From bdeab0d64bae2c5bdef9725024382be8da12f504 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]"
Date: Sat, 1 Feb 2025 00:04:45 +0000
Subject: [PATCH] Added chart versions: cockroach-labs/cockroachdb: - 15.0.6 intel/intel-device-plugins-operator: - 0.32.0 intel/intel-device-plugins-qat: - 0.32.0 intel/intel-device-plugins-sgx: - 0.32.0
---
assets/cockroach-labs/cockroachdb-15.0.6.tgz | Bin 0 -> 34476 bytes
.../intel-device-plugins-operator-0.32.0.tgz | Bin 0 -> 9305 bytes
.../intel/intel-device-plugins-qat-0.32.0.tgz | Bin 0 -> 2557 bytes
.../intel/intel-device-plugins-sgx-0.32.0.tgz | Bin 0 -> 2174 bytes
.../cockroachdb/15.0.6/CONTRIBUTING.md | 14 +
.../cockroachdb/15.0.6/Chart.yaml | 18 +
.../cockroachdb/15.0.6/README.md | 580 ++++++++++++++
.../cockroachdb/15.0.6/app-readme.md | 9 +
.../cockroachdb/15.0.6/templates/NOTES.txt | 50 ++
.../cockroachdb/15.0.6/templates/_helpers.tpl | 352 +++++++++
.../15.0.6/templates/backendconfig.yaml | 21 +
.../15.0.6/templates/certificate.ca.yaml | 33 +
.../15.0.6/templates/certificate.client.yaml | 40 +
.../15.0.6/templates/certificate.issuer.yaml | 20 +
.../15.0.6/templates/certificate.node.yaml | 50 ++
.../15.0.6/templates/clusterrole.yaml | 19 +
.../15.0.6/templates/clusterrolebinding.yaml | 23 +
.../templates/cronjob-ca-certSelfSigner.yaml | 62 ++
.../cronjob-client-node-certSelfSigner.yaml | 69 ++
.../cockroachdb/15.0.6/templates/ingress.yaml | 90 +++
.../15.0.6/templates/job-certSelfSigner.yaml | 83 ++
.../15.0.6/templates/job-cleaner.yaml | 70 ++
.../15.0.6/templates/job.init.yaml | 303 ++++++++
.../15.0.6/templates/networkpolicy.yaml | 59 ++
.../15.0.6/templates/poddisruptionbudget.yaml | 26 +
.../templates/role-certRotateSelfSigner.yaml | 27 +
.../15.0.6/templates/role-certSelfSigner.yaml | 33 +
.../cockroachdb/15.0.6/templates/role.yaml | 23 +
.../rolebinding-certRotateSelfSigner.yaml | 23 +
.../templates/rolebinding-certSelfSigner.yaml | 29 +
.../15.0.6/templates/rolebinding.yaml | 23 +
.../templates/secret.backendconfig.yaml | 25 +
.../15.0.6/templates/secret.logconfig.yaml | 19 +
.../15.0.6/templates/secret.registry.yaml | 23 +
.../15.0.6/templates/secrets.init.yaml | 20 +
.../15.0.6/templates/service.discovery.yaml | 64 ++
.../15.0.6/templates/service.public.yaml | 55 ++
.../15.0.6/templates/serviceMonitor.yaml | 54 ++
.../serviceaccount-certRotateSelfSigner.yaml | 22 +
.../serviceaccount-certSelfSigner.yaml | 25 +
.../15.0.6/templates/serviceaccount.yaml | 21 +
.../15.0.6/templates/statefulset.yaml | 563 ++++++++++++++
.../15.0.6/templates/tests/client.yaml | 65 ++
.../cockroachdb/15.0.6/values.schema.json | 97 +++
.../cockroachdb/15.0.6/values.yaml | 713 +++++++++++++++++
.../0.32.0/.helmignore | 23 +
.../0.32.0/Chart.yaml | 13 +
.../0.32.0/LICENSE | 14 +
.../0.32.0/README.md | 60 ++
...viceplugin.intel.com_dlbdeviceplugins.yaml | 190 +++++
...viceplugin.intel.com_dsadeviceplugins.yaml | 200 +++++
...iceplugin.intel.com_fpgadeviceplugins.yaml | 197 +++++
...viceplugin.intel.com_gpudeviceplugins.yaml | 214 +++++
...viceplugin.intel.com_iaadeviceplugins.yaml | 199 +++++
...viceplugin.intel.com_qatdeviceplugins.yaml | 230 ++++++
...viceplugin.intel.com_sgxdeviceplugins.yaml | 201 +++++
.../fpga.intel.com_acceleratorfunctions.yaml | 68 ++
.../crds/fpga.intel.com_fpgaregions.yaml | 59 ++
.../0.32.0/templates/NOTES.txt | 6 +
.../0.32.0/templates/operator.yaml | 731 ++++++++++++++++++
.../0.32.0/values.yaml | 33 +
.../0.32.0/.helmignore | 23 +
.../0.32.0/Chart.yaml | 13 +
.../intel-device-plugins-qat/0.32.0/LICENSE | 14 +
.../intel-device-plugins-qat/0.32.0/README.md | 50 ++
.../0.32.0/questions.yaml | 6 +
.../0.32.0/templates/NOTES.txt | 1 +
.../0.32.0/templates/qat.yaml | 53 ++
.../0.32.0/values.yaml | 23 +
