM .Values.replica.extraEnvVarsSecret }} + envFrom: + {{- if .Values.replica.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.replica.extraEnvVarsCM }} + {{- end }} + {{- if .Values.replica.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.replica.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis + containerPort: {{ .Values.replica.containerPorts.redis }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.replica.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.replica.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: redis + {{- else if .Values.replica.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.replica.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.replica.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.replica.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.replica.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.replica.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.replica.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_liveness_local.sh {{ .Values.replica.livenessProbe.timeoutSeconds }} + {{- else if .Values.replica.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.replica.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.replica.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.replica.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.replica.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.replica.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.replica.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_readiness_local.sh {{ .Values.replica.livenessProbe.timeoutSeconds }} + {{- else if .Values.replica.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.replica.resources }} + resources: {{- toYaml .Values.replica.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + {{- if .Values.sentinel.persistence.enabled }} + - name: sentinel-data + mountPath: /opt/bitnami/redis-sentinel/etc + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.replica.persistence.path }} + subPath: {{ .Values.replica.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc + - name: tmp + mountPath: /tmp + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.replica.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -c + - /opt/bitnami/scripts/start-scripts/prestop-redis.sh + - name: sentinel + image: {{ template "redis.sentinel.image" . }} + imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }} + {{- if .Values.sentinel.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sentinel.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.sentinel.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.sentinel.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.sentinel.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.args "context" $) | nindent 12 }} + {{- else }} + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-sentinel.sh + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.sentinel.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.auth.usePasswordFiles }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + {{- end }} + - name: REDIS_SENTINEL_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_SENTINEL_TLS_PORT_NUMBER + value: {{ .Values.sentinel.containerPorts.sentinel | quote }} + - name: REDIS_SENTINEL_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_SENTINEL_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_SENTINEL_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_SENTINEL_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_SENTINEL_TLS_DH_PARAMS_FILE + value: {{ template "redis.tls.dhParamsFilename" . }} + {{- end }} + {{- else }} + - name: REDIS_SENTINEL_PORT + value: {{ .Values.sentinel.containerPorts.sentinel | quote }} + {{- end }} + {{- if .Values.sentinel.externalMaster.enabled }} + - name: REDIS_EXTERNAL_MASTER_HOST + value: {{ .Values.sentinel.externalMaster.host | quote }} + - name: REDIS_EXTERNAL_MASTER_PORT + value: {{ .Values.sentinel.externalMaster.port | quote }} + {{- end }} + {{- if .Values.sentinel.extraEnvVars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraEnvVars "context" $ ) | nindent 12 }} + {{- end }} + {{- if or .Values.sentinel.extraEnvVarsCM .Values.sentinel.extraEnvVarsSecret }} + envFrom: + {{- if .Values.sentinel.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.sentinel.extraEnvVarsCM }} + {{- end }} + {{- if .Values.sentinel.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.sentinel.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis-sentinel + containerPort: {{ .Values.sentinel.containerPorts.sentinel }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.sentinel.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.sentinel.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: redis-sentinel + {{- else if .Values.sentinel.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sentinel.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- else if .Values.sentinel.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.sentinel.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- else if .Values.sentinel.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -c + - /opt/bitnami/scripts/start-scripts/prestop-sentinel.sh + {{- end }} + {{- if .Values.sentinel.resources }} + resources: {{- toYaml .Values.sentinel.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + - name: sentinel-data + mountPath: /opt/bitnami/redis-sentinel/etc + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.replica.persistence.path }} + subPath: {{ .Values.replica.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis-sentinel/mounted-etc + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.sentinel.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "redis.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -c + - | + if [[ -f '/secrets/redis-password' ]]; then + export REDIS_PASSWORD=$(cat /secrets/redis-password) + fi + redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: REDIS_ALIAS + value: {{ template "common.names.fullname" . }} + {{- if .Values.auth.enabled }} + - name: REDIS_USER + value: default + {{- if (not .Values.auth.usePasswordFiles) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: REDIS_ADDR + value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.replica.containerPorts.redis }} + {{- if .Values.tls.authClients }} + - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE + value: {{ template "redis.tlsCert" . }} + {{- end }} + - name: REDIS_EXPORTER_TLS_CA_CERT_FILE + value: {{ template "redis.tlsCACert" . }} + {{- end }} + ports: + - name: metrics + containerPort: 9121 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.replica.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.replica.persistence.enabled .Values.replica.podSecurityContext.enabled .Values.replica.containerSecurityContext.enabled }} + {{- if or .Values.replica.initContainers $needsVolumePermissions .Values.sysctl.enabled }} + initContainers: + {{- if .Values.replica.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: {{ include "redis.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.replica.persistence.path }} + {{- else }} + chown -R {{ .Values.replica.containerSecurityContext.runAsUser }}:{{ .Values.replica.podSecurityContext.fsGroup }} {{ .Values.replica.persistence.path }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: redis-data + mountPath: {{ .Values.replica.persistence.path }} + subPath: {{ .Values.replica.persistence.subPath }} + {{- end }} + {{- if .Values.sysctl.enabled }} + - name: init-sysctl + image: {{ include "redis.sysctl.image" . }} + imagePullPolicy: {{ default "" .Values.sysctl.image.pullPolicy | quote }} + securityContext: + privileged: true + runAsUser: 0 + {{- if .Values.sysctl.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.sysctl.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.resources }} + resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.mountHostSys }} + volumeMounts: + - name: host-sys + mountPath: /host-sys + {{- end }} + {{- end }} + {{- end }} + volumes: + - name: start-scripts + configMap: + name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} + defaultMode: 0755 + - name: health + configMap: + name: {{ printf "%s-health" (include "common.names.fullname" .) }} + defaultMode: 0755 + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- end }} + - name: config + configMap: + name: {{ include "redis.configmapName" . }} + {{- if .Values.sysctl.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + {{- if not .Values.sentinel.persistence.enabled }} + - name: sentinel-data + {{- if .Values.sentinel.persistence.medium }} + emptyDir: { + medium: {{ .Values.sentinel.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + - name: redis-tmp-conf + {{- if .Values.replica.persistence.medium }} + emptyDir: { + medium: {{ .Values.replica.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + - name: tmp + {{- if .Values.replica.persistence.medium }} + emptyDir: { + medium: {{ .Values.replica.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.replica.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.sentinel.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + secret: + secretName: {{ include "redis.tlsSecretName" . }} + defaultMode: 256 + {{- end }} + {{- if not .Values.replica.persistence.enabled }} + - name: redis-data + {{- if .Values.replica.persistence.medium }} + emptyDir: { + medium: {{ .Values.replica.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: {{- include "common.labels.matchLabels" . | nindent 10 }} + app.kubernetes.io/component: node + {{- if .Values.replica.persistence.annotations }} + annotations: {{- toYaml .Values.replica.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.replica.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.replica.persistence.size | quote }} + {{- if .Values.replica.persistence.selector }} + selector: {{- include "common.tplvalues.render" ( dict "value" .Values.replica.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.replica.persistence "global" .Values.global) | nindent 8 }} + {{- if .Values.sentinel.persistence.enabled }} + - metadata: + name: sentinel-data + labels: {{- include "common.labels.matchLabels" . | nindent 10 }} + app.kubernetes.io/component: node + {{- if .Values.sentinel.persistence.annotations }} + annotations: {{- toYaml .Values.sentinel.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.sentinel.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.sentinel.persistence.size | quote }} + {{- if .Values.sentinel.persistence.selector }} + selector: {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.sentinel.persistence "global" .Values.global) | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/serviceaccount.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/serviceaccount.yaml new file mode 100644 index 000000000..1ce68a769 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ template "redis.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} + annotations: + {{- if or .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.serviceAccount.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/servicemonitor.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/servicemonitor.yaml new file mode 100644 index 000000000..0d94a4b46 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/servicemonitor.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "common.names.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- else }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabellings }} + relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabellings | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: metrics +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/templates/tls-secret.yaml b/charts/asserts/asserts/1.11.0/charts/redis/templates/tls-secret.yaml new file mode 100644 index 000000000..5b40dff7e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/templates/tls-secret.yaml @@ -0,0 +1,26 @@ +{{- if (include "redis.createTlsSecret" .) }} +{{- $ca := genCA "redis-ca" 365 }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $fullname := include "common.names.fullname" . }} +{{- $serviceName := include "common.names.fullname" . }} +{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) "127.0.0.1" "localhost" $fullname }} +{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-crt + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $crt.Cert | b64enc | quote }} + tls.key: {{ $crt.Key | b64enc | quote }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/values.schema.json b/charts/asserts/asserts/1.11.0/charts/redis/values.schema.json new file mode 100644 index 000000000..d6e226b82 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/values.schema.json @@ -0,0 +1,156 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "architecture": { + "type": "string", + "title": "Redis architecture", + "form": true, + "description": "Allowed values: `standalone` or `replication`", + "enum": ["standalone", "replication"] + }, + "auth": { + "type": "object", + "title": "Authentication configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Use password authentication" + }, + "password": { + "type": "string", + "title": "Redis password", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": false, + "path": "auth/enabled" + } + } + } + }, + "master": { + "type": "object", + "title": "Master replicas settings", + "form": true, + "properties": { + "kind": { + "type": "string", + "title": "Workload Kind", + "form": true, + "description": "Allowed values: `Deployment` or `StatefulSet`", + "enum": ["Deployment", "StatefulSet"] + }, + "persistence": { + "type": "object", + "title": "Persistence for master replicas", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "value": false, + "path": "master/persistence/enabled" + } + } + } + } + } + }, + "replica": { + "type": "object", + "title": "Redis replicas settings", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + }, + "properties": { + "replicaCount": { + "type": "integer", + "form": true, + "title": "Number of Redis replicas" + }, + "persistence": { + "type": "object", + "title": "Persistence for Redis replicas", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "value": false, + "path": "replica/persistence/enabled" + } + } + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" + } + } + }, + "metrics": { + "type": "object", + "form": true, + "title": "Prometheus metrics details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus metrics exporter", + "description": "Create a side-car container to expose Prometheus metrics", + "form": true + }, + "serviceMonitor": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus Operator ServiceMonitor", + "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", + "form": true, + "hidden": { + "value": false, + "path": "metrics/enabled" + } + } + } + } + } + } + } +} diff --git a/charts/asserts/asserts/1.11.0/charts/redis/values.yaml b/charts/asserts/asserts/1.11.0/charts/redis/values.yaml new file mode 100644 index 000000000..73190313e --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/redis/values.yaml @@ -0,0 +1,1567 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## @param global.redis.password Global Redis™ password (overrides `auth.password`) +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + redis: + password: "" + +## @section Common parameters +## + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param secretAnnotations Annotations to add to secret +## +secretAnnotations: {} +## @param clusterDomain Kubernetes cluster domain name +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] + +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +## @section Redis™ Image parameters +## + +## Bitnami Redis™ image +## ref: https://hub.docker.com/r/bitnami/redis/tags/ +## @param image.registry Redis™ image registry +## @param image.repository Redis™ image repository +## @param image.tag Redis™ image tag (immutable tags are recommended) +## @param image.pullPolicy Redis™ image pull policy +## @param image.pullSecrets Redis™ image pull secrets +## @param image.debug Enable image debug mode +## +image: + registry: docker.io + repository: bitnami/redis + tag: 6.2.6-debian-10-r192 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + +## @section Redis™ common configuration parameters +## https://github.com/bitnami/bitnami-docker-redis#configuration +## + +## @param architecture Redis™ architecture. Allowed values: `standalone` or `replication` +## +architecture: replication +## Redis™ Authentication parameters +## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run +## +auth: + ## @param auth.enabled Enable password authentication + ## + enabled: true + ## @param auth.sentinel Enable password authentication on sentinels too + ## + sentinel: true + ## @param auth.password Redis™ password + ## Defaults to a random 10-character alphanumeric string if not set + ## + password: "" + ## @param auth.existingSecret The name of an existing secret with Redis™ credentials + ## NOTE: When it's set, the previous `auth.password` parameter is ignored + ## + existingSecret: "" + ## @param auth.existingSecretPasswordKey Password key to be retrieved from existing secret + ## NOTE: ignored unless `auth.existingSecret` parameter is set + ## + existingSecretPasswordKey: "" + ## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable + ## + usePasswordFiles: false + +## @param commonConfiguration [string] Common configuration to be added into the ConfigMap +## ref: https://redis.io/topics/config +## +commonConfiguration: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly yes + # Disable RDB persistence, AOF persistence already enabled. + save "" +## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for Redis™ nodes +## +existingConfigmap: "" + +## @section Redis™ master configuration parameters +## + +master: + ## @param master.configuration Configuration for Redis™ master nodes + ## ref: https://redis.io/topics/config + ## + configuration: "" + ## @param master.disableCommands Array with Redis™ commands to disable on master nodes + ## Commands will be completely disabled by renaming each to an empty string. + ## ref: https://redis.io/topics/security#disabling-of-specific-commands + ## + disableCommands: + - FLUSHDB + - FLUSHALL + ## @param master.command Override default container command (useful when using custom images) + ## + command: [] + ## @param master.args Override default container args (useful when using custom images) + ## + args: [] + ## @param master.preExecCmds Additional commands to run prior to starting Redis™ master + ## + preExecCmds: [] + ## @param master.extraFlags Array with additional command line flags for Redis™ master + ## e.g: + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + ## + extraFlags: [] + ## @param master.extraEnvVars Array with extra environment variables to add to Redis™ master nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param master.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ master nodes + ## + extraEnvVarsCM: "" + ## @param master.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ master nodes + ## + extraEnvVarsSecret: "" + ## @param master.containerPorts.redis Container port to open on Redis™ master nodes + ## + containerPorts: + redis: 6379 + ## Configure extra options for Redis™ containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param master.startupProbe.enabled Enable startupProbe on Redis™ master nodes + ## @param master.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param master.startupProbe.periodSeconds Period seconds for startupProbe + ## @param master.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param master.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param master.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param master.livenessProbe.enabled Enable livenessProbe on Redis™ master nodes + ## @param master.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param master.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param master.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param master.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param master.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param master.readinessProbe.enabled Enable readinessProbe on Redis™ master nodes + ## @param master.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param master.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param master.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param master.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param master.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## @param master.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param master.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param master.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Redis™ master resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param master.resources.limits The resources limits for the Redis™ master containers + ## @param master.resources.requests The requested resources for the Redis™ master containers + ## + resources: + limits: {} + requests: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param master.podSecurityContext.enabled Enabled Redis™ master pods' Security Context + ## @param master.podSecurityContext.fsGroup Set Redis™ master pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param master.containerSecurityContext.enabled Enabled Redis™ master containers' Security Context + ## @param master.containerSecurityContext.runAsUser Set Redis™ master containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param master.kind Use either Deployment or StatefulSet (default) + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ + ## + kind: StatefulSet + ## @param master.schedulerName Alternate scheduler for Redis™ master pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param master.updateStrategy.type Redis™ master statefulset strategy type + ## @skip master.updateStrategy.rollingUpdate + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + rollingUpdate: {} + ## @param master.priorityClassName Redis™ master pods' priorityClassName + ## + priorityClassName: "" + ## @param master.hostAliases Redis™ master pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param master.podLabels Extra labels for Redis™ master pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param master.podAnnotations Annotations for Redis™ master pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param master.shareProcessNamespace Share a single process namespace between all of the containers in Redis™ master pods + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param master.podAffinityPreset Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param master.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node master.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param master.nodeAffinityPreset.type Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param master.nodeAffinityPreset.key Node label key to match. Ignored if `master.affinity` is set + ## + key: "" + ## @param master.nodeAffinityPreset.values Node label values to match. Ignored if `master.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param master.affinity Affinity for Redis™ master pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `master.podAffinityPreset`, `master.podAntiAffinityPreset`, and `master.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param master.nodeSelector Node labels for Redis™ master pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param master.tolerations Tolerations for Redis™ master pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param master.topologySpreadConstraints Spread Constraints for Redis™ master pod assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: node + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: [] + ## @param master.dnsPolicy DNS Policy for Redis™ master pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. + ## dnsPolicy: ClusterFirst + dnsPolicy: "" + ## @param master.dnsConfig DNS Configuration for Redis™ master pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. + ## dnsConfig: + ## options: + ## - name: ndots + ## value: "4" + ## - name: single-request-reopen + dnsConfig: {} + ## @param master.lifecycleHooks for the Redis™ master container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param master.extraVolumes Optionally specify extra list of additional volumes for the Redis™ master pod(s) + ## + extraVolumes: [] + ## @param master.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ master container(s) + ## + extraVolumeMounts: [] + ## @param master.sidecars Add additional sidecar containers to the Redis™ master pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param master.initContainers Add additional init containers to the Redis™ master pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Persistence parameters + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param master.persistence.enabled Enable persistence on Redis™ master nodes using Persistent Volume Claims + ## + enabled: true + ## @param master.persistence.medium Provide a medium for `emptyDir` volumes. + ## + medium: "" + ## @param master.persistence.sizeLimit Set this to enable a size limit for `emptyDir` volumes. + ## + sizeLimit: "" + ## @param master.persistence.path The path the volume will be mounted at on Redis™ master containers + ## NOTE: Useful when using different Redis™ images + ## + path: /data + ## @param master.persistence.subPath The subdirectory of the volume to mount on Redis™ master containers + ## NOTE: Useful in dev environments + ## + subPath: "" + ## @param master.persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + ## + storageClass: "" + ## @param master.persistence.accessModes Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param master.persistence.size Persistent Volume size + ## + size: 8Gi + ## @param master.persistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param master.persistence.selector Additional labels to match for the PVC + ## e.g: + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param master.persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## @param master.persistence.existingClaim Use a existing PVC which must be created manually before bound + ## NOTE: requires master.persistence.enabled: true + ## + existingClaim: "" + ## Redis™ master service parameters + ## + service: + ## @param master.service.type Redis™ master service type + ## + type: ClusterIP + ## @param master.service.ports.redis Redis™ master service port + ## + ports: + redis: 6379 + ## @param master.service.nodePorts.redis Node port for Redis™ master + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + redis: "" + ## @param master.service.externalTrafficPolicy Redis™ master service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param master.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param master.service.clusterIP Redis™ master service Cluster IP + ## + clusterIP: "" + ## @param master.service.loadBalancerIP Redis™ master service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param master.service.loadBalancerSourceRanges Redis™ master service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param master.service.annotations Additional custom annotations for Redis™ master service + ## + annotations: {} + ## @param master.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-master pods + ## + terminationGracePeriodSeconds: 30 + +## @section Redis™ replicas configuration parameters +## + +replica: + ## @param replica.replicaCount Number of Redis™ replicas to deploy + ## + replicaCount: 3 + ## @param replica.configuration Configuration for Redis™ replicas nodes + ## ref: https://redis.io/topics/config + ## + configuration: "" + ## @param replica.disableCommands Array with Redis™ commands to disable on replicas nodes + ## Commands will be completely disabled by renaming each to an empty string. + ## ref: https://redis.io/topics/security#disabling-of-specific-commands + ## + disableCommands: + - FLUSHDB + - FLUSHALL + ## @param replica.command Override default container command (useful when using custom images) + ## + command: [] + ## @param replica.args Override default container args (useful when using custom images) + ## + args: [] + ## @param replica.preExecCmds Additional commands to run prior to starting Redis™ replicas + ## + preExecCmds: [] + ## @param replica.extraFlags Array with additional command line flags for Redis™ replicas + ## e.g: + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + ## + extraFlags: [] + ## @param replica.extraEnvVars Array with extra environment variables to add to Redis™ replicas nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param replica.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ replicas nodes + ## + extraEnvVarsCM: "" + ## @param replica.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ replicas nodes + ## + extraEnvVarsSecret: "" + ## @param replica.externalMaster.enabled Use external master for bootstrapping + ## @param replica.externalMaster.host External master host to bootstrap from + ## @param replica.externalMaster.port Port for Redis service external master host + ## + externalMaster: + enabled: false + host: "" + port: 6379 + ## @param replica.containerPorts.redis Container port to open on Redis™ replicas nodes + ## + containerPorts: + redis: 6379 + ## Configure extra options for Redis™ containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param replica.startupProbe.enabled Enable startupProbe on Redis™ replicas nodes + ## @param replica.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param replica.startupProbe.periodSeconds Period seconds for startupProbe + ## @param replica.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param replica.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param replica.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 22 + ## @param replica.livenessProbe.enabled Enable livenessProbe on Redis™ replicas nodes + ## @param replica.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param replica.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param replica.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param replica.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param replica.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param replica.readinessProbe.enabled Enable readinessProbe on Redis™ replicas nodes + ## @param replica.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param replica.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param replica.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param replica.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param replica.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## @param replica.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param replica.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param replica.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Redis™ replicas resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param replica.resources.limits The resources limits for the Redis™ replicas containers + ## @param replica.resources.requests The requested resources for the Redis™ replicas containers + ## + resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: {} + # cpu: 250m + # memory: 256Mi + requests: {} + # cpu: 250m + # memory: 256Mi + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param replica.podSecurityContext.enabled Enabled Redis™ replicas pods' Security Context + ## @param replica.podSecurityContext.fsGroup Set Redis™ replicas pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param replica.containerSecurityContext.enabled Enabled Redis™ replicas containers' Security Context + ## @param replica.containerSecurityContext.runAsUser Set Redis™ replicas containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param replica.schedulerName Alternate scheduler for Redis™ replicas pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param replica.updateStrategy.type Redis™ replicas statefulset strategy type + ## @skip replica.updateStrategy.rollingUpdate + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + rollingUpdate: {} + ## @param replica.priorityClassName Redis™ replicas pods' priorityClassName + ## + priorityClassName: "" + ## @param replica.podManagementPolicy podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: "" + ## @param replica.hostAliases Redis™ replicas pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param replica.podLabels Extra labels for Redis™ replicas pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param replica.podAnnotations Annotations for Redis™ replicas pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param replica.shareProcessNamespace Share a single process namespace between all of the containers in Redis™ replicas pods + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param replica.podAffinityPreset Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param replica.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param replica.nodeAffinityPreset.type Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param replica.nodeAffinityPreset.key Node label key to match. Ignored if `replica.affinity` is set + ## + key: "" + ## @param replica.nodeAffinityPreset.values Node label values to match. Ignored if `replica.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param replica.affinity Affinity for Redis™ replicas pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `replica.podAffinityPreset`, `replica.podAntiAffinityPreset`, and `replica.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param replica.nodeSelector Node labels for Redis™ replicas pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param replica.tolerations Tolerations for Redis™ replicas pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param replica.topologySpreadConstraints Spread Constraints for Redis™ replicas pod assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: node + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: [] + ## @param replica.dnsPolicy DNS Policy for Redis™ replica pods + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. + ## dnsPolicy: ClusterFirst + dnsPolicy: "" + ## @param replica.dnsConfig DNS Configuration for Redis™ replica pods + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. + ## dnsConfig: + ## options: + ## - name: ndots + ## value: "4" + ## - name: single-request-reopen + dnsConfig: {} + ## @param replica.lifecycleHooks for the Redis™ replica container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param replica.extraVolumes Optionally specify extra list of additional volumes for the Redis™ replicas pod(s) + ## + extraVolumes: [] + ## @param replica.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ replicas container(s) + ## + extraVolumeMounts: [] + ## @param replica.sidecars Add additional sidecar containers to the Redis™ replicas pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param replica.initContainers Add additional init containers to the Redis™ replicas pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Persistence Parameters + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param replica.persistence.enabled Enable persistence on Redis™ replicas nodes using Persistent Volume Claims + ## + enabled: true + ## @param replica.persistence.medium Provide a medium for `emptyDir` volumes. + ## + medium: "" + ## @param replica.persistence.path The path the volume will be mounted at on Redis™ replicas containers + ## NOTE: Useful when using different Redis™ images + ## + path: /data + ## @param replica.persistence.subPath The subdirectory of the volume to mount on Redis™ replicas containers + ## NOTE: Useful in dev environments + ## + subPath: "" + ## @param replica.persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + ## + storageClass: "" + ## @param replica.persistence.accessModes Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param replica.persistence.size Persistent Volume size + ## + size: 8Gi + ## @param replica.persistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param replica.persistence.selector Additional labels to match for the PVC + ## e.g: + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param replica.persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## Redis™ replicas service parameters + ## + service: + ## @param replica.service.type Redis™ replicas service type + ## + type: ClusterIP + ## @param replica.service.ports.redis Redis™ replicas service port + ## + ports: + redis: 6379 + ## @param replica.service.nodePorts.redis Node port for Redis™ replicas + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + redis: "" + ## @param replica.service.externalTrafficPolicy Redis™ replicas service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param replica.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param replica.service.clusterIP Redis™ replicas service Cluster IP + ## + clusterIP: "" + ## @param replica.service.loadBalancerIP Redis™ replicas service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param replica.service.loadBalancerSourceRanges Redis™ replicas service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param replica.service.annotations Additional custom annotations for Redis™ replicas service + ## + annotations: {} + ## @param replica.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-replicas pods + ## + terminationGracePeriodSeconds: 30 + ## Autoscaling configuration + ## + autoscaling: + ## @param replica.autoscaling.enabled Enable replica autoscaling settings + ## + enabled: false + ## @param replica.autoscaling.minReplicas Minimum replicas for the pod autoscaling + ## + minReplicas: 1 + ## @param replica.autoscaling.maxReplicas Maximum replicas for the pod autoscaling + ## + maxReplicas: 11 + ## @param replica.autoscaling.targetCPU Percentage of CPU to consider when autoscaling + ## + targetCPU: "" + ## @param replica.autoscaling.targetMemory Percentage of Memory to consider when autoscaling + ## + targetMemory: "" + +## @section Redis™ Sentinel configuration parameters +## + +sentinel: + ## @param sentinel.enabled Use Redis™ Sentinel on Redis™ pods. + ## IMPORTANT: this will disable the master and replicas services and + ## create a single Redis™ service exposing both the Redis and Sentinel ports + ## + enabled: false + ## Bitnami Redis™ Sentinel image version + ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ + ## @param sentinel.image.registry Redis™ Sentinel image registry + ## @param sentinel.image.repository Redis™ Sentinel image repository + ## @param sentinel.image.tag Redis™ Sentinel image tag (immutable tags are recommended) + ## @param sentinel.image.pullPolicy Redis™ Sentinel image pull policy + ## @param sentinel.image.pullSecrets Redis™ Sentinel image pull secrets + ## @param sentinel.image.debug Enable image debug mode + ## + image: + registry: docker.io + repository: bitnami/redis-sentinel + tag: 6.2.6-debian-10-r189 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param sentinel.masterSet Master set name + ## + masterSet: mymaster + ## @param sentinel.quorum Sentinel Quorum + ## + quorum: 2 + ## @param sentinel.getMasterTimeout Amount of time to allow before get_sentinel_master_info() times out. + ## NOTE: This is directly related to the startupProbes which are configured to run every 10 seconds for a total of 22 failures. If adjusting this value, also adjust the startupProbes. + getMasterTimeout: 220 + ## @param sentinel.automateClusterRecovery Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. + ## This also prevents any new replica from starting until the last remaining replica is elected as master to guarantee that it is the one to be elected by Sentinel, and not a newly started replica with no data. + ## NOTE: This feature requires a "downAfterMilliseconds" value less or equal to 2000. + ## + automateClusterRecovery: false + ## Sentinel timing restrictions + ## @param sentinel.downAfterMilliseconds Timeout for detecting a Redis™ node is down + ## @param sentinel.failoverTimeout Timeout for performing a election failover + ## + downAfterMilliseconds: 60000 + failoverTimeout: 18000 + ## @param sentinel.parallelSyncs Number of replicas that can be reconfigured in parallel to use the new master after a failover + ## + parallelSyncs: 1 + ## @param sentinel.configuration Configuration for Redis™ Sentinel nodes + ## ref: https://redis.io/topics/sentinel + ## + configuration: "" + ## @param sentinel.command Override default container command (useful when using custom images) + ## + command: [] + ## @param sentinel.args Override default container args (useful when using custom images) + ## + args: [] + ## @param sentinel.preExecCmds Additional commands to run prior to starting Redis™ Sentinel + ## + preExecCmds: [] + ## @param sentinel.extraEnvVars Array with extra environment variables to add to Redis™ Sentinel nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param sentinel.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ Sentinel nodes + ## + extraEnvVarsCM: "" + ## @param sentinel.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ Sentinel nodes + ## + extraEnvVarsSecret: "" + ## @param sentinel.externalMaster.enabled Use external master for bootstrapping + ## @param sentinel.externalMaster.host External master host to bootstrap from + ## @param sentinel.externalMaster.port Port for Redis service external master host + ## + externalMaster: + enabled: false + host: "" + port: 6379 + ## @param sentinel.containerPorts.sentinel Container port to open on Redis™ Sentinel nodes + ## + containerPorts: + sentinel: 26379 + ## Configure extra options for Redis™ containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param sentinel.startupProbe.enabled Enable startupProbe on Redis™ Sentinel nodes + ## @param sentinel.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param sentinel.startupProbe.periodSeconds Period seconds for startupProbe + ## @param sentinel.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param sentinel.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param sentinel.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 22 + ## @param sentinel.livenessProbe.enabled Enable livenessProbe on Redis™ Sentinel nodes + ## @param sentinel.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param sentinel.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param sentinel.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param sentinel.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param sentinel.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param sentinel.readinessProbe.enabled Enable readinessProbe on Redis™ Sentinel nodes + ## @param sentinel.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param sentinel.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param sentinel.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param sentinel.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param sentinel.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## @param sentinel.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param sentinel.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param sentinel.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Persistence parameters + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param sentinel.persistence.enabled Enable persistence on Redis™ sentinel nodes using Persistent Volume Claims (Experimental) + ## + enabled: false + ## @param sentinel.persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + ## + storageClass: "" + ## @param sentinel.persistence.accessModes Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param sentinel.persistence.size Persistent Volume size + ## + size: 100Mi + ## @param sentinel.persistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param sentinel.persistence.selector Additional labels to match for the PVC + ## e.g: + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param sentinel.persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## Redis™ Sentinel resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param sentinel.resources.limits The resources limits for the Redis™ Sentinel containers + ## @param sentinel.resources.requests The requested resources for the Redis™ Sentinel containers + ## + resources: + limits: {} + requests: {} + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param sentinel.containerSecurityContext.enabled Enabled Redis™ Sentinel containers' Security Context + ## @param sentinel.containerSecurityContext.runAsUser Set Redis™ Sentinel containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param sentinel.lifecycleHooks for the Redis™ sentinel container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param sentinel.extraVolumes Optionally specify extra list of additional volumes for the Redis™ Sentinel + ## + extraVolumes: [] + ## @param sentinel.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ Sentinel container(s) + ## + extraVolumeMounts: [] + ## Redis™ Sentinel service parameters + ## + service: + ## @param sentinel.service.type Redis™ Sentinel service type + ## + type: ClusterIP + ## @param sentinel.service.ports.redis Redis™ service port for Redis™ + ## @param sentinel.service.ports.sentinel Redis™ service port for Redis™ Sentinel + ## + ports: + redis: 6379 + sentinel: 26379 + ## @param sentinel.service.nodePorts.redis Node port for Redis™ + ## @param sentinel.service.nodePorts.sentinel Node port for Sentinel + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## NOTE: By leaving these values blank, they will be generated by ports-configmap + ## If setting manually, please leave at least replica.replicaCount + 1 in between sentinel.service.nodePorts.redis and sentinel.service.nodePorts.sentinel to take into account the ports that will be created while incrementing that base port + ## + nodePorts: + redis: "" + sentinel: "" + ## @param sentinel.service.externalTrafficPolicy Redis™ Sentinel service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param sentinel.