.../0.32.0/.helmignore | 23 +
.../0.32.0/Chart.yaml | 13 +
.../intel-device-plugins-sgx/0.32.0/LICENSE | 14 +
.../intel-device-plugins-sgx/0.32.0/README.md | 40 +
.../0.32.0/questions.yaml | 6 +
.../0.32.0/templates/sgx.yaml | 43 ++
.../0.32.0/values.yaml | 16 +
index.yaml | 75 +-
77 files changed, 6765 insertions(+), 1 deletion(-)
create mode 100644 assets/cockroach-labs/cockroachdb-15.0.6.tgz
create mode 100644 assets/intel/intel-device-plugins-operator-0.32.0.tgz
create mode 100644 assets/intel/intel-device-plugins-qat-0.32.0.tgz
create mode 100644 assets/intel/intel-device-plugins-sgx-0.32.0.tgz
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/CONTRIBUTING.md
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/Chart.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/README.md
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/app-readme.md
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/NOTES.txt
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/_helpers.tpl
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/backendconfig.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.ca.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.client.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.issuer.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.node.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/clusterrole.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/clusterrolebinding.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/cronjob-ca-certSelfSigner.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/cronjob-client-node-certSelfSigner.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/ingress.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/job-certSelfSigner.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/job-cleaner.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/job.init.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/networkpolicy.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/poddisruptionbudget.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/role-certRotateSelfSigner.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/role-certSelfSigner.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/role.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding-certRotateSelfSigner.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding-certSelfSigner.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.backendconfig.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.logconfig.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.registry.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/secrets.init.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/service.discovery.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/service.public.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceMonitor.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount-certRotateSelfSigner.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount-certSelfSigner.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/statefulset.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/templates/tests/client.yaml
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/values.schema.json
create mode 100644 charts/cockroach-labs/cockroachdb/15.0.6/values.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/.helmignore
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/Chart.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/LICENSE
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/README.md
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_dlbdeviceplugins.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_dsadeviceplugins.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_fpgadeviceplugins.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_gpudeviceplugins.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_iaadeviceplugins.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_qatdeviceplugins.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_sgxdeviceplugins.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/crds/fpga.intel.com_acceleratorfunctions.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/crds/fpga.intel.com_fpgaregions.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/templates/NOTES.txt
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/templates/operator.yaml
create mode 100644 charts/intel/intel-device-plugins-operator/0.32.0/values.yaml
create mode 100644 charts/intel/intel-device-plugins-qat/0.32.0/.helmignore
create mode 100644 charts/intel/intel-device-plugins-qat/0.32.0/Chart.yaml
create mode 100644 charts/intel/intel-device-plugins-qat/0.32.0/LICENSE
create mode 100644 charts/intel/intel-device-plugins-qat/0.32.0/README.md
create mode 100644 charts/intel/intel-device-plugins-qat/0.32.0/questions.yaml
create mode 100644 charts/intel/intel-device-plugins-qat/0.32.0/templates/NOTES.txt
create mode 100644 charts/intel/intel-device-plugins-qat/0.32.0/templates/qat.yaml
create mode 100644 charts/intel/intel-device-plugins-qat/0.32.0/values.yaml
create mode 100644 charts/intel/intel-device-plugins-sgx/0.32.0/.helmignore
create mode 100644 charts/intel/intel-device-plugins-sgx/0.32.0/Chart.yaml
create mode 100644 charts/intel/intel-device-plugins-sgx/0.32.0/LICENSE
create mode 100644 charts/intel/intel-device-plugins-sgx/0.32.0/README.md
create mode 100644 charts/intel/intel-device-plugins-sgx/0.32.0/questions.yaml
create mode 100644 charts/intel/intel-device-plugins-sgx/0.32.0/templates/sgx.yaml
create mode 100644 charts/intel/intel-device-plugins-sgx/0.32.0/values.yaml
diff --git a/assets/cockroach-labs/cockroachdb-15.0.6.tgz b/assets/cockroach-labs/cockroachdb-15.0.6.tgz new file mode 100644 index 0000000000000000000000000000000000000000..8db8d149311b42c196b281eb65a95ece32e628ba GIT binary patch literal 34476 zcmV)LK)JskiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYgd)qeBD7t^^Q{YjuCvmSSTmF&s)votFu9LQYn>t?GY0utn zPYjWegoGj(0JNh`b3gliFaSu91S!gPoU|36K8-~Jg8?v@UlShqGwBbu`0V z4iJ9%)DFo`8)i5T?|3bDj7n+`%OWlRQ?ZH0tOI-w*Qp%inO5biA& zQIW=Y5hQp{M(D^=)w6HBrQc>_5?m23C`(4@(LWA`gRg__N8YlW!~_dsAUpKh!zumA z!nhjtaGK^nclHLmgS}ovM966>;hlpNq5@$gLLB39Og53o_!Ye}e@o7iX}kzRmIx{& zNhCV|=L-~JiN{!wL2t$sCNn8hG1}U?zP=vhSjBiO1|ggGXsDW;(3p(2wy+RHiY@g{ zY&ks`q{+0W#^R^?P|Pt+B&G@BV$=%|nPVD{(2T_MAXMvA{O@|B2vr72ed*N)POyxJ z1mN0UOsSk@V+F-Uu=u-|&(?5%uswLv``m=Pe(vOPC;JM=84-6c0NVNglP6F2cdPvW z>CT$}-^=p=eMb_)u_O_2t4;LmB|3R|fu27*z8Ii$;1nY?&S)HMNit7kEQxSQrS|~6 zyds>_hzKNS1Oa;jPK59j(?m#k9pf>HQ6H!2K(RcY5J`k$@R~pMQ5xfrM2IDbToJxN zoM=9UUKNnt8RXuNR2UC(GZLyXfYO>i79lw6qR z@AI>%F@Bq=8;6I3$3DDhs0qaq~nbcC*qtU@Tw;`o%s zG+d0(@#KWbQ%(d)q!NpqL?n?E$6|y&eC#2F&;!KDlnSX@h*o+p7MLpV+21^f}m=!bmH@}X@Q)j>~# zFo-@t^(j}HM8GB^G+zWbO#y|YI1`faM*>A;g0onnXD8<|X@!byZ;DkNf)S{n#U$>}%)x`jIV zZ-hBPn2)LCm@ky-L6fOKA|)Z6EL3miIGoXhpb)2cOk*mkh4Q243!2mEOd^_uaTXB` z2gme3BtkRHqifY1<0#4IW5N}#A>%{~E-s6!Kz(e)-i9 zP=M68{KquSdQks@NgN|V|3eT>(0HMGH(?xwIGho&iNp-6K_XWqQR{4?7AbU|pm`Qc zn#Kg+2+25}5)_du8WJ%;=L)3ACKLMJ44BB$lyOCO8tKd7ci&vX`n()|N58q;FvE;e z!b6fs1&&QnI$H=D;uy`zobd$;ae{Cx7#f?AQd+JBIoR3PZ~*@i+S&iB?&mp?N_PbI zCKxS|+cDk>Yi zVKlk4P}CB`i9$FNBtlpq)rVs30yZ=ReI8xUNP-Ae;|%x#Eiw+E40fA}8pce{Hqi`U zsUi|Bh(u$B7fqX$cxSer6D5h$fP=C<{q36ne~Pq8N(mH77V) z1a2!iRw*b8%`Ku?G+;>L7zRZUex=5T zAv#SMC#C_n)+L%#0aIp|9!vxkXijh=6%$Gjc~1rWZMzRWSK0==l}uGC z4Ihk;+Y6W;01M0-swn~MlrQMZzBN2@3?fjq1~N4y?)a6vhm#1PtTeVLWb-jiNVEyW z0WIW|4B&vGfReH_0x=<3PB|zc*QJhZmbzxBJnw;)BTAcCkqi>%E*?WkGb~WT5SdI! 