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param sentinel.service.clusterIP Redis™ Sentinel service Cluster IP + ## + clusterIP: "" + ## @param sentinel.service.loadBalancerIP Redis™ Sentinel service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param sentinel.service.loadBalancerSourceRanges Redis™ Sentinel service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param sentinel.service.annotations Additional custom annotations for Redis™ Sentinel service + ## + annotations: {} + ## @param sentinel.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-node pods + ## + terminationGracePeriodSeconds: 30 + +## @section Other Parameters +## + +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources + ## + enabled: false + ## @param networkPolicy.allowExternal Don't require client label for connections + ## When set to false, only pods with the correct client label will have network access to the ports + ## Redis™ is listening on. When true, Redis™ will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraIngress: [] + ## @param networkPolicy.extraEgress Add extra egress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +## PodSecurityPolicy configuration +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later + ## + create: false + ## @param podSecurityPolicy.enabled Enable PodSecurityPolicy's RBAC rules + ## + enabled: false +## RBAC configuration +## +rbac: + ## @param rbac.create Specifies whether RBAC resources should be created + ## + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] +## ServiceAccount configuration +## +serviceAccount: + ## @param serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server + ## + automountServiceAccountToken: true + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} +## Redis™ Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## +pdb: + ## @param pdb.create Specifies whether a PodDisruptionBudget should be created + ## + create: false + ## @param pdb.minAvailable Min number of pods that must still be available after the eviction + ## + minAvailable: 1 + ## @param pdb.maxUnavailable Max number of pods that can be unavailable after the eviction + ## + maxUnavailable: "" +## TLS configuration +## +tls: + ## @param tls.enabled Enable TLS traffic + ## + enabled: false + ## @param tls.authClients Require clients to authenticate + ## + authClients: true + ## @param tls.autoGenerated Enable autogenerated certificates + ## + autoGenerated: false + ## @param tls.existingSecret The name of the existing secret that contains the TLS certificates + ## + existingSecret: "" + ## @param tls.certificatesSecret DEPRECATED. Use existingSecret instead. + ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate Key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## + certCAFilename: "" + ## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers) + ## + dhParamsFilename: "" + +## @section Metrics Parameters +## + +metrics: + ## @param metrics.enabled Start a sidecar prometheus exporter to expose Redis™ metrics + ## + enabled: false + ## Bitnami Redis™ Exporter image + ## ref: https://hub.docker.com/r/bitnami/redis-exporter/tags/ + ## @param metrics.image.registry Redis™ Exporter image registry + ## @param metrics.image.repository Redis™ Exporter image repository + ## @param metrics.image.tag Redis™ Redis™ Exporter image tag (immutable tags are recommended) + ## @param metrics.image.pullPolicy Redis™ Exporter image pull policy + ## @param metrics.image.pullSecrets Redis™ Exporter image pull secrets + ## + image: + registry: docker.io + repository: bitnami/redis-exporter + tag: 1.37.0-debian-10-r31 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.command Override default metrics container init command (useful when using custom images) + ## + command: [] + ## @param metrics.redisTargetHost A way to specify an alternative Redis™ hostname + ## Useful for certificate CN/SAN matching + ## + redisTargetHost: "localhost" + ## @param metrics.extraArgs Extra arguments for Redis™ exporter, for example: + ## e.g.: + ## extraArgs: + ## check-keys: myKey,myOtherKey + ## + extraArgs: {} + ## @param metrics.extraEnvVars Array with extra environment variables to add to Redis™ exporter + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param metrics.containerSecurityContext.enabled Enabled Redis™ exporter containers' Security Context + ## @param metrics.containerSecurityContext.runAsUser Set Redis™ exporter containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param metrics.extraVolumes Optionally specify extra list of additional volumes for the Redis™ metrics sidecar + ## + extraVolumes: [] + ## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ metrics sidecar + ## + extraVolumeMounts: [] + ## Redis™ exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param metrics.resources.limits The resources limits for the Redis™ exporter container + ## @param metrics.resources.requests The requested resources for the Redis™ exporter container + ## + resources: + limits: {} + requests: {} + ## @param metrics.podLabels Extra labels for Redis™ exporter pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param metrics.podAnnotations [object] Annotations for Redis™ exporter pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9121" + ## Redis™ exporter service parameters + ## + service: + ## @param metrics.service.type Redis™ exporter service type + ## + type: ClusterIP + ## @param metrics.service.port Redis™ exporter service port + ## + port: 9121 + ## @param metrics.service.externalTrafficPolicy Redis™ exporter service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param metrics.service.loadBalancerIP Redis™ exporter service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param metrics.service.loadBalancerSourceRanges Redis™ exporter service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param metrics.service.annotations Additional custom annotations for Redis™ exporter service + ## + annotations: {} + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace The namespace in which the ServiceMonitor will be created + ## + namespace: "" + ## @param metrics.serviceMonitor.interval The interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping. + ## + relabellings: [] + ## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion. + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus + ## + additionalLabels: {} + ## Custom PrometheusRule to be defined + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.prometheusRule.namespace The namespace in which the prometheusRule will be created + ## + namespace: "" + ## @param metrics.prometheusRule.additionalLabels Additional labels for the prometheusRule + ## + additionalLabels: {} + ## @param metrics.prometheusRule.rules Custom Prometheus rules + ## e.g: + ## rules: + ## - alert: RedisDown + ## expr: redis_up{service="{{ template "common.names.fullname" . }}-metrics"} == 0 + ## for: 2m + ## labels: + ## severity: error + ## annotations: + ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} down + ## description: Redis™ instance {{ "{{ $labels.instance }}" }} is down + ## - alert: RedisMemoryHigh + ## expr: > + ## redis_memory_used_bytes{service="{{ template "common.names.fullname" . }}-metrics"} * 100 + ## / + ## redis_memory_max_bytes{service="{{ template "common.names.fullname" . }}-metrics"} + ## > 90 + ## for: 2m + ## labels: + ## severity: error + ## annotations: + ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} is using too much memory + ## description: | + ## Redis™ instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. + ## - alert: RedisKeyEviction + ## expr: | + ## increase(redis_evicted_keys_total{service="{{ template "common.names.fullname" . }}-metrics"}[5m]) > 0 + ## for: 1s + ## labels: + ## severity: error + ## annotations: + ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} has evicted keys + ## description: | + ## Redis™ instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. + ## + rules: [] + +## @section Init Container Parameters +## + +## 'volumePermissions' init container parameters +## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values +## based on the *podSecurityContext/*containerSecurityContext parameters +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` + ## + enabled: false + ## Bitnami Shell image + ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ + ## @param volumePermissions.image.registry Bitnami Shell image registry + ## @param volumePermissions.image.repository Bitnami Shell image repository + ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended) + ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy + ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r400 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param volumePermissions.resources.limits The resources limits for the init container + ## @param volumePermissions.resources.requests The requested resources for the init container + ## + resources: + limits: {} + requests: {} + ## Init container Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser + ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the + ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) + ## + containerSecurityContext: + runAsUser: 0 + +## init-sysctl container parameters +## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) +## +sysctl: + ## @param sysctl.enabled Enable init container to modify Kernel settings + ## + enabled: false + ## Bitnami Shell image + ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ + ## @param sysctl.image.registry Bitnami Shell image registry + ## @param sysctl.image.repository Bitnami Shell image repository + ## @param sysctl.image.tag Bitnami Shell image tag (immutable tags are recommended) + ## @param sysctl.image.pullPolicy Bitnami Shell image pull policy + ## @param sysctl.image.pullSecrets Bitnami Shell image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r400 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param sysctl.command Override default init-sysctl container command (useful when using custom images) + ## + command: [] + ## @param sysctl.mountHostSys Mount the host `/sys` folder to `/host-sys` + ## + mountHostSys: false + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param sysctl.resources.limits The resources limits for the init container + ## @param sysctl.resources.requests The requested resources for the init container + ## + resources: + limits: {} + requests: {} + +## @section useExternalDNS Parameters +## +## @param useExternalDNS.enabled Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. +## @param useExternalDNS.additionalAnnotations Extra annotations to be utilized when `external-dns` is enabled. +## @param useExternalDNS.annotationKey The annotation key utilized when `external-dns` is enabled. +## @param useExternalDNS.suffix The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. +## +useExternalDNS: + enabled: false + suffix: "" + annotationKey: external-dns.alpha.kubernetes.io/ + additionalAnnotations: {} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/.helmignore b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/Chart.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/Chart.yaml new file mode 100644 index 000000000..a128114d7 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +appVersion: 1.69.0 +description: Victoria Metrics Single version - high-performance, cost-effective and + scalable TSDB, long-term remote storage for Prometheus +maintainers: +- name: Asserts + url: https://github.com/asserts +name: victoria-metrics-single +version: 1.0.0 diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/README.md b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/README.md new file mode 100644 index 000000000..4abb1347b --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/README.md @@ -0,0 +1,232 @@ +# Victoria Metrics Helm Chart for Single Version + + ![Version: 0.8.12](https://img.shields.io/badge/Version-0.8.12-informational?style=flat-square) + +Victoria Metrics Single version - high-performance, cost-effective and scalable TSDB, long-term remote storage for Prometheus + +# Prerequisites + +* Install the follow packages: ``git``, ``kubectl``, ``helm``, ``helm-docs``. See this [tutorial](../../REQUIREMENTS.md). + +* PV support on underlying infrastructure. + +# Chart Details + +This chart will do the following: + +* Rollout Victoria Metrics Single. + +# How to install + +Access a Kubernetes cluster. + +Add a chart helm repository with follow commands: + +```console +helm repo add vm https://victoriametrics.github.io/helm-charts/ + +helm repo update +``` + +List versions of ``vm/victoria-metrics-single`` chart available to installation: + +##### for helm v3 + +```console +helm search repo vm/victoria-metrics-single -l +``` + +Export default values of ``victoria-metrics-single`` chart to file ``values.yaml``: + +```console +helm show values vm/victoria-metrics-single > values.yaml +``` + +Change the values according to the need of the environment in ``values.yaml`` file. + +Test the installation with command: + +```console +helm install vmsingle vm/victoria-metrics-single -f values.yaml -n NAMESPACE --debug --dry-run +``` + +Install chart with command: + +##### for helm v3 + +```console +helm install vmsingle vm/victoria-metrics-single -f values.yaml -n NAMESPACE +``` + +Get the pods lists by running this commands: + +```console +kubectl get pods -A | grep 'single' +``` + +Get the application by running this command: + +```console +helm list -f vmsingle -n NAMESPACE +``` + +See the history of versions of ``vmsingle`` application with command. + +```console +helm history vmsingle -n NAMESPACE +``` + +# How to uninstall + +Remove application with command. + +```console +helm uninstall vmsingle -n NAMESPACE +``` + +# Documentation of Helm Chart + +Install ``helm-docs`` following the instructions on this [tutorial](../../REQUIREMENTS.md). + +Generate docs with ``helm-docs`` command. + +```bash +cd charts/victoria-metrics-single + +helm-docs +``` + +The markdown generation is entirely go template driven. The tool parses metadata from charts and generates a number of sub-templates that can be referenced in a template file (by default ``README.md.gotmpl``). If no template file is provided, the tool has a default internal template that will generate a reasonably formatted README. + +# Parameters + +The following tables lists the configurable parameters of the chart and their default values. + +Change the values according to the need of the environment in ``victoria-metrics-single/values.yaml`` file. + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| automountServiceAccountToken | bool | `true` | | +| podDisruptionBudget.enabled | bool | `false` | See `kubectl explain poddisruptionbudget.spec` for more. Ref: [https://kubernetes.io/docs/tasks/run-application/configure-pdb/](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) | +| podDisruptionBudget.extraLabels | object | `{}` | | +| printNotes | bool | `true` | Print chart notes | +| rbac.create | bool | `true` | | +| rbac.extraLabels | object | `{}` | | +| rbac.namespaced | bool | `false` | | +| rbac.pspEnabled | bool | `true` | | +| server.affinity | object | `{}` | Pod affinity | +| server.containerWorkingDir | string | `""` | Container workdir | +| server.enabled | bool | `true` | Enable deployment of server component. Deployed as StatefulSet | +| server.env | list | `[]` | Env variables -- Additional environment variables (ex.: secret tokens, flags) https://github.com/VictoriaMetrics/VictoriaMetrics#environment-variables | +| server.extraArgs."envflag.enable" | string | `"true"` | | +| server.extraArgs."envflag.prefix" | string | `"VM_"` | | +| server.extraArgs.loggerFormat | string | `"json"` | | +| server.extraContainers | list | `[]` | | +| server.extraHostPathMounts | list | `[]` | | +| server.extraLabels | object | `{}` | Sts/Deploy additional labels | +| server.extraVolumeMounts | list | `[]` | | +| server.extraVolumes | list | `[]` | | +| server.fullnameOverride | string | `nil` | Overrides the full name of server component | +| server.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| server.image.repository | string | `"victoriametrics/victoria-metrics"` | Image repository | +| server.image.tag | string | `"v1.69.0"` | Image tag | +| server.ingress.annotations | object | `{}` | Ingress annotations | +| server.ingress.enabled | bool | `false` | Enable deployment of ingress for server component | +| server.ingress.extraLabels | object | `{}` | Ingress extra labels | +| server.ingress.hosts | list | `[]` | Array of host objects | +| server.ingress.pathType | string | `"Prefix"` | | +| server.ingress.tls | list | `[]` | Array of TLS objects | +| server.initContainers | list | `[]` | | +| server.livenessProbe.failureThreshold | int | `10` | | +| server.livenessProbe.initialDelaySeconds | int | `30` | | +| server.livenessProbe.periodSeconds | int | `30` | | +| server.livenessProbe.tcpSocket.port | string | `"http"` | | +| server.livenessProbe.timeoutSeconds | int | `5` | | +| server.name | string | `"server"` | Server container name | +| server.nodeSelector | object | `{}` | Pod's node selector. Ref: [https://kubernetes.io/docs/user-guide/node-selection/](https://kubernetes.io/docs/user-guide/node-selection/) | +| server.persistentVolume.accessModes | list | `["ReadWriteOnce"]` | Array of access modes. Must match those of existing PV or dynamic provisioner. Ref: [http://kubernetes.io/docs/user-guide/persistent-volumes/](http://kubernetes.io/docs/user-guide/persistent-volumes/) | +| server.persistentVolume.annotations | object | `{}` | Persistant volume annotations | +| server.persistentVolume.enabled | bool | `true` | Create/use Persistent Volume Claim for server component. Empty dir if false | +| server.persistentVolume.existingClaim | string | `""` | Existing Claim name. If defined, PVC must be created manually before volume will be bound | +| server.persistentVolume.matchLabels | object | `{}` | Bind Persistent Volume by labels. Must match all labels of targeted PV. | +| server.persistentVolume.mountPath | string | `"/storage"` | Mount path. Server data Persistent Volume mount root path. | +| server.persistentVolume.size | string | `"16Gi"` | Size of the volume. Better to set the same as resource limit memory property. | +| server.persistentVolume.storageClass | string | `""` | StorageClass to use for persistent volume. Requires server.persistentVolume.enabled: true. If defined, PVC created automatically | +| server.persistentVolume.subPath | string | `""` | Mount subpath | +| server.podAnnotations | object | `{}` | Pod's annotations | +| server.podLabels | object | `{}` | Pod's additional labels | +| server.podManagementPolicy | string | `"OrderedReady"` | Pod's management policy | +| server.podSecurityContext | object | `{}` | Pod's security context. Ref: [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| server.priorityClassName | string | `""` | Name of Priority Class | +| server.readinessProbe.failureThreshold | int | `3` | | +| server.readinessProbe.httpGet.path | string | `"/health"` | | +| server.readinessProbe.httpGet.port | string | `"http"` | | +| server.readinessProbe.initialDelaySeconds | int | `5` | | +| server.readinessProbe.periodSeconds | int | `15` | | +| server.readinessProbe.timeoutSeconds | int | `5` | | +| server.resources | object | `{}` | Resource object. Ref: [http://kubernetes.io/docs/user-guide/compute-resources/](http://kubernetes.io/docs/user-guide/compute-resources/ | +| server.retentionPeriod | int | `1` | Data retention period in month | +| server.scrape | object | `{"config":{"global":{"scrape_interval":"15s"},"scrape_configs":[{"job_name":"victoriametrics","static_configs":[{"targets":["localhost:8428"]}]},{"bearer_token_file":"/var/run/secrets/kubernetes.io/serviceaccount/token","job_name":"kubernetes-apiservers","kubernetes_sd_configs":[{"role":"endpoints"}],"relabel_configs":[{"action":"keep","regex":"default;kubernetes;https","source_labels":["__meta_kubernetes_namespace","__meta_kubernetes_service_name","__meta_kubernetes_endpoint_port_name"]}],"scheme":"https","tls_config":{"ca_file":"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","insecure_skip_verify":true}},{"bearer_token_file":"/var/run/secrets/kubernetes.io/serviceaccount/token","job_name":"kubernetes-nodes","kubernetes_sd_configs":[{"role":"node"}],"relabel_configs":[{"action":"labelmap","regex":"__meta_kubernetes_node_label_(.+)"},{"replacement":"kubernetes.default.svc:443","target_label":"__address__"},{"regex":"(.+)","replacement":"/api/v1/nodes/$1/proxy/metrics","source_labels":["__meta_kubernetes_node_name"],"target_label":"__metrics_path__"}],"scheme":"https","tls_config":{"ca_file":"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","insecure_skip_verify":true}},{"bearer_token_file":"/var/run/secrets/kubernetes.io/serviceaccount/token","job_name":"kubernetes-nodes-cadvisor","kubernetes_sd_configs":[{"role":"node"}],"relabel_configs":[{"action":"labelmap","regex":"__meta_kubernetes_node_label_(.+)"},{"replacement":"kubernetes.default.svc:443","target_label":"__address__"},{"regex":"(.+)","replacement":"/api/v1/nodes/$1/proxy/metrics/cadvisor","source_labels":["__meta_kubernetes_node_name"],"target_label":"__metrics_path__"}],"scheme":"https","tls_config":{"ca_file":"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","insecure_skip_verify":true}},{"job_name":"kubernetes-service-endpoints","kubernetes_sd_configs":[{"role":"endpoints"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scrape"]},{"action":"replace","regex":"(https?)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scheme"],"target_label":"__scheme__"},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_service_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"},{"action":"replace","source_labels":["__meta_kubernetes_pod_node_name"],"target_label":"kubernetes_node"}]},{"job_name":"kubernetes-service-endpoints-slow","kubernetes_sd_configs":[{"role":"endpoints"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scrape_slow"]},{"action":"replace","regex":"(https?)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scheme"],"target_label":"__scheme__"},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_service_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"},{"action":"replace","source_labels":["__meta_kubernetes_pod_node_name"],"target_label":"kubernetes_node"}],"scrape_interval":"5m","scrape_timeout":"30s"},{"job_name":"kubernetes-services","kubernetes_sd_configs":[{"role":"service"}],"metrics_path":"/probe","params":{"module":["http_2xx"]},"relabel_configs":[{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_probe"]},{"source_labels":["__address__"],"target_label":"__param_target"},{"replacement":"blackbox","target_label":"__address__"},{"source_labels":["__param_target"],"target_label":"instance"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"}]},{"job_name":"kubernetes-pods","kubernetes_sd_configs":[{"role":"pod"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_scrape"]},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_pod_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_pod_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_pod_name"],"target_label":"kubernetes_pod_name"}]}]},"configMap":"","enabled":false,"extraScrapeConfigs":[]}` | Scrape configuration for victoriametrics | +| server.scrape.config | object | `{"global":{"scrape_interval":"15s"},"scrape_configs":[{"job_name":"victoriametrics","static_configs":[{"targets":["localhost:8428"]}]},{"bearer_token_file":"/var/run/secrets/kubernetes.io/serviceaccount/token","job_name":"kubernetes-apiservers","kubernetes_sd_configs":[{"role":"endpoints"}],"relabel_configs":[{"action":"keep","regex":"default;kubernetes;https","source_labels":["__meta_kubernetes_namespace","__meta_kubernetes_service_name","__meta_kubernetes_endpoint_port_name"]}],"scheme":"https","tls_config":{"ca_file":"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","insecure_skip_verify":true}},{"bearer_token_file":"/var/run/secrets/kubernetes.io/serviceaccount/token","job_name":"kubernetes-nodes","kubernetes_sd_configs":[{"role":"node"}],"relabel_configs":[{"action":"labelmap","regex":"__meta_kubernetes_node_label_(.+)"},{"replacement":"kubernetes.default.svc:443","target_label":"__address__"},{"regex":"(.+)","replacement":"/api/v1/nodes/$1/proxy/metrics","source_labels":["__meta_kubernetes_node_name"],"target_label":"__metrics_path__"}],"scheme":"https","tls_config":{"ca_file":"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","insecure_skip_verify":true}},{"bearer_token_file":"/var/run/secrets/kubernetes.io/serviceaccount/token","job_name":"kubernetes-nodes-cadvisor","kubernetes_sd_configs":[{"role":"node"}],"relabel_configs":[{"action":"labelmap","regex":"__meta_kubernetes_node_label_(.+)"},{"replacement":"kubernetes.default.svc:443","target_label":"__address__"},{"regex":"(.+)","replacement":"/api/v1/nodes/$1/proxy/metrics/cadvisor","source_labels":["__meta_kubernetes_node_name"],"target_label":"__metrics_path__"}],"scheme":"https","tls_config":{"ca_file":"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","insecure_skip_verify":true}},{"job_name":"kubernetes-service-endpoints","kubernetes_sd_configs":[{"role":"endpoints"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scrape"]},{"action":"replace","regex":"(https?)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scheme"],"target_label":"__scheme__"},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_service_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"},{"action":"replace","source_labels":["__meta_kubernetes_pod_node_name"],"target_label":"kubernetes_node"}]},{"job_name":"kubernetes-service-endpoints-slow","kubernetes_sd_configs":[{"role":"endpoints"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scrape_slow"]},{"action":"replace","regex":"(https?)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scheme"],"target_label":"__scheme__"},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_service_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"},{"action":"replace","source_labels":["__meta_kubernetes_pod_node_name"],"target_label":"kubernetes_node"}],"scrape_interval":"5m","scrape_timeout":"30s"},{"job_name":"kubernetes-services","kubernetes_sd_configs":[{"role":"service"}],"metrics_path":"/probe","params":{"module":["http_2xx"]},"relabel_configs":[{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_probe"]},{"source_labels":["__address__"],"target_label":"__param_target"},{"replacement":"blackbox","target_label":"__address__"},{"source_labels":["__param_target"],"target_label":"instance"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"}]},{"job_name":"kubernetes-pods","kubernetes_sd_configs":[{"role":"pod"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_scrape"]},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_pod_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_pod_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_pod_name"],"target_label":"kubernetes_pod_name"}]}]}` | Scrape config | +| server.scrape.config.scrape_configs | list | `[{"job_name":"victoriametrics","static_configs":[{"targets":["localhost:8428"]}]},{"bearer_token_file":"/var/run/secrets/kubernetes.io/serviceaccount/token","job_name":"kubernetes-apiservers","kubernetes_sd_configs":[{"role":"endpoints"}],"relabel_configs":[{"action":"keep","regex":"default;kubernetes;https","source_labels":["__meta_kubernetes_namespace","__meta_kubernetes_service_name","__meta_kubernetes_endpoint_port_name"]}],"scheme":"https","tls_config":{"ca_file":"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","insecure_skip_verify":true}},{"bearer_token_file":"/var/run/secrets/kubernetes.io/serviceaccount/token","job_name":"kubernetes-nodes","kubernetes_sd_configs":[{"role":"node"}],"relabel_configs":[{"action":"labelmap","regex":"__meta_kubernetes_node_label_(.+)"},{"replacement":"kubernetes.default.svc:443","target_label":"__address__"},{"regex":"(.+)","replacement":"/api/v1/nodes/$1/proxy/metrics","source_labels":["__meta_kubernetes_node_name"],"target_label":"__metrics_path__"}],"scheme":"https","tls_config":{"ca_file":"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","insecure_skip_verify":true}},{"bearer_token_file":"/var/run/secrets/kubernetes.io/serviceaccount/token","job_name":"kubernetes-nodes-cadvisor","kubernetes_sd_configs":[{"role":"node"}],"relabel_configs":[{"action":"labelmap","regex":"__meta_kubernetes_node_label_(.+)"},{"replacement":"kubernetes.default.svc:443","target_label":"__address__"},{"regex":"(.+)","replacement":"/api/v1/nodes/$1/proxy/metrics/cadvisor","source_labels":["__meta_kubernetes_node_name"],"target_label":"__metrics_path__"}],"scheme":"https","tls_config":{"ca_file":"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","insecure_skip_verify":true}},{"job_name":"kubernetes-service-endpoints","kubernetes_sd_configs":[{"role":"endpoints"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scrape"]},{"action":"replace","regex":"(https?)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scheme"],"target_label":"__scheme__"},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_service_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"},{"action":"replace","source_labels":["__meta_kubernetes_pod_node_name"],"target_label":"kubernetes_node"}]},{"job_name":"kubernetes-service-endpoints-slow","kubernetes_sd_configs":[{"role":"endpoints"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scrape_slow"]},{"action":"replace","regex":"(https?)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scheme"],"target_label":"__scheme__"},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_service_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"},{"action":"replace","source_labels":["__meta_kubernetes_pod_node_name"],"target_label":"kubernetes_node"}],"scrape_interval":"5m","scrape_timeout":"30s"},{"job_name":"kubernetes-services","kubernetes_sd_configs":[{"role":"service"}],"metrics_path":"/probe","params":{"module":["http_2xx"]},"relabel_configs":[{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_probe"]},{"source_labels":["__address__"],"target_label":"__param_target"},{"replacement":"blackbox","target_label":"__address__"},{"source_labels":["__param_target"],"target_label":"instance"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"}]},{"job_name":"kubernetes-pods","kubernetes_sd_configs":[{"role":"pod"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_scrape"]},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_pod_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_pod_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_pod_name"],"target_label":"kubernetes_pod_name"}]}]` | Scrape targets | +| server.scrape.config.scrape_configs[0] | object | `{"job_name":"victoriametrics","static_configs":[{"targets":["localhost:8428"]}]}` | Scrape rule for scrape victoriametrics | +| server.scrape.config.scrape_configs[4] | object | `{"job_name":"kubernetes-service-endpoints","kubernetes_sd_configs":[{"role":"endpoints"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scrape"]},{"action":"replace","regex":"(https?)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scheme"],"target_label":"__scheme__"},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_service_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"},{"action":"replace","source_labels":["__meta_kubernetes_pod_node_name"],"target_label":"kubernetes_node"}]}` | Scrape config for service endpoints. The relabeling allows the actual service scrape endpoint to be configured via the following annotations: * `prometheus.io/scrape`: Only scrape services that have a value of `true` * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need to set this to `https` & most likely set the `tls_config` of the scrape config. * `prometheus.io/path`: If the metrics path is not `/metrics` override this. * `prometheus.io/port`: If the metrics are exposed on a different port to the service then set this appropriately. -- Scrape rule using kubernetes service discovery for endpoints | +| server.scrape.config.scrape_configs[5] | object | `{"job_name":"kubernetes-service-endpoints-slow","kubernetes_sd_configs":[{"role":"endpoints"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scrape_slow"]},{"action":"replace","regex":"(https?)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_scheme"],"target_label":"__scheme__"},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_service_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_service_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"},{"action":"replace","source_labels":["__meta_kubernetes_pod_node_name"],"target_label":"kubernetes_node"}],"scrape_interval":"5m","scrape_timeout":"30s"}` | Scrape config for slow service endpoints; same as above, but with a larger timeout and a larger interval The relabeling allows the actual service scrape endpoint to be configured via the following annotations: * `prometheus.io/scrape-slow`: Only scrape services that have a value of `true` * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need to set this to `https` & most likely set the `tls_config` of the scrape config. * `prometheus.io/path`: If the metrics path is not `/metrics` override this. * `prometheus.io/port`: If the metrics are exposed on a different port to the service then set this appropriately. | +| server.scrape.config.scrape_configs[6] | object | `{"job_name":"kubernetes-services","kubernetes_sd_configs":[{"role":"service"}],"metrics_path":"/probe","params":{"module":["http_2xx"]},"relabel_configs":[{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_service_annotation_prometheus_io_probe"]},{"source_labels":["__address__"],"target_label":"__param_target"},{"replacement":"blackbox","target_label":"__address__"},{"source_labels":["__param_target"],"target_label":"instance"},{"action":"labelmap","regex":"__meta_kubernetes_service_label_(.+)"},{"source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"source_labels":["__meta_kubernetes_service_name"],"target_label":"kubernetes_name"}]}` | Example scrape config for probing services via the Blackbox Exporter. The relabeling allows the actual service scrape endpoint to be configured via the following annotations: * `prometheus.io/probe`: Only probe services that have a value of `true` | +| server.scrape.config.scrape_configs[7] | object | `{"job_name":"kubernetes-pods","kubernetes_sd_configs":[{"role":"pod"}],"relabel_configs":[{"action":"drop","regex":true,"source_labels":["__meta_kubernetes_pod_container_init"]},{"action":"keep_if_equal","source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_port","__meta_kubernetes_pod_container_port_number"]},{"action":"keep","regex":true,"source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_scrape"]},{"action":"replace","regex":"(.+)","source_labels":["__meta_kubernetes_pod_annotation_prometheus_io_path"],"target_label":"__metrics_path__"},{"action":"replace","regex":"([^:]+)(?::\\d+)?;(\\d+)","replacement":"$1:$2","source_labels":["__address__","__meta_kubernetes_pod_annotation_prometheus_io_port"],"target_label":"__address__"},{"action":"labelmap","regex":"__meta_kubernetes_pod_label_(.+)"},{"action":"replace","source_labels":["__meta_kubernetes_namespace"],"target_label":"kubernetes_namespace"},{"action":"replace","source_labels":["__meta_kubernetes_pod_name"],"target_label":"kubernetes_pod_name"}]}` | Example scrape config for pods The relabeling allows the actual pod scrape endpoint to be configured via the following annotations: * `prometheus.io/scrape`: Only scrape pods that have a value of `true` * `prometheus.io/path`: If the metrics path is not `/metrics` override this. * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`. | +| server.scrape.configMap | string | `""` | Use existing configmap if specified otherwise .config values will be used | +| server.scrape.enabled | bool | `false` | If true scrapes targets, creates config map or use specified one with scrape targets | +| server.scrape.extraScrapeConfigs | list | `[]` | Extra scrape configs that will be appended to `server.scrape.config` | +| server.securityContext | object | `{}` | Security context to be added to server pods | +| server.service.annotations | object | `{}` | Service annotations | +| server.service.clusterIP | string | `""` | Service ClusterIP | +| server.service.externalIPs | list | `[]` | Service External IPs. Ref: [https://kubernetes.io/docs/user-guide/services/#external-ips]( https://kubernetes.io/docs/user-guide/services/#external-ips) | +| server.service.labels | object | `{}` | Service labels | +| server.service.loadBalancerIP | string | `""` | Service load balacner IP | +| server.service.loadBalancerSourceRanges | list | `[]` | Load balancer source range | +| server.service.servicePort | int | `8428` | Service port | +| server.service.type | string | `"ClusterIP"` | Service type | +| server.serviceMonitor.annotations | object | `{}` | Service Monitor annotations | +| server.serviceMonitor.enabled | bool | `false` | Enable deployment of Service Monitor for server component. This is Prometheus operator object | +| server.serviceMonitor.extraLabels | object | `{}` | Service Monitor labels | +| server.startupProbe | object | `{}` | | +| server.statefulSet.enabled | bool | `true` | Creates statefulset instead of deployment, useful when you want to keep the cache | +| server.statefulSet.podManagementPolicy | string | `"OrderedReady"` | Deploy order policy for StatefulSet pods | +| server.statefulSet.service.annotations | object | `{}` | Headless service annotations | +| server.statefulSet.service.labels | object | `{}` | Headless service labels | +| server.statefulSet.service.servicePort | int | `8428` | Headless service port | +| server.terminationGracePeriodSeconds | int | `60` | Pod's termination grace period in seconds | +| server.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints. Ref: [https://kubernetes.io/docs/concepts/configuration/assign-pod-node/](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) | +| server.vmbackupmanager.destination | string | `""` | backup destination at S3, GCS or local filesystem. Release name will be included to path! | +| server.vmbackupmanager.disableDaily | bool | `false` | disable daily backups | +| server.vmbackupmanager.disableHourly | bool | `false` | disable hourly backups | +| server.vmbackupmanager.disableMonthly | bool | `false` | disable monthly backups | +| server.vmbackupmanager.disableWeekly | bool | `false` | disable weekly backups | +| server.vmbackupmanager.enable | bool | `false` | enable automatic creation of backup via vmbackupmanager. vmbackupmanager is part of Enterprise packages | +| server.vmbackupmanager.env | list | `[]` | Additional environment variables (ex.: secret tokens, flags) https://github.com/VictoriaMetrics/VictoriaMetrics#environment-variables | +| server.vmbackupmanager.eula | bool | `false` | should be true and means that you have the legal right to run a backup manager that can either be a signed contract or an email with confirmation to run the service in a trial period https://victoriametrics.com/assets/VM_EULA.pdf | +| server.vmbackupmanager.extraArgs."envflag.enable" | string | `"true"` | | +| server.vmbackupmanager.extraArgs."envflag.prefix" | string | `"VM_"` | | +| server.vmbackupmanager.extraArgs.loggerFormat | string | `"json"` | | +| server.vmbackupmanager.image.repository | string | `"victoriametrics/vmbackupmanager"` | vmbackupmanager image repository | +| server.vmbackupmanager.image.tag | string | `"v1.69.0-enterprise"` | vmbackupmanager image tag | +| server.vmbackupmanager.livenessProbe.failureThreshold | int | `10` | | +| server.vmbackupmanager.livenessProbe.initialDelaySeconds | int | `30` | | +| server.vmbackupmanager.livenessProbe.periodSeconds | int | `30` | | +| server.vmbackupmanager.livenessProbe.tcpSocket.port | string | `"manager-http"` | | +| server.vmbackupmanager.livenessProbe.timeoutSeconds | int | `5` | | +| server.vmbackupmanager.readinessProbe.failureThreshold | int | `3` | | +| server.vmbackupmanager.readinessProbe.httpGet.path | string | `"/health"` | | +| server.vmbackupmanager.readinessProbe.httpGet.port | string | `"manager-http"` | | +| server.vmbackupmanager.readinessProbe.initialDelaySeconds | int | `5` | | +| server.vmbackupmanager.readinessProbe.periodSeconds | int | `15` | | +| server.vmbackupmanager.readinessProbe.timeoutSeconds | int | `5` | | +| server.vmbackupmanager.resources | object | `{}` | | +| server.vmbackupmanager.retention | object | `{"keepLastDaily":2,"keepLastHourly":2,"keepLastMonthly":2,"keepLastWeekly":2}` | backups' retention settings | +| server.vmbackupmanager.retention.keepLastDaily | int | `2` | keep last N daily backups. 0 means delete all existing daily backups. Specify -1 to turn off | +| server.vmbackupmanager.retention.keepLastHourly | int | `2` | keep last N hourly backups. 0 means delete all existing hourly backups. Specify -1 to turn off | +| server.vmbackupmanager.retention.keepLastMonthly | int | `2` | keep last N monthly backups. 0 means delete all existing monthly backups. Specify -1 to turn off | +| server.vmbackupmanager.retention.keepLastWeekly | int | `2` | keep last N weekly backups. 0 means delete all existing weekly backups. Specify -1 to turn off | +| serviceAccount.automountToken | bool | `true` | | +| serviceAccount.create | bool | `true` | Create service account. | +| serviceAccount.extraLabels | object | `{}` | | \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/README.md.gotmpl b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/README.md.gotmpl new file mode 100644 index 000000000..7f579e0dc --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/README.md.gotmpl @@ -0,0 +1,107 @@ +# Victoria Metrics Helm Chart for Single Version + +{{ template "chart.typeBadge" . }} {{ template "chart.versionBadge" . }} + +{{ template "chart.description" . }} + +# Prerequisites + +* Install the follow packages: ``git``, ``kubectl``, ``helm``, ``helm-docs``. See this [tutorial](../../REQUIREMENTS.md). + +* PV support on underlying infrastructure. + +# Chart Details + +This chart will do the following: + +* Rollout Victoria Metrics Single. + +# How to install + +Access a Kubernetes cluster. + +Add a chart helm repository with follow commands: + +```console +helm repo add vm https://victoriametrics.github.io/helm-charts/ + +helm repo update +``` + +List versions of ``vm/victoria-metrics-single`` chart available to installation: + +##### for helm v3 + +```console +helm search repo vm/victoria-metrics-single -l +``` + +Export default values of ``victoria-metrics-single`` chart to file ``values.yaml``: + +```console +helm show values vm/victoria-metrics-single > values.yaml +``` + +Change the values according to the need of the environment in ``values.yaml`` file. + +Test the installation with command: + +```console +helm install vmsingle vm/victoria-metrics-single -f values.yaml -n NAMESPACE --debug --dry-run +``` + +Install chart with command: + +##### for helm v3 + +```console +helm install vmsingle vm/victoria-metrics-single -f values.yaml -n NAMESPACE +``` + +Get the pods lists by running this commands: + +```console +kubectl get pods -A | grep 'single' +``` + +Get the application by running this command: + +```console +helm list -f vmsingle -n NAMESPACE +``` + +See the history of versions of ``vmsingle`` application with command. + +```console +helm history vmsingle -n NAMESPACE +``` + +# How to uninstall + +Remove application with command. + +```console +helm uninstall vmsingle -n NAMESPACE +``` + +# Documentation of Helm Chart + +Install ``helm-docs`` following the instructions on this [tutorial](../../REQUIREMENTS.md). + +Generate docs with ``helm-docs`` command. + +```bash +cd charts/victoria-metrics-single + +helm-docs +``` + +The markdown generation is entirely go template driven. The tool parses metadata from charts and generates a number of sub-templates that can be referenced in a template file (by default ``README.md.gotmpl``). If no template file is provided, the tool has a default internal template that will generate a reasonably formatted README. + +# Parameters + +The following tables lists the configurable parameters of the chart and their default values. + +Change the values according to the need of the environment in ``victoria-metrics-single/values.yaml`` file. + +{{ template "chart.valuesTable" . }} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/NOTES.txt b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/NOTES.txt new file mode 100644 index 000000000..6c357c127 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/NOTES.txt @@ -0,0 +1,51 @@ +{{- if .Values.printNotes }} +{{- if .Values.server.enabled }} +The VictoriaMetrics write api can be accessed via port {{ .Values.server.service.servicePort }} on the following DNS name from within your cluster: + {{ template "victoria-metrics.server.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + + +Metrics Ingestion: + Get the Victoria Metrics service URL by running these commands in the same shell: + +{{- if contains "NodePort" .Values.server.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "victoria-metrics.server.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.server.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "victoria-metrics.server.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "victoria-metrics.server.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.server.service.servicePort }} +{{- else if contains "ClusterIP" .Values.server.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ .Values.server.name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME {{ .Values.server.service.servicePort }} +{{- end }} + + Write url inside the kubernetes cluster: + http://{{ template "victoria-metrics.server.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.server.service.servicePort }}/api/v1/write + +{{- if .Values.server.scrape.enabled }} + +Metrics Scrape: + Pull-based scrapes are enabled + Scrape config can be displayed by running this command:: + {{- if eq .Values.server.scrape.configMap "" }} + kubectl get cm {{ template "victoria-metrics.server.fullname" . }}-scrapeconfig -n {{ .Release.Namespace }} + {{- else }} + kubectl get cm .Values.server.scrape.configMap -n {{ .Release.Namespace }} + {{- end }} + + The target’s information is accessible via api: + Inside cluster: + http://{{ template "victoria-metrics.server.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.server.service.servicePort }}/targets + Outside cluster: + You need to port-forward service (see instructions above) and call + http:///targets +{{- end }} + +Read Data: + The following url can be used as the datasource url in Grafana:: + http://{{ template "victoria-metrics.server.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.server.service.servicePort }} +{{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/_helpers.tpl b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/_helpers.tpl new file mode 100644 index 000000000..df718138c --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/_helpers.tpl @@ -0,0 +1,147 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "victoria-metrics.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "victoria-metrics.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "victoria-metrics.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account +*/}} +{{- define "victoria-metrics.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "victoria-metrics.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create unified labels for victoria-metrics components +*/}} +{{- define "victoria-metrics.common.matchLabels" -}} +app.kubernetes.io/name: {{ include "victoria-metrics.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{- define "victoria-metrics.common.metaLabels" -}} +helm.sh/chart: {{ include "victoria-metrics.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{- define "victoria-metrics.server.labels" -}} +{{ include "victoria-metrics.server.matchLabels" . }} +{{ include "victoria-metrics.common.metaLabels" . }} +{{- end -}} + +{{- define "victoria-metrics.server.matchLabels" -}} +app: {{ .Values.server.name }} +{{ include "victoria-metrics.common.matchLabels" . }} +{{- end -}} + +{{/* +Create a fully qualified server name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "victoria-metrics.server.fullname" -}} +{{- if .Values.server.fullnameOverride -}} +{{- .Values.server.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + + +{{- define "split-host-port" -}} +{{- $hp := split ":" . -}} +{{- printf "%s" $hp._1 -}} +{{- end -}} + +{{/* +Defines the name of scrape configuration map +*/}} +{{- define "victoria-metrics.server.scrape.configname" -}} +{{- if .Values.server.scrape.configMap -}} +{{- .Values.configMap -}} +{{- else -}} +{{- include "victoria-metrics.server.fullname" . -}}-scrapeconfig +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "victoria-metrics.ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "victoria-metrics.ingress.isStable" -}} + {{- eq (include "victoria-metrics.ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "victoria-metrics.ingress.supportsIngressClassName" -}} + {{- or (eq (include "victoria-metrics.ingress.isStable" .) "true") (and (eq (include "victoria-metrics.ingress.apiVersion" .) "networking.k8s.io/v1beta1")) -}} +{{- end -}} + +{{/* +Return if ingress supports pathType. +*/}} +{{- define "victoria-metrics.ingress.supportsPathType" -}} + {{- or (eq (include "victoria-metrics.ingress.isStable" .) "true") (and (eq (include "victoria-metrics.ingress.apiVersion" .) "networking.k8s.io/v1beta1")) -}} +{{- end -}} + +{{/* +Renders a value that contains template. +Usage: +{{ include "render-values" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "render-values" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/clusterrole.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/clusterrole.yaml new file mode 100644 index 000000000..8205b1117 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/clusterrole.yaml @@ -0,0 +1,46 @@ +{{- if and .Values.rbac.create (not .Values.rbac.namespaced) }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "victoria-metrics.fullname" . }}-clusterrole + namespace: {{ .Release.Namespace }} + labels: + {{- include "victoria-metrics.common.metaLabels" . | nindent 4 }} + {{- if .Values.rbac.extraLabels }} +{{ toYaml .Values.rbac.extraLabels | indent 4}} + {{- end }} +{{- with .Values.rbac.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +{{- if or .Values.rbac.pspEnabled .Values.server.scrape.enabled }} +rules: + {{- if .Values.server.scrape.enabled }} + - apiGroups: [ "" ] + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + verbs: [ "get", "list", "watch" ] + - apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + verbs: [ "get", "list", "watch" ] + - nonResourceURLs: [ "/metrics" ] + verbs: [ "get" ] + {{- end }} + {{- if .Values.rbac.pspEnabled }} + - apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ template "victoria-metrics.fullname" . }}] + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/clusterrolebinding.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..3e128085b --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/clusterrolebinding.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.rbac.create (not .Values.rbac.namespaced) }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "victoria-metrics.fullname" . }}-clusterrolebinding + namespace: {{ .Release.Namespace }} + labels: + {{- include "victoria-metrics.common.metaLabels" . | nindent 4 }} + {{- if .Values.rbac.extraLabels }} +{{ toYaml .Values.rbac.extraLabels | indent 4}} + {{- end }} +{{- with .Values.rbac.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +subjects: + - kind: ServiceAccount + name: {{ template "victoria-metrics.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ template "victoria-metrics.fullname" . }}-clusterrole + apiGroup: rbac.authorization.k8s.io +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/pdb.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/pdb.yaml new file mode 100644 index 000000000..473e75786 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/pdb.yaml @@ -0,0 +1,22 @@ +{{- if .Values.podDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "victoria-metrics.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "victoria-metrics.common.metaLabels" . | nindent 4 }} + {{- if .Values.podDisruptionBudget.extraLabels }} +{{ toYaml .Values.podDisruptionBudget.extraLabels | indent 4}} + {{- end }} +spec: +{{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} +{{- end }} + selector: + matchLabels: + {{- include "victoria-metrics.server.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/podsecuritypolicy.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..cd1234db8 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if .Values.rbac.pspEnabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "victoria-metrics.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "victoria-metrics.common.metaLabels" . | nindent 4 }} + {{- if .Values.rbac.extraLabels }} +{{ toYaml .Values.rbac.extraLabels | indent 4}} + {{- end }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.rbac.annotations }} + {{ toYaml .Values.rbac.annotations | indent 4}} + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + # Default set from Docker, with DAC_OVERRIDE and CHOWN + - ALL + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/role.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/role.yaml new file mode 100644 index 000000000..df95eb622 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/role.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "victoria-metrics.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "victoria-metrics.common.metaLabels" . | nindent 4 }} + {{- if .Values.rbac.extraLabels }} +{{ toYaml .Values.rbac.extraLabels | indent 4}} + {{- end }} +{{- with .Values.rbac.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +rules: +{{- if .Values.rbac.pspEnabled }} +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ template "victoria-metrics.fullname" . }}] +{{- else }} +rules: [] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/rolebinding.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/rolebinding.yaml new file mode 100644 index 000000000..ad53f8b1a --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/rolebinding.yaml @@ -0,0 +1,24 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "victoria-metrics.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "victoria-metrics.common.metaLabels" . | nindent 4 }} + {{- if .Values.rbac.extraLabels }} +{{ toYaml .Values.rbac.extraLabels | indent 4}} + {{- end }} +{{- with .Values.rbac.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "victoria-metrics.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "victoria-metrics.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/scrape-configmap.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/scrape-configmap.yaml new file mode 100644 index 000000000..7d09eae64 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/scrape-configmap.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.server.scrape.enabled (eq .Values.server.scrape.configMap "") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "victoria-metrics.server.fullname" . }}-scrapeconfig + namespace: {{ .Release.Namespace }} + labels: {{- include "victoria-metrics.server.labels" . | nindent 4 }} +data: + scrape.yml: | + {{- range $k, $v := .Values.server.scrape.config }} + {{- if and (eq $k "scrape_configs") ($.Values.server.scrape.extraScrapeConfigs) }} + {{ dict $k (concat $v $.Values.server.scrape.extraScrapeConfigs) | toYaml | nindent 4 }} + {{- else }} + {{ dict $k $v | toYaml | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-deployment.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-deployment.yaml new file mode 100644 index 000000000..d6509cb53 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-deployment.yaml @@ -0,0 +1,232 @@ +{{- if and .Values.server.enabled (not .Values.server.statefulSet.enabled) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: +{{- if .Values.server.annotations }} + annotations: +{{ toYaml .Values.server.annotations | indent 4 }} +{{- end }} + labels: + {{- include "victoria-metrics.server.labels" . | nindent 4 }} + {{- with .Values.server.extraLabels }} + {{ toYaml .}} + {{- end }} + name: {{ template "victoria-metrics.server.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + {{- include "victoria-metrics.server.matchLabels" . | nindent 6 }} + replicas: 1 +{{- if .Values.server.persistentVolume.enabled }} + strategy: + # Must be "Recreate" when we have a persistent volume + type: Recreate +{{- end }} + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: +{{ toYaml .Values.server.podAnnotations | indent 8 }} + {{- end }} + labels: + {{- include "victoria-metrics.server.labels" . | nindent 8 }} + {{- range $key, $value := .Values.server.podLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: +{{- if .Values.server.priorityClassName }} + priorityClassName: "{{ .Values.server.priorityClassName }}" +{{- end }} +{{- if .Values.server.schedulerName }} + schedulerName: "{{ .Values.server.schedulerName }}" +{{- end }} + automountServiceAccountToken: {{ .Values.serviceAccount.automountToken }} + {{- with .Values.server.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ template "victoria-metrics.name" . }}-{{ .Values.server.name }} + securityContext: + {{- toYaml .Values.server.podSecurityContext | nindent 12 }} + image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}" + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + {{- if .Values.server.containerWorkingDir }} + workingDir: {{ .Values.server.containerWorkingDir }} + {{- end }} + args: + - {{ printf "%s=%d" "--retentionPeriod" (int .Values.server.retentionPeriod) | quote}} + - {{ printf "%s=%s" "--storageDataPath" .Values.server.persistentVolume.mountPath | quote}} + {{- if .Values.server.scrape.enabled }} + - -promscrape.config=/scrapeconfig/scrape.yml + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- with .Values.server.env }} + env: {{ toYaml . | nindent 10 }} + {{- end }} + ports: + - name: http + containerPort: 8428 + {{- if .Values.server.extraArgs.graphiteListenAddr }} + - name: graphite-tcp + protocol: TCP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.graphiteListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.graphiteListenAddr }} + - name: graphite-udp + protocol: UDP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.graphiteListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.influxListenAddr }} + - name: influx-tcp + protocol: TCP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.influxListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.influxListenAddr }} + - name: influx-udp + protocol: UDP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.influxListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.opentsdbHTTPListenAddr }} + - name: opentsdbhttp + protocol: TCP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.opentsdbHTTPListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.opentsdbListenAddr }} + - name: opentsdb-tcp + protocol: TCP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.opentsdbListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.opentsdbListenAddr }} + - name: opentsdb-udp + protocol: UDP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.opentsdbListenAddr }} + {{- end }} + {{- with $.Values.server.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with $.Values.server.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with $.Values.server.startupProbe }} + startupProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.server.resources | indent 12 }} + volumeMounts: + - name: server-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: {{ .Values.server.persistentVolume.subPath }} + {{- if .Values.server.scrape.enabled }} + - name: scrapeconfig + mountPath: /scrapeconfig + {{- end }} + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- with .Values.server.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.server.vmbackupmanager.enable }} + - name: {{ template "victoria-metrics.name" . }}-vmbackupmanager + image: "{{ .Values.server.vmbackupmanager.image.repository }}:{{ .Values.server.vmbackupmanager.image.tag }}" + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + args: + - {{ printf "%s=%t" "--eula" .Values.server.vmbackupmanager.eula | quote}} + - {{ printf "%s=%t" "--disableHourly" .Values.server.vmbackupmanager.disableHourly | quote}} + - {{ printf "%s=%t" "--disableDaily" .Values.server.vmbackupmanager.disableDaily | quote}} + - {{ printf "%s=%t" "--disableWeekly" .Values.server.vmbackupmanager.disableWeekly | quote}} + - {{ printf "%s=%t" "--disableMonthly" .Values.server.vmbackupmanager.disableMonthly | quote}} + - {{ printf "%s=%d" "--keepLastHourly" (int .Values.server.vmbackupmanager.retention.keepLastHourly) | quote}} + - {{ printf "%s=%d" "--keepLastDaily" (int .Values.server.vmbackupmanager.retention.keepLastDaily) | quote}} + - {{ printf "%s=%d" "--keepLastWeekly" (int .Values.server.vmbackupmanager.retention.keepLastWeekly) | quote}} + - {{ printf "%s=%d" "--keepLastMonthly" (int .Values.server.vmbackupmanager.retention.keepLastMonthly) | quote}} + - {{ printf "%s=%s" "--dst" (printf "%s/%s" .Values.server.vmbackupmanager.destination (include "victoria-metrics.name" .) ) | quote}} + - {{ printf "%s=%s" "--storageDataPath" .Values.server.persistentVolume.mountPath | quote}} + - "--snapshot.createURL=http://localhost:8428/snapshot/create" + - "--snapshot.deleteURL=http://localhost:8428/snapshot/delete" + {{- range $key, $value := .Values.server.vmbackupmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- with .Values.server.vmbackupmanager.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} + {{- with $.Values.server.vmbackupmanager.livenessProbe }} + livenessProbe: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with $.Values.server.vmbackupmanager.readinessProbe }} + readinessProbe: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.server.vmbackupmanager.env }} + env: {{ toYaml . | nindent 12 }} + {{- end }} + ports: + - name: manager-http + containerPort: 8300 + volumeMounts: + - name: server-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: {{ .Values.server.persistentVolume.subPath }} + {{- end }} + {{- with .Values.server.extraContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.imagePullSecrets | indent 2 }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.server.securityContext }} + securityContext: +{{ toYaml .Values.server.securityContext | indent 8 }} + {{- end }} + serviceAccountName: {{ template "victoria-metrics.serviceAccountName" . }} + {{- if .Values.server.tolerations }} + tolerations: +{{ toYaml .Values.server.tolerations | indent 8 }} + {{- end }} + {{- with .Values.server.affinity }} + affinity: {{ toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + volumes: + {{- if .Values.server.scrape.enabled }} + - name: scrapeconfig + configMap: + name: {{ include "victoria-metrics.server.scrape.configname" . }} + {{- end }} + {{- with .Values.server.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} + - name: server-volume +{{- if .Values.server.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.server.persistentVolume.existingClaim }}{{ .Values.server.persistentVolume.existingClaim }}{{- else }}{{ template "victoria-metrics.server.fullname" . }}{{- end }} +{{- else }} + emptyDir: {} +{{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-ingress.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-ingress.yaml new file mode 100644 index 000000000..e353b9e53 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-ingress.yaml @@ -0,0 +1,50 @@ +{{- if and .Values.server.enabled .Values.server.ingress.enabled }} +{{- $ingressApiIsStable := eq (include "victoria-metrics.ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "victoria-metrics.ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "victoria-metrics.ingress.supportsPathType" .) "true" -}} +{{- $servicePort := .Values.server.service.servicePort -}} +{{- $ingressPathType := .Values.server.ingress.pathType -}} +apiVersion: {{ include "victoria-metrics.ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.server.ingress.annotations }} + annotations: +{{ toYaml .Values.server.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "victoria-metrics.server.labels" . | nindent 4 }} + {{ if .Values.server.ingress.extraLabels }} +{{ toYaml .Values.server.ingress.extraLabels | indent 4 }} + {{ end }} + name: {{ template "victoria-metrics.server.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.server.ingress.ingressClassName }} + ingressClassName: {{ .Values.server.ingress.ingressClassName }} + {{- end }} + rules: + {{- $serviceName := include "victoria-metrics.server.fullname" . }} + {{- range .Values.server.ingress.hosts }} + - host: {{ .name }} + http: + paths: + - path: {{ .path }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ .port | default "http"}} + {{- end }} + {{- end -}} +{{- if .Values.server.ingress.tls }} + tls: +{{ toYaml .Values.server.ingress.tls | indent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-pvc.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-pvc.yaml new file mode 100644 index 000000000..35b3204b3 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-pvc.yaml @@ -0,0 +1,33 @@ +{{- if .Values.server.persistentVolume.enabled -}} +{{- if not .Values.server.statefulSet.enabled -}} +{{- if not .Values.server.persistentVolume.existingClaim -}} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "victoria-metrics.server.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- with .Values.server.persistentVolume.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: +{{- include "victoria-metrics.server.labels" . | nindent 4 }} +spec: +{{- with .Values.server.persistentVolume.accessModes }} + accessModes: +{{ toYaml . | indent 4 }} +{{- end }} + resources: + requests: + storage: {{ .Values.server.persistentVolume.size | quote }} +{{- if .Values.server.persistentVolume.storageClass }} + storageClassName: {{ .Values.server.persistentVolume.storageClass | quote }} +{{- end }} +{{- with .Values.server.persistentVolume.matchLabels }} + selector: + matchLabels: + {{- toYaml . | nindent 6 }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service-headless.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service-headless.yaml new file mode 100644 index 000000000..86f57b7ac --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service-headless.yaml @@ -0,0 +1,66 @@ +{{- if and .Values.server.enabled .Values.server.statefulSet.enabled -}} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ .Release.Namespace }} +{{- if .Values.server.statefulSet.service.annotations }} + annotations: +{{ toYaml .Values.server.statefulSet.service.annotations | indent 4}} +{{- end }} + labels: + {{- include "victoria-metrics.server.labels" . | nindent 4 }} +{{- if .Values.server.statefulSet.service.labels }} +{{ toYaml .Values.server.statefulSet.service.labels | indent 4}} +{{- end }} + name: {{ template "victoria-metrics.server.fullname" . }} +spec: + clusterIP: None + ports: + - name: http + port: {{ .Values.server.statefulSet.service.servicePort }} + protocol: TCP + targetPort: http +{{- if .Values.server.extraArgs.graphiteListenAddr }} + - name: graphite-tcp + protocol: TCP + port: {{ include "split-host-port" .Values.server.extraArgs.graphiteListenAddr }} + targetPort: graphite-tcp +{{- end }} +{{- if .Values.server.extraArgs.graphiteListenAddr }} + - name: graphite-udp + protocol: UDP + port: {{ include "split-host-port" .Values.server.extraArgs.graphiteListenAddr }} + targetPort: graphite-udp +{{- end }} +{{- if .Values.server.extraArgs.influxListenAddr }} + - name: influx-tcp + protocol: TCP + port: {{ include "split-host-port" .Values.server.extraArgs.influxListenAddr }} + targetPort: influx-tcp +{{- end }} +{{- if .Values.server.extraArgs.influxListenAddr }} + - name: influx-udp + protocol: UDP + port: {{ include "split-host-port" .Values.server.extraArgs.influxListenAddr }} + targetPort: influx-udp +{{- end }} +{{- if .Values.server.extraArgs.opentsdbHTTPListenAddr }} + - name: opentsdbhttp + port: {{ include "split-host-port" .Values.server.extraArgs.opentsdbHTTPListenAddr }} + targetPort: opentsdbhttp +{{- end }} +{{- if .Values.server.extraArgs.opentsdbListenAddr }} + - name: opentsdb-udp + protocol: UDP + port: {{ include "split-host-port" .Values.server.extraArgs.opentsdbListenAddr }} + targetPort: opentsdb-udp +{{- end }} +{{- if .Values.server.extraArgs.opentsdbListenAddr }} + - name: opentsdb-tcp + protocol: TCP + port: {{ include "split-host-port" .Values.server.extraArgs.opentsdbListenAddr }} + targetPort: opentsdb-tcp +{{- end }} + selector: + {{- include "victoria-metrics.server.matchLabels" . | nindent 4 }} +{{- end -}} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service-monitor.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service-monitor.yaml new file mode 100644 index 000000000..9c72e22d9 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service-monitor.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.server.enabled .Values.server.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + {{- if .Values.server.serviceMonitor.annotations }} + annotations: +{{ toYaml .Values.server.serviceMonitor.annotations | indent 4 }} + {{- end }} + labels: + {{- include "victoria-metrics.server.labels" . | nindent 4 }} + {{- if .Values.server.serviceMonitor.extraLabels }} +{{ toYaml .Values.server.serviceMonitor.extraLabels | indent 4 }} + {{- end }} + name: {{ template "victoria-metrics.server.fullname" . }} + {{- if .Values.server.serviceMonitor.namespace }} + namespace: {{ .Values.server.serviceMonitor.namespace }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "victoria-metrics.server.matchLabels" . | nindent 6 }} + endpoints: + - port: http + {{- if .Values.server.serviceMonitor.interval }} + interval: {{ .Values.server.serviceMonitor.interval }} + {{- end }} + {{- if .Values.server.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.server.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service.yaml new file mode 100644 index 000000000..947bf2fe0 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-service.yaml @@ -0,0 +1,82 @@ +{{- if and .Values.server.enabled (not .Values.server.statefulSet.enabled) -}} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ .Release.Namespace }} +{{- if .Values.server.service.annotations }} + annotations: +{{ toYaml .Values.server.service.annotations | indent 4}} +{{- end }} + labels: + {{- include "victoria-metrics.server.labels" . | nindent 4 }} +{{- if .Values.server.service.labels }} +{{ toYaml .Values.server.service.labels | indent 4}} +{{- end }} + name: {{ template "victoria-metrics.server.fullname" . }} +spec: +{{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} +{{- end }} +{{- if .Values.server.service.externalIPs }} + externalIPs: +{{ toYaml .Values.server.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.server.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.server.service.loadBalancerIP }} +{{- end }} +{{- if .Values.server.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.server.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.server.service.servicePort }} + protocol: TCP + targetPort: http +{{- if .Values.server.extraArgs.graphiteListenAddr }} + - name: graphite-tcp + protocol: TCP + port: {{ include "split-host-port" .Values.server.extraArgs.graphiteListenAddr }} + targetPort: graphite-tcp +{{- end }} +{{- if .Values.server.extraArgs.graphiteListenAddr }} + - name: graphite-udp + protocol: UDP + port: {{ include "split-host-port" .Values.server.extraArgs.graphiteListenAddr }} + targetPort: graphite-udp +{{- end }} +{{- if .Values.server.extraArgs.influxListenAddr }} + - name: influx-tcp + protocol: TCP + port: {{ include "split-host-port" .Values.server.extraArgs.influxListenAddr }} + targetPort: influx-tcp +{{- end }} +{{- if .Values.server.extraArgs.influxListenAddr }} + - name: influx-udp + protocol: UDP + port: {{ include "split-host-port" .Values.server.extraArgs.influxListenAddr }} + targetPort: influx-udp +{{- end }} +{{- if .Values.server.extraArgs.opentsdbHTTPListenAddr }} + - name: opentsdbhttp + port: {{ include "split-host-port" .Values.server.extraArgs.opentsdbHTTPListenAddr }} + targetPort: opentsdbhttp +{{- end }} +{{- if .Values.server.extraArgs.opentsdbListenAddr }} + - name: opentsdb-udp + protocol: UDP + port: {{ include "split-host-port" .Values.server.extraArgs.opentsdbListenAddr }} + targetPort: opentsdb-udp +{{- end }} +{{- if .Values.server.extraArgs.opentsdbListenAddr }} + - name: opentsdb-tcp + protocol: TCP + port: {{ include "split-host-port" .Values.server.extraArgs.opentsdbListenAddr }} + targetPort: opentsdb-tcp +{{- end }} + selector: + {{- include "victoria-metrics.server.matchLabels" . | nindent 4 }} + type: "{{ .Values.server.service.type }}" +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-statefulset.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-statefulset.yaml new file mode 100644 index 000000000..d5dedf382 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/server-statefulset.yaml @@ -0,0 +1,256 @@ +{{- if and .Values.server.enabled .Values.server.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + namespace: {{ .Release.Namespace }} +{{- if .Values.server.annotations }} + annotations: +{{ toYaml .Values.server.annotations | indent 4 }} +{{- end }} + labels: + {{- include "victoria-metrics.server.labels" . | nindent 4 }} + {{- with .Values.server.extraLabels }} + {{ toYaml .}} + {{- end}} + name: {{ template "victoria-metrics.server.fullname" . }} +spec: + serviceName: {{ template "victoria-metrics.server.fullname" . }} + selector: + matchLabels: + {{- include "victoria-metrics.server.matchLabels" . | nindent 6 }} + replicas: 1 + podManagementPolicy: {{ .Values.server.podManagementPolicy }} + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: +{{ toYaml .Values.server.podAnnotations | indent 8 }} + {{- end }} + labels: + {{- include "victoria-metrics.server.labels" . | nindent 8 }} + {{- range $key, $value := .Values.server.podLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: +{{- if .Values.server.priorityClassName }} + priorityClassName: "{{ .Values.server.priorityClassName }}" +{{- end }} +{{- if .Values.server.schedulerName }} + schedulerName: "{{ .Values.server.schedulerName }}" +{{- end }} + automountServiceAccountToken: {{ .Values.serviceAccount.automountToken }} + {{- if .Values.server.initContainers }} + initContainers: {{ include "render-values" ( dict "value" .Values.server.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: {{ template "victoria-metrics.name" . }}-{{ .Values.server.name }} + image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}" + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + {{- if .Values.server.containerWorkingDir }} + workingDir: {{ .Values.server.containerWorkingDir }} + {{- end }} + args: + - {{ printf "%s=%s" "--retentionPeriod" (toString .Values.server.retentionPeriod) | quote}} + - {{ printf "%s=%s" "--storageDataPath" .Values.server.persistentVolume.mountPath | quote}} + {{- if .Values.server.scrape.enabled }} + - -promscrape.config={{ .Values.server.scrape.configPath }} + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- with .Values.server.env }} + env: {{ toYaml . | nindent 10 }} + {{- end }} + ports: + - name: http + containerPort: 8428 + {{- if .Values.server.extraArgs.graphiteListenAddr }} + - name: graphite-tcp + protocol: TCP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.graphiteListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.graphiteListenAddr }} + - name: graphite-udp + protocol: UDP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.graphiteListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.influxListenAddr }} + - name: influx-tcp + protocol: TCP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.influxListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.influxListenAddr }} + - name: influx-udp + protocol: UDP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.influxListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.opentsdbHTTPListenAddr }} + - name: opentsdbhttp + protocol: TCP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.opentsdbHTTPListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.opentsdbListenAddr }} + - name: opentsdb-tcp + protocol: TCP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.opentsdbListenAddr }} + {{- end }} + {{- if .Values.server.extraArgs.opentsdbListenAddr }} + - name: opentsdb-udp + protocol: UDP + containerPort: {{ include "split-host-port" .Values.server.extraArgs.opentsdbListenAddr }} + {{- end }} + {{- with $.Values.server.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with $.Values.server.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with $.Values.server.startupProbe }} + startupProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.server.resources | nindent 12 }} + volumeMounts: + - name: server-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: {{ .Values.server.persistentVolume.subPath }} + {{- if .Values.server.scrape.enabled }} + - name: scrapeconfig + mountPath: /scrapeconfig + {{- end }} + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- with .Values.server.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.server.vmbackupmanager.enable }} + - name: {{ template "victoria-metrics.name" . }}-vmbackupmanager + image: "{{ .Values.server.vmbackupmanager.image.repository }}:{{ .Values.server.vmbackupmanager.image.tag }}" + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + args: + - {{ printf "%s=%t" "--eula" .Values.server.vmbackupmanager.eula | quote}} + - {{ printf "%s=%t" "--disableHourly" .Values.server.vmbackupmanager.disableHourly | quote}} + - {{ printf "%s=%t" "--disableDaily" .Values.server.vmbackupmanager.disableDaily | quote}} + - {{ printf "%s=%t" "--disableWeekly" .Values.server.vmbackupmanager.disableWeekly | quote}} + - {{ printf "%s=%t" "--disableMonthly" .Values.server.vmbackupmanager.disableMonthly | quote}} + - {{ printf "%s=%d" "--keepLastHourly" (int .Values.server.vmbackupmanager.retention.keepLastHourly) | quote}} + - {{ printf "%s=%d" "--keepLastDaily" (int .Values.server.vmbackupmanager.retention.keepLastDaily) | quote}} + - {{ printf "%s=%d" "--keepLastWeekly" (int .Values.server.vmbackupmanager.retention.keepLastWeekly) | quote}} + - {{ printf "%s=%d" "--keepLastMonthly" (int .Values.server.vmbackupmanager.retention.keepLastMonthly) | quote}} + - {{ printf "%s=%s" "--dst" (printf "%s/%s" .Values.server.vmbackupmanager.destination (include "victoria-metrics.name" .) ) | quote}} + - {{ printf "%s=%s" "--storageDataPath" .Values.server.persistentVolume.mountPath | quote}} + - "--snapshot.createURL=http://localhost:8428/snapshot/create" + - "--snapshot.deleteURL=http://localhost:8428/snapshot/delete" + {{- range $key, $value := .Values.server.vmbackupmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- with .Values.server.vmbackupmanager.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} + {{- with $.Values.server.vmbackupmanager.livenessProbe }} + livenessProbe: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with $.Values.server.vmbackupmanager.readinessProbe }} + readinessProbe: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.server.vmbackupmanager.env }} + env: {{ toYaml . | nindent 12 }} + {{- end }} + ports: + - name: manager-http + containerPort: 8300 + volumeMounts: + - name: server-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: {{ .Values.server.persistentVolume.subPath }} + {{- end }} + {{- with .Values.server.extraContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.imagePullSecrets | indent 2 }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.server.securityContext }} + securityContext: +{{ toYaml .Values.server.securityContext | indent 8 }} + {{- end }} + serviceAccountName: {{ template "victoria-metrics.serviceAccountName" . }} + {{- if .Values.server.tolerations }} + tolerations: +{{ toYaml .Values.server.tolerations | indent 8 }} + {{- end }} + {{- with .Values.server.affinity }} + affinity: {{ toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + volumes: + {{- if .Values.server.scrape.enabled }} + - name: scrapeconfig + configMap: + name: {{ include "victoria-metrics.server.scrape.configname" . }} + {{- end }} + {{- if not .Values.server.persistentVolume.enabled }} + - name: server-volume + emptyDir: {} + {{- else }} + {{- if .Values.server.persistentVolume.existingClaim }} + - name: server-volume + persistentVolumeClaim: + claimName: {{ .Values.server.persistentVolume.existingClaim }} + {{- end }} + {{- end }} + {{- with .Values.server.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if and .Values.server.persistentVolume.enabled (not .Values.server.persistentVolume.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: server-volume + {{- if .Values.server.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.server.persistentVolume.annotations | indent 10 }} + {{- end }} + spec: + accessModes: +{{ toYaml .Values.server.persistentVolume.accessModes | indent 10 }} + resources: + requests: + storage: "{{ .Values.server.persistentVolume.size }}" + {{- if .Values.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" + {{- end }} + {{- end }} + {{- with .Values.server.persistentVolume.matchLabels }} + selector: + matchLabels: + {{- toYaml . | nindent 12 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/serviceaccount.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/serviceaccount.yaml new file mode 100644 index 000000000..ebb616800 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "victoria-metrics.common.metaLabels" . | nindent 4 }} + {{- if .Values.serviceAccount.extraLabels }} +{{ toYaml .Values.serviceAccount.extraLabels | indent 4}} + {{- end }} +{{- with .Values.serviceAccount.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + name: {{ template "victoria-metrics.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/values.yaml b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/values.yaml new file mode 100644 index 000000000..cbfeaa81d --- /dev/null +++ b/charts/asserts/asserts/1.11.0/charts/victoria-metrics-single/values.yaml @@ -0,0 +1,627 @@ +# Default values for victoria-metrics. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +clusterDomain: svc.cluster.local + +rbac: + create: true + pspEnabled: true + namespaced: false + extraLabels: {} + # annotations: {} + +# -- Print chart notes +printNotes: true + +serviceAccount: + # -- Create service account. + create: true + # name: + extraLabels: {} + # annotations: {} + # -- Mount API token to pod directly + automountToken: true + +automountServiceAccountToken: true + +podDisruptionBudget: + # -- See `kubectl explain poddisruptionbudget.spec` for more. Ref: [https://kubernetes.io/docs/tasks/run-application/configure-pdb/](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + enabled: false + # minAvailable: 1 + # maxUnavailable: 1 + extraLabels: {} + +server: + # -- Enable deployment of server component. Deployed as StatefulSet + enabled: true + # -- Server container name + name: server + image: + # -- Image repository + repository: victoriametrics/victoria-metrics + # -- Image tag + tag: v1.69.0 + # -- Image pull policy + pullPolicy: IfNotPresent + # -- Name of Priority Class + priorityClassName: "" + # -- Overrides the full name of server component + fullnameOverride: + # -- Data retention period in month + retentionPeriod: 1 + # Extra command line arguments for container of component + extraArgs: + envflag.enable: "true" + envflag.prefix: VM_ + loggerFormat: json + + # Additional hostPath mounts + extraHostPathMounts: + [] + + # Extra Volumes for the pod + extraVolumes: + [] + + # Extra Volume Mounts for the container + extraVolumeMounts: + [] + # - name: example + # mountPath: /example + + extraContainers: + [] + + initContainers: + [] + # - name: vmrestore + # image: victoriametrics/vmrestore:latest + # volumeMounts: + # - mountPath: /storage + # name: vmstorage-volume + # - mountPath: /etc/vm/creds + # name: secret-remote-storage-keys + # readOnly: true + # args: + # - -storageDataPath=/storage + # - -src=s3://your_bucket/folder/latest + # - -credsFilePath=/etc/vm/creds/credentials + + # -- Node tolerations for server scheduling to nodes with taints. Ref: [https://kubernetes.io/docs/concepts/configuration/assign-pod-node/](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) + tolerations: + [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule" + + # -- Pod's node selector. Ref: [https://kubernetes.io/docs/user-guide/node-selection/](https://kubernetes.io/docs/user-guide/node-selection/) + nodeSelector: {} + + # -- Pod affinity + affinity: {} + + # -- Env variables + # -- Additional environment variables (ex.: secret tokens, flags) https://github.com/VictoriaMetrics/VictoriaMetrics#environment-variables + env: [] + # -- Container workdir + containerWorkingDir: "" + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + persistentVolume: + # -- Create/use Persistent Volume Claim for server component. Empty dir if false + enabled: true + + # -- Array of access modes. Must match those of existing PV or dynamic provisioner. Ref: [http://kubernetes.io/docs/user-guide/persistent-volumes/](http://kubernetes.io/docs/user-guide/persistent-volumes/) + accessModes: + - ReadWriteOnce + # -- Persistant volume annotations + annotations: {} + + # -- StorageClass to use for persistent volume. Requires server.persistentVolume.enabled: true. If defined, PVC created automatically + storageClass: "" + + # -- Existing Claim name. If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + # -- Bind Persistent Volume by labels. Must match all labels of targeted PV. + matchLabels: {} + + # -- Mount path. Server data Persistent Volume mount root path. + mountPath: /storage + # -- Mount subpath + subPath: "" + # -- Size of the volume. Better to set the same as resource limit memory property. + size: 16Gi + + # -- Sts/Deploy additional labels + extraLabels: {} + # -- Pod's additional labels + podLabels: {} + # -- Pod's annotations + podAnnotations: {} + # -- Pod's management policy + podManagementPolicy: OrderedReady + + # -- Resource object. Ref: [http://kubernetes.io/docs/user-guide/compute-resources/](http://kubernetes.io/docs/user-guide/compute-resources/ + resources: + {} + # limits: + # cpu: 500m + # memory: 512Mi + # requests: + # cpu: 500m + # memory: 512Mi + + # Indicates whether the Container is ready to service requests. If the readiness probe fails, the endpoints controller removes the Pod's IP address from the endpoints of all Services that match the Pod. The default state of readiness before the initial delay is Failure. If a Container does not provide a readiness probe, the default state is Success. + readinessProbe: + httpGet: + path: /health + port: http + initialDelaySeconds: 5 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 3 + + # Indicates whether the Container is running. If the liveness probe fails, the kubelet kills the Container, and the Container is subjected to its restart policy. If a Container does not provide a liveness probe, the default state is Success. + livenessProbe: + tcpSocket: + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 10 + + # Indicates whether the Container is done with potentially costly initialization. If set it is executed first. If it fails Container is restarted. If it succeeds liveness and readiness probes takes over. + startupProbe: {} + + # -- Security context to be added to server pods + securityContext: {} + # -- Pod's security context. Ref: [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + podSecurityContext: {} + ingress: + # -- Enable deployment of ingress for server component + enabled: false + # -- Ingress annotations + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + # -- Ingress extra labels + extraLabels: {} + # -- Array of host objects + hosts: [] + # - name: vmselect.local + # path: /select + # port: http + + # -- Array of TLS objects + tls: [] + # - secretName: vmselect-ingress-tls + # hosts: + # - vmselect.local + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # -- pathType is only for k8s >= 1.1= + pathType: Prefix + + vmbackupmanager: + # -- enable automatic creation of backup via vmbackupmanager. vmbackupmanager is part of Enterprise packages + enable: false + # -- should be true and means that you have the legal right to run a backup manager + # that can either be a signed contract or an email with confirmation to run the service in a trial period + # https://victoriametrics.com/assets/VM_EULA.pdf + eula: false + image: + # -- vmbackupmanager image repository + repository: victoriametrics/vmbackupmanager + # -- vmbackupmanager image tag + tag: v1.69.0-enterprise + # -- disable hourly backups + disableHourly: false + # -- disable daily backups + disableDaily: false + # -- disable weekly backups + disableWeekly: false + # -- disable monthly backups + disableMonthly: false + # -- backup destination at S3, GCS or local filesystem. Release name will be included to path! + destination: "" + # -- backups' retention settings + retention: + # -- keep last N hourly backups. 0 means delete all existing hourly backups. Specify -1 to turn off + keepLastHourly: 2 + # -- keep last N daily backups. 0 means delete all existing daily backups. Specify -1 to turn off + keepLastDaily: 2 + # -- keep last N weekly backups. 0 means delete all existing weekly backups. Specify -1 to turn off + keepLastWeekly: 2 + # -- keep last N monthly backups. 0 means delete all existing monthly backups. Specify -1 to turn off + keepLastMonthly: 2 + extraArgs: + envflag.enable: "true" + envflag.prefix: VM_ + loggerFormat: json + resources: {} + # -- Additional environment variables (ex.: secret tokens, flags) https://github.com/VictoriaMetrics/VictoriaMetrics#environment-variables + env: [] + readinessProbe: + httpGet: + path: /health + port: manager-http + initialDelaySeconds: 5 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 3 + livenessProbe: + tcpSocket: + port: manager-http + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 10 + service: + # -- Service annotations + annotations: {} + # -- Service labels + labels: {} + # -- Service ClusterIP + clusterIP: "" + # -- Service External IPs. Ref: [https://kubernetes.io/docs/user-guide/services/#external-ips]( https://kubernetes.io/docs/user-guide/services/#external-ips) + externalIPs: [] + # -- Service load balacner IP + loadBalancerIP: "" + # -- Load balancer source range + loadBalancerSourceRanges: [] + # -- Service port + servicePort: 8428 + # -- Service type + type: ClusterIP + statefulSet: + # -- Creates statefulset instead of deployment, useful when you want to keep the cache + enabled: true + # -- Deploy order policy for StatefulSet pods + podManagementPolicy: OrderedReady + # Headless service for statefulset + service: + # -- Headless service annotations + annotations: {} + # -- Headless service labels + labels: {} + # -- Headless service port + servicePort: 8428 + # -- Pod's termination grace period in seconds + terminationGracePeriodSeconds: 60 + serviceMonitor: + # -- Enable deployment of Service Monitor for server component. This is Prometheus operator object + enabled: false + # -- Service Monitor labels + extraLabels: {} + # -- Service Monitor annotations + annotations: {} + # -- Commented. Prometheus scare interval for server component +# interval: 15s + # -- Commented. Prometheus pre-scrape timeout for server component +# scrapeTimeout: 5s + + # -- Scrape configuration for victoriametrics + scrape: + # -- If true scrapes targets, creates config map or use specified one with scrape targets + enabled: false + # -- scrape config path + configPath: /scrapeconfig/scrape.yml + # -- Use existing configmap if specified + # otherwise .config values will be used + configMap: "" + # -- Scrape config + config: + global: + scrape_interval: 15s + + # -- Scrape targets + scrape_configs: + # -- Scrape rule for scrape victoriametrics + - job_name: victoriametrics + static_configs: + - targets: ["localhost:8428"] + + ## COPY from Prometheus helm chart https://github.com/helm/charts/blob/master/stable/prometheus/values.yaml + + # -- Scrape config for API servers. + # + # Kubernetes exposes API servers as endpoints to the default/kubernetes + # service so this uses `endpoints` role and uses relabelling to only keep + # the endpoints associated with the default/kubernetes service using the + # default named port `https`. This works for single API server deployments as + # well as HA API server deployments. + - job_name: "kubernetes-apiservers" + kubernetes_sd_configs: + - role: endpoints + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # Keep only the default/kubernetes service endpoints for the https port. This + # will add targets for each API server which Kubernetes adds an endpoint to + # the default/kubernetes service. + relabel_configs: + - source_labels: + [ + __meta_kubernetes_namespace, + __meta_kubernetes_service_name, + __meta_kubernetes_endpoint_port_name, + ] + action: keep + regex: default;kubernetes;https + # -- Scrape rule using kubernetes service discovery for nodes + - job_name: "kubernetes-nodes" + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics + # -- Scrape rule using kubernetes service discovery for cadvisor + - job_name: "kubernetes-nodes-cadvisor" + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + # This configuration will work only on kubelet 1.7.3+ + # As the scrape endpoints for cAdvisor have changed + # if you are using older version you need to change the replacement to + # replacement: /api/v1/nodes/$1:4194/proxy/metrics + # more info here https://github.com/coreos/prometheus-operator/issues/633 + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + + # -- Scrape config for service endpoints. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape`: Only scrape services that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. + # -- Scrape rule using kubernetes service discovery for endpoints + - job_name: "kubernetes-service-endpoints" + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: drop + source_labels: [__meta_kubernetes_pod_container_init] + regex: true + - action: keep_if_equal + source_labels: [__meta_kubernetes_service_annotation_prometheus_io_port, __meta_kubernetes_pod_container_port_number] + - source_labels: + [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: + [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: + [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: + [ + __address__, + __meta_kubernetes_service_annotation_prometheus_io_port, + ] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: kubernetes_node + # -- Scrape config for slow service endpoints; same as above, but with a larger + # timeout and a larger interval + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape-slow`: Only scrape services that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. + - job_name: "kubernetes-service-endpoints-slow" + scrape_interval: 5m + scrape_timeout: 30s + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: drop + source_labels: [__meta_kubernetes_pod_container_init] + regex: true + - action: keep_if_equal + source_labels: [__meta_kubernetes_service_annotation_prometheus_io_port, __meta_kubernetes_pod_container_port_number] + - source_labels: + [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow] + action: keep + regex: true + - source_labels: + [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: + [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: + [ + __address__, + __meta_kubernetes_service_annotation_prometheus_io_port, + ] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: kubernetes_node + # -- Example scrape config for probing services via the Blackbox Exporter. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/probe`: Only probe services that have a value of `true` + - job_name: "kubernetes-services" + metrics_path: /probe + params: + module: [http_2xx] + kubernetes_sd_configs: + - role: service + relabel_configs: + - source_labels: + [__meta_kubernetes_service_annotation_prometheus_io_probe] + action: keep + regex: true + - source_labels: [__address__] + target_label: __param_target + - target_label: __address__ + replacement: blackbox + - source_labels: [__param_target] + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + target_label: kubernetes_name + # -- Example scrape config for pods + # + # The relabeling allows the actual pod scrape endpoint to be configured via the + # following annotations: + # + # * `prometheus.io/scrape`: Only scrape pods that have a value of `true` + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`. + - job_name: "kubernetes-pods" + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: drop + source_labels: [__meta_kubernetes_pod_container_init] + regex: true + - action: keep_if_equal + source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_container_port_number] + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: + [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: kubernetes_pod_name + ## End of COPY + + # -- Extra scrape configs that will be appended to `server.scrape.config` + extraScrapeConfigs: [] diff --git a/charts/asserts/asserts/1.11.0/templates/_helpers.tpl b/charts/asserts/asserts/1.11.0/templates/_helpers.tpl new file mode 100644 index 000000000..d8e251951 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/templates/_helpers.tpl @@ -0,0 +1,132 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "asserts.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "asserts.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "asserts.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "asserts.labels" -}} +helm.sh/chart: {{ include "asserts.chart" . }} +{{ include "asserts.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "asserts.selectorLabels" -}} +app.kubernetes.io/name: {{ include "asserts.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "asserts.serviceAccountName" -}} +asserts +{{- end }} + +{{/* +Return the proper Storage Class +{{ include "asserts.storageClass" . }} +*/}} +{{- define "asserts.storageClass" -}} + +{{- $storageClass := .Values.server.persistence.storageClass -}} +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} + +{{/* +The asserts tenant name +{{ include "asserts.tenant" . }} +*/}} +{{- define "asserts.tenant" -}} +bootstrap +{{- end }} + +{{/* +Get KubeVersion removing pre-release information. +*/}} +{{- define "kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "kubeVersion" .)) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "ingress.isStable" -}} + {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "ingress.supportsIngressClassName" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "kubeVersion" .))) -}} +{{- end -}} + +{{/* +Return if ingress supports pathType. +*/}} +{{- define "ingress.supportsPathType" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "kubeVersion" .))) -}} +{{- end -}} + +{{/* +Return the domain to use +{{ include "domain" . }} +*/}} +{{- define "domain" -}} +{{ .Release.Namespace }}.{{ .Values.clusterDomain }} +{{- end -}} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/templates/alertmanager-templates/_pagerduty.tpl b/charts/asserts/asserts/1.11.0/templates/alertmanager-templates/_pagerduty.tpl new file mode 100644 index 000000000..e65e4b913 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/templates/alertmanager-templates/_pagerduty.tpl @@ -0,0 +1,37 @@ +{{/* +PagerDuty template +*/}} +{{- define "pagerduty.template" -}} +{{- $assertsUrl := .Values.assertsUrl }} +{{- $plus30min := "%2B30m" }} +{{- printf "\n {{ define \"pagerduty.notification.description\" -}}" -}} +{{- printf "\n [{{ .Status | toUpper }}{{ if eq .Status \"firing\" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ .CommonLabels.asserts_notification_rule_name }}" -}} +{{- printf "\n {{- if .CommonLabels.job }} for {{ .CommonLabels.job }}" -}} +{{- printf "\n {{- else if .CommonLabels.service }} for {{ .CommonLabels.service }}" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n " -}} +{{- printf "\n {{ define \"pagerduty.notification.link.incidents\" -}}" -}} +{{- printf "\n %s/incidents?start={{(index .Alerts 0).StartsAt.Unix}}000-30m&end={{(index .Alerts 0).StartsAt.Unix}}000%s&search={{ .CommonLabels.asserts_notification_rule_name }}" $assertsUrl $plus30min -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n " -}} +{{- printf "\n {{ define \"pagerduty.notification.link.insights\" -}}" -}} +{{- printf "\n %s/insights/top?start={{(index .Alerts 0).StartsAt.Unix}}000-30m&end={{(index .Alerts 0).StartsAt.Unix}}000%s&search={{ .CommonLabels.asserts_assertion_name }}" $assertsUrl $plus30min -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n " -}} +{{- printf "\n {{/* PagerDuty Slo */}}" -}} +{{- printf "\n {{ define \"pagerduty.slo.description\" -}}" -}} +{{- printf "\n [{{ .Status | toUpper }}]: Elevated burn rate on SLO \"{{ .GroupLabels.asserts_slo_name }}\"" -}} +{{- printf "\n " -}} +{{- printf "\n Asserts has detected an elevated burn rate on the \"{{ .GroupLabels.asserts_slo_name }}\" service level objective. These compliance windows are off track:" -}} +{{- printf "\n {{ range .Alerts }} {{ if .Annotations.description }}*Description:* {{ printf \"%s%s\" .Annotations.description }}{{ end }}{{ end }}" "%s" "\\n" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n " -}} +{{- printf "\n {{ define \"pagerduty.slo.link.incidents\" -}}" -}} +{{- printf "\n %s/incidents?start={{(index .Alerts 0).StartsAt.Unix}}000-30m&end={{(index .Alerts 0).StartsAt.Unix}}000%s&search={{ .GroupLabels.asserts_slo_name }}" $assertsUrl $plus30min -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n " -}} +{{- printf "\n {{ define \"pagerduty.slo.link.assertions\" -}}" -}} +{{- printf "\n %s/assertions?slo_name={{.CommonLabels.asserts_slo_name}}&start={{(index .Alerts 0).StartsAt.Unix}}000-30m&end={{(index .Alerts 0).StartsAt.Unix}}000%s" $assertsUrl $plus30min -}} +{{- printf "\n {{- end }}" -}} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/templates/alertmanager-templates/_slack.tpl b/charts/asserts/asserts/1.11.0/templates/alertmanager-templates/_slack.tpl new file mode 100644 index 000000000..f71513cd7 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/templates/alertmanager-templates/_slack.tpl @@ -0,0 +1,62 @@ +{{/* +Slack template +*/}} +{{- define "slack.template" -}} +{{- $assertsUrl := .Values.assertsUrl }} +{{- $plus30min := "%2B30m" }} +{{- printf "{{/* Slack Notification */}}\n " -}} +{{- printf "\n {{ define \"slack.notification.icon_url\" -}}" -}} +{{- printf "\n https://avatars.slack-edge.com/2021-08-06/2380420447616_6fa2cce9f76fca45b41d_512.png" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n " -}} +{{- printf "\n {{ define \"slack.notification.title\" -}}" -}} +{{- printf "\n [{{ .Status | toUpper }}{{ if eq .Status \"firing\" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ .CommonLabels.asserts_notification_rule_name }}" -}} +{{- printf "\n {{- if .CommonLabels.job }} for {{ .CommonLabels.job }}" -}} +{{- printf "\n {{- else if .CommonLabels.service }} for {{ .CommonLabels.service }}" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n " -}} +{{- printf "\n {{ define \"slack.notification.text\" -}}" -}} +{{- printf "\n {{- if eq .Status \"firing\" }}" -}} +{{- printf "\n :warning: *<%s/incidents?start={{(index .Alerts 0).StartsAt.Unix}}000-30m&end={{(index .Alerts 0).StartsAt.Unix}}000%s&search={{ .CommonLabels.asserts_notification_rule_name }}|View Impact>*" $assertsUrl $plus30min -}} +{{- printf "\n :fire: *<%s/insights/top?start={{(index .Alerts 0).StartsAt.Unix}}000-30m&end={{(index .Alerts 0).StartsAt.Unix}}000%s&search={{ .CommonLabels.asserts_assertion_name }}|Start Troubleshooting>*" $assertsUrl $plus30min -}} +{{- printf "\n *Alert details*:" -}} +{{- printf "\n " -}} +{{- printf "\n {{ range .Alerts -}}" -}} +{{- printf "\n {{ if .Annotations.description }}*Description:* {{ .Annotations.description }}{{ end }}" -}} +{{- printf "\n " -}} +{{- printf "\n {{ range .Labels.SortedPairs -}}" -}} +{{- printf "\n {{- if eq .Name \"source_alertname\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"asserts_env\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"asserts_site\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"deployment\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"statefulset\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"daemonset\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"replicaset\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"job\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"asserts_severity\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"asserts_request_type\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"asserts_error_type\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"asserts_request_context\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"instance\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- if eq .Name \"pod\" }} • *{{ .Name }}:* `{{ .Value }}`{{ end }}" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n " -}} +{{- printf "\n {{/* Slack Slo */}}" -}} +{{- printf "\n {{ define \"slack.slo.title\" -}}" -}} +{{- printf "\n [{{ .Status | toUpper }}]: Elevated burn rate on SLO \"{{ .GroupLabels.asserts_slo_name }}\"" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n " -}} +{{- printf "\n {{ define \"slack.slo.text\" -}}" -}} +{{- printf "\n {{- if eq .Status \"firing\" }}" -}} +{{- printf "\n :warning: *<%s/incidents?start={{(index .Alerts 0).StartsAt.Unix}}000-30m&end={{(index .Alerts 0).StartsAt.Unix}}000%s&search={{ .GroupLabels.asserts_slo_name }}|View Impact>*" $assertsUrl $plus30min -}} +{{- printf "\n :fire: *<%s/assertions?slo_name={{.CommonLabels.asserts_slo_name}}&start={{(index .Alerts 0).StartsAt.Unix}}000-30m&end={{(index .Alerts 0).StartsAt.Unix}}000%s|Start Troubleshooting>*" $assertsUrl $plus30min -}} +{{- printf "\n " -}} +{{- printf "\n Asserts has detected an elevated burn rate on the \"{{ .GroupLabels.asserts_slo_name }}\" service level objective. These compliance windows are off track:" -}} +{{- printf "\n {{ range .Alerts }} {{ if .Annotations.description }}*Description:* {{ printf \"%s%s\" .Annotations.description }}{{ end }}{{ end }}" "%s" "\\n" -}} +{{- printf "\n {{- end }}" -}} +{{- printf "\n {{- end }}" -}} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/templates/config/alertmanager-configmap.yaml b/charts/asserts/asserts/1.11.0/templates/config/alertmanager-configmap.yaml new file mode 100644 index 000000000..4548a1f7d --- /dev/null +++ b/charts/asserts/asserts/1.11.0/templates/config/alertmanager-configmap.yaml @@ -0,0 +1,122 @@ +{{- if .Values.alertmanager.existingConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.alertmanager.existingConfigMap }} + labels: {{- include "asserts.labels" . | nindent 4 }} +data: + alertmanager.yml: | + global: + resolve_timeout: 5m + route: + # setup for a single Asserts tenant + group_by: + - alertname + - asserts_notification_rule_name + - source_alertname + - asserts_slo_name + - namespace + receiver: {{ include "asserts.tenant" . }}-tenant + repeat_interval: 5m + group_wait: 5s + group_interval: 5s + routes: + - receiver: {{ include "asserts.tenant" . }}-tenant + group_wait: 5s + group_interval: 5s + routes: + - receiver: {{ include "asserts.tenant" . }}-tenant + group_wait: 5s + group_interval: 5s + continue: true + {{- if and (.Values.assertsUrl) (.Values.slack.enabled) }} + - receiver: slack-notification + matchers: + - alertname="NOTIFICATION_ALERTS" + - asserts_slo_name = "" + group_wait: {{ .Values.receiver.group_wait }} + group_interval: {{ .Values.receiver.group_interval }} + repeat_interval: {{ .Values.receiver.repeat_interval }} + continue: true + - receiver: slack-slo + matchers: + - asserts_slo_name != "" + group_wait: {{ .Values.receiver.group_wait }} + group_interval: {{ .Values.receiver.group_interval }} + repeat_interval: {{ .Values.receiver.repeat_interval }} + continue: true + {{- end }} + {{- if and (.Values.assertsUrl) (.Values.pagerduty.enabled) }} + - receiver: pagerduty-notification + matchers: + - alertname="NOTIFICATION_ALERTS" + - asserts_slo_name = "" + group_wait: {{ .Values.receiver.group_wait }} + group_interval: {{ .Values.receiver.group_interval }} + repeat_interval: {{ .Values.receiver.repeat_interval }} + continue: true + - receiver: pagerduty-slo + matchers: + - asserts_slo_name != "" + group_wait: {{ .Values.receiver.group_wait }} + group_interval: {{ .Values.receiver.group_interval }} + repeat_interval: {{ .Values.receiver.repeat_interval }} + {{- end }} + receivers: + - name: {{ include "asserts.tenant" . }}-tenant + webhook_configs: + - send_resolved: true + url: http://{{ .Release.Name }}-server.{{ include "domain" . }}:8030/api-server/v4/prometheus-alerts?tenant={{ include "asserts.tenant" . }} + {{- if and (.Values.assertsUrl) (.Values.slack.enabled) }} + - name: slack-notification + slack_configs: + - api_url: {{ .Values.slack.api_url }} + channel: {{ .Values.slack.channel }} + icon_url: {{- printf " '{{ template \"slack.notification.icon_url\" . }}'" }} + send_resolved: true + title_link: '' + title: {{- printf " '{{ template \"slack.notification.title\" . }}'" }} + text: {{- printf " '{{ template \"slack.notification.text\" . }}'" }} + - name: slack-slo + slack_configs: + - api_url: {{ .Values.slack.api_url }} + channel: {{ .Values.slack.channel }} + icon_url: {{- printf " '{{ template \"slack.notification.icon_url\" . }}'" }} + send_resolved: true + title_link: '' + title: {{- printf " '{{ template \"slack.slo.title\" . }}'" }} + text: {{- printf " '{{ template \"slack.slo.text\" . }}'" }} + {{- end }} + {{- if and (.Values.assertsUrl) (.Values.pagerduty.enabled) }} + - name: pagerduty-notification + pagerduty_configs: + - routing_key: {{ .Values.pagerduty.routing_key }} + url: {{ .Values.pagerduty.url }} + description: {{- printf " '{{ template \"pagerduty.notification.description\" . }}'" }} + links: + - text: View Impact + href: {{- printf " '{{ template \"pagerduty.notification.link.incidents\" . }}'" }} + - text: Start Troubleshooting + href: {{- printf " '{{ template \"pagerduty.notification.link.insights\" . }}'" }} + - name: pagerduty-slo + pagerduty_configs: + - routing_key: {{ .Values.pagerduty.routing_key }} + url: {{ .Values.pagerduty.url }} + description: {{- printf " '{{ template \"pagerduty.slo.description\" . }}'" }} + links: + - text: View Impact + href: {{- printf " '{{ template \"pagerduty.slo.link.incidents\" . }}'" }} + - text: Start Troubleshooting + href: {{- printf " '{{ template \"pagerduty.slo.link.assertions\" . }}'" }} + {{- end }} + templates: + - '/etc/alertmanager/*.tmpl' + {{- if and (.Values.assertsUrl) (.Values.slack.enabled) }} + slack.tmpl: |- + {{ include "slack.template" . }} + {{- end }} + {{- if and (.Values.assertsUrl) (.Values.pagerduty.enabled) }} + pagerduty.tmpl: |- + {{ include "pagerduty.template" . }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/templates/config/k8s-calls-rules-configmap.yaml b/charts/asserts/asserts/1.11.0/templates/config/k8s-calls-rules-configmap.yaml new file mode 100644 index 000000000..06610cb75 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/templates/config/k8s-calls-rules-configmap.yaml @@ -0,0 +1,110 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: asserts-k8s-calls-rules + labels: {{- include "asserts.labels" . | nindent 4 }} +data: + asserts-k8s-calls.yml: | + groups: + - name: asserts-k8s-calls.rules + rules: + # asserts-ui -> asserts-server + - record: asserts:relation:calls + expr: sum by (asserts_env, asserts_site, namespace) + (asserts:request:rate5m{job="{{.Release.Name}}-server", namespace="{{.Release.Namespace}}", asserts_request_context=~"/v1/.*"}) > 0 + labels: + workload: {{.Release.Name}}-ui + dst_workload: {{.Release.Name}}-server + dst_namespace: {{.Release.Namespace}} + + # asserts-server -> postgres + - record: asserts:relation:calls + expr: sum by (asserts_env, asserts_site, namespace, job) + (asserts:request:rate5m{job="{{.Release.Name}}-postgres-metrics", namespace="{{.Release.Namespace}}", asserts_request_context="records_written"}) > 0 + labels: + job: {{.Release.Name}}-server + dst_job: {{.Values.postgres.fullnameOverride}} + dst_namespace: {{.Release.Namespace}} + + # asserts-server -> redisearch + - record: asserts:relation:calls + expr: sum by (asserts_env, asserts_site, namespace, job) + (asserts:request:rate5m{job="{{.Release.Name}}-server", namespace="{{.Release.Namespace}}", asserts_request_context=~".*Search.*"}) > 0 + labels: + dst_job: {{.Values.redisearch.fullnameOverride}}-metrics + dst_namespace: {{.Release.Namespace}} + + # asserts-server -> redisgraph + - record: asserts:relation:calls + expr: sum by (asserts_env, asserts_site, namespace, job) + (asserts:request:rate5m{job="{{.Release.Name}}-server", namespace="{{.Release.Namespace}}", asserts_request_context=~".*Graph.*"}) > 0 + labels: + dst_job: {{.Values.redisgraph.fullnameOverride}}-metrics + dst_namespace: {{.Release.Namespace}} + + # asserts-server -> tsdb-server + - record: asserts:relation:calls + expr: sum by (asserts_env, asserts_site, namespace, job) + (asserts:request:rate5m{job="{{.Release.Name}}-server", namespace="{{.Release.Namespace}}", asserts_request_context=~"/api/v1/.*"}) > 0 + labels: + dst_job: {{.Release.Name}}-tsdb-server + dst_namespace: {{.Release.Namespace}} + + # knowledge-sensor -> asserts-server + - record: asserts:relation:calls + expr: sum by (asserts_env, asserts_site, namespace) + (asserts:request:rate5m{job="{{.Release.Name}}-server", namespace="{{.Release.Namespace}}", asserts_request_context="/v4/prometheus/rules"}) > 0 + labels: + workload: {{.Release.Name}}-knowledge-sensor + dst_workload: {{.Release.Name}}-server + dst_namespace: {{.Release.Namespace}} + + # promxy -> tsdb-server + - record: asserts:relation:calls + expr: sum by (asserts_env, asserts_site, namespace, job) + (asserts:request:rate5m{job="{{.Release.Name}}-tsdb-server", asserts_request_context="/api/v1/write"}) > 0 + labels: + job: {{.Release.Name}}-promxyruler + dst_job: {{.Release.Name}}-tsdb-server + dst_namespace: {{.Release.Namespace}} + + # promxy -> alertmanager + - record: asserts:relation:calls + expr: sum by (asserts_env, asserts_site, namespace, container, job, asserts_request_type, asserts_request_context) + (rate(asserts:request:total{job="asserts-promxyruler", alertmanager=~".*/api/v2/alerts"}[5m])) > 0 + labels: + dst_job: {{.Release.Name}}-alertmanager + dst_namespace: {{.Release.Namespace}} + + # alertmanager -> asserts-server + - record: asserts:relation:calls + expr: sum by (asserts_env, asserts_site, namespace) + (asserts:request:rate5m{job="{{.Release.Name}}-server", namespace="{{.Release.Namespace}}", asserts_request_context=~".*prometheus-alerts.*"}) > 0 + labels: + job: {{.Release.Name}}-alertmanager + dst_job: {{.Release.Name}}-server + dst_namespace: {{.Release.Namespace}} + + # asserts-server -> grafana + - record: asserts:relation:calls + expr: sum by (job, namespace, asserts_env, asserts_site) + (rate(http_server_requests_seconds_count{job="{{.Release.Name}}-server", uri="root"}[5m])) > 0 + labels: + dst_job: {{.Release.Name}}-grafana + dst_namespace: {{.Release.Namespace}} + + # grafana -> tsdb-server + - record: asserts:relation:calls + expr: sum by (job, namespace, asserts_env, asserts_site) + (rate(grafana_datasource_request_total{job="{{.Release.Name}}-grafana"}[5m])) > 0 + labels: + dst_job: {{.Release.Name}}-tsdb-server + dst_namespace: {{.Release.Namespace}} + + # grafana -> promxyuser + - record: asserts:relation:calls + expr: sum by (asserts_env, asserts_site, namespace, job) + (asserts:request:rate5m{job="{{.Release.Name}}-grafana", asserts_request_type="proxy"}) > 0 + labels: + dst_job: {{.Release.Name}}-promxyuser + dst_namespace: {{.Release.Namespace}} diff --git a/charts/asserts/asserts/1.11.0/templates/config/tsdb-scrape-configmap.yaml b/charts/asserts/asserts/1.11.0/templates/config/tsdb-scrape-configmap.yaml new file mode 100644 index 000000000..ceb623cea --- /dev/null +++ b/charts/asserts/asserts/1.11.0/templates/config/tsdb-scrape-configmap.yaml @@ -0,0 +1,979 @@ +{{- if .Values.tsdb.server.scrape.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: asserts-tsdb-scrapeconfig + labels: {{- include "asserts.labels" . | nindent 4 }} + {{- with .Values.tsdb.server.scrape.extraLabels }} + {{- toYaml . | nindent 4 -}} + {{- end }} + annotations: + k8s-sidecar-target-directory: {{ .Values.tsdb.server.scrape.configDir }} +data: + scrape.yml: | + global: + scrape_interval: {{.Values.grafana.scrapeInterval}} + + scrape_configs: + ### asserts-alerts: always scraped by the Asserts VM Instance ### + - job_name: asserts-alerts + kubernetes_sd_configs: + - namespaces: + names: + - {{ .Release.Namespace }} + role: endpoints + honor_labels: true + honor_timestamps: true + metric_relabel_configs: + - action: replace + regex: asserts-alerts + replacement: "" + source_labels: + - job + target_label: job + - action: replace + regex: dummy + replacement: "" + source_labels: + - instance + target_label: instance + - action: keep + regex: .+ + source_labels: + - tenant + metrics_path: /api-server/assertion-metrics + relabel_configs: + - action: keep + regex: asserts + replacement: $1 + separator: ; + source_labels: + - __meta_kubernetes_service_label_app_kubernetes_io_name + - action: keep + regex: {{ .Release.Name }} + replacement: $1 + separator: ; + source_labels: + - __meta_kubernetes_service_label_app_kubernetes_io_instance + - action: keep + regex: server + replacement: $1 + separator: ; + source_labels: + - __meta_kubernetes_service_label_app_kubernetes_io_component + - action: keep + regex: http + replacement: $1 + separator: ; + source_labels: + - __meta_kubernetes_endpoint_port_name + - action: replace + regex: (.+) + replacement: $1 + separator: ; + source_labels: + - job + target_label: source_job + - action: replace + regex: (.+) + replacement: $1 + separator: ; + source_labels: + - __address__ + target_label: source_instance + - action: replace + regex: Node;(.*) + replacement: ${1} + separator: ; + source_labels: + - __meta_kubernetes_endpoint_address_target_kind + - __meta_kubernetes_endpoint_address_target_name + target_label: source_node + - action: replace + regex: Pod;(.*) + replacement: ${1} + separator: ; + source_labels: + - __meta_kubernetes_endpoint_address_target_kind + - __meta_kubernetes_endpoint_address_target_name + target_label: source_pod + - action: replace + regex: (.*) + replacement: $1 + separator: ; + source_labels: + - __meta_kubernetes_namespace + target_label: source_namespace + - action: replace + regex: (.*) + replacement: $1 + separator: ; + source_labels: + - __meta_kubernetes_service_name + target_label: source_service + - action: replace + regex: (.*) + replacement: $1 + separator: ; + source_labels: + - __meta_kubernetes_pod_name + target_label: source_pod + scheme: http + scrape_interval: 30s + scrape_timeout: 15s + + {{- if or (not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")) (not (.Values.serviceMonitor.enabled)) }} + ### asserts services ### + - job_name: {{ .Release.Name }}-server + kubernetes_sd_configs: + - namespaces: + names: + - {{ .Release.Namespace }} + role: endpoints + honor_timestamps: true + metrics_path: /api-server/actuator/prometheus + relabel_configs: + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name] + separator: ; + regex: asserts + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_instance] + separator: ; + regex: {{ .Release.Name }} + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_component] + separator: ; + regex: server + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_port_name] + separator: ; + regex: http + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Node;(.*) + target_label: node + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Pod;(.*) + target_label: pod + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_namespace] + separator: ; + regex: (.*) + target_label: namespace + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: service + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_name] + separator: ; + regex: (.*) + target_label: pod + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_container_name] + separator: ; + regex: (.*) + target_label: container + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: job + replacement: ${1} + action: replace + - separator: ; + regex: (.*) + target_label: endpoint + replacement: http + action: replace + - separator: ; + regex: (.*) + target_label: endpoint + replacement: http + action: replace + # add tenant, asserts_env, & asserts_site + # to all remaining values metrics if applicable + - separator: ; + regex: (.*) + target_label: tenant + replacement: {{ include "asserts.tenant" . }} + action: replace + {{- if .Values.assertsClusterEnv }} + - separator: ; + regex: (.*) + target_label: asserts_env + replacement: {{ .Values.assertsClusterEnv }} + action: replace + {{- end }} + {{- if .Values.assertsClusterSite }} + - separator: ; + regex: (.*) + target_label: asserts_site + replacement: {{ .Values.assertsClusterSite }} + action: replace + {{- end }} + + - job_name: {{ .Release.Name }}-tsdb-server + kubernetes_sd_configs: + - namespaces: + names: + - {{ .Release.Namespace }} + role: endpoints + honor_timestamps: true + metrics_path: /metrics + relabel_configs: + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name] + separator: ; + regex: tsdb + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_instance] + separator: ; + regex: {{ .Release.Name }} + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_port_name] + separator: ; + regex: http + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Node;(.*) + target_label: node + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Pod;(.*) + target_label: pod + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_namespace] + separator: ; + regex: (.*) + target_label: namespace + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: service + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_name] + separator: ; + regex: (.*) + target_label: pod + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_container_name] + separator: ; + regex: (.*) + target_label: container + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: job + replacement: ${1} + action: replace + - separator: ; + regex: (.*) + target_label: endpoint + replacement: http + action: replace + # add tenant, asserts_env, & asserts_site + # to all remaining values metrics if applicable + - separator: ; + regex: (.*) + target_label: tenant + replacement: {{ include "asserts.tenant" . }} + action: replace + {{- if .Values.assertsClusterEnv }} + - separator: ; + regex: (.*) + target_label: asserts_env + replacement: {{ .Values.assertsClusterEnv }} + action: replace + {{- end }} + {{- if .Values.assertsClusterSite }} + - separator: ; + regex: (.*) + target_label: asserts_site + replacement: {{ .Values.assertsClusterSite }} + action: replace + {{- end }} + + - job_name: {{ .Release.Name }}-grafana + kubernetes_sd_configs: + - namespaces: + names: + - {{ .Release.Namespace }} + role: endpoints + honor_timestamps: true + metrics_path: /metrics + relabel_configs: + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name] + separator: ; + regex: asserts + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_component] + separator: ; + regex: grafana + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_port_name] + separator: ; + regex: http + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Node;(.*) + target_label: node + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Pod;(.*) + target_label: pod + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_namespace] + separator: ; + regex: (.*) + target_label: namespace + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: service + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_name] + separator: ; + regex: (.*) + target_label: pod + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_container_name] + separator: ; + regex: (.*) + target_label: container + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: job + replacement: ${1} + action: replace + - separator: ; + regex: (.*) + target_label: endpoint + replacement: http + action: replace + # add tenant, asserts_env, & asserts_site + # to all remaining values metrics if applicable + - separator: ; + regex: (.*) + target_label: tenant + replacement: {{ include "asserts.tenant" . }} + action: replace + {{- if .Values.assertsClusterEnv }} + - separator: ; + regex: (.*) + target_label: asserts_env + replacement: {{ .Values.assertsClusterEnv }} + action: replace + {{- end }} + {{- if .Values.assertsClusterSite }} + - separator: ; + regex: (.*) + target_label: asserts_site + replacement: {{ .Values.assertsClusterSite }} + action: replace + {{- end }} + + - job_name: {{ .Release.Name }}-alertmanager + kubernetes_sd_configs: + - namespaces: + names: + - {{ .Release.Namespace }} + role: endpoints + honor_timestamps: true + metrics_path: /metrics + relabel_configs: + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name] + separator: ; + regex: alertmanager + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_instance] + separator: ; + regex: {{ .Release.Name }} + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_port_name] + separator: ; + regex: http + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Node;(.*) + target_label: node + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Pod;(.*) + target_label: pod + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_namespace] + separator: ; + regex: (.*) + target_label: namespace + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: service + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_name] + separator: ; + regex: (.*) + target_label: pod + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_container_name] + separator: ; + regex: (.*) + target_label: container + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: job + replacement: ${1} + action: replace + - separator: ; + regex: (.*) + target_label: endpoint + replacement: http + action: replace + # add tenant, asserts_env, & asserts_site + # to all remaining values metrics if applicable + - separator: ; + regex: (.*) + target_label: tenant + replacement: {{ include "asserts.tenant" . }} + action: replace + {{- if .Values.assertsClusterEnv }} + - separator: ; + regex: (.*) + target_label: asserts_env + replacement: {{ .Values.assertsClusterEnv }} + action: replace + {{- end }} + {{- if .Values.assertsClusterSite }} + - separator: ; + regex: (.*) + target_label: asserts_site + replacement: {{ .Values.assertsClusterSite }} + action: replace + {{- end }} + + - job_name: {{.Values.postgres.fullnameOverride}} + kubernetes_sd_configs: + - namespaces: + names: + - {{ .Release.Namespace }} + role: endpoints + honor_timestamps: true + metrics_path: /metrics + relabel_configs: + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name] + separator: ; + regex: {{.Values.postgres.fullnameOverride}} + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_instance] + separator: ; + regex: {{ .Release.Name }} + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_component] + separator: ; + regex: metrics + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_port_name] + separator: ; + regex: http-metrics + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Node;(.*) + target_label: node + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Pod;(.*) + target_label: pod + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_namespace] + separator: ; + regex: (.*) + target_label: namespace + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: service + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_name] + separator: ; + regex: (.*) + target_label: pod + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_container_name] + separator: ; + regex: (.*) + target_label: container + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: job + replacement: ${1} + action: replace + - separator: ; + regex: (.*) + target_label: endpoint + replacement: http-metrics + action: replace + # add tenant, asserts_env, & asserts_site + # to all remaining values metrics if applicable + - separator: ; + regex: (.*) + target_label: tenant + replacement: {{ include "asserts.tenant" . }} + action: replace + {{- if .Values.assertsClusterEnv }} + - separator: ; + regex: (.*) + target_label: asserts_env + replacement: {{ .Values.assertsClusterEnv }} + action: replace + {{- end }} + {{- if .Values.assertsClusterSite }} + - separator: ; + regex: (.*) + target_label: asserts_site + replacement: {{ .Values.assertsClusterSite }} + action: replace + {{- end }} + + - job_name: {{ .Release.Name }}-promxyruler + kubernetes_sd_configs: + - namespaces: + names: + - {{ .Release.Namespace }} + role: endpoints + honor_timestamps: true + metrics_path: /metrics + relabel_configs: + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name] + separator: ; + regex: promxyruler + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_instance] + separator: ; + regex: {{ .Release.Name }} + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Node;(.*) + target_label: node + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Pod;(.*) + target_label: pod + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_namespace] + separator: ; + regex: (.*) + target_label: namespace + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: service + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_name] + separator: ; + regex: (.*) + target_label: pod + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_container_name] + separator: ; + regex: (.*) + target_label: container + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: job + replacement: ${1} + action: replace + - separator: ; + regex: (.*) + target_label: endpoint + replacement: http + action: replace + # add tenant, asserts_env, & asserts_site + # to all remaining values metrics if applicable + - separator: ; + regex: (.*) + target_label: tenant + replacement: {{ include "asserts.tenant" . }} + action: replace + {{- if .Values.assertsClusterEnv }} + - separator: ; + regex: (.*) + target_label: asserts_env + replacement: {{ .Values.assertsClusterEnv }} + action: replace + {{- end }} + {{- if .Values.assertsClusterSite }} + - separator: ; + regex: (.*) + target_label: asserts_site + replacement: {{ .Values.assertsClusterSite }} + action: replace + {{- end }} + + - job_name: {{ .Release.Name }}-promxyuser + kubernetes_sd_configs: + - namespaces: + names: + - {{ .Release.Namespace }} + role: endpoints + honor_timestamps: true + metrics_path: /metrics + relabel_configs: + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name] + separator: ; + regex: promxyuser + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_instance] + separator: ; + regex: {{ .Release.Name }} + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Node;(.*) + target_label: node + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Pod;(.*) + target_label: pod + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_namespace] + separator: ; + regex: (.*) + target_label: namespace + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: service + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_name] + separator: ; + regex: (.*) + target_label: pod + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_container_name] + separator: ; + regex: (.*) + target_label: container + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: job + replacement: ${1} + action: replace + - separator: ; + regex: (.*) + target_label: endpoint + replacement: http + action: replace + # add tenant, asserts_env, & asserts_site + # to all remaining values metrics if applicable + - separator: ; + regex: (.*) + target_label: tenant + replacement: {{ include "asserts.tenant" . }} + action: replace + {{- if .Values.assertsClusterEnv }} + - separator: ; + regex: (.*) + target_label: asserts_env + replacement: {{ .Values.assertsClusterEnv }} + action: replace + {{- end }} + {{- if .Values.assertsClusterSite }} + - separator: ; + regex: (.*) + target_label: asserts_site + replacement: {{ .Values.assertsClusterSite }} + action: replace + {{- end }} + + - job_name: {{.Values.redisgraph.fullnameOverride}} + kubernetes_sd_configs: + - namespaces: + names: + - {{ .Release.Namespace }} + role: endpoints + honor_timestamps: true + metrics_path: /metrics + relabel_configs: + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name] + separator: ; + regex: {{.Values.redisgraph.fullnameOverride}} + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_instance] + separator: ; + regex: {{ .Release.Name }} + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_component] + separator: ; + regex: metrics + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_port_name] + separator: ; + regex: http-metrics + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Node;(.*) + target_label: node + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Pod;(.*) + target_label: pod + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_namespace] + separator: ; + regex: (.*) + target_label: namespace + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: service + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_name] + separator: ; + regex: (.*) + target_label: pod + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_container_name] + separator: ; + regex: (.*) + target_label: container + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: job + replacement: ${1} + action: replace + - separator: ; + regex: (.*) + target_label: endpoint + replacement: http-metrics + action: replace + # add tenant, asserts_env, & asserts_site + # to all remaining values metrics if applicable + - separator: ; + regex: (.*) + target_label: tenant + replacement: {{ include "asserts.tenant" . }} + action: replace + {{- if .Values.assertsClusterEnv }} + - separator: ; + regex: (.*) + target_label: asserts_env + replacement: {{ .Values.assertsClusterEnv }} + action: replace + {{- end }} + {{- if .Values.assertsClusterSite }} + - separator: ; + regex: (.*) + target_label: asserts_site + replacement: {{ .Values.assertsClusterSite }} + action: replace + {{- end }} + + - job_name: {{.Values.redisearch.fullnameOverride}} + kubernetes_sd_configs: + - namespaces: + names: + - {{ .Release.Namespace }} + role: endpoints + honor_timestamps: true + metrics_path: /metrics + relabel_configs: + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name] + separator: ; + regex: {{.Values.redisearch.fullnameOverride}} + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_instance] + separator: ; + regex: {{ .Release.Name }} + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_component] + separator: ; + regex: metrics + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_port_name] + separator: ; + regex: http-metrics + replacement: $1 + action: keep + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Node;(.*) + target_label: node + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_endpoint_address_target_kind, __meta_kubernetes_endpoint_address_target_name] + separator: ; + regex: Pod;(.*) + target_label: pod + replacement: ${1} + action: replace + - source_labels: [__meta_kubernetes_namespace] + separator: ; + regex: (.*) + target_label: namespace + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: service + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_name] + separator: ; + regex: (.*) + target_label: pod + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_pod_container_name] + separator: ; + regex: (.*) + target_label: container + replacement: $1 + action: replace + - source_labels: [__meta_kubernetes_service_name] + separator: ; + regex: (.*) + target_label: job + replacement: ${1} + action: replace + - separator: ; + regex: (.*) + target_label: endpoint + replacement: http-metrics + action: replace + # add tenant, asserts_env, & asserts_site + # to all remaining values metrics if applicable + - separator: ; + regex: (.*) + target_label: tenant + replacement: {{ include "asserts.tenant" . }} + action: replace + {{- if .Values.assertsClusterEnv }} + - separator: ; + regex: (.*) + target_label: asserts_env + replacement: {{ .Values.assertsClusterEnv }} + action: replace + {{- end }} + {{- if .Values.assertsClusterSite }} + - separator: ; + regex: (.*) + target_label: asserts_site + replacement: {{ .Values.assertsClusterSite }} + action: replace + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/asserts/asserts/1.11.0/templates/grafana/_helpers.tpl b/charts/asserts/asserts/1.11.0/templates/grafana/_helpers.tpl new file mode 100644 index 000000000..4f2c5b7aa --- /dev/null +++ b/charts/asserts/asserts/1.11.0/templates/grafana/_helpers.tpl @@ -0,0 +1,57 @@ +{{/* +grafana name +*/}} +{{- define "asserts.grafanaName" -}} +{{- if .Values.grafana.nameOverride -}} +{{- .Values.grafana.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{ include "asserts.name" . }}-grafana +{{- end -}} +{{- end -}} + +{{/* +grafana fullname +*/}} +{{- define "asserts.grafanaFullname" -}} +{{- if .Values.grafana.fullnameOverride -}} +{{- .Values.grafana.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{ include "asserts.fullname" . }}-grafana +{{- end -}} +{{- end -}} + +{{/* +grafana common labels +*/}} +{{- define "asserts.grafanaLabels" -}} +{{ include "asserts.labels" . }} +app.kubernetes.io/component: grafana +{{- end }} + +{{/* +grafana selector labels +*/}} +{{- define "asserts.grafanaSelectorLabels" -}} +{{ include "asserts.selectorLabels" . }} +app.kubernetes.io/component: grafana +{{- end }} + +{{/* +Get the password secret. +*/}} +{{- define "asserts.grafanaSecretName" -}} +{{- if .Values.grafana.auth.existingSecret }} + {{- printf "%s" (tpl .Values.grafana.auth.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "asserts.grafanaFullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "asserts.createGrafanaSecret" -}} +{{- if not .Values.grafana.auth.existingSecret -}} + {{- true -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/asserts/asserts/1.11.0/templates/grafana/configmap.yaml b/charts/asserts/asserts/1.11.0/templates/grafana/configmap.yaml new file mode 100644 index 000000000..17c0fef39 --- /dev/null +++ b/charts/asserts/asserts/1.11.0/templates/grafana/configmap.yaml @@ -0,0 +1,89 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "asserts.grafanaFullname" . }} + labels: {{- include "asserts.grafanaLabels" . | nindent 4 }} + {{- if .Values.grafana.annotations }} + annotations: + {{- toYaml .Values.grafana.annotations | nindent 4 -}} + {{- end }} +data: + datasource.yml: | + apiVersion: 1 + {{- if .Values.grafana.datasources }} + {{ include "common.tplvalues.render" ( dict "value" .Values.grafana.datasources "context" $) | nindent 4 }} + {{- end }} + grafana.ini: | + ##################### Grafana Configuration ##################### + # + # https://github.com/grafana/grafana/blob/master/conf/sample.ini + + [analytics] + # Server reporting, sends usage counters to stats.grafana.org every 24 hours. + # No ip addresses are being tracked, only simple counters to track + # running instances, dashboard and error counts. It is very helpful to us. + # Change this option to false to disable reporting. + reporting_enabled = false + + # Set to false to disable all checks to https://grafana.net + # for new versions (grafana itself and plugins), check is used + # in some UI views to notify that grafana or plugin update exists + # This option does not cause any auto updates, nor send any information + # only a GET request to http://grafana.com to get latest versions + check_for_updates = false + + [log] + # Either "console", "file", "syslog". Default is console and file + # Use space to separate multiple modes, e.g. "console file" + mode = console + + # Either "debug", "info", "warn", "error", "critical", default is "info" + level = info + + [paths] + # Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used) + data = /var/lib/grafana/data + # Directory where grafana can store logs + logs = /var/log/grafana + # Directory where grafana will automatically scan and look for plugins + plugins = /var/lib/grafana/plugins + # folder that contains provisioning config files that grafana will apply on startup and while running. + provisioning = /etc/grafana/provisioning + + [security] + # default admin user, created on startup + admin_user = admin + # set to true if you want to allow browsers to render Grafana in a ,