z2m-`6DpUZu=W9}d>CoT=$Aa|oS;0}ni4c|E{5|L;F^oJO%Z8Tm0I7JMnEP~~w zS_gRpUrxw1irExsUriF7W*kOZ6^+?+1d@m(3R+}GUkj&J1AQxEq1d|G84iY97A^^5 zHWg4?ztX@JETtL;MlTV?Yef-!gbJmu_^W^g_2Y~r(hFh2_#Dd-dLvj8=yLg2L6f(o z!a_!bbN3Ab-jIO4^~m&nyiSj|dUmz1hULQM+HW5c|t>h%if3R*^UmL(FUSk4A|#ZHyDO*u(P5|IcN ze-7r-8TU&|h(cmXCRvOGkpozQdU1nO31;=ulBr@)1+dZ-4{)r8en0E2EQF%G@5qoL|L#(+y9N^csW;r4gbov4URG>3(Wx-_cMQH+H+0de+s z_tifx2X19SU@`ZDesleP|8mn9L58&n6fF`wr(q5%z12$?Q$&l!A&A^WLh~D|`{%6^UQptU36h}4({x8!iHAR*Z>s4|BFqcY zWC{B2hv%E>EBasPWlEBBiNm)W7IhaL&>~$mNQPojK#24&o7=mKRX+sW6*OVtylD8Htj1>XI83as*)K# zgN{$Wec3bS#(O%?=DB{Z%#KiLyZ8!IaHAFsL6UjOz@mw$cpHqdViysXSTQ@TMgQ{! zdY2JS!DoOaBJV?@c*=}e^?aN~QzDH%u7rZ35iZ3hA~IBRP@4;EP9#+pevU$_$b}}7 z@HvSnmY_zcMXkOngsgoKh9s53SVKZrNjZ^Pvj!7pQ(H8-`C+Vs-5q0bXuWB72h0u_ z{fg0{+S4$st+M@BYoJ^JPchm$1B=KRI>nDb%TzqiFgFn2W{@LVXa?kc3R;FX2^Pz`0RsiKU5aBlW7$-x8z^GRN>Y}jVHSW4XoM9+HjrSO zK;v4)HX>fD&{S-qIex3=l^Zpw++VeJ0Bh6hG|og`M5|Ae`hNqJzx$@lOmG~tYcTv+_!hCrLmK#dU_gP~R~ zse7IeI29c^2*be)YKHHrgt zoG8{TEb*Apy4HLKK53we5$V}rh!f*hViPpMG|sr=9oEF)(kS%=LwTwEdkZ$*nneUtnm=akYuiB!SIi=MPXc53R~?AL~8JwD&;K* z$Qz_OqYJ%b~(zr8&dWunO4Go1vCkt!fj!kCgo zicJ8gonUItl==wHCo6Fjnk4}NP&m65DAGJam0TF|B4Gvw$4vx=<65hEseIz1>Z7W9 zqtwuecd=Q>j$5kmLvAX|e2xR5It}`Sbxgh`i$D`giYYgOS8tJyt^TTLH)T_f(^<~9 zj1O{vE{acOM1A@7nZGt6`gydk36Drvl zZ-y*p2ioz0`C>C=*MuMJ_FM?o&v%w3Uf&2XH*Gt_O1{onWb_D2hDs+hHj!p^kKHd5 z97@K~0U8=z?zz&Ra{*!eOiITvoSrF3r@rf*GewV7I02iLKB z18;vmJUcl)`EJyPDy%H+UQ%`lGdjTe#o@`b!xt}4p7*TN0UqDT<_qcE7~lA$@GR1{9OHCVn2s{sZ!ho~TMCp@nvLwv?