Cpy3HwBDMgUtJ0dfS4HKH2^!KfZV1HIf!REG@nYZGjQBi; z*$gpprcVATpoy^+4e2&Yg^S6qH`nE!0wW@rt(3P-x0sL!Sz9Zno@uT{E$XRurSK3t zq~V+pstQaHyF(}e|G7UH3?uVBf2ziJ0m zeDB%FGjnv7#3Hi!wRt_2fU4PK>>6L({%e_Ax|8tde?s@^7nHL zCblH%0N`TP3i&IswR$NJ0@I;G;G0CGK&B!fRkAf-A&>f89 z{<92Gmf?^E3e1#bPR9ei1zAdPR@Xx-G-P+slm8p^_g?r2=+rX_&q}1!IW*J)RmldZ z>1c9oFtw7UR)V|?O&>-`5tAM0HUdWn7TNCv8p%xTYRPFB$gvD?Y7%hzx-!(W$J={o zhXEGCLY?7*wSj^5sC9r{uy%rroea6%}&muE)GE>KKRPcsM z-V}4~c}a4i(`XCI))UGZq8>E86&8IN7ApRBl@;}}Y;YIYbE8CO#Nt|$L-ZDTR&@j1 zv=gVz&J<|=!cm5Fi6J;!q_MbBMJB_M>0ClD*y4^H@Dt%=*5HpuXF6dr*jCCT4n<5u zgcu5$4F6Io>`ca3`_7$`q|;5Re~YsbXVwcj%sMbiABSKBVBIG%+#1VmEAj7cZ}*4) zkch~GewbSMK-?t3qO90Wvrleuw&FG@SP;R5FyZ>Ri{AofH}Xh|t+p4*WYoI0I(_6M zCbRzDU~kYLyyy@1`gp-*t>~gS(!j-nB2@rW9N;7<00g`PMyDuKw3hVxxPneuD34=k z^}%IYqiw1>*7Ywcb#fh>8tCFj19YV&{*C00BS5CD!7?{#|NAXIb|j0W3qWRm$Ljpy z(VJHWuyydvo)SaQ_jA5qPL>6v&23s1^}yI1tyGs`h1|5_)1;W{&p{f)5CNfxO6EWr z3*>!Anca|LmY=v4CbD~*K%taSifw^n)#C7x%vRvjOZ{#M%~8n=Cm%TvPWlTd7OYAr zATJS=!Xz!67itXO(Q?Y(VhpW=k!8Btw0K_A1-p!;T*DbMg87-5;epkH9)CywDBWu& zR1SAaYSsv4{&_(GqbQefQ4>87&YjF;6<5FI0f`n%scw?RRIeT5H&-PiUGt%str42y zgcFp3>+-y|5`!o?$YB*6TIABo5X&&SMUgyO0YynWkBOY}*PlKGAkA>Xrl9-pG+;69 z8oyvgs(kq(gPO&R4q;+xcJI`M4F+YEPx;zq8>ux(ekw33z+57c8qb|cMLjGM>*<6H zGNnl-eT0$pPP#1Oz)c2LB$X;Ck#fn(XK zGZ1pz`AX)h6VlaMi=eq`hNH@RRhVzOxhAB9X7-wJbNNUoRu(K_MJ?(fSI#BjN4*tJ zRFgHsC+~~NSTtfWNy9Q@dAA)6Qi3R30!~*(kj)#q0<#Hb8O)XfzEVJ3zceq7OqvSa zu{;q=(j3X~H<2F6*Gtj9dJ*VOe6PDTf#D63N$*uRl^!Y=a!TVsAK9-Ik=~!2B1`tU z`n71fkvij;)<~RnhP%R}8!)Ynh-WeN5_TLHWSu*##F?pvji||?UE#DqH>AnO8>l0m zl3&`tTM@L7nw0UDs!a+UT5 zf~}%wTVna0=9x$Xk*iA-&Zct1LF?=SjU~yqGNkjoIBT-n`~Z2vXM)JnNKN9OP>U-| zRB`oLAae_2?8>Co7+ky^d$0fq^FBPU7j}9<(`TS%+Z>(!!vhe(rEXg^3}Z?PrK%A2 z91+>1Ts7<#NX{sZ)ah+Z!JMxXB5|vPJTh7sxI8^NIX~?!Bm%;Uz=<43JvA*Rrj=~( zUIA#>QZTkS#Pc~QUH}mA=hf-YXBXh|>IjT3&)y%6Pr+YL|0cfJMSHzorRM3y$%=Xw zIU3qNKD`{D{d9JGG(K(JuD4DH7}7L~uFE_|j_xjUJ$(ZKrIl)#Ysx381geg(YFOul z_uD3yW5&p*x@=hMLg_6i^Ho4^!*UU^MO=QVYlthmuEMq_Uk$h z_0(Kj6{s`u^4w_w+jY=bAIeS|>yr{al{>M(aSZXI>ZegLLjGo)>$j>P)n}Q>?I>P#w?%|y(U+AMv% z4eJsD3qT=PEI5q}LG{r`a|TkMOm&;AP^x=}zC+~56m#BBI3%pwC_z$|m%U1Tq-=%B3jA>VYkr&V*dfv;t zT=~33n@_X1>TvUU_GVUG?~J=Eep`b!J#){c7tJ)l7bnoIv+1SN>DKvlv%r=}Ts`|_OHn+{hx$0-M{UHDcwqMG6ZuT)INQ5f>Ycax_Yl~Ei(3A%3u9;(*7@rUYLPkD%x zLLq+fE|ICmSrx42Su#`;5PUB8Qd2^4wl!!z5~Wt865TUOtL;kDyC789r_TYDfUvzK zkkevor19Qhg?!@MPcGpt!UOnUF0Ny8gA$nrhl;&XrC3!+Ckv891+h8(RpMPXuP>;P z2C1MYU#C+NQPVL@%OD~msHFY*+y?pU4yP@EH5$?ynVbQytSf_1u{tBNBlV zOtW09pWsy<&1BB#hU+0}Cry?ocF>YNiK2;}(j<*0r3nD*Fi{huRC$4uBXbw~IZp5* zUw}lU-R-9+3sJ(j?n2Zc3I$#Hw=*R6RdjaJs0`Uj$O_Kk$2PDRa4EHi2!Xt)E?h{_ zWayc#b`OSNw^L08E0cT`Lv@rhLPIEW>~3g)<|M$DGcDS%Q=+QKK2^Jo8C=e*y0$?qFRuzT z0FOzm`%*H5y)FAq;W7kc0N26rn!qj;Zs7W>uWkCefR$D2hy6GvuZxgn==zbWGj*$A zw3*icXEP>liK_}DchKA2?G0>0_wdQkeFQ_d#1f?(UJES@Jz}Yp$*XLuSm#Q#Bm{rn z-F>N4%7(lwjg7U>(6WKSd037XAAQ%$*3wLg77aWkMaydFYbI-14RGzWEvrG^D}l>u zu=h&kqNYeColA9xvo0aWft<*mgQEVUqQ1kT`|`xG=eVe^+v{fNxChH_GAl<5`0M89 zXaRElOdTzN-Y;iI3&8iw-eJ6aHibr8)^aSc6G-YnW7t>9$&S2US~_Eu?H*Qx8B!T-N-$*d3-=UX$edmh6$zf z3J51ZfX6z~uS^TlG%0ML!YXm>l7qpD7Hxm>-{mz7|7_uQK6ml4Q7Ija5!jiIaK@rx z21S-wzN~h=MP!DVu9Y=rg(3IlOSdvCZ&Q>(8Q3F`JSPda+DjfScYsux72~8znWa~q zwkWl8sb`-M=e*N6nVFGPA%azOZCZN7`%0vYB`7%l4JKvBiX)N5>u^d=znGM6WKel2_;GaOo8ymJ$APoB-{5*-2z|< z1NBB|mELx75yaf?T7@r6#>zzVu%k|%{!cpY=Z@?}UX867FvgC3~B6S|U zQ|P4)s*STHP+)0o3B+=eEDW};8XR4D1g{OXGCpl#S1Xq7KQE`Z;53~OV3d)Mxa45> z!)#zO8`yF)eCB}MqV0Iiq;T-@nv0}}r`QyJF3VY2Rvyf93fAWN%>($J%q9*}_0(yu zw@JJ_60RCNiP5X&Pno#Ou$omSkC6^%xlxV?1p;g@V1{8d*#Y8a4rst}b&es*Vw~J; z+4H;we$u9VC7Y-+hx+gkj?n0@g_i6br`k^$S=8p>DN{=kp+X>)2_c0U!(kr743G@Z zbV|6j(P^0S7d4Yyr3IyO;gn?3NsbiO>JocdyoRJ0N!3b2F_>)Ao%<5kD-}jnIq;Rb zkdkN}o0x z#?jDmQ#lN&Jyo71!ljFUnQ-N~1Z_TO50_`H@W8GiV4D`|77c4O9sZ>Cqwex5AK0m( z(j$+yIvm`%{2^Q^Q3(?|71c(Y8% z^Bka$AxdR<_Q}N+*cM6Z4)z;`3A&#wv1JIVh!Ajsk|npZbWdeKo$PDRSP^u?Vx2uS;Q;@}<#DPEZP85hq(2E2o8rJ)AUZGE`oi5pc3BUh8U_jJ@x#J)0r*=iYVyU>43XLm}gkb>Hll zzWZ<)Od=SQ1j$=*RopM{v^ijDgBXIMhD1U)bd<9>R~teVxa)SHf@{v^y^Ihxf|TBo zEHZHTOOUF!^>q!24Ts4YrQg@r%qge#qEeH;2PS8jw`y8O)~@Q}yppqvyWgw+Q`P7* zmE%g}A>?!kbQ=Llf+@}@3$i>Z&N8=buzot3+b8k4)W8F<< zU;YgMd|azg>b1(ht)w8lXi42HUwA3PMQn0DCr9&Vx>lB&U>c9$>uoi4NzyA>I?+*@}AquHn zg{UXK2A7M|k|iO~gs5Hw{Gi=+pyQJ!b&$=PR)uUn*_bzrxQ2#wehwJ`UYjt)&P8bu z2s0$y12CpNaLU91@D*hMgT46Zn!(xWw*BoUS zHJ$)kp_M&MOVLOc>o!+Z%xih&q*%bKYqpOJLdPmCPX#5Q)0H&>J{<6c_E!MrXaa?% z0b1w>o~?feWT6$7Kw6TZSVbz*;A;K&C*8aq0afCex_GA{*xlXR-F23hqUL?qmNF-M zR+nR5z`wMJPo;H5z`O6FA_2N9iUY8^oJgwt>38xNIj%*CxDyQa{zXZ$sWt|K!Qk-4 z3-Rw@Fev@IyT7};_ov+#`}+s`2ZI-Tdw&}2zIeI!;!j|(DFm9HoHCgGY4G5-%ANaz zJfAuMbib2>-W`IjNJrT3^WhH^E0Ao~mw!I%KIg^RGDWciw~xf`7|ZjqHC$ZU!IrR(Wcp2?U+iwcFem7(J;f} zxEQZ=Vg=+ukijG(3$Qx~_>v7nt|h=Yox>zwpbUpVHf~*^(DirVbOCX^7WPL%{v%PZ zJ)vI3WOlLcfbdFUGi!B2mIdQ$!eSg*yvjV{J-1JsH}zQz}%6I3ObHT3f3;fs>7tDLUy-P6TaDT>K^HFa!d~xWf6xTMiGkwnN^P)jFb22#FC)YN-B>A^<^x?u>136iB{+7N=R2x4zwYlxE&9b0qT1Fajd2 z#Olqu`?^wl-i_fd(~` zumamN8LRA3HxpNJfcZYhQG}8jTma|_4W_G!)I%{pzD=rw(TRwa; ztLW0^sdg`U$K}#GD@>h`GL$d`c+DX@Weoe)GoLLbxLNphP^)NG_dzeM>RKB_v7(gS z2gRt$${R%S;=vRoSuOA3grQm671BdK4tj0eymCQBB(xC+zKLgW(@}tq;lEl1ypKY% zl1@@lQCn*Ix{Gd;)}eev8@sEn=Vu9n%O*MYwYP&ci)qs$Y8FqO3*WPNe)0B;#bxE< zfg|X-KvgQEjT8hb~zLD(GRIk%Wirg@jbGi4^EllkV>G=zhI;=^> zuTjIB6zkRctYu-!tZA3BU)6$+(p%AJ9gTNy@ZyJ>0$SZYFR8mFb-Wv<`8TA+@#x)# z2vODjON3Z-@2%8Vvco>a8}n6`Vzsb}th~o&52#Vpypx7{IorFuhR|F=sIv5?Mc?&N zFpiJ%#oO`eRgZmS8){?4{?G32?m>0`Xa8yc=P{n+*GHFQaB*~g zIs~6Sf!^^PW~_H1FZk@pukTMUug>0H*ah@8(qF!Gjz%M2iK8^N3U$8!UMHiRAdo_a zQ6dryD5FY7NMH&kNCX}T&n}9<_uqFqpFRZuPfeF8FQ-d(93X0AXDOX~uFjC%5%|0Emr1nY5Oz?{;-!CLJN?5iO z=jVHL?k_A8p7ygm>2drxcc7R`a{Z0ucJ6wL8LFIYV)KmTGnpP^O1N#ur{&4Tl?>k! zhj%#dd4)rw_(r9E~B8I5RoJN%NKR5!z$rs=$SK? zf-hfoI-Rlc#VkF&7Txe1BT-$J84DOnsl2UWSdm5LL&TiCyFH-iN73B7%Qr%xKuSr7 zIdc@>%#F&7xYx=XU-#Ka5>{q10>^LOU5!sKKb(zz{BC=J6U_M;;B*H(18)1DB%2HzNebEg$L^;dO;IR&_xHg+dx=8hOIL?z(YBLvr;MQBG8?@_1V`ToNzBkf;71u` zIqktH;$%kRo%->myVJ;o!+!reh1c*qLqVITtlaz}IAT>*5kl9sn8+DX+fCItsxqqd zOx`-c;0*#0Owk=!;3Q{Ox-%OfI2-9pr}Yg3J!5A50+~)wB*-O|4X|a81-)&%fZera zfGwLvuTC%DpB;OcpmoD7TLnR2ihcSd{-24P=eD`#@eyd2i7o1xY$byo@Z}4~K>j1; zP?!IIH7^xCRFgSDN_=#G7;qTFRm+TNu{9HJvdw1hHBQ(rXp~5LXn7;Slw@}>i`tDZ zy$$Qr2A5Ph}!@0>OozWEU>_0nuJ@7U~34madkvpoc zV^kVWfn#y)519zO(3BOy z)wKnlJdg!dt16_WXw(C66%VCWKX{U+8BW*~bpM?O+FQxx>k69gl%{TTR!o=QSCy3$ zT1~P>a#W|=I_>mze^<<*dK7BsRLxX%4D#akZ*gNiWJuyIIkw|7-tS<>ho1H_62~~1 zjp3|NKjZ}&_o?Yz!f`JMH8)mrSl`;2_4KU$`24>g<|s~4MtdxcH_=A3|95Y1?{K%| z|2;U|8$9`cALIG-ssBB=#fzcXJ)7bfakcQr1t&{5M?>&^UrMw7_Z<^-q4Qw#MPdnl z&0#Ea_`oz3{-Ivy7m;W%5pFQZz~R1d%<@GrggHfkk_7^PH9kJ&Rl+Ea2UFh$``uOsl|LQLLhZ_8SJ5Vcs#f*OG**SrX&D2Y%KF0CrcWh(s2 zBIK)x&Q@=YDAyuZMI$>d)WBLEfzb*-3<%POCi^&AW#cTPyJ@y68U|ahUv|=K@?KF>?wdOy( zPp%5_Rr*%i+m|XwVDIIx?sbix(z^ekmH>4cPz@``o6NwO0H<%(QkR6uJaQ{} z*1BbEWmi+XtUciTr`X(a`Pk0^E6B35E{o`V?W~l~S06To&gHlr&_EIQ?$!%eUQNqZ zdFc}1;L8`io1w*X8)K;ks5Xd=pT+~etNy6?8NEOh(P~!}xfLp^a0};F?Z!eXkJBpo zFH4DhOpT&nM$5h)%gwgq^Ma6tRaxL&F1>mN6av~gC$BsNjhKn@#pQF}A=XFqO*2kp zrJ7;Ikhs0tW@)@0Bzt9Y2iu11<|l7wi+`4C09OF`pLlVVPp9}J=my;ik?RSb<-$=2 zwF5>*C|NoF_5FkHJ=bmugQhVN)sL-_aYlvnW5sRc&=G7WgsnyM9bnN|bg(@+9R5>2 z0GAEruLVq-dM$Tdd#3D4Zj?&h+{`SmMiC`voOO`fPSqMbdtPvt#oZ&UDv}x`e>uY zHBI(d3)az%IE?F^7HwN}pxWb5KQ+46u=|n}-D_A!Bx_vP^pMK^uUfUZ;C4e1$d9 zQsU8e=Bt9Xa-1q+VC5KZd@5d@k4LS0zhLPKSzrP@~(WykD#v`%YD+T#g7=o%ah&Q;t^g&L=zEHhLxd&+6@iLC=}o zXWuMTbIyOGP=$o42YH9toaD@U*{zNaFZeHl6VUxf(zS|O{B4Trcfc^?Ka%%HZ{D3= zf%ivm&Q6ZTXKyct|42BCno6I=J-{v4@xAJtPOV3#mW&E?hWoozS^vFs-stIQW|@*r zy-l)J-k$XwJ&qx6AYR?z^h}7r7w_gM0rUo^;xf@Y{2R<7=ioos4g!i8@L~NU%W|~Sd)P?oDc0UI zQaeX$Tq70VuJM_~F}ZuIZcM%)2`Z05xn=|Xb#eyX8*y;~nB+`5e(qq=MMZo@K$?*` zo?vrvvp7tIGkHy&jG!%G@-Z!PKZ#w@DS|A|)LB(|p`8UuHEjV@qgm;>OiQ_HEWwJg zG-h-A(JN$Oc@o-lrerwnh$*^_7AadcdpdSjmg19Pbt#SJPGzQAY4rtbsPkBk73oYU z&J#;fFcR7I(u~~d^Bm?hu$u*))o1%^Oa=BFr1A_KN@$*m$VlBB2fGa!;NRI!DYQ~0 zMd)bD&`a7MPhNevI=y^#K1^1X0>te`cqA$D;6Ih@0zmbkhjfRmM(_i z$K#{p*QZS^U5tfWwvki6b->jBu*VnwCzsVgnxrDP_`}+0j{h6%?(e=R#s3|?92`Ey z|2@W|1hdZ`^6lY@VDJu1u{zs51h>1L8=OQ#W$Jeph(W$Y4LkD2GjT-V>uq@p8{WF` z-X8-08T^_Pro3_HLUWH-RNZAMuO7;xF6dPcTvr^-vaY)JdOepb@cLXGfR=+5c#eM; zUSjdni`r3=5T+8K$}{7|i`GZSn^3hISb?vFt!5L)(()fEajnJAU~>2ZC1EM%{#(zb zKjPz)|1xR90wtRe{wwAGi^GHca{Tw<{=rlH_oFx!Rxb7OSVXE;;cH>5NMy|w03N{6 zKa@jrEP|yZa#{MJJHrLQnq)B*Y)tnp^eo?SN+O%_>P}*=r>n}w>x2SeMSv{aE`(onlD_N)LBcmg>eDC>y6c%>b-&#jUbzYuE&(^ z?uZ#f=Wy@fkmie(JZinr0frWkyWDD#ZyoKSWYV@Q!TjL!haIOg5cZqO``(NIDw zwlL&fMXLJ4azWX6tR8R+LFIX>!LM%i8{s;g;smp$HDlGAhjqumUEP;YRt}jG3Wh=W zjA+D5Rl#!N7pE#j3P(pKC@`Z8(Q*_`f!^-GW=}C68Qv5I7N~WwNJxZQqabp{)ZkzP zk_gC@6x|!NY%FzymTI7BV>wx*t|zNlk^|H?To;Axw+~}Y2YyTTY(STh7-i*kzA4znD z!dzf0=~WI^;)=3UKn@XEVAcSo$Pz0uSP2!k-5^vCL%B9t^RcO3J>#V$CbQ*Lnjsh+ zlZ0#GIAIPO))aXtQ`WUyuxM{h79|5vLht@#<{l zkIAtJtS12d2~PSVjbrgv z&_i<;wmiyNo*apUJ78xAbh(Y%b$iX9DFC)WNxx1a4^kjl@QIPKIT(Oo0YA#WcR|4I zUXfP@bbB;`DV-D6bzaAWvj3QpJP~r}qsSQ=WFVZAy95N6;Ja-cfgs-*%0GSvpFx;2 z5JaF0x*(YD?RZGys$bs_dpq~!YRbDQZ#+|RN`KBso>sf&F_*qBbAS?etX_fIHwU_= zJ@4AIyI1XJb;P|G-2<7n2-Hx&zD08pg zE0>qXs~4;KrK!niYK1vUZp+eEiicNcE(S|Q>mI)wZ_Re zx;(wQ`fzeIK6-U@b?QW3uG6A2rti_>yQ};4QR-v&X|aiOe#*#VSo#3e!TrCYG{#w zoAz`PmzK9D(obiXSL5dSQ)%KSoKfcY!__tO=4kC!-oSMmc|ATlKIVVCeSdm+d3JL8 z;o|K@eT%Ckt#fvwH4>*6N3Y(T7PyQ~FR#w7#-|s@_rgRUj~Er+pi{LPw?^sJo3}r& zNql`JefvhP{(3h0@apZ`@zwb9Xmp>h`VQf=Z+|SvKDs>p>FmGT_jAliIm*x!e_W%h z$FEPx5@zdGQ{GajZMg0O^l>r}F2IWSsP`MJehSYrX z?&q_MtJ=oo0lMd&VH?Hy3@3D@HZ&5^<*&!%Q7eU^qD_wMTO-;wb@kA;YWr1EqSXN< zbYd1z#>8pUm6SJ9%PjdYIQj=jL? z8M#FAdBqVV&2`=A`-yXkRZCW@G zAH+m{ej?R!{uK|eSvP64;2L#*DhR2~0@ZXBOii5%*Tb6!@d4ZprmZ;#L2{yunE z>gJAQ|F7R6Uml}2of3!5 z$0aM_{}l)3O5Vik85U}N*~FkYEj?gJY`kjr#vY8hI~>%(d~<`bYJ~0;UGWExr2t-| zV*{Cz>hy>LQK>kVP_=t*UoKpn6?OAO)pfMCP;0}>mxZ}ZfX2+%H3V=nUAOGLx>A|f z>2qBw5?Qb6I$u+wx#yKUJ(XR7osxjDvM^P;+NLA7;sV{i_W66+TDBB;%d{Rz31mbl zJ4-OTQg>k2^18|e)7Ym-T$T|Ow_yi3!K@cGbt2`uRf5@lZI<_zz}UEE>;Qj=UR-lp ztRbdX6|n#}MmUvjlvyLv$*K82G~(%Z7YpTF|oK3Ch8w8Xcb- zL@!dSO1EO92fGe}l|Fz~bhK}{QnlOOoZrArFAolyC{dmJCAVTpR<1a{3xFxWq^IFH zhPbrv9P(GyWA`>>HFZU0@OiDPF_3`m7W^;pTQu;^ilG^ z4hFl22j%>)dj|(k^8Ya&J`pmQSl76V(U*x_`Sb{apmU!{yGlUa)0F!?KEC-sPvK@J zzIs;7|NR%0{Qoar?(aU$|HpVrN88S^G`K=+`8}zmbH&ctoNj z)jGyLXwCs+n9Z!{?@gsC=ddcN%0W{|c@2*(aB}I(`)p4jtBk4yKd!D+ zlu?zWkA3K4HM=4c6gwWh)BOy9)S@qyb6$BVw6DH!{3!2OnwNbm6fJI1c1#v2%n<1Q z=WcIrKNxr{Gl%{+`2-bIcf39l$D>=6!5MnTaEyNwY*I^&N~h{PN3x*p%#xkA8nGiZ zHi1DBd8b^9K{`hZk}dB!P76`__c~N=*S^tc)ga*=u>a+1saOAFER6!QGxA_vaOM3^ z`!CD>zr7bPpY*@Scs|u(WLjyT)SV^+tTECR^78Q2!Q} z5p1Jhb%Mu=CZj8<`{L=DRaxsc$^a|FbyLOGHSX}eLvL|+dLxI-31x|OFG3(Ll<~G} zidGJ6h?sg~aix&Wogkt*N%N6qaKsB&!$V5ZhMp>Qmz31RJ_af-$3w9RTN_nd*N|y4yL^DV z?o_u2plPzZTTISCz9zIdOJy_Oy|~O8VI7&&?RUY(hqsy}!WmxE_Sqth(L&#bbd{nI zPjRRa`h5-fcWnl|<#^Xk^h+*^Hn|8{P}f?6KKZZv&|q0i8|2@jH z`lxVCIG?ZZB93xIu zp1mO$AL}H_au;n>I%-B6uRUCKi}RCb_ILUC)_;|VH5G{&0%cSL_xB2~TL1SC4&C*C zZ*O;h|7rbyjK^a;sNt7+IVvXr+^>o$gaM|_&$mgul&8z^Bu1~6KV>2#_}b27x1}1F z@`YV!r8-g=$iG*0z6 zpOlVO&+7FbJ$N&C)%t%>KL58j*nc|z@iEpjmqsZ>$IBF%)$nwtvVS6Lk!(~#+RZTIW-lcp z3zTo*VBgLKV9fq^C!@ASwTB=8jFj(56)b*LxCq+#V_M0AO?cwlHME9%{(p>4v3mV~ zcr@6G_5bj2zij^x4i28||3`T?u>O~0#{8wqI}0rgADJ=cZ4xhk%E+R){Pf%F1`5q5 z<={y>|#-sMMri?{mmnNI?m^_RcHhTA=gI^o8dA;2#Q7%=_>$+rHUf1Ox%mCySo_O7d-q+#vwKbpBGTmEyO*!v{u_@W#62afy99a+juenC78lKXy_@B8#Xbvgi+?eH^m;G*m79oEX{iN6g41e_IzvqQs6UvM(;Z_$H*f&&_ zN8>mP;6z>3Fc_FTCMdYu4;W!E4n*l5otrEc&;Cu^Sv7%l-jOfBQ51m`WeZHHpc5ki zMVNW6P7LP@5`q7?^V~&Qx{XnT4jI1XdfYGjV9XH$l42>unT#2~OFuhST1F`bDj(m5GlvTth55QMC{%4QS29N&Lf!##^>tO$HIr1mnh72Ug{ud>EVW3}NduMN<@ZL-((wUJdw!km!>@1@JmV{(Jsny_gP-H=|Vz$OOnOSvZ;Y<0Af07Jc%BS82 zr1zrxdyYa@;8Rr19)x5G$8z=~jbqIb5)p|h)(5@+5VWy68lyhf&r)O|-D;)SsISGV z|2^*h|G~jQ`TnmLFAoo&^uNb=*3a(yVQk7&%%X2UYV^LtMjvV1YGj1G z>5F5tNnOT*x|S-lfdu&9THUWaKKqZwG}vSe*ed`3?qT)*m#6dJkMoo!p6CA0ni7gZ zbP4|jZ&snTL%@2)V3vVlnN7dL;@` z#_$w}kf9>{NI>MpZje$yZ_v{D90WnfAByBL&+LoQs@$sYEYp?03n3W(2xcfbKCsv$0|;&uE>r6&zrx`)LHLpv?ou^A9AB;ov9@l zv?rL-AJ=D3Fj@Go_AGPChR}iw>!Ch{2mS$`LjUW{QM|yjgk)&LZLHA$1_!$bCH-&z zN&kDK=NTA5#!x1Y&C1~icXO10Nsi+PCo_=3@CMEh?RB1k@f=g2Z^H$2j^Y^1Vlt7t zU^tmQ7aMvE-y(4#uJs-!QRf**&`d}=u$^XTia(+V++j8c|F+WuZKzfj0J zJscs}m*q0@uRo$}E9U>@>CwsgX>Sp2yp6{Bzc+aK@~}Mr_YR)oe;?=h&wmSo0Kha2 zr1tm=$)XYG2M`2*>2#i1FO(dJz+?$t$>Z~#PVpI2z~%_tkt~k3C|D56KuXd)h8dW| zWH#fngsb90!$}yB2Qn7?&oqW?O0q={jL03zrg;pOhyjWhX^fr&bc?bj7Yx&kEC6LW zSBZqck|*>)NV1eO7agb+qq22%(B~rtae^}1XBk5M1;j};56KRQ zP#Tk^7*UdN@P9ShX#wBSSaHp$JS#R?spPylq;v=)j9{ ztV}8t1z;gKm`ugTViLhLjky7gNg`IvQjbjHl85w31K9y=4jBkx0w##hnuyOCnP$VF z`)iIeEM|#DLIQTGi4|N7HcZpfQ1dsv2;KH~1T8Gm@a|bMfJ^}&cyKJ?<3zItZ~WOa zFv^giotU+qP5=t#0=vE4KmSK3kO203d%XewHF^)k=`3zJqfDzU95SbB&MmWe$wv++ z(+pCUYP7|=5QG=wouW@@^Lxv5!L^r6!k6EkV~TR8y* zvG`9tiG?M8UCiq1p(8lfocm+m5LqlZbtSUY;x8imZjnyUKSdQCKC2TN30CX@4)yON zn85|&Bl6GfXQ}zI1E{==2E>>$ISGre4wIQQNfC(hOp;!7Og7W$`~`gf{TQd;e?J6o zFy+%b)^wsuL|hAk@TR1sdzauk;^+EPKSD8LNPM;_Z4IY~=&DjtzDnT?EyyjRKo7A^ zSRJ`V0i=|K7&1Lo3TBX_6pIQLPbiKzMC3o8fuH4Kms+ns198=m_xTJ?5EVIO_}H|0 zJ_F&G0G~UbK~VRAhHuR^1l()6WcTm_&d?>AVal@QwQOB=@PvdnoFjP&kf|bme6PFR zYfyzd%Hvo%$mn$iu7N1M)6)M1AO$c1Fw5YQ!~Od|OK??Af#VobdJP^FQc_==)@q1P_*T!+hWAVyJjxMO4~0 zK_*F?sxGr0HbTf+Z#Xs)hO>lFhQo6bnFLf^il2%@GLdlN7W(s3!O=BN63Jk~QSV3f@m`)s%!d5C&Dx)&4Lz^y*5lXv? zL_Ta_Hlx>iq-ON%prWzCiHw-){?l5(3dQnFEY_=6vah^|mD(z=X!5mxS^LT>TAQ}y zC<_gym$|BupIlr zXFXBx;1bX|+&efNLfGr|dSIk903ys7OpCep9N;OSh&`9m&4>UFhj+NTKuZ(~)Y3eT zWvH%qK>25Nk?FmMu9j+N(+k3QYbasYe$*^Y-iw-!GTAh0rRAxNT7)L~%u=#a6yoWU z4~F;xv^(1f&<8(WxN^{q z#Cb5n^OM?fq*=KNFZP&%?4Xj72idPIbffmQB+OCV&tC-9h@Zz60fJhZD zE(f-#fd6mT9=yg}#~6uSZqGUbmmiLBB9Q^buAn{6+%!f%u>8R}>j+VZ>p$CrT zCJPmcC`J*06kLnhL^5!lkOW=#EWE^vD!pLJd)LTZEBT90^{B@Qwia`>;;*ABe&&*y z`|wvgT@zr)&839004JFBBDqjfmFE9`Pu0Vy@uCZsz9zI*^V0RN&c`Dl z?|cArLN{ZgG|)?AnIzd-c!_=6N5Jb{Ma8bcYm=&d3%nXt`!ZgeQtjK|r4Gxj#7m#5 z+XPB2@H$;-d$f}i0{7N7M>Ae9j>+BWB4x{_(fkaKcsb>?R{mQN%Y*=BFf)6|lNcs9 zW~f(U_8DBWEceQL-k#nwx~QxProLG|ft0{vb1NfrJi$ymojCm>oFTp>33oi3gE^Cl z;bnlO2d|p-QTwq@lrDUwmfLGDy(|Qra2vBo>-_0lc`WG^HT0^%OZR6~BxFC;n-q3^ z^<6JB;ar{_C&>zmG(Yut$#!0kj|A-F^E!Q^j_=JPDu>OijtbW-Z^X4>ebjp^7n#VFeSw@2>G=)cwdbA3!8&C3mR_3L(@!}xvgH$74!j?EqZr{VK z0Y9x5im{UBhjlF%xP=*(rem?E=|-9ry|@Qnb=>9k=M;=(xpWN59MuQORU5A+d0)Zn zs^Vu_7pZ!@%AVNsJZ2(t?Lj`-$J{(?K*ILiws6@#=Ehn}BqZl7^q{C+=88%9%N((} zTz-+V4m~4U3YFV5wQYG{LVNC0?>~Ey)JOjMFp5MRvpmWn_9y_RfXi1X_Uwcl6W!%g zqJXd<5o+B#cUqLtR#&EvmnrgZ))kGaq9PYhF$_Jq=%YyOu?)dA%_mb5M<}~~E`CTY zL~K!V+v|58P~*#%XTt#-`vy+A|VN5ir^BY9nE;Yul-YK03<+y6lKXy zvS-%TPE3J7ccam0H2Q~FuNgxzO?=AG4UNJ8ry+X%?!reOjQu0cV~|8F7JIYN5y<%h zHj6HPjY+D~$GG;t(tk&s+M-im($_OexUkkX-k3*FL zEHaj`h)ow4NlI{d%woY9GdWl%+IVfR}K$`6zW(p}H4(tL_Ow zc{61jfH;it!VK49A>XYwjtL3%C$hLhh{j~XQZf?qVoo}oope_gOwz`P zWgi{8xa-q27og`$&+M*f+@kl1j2w#=%EG=-=LJaQAP&=ENL6r|88Kqd$o*h(D)x+S zr`eUUkbPHBDNc{u4d>g=Sa2GWp!KNh=;|m8O+Zy2ro&_Hyen95{ig{F8q@5!7`+oN zH7rCQ%TU zTnCl#7M+P*O=n_E;4>ecK-7DP=md@Qk0WvBgJ0_>DK^REp=pNOZXBvuIQI*fi;S*< ziNYezsQ1vQ-0Dv%Si~$OHVRAi+FSIFg`_$e>b!QpXf(}*1B)xNXzfm60gD@5k%f>+ zkkO$Xhoyw>@T`D^BvhL=XkekdG9L($CP`Zkv_e-!j#Y;Od#_KEj1qI9GwOFgu@-aT z)Wq-aX~H675lL6rEY$g;_~^m0aB@@;q~u3*PP-_B>Mp2^Zjv7sA?prpZ(|!_(_EBT z=*rOkoXlC;vQRV@(42%wwtpxro)7mu3nfPf;^Rpw=?oNE93hbyHc0y6^;BU(mf&7)k+X{#G>jl(S*f>|CF-4 zd3oHT3zFFwJmqx^R5zQ(VmKHKyI{dd5U_c2ma++rNL|IPVo~si3m4THN@Q>AV{x9x z8J&~Y@)mwnS>4_F%EeKoT)kJmYT~FyEYdta;!dZumFA-8W>Z)=IjS9tcPu_C=h!wZ68!-p#TV-XZ(>n(2WrP6zzH7Hh-Q>< zKTKIEv%c(HeA+sC`*!O$`^q??*CZyKpQUU}mTncQE9J*+eT!Ip-&#~NN7-126CB0S zYZBqb1qoOjI(G6~bRwIfP_z@mR5XPB*+y*Rk67J%gSvZ}jYUFI3LA(Ue%;j>G*k=%hw9%BTmxqe(_tSaedO8fDbOVBwTeGG^kfsmLw2aH^O}Tm6HCqdIzs zTcOx2-Vj<%_ZJe2b4%1Om9z?r$_DWOXtZN-VK767OJ{|J#X=7;6^&R#bV7nf5Rso5 zyXxu((sJjr&37Q0CePTs?#d~>=nzX0o@At0O6y@E9l2F8RrKa_!nhDUXRA7Ke+7Xf z4awLL>gvP&6@-zrfS^RNQ4Fz3@|K*XTHmLCvm1nwSxK^X7Oa=Yti?AukbvvH`@ZC} zka#(0Ah8>Xssw04;^N`3xJ9GNWuF^~N`X;RF-G#WgjonLiNXUuDzl4I{Wg)X3yWG@ zCw)RJ6dn=-jL3uHtDcjX< zsa)(j2@A!Jm$Ez#y_AhNkf-(*jhcec+mMi9l_S~1k>MJw|Ia!j+4%hJ>^F zzFHG?By?+(DgE+ZQhb_7Cr*q6Qu{GW?*>MetRuQX_Q2%uVz!ftgOK5=AKxb+pHw!YD)CcrmF&?B&~w zim6GX0elvc35`jJaOPstBEa~LGto)JmUXl1(&-q2Oc4e&RB9~=Kjl@nlF4&KZyuLr zxQ)r+MIKU!bA?J@n?wS3?4KET?bt`UFc4&6FuZ0pp_OS6DqLNY)U5Ngk)_jl#|E_n zXR}q1!0DJ~DNYx#=9T!J;{^l@E3|MJk|K$aMhPmY!5hd)u`GGuN=RI~7RGJEVpwHH z>TI{t(-jG>bJjb0P?mDQ#bj{I?XqV}JFUa2zE=4fHv2RyxiutY*1uC0F3phOLPF&XoQuylj6=)1Z$V=DRdOp5X#4e> zv-3B{N0)D2A3|RAW@6EpX9O>)BXf&JMUBz-aZt@|Z?O~oqjT;S2RqR}?$?3sC)#CA zggC>}tk(Hb|Lo&2r14bdwR=ROK~t|wCzXK(#K{s5&!#M!0xKiszbU=eL!#@#=AGkp zZ;_7eEuy7uRBFstFJb`rc1NP?Of;YU>YX-h2iC!GbI%eaWJ;AYlFlhyL$n#$%uWk) zo0%d+mDW{>WrZHjZeo)5rw~M@(gvM~;q zjz~Os6}4qZSf$lEBJtq$*18~Z(Q=?|MB*VUvo#~pB{jm5TnH7xyAdQ-+b8Nd1)TN~ zD~Ujf&i&xAG7?<^U2hRYs-C>QKjK%BXmli!W`y^U-*p`W!p7_dr9oh21Hi`4{bfhi zo##;y2tC7>X$70bwo+xFnV<%npbM*qdj2hUM_Na50nu2WPkn2u=Yqv55J(MudA8$n zQ*Z$R*KguqcJG($ia^vbBzod-%b;|$8ZDqLVzF{vv4GV18%xuK6Npw-xyzNhgFa45 zC{ZAl^>Dm|5v*?&Phd#>^_ucDmn-FmJe-oOdl{R^EO4N2t9qU(0i(Chks6vnCkg&j5~mFi%#+9EDwyAe8j{~8&cbi3WJOos`?oW|!W zOL5a_!JdwW49Cl#%5+#j;Ll5eu%=@zAcpSg$iRQ|`0PVV+>CVbJU;t?@{C6G50yN) zI5_SkD_{;1M zZt%Z^1)>rBHp@c`_z!G*sDNKdJEvY(?2zcpAt>)N*W4`{eLoz&Xg;!Q@VjK*X->7% ziq;x4(tHWq3cfp5{NZ!#2raN0hui^tcaZqQC)aVrf_DMm9UcDgS#=yi;9bCXhlM|U zI-OfIaz~1_gYS+9fA~B)j<9bx_+9epv?S2EC(+Yc@^ne0^YEE-I`e*)3_1^=GN-fT z>5@9<;dAA5Ub~09jCM8>5?U)K1J=gb0Y1`MHgLc=AA9f74T`C zk@VV#IYmn2l&=xa(9MhnvvLW@oAfb}v|73H7G0>KH^$FKK(xRk49&Gn;!rxt-yQrr$^GBi z7@({0e$_`!)~{2(VA5lwOd%&jO0ZNye`jO)C5?@{_+`?yUGhk0jd!x{yu4A|Krwl9 z^e>vCa1F=GRlF-6;HkQ2#^#i*5MimvqU>F&7kMd6@4a$!F}&qLW}~u-k4hsdvQV7X zNVdz>vXRs%tD;h9fbCTkZ;=umV#6rDscwwEkRZIMwWv4sBAZG`;!KD~Au&q4pOzgq z35<%bryCWhFSR_>%t9pr)83ttFqDOag-hk#QdE}bL8|oC%wRg>$XUuh-_z=8WiX9O zX9hC?UTlWPtS+DO7C!4VE1en4Mg@FmH-*J=KI?)CWLWUWIJhEl_&$ynM_{L<6LIpF6E`=(e5uQafzIxhyrF3I3 ziHbB5{2(E5PSPz>zpgVC8rAM7tUfD}Zemh?OxfHe3YO1`B6e*eCMlaEEVQVM26=>2 z#8Nt4F^6XNS*f7n5Cx{K!JZe159J7};?zQWR@QWdo|rkxRr7{i{I|=X+?z?n1m!=9J4qk0oVmE z*&CH$(ma!?wL+>(B_y%f7g?T7nNS6EPD++%T)RK2Y^l45d=5w=L$Rn;JXu4?Q*P6vF0tw z4cI!OtYuZ!0BhWqT!0n3(jCdxvL)33)0v)R0M5wlq$$0X%J2%=9}7@}l)%9Wi{t$p zp?W~vI_3zYjLee=XQWk*k$HfF83~taWTrl*KhoSUP7C6V0J8w?pE*gF*yG%{Iu*cR zw`_r~*pf=H#3zC(!Ch;DcL%IRzqmCa3g_oHrGk_4=AKWYJN9jY}^tk)Bw36I$|F|H@k z94Fc*hQ!zCS|}jni0~qPHjU9I9o1S0#^1J~%FkiHKc(3$ANv8D>pWcj(!0B#rG)h7 zn8y8D7dt-sk)>!Zug51WovWaE>6nv}i99R{$nFOK9g)g{yeKo^_j>wroZw()+=@%x zSU@xKJWeunMHa8%wD@Va_~&mUgwts*Q}Hu2nvrNO{WGFyBoQW`!8KsF*BgyS0gE|{ zNY8AC<_j-X?n(dCLr9KRfc-&5Qq=f>i^?Q?Abj#>T#jcpl8eo~}{nh?TJMUBy{HlV}d<_RGGx)w|iLa=MaW3U1p) zA&E#P$hs&`cNvnIra0O@`^a~sxppiKFA`Tl?UZ=3BSf=Z0b9;psEu()WC8b;R0Hv6h`kxR@iNwj zJoI3i@>1EMC;IS=mOH)P39vZNQWj66g_%e|d(TwT4G10(lM&`%&=wm9O<64XP~8%c znCB_svKU0kr6^=XE+)m~b{!TvDGR7&cq*XElMqy5nVKJkbTT2S=t)Mw_j)?R9^6Ri zDa9xzH;Tid2SG}jS(Uj3!$LD%6h=7{LGq%a-7eyE8bc!bxX369izG-Xz>Ti+C?+W$ z(}-q*p+V*Mvql>roCA^Ifz8n}$a z;O!^VFBif^qlr-x!xr7bNB0zd6NN+c8)V~?+99nYmDj$;|ixBxt0`#|S z{im#*8FJ)BVk7Xcief@OWqr^YzN{F7~WKkUHd7g-c-Rp@BY>pS`21_+{ zhOaAionsQfFJQr__LE{*wAl>D<{m7h360@SQq};Hmy$lZTqGbUQ-XP!I*-b+D3;K0Yp{Qf?sb(KCstf(L{X~D^l?u&{4@!h`^T!cqD5P9&u!b&c=?BGl^;iSmS(T^_Xh`(vCpkjp>=W-(pt*r=IJVUyhV#D*K8jr2`}})zExhQpL62r zVLUxde+LvhfG*23mQoCk$zrumQ@KHx3r#6Cn)8E*&0~dUTjYjl+aE z48o0-uaq&fe;Kv{AMLtqr9}XUIv|Rj7(~u5FS(X@hMJ(Y)3TrP*ab}T>pr?<8IBOZ zU(UI$X-SQa_iy&SOtki(v;K}&^)ytaiYErp{95YqAY5GL-_jy2?ZCc16@Y9qPre|m zjRj`etybO{HYu4cNF35xambpYxu9N?aIW)SSMl7y)UO1y_G(D<0vQl;grzdqhiKjIF>}kg=v7@J$Oz73F)L84E zT7g)C1H`hkj@oC+(uZ6c74_QZ3{7w#PSjBU4a9Z^O$QY<%4s>F`QeuJU(|eswQI?nwX)2AbK01+An*`Y< zW7L4#E&Gfj6fqo@W}KoUj&O#?jAbaJYVC0Q=ais`1=>I{>a!%P8|}+~c^V2|;3hWn z9~Rmar#6xz%v~D#X&gkkkY?hXU>fdf7zqGMHEla%Qvw@XK{WlP+L(8m)fH`UEO)k| z6R;4X5jN>B$p30VxWK2*fj2C@5>o(O)S%vkQd=4fb?1sH&60s~t$xzVjYF$m`%;Ey zEG5+&1*n^3YBtJZrc53q-Q7sm=v4;2Vqm|y0G?nzEvl~wN#rEMa6!sAH*A<<>p78j z9umWy21yY~QViX8%Q4m2J5yTD$Wij0!q3xWLNgk=Pq}M`- zg{IjvqE|%w%RyZW>2S+;N^6-`VMj2|oA~-8PIs*)f$oqQ;Un zcg>NMXM(KqE4r}8?5gtUEZrsbHmd!o?mdBybp@j)^Gr<11h8FLYIx-=L^5@ZQW;0o zCniDkJBti8DwqRm=J-_NW#5dKq_C};f-nNffFxNJcg#7R#$LigFJ>X>KhdLkVu!(T zMm_yT5a9^UMz~yZa)}6KSIKfgV3JkkKL|?$mtFan+5Ij|a}1_Zjd58VLTwPuVJ_j*6lIIKHbNFJEU>xPivNJ=hcUsXF=N+Qt6GNx@APq{2HE(rkcA)xU%_pz4s zBa4a+Sj!sl)tCtNl|`W}BI3~7eb6`bt|S)EwO|~$yH#p7 zm*?X#Au(J)!V!*yhrOPMPV*?EU|yUnhyabv^o+s3;`{!DVf>yUB<&>QZJVew1r!%{Yedz`#&U2T( zU>B%ugwxHl7P0uC$zLaA;)n4>xJuCZB_Z}336T=%5v3Qk@&ux>>5v7BEett=a(M#Ca=K&0(oi0! zV1Y(7HjEo7;ZQpab8r+>az_hBwS|=hL3|-FMz)_T+$iW*K=CtpU#^>!KwVj(lEwgv zsgfpA8=d1s0K`B$zpQm`zw|$YwU_178HyRAalqyY&S>GW zV==OHL8&Z=Bqi6B<;A#s*D80Vq#%dDd+|}8)Gngs?%?-&7h*3G4fCYfSP14cT4?!F z9&W(3P9MxZeH0?OvXftnck-r4EdL#$C4M@JB9F%2`xqQmPN_1AFS}mC@-r3_?MOgqKOciI1Tmgqe=GW z{adFERqrd{ehA*L@`R&yEjena%~G2%^sAoXRI{%alVxVpW5+BLry8%2w;@SL9FjO# zG)O$@!f4N-%;gYg;Gk*jtu?_1R`?V$)a`;qy1{8E)Vub@kjD}Dce~syD7ZO?K02O} z;0k@xh!on9IKz=8f}-hYt@M^B8S`Ea22CCe9#ZC6ZJE^61#YF~-l4OMXxXl=sg;Hg zET@vZAN$nD94kqy6>$`RlXuHy0QGI6Jzy5P!Y0ogY<{qvw@* zvGi4$+wpPhPw)dPJ&Qf;uh2v+zu`DKW_DTh=SFvbt2;SO} zw=5r&ga%gBOL`leTrrLH&aUM4jxtn$-m7SAR2jacS_`-<*ru^;uH;q|&<6L`gauj$WL| zy)B|K(L$Y;i80C(L&T=MN<+QQ#BZIw!N2gj^L=0Y1Eb;I;c)+O@0tJoOLX$?$M*=m zdi8ho0a!~esi41NEAM@Xe~DP4IhW-*BL zEg2w)lO$z0nEB{TX)4j8azadTtdj?up@n+4Rh};)CUd2mLmdnm#19|IpX6sg`cded z;vmc7T{LFuR8tP;?l;Y29Y81+|6n-sizu{IX!q(^GbS^9O<9V@3&crQgbf+quOsa= zbj;$6e9rtdkB=azbhN8&U3P;B|0!j8B7NruBflq4dMXd0_{8wIGW^bNKx2+LLpa2V zngc`YGjEZ`glC1n5{CnM8PWr0e8DY0UtXT|#s6K%dty~LxeRG6$(RzL^62H@<)Hua z*|YtTX=)z59Q4IIaaefA&`m1M?FmW2!YI^G?NU31QxBNmNlQS_5pGBVBNJrB}0 zb~-;v1GaG}8Nq@WsW7cd_#OS1K3Hgx@KTBddAgTIFpe;a7!x|WjtiCEJTIh|I$rIspd%D8K!M#v$Cb{`Bz| zag4?BR4=2SKK>&0b7>(Ei@Y+~VD%xXJX-!z$m*v^rcY-RbWO?4F5*nPk_g_|Qp~W0 zvKix~@RC>N6*2KJbnGP&WQBc$(}?K)Zbu(oo)hsH+Ot)Fc@LmZoB3S}3#Y zOh_vl2g-~+p`Rto&2gqnIV2>I*Kh3>rhbw~5$_N84xa5P2ZV$wdXDsA#JKe-%hcT9 zGR6~vz>|dcuZJVB;N_+%|LE-GDL3rdyUIufp`Ed79;9jSvTo#3A)RoJEQ~=VGpgH) z&I?)_M8u5FS*Vk+Dgl}E@`4bk^|azm_CX!1Z&-STQ-3|2U^ZETKr++TU%x#q23JAtJi{58Sr5F_#7Y#R_U6WyMdm@)MzR&} zzdbpA^X}q}2QCpGBx4r#+wnqMBcM7pz5&OzX-f27qqjmKp(fc4PDwAMJWJ^~&nyCI zs3=Ef0|;zKTSph@CJ>+q$J1P>ep7Z$ z!0u!1={OF1Ml5z69sl3T$MENpGOmcg=z{_Tk^TR+-ZK~s1_#fc!G8yXLG{1GXT#_J zHhi|f|9t=X;Mv~ZzYT^5;uRXKIc}#X7na#h*j}z#qQo6-In2bXo0tD*dc_$hdw!EVfz6a@KW&`gadO z4hCs;R`0x`uWLQ@p8whZ+zZRBwTEWt5*Y7ibUO2lkb+%nCC|y6r3GWWH!80=7 z?I8s2TQm?dBUY~N;~cIXr0S}}GH5K8CkfT9Xt)pn2k3^3ttj0d0^t-z!N@1Gy+AMC$)vH$QaIp8d{vYCb@&x@qE-N;mpCUHKky+L4$rJtZH4Cl^ zS692m8635D!L37|z^O7V>f*@q0=)9^u8LJuzNv*A+HHvGpGr`GFCo>Ky3H*k9Hy?&j~cpU7KH`Prvn$MP(SUXL91PjLtCY3zn!~At{IG73@=?5Iko(Ob*s)6JA%77)Sxpa%Ocsy|*60xe(NxCeHxSEa z*mPC0#ckqF_zZ+GIsm>ffCX$-(axhVEUMQsBd%E`Cn@Z#0J`zvA^P*LTAxQo>1xrj zS<1R&??x9egcw8RcMd6@#*Ak)C{mc&R^h&3P)ahe4I`>I!a|x+OmhRF2wKvUP#6i z$Kr&P?mh1zq|ah{ch@lCa*vk8l0UyTYRNx6if-_NKNawo3_&@1D&r8I?jjOFmO5}n zeR?u^$KbA&#Mx8XowWuWv9&oTsRz-NeHelFpCl>q#9YvL>dAL{xt0@qh|IC%Q16o> zxBgcON1r7vX>S6-H_?1or|`4uqh^pRam!9Ji^GjwMo;uD#gC!Ruh zL1``pH+T;+1PUPYY-VrbW@(6JRUkTS!B#;BXYmHziEdP`c(aQlYj{(cg@S?9-|lX- zH=K4uQ`sTjxC(+8>ER5I-fdWLIyefed@iB8o4;%7&zfI>;J^;J+sT84n%yYw&D`;#X{hJ6lyiIv_@^VsJz z{iioa|24;-PvHvVEuGWs@5N6i@Y6{~<`?u2Qog^wmMdw>EAX2+IM5M@N|>{@Tqio= z7c*uyW+73&T;seMUBYbJ4pT;;q=kHMH6C z5Dl$`qnH;`jrhf4G}m##-;i<_R)_hKkc7o|he+n)Gm^yXO~%Yr=IEV2MG?IwG2xI` z2!}M5p*f-SL(CI(?x{)pmG|TFy&lmk2K3Zmo*b$5)L69Kgt)7VqCuI-Wks!#aG$cMXrkewszLDUL2a+GUTd6$T1U# zXn!C!O_QF7Xei#<#5qJlC$Hjphz@!PRROlwWxkc6 zI&fImt~&Bq*X}xUS*^RC{iZXYJ+HIba|f60-;v9dtaI|1`CA7Lv$|T1zsygYdR)p| zT{`K&S6#a4$WvXq>c~%(u6pL*hpwZ@QO zR$>N(M+K3kby|XVi1wZzoKkobB)Rx=Ft_#UGZu1j9FduGRgla2>amWRfmh^n)_=lD z1_qJpFW!Wu9u}V)^h!XySaCP@)?ywm5*G5OP8^zhQ&Bu%;IevpTBin5jRpPdUAgvQ z^??wLgUUJPxHt)Y1w=1Cb)DwAPk?#;YMF+{o{N~P%5=2#i;9mrkMNGg=Zs}552C)a zPOTl7pa4*@0kV2i%}Us3jAus?#hl3NMkB-ka;#(doA{zj=1G;&hcMiL^nXFydkuOuu~x32O=SKYhXCv&khyYO`Zw%GKp zDY@w@m?c>1wzx0H=&Ob3yt{>Lk;cWX@$Y*D&A1)b@KtYrZ6K|zm3Hn?nby-sC({_R z{m_Y-!jy6Zzg8{dBhDrnB+DJma2k$QLXHcX}g{J_8}Vux9Y>+YP>Sf#8bhjsb4 z>y`;+n&OJA&|WE2(GxC8AYNEqkLxijf>(5PpU%Ec~lu6mAOu4lKu?Q){wAMrifM{v_;`h!R+a^uGX5z z^q)B?ZZs&|jAjetJC(t#NX#WOFNvusOSwpA77Bv+eF|~g=LClfm6-Ajr#Om8)Jc6X zDz7PYJtK;#KgOH}UhxwrS^tTclM)!O@T}=Mh@1 zVr?hg1$&`%)~44a*0KF_b7IPQ(A`4*iGYB^>q_cvT`=^Y7_fS5QZD*76e{S-Q2mQ6 z#Tl6{q?%-8gf(toxoQJSPIC{cEVay8-O!b4qq9NV=DHS#mTvSZWfeF5ANx<_aGpYh z%1dDz{KGo&85h0=8$y-|Vx zA2>nBn3F>!^OYK9u7JZ-0`1GU7d4**1sc529tnRic11`+Qtyf^Ad84}P>^0MhuT{~ z8EwH~7wx@#so(R$`>Ls{`aoHl^K4T?S)KJPG#yS9@~2ZlxVy}d`mo&uz0t{%BX*iG z7~u?OvqRJucfC5dP(AXkrpjWUCTk! zO7~WAv=MrmaxxSzG!IE%Q{z|bhcm;+Qo4WYpA+fYq5dj|5%10Z!8~pHgB+sa-u^S# zY&4)YHH2<|Tw+|I3DisKMvynU^5l~zl}^8U(p11z1S*j{$}^^t0QM|rJpHzMTRV4d zH^v8OTcyt6$o8?^s`+7V?KF%zr}4SYL%4iEp`Oh1If@ItseAl+mG1H9)w<7c zIwjfh*@q6D%eF`~PDmP%I8*G=*st`^Tdiw((W5*{bpz*pu0eTu+i%cHUi25(9ir!h z;_p*+mGpdI^Vb;*(QC@n95w{>Lmo~^r%Q|`tt>1$v#$4&aO|rzwJL-Ni+4H~gLC(< zd_Je~Q4#xhs(7l51~jiMYts+kbp$wWI_Y<=5xY$o?4-mJ!R{+&3L*z0w|@%ap6L~mx`!mc~jwCCuh!nl1Aq~)k3=V zX=h;V)#vc*gWkdTB9FpiM~BRH>X-MIZw^r~V~oodXiTyjLSpn^`-8z?;O+0dIC$}Q zCy+4(2y3N)S#_c{PY-{K>nP5Qqq5x{!}lj=2n|U;Oknf)#iVjc(g9lb4oeVs@28vDD=% zU&vma-4tfbKp|MXaJV831`WWgzT}N}9f3e|u!B2w@So)SJ+h+~6qcKS>GCQW|8Q>Sn@H3vo}uSq*z>!qBjw4+p;d-=M$u z%tb)!yCMvxLQ0+IUkT+}F*J(`q}5e`&}t-y&rw&P-p8k?&8V&jFYIcq&+Hf&taWdTcd$z0hmbf{IG^xLs6 z3j#L3vb?i8P^iM8MudnS31;2ed*4F_wlmv*UT>pVmJF)kDw7fTn{+c*n0abIX^OMT z7CHBS^_$k9l&Wu555KS))^EuRaad7e8i#^_qsvO}{mLksK+w&}1d;`UmK%qvP() zu&uRZl+CV2q$t)jQm89pG?l4d(TA|CA6=Aq1{J*=&t5=QF88LeJg6Gs0QuuF)b@qB zm1SGWJjoWXY1$!l&m7rG+;R5tSZD1(W!jDkG!nUDWvNQUyH+L*X%GA_^VQ#rFBD&H zd0VcJwzhPgGLji*I#d8}(8ZySEBkU?1u6z5U2i(*zA3=E8ja=m}U zjW8Sx^x`iH&+Cy%>Lav0P4>h(Jo@!wSH*v(AyQG32%(>Td9y2iME{Q7CnUbeaBx-Z z1hs@CO*13+=2I3DIWb4l>v|3WQ+h3wZFJUvbArQPQ<{X24tgqg0ucE}OIkuD(+*F4qf>470FgeI;AyJXJOAH2{hkcZ=dJ0gj($ zveckxr5O+Q`H}^szdOyU{uCO>LLW4e?HZ>MoFs>6z7R@Rc?vOZ@hy3#&^R;Fs#;et z(E6lek2Eq3iJ#^C8C@L8JlpbqjNRx&_%gS*F8y4shQG~sn`GTJH#bP$YnSSlGWY)Y&4o|*Kvk_n?*??rZu z?)?{8GrEkB;c4ftJ7w7DGN?+g(RJMW%f`_KSR+G6SAfmT9bJdexgAy-Lte3QE0L9y z_U_yq?(7^oc`cujD1ufpN5|02&jDuHN`{WsEEjjpb8+`f7x$m*LW*^LaijjOZ*o6pyo%%}F*RIfsjbG$SeMqf=QxS?v9)ma@I$>jKMq zpNA+jgyGWI3ven_E!{0q-L`Gs^~6^$xa93=eJL$ZgXL);R6Z;hE{&P7h&8@jF{pOp zNS0OW#<~C79ohM_Dm|>c&D(v~QfgJYf0*6ehRNK+TX*RCXLruBwcegwXR&f)mS$vY za~?i!&d9XM-^<2a;gMSM5qP~s)>P7wRE4W`9Vi7P`hNIaUP`&UCiSi#Qf1K8*s!8d z@AgZm2W9Z2+PT_-C^x|2YlKm@a_I7aN{L--IOR$sR0AuQ_mA8vO}CNk0L!j}>F~-< zDo!=X(iLXu4799pQd>Hq)@9v2#n1*galIr%t_i$rx}kQObQo%#WJJq*UokDw@(x!{ zP_(?uJEbaG-tC=|7U`SsYT_c-0(0g8fkYneOd#$AMy_li`|#eC4#d3)-8G%j9hi5M z$&NboziQf}4qdLE0I5T#cT0uTq2s$HMJg1EYGS0$e7p)9?{9>S@0Ks=4lKN>Y)VV} zUM;WE((YExu(Y(pyX0D0+UZ@gE)_S7cIG9A)uc)44pv~-VFSA=(cP6_Hr zw5zX`=|Xa70ihUy2PuZoej$su91Ri(Y}oqqPvlEKSbxd!{;$7uZgS;@Wktc2*S3XU zv~xXIJey_L266SPii2}$pD67FbxT3ph^3$Eg&_mCDi(z#yU9&}-zg4_HbV@0YCOF-64wIAY`e9D|4P zYZgFaah2#Jq5eF4LgEk{Oia8qkloRekZRRV|5s)hl-PkxfL4fd1os^ejg|#ucif_) z7Lj(L)Fp|)Ge-J;f>$zURn9WX@dRQgmgx#gZa2Y;%Jf&=Xs%tejKxD^oSoU z4XvbJT4mNT2~Ui7Ras)lVZ+m^6Iv+&kRdGPT>e{{`DEVtB#9tB5C?YwuJc)HxnhoO z^rWsEIt(vgpBq4&nr}LQLgOjnRXWtV?GDk5#Vl2++4Oyx`L4LhEAsM}OU<#yF?*_o@wQBfgYH0u5Nr-$eS&ac}s%L+Z#td6sTw$-_i z7r$HKu3K-7kglyA(XqGLr-yz$I)8Wa?x!9|p&yFNd!e0fDPS%a33+9KQn(wLtxeQk zmAd_c<B262G$+9f$CS@~iNKHGj<2rg zQi3^)`7XL4h-WE_r_loOd#986QInhCXaOjOBQSt0Vf?|MBW`-#*9WrzR?(KVIvZOAyiH3eV)^_Sj1 zCoGECjTq+jy9>ElPEt09`KPg!dF@b6^`C#La=HX_vm&Q|R9RMXF4oM23 zAC;vtXCaB?G9)TeK*dImF_$@Mv|IWN^BIk&e(%3oj^=ba%OuO*U^xaf4M~dTLXE@W zwOHdJN?D%Kc-mKa0HirCNm3>N;4&0(9*9;Xbt=~r9FQ?%SAE?|;;C{qWF+(w#v<-< zlI2OyVoXK(>fv7>xJ8pordX~*7>AJp7>VT>*Zy5Pg&+A$f;=M?22=&FxZ<;`d`yBY z0-p9JEWN>Lh&-=6XE!kz;@3g{&p%O;(m0!-t^dnC1<@ATUdp;c+M^W=AcrfoMgJ}h zVtE?D#2xng!@U>&z#sU-Rr=|xe>x^lqgODw50VjQMD{HgXH(l?MuIDqeCrZVb?Xi6 z|DE)|f6Pdf2=SXGcPRzmuKx`O&ky!1`rmLceDXwBuT@or6i4udU}PB}X!0?%+Cm;QsBKrW2%c`V z9nv5}Te37cW7$@*4CPo`vV3{@TK>JGmyuY0UJL9c#AsU^1ocve-*(zCv3yzA#>nce zJ7%k(M!SW+v?ARQVzV~-4gIb?#j38p^hz#j_8Z0f_)=yyTy!;>UK5^)+1A8X{0V9F zYz}tM{t}|>G*iWMl0}>2vx>QfS27()6HO1bP{fWbe+L_LL6b>UyRD=s5Dk@{sxMNz z?D`Fz#_EI$_(t5>{g(R2R;NxB(dq;|7MriYFDsJp>Rg@RzONjzRfXaf^3`|oCWgAf zX-wlO*NHrQwj6u*zJcZnJoZ~5x3Bd!= zaDr*%w+f+(-lS>xH`NzMhp%MPO6M;)Nd%PTyX~dAnRUzorrcQ1X7$a@_AJiOn}$^; zw-mDbM;Z~n;2D`WkD*N!<;$)5Y>9@yGa93<|B1JZrk-)^Dcb6fQE`U&pZMd^+YfIp z(8r^nNIkP#j~&4dJIH)4lR^H`cSvKfxiQ1>RUUK}&!prM+t zl5!?QuZBC?RG4$AbGXbx%Nf9xd2}sqs2ECDSgRmND{ItczDC=S3&#FUTQ=(}(EJq$ z2F{{FtEhllBxhA=`pRWglzbO`G|pjBEM61Z9CE6*$>M*X%D(5mI}%P7;#Z&MN=KC;GF}thj}?vn1-&$=`OY zp{nj?Ehbr$gltY@642L+whecAqKmRPU z{k2|b^(+Uxrpt$(;aKH3^vd6Som5Qpe2Zclha}F>Gvt;|@>}J8V>YRDo+Z(>-p%5W zq+4hkN$U{2-g0-irGinn(BIHb6Ey0Mp#e10X%$-8dB4^N)f`|6yau#9A;F=UeoMMW z8Ckp9=E!JgPt$=MC@pfI8#gyq-MmIHyW)v#qKmsoa5DDacpf!<(1tH67`X^OFL>SZ z_*<1RU!uxZWgt}6@vOF4KIP6CFFQ15dZ!JV0{sRz=!WgSywudqz;MR%d7ta70fy|^ zhW#1+&A(Jc_J6>foZ)PSw)6+EZEfuU@nk{_p3hssb`x!gIy7_0leYB%%Yq{8>?34 zI_ur+y@b`jGptR8It|Dht5>dvN7KmbV^y#1ShRGMM>N#7mJgSWY1dUOT2-nXnm&2% z50>Hv5xY)XQ#oiQR1#PKrw$QECJ@3X+t+g9Vwra1BXb`Gnhc&qBx5t%3 zUi(F}--uzQYFN>%T1ji2qDF)02O^e)GeJpR5+DHoTG&X^hi_3L{2aV85?;jrbuM=TrB}FULE5b9#Jq z{PUaF|2TVpe)*4gA5MRGbKW>^ZE05vbv2CE@$Byg?8C*I^LIz5Z2ucE=^bOOv0=LN3vL?tZA(|Q(-0L3;!by&k_E{H3$933+nu%!biL8va#!NP(+uJz&_FPudI(==EX=Q`5k2H2_r?n^28flGbbf%lzFy!_W zTG_F_@B}WK)rd|=um~dZGhrH26hz*{oiag5IMXA#(yRIY4k5(M~+N!K? zPK(}Cvw2dPFtZST^;ee?V%EREqo(P$6xVxix`pnfaQ?Y8%(6-w9q?Cn+ite0gbl4= zzG=+4-^Gm6IcN2X=A32yZosV5s_a#Xk6LxTrOD?uuJN@cTf8sLuWigVHk|fM)Ay?h zI>)}#9yH6cAl8(@?#qiDKE|5xRehtOMFM%)0G zJiH$38u?EAv3a$%R+nQH4Y2<4N;~axbx4)i-k7sc(chiCo>Z;h`dyl>km~ZhMdCRJ zVulvEG32a1S47bG=e_&?cJluQWW0#-`|$rB42B2Q{9nUo&t5$Ge?P<{crAsZv=-+| z&ukPi$NYZ}@;F?Fah@?A z;E2XkBeb!5(l1!;s|1P&_A(IB~=(iOwYJU8rUkM223k%w}^MpS!|S%q3^EQ6J&Y z%RegHsE^7Dur61N;zOCI_ms?8S~!_|C|e}tu*iqrvyUI8%3a*K%7Unta?Q#7nxw~U zoQ{~G#x``*A2L1|6IRX!#q^{qQ%3F*-_N%53?$Y@0W0Dftti3>I4^k>(dn@4>~ z0%IKGH@qPr%JYol&(;Y$KKpRT*$R^UYn>_ssV_87E(n~H^e>~#cGCZpF!A_xa2Gvr ziT<~@KRl?O{|<(GkNV$3Jj<`V%zgBFsFW~O-@vVO-8I4IEy~h74$#3q{FBZv^2vmL zMqA!iM=fnb+8Is~-!3*2uzA8_5@+_U(^ss<)#5F?>2(_ccm-u{+1A%qoM$zFTaDYU z?i;LjF2J=ODmSAdZFbL5fT$&%Y_-UeOC4`6IR&kanocbPRX(z2z_@R9-?KJeaWrMc z?U`HmnKGK|9(ilX*s_rCXa7=r@t1fy?f*$QzDN7daQLE{|93Fl8$9m+5AitcKVr63 z&dz%^`y}AM(v%zIjD@c$Pje{c{X-s3Nkfv5E=lhnNO#cNKs7`#9E(%^k)&2c3R^(& z#twRPHgB`hz!&)QhZt9eu-?@NaeQJ8)0&{;ZuvPLh4t6c# zc#7ljC`xAdT|P&{!H&&!MT)^&G(LDn;=sI{E^8eZM{hIx6@Oc0G zFwg4Ny{|~${>laRzlaI$o=k5WHMu!zt3k>n*T&guZfmpGEw$4%ZPg7Q$_i)Baph0z zIqtTP+D>X0Hq}Jtc4@}4R$#4WM>iv77vtogMLc*jAe9=C%?*oEhU)H8S6RGF@nk{+ zM+}bs-r3T25m}vpRk(%PUCAh}KZuN`7jVmaj^ioeI|`Gg-<`-bHGW_`PR?A=H}Htv zq^lL%a@4Mwv72i$It|!XXC`4i-Y&xL0DObk`Cu0M)vO^Nc}gu>Jm$U6I%&fb=MB-ytZm&}um9ls4}1IPx!c94VM* z!|=9rzY5^ria}}>`9Ehd%~-l=`TuP1`JgKQ#eW{<{{uXZ``=}$!xcB2DsE_S6;sSY zk+07QtQM$bTXazSsWm=-X}{fgxEs`|3*Pi@kftlaSnP@y zbzuZsqYmQmns?1_MT!1~pKkiU5gxbk_>cYlX9uo~^N! z^|;DMFQNZEUP51EA-IHvr#Qw_GAD7SZuZobQtb!Zqt@|Z^Od05TOCy}Ryymt%GTNM z9*fuIkHzaAi`T7i(0nXj_gK8{v3T8M@w&(2b&tjC9*fsK7OzuO*l_VWqoz$Fj>J48 zaX@M+PsiGJZQ4{@_cDv-nIH-{iMA#?myNxoY+W=l^PW4jo%%4VCqQrLV`(aMT{z8n zB~a>*Y1|)UJ~Q4!5wJ=-j|7!Bx7ObX&96e5A}>LGz}5qUN2N{1@?d5)=*zT8|CrFI z+IT|a&}xgkxmY?$HbX-S3&ser)y^a{q{$s-O7}nxvs8Z&o zD44OE7$~C+LixE0Uz% z;hnPVwso`d$_wJ0U1c_-^n#1smY)TiB+7b+rId@SL) z&Sv>o!t=3&=VJ-a4NT-?3D3t8o~s^2N{B7OB`LYcSW=}X`CQ%~mygqsDId2vv;4Jc z#MJMrrcC+tbDlzf$rX(v!#w4ETz3{Iyg%t=@_(o6WT>bdB&mR$Tp- zE3Q7)DSfO{`dFt_J&$!tAM2Dp)+zl;>Xa^3+N%t5XPy0Dwti_tssKj;Q}kHD6kc^z zsU;DPBTVPo1-b~gth$;bm(uNY&2AmvkuhR@YBdee$@#LQouer~$NJE>263ziw-f5R zH-B5)z-nN(JNDZU*ZsN@^Qeu3fN(C<=88*|T_V+*?D7+vG%~Kyby#o^trU%xy!>ZQ zc=c4lGnVQDj|(79|8U-twXBGG!1l82S9e(!%ObXy%#@qM6*c@I!n|}zHimV=g0`j+ z8{??_QU2|aZGV1yIbBwHTH-(b8Hwg}8ncwFH^!3uFN5d9O8w{I!NFtxmxpv;Boyw$n#(S$MZadlf+a0GsW$> z=l#9cdt$s$av((G1^R(zF`m<2ul$*EgkuEp;t5G7ES=*xAiF4}JWJ^~&q%0B#UeHq z%Lj=Mg@EA;o{{-3nv$5LG(a>)G0yUo?4og=K~j`BBq5rx6y@T09t*XNfN;ta6fOiP z0lFb$fk;FHrNfRF2uBgQrZ^K##j#P7LnfHkWdOxN)m=}7^3;YgMSN}@x#6n zBK}yR9i2qzPb6j>1vo}yB4$->jW9k=lFI1fjUSTh z{the*18Tt(^CA>o@P>c|9n1b{tfA#T5cw=6;-o=2%?R)HJXGR~hW_yT|LA$LgMEL` zAN+@!7??$kEOg!LU9w_&#alU5fP>^~cmp(HE;+(a;ciOs-0U zAbO(JdeyZ{q+?kwW9j6I|8#~^JST$AzimHBia&M`C&17kH#l@t{))00&NL6`UP*|; z9K?b`O%BuR{T+Sx-6c)F`|c3Er92bjPLr7{UK{~Q#87fceTZq(+~xYGen=vc5%}4h zD1*tIbEZBkzbL4zX^c`bXV-)y%_Amhbq+3$Fy}0wIMYj@i3jpi3{d_=dsTjVu8sO7izFQDI%JetaD$a69k z+v#E?M^^~GX2F%PgRIaXhfUtkgP)+wX?it0+Er~+?XJha39H5tIvxQ8a1*X zu>eOS2@P2PUxT=>@XZ_Xi&EjiXrOk@ZE}sH9Avf-4FyqlR)huwiSY(#V;FjEzBvj* zWl9#H=v_sEM8eXpdRN-~`BxJ(hP8ZTLStJ0Hwsb%G;VhfA;sUoKT+8L%~?p$wg4$f z*_dzyD`za)aCs>s_SekVuXO{p0zwk+6wp9;%BU3@)s2AWSoN5(aybb|O0~RHsSA@E*Xd z9fU^}Ff%+IIX|s}nc*qgrt^88f%wVrl!G}VB|;j2DQBfU!2)yWANa!;UP#6i$KG)0 zrF+juCYT|e5}wr{t%E5W>V~dA;!M%`{+z*5DX4NVB1kEb{EkJ;w0OZ(y8641#4N$&QR z9}(68v!W8z!GxH|dYckVIzcjSQr=o3K4Ws`p!3}zcO&4|!y z6N{SRoW@AB+#qZ=m@O;aDqFi8%%Z^UmjKgU(;2i#^^0EGV2~+c4^k2e7Qhil+w+`f zT8lzhvMn6&NA+;m5xOFao$g>3s-zpk;y7!VOf|GbB)+C8i@~6LjZ-QFfjr-YpwgEN0m zJkVSi2bxt*Bj#uicP_cFXEiHc*JH>x^fXxx%}mLS0u8u3pN~muU81fk1itVi&J{L_ zYR7R0mbaWIOKG04bTf+OgFJ!)!@c3KatLq+(YW+%r5W0RFD!OZ<|}23TQthj+|(u= z6o3S%IC@PYyihp<_0`6S{0W8PH=!#*LO~(NZK8a=&n+7559&q=n*xcMFVQ{{%2bNq zB z0~HE1Z3fQ0;9EgmJ>4kKv>CYff^UliLLXR8fu_x%X)pMeXwa}1R4CB288qz$-xvj4 zdx0w&)^SEG_5v%0^;_Br8t=I+3N#)ITK58rC|~i@a4xVY(0D9x?*-oq>gs7Y7g!W% zJQg(U1>Y74y2ydXV?pCy@Ga3mP~iCz9%wukH0}l88Ug&x1YeVyvMMQLg4PK zZ_v5rQ_bS9jU-L}V2;cr&fQQ^prQbLOC)HefSGf{X)!J+V6pwTgnuIi>|Am!7l2~b z3ltqH&^F(J8?`)RbDR-7r~r-0gr#urk0%)^M8|_5UBSUgfx@rRkLa9cO*FXG;ZVv6 zQZ{ZQ%h#tFE~S8u-1lX`TSaOr3P6)GDDGRMz~1wNQ(DoA9TW(X++icKDG((2w}rl@ zz+hgr5j9s-s=86DEGULYC=2;hq`yYG%)?jvG+4=+i^5bWa6vK~`=`8)y{;$oRX%Vo z7!0cvSXKd~I2+b^pyc^)gA*EfV0o<`Whu3JpcVVF%+FW#tjYs`#yb|DGY0Net5QIH z`Xy1WJPkZx)DmrRA5cLPM)a!q4q;V<^xJqEqE?Ec!)^GNAvG$D#diG>o5FpAzk#Pg zBeF~BwrIs>>Zxy%0Bsbo>X$b8FP^cmC{2qJS?Uy>K*Ev`(Fq#qA4iCC1ix0jgGZcA zvXM9;jApp*aeCiRLtLA)D6Pwf1Sk+^)ca=1aI43*DbP?7x9$=Aj)kPk1V}XfW=PN! z_vtM6>j1StO20T400lr0qARixr(sASv;_UH>FG`ZIa$@Sp+Nx^tDuRnj0wJ$r(riN z0bcU8CKGG~i4Y2$)2Vbl{x+V5y}&FD-R@CY@BsftiO@g+quzA8PIze)rv7Fr;93QZ zm8xqtBGnMdmdGq>?Vt#kt#FVs&e4M9X_2Y~&sjW0>UPEpA#$Ai=#4vE``#&#u<*1< zPU8rHE56qL=@-gVK4nov(lYy8N+SFj(TpROhB9l?G{-59GeS7JnbC;IJv6)%5U`ltFd>5}D4}LX9SFyxu+hF3LzD2F;BYa5PDf`r z#Zg2eak?}9Fep$h4Bn&@>bQYyM#|U${WXG=mtuF&*@DK4ir&0iZ5$I4>Q91{!0b!A z@=Sof`KMtww91t?O9CtPftZ8hyL$}T-SE>ufz~?Y=Dp!btgnrCQAX!7%5+MvNi613 z{4qD@yqsb^0zp$TfJ|iZC7uQfs4=a#A3*n;2iaDWKXT*-hoP$jB)5H9QUafSF^wRU>*2Ax4lDhO3ZX88H=6 z4jImH7*g3p=T&#yC?qW0ULk^Rqff(bSgWVg7~i-u1yp^WB^Qnl_cTyIXVG7NE(k*t zN%ft1O{4_k*D>Lar-1@??esP)nN0!l-M55(%h@o`7!R-zXD#l8r9a`^DG-fb&^Dwr zObNFl>JQOYEogr0VF}dWPiRtLPUCYKd{<+J+YYGDX-wz&9K}Uko(kprI<|r)zha95 z`14v6z@NW%3b_1=O$uZ7k zwv8+f$$sWGC*f@A`hPo20uwZ4*DXo1FbL{nQW%NvJ7;1t>Y%IM3hy z91H*w;EP1bvYqUjJtwtDybK0|!C){iG&xo*I&Q+l4f;v*Ic!Q=6|6@l;*Xt(>dkn>kD0pi3R5^5pc=1t)EEq<0Rv8k)_x(7Uef4mb&mNWE{r z*1-b=?tSzIz_Hf61CAg);Wx18BIpTL9P*;i7_w=SEfLIf?F1BqbQ?pnv+5SAwoUa78Ns*?h`N|} zcHN7yPO+dbj!F<@Oj62nYk`8-)ByoL3i2BveLhsf#62AYf=xOBKJTE9Hl#7 zhX1-KYnA@3)R31*_kXOs04KMKj|K6i&j^m*bDEL2Nl3h3FKfn6|79Ppo$;S3(Q!Qt z+@Q<9{GC?zuFCkG^;tFYl&ep|w9fcTw@J1A3&+;x1{vF%!mJD@#l3nZ2Zf89r$S*z z0^HQU;tsm@Dd7_elCW4ayk2G04F*>;Zyz0)qgs0r^vjhf3U}|+(le_4`!or(o ze(s%(&h|3~QC%efyM|DpNrXn=_o6rPv>?tl45|T!hM2m=+|`V3VJP*y9BYl!#0^5`BQ z9DIw>HH3*@d2|mDMZV?eYNE@pH#!xbdc)f8#^}TgN7u#`y3OcJJH|Y-wA+hvx=e_7<^qIl2kSI1SrLD0a&b$N^z6 zvGGI9QOenbWMeWFppfF(U5~MitYSvjMnbV$E{;3-SngUlslc#YRw<8ek%VHmykK;9 zC7e`Xs3w!~4KSB=qgyPYv>M&r2`AOj^@4sc=sEIAeu-H#y2TPotI^$^a8e!JQdz|v z-C_yFZu#VnC6VP%8(F0~x@HN*Zu$Na;w%{5Qdz}}t`gcDUN=k81!bNVTfu8Xr1uf^ z{03eAwf~}V%X3E8G89eT^4B4WRY%t>f2}#X2b9Drl-VYXiW5Tv>OVjPjcWXZHAd$K z#>iV%(IHxl?9QTNRO4H$JGwmR#hRnLi^vzN%w5Z52zkrPb0VD9h}D~ndbIxNnj@N; zmLERfK{X;{+tD>gD>W@Yd@h4(%u)Aq^XQr*k(!ntK2Je4y0-hdd34QDMor5PpM#)k z;of$1%@IUR%MYJlplY+(Ji3-i1M-$ziTYmVM z|EuuKmVx~9mLEQz|0-OiWsv^7<%f^ee~ZyAVVYk;9R5{!X3OCEdCN; zGIuS5(B~~bd@TBvbYkrS%$G;^fN|zmAKlX6@#WDyU<~-LPqNN2!BH$Z zs&4g8{4!U$zgzBh=C*uSE@&%_&T>|3H@d}60!7QU#>vgpdI!%M>+UC((2VirdX<;p zP+@!>bTxEl?tNfu4>?XDdV(IRHpVY-@HQnJ%X({$uKgLo9Ua`ArZ`*}Ck+aeojNK5 z-PXH89xUaIsH^k5iS?`m)>wCDbTr8bpW(Q1-JR$H2xsVeOv71E*;WL5T&Pq%jdDCr{2gH$S@879FM0sn=&sW4zJ#uIQMAM8>pHzv5Y!b-!_)=%uYuFi3eLM zzf>#D4XA3!K#;Z$M<00}xBL(c?=JTnkI8FFei0!Bh|~ z3F=7xu>-GCEW|bA(UJK>RZUqjVA+jLAt9Sgh05-`XX$Uj(R3PQ#i9${wm@tmT4ieLFELWU?R>+f(flBP?Y5NC>Cjq*! z+ZImicB5K8D)OZ4poqjIlbD!S-NOXhK7A*;d0b!#w;HR&5GTHB2+?du!X`OHb!dYr zjWb_jU(NxAh^ura(ZOPY=&*>q6m&YrF~o3CxZXh+{qy*zAJLG;S~;VFR#L5;(V^{) zxNdO>EgGeq&8U?7R2*kbgofH-DC?2#Q1>0o@g#1d%>O~po?X!N*|S6RPc{XZ42q0e z=@+Y+U$?Cv-A-p~3%zuru|lwE1&n$TkqpyVD2LHsbZ}TS6X?V-VJ>(}#6l5h#sM70 z;w)o!?PqLvnnZ+4DNLTXp+R4^;aerUoz4l6x5zk4M)BOXk2YIH$%3dLq}rKr#h5IY&uq$sz81RW)GNJE_DZkez^ zLQVm0G@Hf=;VN{bBxZ0Q4%9sUEC@Q+(M(~=!Sb?*?Ahs@IAK~X_%J6Bxw+W+awW>P z;U-p1a{!cLHXDuPfQ^b!ba!O^xmieNL$$VwBI2rw8C)#C0G-nbjWL%?ScR7@2N~7P z;wW+(EeA0z+U#`B>>X51l(WGBAE<1J=^!8}8&$j%B~{qk`ZUVWYhS@`6Ql zm50FErOA+Ek?|=63N0AIt`k=||3!S=r7wGP)|jS-bCNkpedKJb+$C$Gzh}tC6 zA^UZh3KKfX!f%m2BggEv=mzL}nnYFH;ek9;J2{1nL}i8jawefbQ-PI$GC-Ofc1Y4p zl(3-^5cnyJ{DehhcgytVOD^Oj^O0ydR_5=;PO$?Ru-U6ldgF9sB|OlL?WkXN`-)Z) zCxcEA6%S{w^d^~}J>)vkO-@vu*rw{5p;98cWDl*3PE)O4kh|p$r|=cVWZ>jW_;W9W*IRPE9@!zLLUlfh;YuhK-Y3gC17$=VKb}>css?pL~@Q_GR~&*1T|(XQ>id$ zr1YWHy6rgP5dX1TYPI~^x5ne^#x(;(7jDr`XA!3wvui*T!Lb^!T4V+xoWvj)WDIH2 zeJVhHRx1yLlwUxguSLUx@s5bx&SN7(+0}h1L;BExPlcEgp-1*}I^sBjF+rqChF%1{ zpr;x91pf}kMdt9R4giA8WIsmm1!i3A1_{LV76?2tk`WpbESIp@kp&^UiB8%4*o9S=%jhPS>75sh3B6nXEp&2Ny02o7$(=yVW;Dx%X~HetdB1GNR_`o&Cgb2 zJOh_W&Zemp1rmS~wyJ41zLZD(KsIU4oU<|sWnt?dCo5hHX+U5!muds6k>Ofx8U~|oy z=6|1jT&wYNJ*#Oq^47NrTn!A)Cn`qWybW&+XTH~GXmkz`};d+ueaCR zQ5+OEl||Z^=D;DttEdvoY~g&VDDM9GS%i^NAORU4co)Q2&Au z{ZSqO2hxYPZi1iiUCO^9fD#825p~b>btInEf#4 zqfknZK%N~*Jd`Ald1M4|gR9qXe+)XEUw$N*Cu%pd=*b*(LC2!DEIlQv*T^I_yXBe0 zR>-hqSN8!M)_#5fxnStIn*Q%_cy*0=B#*?C6lYXPgGSGlXTOq*8%z`=5l&b{hx0X`wah>QPhH`v^RpJ>rRaj;<{u46thRQ8haqPZLl#1c`!mX>aPt7bLjEl@Wb%BZ zj zqF{rBYQ=z3{$!rE#jO9Nhs&SIPv_xQa5ejvojtcx`1=-D%xAZ z;T$ZGkn34W)Cm&wUlwENe@&Fpzgx;kAr_oP7&cvG^OPL@E?9#6^yuj?pFEa&hsfh( z!e+$VL7qIq$TzzpCE>2Q{@jHCbL!?v@k{UXuTKrJpdV>S5mH{PG}FQkdZ$_JUeH6^vVf;QdENi+z;xj`Or|g3|&?VEG-_Iq^v=AY=%g*BXz?aDqSG$s=WX7>yBUEX9|4p~RP6*oQ&Ey>cJD zUaxoX{5kx;*Xx!4-|roK`=|c%{rwmFFM7}S_Wsn{>-WEX{wLJClM$DmspO=8>fO4p z^5DLb$1;yQ>>w0MNuKffAv$qnj}A_$W;BOrw%5UFn*ZDj`oUf&Dq>R}qGR-V(UkH0s;{3=M3QRj-x;a=~s{4v{{!bY|{s zKQ!4sJ{x*k^MC7xbJaeU@c&-_;GoR^pYQh{`Tu=9TU)5a3AeV8x+AtlvzI5kFJI}4 ze=xn^EF?k@5yTQreG4_VL9$t=GTV$HeY$#m!fcr7gI@ zlJ$S^yuVjk|IhcHzj$2#_wjuCwEGOr=;RQtEak}%4!jeImT*iC(X-vppF15{taC=P zDVJwJc>qK9MWwPb0CjQa(nkfL*5mcd&v9#?OP9d zYM1fQHe|K+zB@kivoa<`Ev)L`Si)xW(~`FkX2H+C*ve~1y%#+Dup;rMkk|$ z<*#2WJt|A26zn5ai6kL8>?o5)IM2UUCqE-CtH(!IWPXS~eL}$%nWN92JB1-6(=HQI zp0-}AVIFpDn@Kq;4(h`|-^w^G$$n%P=mz~UWf>`dmDNcSnb+5Zj>g#`>UYcszdDa& z%%fY)qio=A=TY?_tC;Pm{WQuJOw9ia!Y3Nx{?{~@3uf;Y6PM4KTW8iCayi3M?6RrIn-tEz_6s>b&M+ye)+Y&&*KCLQhPBV|#E zABJp_vV~xwqBaW;G|^_Y7pu`y!ydxqZkOjmsj!2IgI0S{VuBxrO9xNDs4+iXH3z z7Sif_qhG&ZHn&{tn%+*w|vYpG{u%w1GX|+J!c^ z#akTk9?$>x@~mC^M|5#U|KO9 zG`4K>7TwEcdT4bv(QaIvrJRD@b$)SYtmq>u_!KVc2GeLnvY_3ZshIsi(VjDNf=p(F zzhsjXbAr6T^@F{>-}9>SLo*!&-Mm4N0g$J<+@19YB*T5rMQc-8Z)3PhNOsNml^%FI zEa^I@DS-vlTD&7)7c=xbP#^?tAY#`|kK9Dw3?UTUC63!xi|= z?e}}t;WQgFPXDFCM680sMb$Tl%9m%a+9ELI(F*vxJ?Y_;7G%E?>KbZp4r|A!Cpscj zOWfg94Ww=Fs>LN!l#Qa14&n$J3075XXeK#OgT3D@dgKtD-a4 znc6$7#N1v5R~mAfjCN;xP-F>mD;1j1y0mip=@2O6Q)0q8fJcDxnJHX=_JjRD2c2U` zU9&)j1yLenIpab93Q*bjQjVBI}Y%Vso|ceERYc8gHn=S36+@6+ec z9zwa1YhXO|C0JD0eS=>aCnNF^l*JItgWw3UA^P+QX08ba^!YOykPuG=Q7wair?w8i zBFaMcUG5);{>NA~k=Fjpc7S{qQQJf7%Kjanb@ac=DZ8ER*PoW#f9?05_e=WU{pb6S_W$?twA23r zo4*)yHXV%>=TVGiYCPd}019=tmq)rX?&aW`C7T2WHXy28(CPdv@Q56$%g-5(X#~Q+ zYuQ1shYpV_S35-^p)G3y*>Ow)XfnU@f^R>-O;?Juageb*ELpGTAx~xH%>Q_UC&WYE zkdiopDypd8>v_fgT!FBER}l7BfUuuKSOG<^Q{xnzPfHaNdsz8(V9ktFQP6cS%B4(j zX6%OZ_-qg?L#S)#a&O2-dMogesTrUjsfue*lt#)`U1%p>4l)O1w^ae#6zS0nU9;qA zhO#kd*JhKH{c0$YpC=Wx`#Z(pKCBBh3y8~5T3j)fQ3aRzzcZS^<$o0m_5~_VqMG_f zVhnW5;^0L5tX(JV`-dk0qsHms5%NAHr^n~#@86!iI!CY1&fcD>pk}Zhb(l31eTV}V ziuGGsRrT3v4IrNRnSBx`6W+c%e?l`d{rR^XVM@}HT37$&=(9yC~ zT+6w6d!>CED=|+{2ti{u0`~V)4t{`k7!w^9OSwr(xH7bvm?OJe#o&EKem=y+^YeMp z<@L;nHHP?2sgkzAaEet4@&*ktjUTVozvgEh`48eeZBG7se$abSmjCv@-G7w-?&DcO z{M`|^P>|Wvm8$<#lK1dfwm)(auVW3I6fZ4>T-xrDrH;8{-O z`l~rENb|%`CXf|2XQ(9YY0}G^b*N~;LRye4EyQ&5c1vdW7?L+rVS!VY>oG)mx zKA`-!mi(`cJK7!qmdXFmzpdzh4|?SBu;)dmyl*<=Nmsu zniZgx$;nSY*6sV@(UP0+Ivcdw3vtHLHu=M8yv|ywTP@XWTBJI#W?nIDn-q%gaw47Y zFtg?BbNvmRj++`pkm2&sKIX}#b|R3crqZkQA&XYpvp?DfS`t;JL7HT4Yu)18FlIPA zcwYW)x&uObRkCH*9SgAo+k4?k?sjL2#b|feO_PGl^O-26G#I zs$22YZo7o-n!3iG0jfB3?!lfLc7eAgu#t;&9WCchZlBsaou$}5~+!`@< z_0Aa?7LmQ|-tv?SQ#o(D8p*p``Gop*Gs`Dew*8Z8`b_0&Ely=tOAXpM!>6r*FFtuK z=+)d(Dpobd;s-KEPSai)5jvBux(eZv&9|zyq`2#onZ?4#;e>cyo4x&~7^AEs|7#cE zP3iyp{Yw0w{rwjQkMjS0JS*t`Em%1jJ$Cj{1B zWFo->Z7!&yBJQd>)&5MfQYGe?>vSWiRm&^Z68VF1v$Ucn9T!` zk}yxLYWvZ{wZE8!Zi!{MbsX_;i{4dH^>4@!|HGbj_`f2X*6e@z{qKI|{&(-u{_lRC z75M+_k0~TkC?%g&xvv`8l+9!OqKI~dhPuE_jQA-_zMT=yX++SCl*5t`9qhxObaFl& z4(Uha`Bj--0jU$+tB}EYrch(`j73dGOkkwT2B0^T>b<4^jg+13fvCTYBH{*dlEyeB z$osR0yx+X_2ZeLQ4X1HDM}JIlOovn+Owtqv8+6_i)w)i(b+8YE6uAkyU=w0%<%(0I zI<`Oza+89C3bd_J_3F*JEDM^jl!V=&b24-z?dL}J7Vc@G-~zmZ8NCEvL%SH~vS8&P zY3Rg!%xT3hxgb^ww8Fc6gnW`{i-6YjYQdSKL$%^=ojI(|+m!(UR}lTYN%Z zN`yt)ov)G>n~&0p8m+8C1!0; z&Zu7$vU05GOdbQUJ~aXKmv73@PA!AYzczB%<`NES9ULmSSKu~HTOBxZX`5u*VECyh zkl1#Esl!BxAS!yw@)i|zo61;?2i=vZ=N{z0b>x5Lk+7-z-~K`W#eP}-fAQ_NkMjS0 zJS)im`Sq`wf4yxk*f$NGI9sK;P(9cFEp=*Vw~X9UVIz_JL#-AMd6Rkm=b{VVQd2&9 z?Y!8{eNWz|$}3dekwRWtorcc30yg%3Rt|fWM}9M zpktK`8bW!PRCi3>4jSK>?cb*&)0f9N^1D!FP@lpp00{m}lOelJVw5d2detxBv@#vG z4^M$dl|?|O22%;&uZhZSXtJS}FbX-(?btYXeVgr4Xhnco&h(u->wE{TL6Fn*QF(XK zf=;#Gif2V%J4BbMzS!Nt;;C})T->aw`iU)J8JL6mZM!P^H5Ro2Eihn)UoQxhxy}`t zw_-XF=JFOiM}^6}B4BpxJu;U2U@TW;UhfY0#?m**LWW;J)#b|@<}#;I*}&nE3h?eM z+nQD5hOVuw8@GmQd{}K!_V^P{Q)3Ko*+)uPju1^E@^MkECppl~CXP!Nn`vVCTFV_c zA)$4~DVY&TS>U4>bAqEe3PDhhTCK^#T~ghsSf*W$v#U8WyK4}6+FLPt=Z38<`_J}k zd}{Z+F7jfMjIyzZ`aPIKCg%`r2;39A^Y=pIF}?IF6pMU^WS^>;e40lULf2!WbHwL3 zrb4C8kAg*Oq11BCVo>QTY(ya+{AvHD8v7r&wK7vOUVg^Nj+2N@a>S`- z)N~>reaBc#aN;)geoVk)Gh_1Dh{Sv{VCrtJMbm}$qDIUq&4*Ir0AmKUIAw{-4wA~fY|d4rK&G1MD7HP zo?emp!frAX97Rz!%o!EseYjYXMqj8yFs56Soi=;rFWSGTr6$WU7 z9(S!SgdglaVS(mL7TYYq791o>$5>aGlAZFniC&{QQgy-FLGK6X43lf3U=B*rsd8u&{SEJ+E+v;j9%ib~R0rHqT*a>HkWVe>idVpGs85!FLJrpmcR}3YPmiYqiiT^xozH{!NGHqg!aho zaa&%2C08es;6Y3x*O}BTtRs6hHTmc~F{YQN)-o-}PpPLoBT^dlnb0YKM$drZSrF9_ ztL-mV1_gp3tQ7&KIx4?9H}7h~hp4bD^?+EXl}&|#X@;eCUAw+jftJWhlYgG^d?ed3 zyCxiM%e~?_PRAJayIuA3&2&OI4N<>~wx?-YEp?+~sr=?OtzRfFLP{&VxTyjek&kEU zvi>-Zf20}csJss!-dnf;7w8))yorpX7i}9aPGE2b)0ikqI15gUr^8`PYL{L;)2R$x zBI?a_QUPy4ll2Du&e1Wo3AWCNdMb#pBn?RE?|RY5#khl*6vwZr06S@cXr^ODDUrtP zl=_&^;$*2dk5$i;x}SI2p-{7}$z1Wkuk`F^52~S+hd%SIde&Jc;F;O?tw>!;knyaS z4q^_E3bTIiL-Mq?#ixhpn2)9t3C&Zx`cnjn`<45ZW}|_N_`8vEEKM#1iLzSXZjf)f z_U@t((j? zCp((RxuOIFK7X~mSCdL83lxrLd3e5%)ZfNg1=hyd(uaTdk!(ZIeIXBG@U?EnO{{&DSoYoSr{;A3QrEihZV7 zR#zQj>LF_!&ErP!py>t|93CXO8h^G2+wa6)P+rc zJ!9x&ks)JQ^hyFj&z5(lr`;m-=?XutEdlY|j6y*Q><;*?aNm|8+0V3hQ45^Pq{!mjSNy8ABs^7B?qj zt>bCt0E%?9x@tr+z3vwu$xYC6{TAx@=4DI1(9p4^G2+JRuO4RT?}EKfX74aJ*@Vf* zl<`bwhgJ=I{(SUg`)WEMVHN{&jMBg|+yC^b-oZe9Ei|(_3X48xBcGw)1xqAzJn}w) zLMV_WRM3ylpFex(1`V(v2hWiY;V8=rmhYxCju1&^Xok7ELRSW6Soz&7ow*Vg)U=tY zn9TiLF}Qp#N=;eXCintIkZDXoV&;Tl;L@2}czK(fOQ~Ngt*J`G zg~myaMqg!HGZ=WTvaw!U3wurWcJMpoX)j$Z=Ed}E<~>zx_N;dNnoHVLx!rIwqeOY) zkR+pAtH;?8J^e;J)jCE*6J!#mKUsVmTT+{D8+~g5j7uTbhodGHsiR4q$@wen4^$Os z5iQWGDh<8Cp=J5u=;#sSx}?@-!V&_LzZfMf@pb7oB-d=HP_o^-BJ;jWhhVX{DkVDo zl`TH?@WBWt|HjFTa6x{MFX2)Ee(F*#mDxqhlf0hML{NL_+;z+rEOIEBiw4zu^M$H+ zz39-FA$dMNU&6DF{C|ykLX%PJBfwJqZ?B^N{r34|{{MSm5o5gf;^5Fzfq~y2pS?MG^Y=q^R*W7+BqL!)BD5_86|%3LO%BTnQnNuo_?@r==^ifx@6Fogt#U>r)48RaZdj#J>C z(VT%sZMtik^+`?lTRLM#MMB90eq221$= zi(dbr#QzWWAN_yt=UIXOYb!v4UYa>COlXRfVVJ8lrIi$aZR{iqYRVgIQVyBG&$%I| zapZAN4DHM}Tn{r{PMK^JgEh$zIMH?+#wIFM}0T8lYF|)OV=H+qg%zMXq%QExEtdoM?&`bdwdwN~b+-{@bb{RkqYZH27H%e#*&^ zer(mu6`2RBQmG|lEo|En7iXiwo~_iUYtjm01>;I^cvANLg9y}RFH*Q;?V67oAu1@X z>n&KZ>J??>)hZUzmEks;L)Q?mw+ygC4_5tFZ`)j4z%1th5aT4Rilf0oRp65I-?s;Q<@m1$z2}eTzk7MsIsg46=ls=o8$bOSTKZznerBMJCqM9p zx!tMH^l>+5z8aLSbmBAhb#r){jn_W(mD;L5@?jp1X-2|q%4;vx$^co#%Pmc_ar4o! z)Q;R}Wrc=g;~8UF!_kpjpFF46ns(&&Ys^fnHm3UZ()!DfuZ!!Sku;_ukVw;TswJwe zexXO=@+>tTi=BeaM`KMRzMSF>pN<^}+|dA#HleKJj9($Rx)ZW%7-{E1bYSRK4cs@a zgfN({B6*`~h_b!CJ$#iw%;r9xwHCYuNN8A8&D2*@z6B8$weA2-bucZ)*nf&5r_Bzy zF?D_g{yCDcDl+MbA-A( zRNma-a&v}on{{UINUJQYhI$)T%*pk;!ps(8_E$Np1^7#5)aH_PGiJYkST)?O^*<~b zv0LeX`n~7-<@nzRy@N;pk9&F6(*MXgfA!seaWeYv%`1U4L47$&AbYgUnji)CEp^8mT?JQTuL2xH`$R$|rUME-D(Y`31oFG{Xm0ZD=mMP8e)7+^_bkULI>z$h0>qX6!-MwD)p;a^Y^4wbg z2k~GRJAy8=|9Vl$|NY{i|LFgDFV9-~zxnz9^W)|fe@+-R@F_ zaW~8B)|v~ouD)`6u6i;0tDDXCD#Dx_e%W?h>pr*D|D;T0BTg17ftJ{R^$#lgpM!%( z|G)cr*3ti*syV+4C6Glv>RFt`$PRQ!(ZWKfH2wq7$WHoWiFfcVO)vAc{ z(`8=XK7K84RdRdtRuqbkC4E?Dr3KbS^}W?9Rswgkc|dJSwOB1?n~(X`;?3vUnzgZ^ z5HnRMT=j~^kTsDjQK3DH#q7CygqkkO^RWQgt11*05@)L!xLftY;*otxiiY*X=ZJ(f zB6)r~A_0>-qD~g1;as%mRf%mXNMJG?IWf7f$lPZ`-+WuNuQeo$3=l*Xmyi!g4z0?< zO%n~Z*}_Upym3=mJOWpoE*)YTaw^r9vih;eQ&CDpKDMakq-(CDy$91ZE#E;`(?l$9 z&)Vn|q8d|uuRx&XPL>yWzca2A}W8~a$b;SH;*tRb#QG3zO< z7BqBA&6Pb_U$*+nC_5@5;fhnxAXeU?GGw#IgVrOu6YfzI{W-r7UCu#3R<1711$2w- zHI`OHMmMKZU8QQtq>;2MyHI_Pcfd((VRb!L;)=UpF%{R2XLH=mM)ZoDuH5R9rZ&v) z?B3G#Szhhg_A4fr#xX4+nFf+bOUvA*hehQcMt^);{VyjGU6u%9iT&Tfey>-y|9kP6 z|M7mF&N>R5I|*0yxcTU-*1Gjj!tAZj`+hWVTbws%q^tvW*6JP9s-j zE`k)wmKuVT6PVL~k?0-aqCrLHG-g!^W~z>-av?SAurn!P@;TZrjNc$7QfVAsoe@QM zX{~An@<;8^jB2n+-QFlyx3L2&D~s!`z^X=q5f!%baV1pcD#YbTvWvDxj|1h;f*en? z@#^!bNq9MoQ$bEw0`rT|=3AKy3k==HlF-3+vj#OEyM*6#t>r#fWoOx+m8flj?VMe* zS-0)7;Kq(uwv)4a|N0fz%hXVc!7kdX>od4H_kgeV{J?dY2Nmmr&-mp=WH?RUyez5CGuMsz&F4TEj|?nqe97ZhJmX!iMF-O zfd1zQ^`CcJ&qS@*aSQsdZO>A6**lM6>hAWny@JfuRePb=AbZIUbXw3g_l`2Oi^UH* zZ0g=#v68%(EXIdEKYi`bZO{MqZr7v*SaSY~}$A5hsmSy0e zKOoh!zLMRcJS^;&EE)EClDTY`MZP@gFTC=a&ic7AgBFqeUQdh34ZZa@+gm^Ht&Pan zB%eocDmcH(VLWhUkP!qvWfOpRml$|(w#F3HK<$1Q=De#KJPuDnMT5qbi-LuL)_mdgUJx1kn&|8^PWJI!;Q_e|JC>1@gthm8R zlyeTvF-rOq(^C`Hpwb068YEC+; za|OAaIgNp!