(q&+m)(Ihq z92l|@BQ(6!x=k*;SV97&Gn6{@IOj9@!?Q$L-{|?yb0mpSHqfM4%|L-lIf+T2m_*43 zc|1W0O9C*@H;sjg z;N=#oH=KmlX_TAqoXpvk9zKjFnN+&Bi7FYOSAw9+fl}O*YMd%VZ!qO)IIubq)QfssfOn?&aP9w+E|uUTp)QGY)2Q9zQTJ zp|w|n2o#uMn#6e8(;ghs;`cqtcQ;}1p}0_b7KqS+DYaw{zUr(}*A6kp(W5z;KZ4K7dK;O7XXIT*l}-vA!I*Vm>Zl*u!w7q+!axe_ zSP!bc-GMEbX`{h-6HP;h)!k*)H>(+r7f1=yM7=EboWW-SXu$rh*yMrBlM&kM=Y%_$RtDr2P7MPVTi2k7#01U?zfa%;fMzEaU--d(*pXdBuYpi8TO zT#nE)>z{SU*_PcMpi4Yw$y5`wxHM9}QXD~2sTy4ZjRLo8= 
zVZ6GcTDER}%tcx5r>V}MXUnF;R!zemNd+stPqMSW-X~e_ldQT=;wa@NK+ovq%5>Br z3g=SE#pz;H$ZK@QVr4D8f&!p-MnB>NPl;03ZMfbk<~WW?+(TyHLPMD2_pg%Nf2Gs} zy<1}(GEU?U_-v9Wh-pF)=F?0Y1Io0y#tBfUk{D(PY`8{Aa9mm-5Vpmq<*2P7SZY0% zkt6RV$A~0Xl(S?G>=$#YY2RW4AuS;@f$BZQHLgmnn&SX3kA66Nd3f~w>*pum9iKdZ z{o~>Pd42w`lcU$qUY#9Y9KSp<6)Z1C{hhs8zl_g03Ay4dI-b+A5IiSHtroq%VEn4C zU20>B0G3|DVutlXvEl=|ak)ig=&&iF+uPDcn+{1ez^uP}tR=8637klstpD$z{SGa|+yH(uTOzzk+0X+EHi<}X>wVm4j; zKo*W$$7-@iPJktBC&LyD4mlIT2`vV9>?S(=f5j%!u1{ZKJi08j2yMYU2Bv1f<=Tk{o)PU@swt4B&d&sV`D$WxOTNl> zbe=Jy?HA2QR3(V6uGCSDm^#-0euReG+a{!oMQSo*qTOd9ON8W@Dsgw;lns*zm_S^D z`gv}C7Ci6N>>1>m8Jf~70ugde2;LAsg_zx;2vSbeG^_Uy?8{K0poqJQk`vjgM^e+Z zWHHGt{ktAb*sBCiV46`cdk7W39BJ4E{59imV}>K41_J&U*o746Wf(ZbqMOp6&*AG) z@iAAw&fk)2>z*mCO8cWCRR6;gy)>_9BzctxEUB1Kt-YOV$|Q%$;uzg{Iu=~4`# z?B*}dNPzNBH49|iXmK+#M-vW5_8wTZ4T0`w6e`YieDcxhD^Ly0eqaF>#}GPVHYb)$ zZ(hwgJOX>=x!(ezFwJ0*&hs~RlW~8z^CQiVoV?43Sf!o`PvCQ^HvqrmI3%ZpQx=`W z9u92TflXumhcq#9t-@+45Id^1UjvDtsRA^~;uyTttu2huuH`;QnUHLbUZ^EZgfdjw zm@FeviN#yt#EB}>%++2ue$+q>bTEPX3smzg4WJ#d^+4N#0WQjd57~@s51|kcwD_H> zYR;^w!rxi*;z4dOZ_Nmf<*axME@@Rbf2H`UViezBT%4YpwtIs`28i% zh%NmCs!Fi+ zCP8h5s1FSg9Ke?f=%sP~7~ByyP)uY*kRL?s0ua1(79xdR)Z!prr3DQyKM+&%y_5&D zWI$@)s#4Riln@p&1rO5k;g5(j>l$E@*ywqEFqQ_6ECp*pcC9@f$~=vtvRfoC=X%Pc zF><$9d#C~w^o|E8cR=(fM253qP9%=7#Qh#@uIjUzs6WOL%Q%kd`>inJaq#AyDPRQi zsAu+K1JoC@zVj;x-CwFQ3IqziNB{2sXxbX7ss48#1wq16&fYK3zx!YPyN~|eSBqt| zwKaV5UxS_fy@C06%ObgDchvtIr_?4(IM~_V83x-s!S?Xqee@f8^A0^4JVO6K^=hx} zo535w5`$-15y-cgUAgYOG{U_<+@AN#@2!aM4|l%)k(NGMz2fF@YD?Z!0ZKXL^oqu0 zN}fad2KUg7DdrxCbkK-6OP!x;#tvV+urE>zHmX2V?DS<4FU}Z~-_n?fg^*-kaGnQd zS3>J@3b@GW8Ilx-*3pbJf(Y7U)$ zacFVgH?RY0t@0*Y1aHuS*MF z2Lu#s*SO$wXsQ7SqPfiD7|iLi#0n4VueJpWjH^4WfRkhp&!_EA?U_+*DoczLR}YPj zgv`&Iu_Skk`v*dAR6vC5v5=I(givU$a5G;HJOdXvLBKj5V$^WXr;fhT406ts?*IXM zUvGcC-E-Rl)uK4bX9ll0h3UlSj2AW%G!OI3bGJZO6@8^lNl0vuogbg-a7dWIa$uq| zNzoX`aHh@~Q5)&2;|MK%*rswPZkml_8oE0Qd6RX~+vq8FX~lI5uizN2HP-AIuD0lv z<1i0awO~oS(1!&z_t1ex&rZ$}NhAc_=D{o}Q%gDz$#nh1B7-9ZIv!u2(AI|qiLMH+ 
zrbhxDpB4uz^Er*IYbuX&QZpBrnTwp6cFu39@|JFN)RPG!bBKs0XwHO0A?0B2LVA;&4XpmV}9S-gG$%A8)OWn}DLY{s=aJl}((`Ifr2at0Gx_EJ32_nG}%}zeG3MH%<`}iwa&DqW}Wxdh>}Z`Fpe%2 z`6)&1(nf9>B?7=%HR3@ISO+Rb!Hk9I(&|>1gPuKGqc@Ajg2kCM+9peY#+%ORf@#om z?MfT|Y2zUBX7b1a6aEUDEqPt1-Z+!>4i5}<)-B)CIsAcH#aer{?(E|Ux~$i~NdQj! zsbw`9n@*yb`uu<__eKZRyb;BD-tF&budv>47N>G&Q7XO|l{<-0fyfjC?w0W>h$RM4 zOLR&tHl?HZ?G`#x2~4@uu#}qk?LBZaEBy}}n+Yt^q6ibF3h7%skqy9aC7K%|binZphuYs~D z)P#tcImh=dqv2a~%262`$s_Hmp-E=1NZNlO@a5%j7coa=}aA73(lsL={+?QYhezY zno8C#S298S^fa2*T_Y72M>E1n(+*?9UZHjaHhBP1^X6oG#V=}~vD>Z%WE0C$bZSq1 z8WRpcF3cr@cp7AM8 