+hFMBY5-L8PrngQt86V#(2S!9J@tJl7Rlq*(Gyu*a{&njPNG1b!V1zT zX5V^e5Lm&)mvOFXE&m5&5>MzTVVtbm#}fI!_hPS{|F{3V*L#%z@8j7*r#O?GN=VvP z^DDQV1P!J%jwBaPad?GCLP86B2ZSSLeT-%T2DcgJ+SwwcfBCSO0 z^?&yI_|;FZgGsb{AB)%jLGRoCx25&pd$Io*|L0zwE%Y7D5Z7fb=K)zUS3Mcx)YI$(@fzB+2NI5{~TW2E8I8 zn4Oz)p_3?pLz1%|KoKp(Lzwhm`4sM z^2L3FlCsDkrGk}|MFx^x`FE1hI>>TRLN-ZRLXs>8sL-oix}?$wib6^SD|ZJ9EU1?_ z#RD3*Tv9cQWvw;V{;6Ay%NN}3m(nIWuxC58@El0?t+&C;@^JO+OAeV~F3M zxs#D_%4s&&jok&D3CXS*zdEgg+ZImU!fG(C3@1+MIpH%Jl6Cpg@#%?a;ST40oZ?&3 z=RX*y|6)moV|2ArA8c|Z+#Zlc` zHs3roT&fRN|JJ4A&PW{(>O*@5;TC-8PK!?Ma~$@y!_B(43@Gn zQGFrLI8;Bm+(Cj6^vj8<_UrZ*l;MnJ-Q4I{WPA#t0|QhufOHzi$|pfw)(+qm3$F-Q zG>Fc~h>DEQk#=KvgC|6w?TDnDgg7J7q1>R5+XW{{MEGgZ5u%C62#&g?q34UGarFJ2 z=5Kr50yl18kjuJ(SD;#d_$IhY;VdR{Rjb(iAnQ1UI-9Jf?RbbS`~JAi#-7zwGY_%3 ze>DO{@i+@oAFKyBydp_-Su+Lb@7ml6VY4tb$s=70kwh*`byp*|eWsT2@##q}DX%u| zX4MLHSTTlZjCuLHQw9cS1I#_mjAfU<7|;w`lzk^GqaksxJCp`2plo*#v(fHeum9KG z-nYB`zwF|a`c`e>)5P!l{exYLttL@FO0O_^wV1O_Yv8G6sS(OVFj#+Xo^gVIW9M!i;gZmON8jidpEExm={s0ZFx; zc(^IbSpS-9QKszQXg>ijTb-lwrNi7p>!0nICE^{Ka!)M5#)s@EU2V94A9F zKe>OMPlw>o>`mtRpSCUplwq%(`oC^(nFfW9#!;gd+XVGh(04`V`9)5SKJ9LCMOL_= zyA}HKXu@!OeMlTF8li>0;tD_s^_Mm1%e{mcN1SAwk{JQpaXLiY-9wON(c3QgwC$|4 zot3ujO53(=+cqn0+qP}ns^sbXf8V`*@2tC{CmkJe24{5k;H=oO_q(3ovp7z`#GTLv zW{|;OICmUqA6=FtF@?t#Rg>nqS3f5R*PpguD{f!@w;i~ni0DRRWw5fuPd&H8PaULt z1jT2!_zKvDTxu`t*qDpY0mt2Hu8SaS^t2h)!iWrig^6)EnGL7kOhKAKd@B3`((`I| z5znl=rUWxsqa+QSI8$Nk&g^FGZw#He!c&$~fea%9sf9&tyK;1tJDI5nB_3iom3h(u&Entq_#f&fhn?K8oy2jpA*CFMI#@6 zCv-{#F;^Ogrjrj}$2tAxu^|*aMmf6yY0tB}(Tg5Rmpz1{LQ>AhU!0cnEyHsBS=6K& zJnSjLr*jT(M~XL@4=jb{FQ?J;s~FqYHuED;-65X)2$Hr&vYSn6hZdEt&;MgUo!n?# zh-=OXZU=@mmm&$KN<0{Oq918|>3yTNepER~`F3@3;mFb9bUZ*TLrG_CjDjw#Z=$JA z+?GCn-Z~dyr`w@cb!?E_HJlQjiQc6@woa;sphL{|FDE!77bz1O-4EaFFeTLC7>q%o zR~5O(GVC5SV^Z)_BIKHha4z04K|?qmDd-SkMebh$KJ{To6(3??9h{+iG)n5fk|y5h z3V9#V6CXEwLa9~wKTg$dA-8~E~D+p9Un|142^8ipBqO(s9v?4rqzH)heyprC>zIEU_5ebNzin7WA; z6i1k#aT9zAvy`_@8RzOr*RprwJd;N?n0nHuWeN_M&7&n_16by#B{mw&8O zxEAf-hby#@E}k0Hx!cJ?Gz6qfAk2z^6eXaJci$bWG1pQyEoo~%H$Dwyih`ao8MfZ)acgmxT#KT$H?fr z+*IKvAaVz&cBFY_43j;oO%&9fY&0^NZdra;JeC~f@n0ot%%|O&O*f~vBEbeEg&UdO zsOGe$m88JmPhWf<+wXm9)89$leE!maLR@26G;nc- zPTogmc-zW5b#wvb&a7Z?{gIS#h^Ew+4>n@zA9x^5l11N-YJ0KZydq4VR&u1o`8!?~ zB(E&9THp}OI9z@Acj9*h3>xzt@CBg=-+|<>Bw;kcYX1hg(a52uzm<($q)3kYoF=VR zBy88@B$?h<&P+U-D^->hgCw09zH|Ig@4g}sXcWG^r;kBjauhiu^^U{3E0ly@9OCM% zewk`hjpY79ALkC^ zC%CiRQ1j7c?k!P7to!PRoG1`yBCLUHbwIlu7B-liMRaL9lZHdm%MkzTZ-)gi%NLb zo9gN+2M|>~+yCuXnj;t4c;Ddq$EE8`kTD@)Q4!zL7MT-gK_RK*Jp&NDm`vWsmfiC7!Go4> zsU!`oW?XaaZ53UAES|{%T(GB>W(S*4UHEXEZ%c%;Mi=Z@u86@TndwXTh?|0v#-I(h|N9*RXv$RLyHsI-laB= ziHI^dA-&SJ8Jp#}Fd7~it+7+Z{y`^(#{Krg*N0R%Cgph$i}+fqz?Cw)suRx4)hY|vHFffA84Sk$2Z0-zeI-xTbvnVw_Z!GrNrhEx!?&*PzqIWqrqka z8EklJDj!yaRDi;9?Ndbm{LA8Uu7|E16t*}XMDuTpa`VZun`4CB^y2R<>q4~iZca@f z3O%jwURA$pNN$6}NLzrp>;DdK+a2R`t`Q*aDC-xt!L z!9ZLdao?rurGork448K|nD;C}K>&jM-0z~k;Qp_5Fz@-1bhzgr-MLF=UyrPOc55+m z&;bQMKgjFn7f)`k(1l!wKG9VyZ!rpcfnN*3k&F>Ae%Hv;Ba6U8FsVb8Mo@MUaAr#T zjRkoz5w%7^Zf^2yB_OhQx6zvpnaMOM@t`ZjGW(-kBje#v?ffIk!}}?_QIxHoDgDSq zMu~I`xeZ%XMNq%FNjb6{*Ok%A=Nc``KBPheRga{Wgnp+#AL*PU6J|oAARgDlJZ|+* zCm{!>PBJlU27y9 zBU)mT(nJRJVuDaipY03_n(^NH*)~6-PlMFPgv5B}-3vu@o7jR-z9dON8 zK+th!NyrvAOi0W+h5!MOMWM*0nswQ^=W>~PWphoDYKN3Po6DY=iWM5@)0|33j`Fq##b%VLG zcya!im_?R22jQ7xct1TI!!ZM3>0^!7g zNW^v0m~t+*tZ5;3Wasa49Q`1;LE<#|%x&2;Ar2+Qz@gFoo15on7k}Uh|ND8{DyfKV zfbf%LDnRJ@Qqeek`#r+ zht3SsxM0|2Wdg3irg$Q5WF1VojgVDWPL+=yJKTpZEoJgYlF)TyDA zBje_g;$Sgr(Ph$s$#>A`mO(?3OA+V6ng7sI_Q5JC@XLJW+t1EPbNSUwHEWGL?Gt5l7yd2P@l3!oiyZ1|$W;nABY6|Th- z0x7sk8N<^_nTwgElnR^mEP6c{ZJd`@aJ%f2)y3?;iXbHK1&a|13W7IT^zBf8j_fcD zC8@`0L`FTy;{RVnFYvwYFzctFu*c>4U;9e=;c3JGcMrCOcpz~G`M$gkl`Nc@xcS5( zM$rX_q`dRosj$_pMU6&s0^B;j>nJh@H?vy{L8di99z3t?=dR-Ec1N7a+wMCgq{(-0 zE8v<0&>Q#DX^_IP|MS!XY-<&z^ZSphUXKvA5o0(JB6HsiUd+I%iEIAnwFSl-O z;d-$f%vn-+O7QV!{ImG}n_k+tk*R~l#9i-`Rs*nm^Gx$b;1&0_dwXh;2GBVUwoNfC zzv(Gtvq;L)ce5BEalu(ghHNW<)F1<=1E-j;q$(Xh$pOBP zzA#ZPMG76!J|1*tRl8h1BQbeWGN;`Pu4a6rJ5--+pUp^reEtAmX#X3!x@rGiuGqQw zR2cK6*tDHXlKAmG^JfR1TjVQqYp41_sX0@8y>EM_=t5AHaZ};LBAG7xa?Bkw7zdOJ zV3j!u-slz;F?lLO@A||3nzzQ`HmKUpkrMdj3AtH)=*OaV>q#;UHHuYK zNX%2v`A2>J2RCZ~xu}*J23xxYnyj9`RGzLau^B^%dzfUMg=gb2C0-Q6a1Gf|wf)I) zCK{LZ!qL!>W@rUg@I>jvmRW*uFyMTaLq%F-(Y5Ja%w6r+wTiTZtHxH~GC*#}Jd0g!%0WHJP92-2JP2NiNVY2t}BJH?2Tp z{K}>01H@w6ah^w#TW+zBY@=&|=v~a6?Sy7qgWDj3guk8m5idyva93ukIDy2gpapCV z+o4N$SmSK1u)Pmc)vu9Ab9THni#)vF#hM zOk2x}sdibca^WaEY1uEdvG%KjKv4R*37B(oW0#G>R3pkYBl&r*bRW=F8uC3luF@I{ zVP5}Ty1VOj-&F-z=U?+%0&I;ohJKqFAnb~{E+2dqe=6pEyI4pQ_70U&c&qh`G4}i7RokySDpI+-wkj!(FTW4jTX%0&!WONkIKI*vw)DV5 zqAKhVQsQ@etKpEU{d+f)@Z~H7UuX(y3QkVyOif1Z!a6sCKPTn?3&c%@{0|VfmfqD% zraDTcD@eSphn~|ewYpZL@XVzRX!KIQk=5+Cv2?9Tfos-koY=B z;a|@+Gym#v%cqVeqYTWS80Hcw^g$| ze*XKpmLPoRASPD?L9+Os?D%V-H`>CMu$7cAZoZ$poq)yV#`l*+``4~7z@zss;QE@^ z?+MVBR+{sTx%N4n-gs_aWptFX#gL*`)ZsZL{Bqn6Ji<{K0k!?#_>GGZol;tN5N*8wQ>>lWD#Da^~fx+ zo?35SCpGCM|A>jxJ@G^T$}zNeSqaGmA2Ok&t6`rk1JMfF#g^@3D~JUDc)*}gko6&9 zgfOE4MIJ+!2=uh7Q3$Wk1=ZvEc5R2vAZ` z5z%2R8Ck7r8+xpC#Gcd2BDD-7&cy#M+W2x?5dFeYB|>58>riT{*6-E9ujAZCuQq1a zY)96ekx&_bYDe(`5~b{ARPCeLUv=Kztyh(Z`O_Lz7Rd7S?qJp85Hn1$ELUd!MbmDiMn4- z9%UU(sK|0XVvE?GZ3^-eq%0UDK|At+@Ho?~tcyU@)Z&Q~%2GoTiDbq;tZT>LC|M2u zV_x_I+L{9wcO_g~eP7P*GPeR-0S?+&A6|*@P*xyTq!akudR61kQbXV}I8sQqfh(91Oi+w7*V&tUJxE{^ zS&}n=VI+*2r9;?;`mGR;OpWG0x-9^`tF;Nu(V^3U^~o)>_u3_@`9QO$NrMAHIrYr4 zJ1rP)Pcl38e32aW`o=J+AclmW{j}=IKG;5U!oz6?qIu}@`+`HKQjl}`DeWm2s6e>M zCTmY~+S!0_!km*<@WL6c`=9997*NWdecu}H*Jb*w90YJL1=tW`_Q;+nZ$^1d6LGxj`1O#Ul_P3_b)k zh>bVIC5H8X%C=|o|B`Jb?EjH%Asq)RnetyMfQ4N-?7!OcyHB+Zz7IxlYjc=r{hzE&sPNn}J^%vbSf~OsJA7@Zls549%suIfg&rwddk3nO z52c8JG?FY66EV8VDNO{2)~pBcy|zoPy$^H-1vUHsE7>*;9j$ANRG{2qLhyK`$c;Rv zq;#(GE>Kp&`%z?*Po`k<>#yWV%L-i&yisUl(CP7Q2{+-gWf*(nkmXC$a4Il$W2;=i zUpi1yg7|^$VIDG3kiR@9Ca@#=KTWGHG+c_GOo`R1jZik7BSI&?X|%?aWsC{M#|(|& zL$aT%XrJZ?DZuQrwDuqWE^S1*SF7q-`!{iU-r{z0ItmXk`vs!%1mZyZ6qtZdg5G%C z|4fsdljF-sXy%CEi^sqsM!?2}k1dDRmbuN0)kRzzy^^wFgd*jRyRI!sZ*7lJFE*!X z^R(Ar{#01B!y_f2moilrL)c{RFRt`q=5=8_S=v&eSN<~knZlBkTGU2|Gvr1_+q<9- zkY(Aa*ho68p0h@U#0^5sWp_Xqk6U5!p|+G4zgZ^`wQ$pJ0i~NK%3Kg$3c1jt=bO2wlKOY3omx#iN3>l z>HhT=CO)qN9zJ%zCcfQ&3WIN~lzBd%Xs3e9s!I*n&T(S@ z(qdSaur;>Z&&7bD@8eFNm)>J-igM634t%VX3qLWEqwyUFuUE`R-?=6^N)pimYbsHL zox#PcKzF;GGH}_cfz!``$yrhEtwh>9Kz&doR@RhC41WBdvMp*~BiJI)Xxz4mx`VRx z`axMz*wCdzf0&lGIlv^TX!N?`dVy-QyF zS8>!~s>Y^LQ`uNl$#mvFu5F?izTuOzd{IUnsGzY4uJ3(`R9?M@N|?JDjt#IeW{@S# zQRZS_wx=7g$ztQOH&$$uXcM$wS}0(+315PMN)}jlMny9&)hTOIH4=0qwd92Opa=W5 zOA6Or^gmqN^Y`m;(SI^VFb{sdUzJWA6*f-&J?)CNT3XlIa@>{dDC7J~miO`O8K-{q z9eZ@F$7zbXwp z%^=S^3YCo5V@P)+?l zxL#c(N~ateCc9zhjlZqBLr%)!Gc+KkqdO!{_C$w+Roh6|GDZ+FwC6gX;(#NV!wNrr#WN{n$NG@NxnXAmNcV4D zt9DR|!|HedpBZMFA>3<+(wx^rTJLYtk!a0lIpky~J@gjuv zf1$s@rkEQ!|1sp6>v%Nz9v`dapmaOx5-c>4@PaXrQ$A45F_!m|5Ej3&OdZ-x%L>x$ zd!tt_P#n&0`4bAY8eex6C5y^kNo{=?`U2;g2cy%N4^cEXX`u27!%=x&621*Glxvo! z;$uMMNTL7q6gh?Inv}6e8QCB^aKFH(O)FXSTe*x>p*3hu*I&-5*Ohq*d-zyXk?;@G zlwmszXp>-Erz++EqHA8Az$00d4Te4}0!pz_6^+ceoX3_(?L2OIhyHc`E2uMsG)b;j zWpOY)?}5=zVy7{&0&97(G_70C$I5XS^-0;s{o)P*Tz`L<>q->a9AM9Wh-0VLEXaAH8*NYZ@m#EQD=+OS|6JZcW6j=<+(=)Gn`pE;9or0uUl(8JHgDp^{HvLz#u89GLP zxMleA3nonvh#=BRB#;tbie65Z8|%KXvU;kgK-J&yk&*eRmKaP5296*L88otNaEg(|eFpMo>Dt_L zWe9rYXH%|n|JM9*&miB^v-AxxEi(~bbP@H$k@!Z*@hCC+5xk+l9KN#PYm%@c%y=|X z5iF*qOQXRU6w=KeRi3#^UtNm`A(=L^Cy|i8#b*3o^6=F>PZ@U0jWbNZvr|2Gq8EyR z(PrJwNKWp`>CavSiKWeSe7qu~-Yhv1=D8cod4K-?Zh!uym;qVQa;=J!gE~2hvc(TBTH}-a(w*UBO@dWMDb5T9HuPmB$dI@K%z6isUb>p2thyjV*v#^dWLPGvL-2ke>}G{~4DZegV39 zDo6bqiXyUU76kSl)h4}IuY(%|_T5v%PGKd#Y_e7IZ5YZF)j}f0{eZCc4@NC{?D^i8 z+hmS$@bG$y6sP4>&R*P`+7#ubC#!--2HI8%YY+ z%py%(mWfL68%E}NY{B$)76Sp80qQGTz(3tuJ3rAuCIH}N*y!^Ia;P2vBt_hPi}LBM zA1<+l8KU6It%TkQ*-QRRtIGRf*=>MV=p=KvA0zmwQi{XQq!rh{8HV{)OyZlXts|Je zji2SYqqtpK`3WNXYgYLcfA$IkYISQ-0Htns{}-Mu_5ZeK%ZUCj&qh)E|7XvZ_2)mH z?Qg>WBhQxD{Qo`AwkY)7JMy1x^soQv*?jH~7y&=4pJohji;hRgqrWIa;e9|G+YgHx zhY|6`34Q*6>E1;63BWd5C$`nw%&cY}mJDujnhrL@MdUFCf4aRm>pfokWS>Ad`YC4} zdwdH+oX^YK3TNE$a6H9&j zZ0`(e8cR58w^J7QV?vKQi%j8|PC8HC-*JOO6}BL9idlDQxi*~{jd2<~wV&qfs{vv;}`zsT{>MiJ_I zf>RTgL0>Av7TKR^43%x(32%g&BAipnA6#3Y^7RXLk?S^@&`plYlgYMG9nA$h%^ZG? z#^r)r`Os#IWRrN6D=2kq*HVr}6t-hL(x`YbmknUE98axfN%ZTJ7K;DaSc1RB@+5K! zRHb|=u^yx4Iy|aT!C+SPVv*GXygtx@jDv^j<698yq5+d?tKM~5JO&9pdF2_SO8q&q z;lUC;>TJRuXS%>Dd{qlVy#Vs(<+;^{o?buo5h&atQT4$j)75IK)W+*b)9DBtS-ph7 zLWVIg*Wy5AMeS`fHUl+lFUzfiWh zWx}^bY*(j2M19HlGL((=-t!nkSi|N9-t7ah_VMxBVq+qR+sl7h+c(jT(`hA@n$yPH zk@Zz$)LEUEgjsvt)Y;k^2cHlhoJs5sH5ZY2^3m#t-<1Fa-6Pp>*mTlOks_(jfc0NT zVT|yeT|)~09M=O=QeNjN;yh|;ZnuuxepK0ZvftodEA4iDLOa@tIz3%1V1<-XlRps1 z|GsYKT4*p8)i}kP{gOt3IbB+M`E3V`3Kt~FuB1QsecL(sW%#-JHHi7=qZiUcbsf;X zFJu2;dDzK6tsQ52Tgt83{)pOYu(J7l&URxqdrD|gikDYY+t;5wt+w-ouHWA3&2WF3 zPLx+1@hD#%94MQEdc_pl9w85@~Y?PE=)hnU0nBu3Cw};r+I3OAZmO+-+O+ z)3se)>lbi<^bsgp(V;}I5c)3BIy9_Mv4x=pUfDVlDbB+;gtLREg|*g=ERh-AFk$kE zGT81q)?)NG19pDEp!905$ATod#5rROhgBHu>w5ZT63npV=^V$YKuas6jA9kOdF%t3`9x*n|rPP)Vx04ohsu|6Ii1GbL@>sn1kMYuoAe5 zENCpm$JjJ`3CA_lC~ff#ehm97$95Hc74z&Adimr~MOmxCAZ}hSo*0{2WAB8*^t>IG zf|68+*pxTGWZGWmnx8Z?VS2+)%Yxac&*<8Q6RP+Y`$?i#!34>7V~;{87>ro3P@{9H*eH8i zLlmHn?SU;AehGB@QU)!MExhtfl#sqvBQGdSoRo6bV%anGlracLtd=fYuMF!N8qU{Y zc0*pKH3_Cu@<=tNqqz8iHl|nU%Qd)YPVcec9E#XebWVb6-|UjBsn6r5$i@<{43MTp z6_XofQ?Cb}n|Q<#pO_dNvzrGfh4ZZMY*6E5HFiTETQwxu7{PX_)k9O(>9t^$E5bnSNT%tSH1A58h@ z$Gx6EQRudkGHNBJY{mE#yhzCTP!}Tc^)Q%dKD;vIbGy2KJ`>#Dj70zlvFhK~mnM=k z;wCEZ1G&11zwVNZP9dn*dYR$hn4XUhkPy`6t zZOWUGi!@z2|DcY1$<#K}VLIyi9Di%uvc6a1Ouvv1$o%57<*!l6i+#yUmuHifXD5*l z0<50Z83Q=oznuZM2DvI%{HKY~H-k{dcdJG9V8m+QgNEjObKN96Vtm+`=c z(+ms<5^|^tEuB*nS(~+{W!f8;tt{-$EKLSiDVAMPTh*NKG@xGfZ-Fbxj*Jv0m91~b z2g@Itqg!k8;TcRAEgqr@V_0Ky+UBu_e4Z_M{qrIYJeJ|x%lYz?+0|luzSFSJyk0V) zq039BKyMrZ8opdZ$cHqAQW$^lso7(xjM+eYj3gr#p~o|{Wzas>j2rQE1x(s z6pz)IHdg^Pmz_-ERFB*AE{?$?OQ}0VQZ7q*HHTZjddYW*yAky~65Ta}ESyFWIh!~x z*BET=%QkY5G--0;YNt+-7E7tp(G1z5+X*6NOj%wQiKxEu9oD|OnmzfOC3zN`SOe7z zycBwzv##0IG3In*(`)Ejex(FDsaz+boqj^jzm)R9^l}*cvI_>@=0qG00q7kJ>h3NC z?Di{tkA``8R$}@8=D^&VebyV-j~jWRnJZ`eh@8FD@HT;cHM*ihZp_h8RkbopsCI5^ z^xrBZ!y78J29B5D1V;UYgz*)Fu4b6m=!>Qf;?^kr?L?%qS%h< zOa@t{&1MT!jdfdNUiSL?s$H8cldvSPR;y|!W{B+w1$#8Bn<>g!5ew%y`k#};B^<`} zkCkK$4D4q6okM&pBTb3t20h-XhFDJ1=fC{9B!E=YQii}C5I^91>}9lK#k@rj?HS3s zYG;VMUfsa?$D9?CeP!;IJwFPb!8MZ_9?i1N$yHa#94qmfkT00+DE9n?z?wE!wEAi_ z{=23M52q2w7u)n`Jx{<>Ge6!d;N)Os17@xc;OFZuzXc%Z;_&`%0{DfSrCj%JAUrY| z7V!%nclRu9i+V8D$4RnmZypYqbe27sNcs&|`Y!A8JDJK;C$_ehE*(X#h-KN>BsZ^! z9ak%K179JOUuHmyXP%ZljZO`}obV*i@ZhsG>$*<{?k zQdv`SY%W~LJ+Ms+#Ez5)!G;OFuGOfZy_3D3G_0_L$pB(Hvn|}XEeO%g`>n!c^hDSg ztASHudQ-rWnbHEwiHO(`P_ujGNKFS4_~#?I2HNU%0B0Gu$>tpTko;i6!gq{VDb;k4tj$n{%vWrsGE zisd%rpxE+lmTRdX|L*72nRNO{)`P{X&UyAn7I*qK*72esor!7!w&AEnVm>81^~;Co zAbfP7j3Z@)LS5cjYDF12wNAp~*^OCxx?Cc<`H>fveTrS0kA_IY%g^W+5ZT0j(7OnT z#O20YZyU;v%P#EGFCCblYypzEoBht=qls#!6=a43xtn@y(;RBm`rW%foPxHe-baab zr=vde>+KBZmIYWk*&X*Illse#L3|%%mN+rLdDDCj@Tz--`2dJTczs34djf>HxAbuu zYbz?uY&!P6HJ}DaMh^N*-($VE+J~Oyw}RK4q=RIRFiK*9JI4;l|LgJxH~z*IZ`6s; zM`H3WO`ZPajSk$w2%nSjl(dsx41N#;2iTYa?TGH9#7it4Q3ha<5e^~$dV-)xTTSy$ zxU>l{>Mz(kJ(Nb;3x0uMo(etCi}1B$cq74%^m~qavmOJ?`z>^ur-Nn+0N7%NcfwwJ z@a7O5Za4eEc7DFriEe$o0CqP)_y@s~k^>u)ls0gNpx^M`s@VI01BEr{iF#il+?FVS zfBA~4MpV4{Ie0ohoH*A(vCWBnee&a86GX#20*3qhl|J(zJzDx`rik16JlVQNl7g-1 zMzireyGiaY|4?eL)%tDbGGi>>+mES50Oufr9xM`(Fut5KB#YLf3)|c?aSwd+N=y85 zN+8aF3pNh*VGz6mJpd6WBEE$8?5?J>e}3neqxbC2%EGD9cm+W#q7+DoOIX->+u%~Y z8{(>!DK}#H<&EpTq{|*`D3*APWj>@rQZXIy2SfNdi=A9ETY&4<2bANT(8?WpA^oyk zgDLsy?{_ z`3w*|5bv)ifdb(ZF|>lg5v48^sEjN8 zXE3BfXz-1RiFYF}VTe?KXvrfmfo?SpUwpqi9|fk~2Q?$lboQ*PF=)X`Ncvq1kfDGY zVVo}5u3!%W+J+~a1fxV4ckE9QuBno`JNUx{9>^R==8X%?FGD39VVLs>7IDo!3^%Vk z3)v%@GJWJp5HSU%${M5;OYxeBkUFyIjp}tye~PJ=&kQ#dXH4(U`!>K+WexQ zJ6!l))+QD0m8JnE4LNT}!ny>6Cx^J;Oz~(^7S_%c7FV{EV*t)c1aPE&pMnTUY3LrQ z05Wy@$3CzuPrtqqq&knk|9lkd%{$BmW0=aSX6|FL(l4{eu3{svo4-FMlZ>HgiI5n0 z_a=d=bAP*2fL4|m2-pwwpSb99@fM3AMfW!tdx_Em;_c3Jic6rSkq%&aUi7D`Iqxe6 zM=;IO`h)@6+WKEs*eE%qu*e1{Knj^czyTVVLZZA zq3)Y>R|NFL{{tci(%V1*_DQzB)AFd@7D;ZhU}%YjgaYz>i+d*04dNf%2po2+=+4l&m~@?c8S*(d!gb);C^hj> zLc!#}5pf;)n-2Kkwk%qQ9^MWOAdH;{*hxqq(wIL#cO*^oun5*z4B|@QE*9=XIDYMc zz1`wY4Yh556-^O+PbPI!7pIycEq-eDYk)WQgD2GL;q(t_zh8WKKT>uQ5N>g_JVB`J zg|OONIjxU(o-s+~{oe&i$Vn%>`cBlWicW7j9xU9?INPSG5v4NuQc0mixrxPYE7>eh zuG@tT!R!3q?aqUi@>5?V)>04@Z#IcT4G_@e-J*E2DD9UV#yj9JA^~LCVH@OAlXUDJ z;RKcnKY@c7uyIx?%4-r(dp2N_O{2$PZy*K`5J3Y>FJS1@N8B)6Z{Fw`iDgpar}w3`UfLNdJH3C zz~K_5$r{f;-e4$|PQEayg7?+CJw{l7n6&bB1ucYT{5D~#y3I;x^g6~$bysKOq@ z%@?$OKs6 zfTSL@(aurrFIGAXk40p1Vdw?`#W05g2A29Vr zC}&7P*cWX1^BEr?(L%<|Nb9Zcd57V?>z%tsmw)<`4YS+}*+w!64bn$aCv>6|HHG9RmLj6wMB}*OUEIgAwMl z2ljWMwXb9?Y8e#x#1SUYIE5ECkl-tu%v&&Grzr)|MOi-wT4s=9|CL^b#Zq>`?H@4r zazreR4JS+#n5O``>WUR!K$oL4p;=hYA#-loVZ1%1+&K%Gk)^kPQ+fDE2y#NRW#{5O zwN6wE)OPf@o{nZh(#0;{x2h>p1;+Mft|2mkH(CDZa>IlRoxScO%H(CSDFKRPy<7#* zdQAr(U-6F!!D*emtzKkAtBDpmBRcw`aE$K4-oF(CyOCqe(CdTDLSx_~EvyD_h&%+0tZ;Q_;OTEix zk?-5KuOH--FxvE57owO~{vQpYLJfSws9Mwt>`S+qrA~pBUGRpQIcSr0lJ4&058T9U zKBokQXj&J%xRZGT!f;e)itNY65Btoa%xIJuAeO}XfrKj>&!>)Q2@o@Lr=7ogrVcyV zh!<%Z=yWBi!c2F<60%M`7PD%D5W!UBrz`1|F3AOB;$PssZ}Gzh82Ah@^28bmfWmbXI|sTnSmE%Z&!#ah zaXA`w1zp=FwVZjc zew>||KTELT=N7yWU?jrtCNTJK9XZQZ`>-@hIgAt3435;&CcuA&NKL=^cga{Rtu{+z zynxP#9kauL?MA|d0-x-m8We`;vO;;=gLQ*aig*oH0Xy!*c%{(a_vNtWsvIhwZts<4 zFq`i2Q@In50*ZK+oQUoPFiAbH*f@q^gA$%dO2ULl^k&j>QUNJsdG#`#BtFJu;|>as zB^F;*8QM%8@-q%!Vv45{u~|-E;+|zpeBRhWl3(0v7i(EFMrNdlJ7YkpqcdZ!Zzhm) z655Z1MQaScA=XGVGrT0Pqnd|m`0Uu@Uy}$K$l~t?C)!aCk3_``Fev6RI;#%cEAnil z?30IS`)?tm415c2=<3BV(fsVCwSm?@mqrOKlz_g2w?rqcup=El__tBbE~&2bN1spuF+sBsE9V^B~T!r;3y6eBcyOmP#I5Nk`iTMB}@&;{;@Y%8q|hJUe;(+j`y`o zMh+_wntcWi=Kg4iqQU+#*g3GlF`R3U@qNKs%u)l&T3dEt^r2jO;N-p8#z>8CNP{_F zS2SOL>36t2i&)6gb!Lb1aNf<73|vaX!hh>ebOxu;g_MS~q{nuZ1uB|ntzIfb0OBIVbORt6F zi$=^37Hbf3D&foqc-kdBg=B<((6k{pY2g~NbmAh#lHqfDV74fKM{2)4SA80 zT)R#K>$Tgr7Se}6;XM?r40@YH0fkl~o?^dhXw&ixq<=3BjQL3p4rthqh0QerAb_X& z?^}H9ayWiEYcIEQY&FT75ENDsgQYe$hxKwyaJL~;c)Tm0iWYWC# zNMnnd`b-P)mag#c>9M7a44Dt8%p4tB^e3$*Z_q<5aUpB%c!pB%{^ zb&1ovF&#jpX%II+2q`A_BauaG4weuPRea$2 zU-s(PD`y~y{QEZ`-+lG!2D{|FehZuXvmv~}#OG5VVE3fldqN1qcv*RP^V;AM#y3K0 z&=p&7te0JUC}+dcHt;!slGFP z%&Xh$+v|#S>5umT`hP&fc#9!xgt897=eXc+UpLsMkIuw}_)aG(^YN{eLA1sA8J^a$ zJm|;XW|(!HCHlaA6cN~~lDgf6U4v2~6u^X><`u{M-bMR z(gxXZNo46rY-uSkqOS-n*YE<~#wJjf^FBByzSt#j4sa4^^llJ)t9kN)7lUq>b=%qC z`q3(-f0@@~*IwTl4tUW0!I70G+&UMKhRVH+LfMmay?7D3PL<<5<0F&2l?Kjl^z{o^ zLjb>Q%NKG5W|Xvd{Ne5HCQQja?g>*r^r~(AXrO3TKI}v>fEdEiWZGWjP>yqcjW}@# z!hIMDL8H6LVHk%J4~c(+YHOCL;(csD$xmxsr88UlqqszAi3Cpw3r0u=GP5O4xs=Gj zOF6A1`A_Eo?(M3(YNV0fu%2?&A-S>;pt2h50@^9 zBg-(13+0>MgAz7dL4qmlbYZA_vJIGzk1~pr+=e_QwVr0KvvQhoY&0R*Wno#8NzS2> zY07*_l_=3h#}=v!d?w#o50x#?=5&5tb_QL7=Z+KM+nVrqClk+xq0Qs5N-vd~lSBS_ z4M4Vc>&rOi6xKLX!ovYU_8o>de>ffMGEK_c77d*E>VIM@aKO`hz*N$i*% z2GPaF>wt!7AZQGIbk7(5($(n`hy47gPpR6tx+adiD~X@vPNj7C?Upw*3D~P#?a8I< z&ZWlmXMs^RTrI+Sclt|o1%e0a;8zFP;t|mEzO?%mhku#|t_`yy9Wskt;wV-W#}_#q z{W?yJP`|}?IV==__4J(wB0vroDLGTWRGCE$PMD+#Qab9+@p-pD2n0h5NtyvKtPzQz zmxq_v)6Mhz^49Rh2ZLPv2EwT^(LA4KaJ&!MS3F89s913bY+rL(SXPx*bStV zx+gh73t~~l0B#CQA5AjH-vMTp=5u#(_HgCc`Z~G3{O5K@FF-Gro<4R*Hz!9o&<%6% z-}YuwV`Zb8-S7TRg1-4p0OYsF%Zo84AuYTIfv7K1ETL}rvG-i3a=)?jVaBs=x?w${ z5Z1IJhp@ibO*{{2xI#mpGJQM)j3<$|w0GHvizo8ePvT>h9myXQBRULPchB zp6&+@^g|Q6qdZSd>KdNtKZv`f`(LQH-x)9&{D&w(m}Z`8`p9A!v^=RBp<()t0UmTR z>0N35g-3GXgkzrm!vFk1NmY1z{tp1jKsLXUz=WjAX8VC8VE}?uZd@1zC}Jpy6U^nH z+O6z@X^1{5gQiS<1%OYuR!-!CDi@y+Db)}8b1=opf)09f!ineDsp&HxHBniD&~O29 zlzmWBw}*XB4GqC0F{BhRI;0HxxA|1Zi`g)9Smd9){r$a<`v=blaWw1QqNVU!-~+2$ z@T7BE&&vqd^MHI2CuD)x9Hq3!k>l$qN(`=em5p+mgf051&2Oq@6*zos=p(MGL^oVR zCMSd({h{b$a4ii1C^5=wFI1AudU?K~(cob4;%i&C8svXS{M)tLXv+V0aBxtR|9ju< zKgs`xcs4D%4f#A8?DqmZLzImHox}YXhvSidaQFf~fAL}j_ovVI{_#Ef$BXZu2ma{0 z!^!^l|L{k9&kw%y55N0||DAt;_K|-$dU4>x$@Kff12lrqd)XELG3fKXgEty^d;3?T z@5ZC=#|O^`|M>3v=ik5h{_r3F+5g&R;+J_U=f80ZvThr-^MCZ>@Zey-IR6h`ym*@b z5Akemf&Zu2p&E zU3DD9H6T+Ci3{LUJWCU~8vdU>n$4TBTdkKkqOon$t zZ)-~!F#fjyqQDOZ^;%osxnmIR>A)5GVXzCphu_k1` z9fx}h@0|p~m2In6V<1kXwzk0OK)AtdZI!4sman;*zF6vt|3vDX^sV%8+uG8g&6?oX z-+G|v2hx|M*4(J_QChra4u+X==?8g?*Ob0V*x1Yj7dpo_MQn$IH(&~c^482CdOE#1 zBO*aL7B=CG)3tJ_PyabwvvvWnF6IC(!^+hHF4ispR~Zpc2v>l$3!h0KRR9E{1czu< z8S4UE5rm-$S&Yt+5tCGnml>v%5phJv{}YDU_AJZ(1GZ^8@l<|D?b7Tk8#xNZh?LqH zgHNAJc&Ip)3WYF>TDh6lCG0@&*Yn~2y7c4vr>>=D0PlW3Z zIMS|@(uYxc8c~@GR20apr8?ZA?NSLduM|N!1GJd!ywy|b5*T1OiwI@dm)>#e7$$ci z;`Q@F+Sx8g+x|9C?qyZrxB2MD37H_ZCQXp``U^5gEOj!R705$J?r0&Fd9g`v$r^+- zuw(UKM)FC_k;!+bj=rnb6b$Ko;{h5X6xX#0lNkj^{GU}?u>57@QRf z^Ecagu}Ed|SB{zx6ba%~;OdHy5;hpQ<0(K=FBSbiz@^?0K{yx;21M7w~?QS!PdB#HoNlFl+Pcq*NYg%`Ar`ZGa# zHgWC|)y878S$2B{PPb=m!U4+hS=u2p&*zbs?DYW9n@_FERC>3|&ztjb7vP#?dP-5^ z%~Bkop-jCo+=>(A@v*?s%#-i*1g-Sp7EN__hF6|*(zRwHvNorpx(Ya`IW==_*=g4& zxlZMaQcMCblRrb=3E3|%PVgOMC}XdoQZ|*Vt^6xqMc0f=YNiNdyQcI0))qKpKwhzW zb#(a?UpR&&0dJ4qoJj_saivX>P0BunkmX~aPZpT?bIg#q>tb9;H(qYv$Z+2wiI9wQ zl^}6s$Z@+7tE^dm4D#Z<9S!p+WpflURj(kqVJe-#4ZKn|A0&h@?ac_z&1-1Fw<8hP zc{l?Pz}YM!e4mD=MMqseU347EfrEcmwA*e`#CR*hM~P#S1+MUfn@U2Nm!y#s z6qudO&H#iGC;gfIlrpl&j|Ui0Q=@Y~CLx(P`!T#YJvw=FI#>i-0yOUu^mL2PzUYr* zuvlJamiJPJ_`pP&R%&&KfBFKQ5wgzJBaNziWa3H|jL?Tp{Fh0GT23(L*LzN=e9w@* z7p>j{GpDf!J)<41;b&}Yqc+Z7kfgRB8Re?_l98knDZg0f>!)(T%lkbo-KCI8Q#DZn z#2^kS*uE)=y_;QdV=-a&!hy|AwsF9UhFtHDv44vKkjB!(M|w!fAjJdWnWj*hL!omh zlIhDJ6x`@TIZMiMJhBf4&9d(@1A{J-z0USA7LD9=6mHQO>qzU0x~xGm6{DQ(P&Z*! zcWs!on9^l_z#*dG4M`)$MU%L23qzr2PQ@pclP$j+;tCZ=4XI*5u0%mfMH>swG)h|L z7qG<_;jee d@+RLbBDS2J$JjY%BIltqH;#9HM?h>(lYwMKi z2s{+A1S9G(BDScA`5te8dVG$FpPp)K zsJmd`R!LKvCcnztroXvpY7~=l2}i%nJED;0Q{JI!$pBhh)4H7uQ6&G)cHCTB<$tE!QP?7iTJmO zxht_ntmwr{$&dnzxUvnVkX^u!*Dwsp2NYb#P=FsDzLEXFQQ*NKND!qjzm@3VK+v%P zgH@kjz9Ce-0DqGn9A~F;BXxy?lT5!}szlQE7$rmy}Jv zzm}d7;kAz?okH^A`d=wZme(Pfz1(xWysqws3#pJqGgX-n_REpDpCp*Z4>5|^Z|e`2 zVkyreK;H9~T%$Nyrs3NFRvm}DEGM)IE+_f|#@V8n?N$oQeys>m#+A44u1-b#g$Q8w zOlgX91fE%ipXCcSS0~kerMNlBFe~j3bRXm$q)V1ShGxqFTgLg~p_g^aAmd9F$Aqeq z;wF1LYhotGx#$iF48$vzkWid%8PJDY5*<&qf{nd^g{M5^5D7Bmiz|tZcy|o>LZ&tB z3mM4fy{OMuws+A93K7%AjSwYPQ75$$v&1<}7#6ZW|0U7Psg#AOG&C)v!|j*A7PN~s z7Bn}SxzMfTg_s29N$^n+U=;)^CP69hWsyt7A!s*-Aa{IWM<0f2QJ2e|Iw6XGZXqd@B8hc98Z`VD+#oZIvbSfFFKbU%BW>JFuQksW&FPH@nsN4OpIlYL58`3R3%GR z`+%C_9){EW$EH~&Ux54s%x|r^a)n-VIQ$<^ zqvlb8fam8342!iv_iCi;(ojp!dFLU|1?hu%jNGEAr9 zRA&rM$XmiL6`SRArwXI0nG`3OB$zF;Fo0au5pN7X>HCxgoah<}FHR6z#FjWHA((Sj z5v_9~l3b<|dl}wn6D~R$rl(*IwzqMSM(Bg`Phr*v|t*NS_@M z`CJ@(aUrXgMzX)sQaUAkk0&F9Zf$`ON4yLSeov_=u;493$VZfl14>SU1TDxN(xJq{ zC72{okVl+@JLF%ro+(rf<+bA4s zIje6z#ML{4oG8ygi0@E@DBT5#xW$jCzCR|8KGl_jO-TIwy>8RXn)GBd!!4t-c(dc) zO-SUz5@Y&$(IN5mJ_lY>=-3jEXbn%x%g`h za11XHNtuRsCI4Il;1uF8P0-amL3B>S0Q?|d0G7S!4wR-M1ac1aQod*cDlXFH?+PoD zc62y#}?JQO_;9G8>dWHfGs9XSCB2IO;@ljCr%lxa7-~?Rw;9xX3m~-=8P(4&O!ae zDJ|)Wjhzf>e{BPx8%uVF-^i5RLAGGa?m$~IW_Q3XSx|v;uwhpsqNx1~#O$3~ za7$=RQXDcIWh3(eVg~#<@^4$}!LsF>f)mV*9fCo`Q{^prMpLqt1>ze&Oc%QnlFZ5> z8COMH6$QmreT{~4>l1JVIO%1tqBq18U}cO@xw{pFIp3*rK1YGtp8a1S`~U~S>6^`w zy6Gbg1?q*Yyuk}h;vU>^|M{Nfwhgw$_Ery!qW+Guua?I$cjiW-4}8+^>34h>xo8}N z{eq5YLa1UKp``r~!ddw=59Y2N+Ig1mlEIXhR?43AqDiR?-k~?$<>I@7wUFhto?D!A zB*vicc?JJ1rd6#65M2BvKElg|#cSS565k&t4C#GGbtXMQ) zsvQM+3)#5BC?DDiWSk?ad!ieza%D^q6~X3B!sPc4#O3_lp)v29iEE8hgV{ftPDJvf z%XAXpM4T;Wfq>;8i=#?$V@ZUJ%vw`5+qPpy?UoLmm1?VIIB+4QE_|MZ_{u%st@GeHtC4>I$jx}J#FhtFxX1X*s z51KFLh*8IE9hSTj8ynA3WwmKsmIk7@)ou<&r}*&-nYUVSFaD!^UgO|e{DsnC!2$ANxl#4Ld%GH7-eR%*rP`<%cjR(xz)Vlq*Go0diP24hXn;Hw`3&=_QQEm}0qH#9!& z)VQisYFxe^gMWA^|$@)_39C$Z^Pzr`mePIxeQEcf&0{c)}ad04@HLp*XgQ zTe)WGzWJIF+VmQK zdK?XJq8hPIA}#z{^cQ`UAg>ZQonl`(vne%RUWZb#$idmU^gd4R#Hw#}t%Z}GShPKr zI>HQWZCoJS{SaW(Q1x$q2gfwFs4+{P-bB15d@ZNW3Xd&<7ZX!!5qeNU+a51!hVTK~GIi zPod{>O|Bw<<*Yo~8_56P8}2`^Vmzz1Tw)qnFo8lkC^LqTrd+o`A7erh*p75UFkzd? zu9M%Wb?inOA$AJ9pn$f(z|@M*B~?XcA!DsIi^$!@0xre9d=*ThyK1akr${6h$vn3& z<=?g|cUj!+iUd*<1p04Dg!+89(mxin~8XxB0Mccekzins>z-CSmYrF6M3Om zDR)#j9FkzOqU;VQEQO(mV=A1C)d$YhAF-|Q7w9tvZ>8U52bxL~l6k*NMR3VArb3Ne z3wHoAri8DEYw6>~g9>Tjtm=@0nJMWmm&p@MlT>Exf0YI^X?e;$G`pNWCuwAg7xOea znB?}KU{Y!K2_^$6wADH>R2yvot8f*Ol}J?QDVeX<0<`G>;6`DAqoXW-@*5oCMY;e{ zx|pD37^B2T5rZ>S<$Eo~xd`dt-@uQn zV5#PL8ns5yYPQnOnILJ8_z6=+lI3f>z^s5HM@$z}*l0PCCCSKw?p-QZ^vnDnhN}s2 zp686+Aty|I^p2`BRKK?)cx123F+8$Qb`+27^)8?xyhE<=9a))*wv<`$SXkNKW|Yj2 zfpp7;{m={;B`OvVEOYRyMF`0$x7ipWIbL0(gsh8^Gfqg3PD7-Siq`KdR!EN5*BULv zWWd^ZAr@tyB8C(qhCG%qAbSJxe-f#uU?5*47>MG$FCXC}pWCa)_^6on4;tko??+vn zk9+}siu7SR8b}S+E?f2b@jz<(QHTiQ>`HA+kdEEibX1UX^X|AH_UiCAj|^gSL}P4_ zHEFkIbdVg`Ht|93XPj4#5Mm;~ZjgzFu04gBXbv-Bs2p7aP23Mttr2RX)Sa(90*$2# zZZZbVTAPA& zxJpEkis~DRDN+G_^{65h0N05tQUP+^$RZVBpJIzVn%E+yU&Tt%MXCU7D!xb+{52ws zRDoP8#z+;=wWEww0sia988H|96(fyQg4kHBk;)dk zm7JdDu+OCe_kz46INAWN)cE$0?aoKDnk8-oFSRS>luM^FqviU+hk9G*G5YeNI zKvhhSS`;2_RF881%5gnvd*+Dj0ni}7hiydoFfND7dqp+DKgxJjg#XBq`|1OLl>7X* z4FOU={3`?jF|HLog#l>_1L9=F2Mz>M#^GT@ft1^S3I?)%Fpx&7ewE=sY>&vt5D>)J zLv1D`NXZcrvp1*#}lNq8%}015*- z|6AU&7Y9L^Jxraq45n!qigFAs;!s~6&LW|d*vmrKTq=($ZrAEfs)>5fwQyFqk}@L9 zr8W_+$SsP%k^Y$JWNM@V6W?=zpWF%OUaL@sO-&P8Ds63n3lbvm3UcM-NT^Oy#^UPtCJ}y(BL&=AWfa#{e+~$8)X*3PO_)A{0y%fSK@HSBzXXMSr{T!-iwW4m8Z+PLQCi|p;(+(w1=;&v}%FDS!>X|>^5F3 zQYK|DoXJ4ynG-h(c3L$W;2ENDIwkwxWqFo9&90q5tkd4zYR9p162=gjH+`?%$2)w*J_@m%bJHQK<1TW(+Do-2v zA|O5ABLI^GW_O?kq_OffmUYGo$N&@dUbDs+=u>|6UysgF7)moDoQ=U~m5{G$jqeTPRX0$^Sx=w|&e!;cg@`AS`(kaugLoF5YbHI5*7JThZsW46? z3?+ra+Td&TSG~-Z7vZJ_ps?n9K1@JdhTCE}&|nLTz^TTpM%EXrW)i+s*(u2F>Rcoj z>UEaVHbfP?Jc5O+nO1HlplVPD=>3Y2fJkKX#haFX2fVinsQyijeS-M3*98o6j&(@d4QGh;T(xQ1WpzTYB#J_DQ zr+f>!sJ<39g6joZOi*%N!4D$#aHUX@Uqvw2^2a%X37a737>n#v#@Tgcm@+Qs?lycS z&fFL3982s9QdwO+!ar8_7xBO#*VDK&q zmluSvAF>D+2ITg!3ydvQ%?9r&9Kl~T9D$xJ-GdQ0Htbbl3CfLh3QEwTrN3u*g2#AU zT95ULcctCcH+56m4SkJ!(r$oj-I8{LT>Fl+8|>F}L)v}AwCYA`!^A1vrhHs8XXTsR z6#zDNkGlf?I=8qhK(2R(y8`I?H@GVRe?|AVJI^9R8`S;^Z%Bk0X|QqmBte84rY=uL z#va+oiI}a4Zk~FRicOLaV7FG>V_V7)P^Ag;)3WGK}8k2!Yb2HkZFu z1x}f%R`{pLU(!9&ARZRFq_~}kt&~MsZHLQpMT5VSiMUrIl&8q>iID+%Nu-SW$qePr zAB+h12q=&3ePe`^J3JqR%**AzJXVf4EMU@NeJsIf+Q35)+ue#dS;NFC(iyqdKxOi9`Yz zSNOrx981F995INkEduFG2nW{z4E|o2McnWT~ zMsTyMP75i3Z7|suHV);aPr*&$EdEBFW=Yt>ns8HrNs@+$-t2Tb8q=;~Sfq?qt4kai6lciC} zx+76&v4)FX17VK6Xj|M9$L2L?06YLgl(4b3rg$ghgK>)+ppS7f25>@A#J1D;)9+;R zvaft#`=7zfmteGG6rb|B_QJGfgyk!~fTBB;h+7IDU}9cpS6}5FOkidQlOIdRy1LE+ zQ3_{h44!GLkUshVpFV+`PoHkU=g;69iOj(I_W85;hA9Zhhv=D&O1h9X@Dfy2+*%Jg z(ZzCLxy-zk7dv!#>XPHkQ4j!i`6G)6y|vYg%xbo?jPgP%pm>TO&G6P1L~Bm=2*-%NH58mgj|0#SkYZ)YAC0 zgFhE5zTVLDv2R(;Bw_D zT&h3|nAa8_(GZAyS$-PA1ds&Ja8$<-EpV*i=eHG1EO8gd3-Y=o*LSs10A=0b-B9Nc zvRVaGVgA=VzkHctv`u%`?3{BVoRfe)Y>(s}|26xff}M%AG3(2*%%JKJZza6jww|4o zK5AyJ!g7=BT*xOZdh%clUDd%2vGfMI)sd^KIPbt_=;d|CK6*RBdHxn)46JEm^Hfy!wjS9wo z;*LVg$6pP1RBl!baTcIxd7Q^rydtM6NQGV?QE`0?P=xtXn6eoW_c3KO3;u#?XLS`0 zVi%x~K8mHc&dJ+Luq^`7yf~;8w$|Y^iQrm_DB3YiTHz~+SJ*BXMheAgsK{u=m@!2rQ!K`az2&ZEuX^TcW-WcU zy}(xg_Vl!PK9D4c`3P%6tPT(>uZ0ej+vV?+L@T$kx3{-<`24x}@7~^C;lHE(gYRDa z+vxeh!Ha_zd(Zdx|7~yd-QoV|-@x8Rds^|Nl)>cR_SSBz*txId`P2iT|BW2w{uuP< zjK$;OkdL>g#-1dzq5Qek-{r;GGDf_tlydT2oRAnL3?tefgHK{Y_F>}BF+)B}6O_F* z>Qk2BXeR2*_n3v^gEpU80J36Jk}Uf2G&_42AnGSr_+)SZ&=z%ZV}C|#fg`#@p^a27G4pTYi|H`CW^(^{QV>r)1+ zt{YaU2fLm+uFw~zf;7>g8%E-4obZ%T@dS*xB9+v1b~vScv0ZGW!yH!E&hk1dc2sE` z0)kM^=a2&P(x`F}Xf-TNbc)yEdOc+@_6(Ix(*QKs488ifT<=$q&00gc&}}UV z?BvBxgnS$fxfufY%>U|zR#|vDt+nUMjFd$f*8#^?TWF1##Z{wRK&60=5ec0SbX-8M z-56A0C%!3LM(Klr;e?P7!Kg4i)$Q3`D93a!11fN4=iv2y3*hGhA5r{Ak@}!vo>h!O z*6bw**@+$riUJ`f`!vKsVQNY=#rrpylVDW!6@Kgs@BE7I?<3538$aSQ{EC?f8kPrO zPDNu#hMIE;!rtWJPRLIUR#fpTOXlbHPAZaXx?U$*(`3UR<8NdutZ>nX48g z;$@D`&s`;s;@BwE`}SKMO-w{OVj@oZhdI{Ket8{$DVQKGb^;WKWQhXs?YF(&r%xWh zQ!w~ho=624<n?_TP{ocW3|nxp$QT63HGBigG|W0(nKS5PoGxVW_gI%e0KLhK#r! z$WQEfrucr(Pl+Rs=79NKOz}gK!+6(v85+VfIf;q z_|Z&|pzZ8?)Mv`em`2K_ND@eGL~lYB zV`qwr&N(WVW2!JxQ6@C|NLQI5iCK0JMwQP5Gm2QU6mf3{bY5RHNuvQrk241fsif8w zjzu%Sh9~t;}v& zjO{)cfX|-?RTvHEoi9Er_E#<-Cqx9P|NMFU=@ak?3=#EFR!Fzu%B)mZhWAGaF!Zmi zq-is?%ocq)r$wJH^9VYwUgsg`@3Y_aIi>1L>As^Vkn=QH;0RMD6<0q&!p#wea-83* zGqSNbw(J3r+0e(}n{AW*RCvc$-1q5I7IEDoor*FjNd`Ouey1ej3g^rIClS5)>1?^aIZm`6`OUd-;t;8^z=W5u^Gok)pPsf)3;WOY9ECATDBn-6 z)JB8<=V-L|+_wMh?>+zS$^P>o&!a47RIRYHuJx zm&hi*Qe8-`F5<5XLRe9E=*v*v`D^+24rqzDKA~uXx21EejlZqItlN(qf3U4D+TnJ& zXm+Z5T%jYa-S;ZpYh5awh_nmfOaRlF0Dz44FK>`GaHWwDp{bLxS=8)mrux{N>K^w7 zitKbDiEA4kVHQj-r77?DO{TRDzs>Bf1!rAtQIye;-oRKe)u4uM#U>2Fol(FllR++v zvVPktmgF@=A+P4CKA1wWX8XU>B$tQZ_S8uyD?~Lbr>_Gkt&t#hlDxOYbuO3Bu6%}4 zMHluK9c#Fo&@X2#EE2N-zOR1tTLGygo-t45g@y%;^F+aV<2hKh@E!Lx6?YR zb-x8!MfI$&7GYr&l&E8k8rU{B#FYfx0S3WDr<}9~zE-G!Sg9GE; z%l^lYA3yeYDu?Gw+pwOV)t?sjUlH)$6Pd)8aIu03xWWH#Z**9=|Gz&PJ>Pq>|31XS z=W!yEifef#hWkXg1o8FL^E{VDrO~&{J}P=T9(trti}`Ox8(n%b9!w`m&@lh^UySw& z^Z#J~;Jc^!{}7MEKH!cQYbxWb1ZirnYXtBS0t3cac@U3Xj!=x;#9#m!9QR~EFVTo$mXxTq+d_$bh7ly%?Yi+N_*Y68lBKg4;ErP`6(Lrtb4kEE zQF8k&?J;Ft6>Qop(k!`w(=FHnXh?J5a6-;^kGWGq5j8Uzuk>6t!ZU9IRkMKxd<|@A zjC{@mr8sSlIA@&)>rgf)W#`p0){uF!6`U9#zfeG%({ z4!riuL6iOGyHU~p^Ww$+ll|vG9>@OAa^tX%;@ln{D=!G^I)OaiwL*4v9c9%XgNdJy!~8!S9UK(r|7i3S|Mfwh4cLE*8GziS+GlTh48|XY z?UVKAuda!9vHrB)C9G~JQhaAwgUq?vZmtzeHP7907MJ?+2Dx@}larZNpux;j-LT=! zQj?KDU7RcrlGXY~3`NzbR+x%L&q2W@$1r}iri__)#-fQMp~M%UhKb%Pba2}QtJk3p z*}tmUeWmnVD}!2llB|U8qnke~_2OQpR>uTpk7(9)#Qd>M$d+!Q6?0@Y;@7U$nNMkp z5vyIdM{X5peMY?3vyYDL|Gkbx{#H+i{eK)xR&xMr^8eT??f*yn-#yv?9^|RGcoS#7 z*-&h&`PZJ?+rj?9gjCb%CR!JBULO?^o0}-;9CdY{^}% zj!0Hb`0;%N3r$+@svC7wwVI`sW(e2ZQ#@-FbJ`VJGw##+{r7r0tpAijhNfvqQAbDc z`t|?$;o)J?|KngZdRqS<$mrv{Z)4JYnUDw$$#$Y7=y2G5Se!`TI zWceB|FmtY@u7ZzY0R=k3z}xODU!ifNaR3>*WC>(wwvXUNLu-0lmV^@_jApD+@jgY=@(*I$GIMaD!wjOT+dQ zY9+BBMrzj~s^wt`lj>+U6>_R#eCC9*qYy)ij9wcr*9#)D&x>$5u9+n3n^^jH?2OmLtjx8b=RKr#QlFX)H(T z&1S|egWqz{R5F}sv=EBMmS876vZhi6}a;RQN#osDWLj!F2Tx!k3DnZ z39-xYrtvdCu8(6x0@NBoUbqQE6QD$Izzc%@En2oJeT$Zgd1$NhvS?Kgt0uk+aQQ&a ze7hO;x7t}b{w95IW6 z6-72h&ngTyN8LEVB*AQX970NMLX|$bjfo`y?lp=FYPXnEEx@TcAtt*d@;(UxbC1KX~MS~dNu4jNc2kpauI_gS8i5>XqS zN`I0H>^H2S7oe}FrGE*+mYrtCj@X-quYl0S-MjnB0GtD}6$OH;^YTpInrjs>L;y=! zygd2%lckXX#^ZtE1V=-Wpuv9cA;0kE&w@XMFQV&v7cK#mg()o#O_D}O^gTt1N-EM~ zG^g~(grqU}{264~Y!pEajEXYBLN;r44EBrBOVC?>a4$b?094HK zlE}4Q_ztnANm1@&%}ne*@7m3>3X)dN2Zxa9vc6TptzYF@@!qGlsnzl-Um($$vnyq_ zMiEPb+C0w17P=t20lGhEnzt?#7jQO=ss($4gw}9FJVpM}57AGA+!nCUzHO!pg{Ic& z42tgD3&g9ltG7pQ&aO{RU%mgaAc6&2$`X}CFj;~=OE{u^k#@Cjc}q+ACzIyYGpEBM z=A^iY&6rYT=T#}x(fxRHba8fc^6J{kQFHyn+3VBFPGxbAtwebG5L?Em%nr5fbUcMH zn~ngIB6W_dgSPdnMJHVN|6n<}>PMpdPqe&1)ACp2B(*s+k)!r4T4sx=O^tFNi|m(; zt%%JjQpuEtS!8hAX(G-0%hQX>5p{yRPj0&pM(e<1sZ^9#;;~1~UR^oM@w(XGlcTGn zS4WrCqhwJ#%Vt*3JRR~fR%3Q?dj9(CSOhq|e)I060>l0SQihU#Yf$ZHih-=ydflgZ zHW0iQDV=wvldx9R$jZ~n)v-r8wOkZhW13ZHNg@*D4U-i7bw)zQV(`}6Bxj?S*GFHWy6&Q3cZUT$xYAeLaU z_t&g`u(wz0RxKKruTM|UudmMDRLPEZn9vZR_zH_9Q{%F~CV|CBokn**!=yyoP3XuL z{FWMWy~6J>;F^sbzp4GK;)@rR@A9;7L9gRCWoGnsSPZA6h^j39^G-jIo-3Yzx{7Mnax@~>|#Wb9QhjGp$Jjxm;|BuX_K?SZgT_Ez{1o$ z4;-CwPK40L?P(_bZDzs+f&s3W3W@b?lXIca>INo*jjMY$xccLq4oLyMr}^+#n-6U# zNt<)lDi`*r!_{_&tH8Mfs>sXe{9Ltjmcqsg(^o^aKqU3_P{fjDOmM_J*~p-anc1<2 zvm=6*_a4Q3Y*n2R1#0kjS*duXp$u4BHIk06^<6Z5UEHR)?KXMpD-G`2US#Gm>(*;+ zn_G9Q`Li(*@6Ci@HL{K!q0p0JJS~T}kSbyTu5nB#WF_w4pkUSP>ZqVAZ`x6z3GN0Q z6-q~+kK>q;FQtKpKE@&tiVFOE;I-yXd=ec9)nIxgtK|9d+mJ`CrCvhl&e-r>%$FG(ncz_k_vVi4?%TG{f! z*QldpmaSUg^JgL4<$pI}7A>tppllfZ$7t{Q#toyoj~lS0I6-yYInEi2e?+V((qgIU zxalObo|M0}5lA(zxrLFS*%F?l6GuJpknP6m#yZe zR(E}C*3h$K2pk|EZvKWt26v^q4U!GZw=_1p!>!!iX2*@TC}@t!QOKq~Xg4MsuspQ0 zIyCjGtg_npylLH~`w$fEgoK>L6P|+LZNLc!ZT9Ruo&u zU8~%~CJ!1%N1LmxCA$pCxpDbr!R{=>>TYH^E>qQ((Go0#c;T831$%5(mr3kJJ)3)d z{wkjhaoK!ajerq&MIVQl6S?D+u>$VGMfL>iJa}d!ZArP^h>h7DC137xO6hnhS=zy3 zL>J&fJzPCpj(v-LLxDw%{z7*&md%AUYHGA9w1?gC(yTY5djJ4MtX;mjDygOR*3pSg zUfHI#CpVLoroe(2%5`r`A^%s3XmNi@8A-G?v-Ye4|Kaqubuf|wIq*YB^VkIju-YL3 z{aHvRFw6_dzjs>5SqouDtZ%x}zyi+JT7`i4WTZH=25^({-@3&AyYufQ{_o+zK{5W{ z=wSaT|Ko!^&a_>ZGD6K$1iy!m;8%*U=ET(zlWYSBcZlOxT2QL?#{nHLsq#K zpS+3UBG(E-q_SRLC2%^$zB&utCP@p7UlSO-f+382l=OF6RCr4QbWRf1-%(w3wqDy^ zH@=n_tRg|@4pkKnjbfKV0leTUr()!)ueIH(2bt$5%sRBaQjfMB7Z2-DIXmCcLuJ2i z-I+SRtg26uhzN0H#cM0PtVO^HU=0kU-OY)I{InTGx4!lI6e3pdjPos*yT3f5`1A=> z2lP{z2tWf-x3)~KbeEId1HfQ1Lrfl>nRr;N+)Co)0;DtV@6^RFRP`bSzNyQ)+>WtX z((l?4wrfjyJEje!!f+J08u%p8_5yl0z7aqW1dHjlO=2!jCgy)g_oh9sq_q(uw`NuW}pGLjGsD@(UT(TDQ@t|Bs6PKl|T(ckm?tAL7xc zSdIy$M!hP1pVMdHU*pqB{zr&?Ajz#v@$cbi#w#|j1r755#f#?$1^NHt`Tpoh{y)Uy(Ersa zOXsBg#JttLn;k2hybY=9T*)q_xavY2HD;`LBz)fAMd9*?geIGjUWRJlSWK&w#hs_k%2&K@=>rpy$EYgTw6aBY&??--uN_&H^i}cT zxT`yB{rqg6$r=Azrs zb%CR!JBUNB`bh}p8_OxQsbU?W3U%Sf_Yo{KYrU&$*iqT-T3_0XuHtKdn6L9KS@>&N z^PZmk>9qb+1{s>BAw{f<9#FsjKYxCBSoHrtcs_bs{~zS})G?@1m&M&=mx>ksQWd#; zTG^jg_Vz2g;!0YvTB^^-B#qSF!vx)7&U`;%%1E+&jTe|zRxTHP9P2B`KzO;lU1fH} zBzOZOI715*F~?nXL)j>oY|w4eIDiaYvIH_TQ-$q!&iI~{0O~IY>!nGJLm{G7DT0PE z|5k8w&=CAN@^5Ln7+R;%)+lU?VDAIW4I_M?o5*giF2ryY)5$WW5%XvwUy96KF@C^U`pYeGe<+a#lDg zHgM{kP<9kzNX>|E#>@2rIJnzsX511TD)EO_C<`%%jX)Tiz&vZACE8Yy{0y0l(Ydgz z#ZXm|CafTjU&oelrSwz)&l5xu6Og3P>Vv-FJkTmMoDjwgZyrYj=qB)tNPt=+$qP4Q zX@Zm}s%R0nXxXy-Em|s8qAhF4!d3ljKM^?S^5KyAc2g6=YH5>mnUN4BMJ2;{xv37A z?Q9nRn1p1uyo?hBgJTj=mOyM}C8{j4xxQ85u*sgr2__;7PY5Zsm&wwns+~XygnKnC zXA)ek<+km$>puw^6C5=sH>!hIpOK-(pg9#DE_jZ0$_^?640Yoe>%=nTZwqE!SF;_^{&~8R{pMNVQ^=mONR!r;H z40!{I{R+MLO0vAUlpd2@64>UkF1N9IQk|7(|2Wdyxs41Q(uR>OK;Iy-bI2i{B7f!)!DnZ*KgjPR3!ZD(-7XFel4UoN0(Qp z7uP?%yS%FGWBX9)jqRMjySTc3`~JmqtpL;b#Zk4!|S6TFDqo3b2nl& zP?mIEaHR|;ERBDGn7xZjN4YMXFRzX+uHK(t|8jJ8b$xMqb#Zpu3Hfr1g9Nbzi~XeL z?Ss9&QrBt`xqN+kdVYO%_NHoyZHo&H5sI&{Fa>IC_SYt}7_rmn?&m_TNU$*rmDR#J zx#;VSg=RCyZyE~7W7v`!SDx{$=yv?3%$iwBMyHsFsx8g+fY%vbSEo6uQY@{5ryFwR z5OzxBYy_IuPa%!-!NJ~PnMu}6i?yk?tKF4*^ zUH{r9zP6j*J!yXtL_!j3ieLfAjyBHy?DxR{Ai-CWda<3>+~?WGA_&Y327{Tw%)l`) zVH3L03sT=dob?|#Z`Nki7ROwRY3RaQ;SDKZQ{f5`8Q|Jo$V@)Ecfi?6E%BYA8viLO z^`W9tKPsxZti4R-EV;8CRovTNseLcHzP$ib{tEZXo(ng*qq5uF)dQ;s2U8lUiIp>f z`ZG|^`*AmSt$TNAyInKu_nAw|bH;n&p7V7rk?g2zStDz>xV@sY$7S-kOwO}6+2_tX zir3+nGvh8`b{dnD{)r!;Mw%0gowao@28Pg-U__rg|<)gm06!`ED1*W|Z_^_eq=O1_Bj-+od+uLR zeuO@KF5Ee)m+(o5>C_e*NUluJ7eqj1{fEmJuE?f%t}!3qArmeyWw5>~B#Vcw%81XR zUtnN2DIOsV#Uz#bTG;rr>Ujk`>E~IR_qD=a>2S%dslxqf`p4g9MC5gNAsM$mqXnK- z`tOqbJXFR~rc=)ku}D*Voz50a4C;10!Rvl1coixh zmBLz59cT>zx2WS)*qN#gCzFd%q6MsJ(=QugN$}fToxg5`%KB}ChE-PNJg(aDEv2By zhO6tAXHDDYemE17@YAzQS>cLqyC=4F*X-!Y=L?`phsp1l4dEmoArUFOlsq_6(|}5G+8u9O{g4tRlq{XjL~4orV{nVV*0k z)-ZR~+Xcwgclznmy3hiHe+$g4hR~dz*-6X(+5(|EPOa`i5XkjD&eT!L{kQ;#(k@nl zLVJ8lVbQPFrBBz7Utg3zgQ0U|Q5I;ez0PHcbVXRoQt8TDrTTr$nPff-kI?1GnfXm( zJ|m2!?1 zN4Aj?-4TQ^nr%cFhHY{Ur>+{=t%#ND#++T#fCL))F4_vIkf^J3(ixK$iEb~uA$=~M z*i<9P$!{~tNr1Y?=m*v6)i>yzF^O#Nh>E1qf8-+gTqw{j8Xi6;k-yjyEVF&=u_#y6 z>Gg{38&BfB&0oW*i`!4z!WnyoB_3iy8qHeVa>nx0*VtXV>?$ldv%UMpSXwEeeodyI zEVDGLur6JpY2#)KwFp|v+24p_*+~Bb?HlW=)k~;>3-rIe7cX{m`rrQU;p6=;ck&c$ zI=4c3#ieffb05>X@$pY(5%fpxuko2qZlczIQc~Idil;me@h}R{B!dvhEJI(iD-z|r zELpPDe7Dh4`}IA|<^PmLR5HGP`TzWR;r`G4z5TsM`F|JB5{H)NvstB)B>WnO>A{2jr3rY&uM0tq z&A<>o$1%C2Q^ID>;ZWx1CID6Rvm{g#7BQZ`&B^((2}GrRED4YP`JBK?p^;lBukdO` zMsEzk>NjCj48_aPQx4xFQPyxEm1p zi=u81OG*6&sOxKgD)oPFLc%E>M~stI$5^2M@4nc}#sBUd9_$@F>i>7~JV9qzO2Q+7 zBtv?>(anTJXgH%`K%+5=v44ffM0lMi=yE~@60;bB3y_$QFht{!4YeSl(Rdp~sifBg z(tw=baTIi(poomM&vYy1WJEub0NqeILI2V7(Ay}SBNoAz3M3R0jzSs{uj9SC_;4W^ zC!Htg1VjXScXELO%0|GgK_Up%h=J9+-=Kl=SX!g1U;l|0PxM!)~} zPUlJTr;z~x8qU!-Iyt!0u`j7WI6^EY5z=W!+feRd7Ew9x2jrTBEG7ZE_}||{4jP=2 zsSTTOBqvy^?{8>8!a1T5nhAn1XR|0kazfAz<6(e;83FMm1tQ8ch&dGmjR=-APQ*4E zh2$fJd&lP>Xpqms5D%HjS_KIcLKgcNN#ak?i1MlMI-U1#ua)LNZV($;WPjP3NEwTx z9lI7h#>YFoPUn*2fJ`yJ5=TZ5vXQ*OoS;zWz$#2iDCMEc2|=7FLk%ROOgchS5-AW# zpm0|Rv(bof)tBm*-9)-4neD)5(-=oop{}r1G-D&xXo>{k&rkH^_QTi+D?)>VS~Y-qsBgsBxk|QS8#VaKyc_E4H=U{avTeU(fh)z zjj5c>hVI}y>7_n9k`uBs#Wc!Sn(86vh|UI}qkzOAn=4u&7OCOBOCrG15i?O?z2w`O z0DhYg^!}eDoTlv+B|I_dS!O}{(3E?bHI=R$EZo(VvYncHtcalZTo&OlU13xrb5sh; zQ>{KQt4GQt7%^^g6BUT+8_lHP@s;RWd+~&`Di96@OZ4=AoL<1_|KG*iH_1BmIvvCD zdZGmKafF6M@u%75fqXcQbHr1>cmcWI=>cR8(bXW+H(f!k8qSW9|o}e>M z-~d)oNkpg9N9lB-J#X)Cf9dpf2M6B1x2yg-d#A~y@Fm>pHg+}6l<^VHVQohvj)mki zIBGW>3e0S08G!0^E?L6m>Q~LPfW2PDn(LLgMT2x142}xRtm#@&6K5*~Y0`;g)|ke_ zA%o>kgP|=dmC5th%<%pUb37%Ay1#5aiIYEiNDx?+Aom1xlfKn5-ORl0l_(j`H5maZ zJxr(bcl7MpC5@jwJ3`-6A(6t@AS=uQ8UQiWP+Bhh7||-a&+Mz6fP_R6ci7LGxqeN`GTcNu zKpA+=D+JlhT42qU)bmqGqFB>~S5K%hI2ul9`}u78*m-w;so{Y34A7QQ++Wlbs4c-9 zBn`4~f6LScsN>b$#b-7ww53G`hi0svIR+b_I#VSfeOzSyqiP^AkbQYypDOT}WBxpc5 z33>@2pFWpR#5p3%@`wS%oIkAvhB`omKOw;^BwR_9%+!F0(FOuaTA?i_C)xyytQOEy z;008~So#wbvp_7Gnlc`NG>uoV(dL%#F^F3>LeK=U;jhG(KpMR-7uBRKa*e|oY^9*- z+OULP9uN@VIY7z_$f+ITHT)B$4bYSY1Z}CQi8&h*Ws-)WQegrr^Z_?ECaKj0Yy-36 z0uuEUAaIf0pcW9*!@%$ebj;F~tAI!?mQ+zol;Q@DqDU9+&gmM$lmUYISPbmcjK$ia zuz=7=r|flqadtzy1pHRJ;wJaSFY_tx=JrLMTDQS%{mXnR>7iGSE_Tda1va67Vze*R zVE+h@5;LHAdz2MrvZZ6p1eMICWRZ@x&3#~T|IaNNbfhDsZ1mi`$RsoUVV+wwn9e_xkSe94 z&GubLN7e9;NJG?&ALIO*M&;`|A~&rT_1z(P2Tub!=I(j7=Ps$UG(DgPj{HMDx9N_` zc*QhMOh93nfP)9BCB&|On64Owit&(kjJ1;Y~>n6=Q znW>o<90e$*{uK$(EJh>FrrOrjQ1tY{y#Z;0!J})OxFCS8$XuX7X)Ou`M_nfT0LC8V z3nC1f&@oeMAU(U%r+JD40Z?Jo@+93psVcBZHh3`40zJI!(gNeVhx;v%bNzra0wJCi z!Yv365F43j3KCsY&LZ&OU#qzss%F2ZrvV*HZgv=$b!`-$WGQPhLPT`c9KiCEih~D| z&&a?-ugHi-CIVUs2EFXGQV*+0@%&(0$5aKnaYm@qQQq=$2664F&C)S<%;?gQMpOpF z3pj@nIlboYYb#-DYb7&!*@Vpf7QTW}r_F`&WP-E`nS$=*^%H>4^AqKP3NT?5Y}% z+r-wc1yM2t#XGPh*~nKkBqPQNVjSU-BpeBextzuI6e|<(8R#cW$m5V=L29Sq799tH z8)KoqLs)-U2f_+Z1KMXOR1N=a8O%;!+(e;Gilpg(62 zhW#S|IVeKU-S=mhOIpf8w_17?oJo(`yLEGhvDwf_E9{ZJ~EKD3w*Kwggznc!DbT zF?^bFYo+_4X=H6H4;_agyCH$Ts#+YOfnX!4&#)%gbzCaz{pPyu};X@6rV+}hu& zp^sQVvY?mBog(z=!#wdp=By3;2DC4M{))_N!elbg!!l3?yV|ZGd$}R#O`heT*Tkqg zd@X@qe~=*1l=uyxU#Mdyoi6Apxrd@s-e4ihlFMFH*Wfxdyf{~^gz%m+ZZJ(V=n z>s0-QgpVPsjm2hy+yu-ecjE@oOBS<`jpr9JCpb7^ky5^BBnvX<(lkW6C32c>h?5#{ zPRuFeRL&t)tD1XmmG%e?oy4sTvwkzqxgh?G>kDlp`6$yog-lN-WkHz6$W*r3pu%=* z{MqfGABlf(Hj8u6!*A&HRbrk)-AuL9>nnGkYDfEANHSd=a%96kclYX`Ph0}^Gf>=X zQ-_Giez_jdo6)`!dOnMeMRI-)#~R!veKj^~gnnt-1N3iLbPlH_x9EaMC1<2ECBc7Y zzI!T={S;a1yWg$^{UX{YXJV&{qka zI+?R6gcRp2ShYFmtAtLe%-QffG>|zt=&OWIxy;!t`0e?=O6XL{oK3>tK<4D2uM#>{ zGH1ikFQUDU)3|VytqRMq5F=vaB%pf6CJe*|mZ66Jdsl3idtnRETT#C;@Eb#ao?(De zyS4y*!Ze!#zqwWZ6Q=TQTzv>p0{w7CLrJ5AgKjXD$e$4Z3bDBQl%hF84WNg5G~b4J zL4;J%6NuB3e;e5q(ukmu>T5A!8$697TqMV@qw9B=*THX3`pZMWb##s((v9z0nR^=e z?_KCmeyEAEsEN-p@IipP#Zlq5BI~rIeI`w0A@sWSra*6a`arm#LXya@bETy^rqjNR zO-y9Et=x#w;LLs?-+`n5B*b(&@X+Z9fv0R6ir2zLq^~H?LBH_y!G+#NdBFe`w8v3O z{tD1ash;4~_-RRdF&my?IVq?8#cUW*4yV#{d-AD|P2lJdl0WeJjvkhPzECUC>8Wrw zm5|*cVe2Wv_jeCHt`6~P0==);CKK|tGV}{$qg?1gi~NBF#mLeo(Cg0;e7_>#7W(&H zrNjKhsU&YBpLBm2)Nl^{chzBkBhI1!UbhGQum7O6-lz=p)v+SC$Oe+6aYU~4Nrey6 z(q}!;H_~(Tfc2V!*5RP6rA^DzyA#~Dt3+w4_?RPHg=ksebxjB-?j=G^q=q`p(_=t6*$M=Ov*RG$4Mxepw2=`EHX4G=W~< z4^$aGo%EE4$*E>)`dDuaH9&u&>zkgQ4eFtXTUWg4T>KW+$AH&B57o_G9cN|e4-R$@ z>$J2S^!mo8x>(pI(3@^nhyHJSyU&|IAF+U(Rnxx_^bn#6D6HjapyycV{UV38hCb;7 zou1t-^dZB+H#o$RUy4Ez`s@d~`kJ$NsX&A8ohA!p+KSMVkCN~RhnF0WM$|8sM>DpS zA5x_bm`ff`&vg7WzsBoNKul%MU=j2#DK7xDa~zFH8mDj^1YG+uv4pyU*u-!{`d5Bt z>^x9`+!<&KeN%Z4yFM)23aeauMD%r5k|FXjW`dxti18_?59!qvP?yQ_n_O|OhR|zQle=o2oF74?gqt0$W|RB49gua< zFSHDUp}Dkwfge-LoE=l#8ew$C0`!UsKGXTm-^_wBk-FZK`g`>#(+06o3i>IHj;}Ed z6Omx111rW3US+(N%-x8g+KT=7pTB;)h%>6DgvGV{yR^Nk6VGhczdqhvJ?|ggTY>SlW&ht_aqqes0K!hta#aA5&$D#^ zlApJc2=O&pz5swTZVGG8B1>^FF5we4iz-qREe^>#v7DM>(%!G!0*5MjmEy3WdIsrA zT&*lXji!|1u!*V$>q4L@4olZIr~q`W)eUO(jueLnT;TvUorl(S4l?xLaHWIVT|C8M z?bQw{a9pz9Y$F_6*E~oi>gKB+pt`yT&i=68$_E#v7_NlF;(1ti{eyIx){>ysNG`2j z1!2ulFNZ_BS_m1C>#HF+JLv}MA>??eO+|zp4hw4{tcFNURRl+GZCe*1#i3zkgq4tJ zG!Lz-Bjj*cP#>WVfhNzgIMmljD8-?+O2R65G}BvGs+5qEN$aka&`>U|TrXj>Xf(oM z<*ErA$6+xqtv!E#y*M?(VI5ig8=Q(pa_IrruxO0KT~xAIL8EGl!}@9}tY7`BiEOOJ z;h|JkK-MQ)p5dRdr`y$65Ji8+#wsi{oQIXGER^B2RvcEChx@O!fSS(3`YJAzOvoMC zqHC?YuzoZe;qZW~FQEEU#tIxBRt*M&Lsd?61r86Z5`)E|q8dX54iBpygTbMyCPM`d z534EzsyREY#^GVrW#oOJ|tS;uqu zMs*gP^Qw(kT37;yM%5PTa9DS}g{CoBZEG&n;jr$i3#hK{LIp21sk~6jOKYyZfaMx*Hy2c$owHku;z*l zP2nKo;vpYRo!7B4iBNe18QuG-bIy%<>Ou(#bB+s)2PQ7T+va6ZI-lfA$I{?ml${1RrUj&Kw}31(PIX{0gZC@RKvyMyZ$Xq;zf zgioo^!eFWOcwaSFvM`j@UqP+b_I(vzX$FJl8SQ0rrmQ|YChP4owTLEQJOHDz8>pcX z1!xSZC}vd`JjPq1r;k!%MuFSWAjzRPD$8xD(j@GRlpq3yI6O|qR7hLAMTaFh80gRX zvBR_Q9kSo8nXfb=0rRg2_b4k-i>eWcnV@Q49<)TnezyTchEzs)N_WhE`(i@Ea8Qqk z#N$kmRZ~PH9-}QfozA4*tMFKWZOVzyrc)9HBv{gHQ;Nl2KOjSjqyFArpTDqbMlB)% z9TOo3tr5}RS%v5Z&ykqm{TGKv7<-=Qp|g-+L6po@J2G{o=(cu%$Zf4)F&jdm`cdR5 z*YXx363@agb!0S0M16;1o$j~Z=N1i4M{k&fjP6WPrG<#-V{-v{{1@hsL9e%dvZjST zT33pRKv*CgAWV9`uz4jbxXRvaop{3F6}8rJtQM=@tpr6SJ+cn`T; zYqn-BELExw$|6>#;uJf3ZGqpkX0!0AR(&cEb5)*VX9dJIrRgku990O8n1a6Lm_Zq0 zSrw?*Sq`zyX+BL5+x7OId%GF+=tXMrW)aJ(L<!+u?khG6tS#|v=Fh)X+{g5 zYSpO{u~cO$c6R?Nl!I7>DwRWQ!Lf?zEbsVHoRiFA%vL-@Y4cQTBss+3%}NjIu73F0L|3NZA}SD{MUah2@4&I& z*h`f|>{m8~O6R##d}X#oPPC0Ke#|1{HsfQGMxsatu^?CfH@$L2eOu81nr)Baj!#L-Vk}i_?0QqzUt+O z6<|D&(3cg$@t2A@xzi^f?;p7n+bH0roMgt+WxCTx*mR?}u~h()iEPhe*Cwnd+i4kg z^GsgyR=Vmp6;ja$)NJWWRZc$6Ycrm*0Y!2Fi$ zYB{q3cBM?~sx{eZ(%ncC{5F0-M25H`Nk6fxOG~+m;w&!?@`AA* zyXtl4Vpl30D?2TpJHYZTA9wCLolC{VLv~FZyAMrqY#j)uuB0jb33jYb+kT&fHft&P z%hp87SRC!_jH#T=hMv!+HUn%Yjd0qLoRFOWt%9doVZ| z>9kY@)%pjwvB%7xO-ZCfK)p`KdfEy0Cn<%@ffbYp>GuVZ=!(o=LXD93+sQwF86eEZ z&>iG5PDnUKG!hbr;XorxK7!kKyVDsA216_+ov)DF3{B^KZd^D&cM#Hp;hCIxoH2QZ zg}7lnc&X!VWAo=WG_aT8zr=C;A-NG>^@4P_F|*jK(Op)sMQR0+A`>Gy;BXI=O*OUy z0(w~(2A<>H3FnAP$0?UUqjrP<4W{!1z=7B4{2je{d-?hZy^VYm;q6Z_2MMn41t-C_ z>W~UZL5`W(aV0Zpr&>10P)<}q@KjiN?{fkY9EV~XiJ3n^P;XR;q^VA7wg`xAGt2)Z z;nYKyZr>u)yW6QbhDon4-$nrmiPY6v3K_2gZJoUnJ-xjQwIQN$RpjTSuRB6iZY$Vk zq6{@Ck=&;d!oieA6mEy6*NPl06o`&cQWe7MbdE!izp6nv-$oey>-dN7;Q}~Q69X8Y znoZx_fSTxasfaK>x>(nu3DC`ig2n`FYZnKg(w@`%BQvl!$J4N!S^tinJ-ejwvu8)> zUu*{8SnAl)(eIs3e%W&V=yf_zo|tOD_Cj_=Zv%?{As`adP-qX?dvl#PdUt_NGbtCT z>{y1`H!fyJK?aZQpa3OIN^v&(xebq3lg=CHbiUC9(2A3tP>dpSV;CEHfRl15+{jnOr_k(LEfQU60uGWejna18 zNYHUaN7Tnrl4K5R!{-#>M%S}2A{-BCNTuRqsOahGc|6f*T5)EE>U1s{nzF#U0&=hQ z>V$NZL=?>p&)JZ34BSS8G&d(@47DGb1SiE7Jiqtss7c)ExtofU5R|OB>^gGVy!=1j zzr6n$n5o8b%$eG)K;IS23JW73_3feXtw15YB1sssFf=mJU-aK<-bS2=iC!3yPxKz~ z-p;Y1)7my)(58V&Eu#a!YAp+C_c5Go&}tApt7h5era+FBYe9z05tYI4LbuG2Ixi+8 zWJ|m`Rm4r#wmOMk6JZE_Cm?ERVxduDM!iluN%JsL;eSnW34qBr8A#vgG$<@JdlnO) zs5czA&>sqtV#NuPh6;&D2J>}=q^+PC2q|iTC5nP7_G<3P=&0IHo!6NafiRj0wW^H7sM)BllDcaCPoAe`c)3+;cr)LDng()}-P(W&TT0*zeIUQxMLr69Npba5GS``X59=O|IBr4<|dgq*HJfro{@~C2j+ql+f3K zC9puOLqox=^irKLRYb}|?=J|^(hrzOvAg93sL>x;QWig6C&QV)NZ$<8S28W5HYr<; zPHBia$m>!Lv*ZtqDwU~OmD?8Fs?UzJZA_0`1?W2`#*-&$1@nz>+(I%=vX-K<=YSj; z;01zxil9NhD@A2FNeX`1!OdFK%W$d__b_^2D9)aul9JP-45+P8@kuPjj=9}nC$+=+ z#tz%*C6)KhMjA40VCltWUQ&_l_IjFwxkAFX@4*~WyBm$h+iGhwnyWXAU#Sj3^C%jZ+o{t;=~3?`XR~2Q#Dp<`V?0wj zf)WD7Z<{gf2>-T|>oxy(->Ju+Qrm15$HA{NA(30@gN;hA5=g5;bvnnI(M)##EK-|6 z#G*cDOgbb_JOo4;{%ZS|3}HQ9Qj|(eXmvR%B$!pK9FBx}y5Uq3&EqsudVw-9zH!D* zcWWw=C6F3$PNmbrwb=^Hj2Y(mGzvg#NImpVc0;a}c?7&WB3KEK)Vu?SBh~7ZGj>3Q z=eGE2ZP_x(O#GG>jh9&-?R37SQBa~r4cSbh3A<6>2Ly+Dr73${nb~?J zauR|-kPI35`cyc|1DNOU0rJxISF_N@L>aQ7^&YsN_a`Kr_F;fN6=Ft&5&A#IV~zvB z=~O<=vA@zTK>8Luh_226qGe|L$>t^OWbZ`-rC58jIg1Go=Sr<75y&j-*>PCNDoG>C zh1OlRkzi9@%t5%JU2%x#BryJ^#Gm9i+SCYBwV2g<0>=t8d3u~W!N4n!eDM?seF~AS zAQ7+|VZ{J>iI6J<$ z`04HWt6#LQ>lTc>BS2Yc$S{?&p^#M0q+V@thzMAoS z!AuzOe96$>p114ms$G~WTl!aE2948jHjPE%ZL=HykmE?%I}GjZdWRnRmW4n%rGK!| zi24-n$Ix1iTBPX$FvQWD%y5T9I|&!|N1RRjra^yi_eEba=g-5Po<46)*>*_e4Iz<& z;ss18fYa%`VFnGoY>dSj6CaFMt;Q)}%_KUM*sY`lC)#~1lnln9b(>~gMqrZ#fj}Ug z)WXtIT5PL^j0akT4%K|X?QqGgabhYN2yn=oS+mNVkuqtW8zsm`BaM)Tqk%Dl zGnY6F&CcYQOS@ zlGQy<93EGM|xu$F;!bICrtLCZkr~e53JngC9-VT2yzJ$-VwU@Z%OjFX#~-wSn}qU7!9TTP0D!c|S`X2ebil)5UEvbCd`<%y73&P1P$`f@`0 zF=vW9d&YjzyR|*ep~CK}ioK0>l3bEu3m3z&N$QvfC{JJ`*PFCGP@$2}c+3>D=+npK zNX+i<#^FRGgX)1k1%O_B7FnY+nNw(GFhEoa5{?ijW6Tph*plq^+wZ+j=l%Bt^GI7S z+G4R<2OR0aL9#YctYQkI2E_PeR`N}`XU@zjYy`}cgT&0gWazJ&2m0v3=t$04@(tl6 z*)JGZ>OYQSg1M&J2wyX}PC&6Oiy+jlWL}Rt2=&2PBMF}h^kIsHB>V$V;DZS9HTi%h z_?qO_k~wxa9~nVwzp_H%1Gs^-4|UsxJ?3OYKiVZZ&|_+6J`6c9KL4A1OEZvZYR4ID zE520PD4aZbfYU(a>O?&om{_}2YI-(%#1 zYY@pBW|d_$fFpVw!c{SVtTQ;s{YxjzAb(n{Yt;ts_NPFsbDP#4%tAY;Sjcog?f+PZ$gZgss6(^eTFP z8u@G*V+nCJRwU*ivWQ#!oWGwhWz-#Hjk@PMPpAV%-+<9KmK}V6qd>Lnc}s!)JO}oR zrNDlk1^dN9u%8>SU-T3&=}pC^D8Lj3I5r-okz+l(J|)eeJTTum!3HFpdSYT6->UJ4 zArbOJ%&{-2PsEP?V&{qNqOX7GX}+c+VPtSd(?~*K2@z>AQ|5#*Xn`)>E zFeHnqFLq4R4;qD?C#p>kj`GYwF^T-Shkjr@7l-HWYHAOdNgC>kcxEw-*enXrd&U3t zXBv9s;(3O~=!q>@um9{DfVG>gXWd5I5Cx8eE=z)SEC?(xyXu{zT8kG=Q@i!)wDzFR z9XG=Xiv;;?Mj{^!_HVF%b%S{zkmV(fv+wMd`RajL~&iS=>;N0(J#Z7FQ^mj=7-B-kw7ZQbk8%}I~BuiQC5R2zq0)B2QJpCV!*^v%5Xw83Jpi)#p_ zSLjo+qO&oHpEI7tB|VL%-9l_$zJL9HPA@J`-~8jl*}Icv9h8|q9RH+Sh9sG$s_D?| zQ{(M~6QRVdYooZzr#4Ykzt)PXR>BEamWYy2A!CYztpl5B>sN6x07#`Umz!+iI2OI_ zM2c=*@AWjKS2POH)~n>~zUQH1C1S54b_1tasuQ^66y<{q%T)tBXmv4%{CIu2D2%#(lvsli{yj}i)WHf zu2v=t9ra;CJ@gv$kdj0Rhx0q2-2n<{pyP8j6?JVHO-7$_PJ9{8jWVJvTtOq>=;m5a zPOjyKFpZe_UZ-;!p?X7bC!U4j&feDtyMHy>WK0b?2bQyhxou1_d|IW`)!UR9Rr9!W zy*B`V>&*4X;+Q_odf&7yY3l!!%!7`Nye!(H!`U>pA&npa62mR!$V1JMP4vt?qh}tt z+F-;IRmixG&B-K~mMdwbdv~IdcG_!pdpXT+ziy{6`+T*Ax0luM_IDPlczZ_0+wUy_ z{C*DjgOz~a&jNq25cYio`#~>Z!55kZ8|x%!2CSeD>C(VjqvTqtp0MIm;e<2^uk)kX zTyGe^!W@*l!T}r*Es;8jJeLO8rMFr`DZSAu`N~4l`3halhDu=BXnt3Ou$V+X=CYq| zxjq&?4#-PLBhq{1lPBnV>XS$irRv3VPRA38{+G|<`G2DQ-Ti%gpwsD?cCJx;9Ake% zY!BPWh%~hC?V>H!ple=rd;i%1s^dA#iPlr7&>{XNH_8a9kYXir6S-!(@H+o89q5BX z*jnPbm7b;*!mV5}>PQO+rV(r;Z!jmFBxoT+APW_Bq8dyHX@t7R7wGh&i@rI&IK9~J z{B(Nx&$mBbqMwe>&yU|+p1!_7Z_m-m+c&RHFHhgTxj=8fMaOUcg}ys|^J*Ir3QlSA zF@~%(#u1%@YtZXl5Rw@@$-~pZ#y$#hG@juxL1T7JIK+jzu`W0YI#B=G1V5Z7c176${xFON_C*ySsb%{5kx0cXv1c-@V<#um807{NUil!HeDJ z`}=>|-QPVteDNo=y8(O)&rC?n|FpaESb5~WkjJ?<;i!XC0eZ$6J!&zG4+$f{9)$I+v_0hu}C7V zl*H3J2?&(o+$uSp37e9mGTpJEZ=gec1-I?Mb&?0{CJGr2#7@Y@OeELdO)ceTAjW!-eST#eI&^=4zVPiJ{rv;h>7U*EvB91u3QeEt6l0S*(ng3@vs3_ z9sQXZ+bF!MyTxCoZIpm_(eB83OpcJzKRVah*}iYKeSFsRG?f2NdR_Z57RdkIy~D$t z{NLN#-+z?)=-&Q(lXX~T*crZ`H^>24EvGW0sbg?@kJQ+8V1`F2z;q$%y-1C?_LbWNv65ci?1NVV_3oGP;T6LN%}?R@^+>8NI%b0TM4*^A0pgS@z7%?op<0%GUW zC!0uxx|(}Dhh=nGpc4 z|M_zVp!xKvZ&D~0ji5e>Axnaj;1xuFUicFd%t9KCPsb5UetxZwZET!@{)j|AoR~sQ z1uXr^Yi%W3ZCO8kbVcSz=+h_UU6DEZ{JE1><6x#JsnVyNpKaWxTew4E#UZA{GXbWV zp42#M2y}~nn=wi9Z`J1{3hd7}gpMcj2<>(3i+*t)CzuB-&7gv_9kr~vJr*WbqM1Dga#3Gt84d(E+nbh!{ z4oN6TwpYzBZF<#TWO_C9uAx0hz?cP={yXa5k)-YC1F8{biFO;^4@8MJpV?04beGW^i|_|azLu_Ey-zyyoQQBbc-Sy1q$80-Rv?o3>`6vw#YP= zbBAcXd{Y#28p#pr;yCuQIgH6iN9fO@>r%cjoFm`!a^|ZmGT%mD>9EhEmnD;uhv+LU z;6T`!?@Gl{VPMH(7P9gDJ0&TzxJ;N(wghRp1+8x(Wj3VySxD)Qb$1J?{odFwUoh)i zE`N2osPS4^eWjGFlOyg&5$2+^w`nGsyMK0Rm@7of) zpQpY3@8dYBzSPVEP;dY5?d`vKp0od-?>~RE|L^2k!v1&ejdGIBZLzH?k&$5=B^Ay2 zQMy&qQL-D4LpH==W{u}xx_!6}Yg+Z4W*}CazwI{bow#s*mwxTpUhDvsJ-f2SjIy2) z8rdeMfFNfvrx2Z)9Ng(r5G)9&;4?U=8_t3;kzTVo(*;evw7<;E2{OGV{De(o%n9oL z*Pge(*Wc|H^@nOc@OnvypaY<;9&+b;Z%8EG>t@MX)wa7fS^+sT#>|;gt_JaDRLWM9 zZA`4MSEf~3->VtD44^a`dslx2nR9+FlK znplPYei*iV;J>XraG5w=ixhsO+FkEm=ieNkq=DlNR}~*(zlFS6eZSWO&g6t~Q-!n@ z3F|&zA1P1HUo|D5&x029Tb=cAOjEXRMY@VF*GIMEvs06R-;j1VruKv8B-~vG2{{=j z+2L)8SpMz$$oNmi+ANYdL}x5O$1}-b6TXH5oQ+J0|l-n=R%0Nz| z@y_)=G+990!Ut7kUHEbH=@3Zr8L?HxAqhYiGDzz(9C!zR@jA!o2G4alIpSYcw7$VQ z+%ri~4bUu-G)x*Ccn99D4sOp{)T$dpL=Y8`4-g8IzCTEViX}5F4RSpJ3*yU_hTgC#8s?XIpel;eADPgsg2#BlKSf-hoLt zGNs?UaR2oP`?|O=WW#oKc{;E2?Aaw$n&76C3RHK4%nK}W$i`0vn$n0)XHnT~JbTtq zsW!C%9auB#!J$m|)7JI--TvQx={l~FNpce31_qML`$B08A+YU zta~n6DbQ9r4~ z>yCGZp{A2*RIMN`B58WWm?sq+=KsoQ1c(1cD!2!zI0{O>w;H2oZvFO7#g8Ui(mj9p z3ScxeJ$i|{KSwru{sO%|KYx3!@6>_yXfF7%H*s*FLb`r)i`+@5^t#o9zBH<2=Ev^O z#fzcS%Pq(?iOl6noVW!`w-F12Ol4SeEr+>F01JHqfcf>xHU*=ShluU$b8yE}rP8DZ#qEnHjMJihs_1WMVKf&58_pi$<7+ zkH_j?^3z`b)0YdaQU7~>xcefn|Lq<=f7Ji(;%TA(IbIiC4%`&!Hvvrr^}{d<{HKey zkk&Tf&vV9P8hdB;A2}hqHR|fqd#h4Z?Z(*=5CpV&Yy+)UpI$YetsNiGGi}v6dIO& z1vj;!Q(&`%P8XnK>#LK|R$BVy2nsA@xs8)3ApC3=hWaaEok6{tMG&XWb4wvnw<}k} z-gfo7{a(6OvXL)M7ET5#M|E|6SBwncDVpZ_(`6Hr?%=YaOQU`gFIgDjCBkv6<}LH9 zSIWHEzdD(r&8>I+B2e)i0YXP;%Z+h$y6M4upkj!OX&Y5w4=EJut@)Z{&m6syZ`lL z{{NjkZQ_6b0e%Zfpx&qAT@tCy0~|OsEgBY*^sZDVK=}CVG%4uix_*nhiD57^O0w=v z4SVAWHE+#d=G__NGJR+M%KInJ9B-u4XX1$TU>}4VS)5zlOiPQq`?VS;`FiIxk{*Je zpyt>X<0zUU^aL=lVG>&0S~ewLOHiYdhKaSyb%+Elf^g{Wz!ZM=uwggqOvjl^%#Qj<(2ena<0i zm3qZi)uBat0B7d4z;;<7eXk}m^B!h4e|&D0FW1adOYKykuAa(nVGPx@ z(4YI#4bW1gvK`V$W_#8ZjSXXUhmc)jISGpaqM)S_yF#dlquS(vwr1~8S#6Q^6UjA#Q zX(9d>pZ^}@&wuy7evJRSo2P~RfBi9ro9%KJc>tqSI}BVI(@&e2RA~4Xq={8ORm->6 zgmW4YbgT5R$VZ0<@J~9un2kpCBkJ~xI=u$c+)1NL1_PK1=H$*JQ=Q&i3g@SHGc7{E zY$(NZ%l@C0?(8C>|7{%+xArPJ)cs2rbw6~MM+zr|8_mLSj((frkdCM_OyU@j^*TQh z-8;0GY77OrNJ7xzrUqvxPpw96wm`jddoLmtXv>i5)td{|7Cd1w@q1q9bd)Wwp9I-E zw5O?q3+N7E^a^+bZ9UCZ!-64c`NY0Vc%`39K`bR=b4`b7q=60nsUK(^)8KKW*e(t72~b7((=^Eug=6Q-*#@1#I%RQo>fZ$dEQe zLk)KeX;Zb;K_ZulNp=Hn|0JCk@?3a~oJVS9{A1(Ko{hb4z%RqC&}aw>HkEPqVWe zT2NpX3;oQQb+Ut&5Gd32%lz(Q6rJLCEp5fVNr=vKeY(3t#8ctiIXzj^-$$;7WnuQp zx9y_pSJ~7BG^Kz=zg!W>OPwn+ZzOb}%;gF)N0-UGA`o`meH1KrAy}@+ygVK7jpJ`p zjjX(YPZuw5n9GDmRR>2eb%FQHvMpIP+0wOzb(8%f8+=&oQH}Tmj$<1P@5DzcSY9F; z1>|GhS6?MSSBE$*Tx_8 zS0>rjn#|cXh`J_QF?g3PTbs|H-7Cqd-S75LHzd(mPP%As7v_+uIfNL3tOcL>cWv;P zS^5QzMg0uRKGie%G^r|tZs6)vh|9J#rUJoD*@0KL7IHn8ECzjjg-a;ZhkV-q(w+T1 z+gn~J*(^UB{aqrIwh{5hM@j_~zl8~fyB_+9h9Qcne}zVr3z^=GZ2|(#`V4eu8dNo*3|vEj`CaU2C~nh;KRqo)(~(Kn2R1V`Dfewq--*py6}jY!O=Ll!32 z9xv!R^yIl1}JP8<--kUJ|d4buDTv}$90PhvJSzVk)-$*5mQQ0}OCV?2N~R8!_e zUj%9{nKK#EFi>_iE9Tu(n}c4!$u3mjQZ1miPDcoru&^2n?ru%5wS;Zl@}8ycQ(?YL zxxqU05?J-Q0+uDiq_tas*|T?vE0mHXVD$8g%xi~{wm6FBY?w1D^80YQB(1+tlad6z z4nq4LI!p4}EvnZP=NCyzJS8yG$6yBJ~@5uaH&ZbJLyVviCF7k4s-`T)YW2I`?ceXBm<-pKF4gH;? zUc)wBibL(_dU{@AiNV$~cgJ_H)%I;Q^{+}DvD%4f=C|hss*BXbaXWTZI1>xzzIHG9 z$+Cl0#tN-7_5VMWRFby3R!P}~%T&$&x%+4Fa~B1S=sH(M%q5$;e*bgSwP@PW>r(Db zByh#NI;l@7mKANCw9Q*IJbX?f-^JX;+sO*dr82_<$yTW z%DT$HRKrrbuCuvSp3%s1lYb$3g2`6MZU{$PYOgpB;|WH4y`KK_&1_0I_0e7rZO!7i z*y`5QQu)xWTEEa<_>>l8an%Q8Og^6L!}{Ye{GLkiQFVX*`6q`KkOFITQo8iYg-!u+MW{EkX#u>NF3SV@Gp1wgGHh88^-K`qXc};f ze>RIoEyiuclsbMx1;j}UM5U<}rBxccQyMd&fn}*TkGA%t8RwlzC^TYgI@dDr3$^`R zq$+y3Z=0{Jt+PnMv$NlKDs^c^rtAEeAu1&DaO&nh%hIq+NhtICW<LmUqurcp<6DJ5%;#}TP})4Yr;xR7(MmYF!I`=X!`^CCU`4b&ezN7G&dlz7K#FzCS)gF?9oGpH3UTu-z z;2=2Dq?bEdvYW5lMkhW0-2J)hRzz`aibdaQBc>d(N^BlCf`|9Cm;Y&9mZm$v0{Opt zxchZp{vRGZ*8jVcrYCM1$|(X9M4z|sSBhoDd~fy7Ama*~iR7(KOJjPu$Cep0?dXwB1JvYC?H+}nK zL%C2fu;Ve}HtMe&W*G01y^gNmVQy~|CLd$QrMVqickuc1%dfVsW<%o35Qt-)22R-i zr%&Yx2KsI4nKe~djGc}84E-utq=e(k?k8{vd8&mj`tkYm=PtTMLoCSQbJT}&lz9is zH!~Urh(y=u8gqSwt^>@l&bwJSb2%#LX|q!?o%a*R;NrQ+b>(=Q;0**p#vuidg;4*1 zn(#{BH3&Ojz!AX-7UbK)r*P8H&sVX_kKt|-mA$2f>#AC8A$?fkpjl5M*(~)8E}XgA!`mcWO8?brO%*y$Jx&T6bCm7Opx4bh8_T`5u-nMD!(ZW^ z_T158(#*_eGEyOC&*`UMa!4ENv>Q&YDbblYB$AXH_c$A&r+*etjgJx02-yqMzp6it z&ACmttiLq{Cd(nti_nAS7g4Ir=2w&1WsE?m?ro}1UY-p!&z4@2{Od>+EnUjM(rJfhLKg$c0G z|GQi8|2{u>y#N1Bo)-H5PkQ1J9G=H3>6?EXq4N}b6c9;#NdmN`RC4FyfX|6Kxa>uX92SNt`JlT7(3>9EQ9jna6w z+?d&rR!}P#*NVee`P@IKK%LJbg)`QkeQ5}yi_&JZ1q)HVBJaFv6A@iNw=x{Mgn7G* z089N~#dqbg&FKNmVi^E6PU6CSnYQ1O@M$+5xilQPrUJ|CBMm9$b0ECf5_VDnNC9gfMT0i=EEwUy7awf^p0Btl)6jXPS` z#G93yqS9{et#m7&^yZUc`)M!>uB)(mMl51Aw9oh)mE@~P^CBC%l3^Q)|EIx&o9AML+8 zd6u#Neo(Xi>YKG&f0mmbjO}L;t+f0g8)h}D&yKMfo3DhVtt>wKz3C3mi&r+pXoM~8X8XF$zt0`Wyb)119iwywj zGRiW^_yvY5vyiiak?viH85nxS0QYq}AuOefL|&^KA|G$>qOUIybEQw$Sqt47B2+A@ zYVIp(-+&3zuQouYGMMTq_D6B#G}!^y=F3^5GSCF>C7e07+mim4apW}YX3cIKi$sfg zU($tB)ys+w9NX;!ci*_;w9OjJD0Lfj-fVEWWl&gUow++wn}t>J-I^V9YW=pD*;LK` zB4;%Pf5D8pQnGBu+~4ol4Y#8IheczyqW@=a_xVA-{`ZR)FCOzh?&Mj@|D$I8)i?i( zlktD9-w9+`>ftznTx_d7K^p88eL?O}8*&I0$=l8$WWHaELnzx| z_{&rlzJIqLAi2@VFBoA%ZoWJ*+d28*>$SM}+@6+<_{spYbi9|_%VV_HW3*S%!iN?8 z2XJcLcdS=Nay}@p(mh9dX$E|Z^SU2j)51M(eV(RuZTyR2UdFKFDl(N-kezAGAU0bp?)>LAq2u0StVkqQHWGgOoXEB|iBuB$?>T^JR8j$3EI-&qmJEFNP$iP{*=M|Z4CWvQmILg%Iz9REJ8};qG zx_zzU!blH6WpM@hkR;IRTexXtptf6BPKZ}-D)ks-)#;oOQ*ozKX)9+Ohdni?1mt6b zuQJy)m+{`c`I;8*pzS;ni~DmnI!&m`tG-(>Xnv5z0kh?nvMpr3m7h}wmU16bFN;o% zJzY6Q+m6@ls&Y_l$uY}0t!g@2(R1Za*28vRS!YK8-MogwQr4;o{%5$TaO z{V_QZT`WOBS1vBi8oovD8jA}mWA;v`vX6=_qe|8;>_X)uZa|W_%Ib2WB&+Uz!CYL5 z&-$dBOX!x8F5l~duGTE?+|lCYMP8|G`vtR0B~A-irh+Bn+%k9hp|0Ki_>Wif|8f%0 z#TP*=i2pl0*xk*?|Ls5C|9Ce~XBh|ZxtjLPr2lG;dN96U0H@mR3$Iu6`05chEw#cg%?BHTt{%_1m^VLBzQ--sBqC`I&(hpuJt!veHT)-4_hh? zlh4ss8vF)VBIWStmIYDt7JgOyfc#d9nsp6Ux!WuC>Lzhud1rBX6j(7xFrdP9KDHuN z;zC?ZB)4f}@?@a=QIO-AoV1@$!@`SUoC$K)3d{%L&3A4tOewTVBw>cy)gIIYcLl#4 z+UR{*mz@)TmgBaX*g3alwQoBsf-47Z9Vh3G{^dKa7rCLdfUVoB%QuB~&ZqJ|R@t4IUY@ac|v;M}NvwG5>Oo)Fal2aIb!HN3lG6?-pOjQ4Fned*6?_P@K=ReJ#z*#FND5Ayc^;q&KT zKidCy@hoHh8*^B-0YiUCinhMi-Jv}!>=PD^c6XI<*~+VY$)&&WQ@6_2Pl6eYiqzlT zHEMFjXnX4&Z7&(EiON@{>FH~aOKDSvLh%aZ+%%xr+3YQr}@1saoxa4bo%(>%@6+ycL7eBI38W`GH>#N|U& z$2~OA>(i}D-x%#B-m#3qw3vGYjm8CYA?0B&ndnNp$lQ@%a=mmj^)}%$d*yuXYF~^~ zB`)3k6$J~I)_`&k`;zASRf;>&7#b% zoxIO-*^AoK6<3v9sa0x=nB$}Bc3r=d*G-L|o=w7Zekq=IUl-1~zq-ar#;95jW-H4y z854OjjBW+KmD_KS`=%^1M~sv9V=U1BcVF!1@BiJ~ z{d(_F|G$gp2|B}4Nh+auThFlCb|N&K(J)X_JjVVN9uwhpo}kMK6-dnDm~knPn2<1p zm=`p~(x1?1yp1>sv82~#+f0AQQP6pUA~M!d(p%a!VWLsdfAl=`HVWs6MewBp3B`n? zkVeGoc&{!#T&PX1^8}p$OQLrt7bu`ybi6T@JMjM+{Ej#LH{XH(w?9nAJL>=JpW-^& zNjn;1|7sS4?ISwRJaH3uo_Rxj)p_R0Y211Ce>+dmJIpDY33U4Ewdi;;XTK6(c03vo zyrbK3_G`zx7CsBe&KKmBXt@5*Umw5v;k7pnmKmdd{U7drz4vu){qOGYKi2=bljjNg zhRO&}sa*}<(;-({%ZZx*PUjfC|0fBj*`I&enn)Roqn#bKEqG$G6EI)wNETCH?1Z}M z2g5;6RGS|7zsH=-VkJ^ESD}!NsgH(4-Vh~l3?TYDuhV(*1YLgrpRdk4oxxzBH0w@4 zViE-;@+mReyV_fiOn#b48=z2q_Dmj(@;$XG$bi+Oq;#16*P9ARk9c1p@a!BsyG^ki{q>H)cN2Oexly8w&H^vzr8(;s}ok_d1<# zGSitE03`nV?`A`S<5;A$6z1_d)ZCBl~e(G ztDsUl9}P$(>4*}J+~*d(BEshsEGyLbxkax(#>7_^)@c;a*I(lT=0qJbNd{O#MfUE`Y&)>YU2 z=J>p;{{Mfvy#cBPWrBH-0Y&|A*Pz5KutX_PC1!zzWJmowlC%u61Qef5V-}G}CIF>= zl|hzODnZdiDNto|pumDU!7(1vu;G#_Su9JfvF1?;W=F;{lKBaZEf?3UhR{E#XcX;XIS2-y>QX9PqA*zJPIo~QW48|bY78OA`B zaQd7@zp|m1?%IPgIB^_v7IO+-(4;BsO16h3=Dh`+>E4$IwJDrV4;zG2NG!={77CIF zv?-i!51WINMv&LC!o1ra+7YuYoP3D=5+GZ^dH&7u3F1Vs8TUyWa9ggUpd8G`aGspM zT7sBu;fz^G{dpOvP2p5K8S!VF%DL%m6L3aE-Y|Z3Rs^>xoTi6%Ft&yh$Mk~mYwD9_ z<2jU!g$LfjU)s^K8ctB5UUSZPE9Gh9TGP6o*0xZyUR&sI8&}-c^=t-EcPS9y zGjA4;ISxpgt)NfvlhbER2n7LUI-7Jj?f@I zGt?|Tu&Sg!i=$>VIpORE;RpeM;C+DKg=Dc_h8kjo!Ibw>TO~h0KI+51aAH1^pZ0nv zYucFAcsj-7#iq<%`39DL7Oj!Haw#nRxSUI2PV|3DHA%Iv5Y0NHSr{T{2_C@W3>e;l zCg+UFZesMwviwNy+5^|{j&80+Hl5XF9|vplFy)YpodBjh-YD_ za}va$6oFUFzam`oAUY>wDkPsHlg97{Pl-TV0f{;Bu_VEf+MrN&2u`Aa@UwIvL?a;y z4thD%lf_br{oZ!>|Ks3g>$!}*20?vk*ca1PsL%z45S+S_bj+mrA$sTuT512>U z&M;)-o&DXtzwPXPy|ee%9URlX^R?*HsK3|WJKS-^`aF{OV{)wE6M@QzYVC_NEGL)q zm<${Q&p3^wu$d&rz=%yl8wQpf`IBG`YpKNKc;HVRQO!i3gjfi*vk$6>N^=d@O5EQG zQGLSY5Bdc0ocuN;LZ*6EfvAZcpuXyxgGYp;h)I*`qt?mg_ZLXeab()j5%po4hLbrW z?XjI*ukPo`@^^l$P|K`mF>P2P!tR8qpbLDDha}vTwNN$m5=R>A-L)1SR)jzmn|Kvu zJyy1wBOznG4VY?LgGutvtKEjVj!;l zY@0!yLkBd~X6oU(IAi%^u61$7BA(Du7g}(az^=%w#6#o+FDH4CYPJSe9Hvxh4=hPDcoboZw)N zeAqbx&$Z(-iDi9LbuvpK)HP9)!Mkkul_jzrd#_vkZNJ+?-H=3MIq9OkUDOqlvuK)4TeC3f?U(#duVaYfill8@5-p{7HzR1n{+4VBatf$2DLo8hPyz8Gg(}uvc zl5%UT)HESU$0@#(&Zko*0v^f>j5iPE+5J` zOp5A70pXez)xSiNA`Qu`N*H1qrKdlcbKzM9E9#WM>@JYx`6l_rNKDu)43Gvv7wWOY zY$ry=h?C!DvHbb+2pUXv6Qo0U6|69lTx|WSUXsMZa$E2S! zAYsCCsXP`m#hAE5Y!ZHASrxf$YtMt|ETbEq0v9}Vt$jAGI@Ra2>^GT1SNb~k?5g## z&i%hbi2u`vtNp-x`(uCZkoxfSp2Jg*{{wyeg{1|O!+(5U0c7TT8ePLLTL~O0;`f1~ z8QI;eXP9AYBzuC1)28+%^rp$SHu)-e$?v2fd_x0OaP)Q6dmKD5+- zo_8JG3i7!LE&6NX9F4BipKEe6I2a5Ru!NM9o2KEillH8 z$XuD>S!qm7?7XH2ui%)n5ke9Kw+Kt6D2xCKNx@QKPfhLx(1__ftw(M8YamI<>P~r0 z{b42Lhtl4)`a@KxC)S>(;Rn*)bp=;PYwOM{x%(grysA5|Mf&@1=yC|YdM-%<^Q zJI+0?V#dAncU5l&|NLoH=Akb?&YW98Z!wXQ@FXV<-L0#)*RGcbS~suiucGsbby(5y zSbA*R^8}xY`}-`qmp88-VCKPXO0>j2_10&oc-+kouVT(f&KaM!-@~kM=W?%Wk=BcZ z6%Ot9I@kMFy|7Y=a*?KtPfy5H@BCI+K*pj_7FNf$07a&_$XEG1qxJK9f^HXv8I2i9 zfuRItJfm|Wy-YIQRSjR1+nkpD06>))-Pav5J`DhpT3!1t5ymz5;7Lth5|fY$%mE4j z=p~tFDcy$ze-$wi1RfGo%TUKvOElyO)Q?2T&^B@puqDhz zQkSm0k?zJo$CM;zIaBlq6(HH)t%D8O-*k-;{`ngVf{dtHTfZMHUi7$DWYXxVf||R{ zoSo?yrFR?ZFmmmJC)gzcbO9xRM0fF}$s4w^*=7`2ZMFzf*TSWb=j?*VTr8l^?7XzS zpVRU^$uh=q*=Y1-|6V}>nm(-;a864b=X*^sw*Hdwn}{&6vzDpI@P6Wax- zyh`236>0i|mX#>AERkVNSfN*{Gn4V!bUOjg9K#Dm9#pYD% z4i<#tq@3zsn=><7-1bkLF?4u-?CqvJP0?POlKhu{6c_dSg$v2@v_`OPij@*{04$nl$^Ja4S< z_sn9D`=4`K-a6vBhjG5@fbIdhDv|f?8_F-}`T+PS)}e8%JvEWjq^gg9Vc6J`O*vL-*4&_ExtT)nHV(#9BM^HC|iC&Q=B9HaXDP;BDW41ek zprO|+M9QGlEM+96xsnaFSzJ|{uL0Wsg?VY~2O#MBlB!;II=v-nzU*|+<~Np_u88Ws zJis$I)j#VlmXO|WMyn61c}FiZkt^`JdHL-5c`>H3O7X|8`a@XfrMSeN+8Q7f@I?x) z$$Q!P8tFAJ^6csT$eNJ9w!5}1D-UE$s`B{g)Z()%*B*)sx`kLW#g*VAx3+!&f3IYYeP+FZnLrx;i-mp!b!p^ zGcv|CuvZP%b9P8gOKnY%o|g)N`6I><97?sFH$Cjngx~TF1rxn+5nck5vY>MHA&rl2 zXOXp28BoQ|e};vmVN4{In|7Ai zulUp`&+(uHTwUxE{!d?k@biTymwV7ku#FY?VL)HUeHhzw~PPX3o{{A zSQBFOyzTY33MbbzN0<-Of`*z0951}s4VAF}+}p<8>>Z0K*C)x>A}dWn*?+_$D}U9y z*RGo_L15b@Q1HZ-Lp{hyJfp6M9ymjoYBRcG_pK-EEW+#DkG6kw^P$f zZoeD6etS548}90D`;@0t%6fwwmu7E_4H!FFfL=YOIW?;~Qh*&Mg?C>UCB7&mxzdyiMKEQXZuX+fqG zrs9H{M}myzb0*CONq7>ZY|b1$#T9m<|D(bqKR-V|KR-|Y`CkA40RR7852f+|It>5- C4x>r{ literal 0 HcmV?d00001 diff --git a/assets/cockroach-labs/cockroachdb-9.1.1.tgz b/assets/cockroach-labs/cockroachdb-9.1.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..ac91560ead5d77d483af38a4a84cfffe9e4a80bc GIT binary patch literal 30392 zcmV)eK&HPRiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POvJUmQ2GD30&n^D63&y~id$dSC$C+1W$xB|s8RY|H{q?*4Le zgQiu^GZ z>dnYB{>y_t+uPgQFZcHF-|g+~>c9Q|ZvQX+z1`gxyDzr)c6R=<-QV5Y-Tn(~KP(!} zPbL)+f7!lwTh-3}Ngk3UToJ{1A_pCSkSG%KaW5oF#k9xxR!D_nBSxbEq(rEMipF9Q zlW9z5K|-c<0EdpMj=pXzeVq+ya6^S;JQ={VulD=BFN5u8jb#OmDUsAd_UN@kQuc#` zantXRG|hkR?DYD*e!mk@848vveCc5YOacKJl9&u*x(PB9H|)m#tprcT@hk{=BAHY) zQE>5(*ANj!hD6d{XTmiq6Qxo)*xI_iz3t^_#bhXZA)j_wsGD?U1i9^vnVMw7Oi~f@ zL_^i(w)_Q{|GhOOQcLV+8CPIpET@MWQ?I?Hh>HM1>`pzFs*z0Gh$Dhj^5@%FCya1Tb z|6laC_g+-_|I1ge*8Kl5o+t1vO{gG>MlfQU{T;o9)3=v!d~|Zzg9~H?0~ls3jR7E<&)%>h*SF^B~spU5e*=m zkYr4!wA1N4frBVwS}>3pVlt$$1jT`*X*|O};uyZqhEya}Q3--to~Y5n(HhP`O_&5^ zw!Mx4VG(_z;qROIz=^60R0H(8mq$#3s7-yQ#Ka&vA5y@f&N2eDMan0L%ohR^5 zo`Ib3ERKNRP;o1mqQDfe5zKh@Oi;)qOU6JTVxtiiT2%3bZg!pkR}(63nWQDLm+**6 zh?opDycyi`&>(Y!tq;Kd?8Q7Jai`M>c`_Pc-wqPsBBFvu5HqQOk7{iI zQA)63ru%N{~83W zH1cu)KmBY8C;8t*?Uta-9BK;Tp z`f9@tGo)06G*KEHA3-{qNfweArgX~13__9si6w`j9VxBZIgq`b7X}XEKY*PVe>MHQ zph~MtdU5HcaYF?gY3irIaD}RwZj0n3V+LnJ0oephGpS%oR5*blRkxHTxVj827FgUc z0#};KdcSg(TsbIuiIGGjoJkr1k)ZoftX;&0g{Z^A?Sv*knI31v4{4DL1ZAxAEGn5+a1PL3?199W_RkFt;!Lt(~@C7Pk= zUJFX1S>U&lW0evnkfR_to|^tJHL-&dF{$;_z*azgIPg0^fEkrIY<`gebi0;XX&mFA zNGfjh_;6t3gbQjL@M~Sclu4X2xAbr#n1m@Mi9#yRBsJr$an(#H0s5Xv{M&UOd#)uc zzExaTDh(fwkKYTN9t4Zb8mmocseD0S?ycpKL#p|-ZjDC3laTu3SMDB3B80Ni*h0vs zLzd8J6Nv*`$SE1YAw?l2Wod+BLh+n(AfdOVj%=2?W~n^yfsrF)!d4}Ng!_xfQqqJ- zNI1~Zh=wRYnns05B=>wxYA{PQI3ls6oqSeE6bUM&V}?9QXlN*;K^B>nQ6(IM{|SmY zBjtD_!9_b_uvG1USxPoH|FE6CVM-YW`Gs94a3RlH*Y&u^?1*w*)*5cS_KKU1sL=Wgk}Q26Qq3(U)QRe07LBR0vRM7OL4ywL^dYPBI@~d)MNAaCp^gtA z+7_>}iUz1^uy9ht%8KtaCLxV_*hSqg$drUygV8WFm!(<)hdfJ+jJPEt(u&Q@g294D zMa~Md z+g_(}Ci5bOm5%BYg0_T5$oUd!9K(F_>O-g{0!sqB5O_l2IqT6LT&Y<~_osAvwSl5D zDfFd+Zn}E1yJop*P+Hr)rl~3*HmJ%*QDwD7P$g$%`}u;$!U>5Ho)5c`<_56+?bl^y zLgJX;q7ul%Yv7}iq(-;$^n#uqBR)i>tz6RdJRfi-A!bviHm!oES56#5D2SYBlAf}J zP4yIO;4!IdZS+bC4W;QqoYE4W& zf)QbHCNz(daI3XYVyI~(=x-TKLM)UeAr*?SM9mDx%&~GRk<~;`xkAkesW!(3jf|ne zLu#dx`&NeKA7$;rnz0&N;}`%vcx{#P7Np{7YSEKS8*(I}Jd^PZwZcLJ&DW(C^@wFb z9cBgx@M3#=D$7KXn`%o57%Np!qJ%M{iISTL&KSgc&Qd{BG(?@m(P)+g1VRz~RzhTW zgf2O=JEmJ*o^0(M7WY0t`d=i^lOP`WJ>Q18y?wl0Y zbQTz5(YBTqyk>{M5RRqYl#c~TCpq7;{)ir27N5#a2V~@8wuu9&yF-nb=K=%?uXQ7A zoS1Ev9vnH=lqo(XO7}OOfuL!uHELrsOf@k$W*aeduA{eukAP}LR58sOw0to{tZ`*H zE7BOsTG&%P$1JfOn@~svM@0IP}n6iCx;yrfjD(DY4^{npqcUs|u#K8$kKuH;neHH8& zFncv9X-pET_9+o+vY85g!;+BhPf5ZQACk?G$9&%yK}5_pQ+`Xu{%*&I;B5Z$ENQfp zkh$qUBNA)*I^~hoBODoOoy?kkhSfdyzl=zzxPX1=TV3v0>(9A>ur{aGF)XL&TGHw7 z#&fKxb4acKAu{t3G?}EOFAGi4a&dGc={NZH$Ak0Jlhbbp^H9Z=WlT*PY3t1B02h}B zr$+~`-<}?KoE3sk)5zuv=|T}jM_GJ9t=@L}_7c8%d;SIv;PCaki_7ElUK!jGDp1Bg zEilu}Jw?BgnG?irs`)%*39dJ7BZo01BA%52W=TW^&NAF;UT1yA5ogJ`()K%yy7`NtpYn%D}Fq?YpF^XURqmpnqj_n_PJDga%q?D0S+2&S&yR zWJ#hY?0DxG6qVWr8WpP4lFlmAQ_dtY&sH55GwC>;YWi?YO$r(ttOO6PtNEfP9_ z00yx0a_7aX<=}sJd3gq?KuMz+Y1=I$iXT^B&rG*r@{`OKWA5j_pfyddD_FTctsHlK7T|)=e zeGRRQJ3VAL1I@Y<{j%8YKnoesz?}oTu`xq{W+S50@z#^wXtPU7bA97!yimH4@oZ3Z z9?p5J8QnW9fHW4pAqg2%z0%yS+Zhogj;S_cjLX45n3DJJl3ev1K;JrAtS;p_;8ER5 zq9A4o1tP|oS;v|y-I4^UHYHM8tJ-;8EjbwH@Rb9CyDwr~-h2syg^a(99DT0@0h-(} z!4r)Q+z`Pu1es%lp6QU=5Q>hbu$xk=Hj?G-;rHin4-UWk<@og5lhfm0-W>ejUoQT6 zdicxHyYqv~leecG=bA#vHh}KV-lSW`=YocUYQ>pM3$p@sn^XM;T?5u6@;g74p&=Lg~^$2w%GC z<)hJJO6DF-yB%t%xV9G>@@dKwny7NvNwsk=IH`gG#fEZcg@+ANkQdYhA3j>RqY+EA z>MOF?x~63~p;3mqKpQx%eV(G`+423W8=ZV{DCzY{5sYJE8H%Y5GGo1OM4ndN(j zd_0b+)q|wnE6~WheR@*w+@>@6EOSRPy`Auwf~1CNHjIeY8!3sbK{oB#!Aum(2h?&H zG?sYEV?LgJPiLM+*0UuJy?s*j1f%zagn~=yMF^lJwFw9Rf4K?9N|8WSXrOp444^#n z6E2lzVGbXZS&h9KxN*Fae59^6;c7xebfpK!$X8>AKS!o!!C4+Jo8WEqJgKHZ+B!c{ zG{g18n3kFWD%f8+dvFZw%gSROfMY^CMv88ZksIpMWl zINI7y1s~EygrSJMmfj|-CWu_w^fzBE)WCS(^G z7uMl-rmJ~lr3-)SlzQDoWAJTFD2dgic#C$UE}Xy8+)OV|ZD?NDw>EO+h{j}gfgUJr zglxM&J1Q8D^7k)F19(nN2mh!6EDD$p`N*BS51-f2Nh)qwh?b>pAtzg{se~j!ox+d% zqwmdTRN>v%KgQ>0ho(Nh$M~f@hz4LR($H&%Xj7N9v-?VY?vMM z^$qmLUODhRUGB>6-!Wyjk%lyfrW-)N+m-7?&jzO?aAC%zXA8Rm^D#yQO`PP3RE*=u zF|5NAE3DVLgG zx;W93GqY!bLss5B(833XB*q{Z&$Z;X1$O2lZ>G^HWgJ|(yrUcAnzWu? zkBC?TQ!W*ROoZ9gdiibqmf49N{CQ`x>WpN`SdS}C*DW1F#(Ew5ZqR9P7M6mutI!S0 zF89d->!H>)_qJe2g$kzVMibb5>yu(qW>gFyrb^Nz6th%W_o~($oTp<2xBj9%qUo{Qysp5Q_c(I^Mlvx5JCyw3rmlIDFhj z4*DMQx?a6urs^H;*-6HpnxVBVl%h*}mekKsU2@jl$q26M^-XmGXO*T7W5T96w(iV@ zi#W?Y94(`<=^cNl&kqW`N_&-E2D3nN@4hw?zGaQxLTfDmz4{dN_f4+E1Y^j zQK>d9IJ=MOJYIQ=R21_v;gTlse4OrRB0c!=V$<#_iwJmP0e$=Z@uvO;{{e4Pnp`Ln zUR#fjkBB3cWn@%A5{-l-OOmV5=$G^@F9W+KqdHIg^Fsf{hjs#sV1H>&eV_xU$NU8tPwZ!N=5KS--u;3k?M0t6#}guNzvyM{im);myN?Mwk53uKwIR zU?JYY!`}kwllb(B?+ahibNH$8TG8SIjcs;F=C(m#{Ua=%|ZY-Hispqq@n|8$tH|{SNqIt^2 z)WlEBiX(e5B`y+O=JSpoH_e|jWu&Y*%V##`JO<*rmuU;|+~NWM$hacX#u?(CHoDWa zxgw3rAGaQC=%lUW9A8={7}uFW(|Hk;=Hf7+g0?x_T3lz{{`Rz6^PP43J72zG-Fd#c z`4!PiT!^>(9e0pQ*UPnZNtI&BSYiNzIrd<_T-XoAVFNe0T#QM={>Pqm=|200^FuCD z2;emjNeq`1Pm4V3<~6AajAWAbViwXwYLWizy?$(|Ow!5;Lv$c`o+f)_HGi{GXHj+p zx)Bp-krF|sRGCmY1J7=44dAEOZ@)b`HHbLBz&zCMfJpAySd0u!LLRYXy#Fjyqu|SD zKNn?glk%A9|9?%w>nwHb)1H;o;*&+x$}Qxt3BScfgNnz;R9?0XijYz}0g>4cY%PVOlksZIo)Q zJn(K@f)N*i!OqNq`8%-V?ln@(L=}~vy;6c|qf4(%c=mrtd`o8X+1&n(C{dZ9JvgV+ z{CJMp1T=>N;p&@ruV2I02Z!IkJA;GQKOX$^;>rU#%Hr5ewr(;aES~u-x{mr||F9#L zf2fa{KWcc8;TMr5un*4?e*5fa)C_-|P`j_J2~LZHOwf2{-IABDFTmzm2?-vVR&j&D z4$hHv5MrFE>+FR!+a%n&W;~aQE$p3Bv#O=hW6h7e1t)ItTxPx{Q-)+_%(FVs=Cpwz zR|a6+M6~CJZQOG(c4-F;ocyRNK*-bCAN*w54k*4o z=UkaOC9hbZ3%7tov!H-ul(RYn{l4Q?nK_1HkJlJ@nAs+xk&Pw4e0||&N|Tul4MINY zWirT}TFID-Qgo%=d5@*T#UGV20(rz&5#1FHJx8myIou>UQa4s0jYk)3oKWwmpRttf z30WT=PMV{hc9`|WQ-`Ysq+1tu+Re`8fe#P$DmG4Rv_N^G8n7WbYoHqI@}2NFGXAS# zQRTCRG1nnMdPj0CKsj^VrkNm#^8=$@Uo`C|rduc=Z&-pyNe;bUL@s7iPcE@X!Trvd zqc3I!<%Qi6xgjw#2b%FjvNUIJ91>I0o^I~Q)*QggoxMqpk$a8FB1*%Hy7k0pz@|fG zFnhaSZf_TWj^C$D%;1(K5x;GMHl;)x2(E-Zm_S06kr=3{&D`-lTUq)i$hBeVn1Msb zwE8209Kg%HFI#$MLwo1+4og%9>ebGi{)G)NSL&k&U|v6S#L9hb>uS!eS~{w~m%I7p ztC#cUu?}#hUgp*3^wHr|?qUC>*TqJ*6Aclv$EVD?FyLzo$zf_xbd8(BMzEDx(vO5G zJUdrxKlx2tkB>3P@vseMkud28n8NcnIQlM39^FMfc&imJJj-Wtwcvqg4-3m*(92Sw zlW&u2tOl^VE$@Km*noWygi;=v0OovWU}x&wgzqFR?Z==GKx^jZ`OxT2b3v#-nJ{Qk zk?}Tek0fw{n>pr$n%j~yuZ;3zj@DvZEE(JSCh?6I;qOa|A|Hx`kPAU&%9E%FipCHD zY~q}Hp7{I_Vgakx3xk;xonyhZl3dxQvLCNm5)EwcN;}upox2q{oBX$7ZSv2{+k9P3 z>uK5wDXpBZ_WQkUZ54n2rG)?7@AvvIjB*mwF$rgIcz)z;p4Y`2v!!l#1#4TQH+?ub zI{}-OQ994ZVL`e-^feUk#7xYXPwNs{hnucwCDkOPg=1gLk08c}3l!gggU^ zJ*7;-kjnaj28{E&VZ=hqW0QJtqUh8*S@9UVRK`NF`F8R&XE7h+@!+@Tc8l6(MFBkP z=)C^Kg)%mr!7}N`(lpl0wG>0+8MOAe7}~8~Fb&2%VwQ$89+~6687*MQ-jDxAD71y(p;LVXLyOsPp57ev33WXu=VamNvhbaS6#2JsBq!_DAbM;;@y z$|Ij|_pdzuso=lTP~pJYzdIew@0DgIRF*_jmKfR^k&wcWPFNDbiOYp{fH~*R1b;t+ z=O+he8=9?t%lSB_a2WF}(%ejqxR`dH_<1;NWSR{w!V1wbBB?%G0Nfz92(=g z1pn4NYyPlMdsnQ47OT-XvVjtAItP)nV~Lq$ae)V>QiGs8z#H8XG{0M zw_Lk0ryGuH%u)8*0x6m$N>QP)>i)l+I|&(dpNd>*gFet z^t;?!UKb7wgMw%N-=Q2XTRvwUn?NJ166Z1n2c|IjD`~<`e7l0}Su@{gmEN z@w@M%+Grr)JCRez|5yL_W9Q=^tr!2hJih%`T<>uD_VW0mr{1dvX=8!?x7Xj>so8(K z>-#?*jYS&vN(VdP<3}(j<2uEO@}tuW z8|EVT)aCQVm>nBqIp}mgd;mv(T7k}~vNy`&SXb^s4?cbj%t^(bM(Nz#4Am===zRRx zlQ&_na&^VmG$dK&A`H7_A#F^vRAWIe{_z@anV^sgu6W4fB23o0B0=$vpAytMH4{Hc zrw7caT0Pyl0F!}pl@Fwfr8`aoA3t_FUV6f!S)O7hd7H3IPB4Q%FJ&bi&fGTZ!1#Et zvmp&tj5|C5QxF7V>gD&c4#5A;*>4b_#NBUA^|+J}Z+o;Zq2@dnUY|fruu;SAa0mC}%~!YAgLTedrfEZnNo z1)k3(&kcC4m*#VGV5+&ObIWU%x3Q6r)&MS85>hzz3wsIWO(Y5KlH%Tp%lPaKggq?N zX*dxCM9@K})9=A|}7{#gZ<@a z*ssk-#mE>)CH*-so8w;kx(MOi8t{>JFH^x1HG=M6W$;(otw1)oEDhh%W82>)I`s%Z zFD-jHuAY3C{U={xMxk3k2w1Y1plY}L*)V_GpgZ^-<8rlu(*6H+q5Dhs?rX2gA6kwD z&FzQQbIPZfdad-`P}ZI#@u$U6bgi+FLVYyqe=xROq9s5s=)RI|G7SNr|mUa-B1A)l{;ZB0x5 zwVRqvS}-|D`6Gjb2wnPK(FB7$w{H4Fsz|@WOzJKFzx%XjyULPr@A^w=VomGRd)Gnt zvOUT9L+)p0SZ=`ov)}9Q+_~Q*P1{Dez4QtLQ*x0hdx$|>d)k_x&!BiR>S2|lxu;B? zByUXm$H6|(-wHdtDBi=|=f8vE7q}&{0o^H`dO(U)EqE=e22`@sJy4jN{dYirq$o(>AJl0UFdc<=0Hh_nzTdd!gD*j zy4-%ZjJ|%iF%P)zSph=-+HY;EZD1-hGPgaGUpt*zisoF!YmTkE6;RA$v zd4&p|+Y=T~?Imcxn~NR0n_Xxm`y)fiex4f(AwT5l9ij6A&RLRXP0T?T!5F5B>ei@@ zEFrSGUL^U-qPsxLY#=`2N3^0Im^#J0G*xfljL%nwQSQ#fE?`gb z^p)i)OG=do`!Hn*JeS#ULDThMky^{Ju`~=nfT7-ljb#w3MrJe&#Bu-@;ZmQZ+Aw+} zZd{CW*K;U%;w6T_t7yHoY|rlf%7^w=7M|Qtb4@XN9r3&m-ga%A(FhF%6dIUBVuBcR zcP9xaFy)DwU>>yHK15_DH(^5Exf87YD<5Ktd66YBqPJKGC=oG3egXt$l!zXj=s!!? zZ+32JegN3yeZ}v5WG}&*5Lex`daG^VnaekjP=zLLN#nH4ub;x{}Jgl7pA?+^)L z%q4}COUdk^0CPF6cebeq-|<^|L&YZEN-w?A8Z?4+U3NW1Wb2UTvC@#7<7~Ms)}C^p z=rsKfr%DT+#p{dQi_hhp4`HN}`s<17!<0vUuXgr)UDE7Q{N{=m z;r1BoL0cfX9so4m6*Ce?P_fOx3bTK%0y zWNdk_Vp?Xr9IS2ltF-_7q6uaV^Lb-6Uq^5$HkRQDW*Nqg2kJaF9& zN%G7ah}sx>sTd0Dx$0?hD?8@=I!mE@)9*spwB2orl35Dt4Jdi>YnU^WBDFG4{!R=w z)`g1qe#uqQN?|445pV0Ose{b~)>d#xVT>MaqZW4>MAF@ePD5xRxM~pEl0?Ua36fbs zz1~>5hCecP^8IPYtf&@j*Dwfu`u<^^qCP-9H^Hgyv>msqU9da$%M!r?S+f19Kt=fI~z@wOT9+w zYri!sS zv;gt48~gs6&VVK%OD9xJU25MTKP{c9$?A&;AQkL}DEd9M*ZPup%mq`E=>X0z4)B$^ zxpHTF@5@d(O7WV`E{bpX`=F>UB=Hv&;GJbWF_ImxFS!G{GQ*@j23P+=tz3TyirDiC zx~2QKI*nx=sud-qVS+1{vzTgm-gN^$nNz<;Ab8rtlD1($OIFl{T}7L-eaV_wy5hpR zEB{|C|Fu5YUT&}D|D!x>`QI%6?JY}d!T)Cx{I$J~JB$6sO^^Ev zeM!X)6-Ma)nbiPX9iOin5G8o4bv{eoJcUNrz3K0~>TUP7dwuuj!w3HmjLGz~)Ipfa z8fu2rTk=%RA`UYLK4!kUdo%eVE0a0ph))Si<~IJtvaKxw@`(n=g8ua5vQXJc|AyEFkMF7a2em@56xEm7g5`}2ASY58X%{~xj>V#&RN02cB87cX|J z`#(FccGvv>F`hq)|9@@BYApu-b;SUWsWow&7??A~9cRt>I>M?mZQTo2_!xNQBvoa5 zs~Ko(imH5eR-vcQTo$$Pf5DSq`7j6x-d=f8#K_%63@qUPyDwk7tnmN-?(T~<|9^~U z5&vI0ka(G+UM^&GV*{2>=;GfGU5?%@C(t@LJ8}2S_P!$$xW{63Xokxa24ml;>p)vB>|*hnKdz8AAtB zKSL5;^U>%vn=&YgB4haYv0KOL%)7mKA%4ZxG&NvE zj7!6!2gZy>z15N7or{wi3S+*Ie#5ckF9!R7Hc?_OUVU;c7>@aDKw z2u!}URkZnf3mWRh*}-8u=;r$xnqVEies^(seE!SP+cyU%r|kfnwgpNc%PM3;VC-Ch z(0owo;pP7V{SS91aWniLir}L7kC)rk_|M(`UVp9sJ;rnY^J4RKwTIW#metc9UQ1g? zgMLzFtudw3T4DQBD{L#KxM|j&%bG0v%{VsH^m>K< zv;;{vLS43BbAqMIaBX;9{pIo`?IB+cFzvX^)$HeSv@*!GcK`3G-G2sg zG|l?IyW;Equ^)d~tpC4w^{RUQ_vQA>wf_GoPxbt-o%m`>iKi*Ci6E;b&4;2KUaIMp zD_s~`l+#P%)ZQtxC@#-W3h{J-Ezxu_#MX(ywPsf|6)vJq@7NkzAS*R#Y?e}bJ-zWAM*n1U|i=75H?X8Q8*Qik;;T^-Cu!g(_Rk4aWuYxTBWVCS3Y{2}{oU zZ4(`PrM3Ei_b*~Uu|lp3AQ|O)0W!nNdeQH61D1uBw1@y}7`RxjGV1PmDCXA)vwfNQ z-MXBmbO0yQG^SIUm=%7J(vXcKQCrhfFKJkSiw8JI^>lf}Y>hK+Injz(_#AuA4-eU3y<*lYX1!t- z{AiF~%7tJltw+p}m#Qu-=WHi6+kd$CbN|2}`z+l5+3i>3Keu1*t?j?Zcve3D+ps6p zwp(LNlO;A?nl8<{Q(#QRY5{lxmlGy|Nw}R5Wpm?6bFHh3IyX16PB_2r!H-N$c&1E& zm?b8Oyan|uA8JS;Pb7<|pb?}*D0dsCO+Vhl!d<82Yp~q`q=E*hZO8GZ{yR&@f>;-5 zscdjd*?6M51L*E`8$L%griunB`sKR=L_3gK7*ZP1XcK>q2#aa-=de0H{nk@?C&;Hn zXpRM)Lyh|J2lYM!`w)YB-vPe&AVXziZO*1z(}r4UJ8eu8D(V|*pW}Ag18$}@ZKb)9 zSZ}61&Su)5Y1iy?-XN=N5-qhwbmtAC`P)NtH-{Qk^d+{4mfav)xH;4+Vjg{CXpa6L zQ*uwm-#&}t|NAd%`#&#Utn7v0o3S?R&HbYpws& zX#J%ThJR089|s{z>zbM4Z2Ld1cOfnx>A3B10l6Ix4in$da+wX0e;Wlu0vS%lO)65!=#?`+{cd zj!66Q@7e_*g(lmm=-xfer0(YWM8Q216d$85&t=#Q zxFOW7Oau!Xsx&i4r+%A!Ls;w*jOwWoQd1hw}_cp3Y2X>b7LntIg9H9#Aw>)9ebanS3i) ze2oA@KAnVP?G^=a>{eqm1o{dZPy|U`a5&Q&SEJv z8tH#$o(QsUR+c}_4Vdh;F%12D~LHyVMs%gNopL{|79H1L!Kp337X;> z5QQwYIwiu+vuGcE4QD)(@I1=!eoOsPu_=WFJm}(88<)j=oQMV#GH(oC7`@ z!H5gQz^ZAoSE_Po8xHw2)tbC?cZ6zO9pNF4jKnq(8dy)i+$@3Ol}ZyLVWy!B7yq|9hwLV<7>GzYID2cVqeGbeifD81WKBOzhWW&fJ!o15pdOERi(K z1f3709?noMfZVmgFVl5g&nQ{*`sWqg|L~#r@#Ebw3W5ojYJXX;$aZh3l0j>G?(w;F z=^$EfEYh&Y5=BKqVtfa`gSo-F5$euY|Iy!Qq&P#c^u1P5Bf8&x`oFt>Zzx8?35TbK zt{dU75&ZNMbe}p%UD)4;?sgY`{~fxvBEI{g>+=G;^lLn!`vv^`bK~&f#nnSW$#oN+ zBi4i*GH-ZMuMqKsR$hLr0`Pdk-)pSJ(oGA?S?I>|pWIz|F9y`eKjd$53-zzgJnq6e z7BP;6Y-7O^{bLsB9hYZI7lVMlr(ve(es>O^vS&=}61p%7#b))z5B1}XReyB3f^27g z02jxXF04rZeR*>FEgl^xgU~(Ohi6Y4zWfe?rZEXAbbDRs{-PQ8FD_8YLVVV=nqkf= zYaAE6=YDR#b&0vXJv=`?xIBh;7suyt@(rB6y@cccdvbAkfqmB1-6aQ z7EQA>qWm^7E5~bIzna_nx910^mvHd6EH zXxb^hIQ;JT=-umOruY|^@G1JmfS)q~-@HACuMZBte|NTE2u@Bf-@>!fCj(qd3JxDX zK5Of9Yp<6h5zVFw65H(F3CvO);r#gU-TAqe4~_j4TEq(@E9UdDroL*?{Pn`g2KeUP z>(_2Z8qp{Lx-UQVTRV9DJ-a-4dwMaSKvrpB zDUNiHhsUfa#Z6*bl6begY1zEg4Q7>H&bw=MOK4x-)>E^pRT_fU4FuEa@9C^@ z3!!Mj8=MB}y{5A|CV@k|GiM@NUOk4P;0Cz~X6sPj!8Z6qCSpFGLDvM?8Yh!9h3+s- z%h=wZesie>x%wW*gKQJsX;;<^LgPM2W8djCRkI@|2Jpehv>sDX-^5;UZSb;(3TlWp z@7m47NX62gWP4bYkl+7GLq#i_x^5aPRA!K_FREn@_04f7trl!%C%SRl6HTZ#Wo_OC zm5mpw*C8iSqc?~tI+gWd2@DqrNiP(2Ou^;=Y5hFq5gp)ecpGHwz&y~{t)Adq-K&jj zI$NrZ=5mc~G;7sO1a`;U@QWv+Ba+4HO)DBzji!D7`osF_(9iN|j{mj^UrhYry@S9P z<^R}uwO76Wf49HR|M)0RMF81}H!%smz3dSN0n-M855tqkFmoE?+mF%@Aa1h7*7DApRG&ByS8%7|^q~cSP39(l)7UqXL zdk|42@Bky+RM5aX?uw(;EA_B4`?&^Fr-A~jRkYRtbd|_xw}vpsxEe2nNt!4p#9#k8 z;$jNK#n0Rq>xT$(zdtSeGrKfRFCd40E%Ko)270XEc~gVhzGoqkZmV_!`b{K;u{i(5 zhn0C6a;~HjB>lIUtd`RW4>3#aL8MKrLvbL{lqK-)1RduX+$Q*xstL_3BWdMp6Q$Bs z_?j+X;cKhJb*>GG2Ys6L|CC1&lOn^tieVOw>3xoZF3|t`FYEU|@4Z@||9q6k==Enj zI?Ct!Yn<;qXY>5jpvFYpy6JB^(^P>4u6SzQ)t* zw7UsitsZPb*IZMj|1xLZu|fqtNmJR_M!`L64QcS@Do7hn)&wi$y;-8SDUWIx*#6kA z{`{F5E(`eogCqc7!2fr4ws)%f|IXg-n*Tq>^ZD}sbyD!Aq~JU2q~L2|xE6-%=YgJf z`TszdKQ3Ya?e13d|GwDWUHktY<(VHj_zA@NT<)?q>;6=d>;YmyEwT-wsv76kA~t_s zZxG$*Y3Kh#mP9NWKY$x>5&z$N@v36~?Yw%mz2^Uq@jSTw_q8FLwHxqXS6=X#+7lv9 zUd)-|4uGdctUARq8~#c|WyO;LbWw@{MBG=Uo7E`iUs<9o$N%r=23+L-+kUlO-T!&H zy^jBVl;^YO|7$m3lN)e%?FRf86^5(9ApEy}7RvumfB#p1Z>M(u*UOjd z`@bILS=Rse&|-b<2K<+oWOJtY?y_vP)ZuI4w&-c*|HjRWxoc<=nasF%7X%CA|ElLd zceeNT*7o0{JQe=WNLuIr=5Tn4_1}lV>qgd0{*PhuYL?OgyiLh(8SS{)vot_|gKoD( z3FheCiFcI9WZdq0ACDj;$uk8*YBGjsNIn%YiRqdZ$DFI(8b)A`9R9+ha)NZf{oi5u za*rlqQF{))x z-&3jn6FqbJzq=Xgo<5*O{Qp&dyUPDx?5yLz9_8^e9cm7@2~R^|ZsLqssGu7SyTxJu z+HGbV&}9j;x#PToi*7;NfZ`TUyg}5cVA!_*jSF)>-E;bz!LQWb20U%>TW!Gegf^D` z_^}fN!Nbe5r`o9b@WHnE@uPpET3NC^{e+_J={-f;ocblv_Vj+T?dg)j?dgL^w=yab z53i{(lImB)@}lYp5F&tsS06O=J9{|KzBed)c?1u`M+MidbRfd zKgv_}|IE8~xxy<;eDqPTKyKAsJ9o=@JSW$2Yer!&*|4{U7cAJ$r%x<=$IQD;DSHhH z&7E3n_Wv4B8~-<#@kC69{D$7s0$9NRU+lc7#(!;Zul@gz^VlFLJK?~Scn0)6lggw~ z!%%xTI=ujzD8Z=2+)$K+6G(XkEa{l*7BB4SvkR&~X5j?Xged)G1|dl>oGQMdrXpr+ zdnV!J3`i6SDkYV@&J#FM=AuSz5ZHzZ#GFLIki=U3jKJMMcxG;tobW7;u>6ohCTRo_ z6Esxutn&nhGwY$1z!I2psUTz`%%(<{mAy`B-|@jbTWfdLJ>6M#=JPq;?f(Scx$9Po zZ+Jax6fykUUZ6@sm66z7gbYI(^IPw-Ru?|#fw*OH3{v5pu3CBvDpO1}4wCa^6NVUq zNG(7nVJP@D-u-7`Nj{};W3w~?A9**OI@BjhrE;*fHD+p(4SOM^GpMbf+4@jo?lqeR$lqXDayx4}1 zfW$F4@{{KF(;^$4?y<;{#N8I~M2|V%kn86Rtf;kVk<6}=P2Ky#_?8R>(W<3~0be$t z$!)oS$=v;mR77QR>xKx~REUf6eo*;tJ3aXBO1oMLqIS})FAI+*SEgu}l__)_bpWU4 zD#s`ABZXU%D4Ykp57>^d&*T+{3AsTMW}@KZkY>Y}$qB_If*p4ouO!#h#lqGScA7Tm z4NbgDiD%CQ1*D=)kSqz!O9W`z<(lUs8R>OK;%ohHAzw7kTtrlul6dQJen+lF@|3G{ z{p!GBKft{{%w}s-9qJK#iobkSyfmMXCsw?iP?!>yVD(L0Dm2n^XncNlXn#vM<5Goi|~s)!g=6pbuK#!&z~;3sBxoQrm?a7zM7U^<$zb{)q+c1TY6Q>kf|rq+)+)$ z3|n!Nr>ElG2@nalG>-MZ6G~z=!Fh`4FdIY8^xEbN*Z*=I@>#{4e%KV8zob+v z2%pMa3k;2~t+ofU+APcX3{19qc7h6yzWzM#@LMG)vSth}8jJhr>C4>hHP0p^X&R)0 zD<1M#4&d2`u2vShgYI{imuDAUyuEW?bG5z$45=c$Fy>j*8*@I6DcX-VR@jD(U`zJ; zpzZ*=OD@J1d@44JasM~jS7yBR_cFDv_4&0vzt-p1`uzH-K6CZ|H^wdZiS_^8{$9VT z|L<+D_5VkCKA3BV{poIyjP6TdH-Q(4(7@YNuh3FUJVD_B?uA@XE>WrQq6~Z>>&=@@R{!p&mTAt* z=D6VS*HfJ~todR(y^M1tndLhIC9H~ltxj@x**)5-Z6CFC2sPgu61(c|w`prZ z;f85xXu@oGU9u_VS$<@y^s=$B#%k*ve1F1cuKq{Nsp|Wt09<_js~Z2aySI-2e4OWj z@;}YF&atuT4T)KVV%3Va#vA~v`FPiv0zbDCW@|C<**{D3|9hkWT*UwD_do6I?(VGl z|6@G=Li~T7DX=M1V1Jz{a4ihmpJn*}C-(pLw_ono{l72Q{QohY75IN8)s_v>e;D4q zN?NbAD!=Al>*s-<7XI&T@P6w2pSv$!)$ad!`Rc{`{MVyAmUkDC{UyfT%HVtgDJoc& zx89xm!-DYcADHneF8)T;PgkS_LDQIpM3y7Hybiho6z(?;D~?3#SbSLq z=tN;bh7q*xuXTu7CZacTHzq4<=1+s+gE@JbQce%jvwX zDj&ccindwI8^4`l2!@kDMa+m-{)Wfdl)lk4BAbz`&aZx^y1ap2>vlVkz+_sQ2dfOB z#^cMBlwa0Zo^Hh88e3YpTK$t2p5#e*L=Q$Iy>e!4deg%1iDG$~LVVdb zgJr~a2@S8W{`>af*Y1?`fE6eWkiE6;FB0$FuM0T>ZR^N>Qhb z3OJ?oqNK2wmS|mh_n(JQVdp_xMVT$071i2u#U=v%vaOX8sd|xhtI~<&BUPc3RL~I> zcP13GGqyC1nBw*08aXz_I=-Z$K_WdkVJ;-ig~a*L)C&c zh8%@mq=J&@kS9_J!aRj1Xs5DP>Ut=ux<57Dfr^&Wi&ho>t;6gCos#z#*Ywu(&HnJe z*EmQEd$^s@6C^JU)K|X`D%u z-bt}39@Zyuj7ROC$sAaMF&vnuZ7fKr5eGTRRK#x+%&vs9)N`m)F=Ywj{;e*3Mg`;1 z1s;}^19-V@%Y}1n-e_32b-Vs`7-*OZnsUh$7n*1Xwa)rgE)Cz8UYR4KnZ%?;zhxw5BSs^*nsBKwus;}GVGxhVLPp|2rSe z(u7TyYOIQ3zX#uu8$7cRRN_r57T5Q*mz6@WJyG&rd(}x zDjV8_DFroD%=M&MQXPt)UW!SOA&F@OS-Pbux0h$7QrvvPHOezp2V~pT&6V1%j4kZ+ z;6Q=*Sy$DOqZGie9iL zL6t+T4$RCPCd6VG6(*=ABiPjz_LK|S*qhxRoTz6=4%3)Qlc_Q9i_6!w>t);01^U4m zkLoB`^yMbpPFPHVDHyXGDj}1=)07L9p=Og$MwU8+>%fp>VY5CZUVQoLZ!h}WI~5-BRZ!6(>3bS_uAbtrnp(j|poPHu(xn-2C0R0#DJBWH zs;j6-!hu(&2DYx2=Jmi#`+nuyhla~ukaAnBIQ(|CdDT!Os8wl4$$YbEkJ% z(J4xxr_Bla=A<2HYP%h;273a01*3^7TwZ1^3>wHH2>b&3S|m1s&q?lS8G6K|mP92W z!3`B`#6na88k<~Lt4^EEyg8)D1NjEEVaMe8fE#s*X&6DHpT0nJSm6q0mfLF%L;xaR|F+-M0rDAdMZ#BBu1ZY8<0d ziB;RJiZMOEblw`r0{iVzK{=2Hhr|kaRPIiz53{>iD;Tku`uwK&v{ku&YiZ6C^RePm zMO28|QuDs8&^;rx8{-MYxPe72J&Uaye^n`7X#lO1RlFM$7X50$rSfEwfWgTBMxp^qB7l4;ktKJWr zh{=C)2f|r3JMt3p!(}iVz~$jtV~aLr()!W4k!s~}ucZ;gf>z2J!X=?#2K}qyBiHpn=3p=}l2y#6vUB0<^Mp}!nhHT7kXhNkt z6MR@Q*XMYC!%QkZeeKt*^RRh)F--s#FuDfms=36sR8@D=Y(fu{Gp_p0PvzFy*SVI7 z3@21i7v^eQMr5;uDMsQW8k1S>!`{`d4PqWjDwg)@_4zohiW2IAzv6W)6phR=c&$f)#fG8S^Yx%3dVO5gExiHyL2Zz z4Vppi2oAK!-|EqvhYIq!Z-`HW*3vR0P0>C}#M>^XD?J?W5ZiYK`%j3lAzmWyi>+Eo^6zCcbR#wM)p~W$8v`aQewb_Q-Ug|NY6+*Op1|BTv^nL-S54HB7 zWn*d1GMsz*uuUVW9Rv;LN3#VWe~YV*xd-VjhTs-KIE@HZ`rD+}1x>Lxw%e6r6E2na zVzsNnTDN>lO{82@nwS%8R=rH8X72{Rr>-B-Ko{BMu)Jb^==D8Ysq#v*r$U)sJTg2FA0 zLq4VdtJC?03(&gG48jRX#&i=>Tm-<9P+-y%3~Rr#cTZpC3>+_t|LJf-gs~=me%=tA z>ro=Ui#uy6tq$J^$~XhcH=LlR!!5)nzwOH-m4p1qo3 zvQIcWxIFw0xahn&IemNX8h~jg@wWPW$Y`_)v^Va-)n2dP+r5I|EA!{xRRabc+q7<> zrFoZ06o=2?G9|xqQAMFMAB7ja?cVlP502lHX&O_E-7XJCbrd>fG*}YGSww*(vkC$> z$0>sJV&*sfYq&@<>kI`Y*BB~p+qE}Dmg4MnFLUlKd!2Q9x|JS(MV%iX9KAVyNX~Db zx%|Jsv%B}I%Kvv>t@Hms&hwxDD+mJkmL_;}e*_~I(@i*f3#V@{;rQs}vIiGvgbiSr zu{iRaL^-)Y5CmU!o|M+*cQl>?vgl6dC-1{T)}Q~q0fD(MKBb8@1UCV%oeUD9*bRk9 zTfkaY(FiX7@!GqVw)5l(9Pu#I+|2~2cfO`Ezr`bSFcgfAfZu36jNWQ4#8W)KmyB!t zrRWD9<-wyYGNmCKu@IQ%jCmXGT#8}aB#M}ROJZQjh>NKygT>OA&vauY=4WN8q;$~v z3jWg#)9vkTFCUYb49&$@5f3p-<1nUMT!a%UF@ss)jbw1k)Fkkn>=QMOzv^^OwQ7mi z^Wts0{wTRahthO=x3{eo{0SRRs4#9(ro)}i7w~=F4)l9pcD{hKA3$b! zQb_mN9CwSTh_T}=83`hl$U>C~3eR~G&$Ky_Nj#F)=IgxL=)q4%JiMj?4=>%aB+~L- ztMeEwhn9zyF;wWO*0S0nL8FC~hhvIof#lY1|I59NUgrxq8NrNa#mO_YF7zvrA7D}( zPYPbXzQCPob0~tE^H(H}!FsdM;K~wvVqz11!Z9xN0Zi*nBeM%|{`J8jq=MbBn2xC| zaCh!0L{{;Xg>p*_Nw~G4rwUCX#Fxb}jHxDC=xTjtnj-#Vp*up~D?vQ)U7$j6JH`Gn zJa2-LAO~Ap#JHbhvbG5^}x+MiP@A{ z*Pdz8EaSXSnA6?p4>(+r(JqYA$dd6u|bluK5Xg)S4e}Gg@-59Lql4(jc&@6GK=zZ!;|U zk~@kkbVWmXUJ`nAIKb6(7T6b8gDPqcNKpnFnRzrc2o=l+SBGA(QHC?=#&5Hr-b+Pso+%rzST^P<@O(LM2}J>?N1?z5DhMyWU;W81|S)q@|}LbFX6 z4D8M8dJ@f%#t0-;Mz(S2Z|ynzfDHK!^{y{42s57a;KvC~Kx9c$6Hd>h5K;TLCN&&h&89vysIJwO^2yrJchfR|kCU~M{ zDV|l9O7LVH&%AlSnbDXU1!4xI0?hOUTO{IAXpnO&96Xyck;2~#j35{8r}XeP%LHy8>wrcnr$5tbUH;ZyoQrw4D2VZozy z;D6#@7ncW@?=IZii_3%aOa1HM+v85b97`jx?E~s>^&LpNX!PS1=}+6>^dAV$&I7^G zgC1PJ{52H1Mh@rDjeZRdj(BN)i#6%CqHw0ol>-q@Ek;RN5>a9!H2I8PTs)T+t(+D|18bE`LNV;aryTA;9Cvq!T>$E zczX(#XwsW7c)9oGt1szr6pVI9+d;oizYNIm#W2|0+3s(XFX{I7?h8GHnnBvh`thyb z!V%u{;=TBqXGw&AS$4K%BYuK8L@E_YA|j$%2VV50#q)1_FNS-6B%b{x@r?eqvmO0` zc6I#!2gWdS{;6LQ0NCN_~#h<8)5HS*gFldy~yZFt<_-f+7U7o>d4jk4w$qV zWYSb?$JH6IUTrhET9?!$P%PW>o@#CN_TZmZ_jPuX)^d^XSlM@>-xG+~Xhemk8=u}u zrY4vi3r2!Zjo&SyFr=E0GigZEvuL@n(1rijv7CrgnLJZq6fx%p^4dcJ*PwF?3oZ-9 zH(|ttwK1~PT1KTMlSB}6f;P0aK^1RBg-EcWHr6o5;Wt~~S}lzEt*d?a?*`W` zW_w$crS&mQs9>QlF9O?$o_}*T-Hd^$u~jQ+`9>@1nw;-~Ghily36~1`JFj}%z3pBf zT7;?DkDvdwH=PA}DB21|@%*;4#}Oy^qSsu#^+UPsrApPCU1<{Ss4p>zSkg@*GOw@T zlq)*G)Mqjq{z^k_XklOiy4w*)lr%%4IRe*$CinUn=cVr~G6K*zkn;Xr6>)(*ctfsr zQvzK&Gm}^ntJn~UTsqZVQxRr)g)83+b>&!Ym0gsCqvqvStZ9RBqFIFdJD}OmNth{?i71<$qt(8Cp8|ENp5miQZ`V^nFT0Wi%NB zQ*mwRBV=@iA#bd;;f}5pKd=>Ds2o;SduOoudIqQ%;%GKR?_D8A{-EjM%wzS?xz8Ko7jQA`me=S0^G`~n3Kl#)3^G~}!Yn4lN z@@c4sAJx_1wvs1WUp3`P0_N8_9l>)VZQs(A5}|3!7pb|&Zv#@!66b*OOL;4-Qq>89poG0YiMq^9pTy~e?Akt=FLK2*eZurr^IjL4Xm9`;Fds z{BEO|_y0fkzWupz8_7RE^RGZT-|yMZiqyleiF32JitWw%G7qoq+0>S1Y6OvxjF=)c z1ZhVZ&HsLd20(%opOUhBw;QD@W6LD)!K=~eZuAGjm*E@4Klw%sor;rtS-EHGt)uw- zV;o!!yFSeEh#{rZ!jhnQjZ_N>rN>d@)GL%#5=8J^2XSVYvz2Bi>j_wdo>}4f7a>XmO8(iUJ<>N)U*CFnNOa?tkkH#)oQEeDbY7qPwembn)ul z-Tl?A`1$_&%@3#+7kY{I^N9Aple7Bj7b=&d8m7QQk~mpziOE_{EsucX{U`bQkJNoc zY%0AiimF-6d6#ew`o#kdW?GyCNHpjw`u!=$c+!*B^+AdH04k47PrE=h$Xo!|w2-zbh)NU@*# zcWq;Wb|;uq*G~S#N!0xsSlwtavrUiip;(fj9h%)IkKHUF_GD?ZKxm~bppiC}$oaF+ zrMp4qti)P|fmb2pbWlR|w|6n5f8CL*L4S-#2iv$D3d%d$#`Vyuyraw;h6_SnD7X;E z3R$w*-V_IEB(&c`_`0VE)(^OT?*7= z%est-IuAi~uRiU-1wSO6)Z)9WQVqkP{SKXUi%YHiiId&fs?GQt^eT2AskFm}GKW5T z#t^jNF+?MsRvckBiXqwu3WAs(6)ls-awxV|v74{e^N!2Pg$9a4@DqW#5lpda0|sNO zjNmaliab#k^Q5oNE$asvZUJh7x^$ixYK1J|C?tVLLW$)s#GkKi`pFF!d#b_&oG0va zXF2yvcYpgAR89(w-diiQ{DeYe0|rMwn#wE*H5Eo>$pg%jSygI)bQTvp=Cb*M1#r`I zE$-;X$1chDAPdq!0=2%)sI&t$F~?;hbex#(@f;+C_Cp^Qt#diCp|Vn${Jx}zUS?IY z@-8ygdEs+OAH7`bqRYbdk}QX06^IrTwNI@#W0sV(6KufT#U6P%#Xcvp`oEEoPM31| z1`N)`l&eDJ@mL)Cl9hwGlJE{1!kA_;`#zc^=FJX@p=o;cz$aD|&0>_>P zeW#x)&h?Qvs_W9Bu$9Px*qcKq7aFWQ!VvMS?|9fW(3d=XVqVJ-huJB?Q7lC8ghbCm zGfpJhpyv#rPX%Nd9<5@fWfS3kPPT1wM^7UWS!71RRy0;$F6rtrWMolc3vAVbLm8EM zVS0zbD{h1tN=?D1T-j(7SF-rph(T2IY5k6hn!+?p9Mw7i(ddt~JF4Osr_?8oWv$SS zt{1iatk5OlZb;=Jc$1GPLAImid)5ls`m;f;w!Qh=nG)K*XRQ)Dhs@$TZdL0=a+K8L zfBEJPc`_exqY}m$zfjZKCGI4xd>habckZx^L@{vdqSz;1fP3_zWvyAJ5Ovq+i3h=N)#s}c{nK9e?5p)CsR4JQ2xjZb>Ld0Ro2!)?aU zH^;3+hYF@qwp=k+g#Pm>CLt}CDBH^u&C$?q-+8539}>B(0>MDN7Uw|FgR5|FDNiy) zM~!h;$P@4b$S6vm1=7ECSb%#=d6J{BXpCD0v_LnDi2-FGpUoPUux)?KZ1yeR&R$9h z=^Tek8HWLfq7aNRK;l)7dvH29Ioo_)8mag<#Qm51`h+7375{QC#vZg+Yp#@*)Vuodon_NP|3l~+ajJf-g1rha2x zn x2nOy5&o+@KS=1T&D4JpQ%wu$6OM=)pcNW_{<7%=FJxwIhTF81 z>Q_+^&nL|fm`58Q98BEcr6+fAH*i)rV^-)LJdU_}UaD6{Tk7_E(cgPQ;_scKy;~W8 zAj{mV9ELUA3+BB}49IoUeTBwvL-5SpisR+DJHEjo_I=`yC1NmAQx_Xwkw_eW-UavxQ@F!kR^$pjzTg7kCFNlZX2S2`{nXf5S3erJlq4m%aX4$U z@mxW60~HBo`!pa3hcn1>(a2)8)qy_8x7B8&m$*srgr0EN%(j**VMn;lZ0)t>t*b#Qu#HSp&Cr2u?Es1#S>WyiBlwJgIQ82{B`60*R1W zpWkT?+IsLA+-5HD9Qbl+xU+pn9O#GBDGi#~Bvxqj2CT>G1r)|U;U7kW4^5Hp4EKV0 zjbRJi*Fi)=`-XXI;QLL$?-X|s(Pr3JXe1uCH-fB6z;VQOkK2jZg86K={E-y2VFmY3 zj7MZ}sz5TrB@N1#FwU+>O&eUNVbtQTI&rShy*Ny=X)CNb+?-8YTW;!cKNC88C@Xh` zeu6(sx_AkoT?7$U*3DaZ-~Tyn36U$+9u--R$#PINU8lg1rkC zh$8_lQC3!Hbg!OA@&#nPp{Mmpg;d;`94y5xRPwt=@;uJqz9h4dkTk9v5Y6!tO$dqu z@Gm7U4K0;r~;c)W{m(2D@xI_!Sz9`Zm<2)^Wqtt(N@_@7S5VkF|Zi>;6t~ zx9IOu+!cMU`rFp^wF*zl;(mytMMEcMh5N5+QfF~*?*1#l-7MIr40p|>&f*sJZHZgv zJ!tMqTcI17b3p-YVfaRe#f9781@|`s9(}mRBXDc|9BX zR zX;{K|)ZO41pTRAvYl+*O!@7sHVXtAB&*s(#jXUz;s%3Nd#keECIrbGA2eh5zuM~Hh zY};4&JFi}rf}ga4d#XXG&f0Q zi1H-QzzV6Xx@~Z)eMj9OZ-IS$1Gjl;?*burN;dB-_ zbMI?~Sas52YD^Fkg1aGJh|ZXkD5S1Vp*Bi;?5(QnH^Lcn656wvdW3gpGEJkcF4zn3 z1%<7JfvWD^WOFMT(ydj_?D*D{u)XT0aqmXuYzBUpxZybY)Z{q1%A|o99(}}g(v~#!QaSF; zRZgA0UF@SbZ31vtXgJ}_k0T-@Y*`?+pNOfL*4nERTRLE>x!WsDG(SBEVV4k&+~i8A zZNW4b%hw%_e3PQE3VFrVdeDK1?yi{WF^kcX@;r zN5iB6G=hZ0#kjZY@7Cw;2Dn8(oBjWr;BFi~WY#(w7REj$NXuu)u5h=Cut;jn2U=tR z*92MY26wASg)HvkfQ3eVzNN{4w)EsCwbnXxYo_^D{heV7X!W+KpM^?bqdHX5-#*z%V^;BUs0d+E#JRw!gWb=^8 zJuP9JPygP`_?g8mH=hQGTjG|P%uT?>xEtR;&fzvvVK>A5HklmR%;Q1=me6G6aqnWD z2(9f7cv2b(^i&R-xtjO`i+wLij1HQtnEZJ<6E1PLGMQFFcJWQ^`dnL*7sF&dDpHz@ zVUi6B1Wv@#w#aNIz$KNWA8r77Gpj{aOY5f>EQX6AqP$`uTnsCkuz|2IhdieNoyT(_ z`!Chy-?gGw=(T)Gg7VBu!U^xBD7XW^%1M+wr3dW^`_z-9Un)zoOkAL!TW{s*;JE#5 z?25suY^17G{~hwSs8OH+dJyxnQT=FqeDtCf@H)s>zbt6D{0SIxi=yo1-xY|-D+r(*LdynS)pHkyS3t+B-M|nm?4Y-Szl3OSDwC{& ze8gb8_g15 zKqF%kkW@h4+;3GuG2_fa7MDhJt_JhdJyrSNR43sm7Q*kS)E zT2I>I7RpckysA=tYIL4vnQ_|cJne87>OWPAPcr{^rT{tl7PruU47+NwKQ>PYr0tVx zxkDTj5OONY%0_nVOmbrTf%tPGtt)cX4(4HFlmx+FQiW- zsYK$70440>`FXBSVxp_sC_EquI0ii-tKdo)5AO=#3f30Bd8 z_|abi+k@&vaW2MgITMKP-h`!A6N1QfmFs=ECZ2JQ-4>h}sy{?8iaB0LB$6Qv(iG9Z z32RU_U2;n6@)M>o-^6-eFi)?K?ixx-X{(G19k43MsQVidh|ca<;&m{|oFhpNqKG9u z7VJmBj*z7G60>x^h&m_=muL~HOw1$zTEdXA=uegK&*7TwAJN@k-u{Fxhxfzphj&+Z z-&udK3qF6aR#K*3;s{T$cC4?;pEk%qK63Yg%rWdEi`hpPN7zgTEWYMT9+7!YdY6=a zaD+nk%nw_%@#6Mscz>0&5>0UM_??yewtac`!|z|o!Wp>*n_Q_3-xZ z=*O$SchCg;z@l||b#eWA`06mJ8%k(V@%5X#tJ`}~!P{KDe;dAfcXekS^an@B9n|mj zdOhc)cle#9Ug@`)5?8OTF7DAc=+C!rUuWw{=EonhbAx(fpVsYM6+b1gp_K+#{M12T zjBcC3egCP|0*pvFr-7tSP1c`c+Joh{mw#(d)A0OG_WJKm_6mB80{lR*A3a#s_r%3Q zGZOokm_I_>Lo{&x*drW;WET5aKaJc6;yxC#_7-&9< zyKgM%F~`VdemoDr6dg~e)YTK;BXa6X9ZuoVtX=v}SdMhtNeRet5J{RRN!0@(9eKW| zjGhKW&V)xuDi09@#G1l&=*?+>-d(Fs9lDxI!2Dyjc9>m7G*dA3vh0K&gB@1uim*k- znsarn?{$4be-v7rJ!RoD4nh9`o;grXfPVnZvHJj>$Pfz>EeB|`4y2+4V^&U@wx%Vi zVwP$G6|#$&sLJ`%Ui4n{q>vISyD};PZ`ec#4WAh2F0-FSyPqhRLi9hy`aAD-p}9g0 zIv2%u|0t#gV0-_GwFhVJQ6FQ{Kl4uaz9?*&L3N5-h=s}au z?2{9F<_)|f_iT#(gv8g~ey=P0VsLgoI6((9)_2aFqeBY|X|GCAGQQ`)e<0y4{>eYL z7Sa?Ve(rXwl<@wBjrlLmeW4@2R5V)_OaV2YvWy;G@h1xcNJqU7;u)Zc&OT&GEnb$8 z?kkIsq*PX7v@M0@`tls1&rQbgizVKJ=fzr41Df#rX6(n7b6Kruv}k5!c5du@wMYdKJEw{wjOP zVtYbnG&q!7tkCJp4DJz=(f?f;>f%T~Py_N)-#J15A^tg)`q(@c>c20JGI1Cn7UWtr zS&9my#4f977B5M#97D{%yi=QAeR9wn7LjwgeS=sJh8_}5e@%j#lfz-4e`m3WNbp2M zCNEtb5NGCe&<{Ue303my$GgK0SO}vGd#OGu3-#CY5Ee~Voq;)zg-R%zo*uXw@ zBpyBn(ZScu>zao5y_F#xF5{7YZ%OAu5o^WEV`YX!1~m-3%n4sLB4l!cZ&`T+l8$im+G?CVREDtn>=i@ z2hu#9ImWtNdkgiqraeSeI6ibNYt;X6jw)oF%L11yz_V;{F?Hp=JbS@BxcJchS|;@q zzw6tJHV!;HljYeO4R%wR_`gx=kx^~**bx&%^`!VZKQkcT3`K3e9RS#7Ykdob55MOx5GMmyg^Ci=_eKn(^tK%>&iFo|H$X-%z^&m z0f&)g<-CI!T^d=Y@BaD<5==~_B*l>s$sB3-uMo_s_T!-I2+in|+F!)x2FBD5dSD^_ zl?4&@<*tLU8#2z(JoY2H@QK{&R8%JRpYf90EI^94hDt`uz>~Qy#2E#ygcDDwPeR)U z#VFepsD~Rh`^$vhJ|tNxI~IZiP#R0oTnM-)f^g_Q(1^HE9AY2nDc zVQyr3R8em|NM&qo0PMZ{SKG$6IDUTp>aW-}IS1&CYy)}p`d->g32it{2p=GA&*Eg^ zu{5@)NE%f$0(=7h`*+Qr8EGWT#ymor7Ok!ZOEY`k`!)MPBO)XV1SMH8?re`qCfgGd zM}ND=r`zpzUp#w;|8~3G`oC-4^=E%ud$zIheB*id+4{!cx@*t6-Sxjg_dYu@>&b;A z+26W%ZmT}HFXSOf!X=T6C!*&81VoaEkJbrC`GERoG!u*`Jy`yBbFIDh%Pz~iwR34VF}Gd&+~!Cghf4Y;Qn6; z!~>{Iuh%pmg6CO45!jrLSL>WrXY6zD$;ap6o+|!7BT-JpeG`EB_{J;ME z*(3gch{yMRFNks>X|{*hq*d7wEid6A{W0Tt+Jjb1RJoStEy2;4f}q(M3n<7jk&y5N z^miDk;sVZD6oJepAUOm)NoXL|pXXzmz;B!-EE$0uQ!vdVP$oc(c^-u@Q1G#W(>?ev zX!$MpFDQD2SbM_rtkSrre;n!#_MnA*t{`{FctnNnJN9%yfuw1~Xs8;Msw+h+dccAf zB~{mm0Ggb!j3+ToB%G0qkwHX78+O{GHdbz9Bb&N6-co^)&(F_Y;xNitNINvCqUBCT zhcu%}Ks!O6Wi*kUn1^{pg^#euGLDwiUp}_t;r|s8_sv}3pCOT?_~RttiKK}vUyQl) z%7EFhu>8(z#37U%I> z?AIO-sp!GF=TY&N{Km6_V(WF@cuOGiV2sODA-j_}0+NIf@zJy2*4t^uQ^n&@;Zd=Tb$jsf%3FfzdOf&Q?*UHf zq^JJ^NT`rBRBr(Br+PmH+pP(krl1#Olt{WwGuZ=~sW(*o^DKUsYKF{oBh7d~h2WWJ zbNj_W^MC!dw-rcsM)z%@ZJsA`a|1X0h0I9vCdHXeQ<}`$?M%4Gf+nFo7Zl8Hgk_qX z^_JC$+VC%)LqHP91;y3kLoBM;yey%T;#pBkGD#%4fHBReM^*QBk~7hR;}2>)zTt1) z{_A9C@8{ivcYAMl_Kr?|-a62u#aZhqz$f_U$%s>Ng0QBxO~gq!W9Y+-$8OIA4KgZ$ zXLgUpB=u-=_Cv;F(>31|I-oIlISjA%kLB54R2NkSe+ z6JSF~xP*`nSwcgcFNm0sYNa$>fu}-_Da#-wa*TTCD-kn?uL0}{2&ivh{(3y;NQr07)0gHxKhw4vI;8ga&IM`YB47P9W<&3+z5 z`#fU7qzA3t;U1U!85J~^mO6V&3KKI` zi$nqi^ ztpiHJUos}?yCk5k4>&i@MAfGXKuDh9#@Xop$UH9_kN~B4Br81_l1M1*U>LQnAW(;@ zzWnv?h7VK|N^;5ZupaSKnphf@^6=0cX|u~3+Du9)BBg=uahkC+7SWM|xd4Vj^Ot5! zS+2IsL7r@htz@Eyt$w^0G@DaK&^Ii}FXolV(=?)r7LW*A6mtse1uIHe{9pVm5Pk6` zRZNUf+||$JVi#X&oXW{7mU&)LE}%`A+?*(^xCC2aXi<>)f(TS$&4w*ysqUd9QsL!8 z)8V2GyEvq_1vDxC*^JqeJcDx8Cyfp5Ag1b6kaa^v+(Y|QxVJ2jQ4+pOqDjF9sZZOy zP>oa}hujxDrgE%l2!KJKgIr7o{6e2p9>*jJdvLrQ^5v(nT+~?pVBqg2On$;PN-C+= zWItnEotW*22*q+pMF553P7O&0mN*hZ$)2EgjR!&zr+}tX7%G)#xPYCMhkj~+`)Nki zBB}RF_GO@2^isF|;)r`o@cpFNVY1-*Vsc7BD4s+U6yAa{RdQ6Qm?EjzM<5vmn(%xy z#^DsFELLO>xgw&bhfXx4gr3oC)?BpVP_J$=6M_$okQo|YyEULf0v!%{CR>#u_ni6R=6#noB}NixO05@~ouoL$Lcs`Up0&ZUqUNz=L( zA?4v)l8_N1`hp4CH?0)9i)P7yCBM-?wL6#;+Kq@Mr@B*$f6fIBpTZ!QDD6aQ6RQPQ zTf3@WP(8#B3+%BThS_Pcl8_91lx1D13Yo@~1hnlf!R`=G482Hc#uUlWO{F~4Q5iu;K6`)yCt0izXpqsCQ`^o&a$@W?2zJ@x;6uEf&+Uhj52 zlf2Hm>BPIsd%`_Rv2bfpny>DLp-E<_B3ZT#e~@@*SJ~zQq$y4y#7+W zQd7%G_&te85~xWupxu{;*z*IDj0{}|MV4unkmx8=XFMp5NXzr`G$fK9N+mjuCOtUd zQN)tbdwg9-NHMv9JRxUNSv%i0v#QCq-~ z(a(|kXc`i8T_AxqZ%Nfg*%@(%L!}RLUtz}6l8@Ya^9FaM<#-M_mp`zGiiwakE=~|O zwZ{|nx%$#=e+gdmbBMUYfgH{W)3;a^DG{-Oa;p4*jDwO$Waig!BE(f=dvjJ+`9)As-YA9n3712wG!2c zRlcG{vA}se8S?BzNFsA#_2aLx#`c&7r~6p22d!Gs%~3{a@(~u&Y8c43Wd&wi3S^RX2-0Y4*@&)O}^NMIMh$f0aajV3t(m|F8sZO1uW@^71 zTA_h3P2R@jjFws=LrfH3h43t8XURw*)e60tCD5o7R-H*xyN%p%4-~6<(NIiA!Y2XF zl{$0^p9T)cjMZA6RwQW}wi{ciQZ=vW0UI(!6BL7LP=Jp=ditW-H+m7R{4t0D6>b(w zpg5_eC3OrUi@KLeK~(pr0?(I`(1o0~mkNQkp=rE8es@N*jD>o4DD*J(QXiGQ`fD#@ zLmEs1g+fuYl4kT!DqM%M;)N3Wb@Qd1)anda(h=jM>}u#-)tT2oa}AA-Pw#MCl-!VW_Rz^&aWr? zTSrGb2YZ{Xh>wIMV(fq2ata;3-a2@7vi^O?48nykUXOrtr~@4 zsYhEfh?Z)Nnqr;!5cb?+rB<-5QR=S7ZHhHiES=)ehD;F~s`c#&KW}T$y9w}2vDoT0 zQ7kiVVx+!R#QhYQgoIMfR3U~|M{~#(3#O<5vh}9NA3v6dqLrgm4sE!)^7YN2gG|-% zG!DWpSVpiSk~&>_eRQ-BirF;{Rj9kKuQ`3SAMe~!!B$_}Tv4*#reWfH%{n&($cBnk zMl4{6!BNf=mhb{z!bz0f@Y)0=xsO**wdO*%rp25ARZCzb$I2dB7NrDfTO~;dF_FPo zRZ?RBvs&$bwO+gg_<4MrbsESMMb#Q`V?RXV0fqq9W!F0-8$Q zwGtAXGdac?kz>WbglvfXqC}OjfEAp0taLtRl17UE3ULNj3*b1jZz^hAR4U^Q$}mIJ z6;?~{T%_v2TB|!-#fOi0jjXCZ1)eGnOz~s8$x|&VDMr9T{BY&jN!uzeW@?DSB8HY4 zLdy(FYX{n}$0aRAZT(Hj%+Vs>F zGgtcpm5H4CXy$e5y#iTu(3Qk{cGj!&SLJ%~jHvxBNpx!N&8=P{7sy0c@J*q}FleJa z6NfCc-#_1$eB3T-yGVOUSEc=*+t{n&sfx>%h>OnNyQ7`Mw!Dz{(8e|P-`$tbH){5O z&!4Y7+W$Ssv(|=R)LGGNftIu(ri$YgN`j)0rwSQ8K{+{)5saw0Q}O+RkZykb2<-!H zrQI$N6I@+^A1QWyv%(-&&8i%B5&Uy+y$uIcW{jRu%YG>)AzK!Ok;`;{tO3hHU0SR! zj{S`if|Q)0MDoq$kL{31(zczsT82v{SJD^Hzz@BTAANR(lJsyj3Z!N0m{#y+#o|H+s}Da}M%rgt_4 zzUKVD=yum?=l{jV%jb{h{~?}_A3I;e8H;-;ZVXvOv6_}(OndNk2e(n@Yj5Ww zH3nkHL0e-3R4lbUQ_eTnk@b_M50+n+L1C<|9gc9f+9TttpWspv&Ln^r8~7)S5A)%W zU7!`PU)$fhm)mHE0;FgIHQw-hP9k(;QRoQ!-}Zi?8akGjstq+3C0qqW$t6nufuG7d z2psj0(a2m@b})~y`V6Kt!ux%f=knrX%oIfT~V zh5vWas$m2T_J)%>tJit8%Zho8Q#mQRSJx%ZF4<73_~u%FUtRgmm(m8@_Bj$$)hnQ{ zt8d0U3)a+tn(9?H?sn2S~&9&DJ8Vb z=N6cv$a>E%dP*l)G$8YU>aVSawfEr(iL`ixbHap#6__!)ilcxYr8_z8zt5SOdfnBg zsh)z@7H7eoVU|lz)EGxJ+1{#w@&nR>jTg_W+r*SUWTS+J+v>$lrY2#LGr0=5>Og%9 zU_)&LehHEvO1y!+gu#nvGzsdvK$rfBPG%K$_Q8{Y%!NDWG|oCtwNcK*QI&EJjP#5< z$D%mSEq)&;t)X6ZHf}fbg>i?2$*hK5ZBv#=SSgly#Wrn=tghO2pX8QWUWdc53V^DV zkz_>S3401puxg%279C2OLf7fWnjN@lLsO6^46d%88bCK3HG1ikBR1VA28T{bcCxXR z+stgmt){Z6Z9~-}_2sR7ZN#z0X|z}=jiZZYvZm>92_lV{e525CtKC|Ku0~&a_Sg`$ z(<_0#F%dU4frmfbt`tqfCTMnV{N!B*u?7(Kz%@;TL5`{KI=0}{@2%JF-h;i8Th*R z56?I1@gH8iTW>R_yXEP@ zI)pnVa{LsY7{|fhX5&l(@~)~VTwV3x5^0gCa*4uCBH`Iwx-+#-rJLxdUaQ~EV&C|k z{<#;dI;D4Cw9kFE7kOske`_vxAE6+w!T%fGjcy(PKYPUg5A)RUid}YlV^MJXiqqXQ zQr2~fqN0*DX?KrV@vbOkO)1?{wjaf}qO|$4ug>L+3Ru|1hQ>gKC8PG~H)!Tr;74O2 z(Tp9-QD0rvP#FUa} z&X_Y6zA$#x@Xc$-Y0Qxlr|VQOxzp&3#$;rMA@#J{V(uE(1oqi5eAnRCt$?rX+@nQ< z7Ojhdrjtk_&-B3 zQ?w(zBNuob|M%kAiyHs;^2Lis`=1AS3=vu3S$Un{nvf#DRp zqh8OH-Bw8b@&r@MhfSFwaYoJAdGr zw#nC)-^RH~t-Z@oaC2QZ#q$^BXqfT1q-#s?L&jquxg7J1{l{2X!^)VP74F?U%V=PN zV63`+QuX<>Ps2RgXFPmOTd@qI2$?rwe=dSzerze zmb!KRV+r16+WtMrg;bp_P0f*CZSKl94Lvb`&fj%YsHD2}N~7u7`>$~aR{W^Hux&Wg z-{hM0b>{NR*pOw1=j_UR+L6=Xw8M%q<3B9T`0u#LH^bfagYwC_@mc&|%EQumU;FOg znhU(n{`*DuWtIP1U+X^Gc;x>c;;CWdYG?#kb+hfnHE3_`?;1W%v|keeEiET>&emE} z%D3WEp)r|NU_d2VbGN-_A@_Oss@RI(>o5}2eBy#f%umBX$$Zr#K~yYU>N5exAMM^4 zwLgNmJ?H#ehx|LsfY;9bo6?@DRk=hc$K(LjIBHt6JUv`hvgCBu7xMeC&#d#G@rd46 z9Qf<(Kh`(u`k&`7yN~`K5AxK`KU$dG=aEN%R-nL(s;Miu10K=q?%%%j!(80$_&`!t zjXvsQNUlT}1B=k!b6d;_agSLOC}*JncN>QY9WyOjH2ikmBoS-jc96%lnAN zzl>)V{?~>t=o|Q{@qhRE%ew#f%e5De{QrYIHT+*Dq=6bDFVMAiEA@2n!>QnjcQ6UZ zq#Mmvc8lErUwcD)t>N8#>Tq>cm=n+Tnsoeg+ps!AEdS%+#QEp{el!5r%Ky*T>-N9v z>yP~3gFLnKZDAk&rWeJXjV+K?P06p zJw0UQKy7Euu#f!%Ads)V(xtVCuU9RN5{{EV{uN z30oS5I}=DVNA-t6?Ecs!2f71>ufg~;qI#P`X%UoPl%2T|Yq%duC#5z~a$UQo+tCR@ zsGld8d&w`t_Z0T1mJ|dwt5Xm5ctWAf8}YuBt+zQB9u*_W|1&wojtKk@zFv+nbkFYD)jV}1Sc{6EA~4;)0& zRFtL}ZX)Twj%(&a=;#}8S2gIO?(YnATMzJ9btyIIZtqso)4h8+s8!U_G%L(z5n|J5 zQW~=MR?Q3R-*v@W%2Mp%lq#xPsPU@9$;w`JJ#0v`ZrFVHKmgqMP|WRu-duGj$m&VD z(E(ZDklgN|+~%+>d|(yd40^BZ)P+$%Ot-k6@LNj#nh!16tioN zSmQ>z;VL}tj0TjtSQkXZ>xz2S`C2PJhCBCj0UKT!fo>uQaps1@@{sAERfk-YkE((QrmU0f}QEAf4i;8Y12u} zC686Ps@QkLPiazR1B?NwE{)%-Bds8JCo6GT%1u?=jL%=p^gn25!%c-;7ONykzJ_Yd zU9%NOhfWg7wuVENFgbzNm}FsVbxr}nhf*C#r=!KkdP~Iy%NWPqRgLQgcs*15ROPs4 zSDapL(~I6U!=FEN_jDmjE=#yh^%?y=XBiD&VPf|~jU8Ar+8rglc)fE$gIsM1x2CU& zWU~wZtekOfbxc`6(zN!WA!VHVxGCeR@D?GbE;ZG=J>?M}O@5+P4%wa1qp}Q4JMhd~ z2;5=|E<}pS)o-~H=ah}cvIlFG!Kv2l7-$yP=j_&Fx6j=5zkUbI-2>O`g4z3E(VZ|4 z-!@{gY2={sSh<+ZVLQ5Wj=H2-%o4=5KV~GL`_*jz?rlP2$r6%gnj0Cls#V!rMHwor zje7@@OhwJpwW{-cU0lcVvG~(moV?}XR1xQshBl{cBV*Y3YDN_9`k1LGVrSbYurZ!z zL>IhKK<>r+*vxj8{rv4LF2hFOXJ4xUsTb{V)wF%8yVcY=#uk0fma6Tjn^?F{^|;nk zn<2cZpZ1&66-+Dhie;FE--TX1Op8GE=ba5R2~b5ENhR1%Rbw1=7C~3%Ky;kCl&Lt-~Z%?r}E#0q{5wnKS`ukC< zalEVcCO?gu=VK0cIWzKX1;E10>AWSv)GGUV6djs0n?=F;mnNBOs`f&C(wZ+LJ-lJb zX_dH4f1cURkFudaCOzIzdItMiWaHZLRK?81*QC0sTlA$CP~nXJSbM^nTxE+&= zlbEC@D4K4%DhDk4bNrTEyd~+j`h0cO`rzo+3J3kB$j?k3*aFvbRUbdj$NV$#{sP(# zF-z6q_T@9Lj6;eBM2wxEe&GDLtk59|KFv9#ETu!jBF`m;6*^wbrzZYxL50&9umn0X zPCK@s!BL&BJ750~guKF|oYKkWla&Dx6nV}kY_;;424fDbtuRE2!6H>c5sab_r*wka z#Hu_uqr)T&eFW0ND$shu+%jtN*&V zf)D?rT1loSXxU5u##1<#EH_O16sQ(l&Y4>9FB$;5yMwv28>HY9 z=;R{nh%w1%EhCvmpVgP;QLgN-P63rBXHAp`iN;QH=F*+&aiz)G4;haeE9*})tCo1H zp>iE>HG|Mnn-ES0Uu~r9;l`tIH`>m?rJs)cYmaxnOv2HbpX60(l~+oT`H)%Ks0vrYY1_tC2vN zfg(YfYUhk(3?o4@0WlMTC8MW6FPK#4qX~@a@Y>XeDq*ps+tn9>2@erI(pz;}^Ayer zlXzUo5PEi&9IWu-*YM?q$DG;sIIlC@S2iHjKb(n`oTL(ucKkUBQ*+dlFrs4!4pD6yO zX*OOlfis;50RaidRE?LMaTY4RDpC^@BFAFBVm|GF=r2K@MGY{m1-iXG&{(y~1--(| zqmZk$#m4^^HrmhEr=Zab3_-njczAO7>id)ThdU?RTidU9HWNNQoUxQCtgOPvhCLGT zfJB&2WV7|;kYPug9c?=cuDEII6Xk)p$p_l*?=~J5JNrEUNqEZxx zsXX#yJfV~22FS0Ej`mNs-@V$|e6oVOsnuyIDHi_zQT;p#cu22W(}x-0V0-h)cQZD_ zF+BNruzdx7LZJ&E=4}Rz5$7z7-FV=i!?N3}W%&1#kKb<{?rxuKy+3+=1-D+j4k$^_ zp4)?M-TS7)U{Ei9Z{D@jFP981Wka3aKy@D0yWOYoyt|>6N8d3c`X9p1A=pI1Ou&ow z#hfWF7Vio+H=(uO?Y6F&Y}NU0(*}!XzJjhya{ixAsBRVVk&numicZ`ur1$L^Votp z8$|Lv7()e3-seVI-ZqnEvS?4J{4}#Qf9V@uO*8gY=6M!hKb5RP3mR&vT$O{BNTwWk zr<19aKnf48g&@sHigAs8Gn=p5)S8V3iCs}T6qzcMiI?I(RMK$R8KzNag3~p8(K5ZY zoUFq&60Blk3-8pT|9mRXNudYVy9QMuj6^58>WS*PnC|s_;jnN|tV@WEca=q#M-o;d zn#@e(j=gU|dvz7M&4a*s#$q?^vW0zv?&_5Dv-8eR5uVjmc-h?Vkcohw(QMNG4^7%B zOGfQHVF3|Rr#-ysXy*ADPYtgU*tWS>g3|Eh)Ayu4(e=IAe1aOW-;@onvq^N~6`a}Y zpqa9-bwF4j}Xy)0L0W( z_XMljxigxvAq&tf=_KZ1^H~aLCUvo!w{S`)jWDmfK0xb`j*L+AedAW09^bL`Ad`1# z{lr9rm23t9TC67lS+FC;R(Ys-FB*L4DQ{}{lg;*Q>!k9AYPOc%Twqn$!#NPmwN=9< zS5pJUCD$zQ#T?AIt6J3ctG*sL_I`od4b-f)P%P{{Bl-FEY>Rcv-6ECBO3-n8)riS*OmRI!)dlyz1C*+M#K8;EN&YR?eIPa zIoob>dOzOc&iQ_Bo$qw-d@CbLJ@{)ZDa{PcFmk_vMWq2W56nzs@7e-JY)FGi5LHk` z@v@2Xl{K!TeNB7iFKC;vfL+3U*d*M+9^rF`f0!BnLsB8}e}0vd&>G~Mg#@`K{?EqR zT0Q^Y`pf5QkMTbq;;CT@wc=tb`fFoApM4%q2M8>b)VNLdNKD_I(JW(OJ)+;7g7vsH zwQzu~hPeFx$B$41B!}m42@yZ18D>wWLbk4nd)FG%C~k{!XUzF&s|Tvi^anqr5tY=} zSqxh}z?UKq0*q?sgx|Q6AF>HL;cha${=H3b~dThTj)?%Vg+#&z)@yX*D*ug})k z9`ipx$b$@D$7`n(_16g+RCXSZ@?Ykup8vPxlnz;RpND^u^FNjUW8?YSi^uc-5RbLn zXtz6K8l^N79mSmTq#d6=qJcmEQ$7C&J6o^b?zH3ZUfY;^{@0#8-{{ukKW}V2dyN15 zAkR|G2jVr2V!#l9o_GA!@%K54LJR|&iw`SS@MH0)Eyj#SA*KfSjV7lo5gpON0-cba z@l^N$Yn$EG4tVD`KCp7uea<$afD(WWg!OwDmVP-O-r9MMijQ!bd~*~GT%bg@<=CBZ2fVc2vvi{Gibo3@tc zq4NpOEOr|G0w7|evD9IZ;G9g1T3!3$14%;2@&tIE0Ur)oz)0jBH@d5!{P^McL)-Jd zg|EN&xYrGI#4`AR4{8VIm0G13hB4m~aGSBE!IH%sX zkWobwl$>X~0NWAI!)o0R#~)y2XZxpBAVRw$Q&9{}4Mq(r#wf1dx0Nm&N)nv5y>Gp5 zVQ2d%HDH_3-mx?0t*>K+H3$2mK3^W1GDKLj>~S^!zv*NY8-%YJCyDX+LkT zJ@vkYa|$G*Fed1b1^kR^?=hZ?xO$?!RN^ujdGLCZ$C#41w@I+>8 zkV~G4w)UIFqs9FhE(Kw> zw)bsil}U;*k_Qobz^S9LjSWNLr>&-*3Ti6^B*97Gd7}2JIcCSIX1O{aj%jde(B}s| z6>g)tgT=MrpzNf{+@hfE%sgM-w=m}C^o(XWT$%(t&&Y_@_K@U2laYFVZZ|)@U;;fR zs_ScgAFC5<_aM%qS#C3lENj~7X3Z&u|FuYb#1MZ6Jhm9V<4~3k6C$Ugv-WahP4_|_ zSO}>kED~+c``@p8Uwbz~$OFj(7|{fCDauiot~AHmM6-6J@9y?Y3UJKIOQ@AjU;?%v_i&ekh9*zphE@7Xqw-og9*S6fFr z2*LAwI6lxmj;cZNVPz?Eey*zTyNQt6Tk^xo5-WbJ;vInfis5Q;1Yv<;v}dGR3|t~- zOBHZ@;@fJzspexfUyiAd(_2=XYB8i|G~y{v)pVn3HDQpEBp6p3bZRxUscQMU7LNWs zVro73-2Sb<2(=#*u4viHQm%ga_zS;o8{&*8=^Cr z9#VK^ZRu6j;=4~0-K1aG+BXiv)DRkB*h@B8A-NpWL>il3Z0+dH;i`!s6;2P-0`e6g z-vaWhaIjZ0626VeROwR8M(UiyFyk?(P2DlbQ%J6QMVu`z4cHf&X)oQs3?_%xRoO-#!)ni)3K`EB%d&NKjy&!QK(GM$2nxQhki&Ag% zNU}82pg*iE#pXA{E0ZpxBEtd;TD(S{wm`arh_*d|uiTPfW-xH1hw|# z_o~^0t+xf!@z0;%!kCiO^AzWBT=JC_?2n>P1BamItt7VUXYu<+Pzuz21=Mzi$sXwH7VlI&RxNu}dE2iKXkqHDn%<6hqBqEh zNj(DSt3Lz$Fk1 ziS^+>-hREc_v6l+cR#k{P;CQ+^p3wj*xCANckjm&{q@j%8_*%os8?_uhzTH}=jJ$= zNi#dgVMo+33mMCvE&)QZ*(8EvgRF5M@?mXrYI)X(2DzZ2M|3iRAHyk&ncOq@ln-HoVw~}*gI$F^QNmO2=()lu?=(nU<1ZthXMEoyDRp5bQrxt!2OTDC^^lNv?38 zrwVWHzwf-Iv69>Sg>!EoOYoS=v6={xGtJqcjix(yYK1rm7N?Qwf?g@D=_$1gI5lc; ze5fN{j5405XdGI|`f5{pf~EvHD}w>G5fU7cQwjtk&QHM%@faBpwc*X?R~;VVegGCy zqI&9$6>p%{^qgm>qK%3co~y;ySV_&JG3R&zPK2Y{P|4!q7uXp-C0;vl{@xgUot6B5JeczTAcRttEc$5IRa z3xzQ`Q;AY1)&5?#KD&SYwW9-fHb3L3SAWEw|ae| zkuOT{R)5PirWGWfk|;jOCjLavCG@MgyKR2${_HCC)o3ny35SN%SqW9iQ$Q1w;z~BI zRhCCcwuYM6B0fj%Vkp&{bECQs72n^&OCvfQ@=Uhc@J^0tW-@0K1+{@%_z7q5KA%hI zt4W$Y_YGClYRs~M?K_b1Z0s}!7c#7>z^hvmBL@!-UT&G0L{@(=DZ@U(vEn4CDrjt! zKgpbYzULD9in%`-^6W&<%_j2j|Bx)EJeQkmqP|k@YV6HEMVDGat4yuA2(7Nru^Y<6 zii~2+^C-lM3Hv=q-m_Rs!vSK7{FDS=6f&CoTtdI9Qdpo0u14YgJgbJg8b%Ie0m@n? zPnw$0!^1b=IMa*!9^M!BTtZ)F`5Y?IP(`iAbTWpiBc$kt!udlI36z0CjPZ%0rAhr8 zsftgHd=iiZ0+I^~BI4(e^3Vn$#~WjzV}43hr;?0nTLA+}*z;o44&}LN-}8ih(&zT8 zf$o+i zwRlo$RIFrnA5--J&n5JaKip(3>}nVv`Z=r@Y$=Idpb|)H2SDv+1h$>l{}4 zg=tF_skSF^q?JDXh>xEAw%$%No+`9QMZb+#;>Vi9Lbpz<%O**oSuxV|kY_Q`?B8d8 zE}{SN>Q<{!YQbhfK2}A*xbWM_s3|FIG~shZK&ZV#^6gwgspIq8SzM~&6sSMva|!)c z>vpSA1Z0>cZ!EGJg=?dG)AP@t-`Z-5!zDWHguaI?KIp^MhA;9E%y@2pHr!BsO#m*P zoVIPecA+GETHHC?D<7+SLp@r+vobcgLT{)%-Z_MrB|Ix`Jm9?{J4!Z;RX+-Fg`Gs@ zR-;g=E9$Q=nTTCo?YF5AUczO?ILmI1Dno8tQs9u9CA92}6?EMZ+IB7I71|!P>oeGc z7yZ@SpN(o@fd&YTRGbfSryGOGe&7ITBJh2gMtvCON$}TDJ>F?Gc9OH1WCJc?2SaBZ zH!7+ZN>c7Tl{=6;>6ED6}O!q(5dnPy1Ty;o4^;BsR;JxhCOE zScM`QTv&CasjitN^-n}y@K2o_aRo1g7rhwKPVrw63*={4lihYTrh}nO>#54s=+BIP z)JJ_3&dK9*`_(9Otj^S^Z#(9GaO~9h^9s{+JlZo|%aQ*Po=fQe z_j&w%|={Oj4Jbym9Bxanx>Hs3k@WSYM3hJ;b&J+e75JdXQPNLKIeX8+DhTL3`joa{8X*YmuXJ$ ziJsf8MkQa^47zbt%F@^M9=Y+lLtp1M{EO#W88~&h$&5FYE?Utyy2iTJ z6$o{NN{UHrPpuKje4lUEMUo|Y@gGuud|N$LOfKFhR->Hy<7#3-1E7-IQ6sLx0@rN${)#C>BQ|1#i0Z=7f%R4R zFIelhVb@rqv!vOiK)|<~@bW(A?bAG$&|kmJYRtdefNSqJ7P-&3pAmjZ&uuZ4lc;f~ zM*ZgsN;-D)Ku(E#NSps0Z0a4JOXzno+4SOSTz55QYH$m>vF8>nL(ElOctReCPQa6Z zrc!jQrL%7uVacdt{?zFS7!{pWL*)&1?mJ9b|HDeVMU zOZ$K8-hX64*xD`?@{7*+zxLs2m8exevLTQ<(Niq4O;n^~{7v2ZmsO|j0o>~Muo{LT zzxiq$(uf9<&!}3L#oZcB*BX*!BPvVNP2+26Z#9}d*8XJAZO?|2j&ddy-${)ByAz_o zgARE&}HgZ;%t~~8tkK5oej<#HYpcx}kgppM= z!Lh~Un8u2Zq$DFzM56-5$uXTEjV zvfNval>ga$j&Jtd0aMx4m?3jCSt%HASfX7lZBRv>;;b6yB&Au*gw|@fk=&fP)>z&+ z=judB{Wfexg1gbDbbK8XdrHe3l4gl&VOAIVCNY^UxnCdZ4W;FWSdENv+~5%rqS0&o zvSdq*Li~8&t%Nvfj~B>Haf-PiCdRM4QXb-5NHxiN{zDVZ=TG(ARx^@jT=Ia=L2r6B zY`Gb-h7Qp^6)K?(+m02RrV`!(PZD9NqmPs#-%Dny9?ot75FfsgJGxQ{b77 zO@L4w>qsC5vgD_9(HoN6Vya?8@2l;64Tq~&1G6d2I}r!IHbz~;7zs+^SiS$@{=uJ1=x^NSej}S}y#qJ4;Q5Q0>dbg>=eDaMf-w#AXiiL|OW1R{TM{8HloX1pkEEjh z+?K=D_Gu+E*#uc@4MCfu8-B_#S2c}nnKk*|2KGfhw~fJLR>LNkZuH;SO_-YDA`5ka zmu%o}jNSV9l#e+ZD`lAdj3gnCqsdH;##xOS&dCO{L&Yf(ESi|Ovcy<^Vt8VV7Xl{4 zY>l2{2#aAJ86&4WL0P2|T@2Gxp`OrKlYY_W)VH<#6!TSvx6~T`d7~sO_S~9^8^eAw z^OEBdj^A(+eorEj1ej#4a=&q{8(`r&PzK~H!z4wVgfOt6*|6-8oTU1CwC}e5g>Y)O zz2C5dpH0RKDxUDfA5#)y_BpFJczl|k+f#9~8b*n8l#$_(1&((85)OGxA;4saCVgBc zOm-KGy-)&~Xbe_4NsVw(pV)Msta35UsOp$Ws1`ArNYJ7t?CyU7r|k9|uI{q+RGt<) zrZwuNx3UrljakU!VR4?@>TvC9Xs?Xd1`+iukl)}p6GMcACfd;>(whC;m2S-Ts+qMK zk7Q)_bLZ7?Q0ne}^=#abZn&Tn*QGH1uEufwdNZh=S2#W4(zQ)fg?INc=gK4@u?dGv zgwEknL}ak-l4;0;T-xL>ZpU@*9Bj>`%s}@ZN_37~9rWDego~kJO$XLyIP~I?;wBVvtRwK;^5fkG*E)OUP zCtG2dQ6V&@+UBTz$_$cB?ekFEwh4;4qX=f9`cq#< zT|yr{0d5-EqADUaL#`!uFt_}0G)W&rR5d@B&^KXh`Nlelcyjn+VXw1`=Xbo;m<@n1tR4kG=gvJVHfhy%{ z{2ad}7jH?rt!8LyHPFCTt8Hh`X+mje)5=%Q(qHkpg#P-A^|fcuZUNgcB+ux-p;P;z zO7_Q$1azNfjE7Zu13k@}3!0E>f(ASZg%c@KW)l;%TS%V%)r@m5p})3%qtI=3HG~xN zE@Dd^Zeh}<>Oe*#eW_J=zTzs_Amcind7j(qa3zmuHrsil!GFW4 z@kqjFJhzqpDssjgpV*p=vG^U+&7w-ynyDlh_<{mWUPAxBH*OJSvYK6ZPGpOzG{j8? zZS5JJH#qm_gvqIF%32larcf?3W1~||%ER_l#z7}PvRPI~X;x%Z4zWl92Esh6B((i> z&n5H^bh_#HIBkpaRN8%SJ0dJTDv*2)^0ZYnGFS~&@uTbOg!fASvS;DkB#tKGZ@DnG z$0qmiie1D0M)yb7ht(o>Yu^-cd>W=SFa$z2M4M?@Kn&15;qyGVx);YxzCUdJKb_$I zwT|DVJ;U4_!8`#{8W{fc&7qPxWX1-$TAuGb@2HXmz08)Zy=Qm=X~x4`hfx;+i7EkI z%_-5@hP@(*DY|Svg@{W5dd}uQDlZa|#?o)4Zwnj-3Y8wqHSqd1F^p7BhjL)E+{YUaYnH)U)2)25zwh zORwV#gvkSVex$ca@ZC$%O=-GPe;Z&(P3pme06swYv>6_6}4|$$oXq#iZ zK|3~UeH(Ym5^PUZ_Pia;o{r%sbfW)=1x!X0Ak%G`3;&ps#9mzJn)vsa2q1|^FEj|C zaVjU;LYfcJfyU5h^!_G+F>{-4#q)l_Z1lJj(6G%Z;_J9#s#V+rwYgQB!`=d!V;y>U zJk)Y&lgEaBu>=NOj;rffW<+S~*Pe~b(eu21zpoIyhhKW2PNPk~*Yg0TlH&E?(o+b( z1c#OS{l4eD<(b-0lCTK7a=f&*_RR}e33#j!;Ho|AOE5R;Sp_2wNx&i|(H3wz7j@xK ztg(5K%yKYsZ1@bsCkWO_~2^%DeAdT`7OT>2? z?_^X{+EBGkCJhC3C}uVFZZvrvGKv>*4ZLHM6w)nZWff}PqFMhr?!buiQzzJI#7?Q^ zEWE9QAFC|Hi3#%P{c!N^E!-$xd+*7|Mo?Ftckq4>1}v$T_w|^IDe(OPk--=;nsUJ; z&nEsT5Snw@(nKc#)Y{n0mo`v8OEfaqrlg!{HGnqiak6LX=`qQ*(Y;hN{z`}xaPF)R zp3b)Ct+nB3Vp}s&P!+c`ndY`FV&&%vTBcgNfpU$#VvV(3k;3JaNMIo)3Zs<^q#gC0 z{l4kAVMc_^@<8Sptsb#@=<)9i>-s$rEU>uA^R~;(_!@ORwY4jQtJ z`5jpysI@5d28WeD0en+dM=GdJ> zyQW12>>vs^h3;A*dnIOQQc%WG%#+Z@<#N(KFiGQLH|ms@o*ZX99~C62mWEW&pkUGp zmprdi(EC{L?YLaRDgYkQ*BxsT}5AUv~EjWL(tD4pUAkzj)h zZGC-iYx~~rTHU8$Op=5~o6AdDmWY;{%c;KK!;bxh>X~s?v3Z7Sm_kupwIjU#?G9W2 zS`=8BD^v`r9V2@9r>{C<%3voweOaKo)Pvh~Nl(bXT#-VOQ$;0_3ng+^S`mF9tms{d zb3?6~LE&1eg^84K*Zmp%b%i!(MFq1C9qh$UXh z1}m{y3*~LkdyOo#sHO98n?l~GxxhEXy;^a z>+Q~FJUOv&oHDz6uXcVt+21-k+Bw+UY(;z|BoSl(>y}gK@b%WgtCQ__@Ar;2zj59l z?CihU-QF@^)|@XphbQk3-fSui-0O7kdQOQVz5ibCcAa8cqk4P{ttTr%o<-mb@Huos zde%vDB|M(P^4~Ft_K8~itA8iU@I(V&ZNXQY&|2?yTkzq-|3Jt=M3knmrv6UcL2A&y z?!P~RmZ{w-CZqGDGEXh=U&AtbZ70${Lfd?Yf$01uc(M$Bxcsrjl8|1Uq(n-ZC8E_k zUjBEh^`tVRt$(+cKRj(&#eb{!v87k;gbz>j%C&mSPn-!}e(IF4i>k_0CVTnn%Frke zFJ=;RC7FyoZyzs!0F#-*@%FpDql4Y=-yiMn{n(DtfNp@wM?_>nQIjX?cx!+D3H+Wb ze9RN!kpa&osxCr$MkAi0?h3WV7G-BVphC&jQx^|CurzqYt&X`8Auaz^M zG>@W=s=O335#$)U@g#e(v9|W&#j|JYUSmL(5_&`Yc}c{n=#VgG2@{fLzEKl(inH$9 zOG3W@DLPAry>s6AL!S954~18WmpixhBKkc)Q_KcE@0if{{yCFlpAUYcffOAFUPnQf z%(p?@7ldEY&~>zfl!;nlA5XSlZ|(iKbEtO5!V5Nt z_@EOLmUJ4xc*pwhH}8JDB~Z7%cWgE1O0svLou8k(IxM7>9a>XIb&9Zf9iutyxZv7j z8AnA6_F}Ah$907JPO_vYPiih zRY7Q@vO!%cPPRsAB;LwHL-LOoajc_e`t7uEqFydW?^iU zL?s^cVh2^7|A>&5eqZKxvc56TlLS8H*| z1(=#KhE8jR8ze^&hs5`>CI-C8<*(O6$sSZlUpG?k(5E{ZUgh!%bpquL)&iusq`PXL z7cBeq`ym^}B<(DfA4nAWr*z^Y_VQE0GU2ntCuM1$h!Ujlbkr~U=*_r%TcGPKQRLbW zi6p+u3u>#7#^#&>E}?d+xl_Il(B$)>uS8fgAg{PJyT^m&)eU>@4>ZE_8m{{8uL%p% zJ06|78ygR2d&K!Dq6ocQM4u)jmMF=dMzK>x{cMY|*K|AB*kPw!1+(ZnwH|xNO3>Mg z7!lWPuDL0aNErH5G3QkHlH=K+GVswRK{Ju+PoL<9I@jng?vaBT^K;c9(~i0A6W&ZM z#{D;)3+l@;^$UHnkTRX(JS-hn*cZqGwJ3ctfMb}J4^P$ z)7LM&=?wgLK&eWa(tv%FuHU!m`a4TnKjIUtBgaIl`4k%cXmyrXWZJ&{_B9YX-tlkb zi~vvTLep)R=eM)iH_!}O`t2-M^fv{;{&OERPr>pPECc_PB{$%WOH4Kkl{pwnf%a^+ z;QJ6LHK>j^r9->%MlGpn0SfQb5csSZYq#Go=3Qq=h{!jgITX)D&PA=g=15eF=mO9d z$0gvUPC%at3))u=`ZfqvXUT-IQnRh_j+Rw??fK@jwA#V@m;?pSHt*GwwJtE!EKe$o zii0S^L80S7AylD(GSjP0^y(eQEXerjH}}bZSdiY7mCgN0xdr5sXsG6lMf`n^MT7K? zKM5<<@v6x#X=Ad>yJI@H5rgbzBoe$AWfUqq3XRl&O5&TqJ6;(-SMe#h zKh6Mcu*>NxlFQxOBnbo2JLV}(1o~^--xe!iddHQ_FSqKy>bQmCrx~R&;t_>2^-FZ9 z@=Ugcdl3^Oc19D0$%|wTK0;TNsf=WQo55)1iy!bf&5>s^z?^P)CN}#g*-hrA{x)6L zRjsUPFNUY0(B5GIEGT?MFJwnSH^y+a19t0^Yof{MA((RJ4<8%x%8SpE!zp!U_pmG$ zzQgvE@a;O)?wN1es*#zBHp@HQdIQew?)~k!;`-ONrr9kT*8HGuLzqipt$^y+ysKu$ z*tq)$&tg9&7k*4qU)wUE{8oSK%?d7YQ%!El_5V6c4nUs|&25qEoqwA%tqz{VYl0F| z$D8j7et)~9%u=j{;NrI<4%eKm?@JTzReWIY%pO)QJ!bhIySn}RQ|W6Jk#Brly}vy^ zcX;MsZM`L@bjTulw>G-nZuiBrXZUZo+pYh*_VW4jzpXvn*m%D2y!&i@<8R%y7cbT} z{s!Iq8sxku7m{Ru>)yGo`ry8h$9T8&(DK0ZSQ12eNTJ>C=>NtvO4SLpJEI++dfvg# zo1Lx09q4VMZ;7wDxgi^QN4sx#-n~CkU)I*UU7;YNPP6Cze;BOB1YiK)$B+=dFIh}^ zE;pa7n7XUr`=y_QaaM594Ln&f?XQ|{dY<9UdfxwM%^^+v2V)LtcDd=L@0yj>J~dZB zW4w#?LC-pJA*%yB{^1OPdvBQ-?B%X}v%$XqJ$eZW@?3Y+8@#4`9Z8 z!*1)ZcenDt;X*k}-Dn(p*J-FjMT_PWb`tXBL+iS-EdCGOwGgc*r>D1P&-qI4h7m8=|z6QtHsBZb&gMLg-3$KH|D*j4$ zs3EjK>6&Ogx^ z_`niLtqK@J(0w@mU?XARJYbkO&+}##zdvP|K^_WhM>S@p1icmRy&YE+`P|3pi+gUe zgtu+uI{g1^t)UjppgXLO#79D!piAFQKJ!pOW2<@HZtiAJQ>+ooI`(%IX@bH&+2e07jN?Xql zcsQ}%06w%ZdR(jcz3dozqt?IGTU&1Y8WKsIA~UC8(IGdFZ01DVe#px$vnD61xfb-G zrB7?C9B4}siJuaF{#3_-!_(dJJja`&Rdp~g+^ixdWXt+tFzMTocg;M6YS=|Xg&(J& zG%Vf@IF~|ZBrP%^7N2hEDYbBQ^qsRmW&&uI7XFIVV`0*Ihc>Rm|Lf1Xb^O1v{;2EP{~OQN>-yi9FV-H<|3f_Yb^mAJ z-1h}w!(E@g{J7Jl$Kz8x*PQ=*xd6IO{#$#wHg*5seLVjU@+`qCb8=@~0BxA)sZEzZ zm9W{~arOSC;m+raxWuXI#TxE%{(KiU_O#b;Y-$U7=LR2dYW{G~H9I2HnM_U$)ozRN zE!wz_|9kOlqb~n-H(osA|A%;%zCs-oMx0H~Ft!r-7hVxoF3tGG#F{t3KRgdn(?7iZ zgLm5}yRSB%eC3(c4yP=N!0$rqiTT!oZ_A)V>)-wZV+iSsg<#B~rHbtw9>VS+9K7G# z+ui$7Uw5#fxij~NghjACbx;0Hx4YIMDeIiAb+CV(gv3;&Bye_aVRX}k&kg3*@0Q_z zFgRhM%+lQ}BYK-i1QXpo8VNe1Xu_o}`&Ak1iC!=XI*`+l>01;XQ^~`SO4Z3Y+BtZ; zySH_;^Qz@x#qOuYlsBRXw`}7&{_pul?f!SYyY}qS{^voSQ<^0-(t$5}9!xn9^h%|E z4_Z1sWy|yG*T!=W+3jwSAM84Hfg9wF>u-=Z?%@Xc!7k11An@)OIr-M|yzAx4;x2H@ zJY+ho-`v}c;)+>F;fyurA#SvnFQ4nK^YeseJ;*qh_hu)*XsYCuTA0q^+*2iL7tla zuSv644IcHGEc`24KhqLs&2=<=k7~f1KZ~9JyQu-MiFv15t^p~XK|7B)`r)4&uk`>02M?g0 zWV;6~h3``$$1NP1GtT-*i`poFzFh#JE*4MiZUW%7=YPGf|L;EAc=Z2xkmq{&598^5 zCaKQ`#6+$KZBiWGvp3tls z)z~d$^Qa?>a}NV`2J#1ybQe7TcM<@vIsfY~>i)m$-Sy{>^526zOYqa~-mAMxeLt}z z{LHdm*?{T{{4aFdFWX(6zj8R#2_6S(Oc;9 zhIw7pfGR!z|Ji%i=D2MnKbyY-HA=1RE0dasHRDxXuFB^)Sy$r3B{{oSrAtW^iP2!i zA$S0&@oYB#{R$0$1Rpb;CuKXt7imZkjaN6i8~spuObsEK`*G?=(bBoPP_zvFBuNSS z;ENghkkc}g_ZAWW<<#cJFa`)>$4O{TaZxqrf}U}V(Um#xRk|mYR+7+|KQBww-0wm%lO-(%b3|6p*|+5fasI{feOe@$Td zgE)XS;s2;?|2vrUC!PG?N@>>rWjO{q%a5{~LAue=Fs~#oO=S{ZCQe*Gum>$~S5+;a)aj zM0*A6IploK#Cz>4xE~bNNEwc1at$PvVscMNs*y4z_0&Lm>^0q{Y@YOScNpvOe=r)2 zEBxQ!Y|`O>8%4_hCalO0DG9MMd$H1Ug8 zr;zWmD6RetM{`HX##voEX}A=}8BVC@I0Fw@NQecjDqoruZh|5oO&R7hqk?dT9{Pzq zV3a39y(T6a(jQfo&D*BJ{k4Fu>V5=i;QaHyxn zLm#EgPZyAhUVY^YLrK%)mN1$;=7CKneAtrF7S<@#_vns#Sx{9!;?(g`LEW!=j)FtFr#9azhdOd)5Q$Qn{(&oH74s`MU`EG)Ia>y%)__+@?QrO`dAtyGL(tngQV<}>VMc|=1qQ}e_Zu*oGd-{L7{ z7|9b&RH=v3gx2m9A2ICmWgNhmeWb(w0FFsgO{Yk5L3FBm1ks6M!vLXU3M_%GS-=l1 zzau{LSqK3R@)R+W_Dv}R%w5I-4xMR~@)?TAy+Vnj*ryiWz2ECrxZ3 zbcq3@A)T!KhG)b?omSAve)G|9a&K*P2|yog3}NW@UgZu}}7|8?=~_ zV1{(IS8i`ZCnQ`ja+|_r&}r$AR7rKv)veD-fFcs$m;)_D@ALgZk;)VaL%xAN-@v@8 z|3CV7H`$J(`b=gF2f}!Ks$t463ecSgDdz)@sU3)P7RzX_$TaBpT*T-%&|#7>(}~uIU|l ziyhdJg6abV=UW=Zl1d9n@FbyCo z&eJ*3TM#C|K8t*1c21}EqCFcvcNQ2xnLVo@5dpyDgF(%OkETt)MxtB)wRc>4q3 zT-QYS|8|hi%Ri(rEJ9ANipz=b# zP<$X@ghVmtW<3_&- zZ7~?b&RYZOAACUlngP{~La(9uPLF9$A2h2K5*|<~3wr;;v6o0GERAJN;Yn=aHwedq zEfuofWSLWL6ytAZ$Hsjve*-q;Xdvl|wUroNLs}r`qO1ZwOu#1#MHtj!DtBAf@1}*h z$Oen{8?0jw)~1oAOf7hc%6&KE)5BlSb9|Qrv8CDaN9tYv*{_O!mMn*+NmwgtK-c9* z_gX(uVw@~_8RQt*ZOH@7OkPPI4p&O;`*lY*>Y7HOH(%5Z&2dZP4ze!1c7@S&|NC-0Ec<`=M_vB6R*LJo zR;IV1Q%VL`4E+iG_YW!nXHRX6p5tKt-v1|Me^+Xwb2N4wMkBEN_|4hOLZoCMvcf(D zbl^S77SAmS$vf#R#?erPVV{K#=KLze)5^%==FKl^rv(dhp% zsQ7=p?DGG#Q!4mhgUz+cADaY&Lfq)p3K`Q%ZwtyJw`9){8R!y-1CKqGUu4;agWMHH z6aG(zW&h89zl;CbPEq#1A8iu?3`*ybrT116XPTTAlr;sT3g-mW@=|t&(B^0{BM}!y zxp$8-82je>46Vy3rJ4QwiI3`kk^E={%4737FMl9g6Ty}EuMD6c%l~umvOE7dUxvADtZ&4kvRds8iJ6U?fKcn~T@qA)6wJ!L?nx_Sy zSoNq7#SPqcyHoPdS+>|wJHu#{|I6{;2b1xnJO5iLUHqpnz%h2Gi;unHzt7W1ki%sE zZ}$K14=efqUyi%`zgEgl`TuL2M&*8~)gH(fnqfMc24NHT&!c*=9^Iw1s0BfHl=E7p zM{(@6ui&nv?u9mwdh8w9l{U*-`hN)J&nEhxalcIeNB!>prhguUz=KV?t<^kAs`c2HM;TX-$*X9_eS9_Ndy9BxQChmW8Qq1D>pD zLD4+Bje>cn(POD+c{_Cq4E1?&zOqSZUt?jwl6gI-40a@mu zD<$)Y|2Uz-5 zrk-`i80D<bOK}ga{zx!C=JNRTIFEK~LXz9vzb$7z;6JY zt?)fw?lF@a0I&vilqswObfDR@&A!*$P&+4(;K}B-U!Vn6oTQ0};fJA=K=3>fOBLD? z+D9a=Mu2oqvJf^p+RKJ4kj@?SYJ3tB9;6UmRO{A#jA+(~Qjiq_SQTjdse zgPAaoRNeP9jYWZ~YGAIlOlob^2S3*kPPrIR1rjBqjTWzC=>FVgGr?v*7)|=0vugbJ z@u=hfS}7axf7;-_7M^pMx@W$@QWII z1Acg*oVLl62!PQ1`oo8TPHp2fsodBBj zfBiwl|9{fi|F%=~LVtjTHjIEeUo){fJH7FzBq9L;xtJ$@fcYhka3Cl%C-Mn;9RxVh z$sOXXo(^dZ(cdY@ma!O1Bh1k=72kJ81da$7I7A<4$e-(0=e`JLKl!&f;<@rr$|C0y zPAqU7y0YJP^|zlAhT%HL`o=}SgECQm`vTDfGhcQdy^CLDzGYX1CV%@wF*IRFRCu6^ zG{QV*KoT03=U`=z*Y|pTTeZVcpJgK|JV%A$m0szwmY&MS%00_eZmaeLuzGJl3CY(* zTkVxiRy6~E;HAylJ@WdN`~R6Oa^AhirbAtMoU-ElrwNYvj7&uv`QJt_Yx2K!@_#F3 zU;e)s&$MInzqHbb|3}aN)*p=eXVv^~9sl1-IYGZ9IKGriy>9@JtfBQ0K>n1m9}ep_ zailO3Ino#6NF3d#A%|P`YslV|qCjWQ0cc0ycQ0Em$xbku_`k_$Qr7>R4ZHXct(4>3 z{~Z6Cr*exk+UOQ%S7jbHO$IcDc5PNT?iKyOv4 zHs#tz1S-{h#+N)0(Yu(4H!2SzW?y|w^)IQcz<;wN+KB%;8cr(qU&DTv|GSlPsQX{D zVH|z#UA}#N@#b&W@7}-u0qSj)I`#aUXO|yezxna{?{6q)wg~rLq zjUkS(z**%w)6%+!Zi45v&jTj@{cm-jQmfT+k~E4+5v?Jm>$&qp%{G!X&^OO&mgKpy zpXGUNHb?F>>xw18DWg}E^`=cN92rOa8FiBymX1wL|JnhI$3w6?3R zE7?Ev^eOtwU)HyUnJ|Me_>$+T3u9jMH1IcqEGt?+DjhB_Qcw3)&u);cp4IcU4I%He z*i_RlQk8+fO{l7we$TuCziLGxL zzFpa{+^ni$gY(MLT;n{t!!c$gs7HO*oiaLiU_ZDvyl@l@W{6xN5789XkXn)gOm8q6_HMqDUq${k9KwNi=J$R_C3#IQ=+asM%fMrc7xG${*SBn|D#D4 z|FM-)zW*tm0$-{Z(4nt~PCvUb*W3-6wQIf>T65v2GjD%(UZ? zNM*eySL|x|9&M;hxMbV1o(Jlp!ZHHx)km68-}F{itBozO-A9#p5a%}Ax@jx-c*zB2 z*xSNqeYNUnL!g4CT(kkU9Dk!}hO_$Z_wc|AaRBi?geBK08vs=+mCq5@cPIYtFVUXHdkLyZkxY9D1JAC zJ1_yO16WU7*Vb&aSBIVO{o=%|tn@iYidjMb^>ylDGQc#^|6zsxk0;}PNB`R>JKg`k z`P=J@k5%uF8nXbskDTu>et9pSPrSjz8$3D5?(4zt^Fif%=I9nrDZ{#!PP`b+|K6LdkNh{ShU zCqs&%D+|i*(PD;U{YKV-Z}kbP-CPZsLLuQgrQ(x3KIttE{FGy@RWE*EBFF{41oux$ zV&rEw_G{XH`+(U}w`jtr-eSbCI;}(GtE7|MpJSDtn^XB<3949AZ6z$-t%|KfLPO-b zT)Q)V>nF*#ddf@!n$B0}GcOJF{~#G)n(RNvqjLW5@wngFf3{Li(65?A7q9;oB#O#+ zfaMD;lLiK8th%f5V??7+J#sWzhcvZuMofwD>NCLlahO%w>#FQ<_f1|a7fuG*O7~5z ztp8SB+7U(*|JNUk%KHC7=l|PIIfVbm{;J-UTI8z2`SWlLdBh=a>oKBH`2fBmUHSS- z1N}dQ`nQq)JFD7%optV!Z literal 0 HcmV?d00001 diff --git a/assets/elastic/kibana-8.5.1.tgz b/assets/elastic/kibana-8.5.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..82d74061059f3a6f0c17643978e936995526492c GIT binary patch literal 14464 zcmV-`IDf|Dc zVQyr3R8em|NM&qo0PMZ}TiZCcIKIDL{}pFKcY#@)1PbkJX6ar^vr|6p0GH62yI(F3 zD7KPla4e4`hh_`^`}fhCEj!K&l%_MY@$NGvwsa&N=^P!MH{Fmfic#ZmfS9O{(J=bc z(?88-v-x6oSN+>;Hp~AuU+(SvX?yqi^S$SL&E1{ne`;>;?C$LT37TJ^FB4D71!8|{ zes){s!TnAi6vtE`L1@fd9zcKuifF$cAR!`LC$te@CPBH^t@qff*j?bZW2 zY+zljA*=bS8uv&bA=|?8OWhQ!2ecu-@`mngJ&F6?5Rq6Q5@W_&o)374NYnxc;D6_} zJpese(_ODHbWT$iUpJ`o^+J2+riw4kc0FZl_dTJ<0m z1ImaXnE#VRxCH^K2TYX8GaTYr5ERXBDJ#Z3kKrUD0pcy#_PjM{e-sP>jz@&ic!*;G zBg6>mMwo-3fRY5qq5Mk>2#1)4_yfIe;Jkb=5xp>FDg__{a9~ z`PEMcXYy+XMGWwj`tzz!F~3qB@z&rVis&teF-_$tBZ|T)cv=63Fg7C6HR?7Sy(PUe=rSW_?>NC|OE& zp11TsYCTHp5e-me)?2NMn0?`qA?nLT8q(kfGk2#neb)cfbis4fZ$V9MS?0}Y8bzlx zBEh%?wWHoK6{iey9E+NqaukL{_nt$9x;WyV{-*_>?mf?yZ`6x~h6km0Ye3Mjj)v&p zG)A{v?WK%L?t{4>M5*K^l7nQsF95^8rdTpcMTS9=N*pzt&7r2tAs$jDySwuPk#8b0 zBnuYy5=I3LXru)U&*PYlFq3S#1+}J{g=Wq31{g(Ra5%uhjh@z810_j@%L&3oVW`-T zp~W7NBunCoC8SFM2{&Atp|i(cZkulb@xk!`oKySP+SWO=Rn%+)IZ+0yt8 zVVW;EH4UGhQ(a-~w9JMJMeNGRrhUz{BUhO@5ZH}Sw-Bbo;n*iJ5sG#U>+Gg{+@&AY ztAGxNC=Oe2v5tcQUEhNB0Uobk8pua65nlv)nuJoc6ATI5A4}wjaUy5oOm0<3;99nb z^N)v`c^;ig9!OF68bv4$3`rNY*i3taq_M_2Mc;x7;s6Af{>y4Bu@u=K}e6%J5V$HMtJvc7!H4 z<^lybS1dMg)+JxWl(3r-@MSQ6%m&%oWMtSW1Io z3wkKxa?J-0#m0RSe^m31#6Zu_(J+aylqA*Ub`*mr!IT*mJ9LiIUoT>yf zqBcM09Z!P*b6$cW$Pm+1WJUM9T=vq3EImv~q8%LJKv2y$1&uJXvvhIkpwg3uCXqbd zG>%Ws+nu`jD4wp3x%%H1FH8EL-Rh*fM<%I z1|ot!7E-F@;46)+(lzXV`ULeet*5OY+qZCk4}Jtje>+h|eZKW}>TreyBY30_;^t^5 z4*+bPLxMQJr7WE6ggxCa)DQXLC#~O{sYX(rqQ7t&Oa8vU{;4hx({vb zF8HDMywrD1NYxVg=MTWrC)CVY%QDg$)ZzZ#$K2Plf5iaQhf?pe`JbTws{xJ@%y?ZS zPo)Z;L;u?^_R9L-z2?r&ivE}JeEQV*7Di;)l4m-l6_8@t{!pSN7~mFs+ql2?WGS!x zF)`XSb)2w@OeMS2JyXs%=fP~D>P713A5j_!sB43x;susCUAX}63;Kg(GCmD9q zUXOf)nx6y1aj5>*-8)pL5I|WQl0?SvYl1C(+M zTr$6Rxh7K$w?}XkazG4gbq>z;!yDbPLdBcojx0;!zS2}|PRB}4zIHIAmm#7oBxPl$ z7FY;d5ziq#Q$uR)=Mz$3&y`bR>n4oEq6f7i0v=oVEhBT1y@jeG+qlqG(J0ohE&TLcAqUV19@rEbwGK^TAJ)!nxK0 z^-`USafm}zp+xmgM|97035Mc6hG#c;yamscVq3D*nUz#&xW8AZFm)VuWFZ^oQTl0T zVTfYX$C=Pq|An{UP8%0!%!Ss%!oF3VZ>*~q>zm&@WqO4IJ@r+6ZZzNwPc!nV61_AI zo|F{q;=);@f_>=mI>RWGP&?x|*sx7Fi`S9c zit~K)9e-;Km&G2v`|!GbcHBO1cdk0^v!9L*+gEQ-I_Jd>+GrX2zs=ES&Og84@Avd@LOz&g&jO}Pj8sPx*twl<(= zpB#+ex71IG!uy8#)5XU9^^Ac%3~(7G6QEyX#4xK^P3sMo#u-kET4ci!%(-5Z|HKSe zuF(fT)!r^HE0$P-H%OoYEhs~s9_LA-cbNT*yAH7!(69yTZ`$wM=k4_^^B$#Q&@yCf z-vy|pNK5~||9-L+eXN?%%BdukN4BAn@~|c(IE8BaVt`SoY+d>GvTpo{{;js(^%ks~ zIhV{TTLD{6`5?fFkOfhq9EFq(@)u6yb*Gdv4#&bjA18Qb+52fjedwJ1t_Ew@?9W6D zKnzfPqx@|w*(#G39bwjs=&iEXDIW@niN@Z`=g)VZzuavM=&diP9}EzQeOc2tt`S7nF~=HA21i4p%Er^*Smy$XlpoR%x7PDI_58JE1p0}v0Kz-kfCKxG z#>VzuC?$n2F-|b;ZMZn7s~?>lG<>rUwG2cJ{_+=?RbCd4(-}uT;GBXwKDUO{R7O(-H^36p=B1Z z{<-F2?K|$4?kThNw5YaxMcq|4a?kjgV zT<_Nb#UKSC*lq3tWw6(5W@Fkag5o3&ur{E{8tWVqN@C&Do< zYofhvP$Xr7v7L%=3&a4&a$o_94FDiw#?(xs>jaG>io!BI7wOc_>n$S!SJ%%6bU(2i za2#%A1@6sXh8{AWtldD`T5Q~|?;7}q+Nc3rxm!QavD3A>l_khwqqRwYql>*ild@Avumh8>_W?fF? z#zw`Ck&jGbMvhEwIi*1@)|G;YWST7QF~tQhpi9Fs?8E=-oE+B^#5m5%7nZIrtWmVD zDrtLB-T3Jh$g3SIq>BO0JMo%VW|)g^&%sG3`_o{HXg>zj2!JA#q8 zzp<{XtQYq@DFQQ`AZDy=-&w!ni5883rFpU%Hdla2Z@f|57izh}tJZ?rXuGym{C-2? zP=3*8i1Jsf5399G`wc)XJ9EkE(@tF_fTo(MvFI_Z1mwQdNy#ZB#FGU5n&R>hrgdLK zZn?8pYR26UH%k*`EHE?YX_6-1eb+HX*Go*biY&?p&aJ95#1?!qT&?9Si~G$2V=ewQ z!OSGDcmiHlqV@-~ohj^PF18E3(GaI#dMchvC-AMRBg|$s8Z|{4zZuxi)N_dSM;AMn zx-7pXA{fAiDV8HSKpexm-cHtAb66_UTEv2WPcx@Hx@$e3`O+p;50D538x;bMZB5BQ z8|588(>H!3Vq@FgJDtC~45ORxi-VHuV(OT(MKi$GUAJOj?q~|Dba{g@R>LXd_z>U3 z^ftEh?=H5=roM<_YxOMjOt=3%T`=H0|F7K%|F6C0J1sqpMm!d)1erllg5T zf@~H|BhEz2Cn~fzr^SWa)X)5B%l)bHIt$F&#LTIlmsibVT_{G2K22BTtH!rlecGce zz#I@T%vHnyF;10M3WEXS5Da7|L+y*{!kw{mJCb>i^n(EoZg@H@5aWjO=XhWO~j!?KE+_f3J<)ANWi=Y z6+way*5FX5ONqwX<6f19ZbX9{Yt{j+!{=EQK~X}y@(6!S0$xhdKlBuWfuEU>wk@Ty6j&t; zXz$O1!^4vg$LHrK@7l+cEvUptC6k-pZ{Oju%4`IsXJH}2S_LN{sGKX+pKR728>(N$ zyW8<-)^@Hwmk7HQ`{F{>xu4t>Wz#`bHDF3l2XBFt1LY@S6-!KGMKTUw>Yu~6SpDu|TI36iL;1^8orX0K>T=~DpoI`*DWp)QNq9lYKi6Xge z$ziau`FcCRF$73|2~rkSz_dwSva~vC7d6(VH!4LFq+B^Ga1MWm=k>jv2{8C$LYaW$ zPUoug=JnNwPW$Tc;P7pGKcju(|9^jI zpM%fA_j`y$;J=@24z#b#1^6-4o_(rzi@&eICH&Z73mie2fCB8Mf|Jsu)Ca% zMf{NnXg&xJD(yl|#g4S#2P(9qnetA_+J|l`i zRoE*ei4;!9nRKO-+*IRuBH+;G#&9`Ro-m^-3^A**2^-qev-6mV^OWn50`FY?Kospc@nrV!6OC0;2}*niBq zd4V(YQ=FGSz_G|py_y~|43JaBF)+lTC1R@!_~yVjHnCLu&_)Q+*ZrR;{p z{rb&!D&{V;a3AS<)#mMd#E-URPw0ScM`zo#EA_y;B>~Rb)~3u~P&AI2*VT5h$vOoq z=JfNttthOKR%lzXE#^*F2C66wO@Q#-+?K~eeTs{u?=PS3Mxl(Tb8-6-7Nm96s? zDL&MDmPR5jHi0agn9v=lBp@qj7qSxCoP=`WPC&}bpR1IMRs>SS<&=;j z0WRt~oQ$6NGmS>_N2m2H9iQTK*u_j&bPqhm?YcPdfmXoH9=wBTo#fkDCdpKBdFl9= zjt*<+RT#O;a`Ke0G_lg%A5;FG%l{|#e+2;`!e8YX4ux z<8GB*B!WS{J^nx1t=Jmf_3;J0z~-lZ`D3PdvHQB@J+#+*PliO86s-kME!Vfk_zqbk z*fAcdOM0NvpqC%KRq%lC>P8$6^*Ls_&oImtlC3Uq>W^uNl_p*OQM+{DAl5JFq_oH| z51yO0s4qH}XcwN|*Sjht#Enr9|*wxC5bT~@$QrlQoOc3ET`R)_st z9EZ)?SvihJSuek${c@U~b#YDWlj&M#s5&R~t)(1bkMB(dpt9H8gSRD^<-zt9oY5A; z-RC-+O`Q@WbN;B}nwu~8_Wn>>uGKT`nJND>8sR560L+X3dik=f|9i2wx61#$l*g6- zSr-L$43g&4 zf0x7|iTj_!2IkQJ_Rik(BK_|)n=kiP^uLVf5%m9BuZR^JSh{W??f!xTVK{-FkYYHE zmkWcB5QwwnC6fVMI(3QDQ^^|48P3@m9^JTQYcm$%N+A6b&rJSb%ue~}EnuGf_hM(S z%>Q5Ptn9x_c`AeZOH5_O=$FjsmpK2E^q;3xUz+`AZ+p`Ivx@&;%JXphkF!3$D(P3J z{{JJffofaOPV)%}l4d7jArvpN*~j%`5&$<+s)mTblF|0ABc{C^qtzjFT9o#u9P zrTjnaTf`W&hjVp0xk1?*CoN^GN&OiqZc; zY=IN>Z)kpr@!#7ocFXsF?=^Q;{+~;ErY86|JYbo*zpE4G&b)HJR3;D7olHblh{U$_ zo-h(y*jUnX8#b(T+VCg}U!w@c0cJ<12785fl~5GDE18>7{Yw~?9 zhba*2V=*&_Q#pD2jJ)X!qSm2mP}=oJ)k5;~&u8Bz~NgqcLE=je1T%tVVTpE$u539$cP#0nf~+(q3j^3vjmeH?$ye1>m>Z>Rpn?p=ub;tVf4LJ?7X}2vDq$K+{;RRYPVMvSvOzmlrs=F?{n_Q4xCYx`#(j%}OgC-C9)&B1wF zLGU~uF3xl^f7u|v+*o7I&rSLLNZUwA+`rsdBiWBlWjwZD)h%>t1YyQu^i2SAGSn0~ zODcooBi~l@O*LOt^Thyb57WHbM2jIF;fN**Rg;a%*@P}baWE(}=+vrcQ`YizEj9WN zic{;sr}l6Ch0FCAQ@NLItflgouYReohh|q+EaY-yEpUIU68}8-pUaK49{Sac>n**N zbFI0VPNl3jei{R^xsd~P5qn6uW~YS4|G3;(8_-){P+wQ|WmUZ@eH#17w^jX{@3`+) zEjFC;?BZ}mWcCgo*g&Zm;8>7AbzTwE`TNc$m_)Bm4^p0mfk+s>h2a-L_$Us25pmx@ zD0ak56(mvGCoy-x+etKEO4Wu+H%zr}gAMPq_mH|!R6*Yq^h*Wp>=`Vni4UBgn}(Fz z$8VmLkUwy&Cq4gmesb8#3xryLlcJIDtD8HNOlmvf`)mk45#W#D*+z03Zno4_A)E#9 z3uS$b;*g;bHB9;J)CRtw&EWC=9LlJy<5L?7H~@;aUQ}ZN({L^S4Ah4{5&xaKg6zBN3}pvf!`hn1>XP6Zt*dJ^0dlyFN*+))pVoTqcW%{>>HkU2d9XkA(oQmyyp(yU>%Pk z7vS&kkps|Xvzev5JAd)#A!UD)&te0(^X}lYRYr#@H2Q3OIleZd9sdXp0JbXBN&ozVBO1M}q26^yy z!F-W1efDz)*H$1Zh9?dY7nrsFw$p50S0H5~>hRiyDUqVC9y0nUc~ZI1p(B?UH~CI% zqDd~zW~u|rxhvNh+y!}a%Rx#NGIYphHqeUKbaf!4}(F`y*DahO-O{b^l8h}E7iMMbMK z%W^zC5-As#i|sz8JCvqZszeIy$&(#1TK+sQMJ2YbMG{>@FO7q*A{0LqDeZVPM@o?} z+v?7)!a{i98u$Y9zxZq$ZXZ6VlGe*McQt%zvB6@d~6$?8w%S}i}J#`S^ zSj+#al;Snk=T%Us!F9nO^%{J*w$83@kASk=t@RpepMjKGZ84;ju3eqE`wXzU>PL(D zmQ9u}gqG63QjjSj#c0r#ehGzRg|0D8l}dnBHCr-j zV5=3rZan*BtK2tGl30c045TbjOe2MIaS##2=dJwmDcPy``_LXdfPAc1_5%78xl+^x zzsd%oS3)kws;Nym&X$l~gKF7urAKv7(qG}ZgX_H)&Fw`_$)%iI^T@}+!bPd-<;A6r zXZnpkcW`~wJEr24VUFWztDuM!ecG8$Lsh%aMY*;lBu@1zlAIwxv06O{5=KUnB{1A4 zT(GgeL6xS)ujdOQBOk!Ruo;&Kee zN@m5w9%VzMg_}nqWnsm&j@4U$e#$FFS5#)pB#HDL(}1GLu9Sp^%TOIH{yYRJ_R{|O zs)Naua*<#8KcMtRqNu*KnSbc>0HiE*?tzN4kG3(ZV~rg015ZBJb@x28l;;6wpO}WY zW1veHkj4UkoGSm8c#5Tt3tp^lS&00We08&+^E_ZnP8gwTNcOht>6*8)iR0qbt*e;q zG0hkU;mRvjEg$0!Unmd5lndx$lWr}99%1}Tnw}rPQ*4;@f?~ccZv5trl6r=Mr4EP6 zCqCDMDBI;V5Up7mpb^egDx635{&}5L_F65-Cqs&CdXZCdaR`g?l!7ik0{|C^1o4|y zt~`Kz7*-DI^ToG2S8ZTwfp#yj_<582VQi2(uET)d>KG8oa5ulyXcv6$;Ch}iB}a;p zFCHqqWsEk1;Idc;Kfjgd0V_oteiyJz6p(@uC(&3Zga%}+$Dlm)jH#WI5SP$XhYuY0 z(#W{3rm>P`9W%XF&{5?CV+_&@3CN2gWnp~^UuZvm<`)?_qr=``q z&xP4129&GeXLayP~T@JGpbh=|6SxT`(D^qy^;V~0ot1I*!8yC@8my4S?0 zJgM5|4z8PZ^}kso&5)Ak;F`Jn6jurzVRp-i&_q%*L#=7FCi|@(HYIBtr$ame zMOjF_3>#T%ML+$z=lzVc2u>SQQ8f0l2=K7f57S)UpI*5~bha@na}AMUUORR`IOEE33hEWx+c+QO092w{8_q$E7BCCgP#y6M8@(*BQ;E0p0cI-7Wy>-8 z7bXVEBT$PrgyQO`!@p?i$xb*<#O|_kokOqHtvb20buM)D7#$YJS~va+`u3VE+Ly%H z2dQR~tuMX3(lm&0$}>eK-(IHpQoKth5|7!6Z}`>m>u^8rnxPzUYUW51xD zWtCUTK`?&7r}&~^!!4mqk7nhJGHD8?K~B0xca zIme-w2X{?(!jlz@FOej&{9I6qy3Qkx8kTN#dIpEllp`Y5;>+_aNV?Z~6G{cOb1_X> zK@wF0uB07}bmZx9>_Qp6zRfFjc)C@1iYUENAHq#jql*+-FIv7Tr#vE=PwA+Di*Wr9@8#H{8M3VpJ+qZEt z4C!qgQ50sr9+PwC5w5HZ2>NnnifxH}pl4EF2Qun;K3j4fdH*=ek@SVP* zSS85(=qE@B%=AW$yb$q0mm(HwI+J^lm-Vrwl4lx-I%g#Qm|yB=ufcP!hw36eaDMuM z^W)CB%W3T!bt7J(IKUblna)DiFX!{S*H<6T-m5e@twtlF0gB}EY3;peZac+p2a>B? zTtMyFMv$@yd=5T^Mu4U`begR(*JhMt8Q_-~=6lq9k6&y|2|l55C~ zt?>(|u`08E(~bR)ob|M>c^&+4{Zq}Xw_5AsQ%y?OwN|Y#r?ssb32Uv|aO}K6LW{VV z*IJ)yDhRt!#Q(N-f4`Lh%=+vAbKg~idoLFo5-=R+GgrI6zr0`9Jk$iBX0h&BAh3-9 zJ~=)=J9_=${OI_HLZGkpH^{|w%8Wj248NwBE2-Q=U78BDAGsmZ%Ky!T#3qc&J+|(7 zc~D|2i{8#dL+XS!LK^T!K;r->f;S3+eFJe$`mvwT&{r2bu32a*^#Fgm zF)1sK2)=FHQg%b)zRq@FCcfdoYj~9r(s?U$vWj#g+HI(8RTW^oVo3HQfV%a)f{?c` zFu^d^z$VgxAD^7JJ9Y68QRLs?v9H7`KS6|XpTs`OOZ$lDAbqE!e%42Ciu}Al*GVji%@2`4zRR3dTnnyj z&KcmE&iGQV1_HL4nP& z>SL7`!Ml(xI91FA2wuU#doku{WLxgXSQ!4;Kw+qImJoFXu3A-C1il2$HS?5z`bam_ z@FskP7v2PnnAp%qoyM9y4*2?oH|cHr8FZ4QQKSL;#x>WsuDOjhb1gDbb)?YlryO&= zru6aC%N!UVk68nu;a!*nAEBG*FNb@3d+VOR`Y8!<17~ZCu1Lj>6 z9916GaoJ-F#ZMT$r57uI@q3hM4&fC{lMkj_W5MKxa;?qk@qER+ zYj|bb-;>O>f$1AXrfj8b{&+A7Ohw;9vZ$DruIdpamkWd$RKEz-D_F)JvsfjrgwBwb zL27tqJJMp10hvS6lU@ig zFaQ7ZopS!~z2`6YR{6h|@tFB;DeaBtIoAQ`|JzFe>;kC|Z#?g;{l0zBX+vvY9o22R zNPEEcjDoo3{g*n)8>SAve~X9!-xp+vX)5-gZJZzd*gpAiz6rif3<=LR4ERmc3(u2% zYh_CIKIPo=l9ctaZ6U;Ny%nEY{Fz4oPkAB0-230QC+>gS*=erme;Lo3&DUqFwbsO8 zJVT7>OGQSSe3+Te&KlJ(-3*YP_pNb?$uh@RIY88%as{7(%vxS-r3KeRbb~DqP`NX$ z2S8aNl^|sJo*s zFD}i(&@&`oN>~?PPNh4+th{M`dx8_WZ9@WV$Y!)CT&9BGtAM@Oa6hk&dGg=hi_-nS z+b{O^R`TCc9%bV704hzr%EHRk9WdJTZ2pFwW>ft(f}DEMG}jp_Q=vb=NPFK|n{@5K zy~n!+uQ6hnsap@*@u=Q@f6zHUI_$I$&JN#Rb=qe?9UZn04i8U09G{<`ylWrd-`5nZ zE)B;y)b(1N4!fAuS~ayt)z-ZkgRyB;78y(qW;*wL4BW3h;iYG)0`dt@fb-~ocW0+8 z|GnIOv7-NFJjL_hgO7iD`N$KRHW=FjS$09N?;D>jXPe8;b)R)ktc1KeJU;N5PXAAL z0-SgL+kLrPrvJT_{%1MQ8f32V3!DIHTy&+kM?&L&>7EF`@_}&LIq%mLvvJ9P{owS- zIq*$AMO7W);BR`DSN>_aydmEl!Pr#k`8lmE82%l!Z4_Rh|V|1aa2cmDewA8l68 z0?%~%x4i#zwLgo{f7$-`;`z?Y75y*c@qOR(CKCloa_{jU7)_HF#Ay_H9-l11()fUX z;Fy^*UwbgC=fTf3_tU3z0GN0FYi^hIzk4sXSNH!f<#|f`f9ATpOvR2hx>YN9>|rj% z5f(OL)ZVRkcc(&rs?|WA0o?Nb3&#N)E7!>zJl=oyY@=|EBOA^Sjoj#*9~{2B`l)@^ zIXXGs1Qn9S2jB-#`@4>pN^M*o13wJl>cId1kpJ(d|2MdU0Y)MC!Cter34i$u{9isU z6aQ((rQ)LNFI`~+=&Oi*xBw@jd(9}(W+ajUjEB>dr?MYfmEZDSt)-C)A$J z`zmu>3u^C`TRuiz*h+y$(hl2J-F3Ie#Qo(K+W7b;Mu22Jl}hsO(t(-z!{`$=I!2eC)=H9G*jQtY;AJa z-me)ijzZ(bjoZtSUbfB@F_5i*qCO?>)yxr_@5O-k{ge2Ovcq`)wFYN2ifAgJ-BGta zOqgmC8Y&<<&Bi`TlKrY-j!P;*9)4CEL_WKi<^4oR_}sFahA~Lk*?`aXDpE@{et!jOZ_GD z#n)b>tLKY7i>-jqYhw=oZ|=P)`+vXKd$BtIE#+Co|2`=GH<#c4AR)lh=>G}T|MT-d z?M>+aw|7?bzm#XL{=c;FA7llntgDpAd~r)afa(Dg^A!J6nsU_tUmMe_XZ5U})$`kW S{{H{~0RR7Dt6wevSOEY`r;xk= literal 0 HcmV?d00001 diff --git a/assets/elastic/logstash-8.5.1.tgz b/assets/elastic/logstash-8.5.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..2d44f76f3d991fd4d1cc8abadcd7b457d389fd39 GIT binary patch literal 14260 zcmV;lH%rJLiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ_cN;g706f2L{}r{Q_xV^i4_!|9)}B>lCGjMdwUV67eER%M zup1;1H5(lOEr}ER``f>Vs~dgrk|@P;h?y6QXq<(rLRFzqi0Ft5#K-M}F=C=MMU&`n z>rS0cr?a=SqyFu5I^};mFZTBS*4^3O-re5q>}+lSt<&A^YU70^i= z>xykz(N`6@M*`WlEiAvZOtDr#+wv=K+X1(dc;rnGi3K7tX1wS5fG3DVJ#d=*-@LvD zpr>qx?3Dn(Y03hu+L<%ltoUUSI{Er%^nZz>6!SY_0Q2d;ySw$GLjPMYHuQfl$@hJa z;Uppf;yvhkUK94Ch+c7+(i8**6o!D}DFiegk`W9^ggKBH+9_vkK1K{@Sk~5M+FlcQ z8jJz)3}0K*NdzbkWya2LTdjoAL^2l4y{6ZMBPuY6F%ob!#xc-K%oqttJSsHs9QqR1 zTVu*a4>~RNzdrCWO`{M{bcLoI1{g>jL}`dauPG-mK^GW8JVa?EAYpWXIb2b8(eiBD z2Wr?o_~WzJghG!!_$0FcF7ULc{{o0H7dVtTpoqp)Do)F-2`^2-nZQj*f+G^+`QWvs z+FrBSglEs5T_F}fd-e>(7&8on1A;MPVL(G1=JSxNBAXOr3}k{v__+lz1|ncc7#A5V zj!hpGXvkKwNs%~71^i(lg0FFq{{jf;WFi;)j0QACLD>Pk()P^126&pHI67 zC-1|5oRRNF@4x@YKYqFR{{6}6cNwXmgnU$7CM8=3JbaJBGx8ncC;vFPh`tqNTGz_?9V-1k_k0s%a<*LY1mirGdFdQMZYK9v6j!4s2g0!Yjyla!4mG&C#!R({gU@5!BLKO%@@gAYECqz8@e)(f>eb=A~lDY;0z zrx&a-q_h>$07VUxF+j{_c#1{$pb^sG0y9^n%(#>NqoE6*p-~SSO0qLK$7vKD(})Dq z9yHzzkEl3inB!PD-%lMp_7WQIJDPyxab8pMS0Xb|#34ch9C1(oqYKz!`~zL0cZqDO z;s0}T-5r7d&k6628lJ~+Ca3~1{CkSIP=5miNh%@L=}a2x_XJNUljH5~ZtuM%GBY9* zQYk*Oymv{Xbb=2eL?&l=l0-;gSr-KX=KL)U)gm=cFbaQVMBsOEfEypwxSTDj0~9DtiDB733{k|f2f#7ABmv$J0*N1GV3xlhX_}QYDQRG!ivu+C58WO# z6f$=kT03%5eNMiPP(OCDJ5`u-qq5q{K5QXs&!#dI+h{=>&^0iASap!-obbpAP7? z$uyE(56&Nl^zn0eoYi{#!SwScCgL9YGNKUSiaj4QLM3h=M2O3+S_l%4xYR&GJR~s= zfy7=jQfyD5z{l8(1?zvKS?2@QG|)zv(zMhL@a~} zMlsh)+902l>O)P6#?e%6!#o({FpVV0hek6&3Q|Na1W9Cod zk&iD)ps)pTPDZgWkxBN{Zp#1qwm(n)%15a8UOPIaF3FnrIlQdXY>YmNLtjENAGMSj zDud2dZM`@lP9i#$=&4bKV@6OEO{ly$om&Le5g(Y3A=1JZ0{LUn-{x?WS( zR{FGB5J4r4yTb}oCP$@=n>a>sfV~O2exH|6W+g}dkedU(77~6|iU29sd9KW$bEL>! zt`ndH4M;?kl|^mjA)`sY=kNdgvswbX37$|Yz9$jpQ!entY>B3;BO1%k#Z0&VCj3aR zAfghnC|n_;4aOE76#Ef0fe}Li9;Q(=^#o=U6068L&gDU0k+AC#h{0H}$+ zIBYL(-!oPoDQW4y6)DTl9)M(g1VyiLgr=uBpmE51u&vNIQA?g>c4eOAS2Pt_=B`A4 zM52`8voXVbOrx*|+fwvSmBQlWcBLX!gu|^yxpx1982@k?%Ir#Qlapjz4% zG{Vfv?NaZReEXd-hN?P}hAWv~M20w+29W~1($AWZFnlUB|Keaw;YS=rR2#fBFX!S^?sG6kaTs9+uUzSVf;mSct*tim!uQ;_XLMKx2xUb` z=80*7dvKr^?#;2vizo`eLy_Da*qdXcV>b0RYe!zUi&|{n?dzx?A5Xq{+Rjn27c6|31iV zBEb@jaSxugKY#XQDev$)F(+k8q_QW;%5|ybnR33dNI6ulDcsLLE9I}H9S$Y4fYvYi zq|Oz*;geL#;{f)y)t_W?nhuBL8XA7y7>+~rw;teuI?e!;^`R7U_&r6D@?evkNDaN^ z{fc$#s=SbW$Z2pG-~go@Yen>@+&ZErJR~?WHYs&7h4Ul&CxfX1#_OX~Syt)H2@aml zgG~zR514UU6$;!+uuoS!^p11T!O{({D`6aP66Gmb&gvNhy|G#*n$oWmPtE^si zC8ZXrED&ar#*|z-L^IYc}k*v1X$JPBuV6t9nKUpEBq?F>Xcm``6RTO#W=j zUM|(}f30dyP~z*qZtWAeNdDWa`2W7>zS!FE|NBTKwo`P8gU_Em-}lSjwihH0dvK5) zrcSUxArh#U9U(6x?iuXzz_=D@r4%Je4;stV*XP}8_t7<6_GLehF(X2qExHowsit%I z1iza}Pdwa-K<) zRel7YfW#q=1?B?DMY|2t*+-`(EWf9@sCqJQgBsd|K@~a zeOG}N(Es+Bg@fA*{^@C;PRPA+x(Cfjj@l;fUR zr!ZNk(;1zK$V@}%rLe_ZEXtbF%z1VjzI%G=R#4d%{<55$g8l6bQXhNfXPUBD{<|_K z^CRMB$uij246wKw70}=~RM{+za0UoH{BmoB$;e{uXX?+hcdy^|AjAp7$_!edME6!K zeABvCHI#MDwnB!*8V*Ez1$ar4@70|?+k<3DN0pZH@@MJ*+-{kQ!krQW6kOmq>{Sn< z-K^PEohRiJP{;v@)5!ocT`yx@E*_Y*EY4j1wQ%;%g6Uf)4!UJDQ2I;!67fdLk%>#_kYq#e`nb%u}MX)ouh zz_ygW=qKTz@zAtQD}R-}svWtix@?l`8^=d|TMmg}{IfId)h52-&0lG%=l|C2UX$is z+y7r|Z&&Pp8~%Sksl@*)*F;)zN#Ho zCn`(kisBaB#5`C-|BObrwfGm)BKfas|J!-d-JJj3ODfU7a)VhP$*bm2D#nzNe=DO? z#RPXkBfQA|_HcmXt?gPFSI95`$X|WK8Kv@DxdojVqqDRQN?{3x-|GtPh zHX0@4)(lWr%^X>cRoHKh4d4>9fiumN;|J(F^);j!{C_~=ki@rl{ZeTW|L<;hO8kFs zYiHyCdoSsW;Q!xgZ2Nk*0iF(i!+|h6fu8tj!P(TyZL%{aQubiYr;}a7s18Ek!*Dkw z8etUz3&7cb7lYgGUUSxT!@(b5s^S0o1Z#~Nz#{&?y|Y_B|KHl#+3^4SNG1MnL!#aM z*uQuP>9jY~jYtO~t7rbDn+A^hzl4@QPp~yxfGpx}0i{xfo#4?bTfw85dqMH=@6iRG zK8Hv8CPVKfJjy(W)NJw!s-$ull7H*+HLV&MyW*jgb)#G-boJ~2jtpUpxV@oagYPwL zmtNlgr!1I5qm`Fa`h=Ob3boPt0Sn#RCm8JQ;5aBB^gB95&D>^It2->zH>BSs==T(R zwMG7HBKv|KIB(HYseqGX;bjAenwTc%NoiQ{Vl0ci1b%(W|YNtE1 zk%IC0Hmr9c_AQA}hK0{YB^`foCKT64|Fii&(uSrrYy*qW|H}7&_Fin>|G1xYxAtF0 z$1fN=m)<&N89l3!w#wYB=0g8|*%w|{bC_0Kbh<7bTRpH{t8QuMUk8|Pnwa0v>Nbj6 zeSTv*zTZ^G{{<3wm_~eEM&SAUf2*_CDaZfX+uqvPfA1xgt+FUdcz!r{YEa>HmVI_1 z_j`D3a~T$RJL9a?2F&hswETrxYgAdcd#|psB!Keg!WLS1bj{ zRs*XjO~pdBo1OE3Lw1)@m8*Fp#GJ~y_+7XlvkZ>c2q5kd+}$$wiCKIV@0(ed&Sv-s z*32$%Y_H}*nsDApff*oJ35TKr4&DR{7ZUx-gufE;--H1y%>-(evPJ}3ZV1IEd)6}) zdqGggp&wEfV6I-8P%-#z6s{~l1dI`vs}+xMnBNWrsE}h_C>*oaDkm7@;DV#(6X4^`VMidZU{E&V^lSsD%#;=w6(j((}^2|?9ZHa@$$b;HuS+QW?qQSal5(C zj{uX6S!dm5$WB0^wT;+0W40ws*2*JwTpw;Wy!_du>M-5-fTJp)S5or zDDru+LTvd3yZ4M3ZH=esqb60=y z`p?CH1voGp3zox!l{jaCSvXKAyhT;d*Seim*k>&RDy-v8x~YFTu4^iFyikJ8vk|HsIC3f z`nn`hed}{1oSC6*3JokRAkCX_`5oK5VC99|x==gi+H=MX)i@?=>-8%Vk z(;{)Syw1fZHl3MQp59y;35re6#D&rb=7`qwQKHmNp%vZ8()bZnChpHSVAYwPme8d5 zEH%pAud*jiU42ev!RODta^4vl6-H5g!?|1||5&J4ddjTEW6dovYv|>-#;VPfUT&Mw zj^n5X_0DQgeJF8;=h|#yP>(T|8F?M99UGsDcnR)PxQtmhfAewH)Ny=S6lV3*e?I;A zkNscvKfXIYJ1y)C<^g?ooy)IlXK^^n062^?T}+$*DuXQJ-A=jfhj$^ z`D}uv7mnSjtq{a4wTY-H<*-gw~sWl~1} zZ_x!Fl4$M3zYP6vm+yaX?QU=Uzwag4Q}I@-ZJvE>2Xr!_acgq1VFO=(%IN>(aR2q& z!`38Re;@Pde{XB6Q;z?$wY`b|ct5F`hk5@IM-x!~cAj_spXcADBnp)WaLPYCv2XU1 z$*9H0>LJV)q3z#rd_iK~=IS+Y-VX64O}HPB7LE`XBxnV+{Tm&$&CmaqQl_sQ{P=%Q z5Q$s-a`ZHBe&zb@r*QtC=le{MAqoWi`2M?@W5scpP!fy3r!0DD%OF#8oDO7}0SZUB z&2U0F5tL1Bzs?X#H4+qDppm*Zg;+5DyR7@t*77{%Ql=oQ1`UJ*f{2X9LLYC#6`F#e z=ENvv7*HGnOJkrZ13Da%fS|}b&sOO*4K6U#CgKn0A6lOG3Z6at6|tDaqi4^&SMci? z$3TR7y_w6lSsKfa%8Tt#j|^z+K5t6mAwyiSG!QAn&*2JtuYh5>6G#Q++}1jXXc`vl zemMUCPYw@$dJ2fE9tN0avy$_W^O-1TU+-062&V!C7cK9V_X-XVev)&Q`qKo(Q*%sC zXpABl;1~~yP>y*ppkk~bGeDdKz95*X4rt1}SAb)IS;7d%`b&^l%14JDw)NWc|l7$V9A(AawgLqsARR=~qCnnaj$NRtsmA?DA4(I}G5+BUU+ zAb+l>p9W*^mHG!Jlwm#TUx^qifEeFY`=D+CJ`V0^2-vTe+G8KSY3;VU&%IZ0h1JWn zW29nf0lmabHAmwSl^K#+1ddT0sGcMcXZ9pliW;xS$s|>0_i`cujRhlvR8YoS+FdfI z6}Tc%1Va*|D4N1R4ks9sOB{Ny01YKj_FzI|G3Fr11h1bRU zp6ZJW`QHIH5B>5qNhlLIgftE@gTr?}>xX)^FPMh7A)B0s(+Tu49^*H?B~ z1+2wE1x2&m28e{!VY*p!jNyMQ{~i&=x&u0~%)RYwDs94fig~;HV!NwHAqf^jED(u! z%k%!{KYbrg&-PEwAf$ny0gP}gxfKrK?A-w*nwBpxPC)Zd0b|Kk1O*gD^a@ZasJZ9> zzW++M`1;+^<1;vX{pJkLetdHZr-uh;Z{8g}hc`#3XNUW*;pEUid4FX4JbMT4k6-Vf z9jX>Q&xi99?eZo&9I&^B)^eJokx|W*# zd&Q~sw(#q6$|*(6FwB<3~Em@jtpnqTXQ z2hPu@29*zwUau9A_0!!%2_EL#*}H>YULe#0j1&!gAIE}Cl~iU2;rna?J`vzw!lNh2 zRrs{0PgGa{zfm^AC=MA4QQMTy^cL`aP1@l5G4%xz5jND(Y=TQ2o+lZ?dA?l~7F9_! zHH6=6LQX>RXZCv~qVc?Eupfp6=H@bDS+eK#$F>%rFa*P>!16Hp)sc||G)W>Y zMblvk5w%EacK4Ly&_nuO$`CVkLN3LCsgn9o#HlI*BvwlzX>+1zSzx`tD(RANJz|N3 z^GirgC6@>8fAf|=v7QB&cL&=Cl3T1GGh?SxFyc}s)l2Wr!0>r*l173g5w_IIwGcWXF`1yq zYHSiD8Pr?TNz^Y=B@Briv7t&eB_hU{N%TYclen5~di|ouL|?6`_VU(kQ&q7ZDw^~5 zGcTULSFZisO5IRvACRMbEMP*ewc;%CfrcCq_d-0>`Ul5Cl8gaH{Xhbg%5^M(MInbb zp&=O(&3JTV$g44luo-*~j{%88U$3!TQH~~9ffAm$`>dzf7vXR&+2@Dz4~ms2i-uHa z8ByG~IFRSim-}K%Kfu>%ssHtXk7*i(mgx_$<-VaOs6w5L^(2fAB$`rop=h3AE*J^4 zR&sWB4Ex7#vywz%lz3gzOSxpu zSzqUJLO|jq6-M6taQ@-B`fS;y+3^Zevgdt*W5mz|OYT}upWrp-0VC=)ugcf2Cdp~) zWnWOv`{d6~^S*sWY1wIh@;*U-#!a3+d{QFEx%}?i%Vv^v?3Ez6z|#*c_%4?@6sJ*w zN5b%>4 zv&o|*!Eu;Zw*B||pm%32Zdg&)ia>V-Dg~_b4+}wMfmQT->dyxj9ZEfx7?XbPs$UDm zzDS}z4AVIHg7=8kfu%&aN-Kx*QxS1i#F;-0UzSg+1FLv3q;FbTh*^D7s`mi#Yjt3$ zn+;|5FGWMd7@A5DsbcymNJ`W?cM8g_@M}pcVV1oF zS1GU69i^g6zOGe%M;%d^lX9F%1lkCyW8!ElqEuo`$gD3meS-eCd!5d55`5`yWI-q$ z7nHU0Qc;OtI!@L@PM@IvW_U!!F~c0kRh-Gn6@X>#Ks!9^plI==%z>9FEdj=<#yVpL zSJ;LiVdN4C$=ODP3pUNI&e|yXrKFX}&>k_(Aj5j|t3abW8vDJcPtezgYm3Tdz^W@b z4_IGO`UHJ_%I$hFW}dd$>8l2o4kcIvt@3WD3#y~aB#DTYr%)8-@JwjP|BU(GDt&_f zAD@>dLv8D>Gtm@*WeQr;xqTV{P!M3QbfDbtH8+NT@#z!P9S+o#Q@jLRty4Cg}Qoj4lz0 zq&QVz@amAY_&ryi?XH;65JJLPs*m{xX*j}S!P%>$ovWj>F}hUV+*GkT6hjx%SQ{~> zssrQdrp{eQjHbz2fwfT8$$(XB_=6hbpLR)7c0CEG6-|Hrf;sOCN-G)v-1w3uVEs}+ zp>wsa_VhXPQ+luhmPsp-p%WytY$+`POVYzv2dmY9@ixEL1FS zG9-a@0kKxBOmVc{rC&%|4YTq2TjEz$!WQBx@-&K%NAw&Y*-E{6Yt)%W0pIRvF zhDFSBo^tq_>@=(Ltn%9~_W0h}{#{eN^$&Nv!#Qxw2#O-*Jgt=>TTG1cM0uMchN1{Z z8U2beo+<(k2@ll$N9Ed0mFLmDrBBd5HY1x0G7GFySpFFjyp;^jOW`M7-_QqmlD{e$ zT3{8=cj^u-%##I3LB#?M5*;(M;P{7WR%YymSq*m|bm8`((n^?Bcpa#C zU~%L!cN8hY7dU@v=%G?xA+5yVdCA4WX~n@Tj5vv=x#*y4X=@bX&V?w-lvS_=-&3aS zh4$K-Dk?uc*V*ZCNUovZl3587K) zRaZq#SulwuPI%UsR&osCwc`5?CHODOX?wY}8qdL0G@XEyly@3KJ>OVXin$hG`ebB@})t`HHGTlm@++`W3A2UJj&nuLa}%Dpt_ zUcG8s#~v|EHM@x)sv=o45UQ8OvH)EbV4dj50`JvK=blK{ys2yLSykOoG5ESyc;!de zzNNJ6f6>%}OUDC1;crrzR*t!XssKt)EQtHtogYXao@TDQeN)8I@QDssfSA31jUXgL zr8$bM#XxE8D`3{LJWE{#{(k@ebX1WgcZ+;;UGKS$oveo&?Kl6 zB~P|gij?Ph`vrfH+>EXIS2wRT(A;5^V{2s*JK9v6N@^!-qw{#)nNoaBAU(;7bzrPTn8EfW%oL6Nab~$i=6rNK)Znpy35lWAXMiKF2z` zh7C4j7nj8L(x{-IBLxX+f>>y1sDc^>Ovk`einLs2h7nhR9-Ku`jHTy!-4>ipZExl% zn?yuR3&>%_^^ji05kU7Mv;z*<)k%ygNEOdGp=-vo}XS6hiV?=Q2}M@(pG*gDL!;Vy-rNPe&_}IO9e* zQjFBZzDXDjFy}4Lt5ukLS?HzW-RqDBye$yF;B6F6NKE8L=bH_$ow;iH_FlQ4HObpe zeZV+%^86uXenLa;6^@eT_8!nUz=_~(dMR-eU$w6&yCCt%zanDn)4^{z5WMZQ*Y-*` zyO(Rf;1}9PoRd*32kXZ)#O1K#BIDYj%eC`%udc3Kb~{Q*h}$@J+#+=prnatcA3Pt6N!0wPoBpV`3okoK z<3`fpg_E@9mRVwtWOXV_Fd8Xjby{pU<)TlrGd^D(X%N}J6Jl~M;DU&zp-*G~;v3!; z4CD3$DT>h(@Xl?(v%m(N%}2a^%ig@}_)Ac9PQG%&88@ru>(|ZO&HMw3BL4zUeYJJ@ z2_lU9B=%8W+DANZ(su^xXJhnc+zMY}=p>d@?}tbr-^3GDRI42UYrAtM*wk?pYX{|P zyN*wXzTAZEW1x8?v!yA4)7%7(ncjl$)~!EE^4kFhX}wT;41MJ^DLL?sVLI;Y<5^KuRxWGr8H4X=vBqKqiRxo${ z)SjQ-EN8x3pi?e@a3z6o6a7{GorxZ8ujuWy7D-3-W?J-gptALB=Ozosml<2F_v>4d z0iS9${uVhe!?)GDEw$QZKg6yc;;w$ExWV5n&W3D z&%Tbq*7lr(!<$S-3qO89CrPTgq7Su{-@n^8kDk&R&1-xRY|;B) z+q>oWe|BHI*u4LDFUhQSPZ`2I&v_0^|KC0eX3?WHx$wM`!=DfLPYZ8{_S3;^Y?^dA*Q-bu3i%C!Io*n?D#4}=L~3Q z$^!WCxM2>L8_;y;bY&R5yvM-+w(bFPY*$nUD>LP_1TDx;iF3LmA)f|>f-b@K;E z1mlmK{2QxJTf5bdA&$^ge%d( z!8tU{QWrk=zTN6{8t~!q3;<-|7cvk?klZ^A8rlZ`M?~E1)3`WNnrXrXe1rqsA94dsg{>VO`gv1ul~Rc01+wpI>zMHuB%Sr1k25 z1>9M;7U=uN5y+8<)}b2y$3;58frzXR;iE@SY|aP^NG=2LBm2VFOQ%Dhs%vx)TDe?A z|Lf2K7s-D+ovjl6@4a}jk^k-`HSHsGhGv)10(D6GfW|QnbUg7w8}Niu!l1az!(7*ckHnDU7GJ;lsvi^L%bFzJj z04&YRioUJLFM}dM_}WngzSUxEkg^CIp?9m(X@3lmXq)y;>uc6%3nNl2*Z}SZdS;Q_ zD_Y>)s?WvF%S!Ybl;;^e-K|djkkV>vaq$4GF9Hb08 z0ACC(xpF2h#vgw`>oC4-9saz3diLhv^l<;=;Kz^ePY+Ly_TL`D=g(U4P7vo;l!Y^E z9Pgi={`&6ZbylOeA`Ocqjk~tuWY!8}y(m~Tma||~pE`7`4^OyPy?D{x?Em+YoH%fj6f=II2;M8kd3N_x#r)ut zBBClwQrQcbQQo?Z^()(VIgn}oMtni@CS$TSq+V2;Y%aiRj3cWiH!4}{@uNTLH>iv` z0R$+(+N%6`&dwss@OFS&0TX#$yS>%+Ww$n`uNrn{zGr-Ln5jcXxNg|L-HM*ZxmA ze<)V}KO690NUEp*_4$7NZ5jWst+M>L^Ww$!hW_s(HR0Xq=_-`+nDdnIYY_kA>%dTV?;Rz3uG{{ohO4*h&BL{$Cq^ ztq0_Ud zni;Ok{%Vc6uC9xg>2dCY*0?d;H%_x(TUt&SzFi*+UZx$*JP|b5q#u{+y@VI7Z(E)JXlCbs`c)3|*w+8( z&p>QE0LZ0YCT5J8qh`i6|fX?T7m5LUZWn9QUa=&}k3) ziZ0~e>H%f@4v-ZlDc zVQyr3R8em|NM&qo0PMZ{cHG9bH+cT$Q`9ui8cIo{N$L_ST#@I{l;ZHSEc1x6GiN+r z>T0068zCBnpa4=GAJ3ZCnAe*p`Bv>qT>x~mDbbFdPd@9!CK{;gu3h{3+o>*1TO6J( zW!+5Ha#j4>{r_`xbaeEGCr{wtM@L89e?NMBbo_6}PaZ#h`uOS5lShyL?dbT?lg}Rg zn>hLz#?t$zHI1zQ?dYTX>Q3%A@{cS_-N+`_r8(IXLe@<_mua(XXOmnX<}0~S=0yDW zo)AJLqLeFjB9La_kr438iC9Xr%u`)ghxqHs@#OgN;LshTu_E>-XzJ_|KE;nPQtd4>C_xvJu^`o-PsN`v&dl>sa_op zzP_oggge{4J^G|G`>Iy8DwMQKG@8r8s8RnVlP}7z)S4G*o|g+%S9M-CC*thcXHSlf zkN(2pJ(EV+4*XcF zMfL7Vt<6N5bWey>HnPx*Nh+JBfLBvx$Cj(?L{zeFN>vZOmgS}@* z&%T+@^E8(Q4)DwmPypB7TWZ++A)4FEQ`-XnR?C|SZhmW2ZO@b{n~ijExRQB!D2-8# zIkXK;s&cVs7vQ_W`A2g!x~)@XPWFfH>XS6BGDnGtl4oKXm_J%c520XA%Im z-v5uE9vwaUL-+pw?8&G5{}=gZUz}dcypXd(Sym}ms!_EOvdl!YRCz5jHJ5GC2&51( z*R}nDIZz66svguY%BdL|1i ze(a04OC>Dd5vsIf$}EqD{}4tsOaLgRBgGz7(Psk+%`Stk-d0*$+O@` z-=2$`yePy>aqAQDQl?8kGLgzs=xbHid8VM*W|SLIlgI+#1O%EQP@)5yZkZnk#4*il!iPW-5J)g*Z-awBT>_cpIpHWsE$mqHpb zTSJSqI%0~8GNIv2MWbQ0CVPS>eF6{m+;Vfjg4* zF28wg&&f(QQ3o@v3nfeJ!M=2Y1cL2f!Wt-1)oPx<7p+kl95&lwt>`+n&D)p$qKXxr z9!qDmhGU{w*9eo@^iNCs0SO}@EqKqvaeDT02C8h~}G!+lF$i#A?%H|Ny&0$*P$-IyYv;PjiefZFwV;X@a@!YP4S(m9@ zrdqF{Pa0ZYHd=hu&Qx8hMj0IHQeLaEP?N<3&q$u4R5qbMCc%1OKTei`w!eS*zEX7# z@_zAy?P{Jc+8UUh5@$tg8dZx6rR)ldxspv=tBH7n2iEY|uC0XkdzcYENxph!#P!kS z$B%Ot;RV$eV9osG?&j|<^ z?@V5@M#Bb392{>LED?>%e-49fjeS98tGoo2CkK_@Z7cSw%VOH4fY8!Tf_Y7XOa}O?VnO$3j&UA*= zTbd0`6A8pk`xhJLyp6q(hDqY*8a_uN^61xd0-wM2)p9&N-%%s=(4Wm`cKH$Klg)# z@tlb7e_-ZTHlVBT>A$_yf{6)cJ65~o0S{w2GT0Rtv(WSl@C zvkYDY2_P@CJe3WLjceTkIo54i+5ymfgArODdi;BFlQ&Btt;m^Y{kNbiGVDxffWg6F zUYMz>(CdI(S%IV0#sn{qt<+N}VV07v$9*Az-{^U~9WcYrg5Ac-fhuu0{dFAR=ZZyL zJ_5uK=oRXX3Cv5F^fog(H@%5C+q#nm*@kH=OJXV$SqmqQTE=5Rz4pFN!M+#|#7fZ; zSD>vHwak>z6`wC4Km3utK<4DSAG|-Pd%HOH2=T?$84j+Vn>fDeN4U}%vH@MDbnM)# zODkzBRr+c0l+Tv31Sz!Xw|%4AB4e3d$WpXrLJa`#l%iJd0g$t8q^&Y(*BPV}>g8+N z&Jk_jXn6BQjsx$XJv>`I{vj%z;R549fY~=1yG0?;b;+yj*3;cqRc$x0$rau1^qlW% z41`G+nrOuSSKTwzCt*m;T=I+uHulW;}_Z!a$I(hN%KQ9JwM)cXk{^>A=+-1@uEr_B${wnfT))nUm(ND8fyjnfWk94OiLW?V^oVWL2!%BEO5 z9=g_T?X(PR0LF&e>wCGX3KXC5iQkcZuQ?r0j*r0ovCmGFk$2}DO^!zK>%pBo@MX_@ ztK93NSwM8+(t4hG_^Iy=aT#66c5JJnx*cb5C&Ypm*Q$bMh#ri%^GSPEN@rvBZeBLOmFzdbC;Q_H}wS)5_S^NYJy= zlDmV&jfBevyFpVSN(X6M*T4pm+;(sx9p=Wg${Zd)d-@D)J#OwNB1>t3&T#3BRlzL# zwPKPzxNU9szS2dW<_hH|P=km>!kNbgUw&)0#?h1QZr8&LJ+2Qcoh3Yqgr0fB?uE`S z>BkEiVPs(>#`A?tuT+^i+P3S;#w_t2TA&TdmdL4Q^hIZiI@0mF>Htz1w#Q^pDwTow zu$0$5LG`q4mf~yGEOj;(Uw!uo%}igNyJ09RXDeq{K{c$*u(495${1O%`So$IO_uJo z)%JKBsyerG(L8FeXZD%uuoM3V*TC9F?QU2oy6@RSpMz1D_P0~_9W1b!*vjd}xv**gIhwG+*Oq;H zQI52+xvp21sfrO$L~?cgC|OwL*my^Q?f9`Xe6?NHBU?015wFYUgS+4_%!FbDD(~5f}9M4O($ZZjmaya z%CugiIsHn3&n_?da4Kg##Ft;XcPE}`rg(D&EmN>cDjOx>auSwUdQH>9;lIvQ-E3|2 z>@;e3!#JD5Oj3DkW0q2EJD`(*4SGX+GA+y`c>66_WqVD7-JCv|tBh?w&S#k$F>UHr zP5sttk>w_}@{}`s1T+vyGZDRvEguRMMzd5PX&U2$w)Vxp3-FLNYE@Y|OC*U|>YD^C zU;NM6`v{p(SBTS(&9K z2hsph~ zJO0I(TsVS0#hz}VPP!!%nHEW2=FL?6P0z*@wSv;63r`WJXRnMf8im-^6bWe0{$9hxejT)x-nbwVIYFUk=8(i0c#TF;@L6o~;t?&Q7Xy%QJ7Nex zTxX}^ELffgZ7JJksmcca&K?e2pWc?zyOTTY1LBbfM+L#6vVZ_5ib9?KZc2vhym6g| z@l6;mAr~?)O+y^%Du0oHPI+^Hi%AB=&W+-? z)yGarBP7O|Cq-T=a{hjd7utZQ>(IY&JUS7hxz?ktZ#}Ya&1C%nE^50Pr$c^fVx?rF zM-k2&Cn=00Hutc5CO9!npOkA3D9`ZYTGQ)i*_NK<%t-1zhbW&=m5e``hGS?j<7o$ z4(XqDEmj($#~PUzW-Kb)BJds9roZn|a~cx;58LtrdK+nnQeEYC*bn_M?9+>{&S|e;v~fht!{b`0IvcIQ4h(rV$M!u5?b_&oj5^(}zK?EGfpL#7qVwq)S@E z9h6OvOU6OqLF`KZ$5<`^hUiudd9)V~@aq3D`b$8Vl%3eM}gO zCTI|(bWn~kcL*J*_Co{CQB>62^%Q7|t`Sm*PJ;Cabsdrsko907k!h9b4GMz_UHegM zJd8>7bVzm-9jOK+NB`5WXHR1B=$^L(wVa)IgyP}IycT;)f9_owQk{S9qhlrfUwWI) zA|pa~r^G#NRn!dMO4#Rp9im^)-rOHs+pszJ%-L)gQB(Q7Y|LJ`6)wB-zzm0JOu~#* z`su?`Qt9J|53$KFT-Nq@pl1q%a=GSjhy2~3a<1f>QyAmK11o6C5-c=6s4mQHuWGx3LEXjH&MckZ7-k4P1=dL zCf{l|`(T*chPSb2%>HnW6qkbDC`#wTCge2+PUQxTN_`td*A4(D!M5&J_txz<^L|}M!$*g?GaEY3jZ((^hv2;{b2#dJ#`$#cql2!r;x<)n9m z?l!C4hWXeJ?l7I8_rQj?FHS{~8#tXlvsceWTbZU-as{{uoJEcv-8xJTN!!|>Q=wKy z7uPBTQgH0vD0WxcuNV2XD(%6aCfIhzCK&=|jkTEkk@3kc_}x!V3_fNQ8dxMppz)LJ$xS0=$$dLpMB} z^m9dg<}*(s$P;-F<_fELjdcSq8V}7LaLiM^{z|t8s2$udHUKs++$fh$|3GKkT6AL-WKA< zp4_!=!6gLuPns&E@;#>)MX&^daUqKJ7@`${V1*o}{_Q#M#YWr$hrB=& zfARX#&V^6&#`QVB2)OhAT1#|((On^TWTwcF-s!ek=)7D^{UdDU9ph0<$9#gz%)OJB zsb1O7$b*9OfUIY$o3tedo3V3>&{;67J77Ya*q(5ZNT}MtIlzpav{s11WA6=ZZ;%%C zV(=vk^*%RE035;43DoF-4{0E~#{m);VD-98xY;DeSs1zz1#x>1v~??k_TDD1pb+vI zzW?^^1)_jZ6w1H{^)XOXj81b5m0^-0gQ1_v_RyG# z(<^cly4Fp*>L(&>@quH|%oP3Sv-NO%5qH+hT=UfWm0GhQ$)hL5w(gG!!x)ZO7`DW1 zFpqv@A-M-x@2k>$H`VU8!}SliAM( zxf%WaS~sNf-zXB8aJ6iA9Fl*7*ltd#*hN!dyh(_?g3RYIx^E+AjCp!$QVZKv)fR_7(onEEgTd=kzau@ zx{_ClkrLxTg_&Awfc-9cO@ofV zauMSd(9}O}o&aLm02hLVHdlEC3+o0|L5BW3G+H33vt`cRFnN>9BL4^O?{HF}**-o4 z%h?;I8w(^0-v_VjEcxVTWp7(M>q#o^9LOLY$BUUH%A(ghz!Cz`+faOk9)XYoqQ|eJMoso_RiMB z3uKq0QZ?vOwy~h`z$QZy+y;gj^-bCLM&yf9*Osv6Vj3Sn(9O^q%ATa|I^4$@?a|dg zLp1rILG;eFOY<5al5IDGKmSPee9}u@COwqSp?&NeaHrL8Liz-{fVaU`NolZwzQ2px znjstl-+v%pMG(6YfFrGeX^`$pR&9_Ys`nPm?$3A$|qmXBD;CSB5*;xiJA;K7dIcwV+Xgt;WL%o0D9!-wS3 z%u6A~h0Xx65mzyou#dbROpcnCI#ZXb0Lgm#A!9=%(xlQ^V%s|0xBqLXMRr;ga;A!n zi+}5~Lp&OGv;t6q-7>9Mw~s=t13QEZvECQqGH_J!zLf=4BPa1<$U0q~2)WAs@MME6 zp-;eZ^V>AaV2^-ro7-Y5yn+d~0TO~pmkVPRLBm%)MRMZmVNl#o-nH&ZRPKULXL%{> z^+dd|R0Qf{Bfyr5z?6nULZC->IRg@(6orx*0c|-5V^|oKO+v#mnisMAuxrFZ)HM&& zO7enq*W3#CSxbTlS^ypuTnhq9INaU{DR}t2}{MRM~CsW95~Bog7jI?<>@0h^hxKf{&DdHcx9)|Nc_I z_r4}j4QD868(nCbIZt;MT;>S-`unjsp8Rq08J58~o;;fzKZ-oyv}>o-R9LXa+Zh7j zs67$<6$C^C6%BF|Y7H!X`>zs6pe+;ukozB~HA~V^$6_HHbtBi{`R#y`?~AXaH$tb} zaFQM%JalFfg?xm*3Kqb|Vrob7C3fTGGVssFdE5M(yT9!aKx`X`LwNT4-GVK+a1(hh zNqQSN1)&S3r^=xmR2j1LQv@s?)Kpqx3TezlwqOHejJ)TCU;z2(5^`3&arVj(OXxGeA z6{{oylAzK*VVj{={Ac$V1KMu^*&mqIMixTvz6dZ^V?WMdJYCpJ=L`lYiPJyj)#oRF zvSjwT^Wr^#fb^g`9nO~epCf@P3Nr}PQf>5cSDA7 z?b!SR)Kx2#C5Omz?8v$i)2nCZ)FpNPMVn^IA^e>*(-2Jc;+)+jUjOQK6X}%P7~fsB zlIapt?AQv^3EAKhEE@>`+YQoHBdbTFQDrret;B@EAwjqm;e=-S9Mo$*sBUb!^v0B6 ztW=N(IP*XVh<)?>VGvr8h2>p+R%172GA$166ce1H31s<)v0VILx&@{dM2$J&6Q%)7 zVhWBqxFx1`F66_wt5**i5ZAf73A}fS7JoCktYou%KKgOOWm&%eKOX!CFp%fZ5B?NM zk-#nv9{#|u68hv%qn$p)D=iOc~}yt}VFq^Gv0(=4Ty#=sb?%2Rj=|A96V#fI9LFib$1vB=;B16Kqy1R_3>mym!~5vFVO$l=ZO(klFDG% z<1k8sPZVg*rqZR!Ir*DcXr<}})Cc`DL?ps0AKFbg4E6xJOY>LhwRh*~hjh z#wca;yW&Qd2h6BY81DRf>*H5d~K08|RBN+M6cTbNte0NLn3*;zKQ5#p?0*$Bp{iDbyud4NXc24ie z+IGr0VMGXOA4~OnD1Cd8%O(eCtF>6krq17snQCs7PbIN^!`vpFvKr8qZFr5%CbFpV zpq7TOY1XZ(0nMF=QMZMY>*L9z$CKkxEWmgGA4a|JLiJN}!W)%|zsN>>Q>pTDna>+h z6|%AV%fuHC2|jc6EqJUZ`1Jb8BXFk9JB1A&uQvOh`A)g7w$1{vPmESCu-ni|W#aSVKihA-km! zIN)D2dT-z9Y(6F$yFc06+h%cb739dq;qM8*rLc%$+*3R;w*4OT>n!@51Pla`u1F|V zt_CY(pfWXD{7r)@C>?|*S=`7nQq_7UXJ{P(3hACxk}kr+9z99I(by>IGCE>!5o3FR z0y*T@E4@SiJ%G!!AmQHBejfz=fSsqR##l32T%p}HNl5YtemkZY2RF()5rp=wLb zLeCwgyPfK2t5~Pc>ZPIq@obY~%1IfRvt}h5v+qAn;A6~Kb2$uwwQREI{Ql-dJl;Ib zAhS`uuN=%`jNb=QnY7)MgacSu+ylK+ij_8vNTpGos=UqvXfLd>Sn3;PmpF%=w}M%% zU}FYC82`Kyrgx}UczpKR63N`5yOuD z@8C&@{e}S@x3n;K&Gi86&M3mi#VXj3F!r#Y(IzfWUweRVuDpDs>#GgUjsUuQX33HdB;FJVoXFQ?LaUHua&4Y}_V`FpP4nmUL6XYn19==^cA=2zE4A*v z!U57E$6;RNf)sY3yRGF18`&5|aA#`w>1Ljl~Fo zbw)oRmP3S}OTzlaSLXn41Hs#b+B<-p+sk+YNSwoH<);&rVLO+(r-VgoZy5kjX;fuG zfD+52Nee2XB)quh-A;Myh$&ZH<%t_!+SV#*3KRI?Z+touYeEgMtBiSGFoJH5+GLOOT7AmX-J-27UVbf9nd(esLwUTr``ZyS04#MT zjF>)P$PT*{Z!XRRDr(X|>d1xtVSAS7Og(gLy- z6hX*?Nl_!v1@9A@6~BbhotD{~i!&I_bnFV8gm3U~%#pzRL@mLT?7q(nS;Aja)NsHm ziGV(qUI+mjhHGa(5tlh874C28(|%^$H&B`R+2f;QEV#C92uv;HbTweugqU^+J^^vh zwggcj!;3MT#$ad@1D&B$?*M+^;Ei~7`kHA1)@MU2%<0ml2J5e;)^^-Q^7wDuNawGR zy)5H_K{~cK1PB3A8@1<%dTeF0AbyE8$)TiV9Y(@v6sS3V7CLtWEb_D=!F~vH~$d^`-KZv=T8SH zBR4QL&Ya-b5V-4{o_Y}_e)kATThk&T+S#U(}Y%7sE(d$um+ijsGnL)Y?JDjS&=(immN4kU(~&Xj@pAlpAS z<WlxK&;}juLlbBd7}z`|F5GT>2Wxp&$b4nuYY0H*c^i4uq<&8AHOc|xQK)!d zi90av+=TlAJW~c9+5LFiGOY-8?|p91BP_D*$;J7gn5;|1=sE;z450vTl*|tQ3MG}^ zww9S~MKdN#+#%&?$TC&?wUSu^MVXQYT6ie9$R{V@*`6-xUz+zk=Q zr9C7vXk>pW>+D9>Dlz##@^X>Pb)7_#v3bbaH%4yFlxaj&%d|nS8|3#8-eC|_jv>!b ztFz4;x(xOOcLyB6c;JG5xuU+rX97BkjeCp)fVa*e19LFe=q3vs8G|2A#3cm>F`5Yl zhwY1ZNSnHO*E#Pfmm@N0Xk|h6$Kn|@>QS^vZfFez?UGu82uPDCLnH3XC-)H+VySMp zc8}$*dLCyc58;V-{fhoBgEk?MY?@l0QLu|EqDSlIy~N~$J;ib@C!6EzHy0lX z4O-nYQ#%(H;Sh#_p!YbweW0+&E@ee_DJrr{(2X3bBf{9BF*)30BNm8?XnYxLe^&JE((JMml`M8xs7U0sg396BpZ@LD3P z{P6mC^61IoKF_ZXnoh2dlTCX~QUQ=qgG5R|G~rS1YF_0L07 z?!_CwA3J~dJI>$z$ccM!e0216?oBG-#kCKenZ>(*@AhSAWa+!CI}YoPySnSFb}nb= zlYP$Uakf3;lh{#x`!|jlT}6G%{nh)Xdr&JY*WQWJx>n!sxg!1<_VB|tDr=;<^7%Fj zl5Cs|e&`DC(_jxDGATi)Arx>F^j)`r*I4Q@skLs#XeDfos>S&WF+GN8o-z}QTDKKH zI+~*Hi$)Yb&j0}3GIMCff6PX&I0P~a{9<9IMLrK}v^$qB3)sZ2gJjW}!aDK|o|&*` zihzwT7Uul+{Y?( zB;YtI4XO3Wh_r6RJTExu-t@nMNGh2@&B9x@g4Wl4dpWcvZV9_SRR7&@#LRGD4SB-5 zVwg){<_O|c)>a!MVk5u-ApsZ;>``FlwJSO3-i^{}E0yN+TzLi6=V|VwSKa9Ps?ain zM^rq(YFnr<8r2-``>a!c$&$#9@_Rh)i7&oFrSXcqyi!@n;v!7}$*;_|MciCHGl!Hd zwU7S>Si49l-{=#@ak-L_C*mmBolZ{Zh0b2&rfvbI{zi9CyYxq9Blh?HVqmgk6;cZHpa18#8RuXi;d} zp$Tj{o!ArKU?<2XgzAH0QSyDhYFB}0zAb%y9OO*l?bHOwW-PD9wg$bbTDV7KV9lL& z+~z?d_)LlEgYxjv!{m6{0rq3H+XPsS)1&EtVlJ}`?r-}s7VT6~*<*D}>~trl^*yrHw+Ci2L{V$XXm zZ&p|ivo0I?J{oEtraq?Q zUabBqcJA0wxt;Dx!^~w~4eTj9F{na+qX!NsVQ)kx}wq z0I)J!lWQf~Z){gKLLwCORjF@Eh)5p`)22|VpjRP8*W$||sC&bSefuHiLq`YT>7xj4 z?m|OoyL6gWB1nH`L_MUZ68wIQgQseWe*=97a#FoU6;jqq(3lY(&V_8olw+sphnI+{ z?SCo~@pfG~vkh+O*g3d#2|tZeKEWfqej^<8Xd=$gtz4SC$* zxN;qAyTt;bbmrlFkTk;!(72*{6qb`4{z^0&QyOvj-KwL&{Mle=H3)*5{}bdHO`}oU zMYf|3qaX?3d*K2`$=)uyX|>UHW?K?}IeT?Dz;CUL?3_GS5`=M6qoAlw6Z|5{@_Oo` z_X9Xv`v9$?9`H$4qq&eBK{n4zc!eiId&gA$@T|>xN_tKPI8zZRbN_i{w2> z@J|edcFPENqcb`rVltV8G`@L$!BE^32P|~3f%AD@0uuZ^;9qcKfY%|*CQtZ@7ZoEV ztrLkT`B)-evaqba2=zKE|A6ji`=js=XnB>F`3lU;b#AWQ$s+M>rVt?;T!oxRBhmMn z8&QC7JP?xD^HaAa3f@o>xl%QL@*u(ow_8Sf``3Ay+vR&W_A(YMIX8$-mmL`-ubsbP zE1jK|O@7KhI4;Nt7B9eGc$qF$)>_r&9IXZT_~m<*ww#sE6$ujrC~*iK!A~egHRnga+_;K&U&A}C;BD(C?y!EyIvl2scP;de zvXf|bM+geBf#B1h9Uo`_9cUk3;I$B@!V>PfG);{-O5Le?cDiAzq3JrB@07c_gkH{k zCsQ2p?yKPK8+J_ge-dsy!8s(s91b7)wYa3U2&8WZzxma(OT^whekLBwR3jf+ndEqK z{73P?V3hif%xmLJJvU3Nl6HBeZcfCpJJu0V@*f=-qJQX8xesoZs{FPzvdPUnM_uoQ zeytliy8gwDd~PF;yDNXY18*DVYsjg#EZu0d@iPAf;H)ArtKd?;D?HT>cHNj;X3SacwcXKN{6PF!DZN;vLhj`>wUi6_k6qOc{`bJ@Hn4!bL;X{1$p~X*kK1; zM1$!f&ftLWeJCeAU=#0OqqIIubuxoZVC^O##a_p|fHjN~SAC9DcADGR>-?{@%)XF? zEK^n63+=Ve)P=5_&GE+gApFjoQhDui1beZ)a)aZp*}bG6Xe#`thpIdqem~fl-m-u{ z0rsm092r_bv7}4~r}9I)GrRU@?x91Y>iI7H+4t_DyShqu>8-BPd+2PjV{ePNySp>9 z`(S6kt&p0_IHIVkb*1WtV3$qIpH74Ia_ENfU1&UuyX!jm=gE~?+xZ1gU=KffvR$LI zDzEcegAgXJWu0R&MRN888G7siWi$%LqDaG}PO9xyv>7bp`?c5m99AZTK^D5ru*l!v zbdF|rig6oTg#$7%uX^F6mUGV3GA}cs5TyV)8lnz_A#KGPLof2CKR_QqpSGsaEB1F+ zvX(2=bVCaRN#UhmtM6oOPQa2s1R&7425;Ev>7w$3K>HwV#9wlgJ-Q0{EthmoO^my7 z-oC;p=w+_B^xnQ0K$`PVgh8P~hi$gEFM<+F0KwiZrZDx`(L6LfM#iOoZ3ZvsK`1t| zxZ+dPo#|xHU7!8{;Ld$qVu0A@47@`q2d5>e{dg#__s&(OO*2sbbtSJ*!tB*% z^En3r=mO_5`}M%deFt?*c>C!5oL`u+uM0W0J8~8un^1lPgFPf8^y-5dWhuK+kh@># zn=pKc6Dn+T(_kF~2t>+?pxL{702<+SaLG;HqaLP#BNfDb;cPpGAI>gu$>C$nAfeLg z4mXY>@8Rp4+$=eUo~KG9W~cvP<-Cnxf$(i;|K$R9&I{EgO~thp^Pm>X^Y-k}Y6wVp@c0|I7XJiRl;$#nh z8xSgn!F0&zwFOY8-zn7e>UK?f&pSSr?^uGx_2|eL7WVGO5F)e$Ez7wlx>>WGq6s=%U^6u%i3JVzNy#mY%>oX6X)1HN=AQ#{EorKo1eKSzQD7gD^0NQn2?CN-(-DU6L2% zdc(dsXwn6v4pC`z2*2>b*$2496Sf`uM@*^|DW)=kpqI@sPqCl8;QhDv%7tu}gQ6;N z+#oVoAetwL-UVd4LOBii3`Fr~Pmdm9&^;R5@<`bUgD^p_DDuU!Db^U&;jWgkn6-@{ z_jP38po}_}?L(|od%1kA8X1JDORIp+@}@>`^hUyJU8(gU9^^{qklpGkBYTh<+ZsB5 z&31^!P5jh0@Xq%6kQ`lhY$qJ)kYFg%zyJ7`Z!X`yKK=S71{K&fO7e<-cz1sB(*WFE zSM3jMo5Xz%V(fwlY{PTa++bXfzsU1B_z%x7TuwxYw!yVfT)=9rTc2GDfSP?*h5cwV zf=4KRLNpzq3z&E=GP_oFlUtqm{DR48YG-tQF%`A+Xcp5-XXh8wE}%sh%HqCKCW)hd zN|{Vm9Eft(mu&8oQ7Fz)FGUr{(VJa9)Br;N=WjNVkI3g!BHyP(zF&DFUqq>&68X}; z{`O&se58bTD^|H;boPJFKBQrp7UyN&Z@DSVN4DG)CTN*-(w{Yfhva~JOyG$X?@tLl zAD6)6u%mw21fGFSq&@kR!1F1A=TidDrv#p#JAubX;a?6YKU7_2du00dAp9T(oukEF zus9GRO&0ynWbcHkiNP2+Z^jwqooS<13t49cyNDp9d2lzPD19F-t}FXg*C*oT``i!< z;gIQpxc)HQH;i2N(&gPFmo4``5%(Nhy&Jpz*pTR*!=X7PW+RzxTdP3HzTXAgoLjcr z^7XT+Y`gcFN)@i>TUD=2oM#1x?&bTcMv;&3KYF((#p01>6qU0z0k3SGE zv@)-C1LtDvp8Hk!mk56k6~*o0?{|*{-)1iPt;d3IPX^d-D5}+>EoA*$O$zuFIC;;3 zlN(MKd)QvQz7!SW!S4o$N;Te+QZ+ZazRJtRVOAQr3FtTE5GKLLwrQVUoW_z!>k8a- zy;7w?l=_f1mfAG0v0FEfo23F3P1oRzxIu$5xYGOxU0{=*d(>vK^R z?IJHBSjejMq}-sF!G6rb@lqOZ(9Ks4iO1DowPOmyM1jv3k!et?wOHiW?B9s2NNwre zFtG=aW+j^1UKVKtAP&uUVgjuk#oqwhQLr@VjwyqPKl*`6iG-{LnXX>V0Bji5g*Oc|7}#0(2s_?y**vj3FTE~|Lx2>#Es)w?8a>4Z~SFLh*sai&jFla2Q23) zE2nT~-h?0BdgFAv_NVLnm%hOLH)XN@f#ZrWoe(YKEh6``UDlMcGD{tmy&5pP70l3)e1|AaRF51twwX$(o)rV6FU(@VQ?JkCs-Dg z#4yNApdmxG*TJH310hmFVNs-b!DSUK+or;BqF+WTUT&_JMQ$vvK=sJgSG5~@ZRMwi zoGOiG2sPK1%i`Kxd~n0|?dR0~Mo%HXa3YSEzHoUUs_J^69ECrJU2tqye4crC*%OYgFoy1{F~X3!pV_r#mOe4P+8 zG?8A)R6q#>B|^dxU8(hkI#nA6Wk0yDF@gN*YwHh%1Ke3f85+^u0s~yX8&bd6LoYhv z0fU;%t|0=uXf$z{Ksbz{B_7mp#MW?u&azdmV#Ci+S9YjA?9&gdEBloE{B}s+R74jS zFTYN>qR!cAR6))c8<|0LwsM~CrnVPg7KGRH0(^_UjC@Xh8d-|V$4OB0h>`5U`Gn!W zMiujfl=6NxA8I&|S2l&6V1RoVagx}7zIgfN`D=0Z^3B`xKcAnSzI_Q#-8)~OpPzm9 zx3ja;>T+><_8@1%s>ne_dL9k-4#0sCQD)jFTQzsDPDi`wudmu>Y$Z=tx~nOFB+Z6HPn=G ziCLzxl;m$r_n8z^)3mb}P`Pc2@>0+gGAqpWg5qtmTnh!s5hr{5w~O8~TjeF7b|$o9 zpbw(%3W04D8FIMqqfG38s5T%N4BN^ywUR5)8M$)Qyw+6y&b6ui~$382xzG^FDIZpvK)%djfIg0ZOlz|}_62eIjRg)e< zbJtd)n%kpmmBKkxqj1&#C)+0aMxoLHAhLl1^{uxU0F*DVjyTIcDuzOa9synP;g?TB%WVzMzGblD=Rc%2^+SfoL_it z@bzVw>Kk&v5Hr}vw>j?M9O3B8|GvuJ2|q>Wu@W1cU3K^ zlx?@!FzMO0dKt93qaiVA*}Ts{`ii*0pww}@5CI}p%7b6$ma+#*#i#& zI*LQgJHVpDsRhV`Fh`DDzdnZ8UFj5x=QJ@oMl_r@_i!psVXRgcv8Yeki>hkiHsH8DTv#fQyz}z2&Z;k?l}%9cu~O1ha|^$A5(yn*qq4` zg)?<<7=WCLfmw2eQZT;3j4{KOW=o%vky$}Hen9-b#s_+CQ$8K(QkJDEwk=ar^cE>v zj0ElP39ZKj(hP&&L%XA09Q>QAI1lp5&H~v11j};^$0w@#^>h4=X#^Q(mYb@OYhdH5 zsq@qY(c`hFhrIqTF$-|(S0FU8Zta8%4+|IhXdpO|`82iVd9|y0w}JZ%2(_IyVkYGW zae*iX7BS(mWung0G@4q=s3{o3BQ0 z{zQzb8cI5=);Oj)lSX~}<`w%n?0=GE=U*ljW$b(!p*;WXn^%*cY2-9EWZ)-+D@y7w;G?*2G3YD2T%^e*5OtTYl}t%k1VJdw&;+hO8mM zeb?2kQrXBtLll0>xiP>;?cZNLy9`~Rd;87;7GyHiZ7F8CGa|{tC+`bgi?$4ZE7szH zYpl`GgRbFU9%99A|HH}NJ{w1QSkf4b&8Jw3AWIxB6<2E~%vC?Xa7I=@XeqlDee=05 zlwAjE{(1bo)Xm<$7n`gi9jZ562-Rxk+68oDL2<))^RSk3Z$BFPWY4bk8SVp`Al_Qt zF{(_ggQVza&nBqvY0Gag0?9KwXe(C0H{oY}5bVSz#2pqKokyBzYf;P9j@T1EFT5xS z)W8{E^AhMq5{`#$9rG!O>?Q#yP{?jL1AuNU5^y&q3SB*Ol3ilE*th?a;Myf*RCq{0 zgLp~9c5sx8$}zdaO6;->Zb>*ZPRwll{RK>dZy29z?wmcn0LNRR9^DcmcmkZ~(Dg~H z>5g5ToJ2FsxTH5)?}aW^awFGnu8qcz!x0a393*OUrvdoJhjskbv&*p8O9%aEgfZo)iIB%eonurAYw zgXiJunL+&^JQJ@-WWIW4&@E6&T1!}CPIq^6wJgBtr!xMG!^bFK(SuW*Pivd)a)$b-Ddn>DQTOhdR(ZX5&%Y| zr9Ym0_IrZ%IxUPIcc6{1neZgAXvRui+IfTZq%iZcJDAX4LNIc)u^~HeH0{Gc10KGy zsFlptm;^JXhVlUUmi^vQnmD66SdOsD>ss4A`s&#w@B*){;@n<9{<@%5rf%GRwYtcIjTYZ09ikm0XJw%fLdlF!1{0 zE&{dsF;uL|)5f^fh-%KtYn^8}4OWW@f7eY>tPEl-HMK|r~rSJi+$Ah5nxTn0)&Cu=>(&I;EKKI^T2lCaOvrs1M3L{ zN7hb|&5a}E1iPU-?&pB~_*O2$xx5H+`26S1QZ;#sR!kgf*Z48OJ{uiw|CyDH8F&C1 zLP?~|gsXl(h&fm&c}=)~ejTe?UFW(r1)78ovW-V4*mh_ntOLIiav}3lv}Hzx;Vl6$ zXXi1Zn@P7#qUVWAgu-^%!4;KIpM_=(QLB}{#-l)TtflCMmnq#4m+LYOm;g(< z94!dZK2-YD3NA?PHOVj_LC74u-fW;YWe}2k>lR>ko{3=lsG2c)A;AU8dAh*rEOYz?TF%Fz#31MrQyp zG8{ogk)}-!5;#M{Z5$1Nmr}l7J`aNqJA!qmrT&4Oh_Q2#rE4fV>Lg!n!@s{4Y~T`98^3)!d}xi$wMl0~;MhwfhkUKh>~A1Ge}`QC7F zpY|YapWcFkyWtBI#M!TkY+BesU#ohijir0Q2%Ly-2mvlrvvx5Wi&0+Awf*;vtjiHp zX&Nc3#gB#wve1iHwk5CFe>33Db@|CrUNi|jXmkNebe5uyk93;`^4B_V)Va%l-WA)W zznA|DmwW98zx<1V{Rpww6TF=d)g`SlWL^%1e{?5J z#_rAr4lG;(7;Gv_r(hUV>3MkEYM>3<4s;97VBc~W`VtU9K)r8kS(-|M_3r}Em4YIT zY;1$uJZ7NZ8fS4LkR@O7p1wYw93M@N5-YnM{~lsXd|%Mj5HJUNWQY2980Bcp491P9 zP#i+$_uqM#tcG!;gevE{P6I;=hvo-DycKJqr-kM17~M~ym+#jbqAKy0f@4c{M_g5V zM;nt=uMUGjC(z&s#b~#$*Z~dy~?OAK9gRxs#{H-;7#M%h{Zxy%dK5jw_U zn5>9%M1!dF#j=TTd%e$tYiB~&!haV0}4B%sQ(kuOKRDcUN|@f?!4ob8XiN)YMpD5tvO)L2+f#chFuu+V+v^k z!i_re&E1lTxRUSlRl5rA;MSu=k*pL}XlMdYIIB7xsDV}0g0o5n@Hw5jgM6V=I6m1@ zrw_`*M-P+ZY2bVf^RuIdplwSxg)A2>)szs!d4gTEuE7%jjI~|nj5T-LU1>Fo zGT(g9G4rfFSb$yiwu;S*y^beL?QeoGk$#;?^pPNd{6Jj)?MYy-^a8azcgkp2sG0+h z<{KA8KvF2{avK$9uk3+)3ZA)6se~ud@>N`YP}~5Z6POY`>R)c$(6WiRT$&MP7rWS9ULCS89%n)FTZ-Z6;-9ozsSoMd3_>AhfBRu0slOl%sFa&xMwxO%$ zFfDWZcE@$F)Nf^_*XNzA2$+6x_xTTw@wIAbjH*dtjHPNOSr|!UwYS!Ec7sU}dhrB2 z!P?!9_XeaLMzy-VMEx*b%DkjZp#7kupvsUG1Xp+py1BAS4fx!!z{wdvo4g_GN$|si zvo|jucEe__K>Mp%tLnn?{zItTQw2gsA5MWNBUsU32!*;31D< zHx!^FQ_!ok=)1gj-Gd|Qu%)k+Su)q)q_~Vi{rmu@2UpL`+|)JkW5Ld@8_O^3I8`zF455!(PMbr;+_ zJn`?p#?AQ8HczjR(!Xr;O!IOTXLDt+m#1JK-c9-~QVh^bVyJ*-v>%gsR6bqqcm*$COn zIdmqhf)!-_cF?Bcc2q|C<9Wk%M2rsFkzu*lz$C*;a^og+l< zG7dfmvmsjNy`+V!0g;A6-<0CQZw{~8trKOtPIsnmdti=#YfZx&5|6*rk++@fl#xGd zWAthD9oI%@`6>N$`{Dy>0_Zp)P}J87b4+j|TQ(q?6kC=%Nyx=Ih&sGRGqcdOSb*?e z4@~fDT>MxZ>P!^iSUl+R2Fk-d5?C^^R!v(6#tDR34^B^Ruvr%;V;Bn?(pfT!F0%K1 zk*AH}ln}Nt1%|f+Y|2El`x-XkYwQqEmc*kYE*?2N!+>Bhk2I}ir95M-^=fRdVwORe zzwWaQG13=2Z?adK?O^Ish+^T$5w}-tx*W)f9aLu)&2+yjb@Mwvehz`E!^LsOlBeNq zuWy4gCqWS|j)>;_WzgEodCJsk!t)z6*ZYONgeB$ec(idltUCSy+rhSAX6>7|LpIAz z+p&~oR`}|mun%lO-ElV@#PmOFH)wjh?FJM`A05)iqZo{{lE&Wki+05j?cNEgGNHOu z3ebmn7JmYbfCtyUO_M~((50#a(4(81n+d#xP9>HF;n5+MJ3I7|42NlvV@$wgAx243 z=tY7yIS8~631`hGOWh>30_Aix=yQc0AeP~@UYNm1>$_&de?SeO$p87T7#_fyW(4*S zNStH3wb&L|q(=b(Bu+TuIlsdl75M*WmT7%B03slO>9%KW=^^$kFAdhv2$5ApS zU5dS0nzz`S9OU*PCbA^5ZI&hc?>`RJ`$mNkm)a#--X%)*Lgrzs;s{dV-^akvekke2x~9V&iNOk-!q?s$ zbxLlkMrN{+6YwE9w}3CYIeM*|^V0umJY(6J*cN5H=j?of2(_5$NV82$Rs0v`&_-N#`N4S?_5 z4+2s6wL2AIBfb)mGmqMt?)*g`V!;#jSkEL$ttG*mHB z#{e;@%F!a_5ehQ&Yi%%qhgkH)6A3kd?7?gfwnyZDd+y8&&UnX(UIz@M)Ezn6w+g*L z4}Iy-UD?=D3bm@5H7|Am(!#cAOxG&3|NQNemHnj*%NjY5gdkyHzh}D{0xM4o`~P69 zNwDUvnJk-Cu|Lbfsh2?c3MVMu)>P0;c$%Tb28&rHIh4k2)`@JII-j*%Ic(6teiSn=Vl?-k@8tNBY&VJqC!~Jx*u6FW`~;>@PwcA!R*E){GN~Z*+YH+M*SQO<2d9 zqB(=CzkZM^f)>HIaEIwk0T2~_H%fsi+{V!m6US%G}FfvIc8v;I@7H)@z*_Po# zY^3DirJ%6>rD`1AdA%suAf}@8IUIm7l?rCRD?1%*Tj+=J+ZNd(?ywxnsL1CVt?{O1 zq2cn1RBZx|*y)`=BPY(?KE#9bAzjj!onG&rlwj{tpN#ChZjfpayfjqU+Z%ab7l7T((yQnG*TsKExP0|IF+&1+>k)Hwh|98*WOU>1=!=5?D)T>IG|vOK1BizL;~^Re0UU4e460Q z1Z;)R)>CF(-DA7;gE-C*Qm9CsZnVQ>k&$I)Ypw51CY;;42&^1;GK2hcO+z0Xp!tjI zor_wM(IukEkARhA718lT(DCgEj4I~h0oa0^Wnc&G@u9c5ocrW9n$0(tmt&7*6O8YK zEsD#ON|g6hOLTD}Z+b@%)uWO4kqnj*?zrPB71DPly{?p5m`e%yd5n_&0P#6^VGEuo^UB zInZb$u$Qp9ecTk~piLR8-@ftum6q8Tvap<>p1M?gMOeh*{K5`xsZB%tz_lg9-Y@{k zrR9JNb?tkCRGA$H!-&*=Aohtkzrf@}XxjzB!U6}waZQ!36{ClqrXWs16_U0nb{LjJ z-S*>}`e%0<+lG~h`(q?%B#mxNOOHN?o|gBRY&Ol;Ogqp>=tcWWq-?XjZRZ$W24>i0a3)gR0ivep3LT=6wQditqYIGrHzt*J1Y`#S zPuwc*AB;B4RPvk>qeQv@Y3vn*y`9&Z#aN=0&h^FRe`#=kr3`2v4lG@Ry0+(e8!{LJ z_u~g+q25nK$fw7?LI5^{f>8KMpFG36f%k~AxucXkB^p^TRCCd1Xd*l*&hlel+(09? z;+8`4k$ezOfxiAVmXzPDGFuXI@r4ytx}mu;Wg7}6*wCS~=Ui4Q?SQ>TK|H){5LWL} z{KIT7yCKu}wP?ZPb#WX4k=mexXNJDf8st}NfBckw^E{}9&dXQx3+hcCs%?H^Quk|ND|6knx8gYMbf#vLZB^+R7$YgUP zGF8{>=`4rD>`waOIk|NM?CC{TRnm zwZ^mY>vA#eum}uiV5jjBE8tvDALV7+IFnnJVEYPmlKoJC6S8db#M!|q{Z2GDIyye+ zZ%5SIeP`)__;1U#>0miCAN$*&EoYa`RoNiJ1Z5NXXJK>*XvPmhS~fYm1;RznYn8o#n8r(&a*Qde^!O#9Il2%C0Tuy>)^#2Y_k-vs^M(J& zsyY!r{>XT@9=IA(?8HR;^i$^xLb5y&qaS}1lQ;O+1hNr+`f1d8In}F5m#S<|L?|}| zZ#BBog>4z+%Y z-|6=cu><=H2{W~6z{oRkp{tkzOMT{*A=!)F@f-cd!IuCbN zceBVevIAueVzum~i4?H4WS!wfsbAhEc(`&J=wU)4Yvd9fHrob;Ew-9%7lUToj^TE|`g*d-@+yJ~st_iMmdLIh(zT0KW!Ji; zxmV901)gJ`e!B37J%4!a8(#RJX?X&BkZujsN{emp7{+%qv@ zv4{YuA#aRp?DEZb07+A4!DjZ&%Druj%12>S-7WRx&RgNF&7zwDy^_`E{udX|`TdV* zTz_`->}X7e_GeF?JpSni|MCF-G1}x!s95-R0lSsN@`cQWpW zhO1$t)kYKleHr;TcDupQKWu;eFbiZ?2D^h1(r>}W?A8z5y4%c=yBQ=qJNqF!902K~ zvBt?P-BaT*^M8gi0bAhy@ySON3ix=N;?7gvYFQjuk)bu&XkQ#Kul3huvz4)HW&032 zTZpDGKo)FyyFaVj$JpKambZ+YJvL@8{8eOaFMBj4)lO2Zf9fM2bklA z`O%!i!w)joHpxPe0A@9= zKp{cq2_KOY3>1*KxN6-s;IH>zD)Lm7#)Xb?<<)^HeEsd^Tf}c-GLNQUh;rC8)mfho z#MQo+iE=}gR_saR<}llbDymSOQ7QxnwnT@Hjy5vFPy~oLE})B$@*qW#R2!HR$s&ox z752q6us?q{fJ``KQ#546Bx@8#vq%bB2n~zS0$39}M{oe$jcgl>z|d>2p%PeAm-BA5 z);o4nE_Sil553;A+6OOvtmS^Fsee`L{lHu!3;w{`f3o8LYgzG!w|KiH|I~3s^}eYk zfsKPquwwg-GW}3x4lc>qB{JOjk%8H} z@j&61P2xev<{ZtO@HV$ulZH0_lSS#1Md_18={Iaq3J&#e->S5ULw&L=eX=aw%J)4tU=>-yUTd071B zeY2nJZJ+FI|9pGf(0$aixecMf*^NBCICqKAkZ?wUUb4y~l$5_ha=4`}NZnM$N~BB4 zv0YS`ZBxS@Fld8)=NxJ&5+VwZP*yq5C+WaoMKN#Cd6^P~@nGe|JJw9ZD`Io^_lc!u zKaA^{Z`d$rdZ1N>tJ&44�QL)oQPv8S#K2dS_1Md$=bEIVcO82r}Jihh?V=(}Ast z^RFSZGAQJO;f2AdEU|1$lJ8$l(@>b1?k0WT0i2!@U;-TdK%=-bg8rRkfLd+ z-9Z`Mv`}$0vBQ80sK=hV$zmhI!^2QQd%F?nA?Ux+i$$RfL#+5ssGD%^w$3}>Vb+4anRP^@P!#$0TcQxk{1lw_ru$f8n(fh9G!DDl9K4e4_!;iti6*g4Md{5Ic5_K07~wy_`lzU7YTv@ zAKfk4vYWFeR+B)XPyh;rLOtL|D%Rz6s7nRdgWyxCt zN~s@MWnfgPAnoUrZ_Ibq@MCq#caKSx=!IBj(!Uyy*P=busfx=$M02qDzpg>P3TZKjKgrwl&`{EtamZ zJqE$DSp_@CU??Z2IKf6}hQT?(GsLDSFO*<{WTQb=e6SR%B4050$)i!NgB2mfNTKyq z!Edx-gi5CE(6bilF~F^gX$b*Cl!?7+2Ge-Vf5g;?Mt93`)Rq`R=c{j5M+4OZ>0T?o zDU@HR>mvoZ2zq-xi^bTgtwu+e7v?509eh{BzEd$nn;K`D164JOe_KD_$fL~U^o*bz zZ{J;>UX0jBwz@VpH#ax;cX!3Vo12^VzgxT8dw<*7-PzgO+1uRR-uWAUv$_2@u(>)E z{7+69B!Amnx-GkNkK`F#PGR~%c<)P>Gr@W|r}zodX?%=HrdZ+sGZ_3Q&WX165c~+v zPy`%CAEUwG5`zRmlFBrg@EYebx`V3zf^#IX;Xjc)i89D?>H-Gt?g9{xtMBEV>8DR1 z2+Au|yRt5HcLz`!Ny8P@+ysg2`}f`6KwahF)I9E=n9->Z1`T-%_@d;y`NoG=)C27J z^_fg!f>M4uX#n=&mH2-UCh=gPIw`{XkK~=~s4@2Hvk3#w5|kFD<^DMm7P4~xehzk? zKj+>42Nb!z55S4G30Iq~Q5a-cr1cPYUr|g+o+*V=aV-Xpj$aqjEV#y)QAS{vae&2r zwU%U+I&TK&K!yt)=PW0Do>F0eJ}x0Kab*l;`l)dehm4K{LDZ;y?nU{4PmTXyO;M5| zLPso1R@6o_|KHi&-+yWG|GllPtu_CDi0AHZIJ6{`v@C7H%u0nVn2#wP-l`P@p?FBC@SVe}y z=Ob_-vpYzZke~?+=K?Pdu`oT*8F7sp7jeNS8JTEY6&Ve_-}v-Nta5pNE9@FI&>;v^ z0nYptldH9;%Xka?B?-hy!~cwD7x`G^ISR@KP(qQ}iixk?fcdR6Z2jYjsCIBzjO^%` zAC2Tzr(1CLFC%fv#$fnwH2601ml&34HoA1OYG1|FDd~O&E7~MNda3kik*J|08-_q)rmseg{~h ze@3}ZeLg;V(EiF!hKR6uEc4IbN6+MLfBE{t?%my8;i=`Nf;I73LPsGyMuhci8IdJs zQdPu}|8R&l$%n@L3Gr-((<{C-4pqf}qjD-$dsJpgy5rV;wcnVgVLt3dw(G{0s9h74?VXaNwIP7rt^K)wJ^LMW7*2ZuJ? zc1T>fPM8AKfcWzcurwa+CHdM|QK|Z}UpagD8O_&g^x@WMM&cXD(A5Vtzn5{XxGVod zYN}VoiWT+c7y5S?en4p?H;-z&e8cce14ACNNn8qnBaWeG%KRG*R9k^e`i#j?!R$95 zDi~we#Q1VHbI+)*V(qR6^)oJ2bt(O@>r^#*|Kq6|3e<(!!XsLv(igo@YuG-(D*cv+ z^uCv=LvE-Y?ORBy3R5A(*0t5@RHmt(;1DKLOxcTnqk(Mw#rGrU-=lw{FDgH(-$wK% zd{KMx{irH-$zD|dOI!YW=9kr;*FOqz?YY#-w+U7!Z!b#8s^j1|YCH5uC=n5J6TcPaHyWS|Lom&Et0OV>k{O`Jy+FN-SMVP{(hIHLr!_& zc&C=7Y3-^_K6&-{xrqqF1l-BAl@#2`z%AfV zG;-g>9liiY*@tR$#iROneG_~yV|rbIzR-xqY0P4nT**uH+0w)7L}`_D-uQlSffyB* zn=;uwfx(#IS)gLDNxMZbjuQkjNLAc175NUPkxY7>Q$&IK7K!i?AVndf6q5OX=GT