z=zok8y8q}~#*P?IQGi}BHJuj(awk11f@g_7GE4;-#55#{P-@$w_v$gFGC?Z&_Q3z; zY`>WVj`^FFIt$Ygs7CZ*oBXJh$l;lItr7a=#mn!GPc$Odt<{Fw4G_s4bIXw-Nys9a zOb;GqauR&~=+~mmby6O))livooXBPb0Ql=`Drc{u*5&N1k+e)zzKOTm4x!3zbr5F7WhWQ*8bD4|7$0&KL%`ynE{KRjgZ(K zZEZPkAE4(sK?dN$GbbM(bD~$->lszr_F|({Yvp;i;{vA*GXhP&&vL~I(4+s2<7>PSk6QaTAy{Ud4A2>z|8p}a7>C2k^kl0hBTVCk+oJ8LJN9=wV)=*qn7N|{8AV?6EI|k8QNpet{R+m$&vql6 zDT32-io^@!`v)(KPWT?`Ji9XXxVI1rS-LnP`9_Y}NgZcmF=p?3+LM=y?{6Tbf>Kx1 zYSQ132uXrDWpL&Vn0f@3aV!R)v{~K98ja?tv^Jw``7+Pf5#oA>zDObh8zG!282V^Y^CxmN>KxB(;>VFetm3fCd1_YDw^4xzqA1J^1CA?{hq)j3v7?idXQ^43Qr zGKmr{UYuJqUQL||SqI+Zq~^`ts>zh_($QfP5gH4NhdZ2Q1oD#z#i@g6?6~@sX=rEH zl8-jlNjy2H(}eKSSt>Zp0yE^ogW0x$56v*^1gYVk0ZH5T5V)6;Vm=%6vSxTLo=Rp~ z9o^8M)_M+I{6L+i)5Ju@mKT!-8{$(B`I=3P8HAw5`fdZ z|8w1*YVMgmA&Q>t>=lXq>}$xTTpC_5sb<>n(H$y-+1vekd%FPi{C!IK0$tN2V%I)s zbApv!XiJzZ9ypX4juFwdsm*m|DhoHoDw9Qojzvee`ZItWp(lG^H}uTx(YEvsN>m2w z=}t@kLJ!Q9`se^?>t~Kwxvx!K&Dmx{N7eUoH@|-Rq-`GS09Wc|UcIG{7N>F#hfka? 
zdf8Ys2FNZSf_0(6*A|k+RHJAc*M+r&EwiMbF_n;Ls@PCLO~Rl=jVmc z5_5XW=9B<0;Q+l<$`K^K(#gzW+r`16VoF*xZLFcfN*TZ626#?2*gHWeWsyFpm+xfl z%yX2^o8#KRn^sKN8#Z1!)(s(X6&lzcza`S=)JuDu;Cxd0dzm6slk;4(t55pCA+M-A z=7bDR&@pU~>V#5un_IuqO0CX>2W`=0YU=CU^iHsdE31kl@&bj7b0SifM8)w#ZJnzo z&WN)Gl;;d9VAXn|F|(p~%9&E7D_g(j<6D|UBh$N5G)Q$f9OM{&3nUI>q&sXgCTn?J z(n6084gNO#Mx5LEj|_(8h4-fyO5#r=mBjB;EcNQjc9%Udk8i%T3AWlUm=~I7 zQEV40!_{0d02bFV+|n|EKvoL|To5{Am(D&ra6A*ay5hN$2O@f$d)3_ZGbEk_0&oj* zqupHF(;p7@tqs+3aSuZN%X^S>dCxR-L|)_FJ*eUKo`gs>8m9evFc5_MNlPOzT$Hwv(7bSg)8H6z0yPLtA zjy%K;mq$L28(Vq&Q_kLyP{P2Ozk5BnnI_HjSxp?xX`*Rsf zQ#i8m`1tU215&0iHjN27idhyZZYC#;&wCHtY|>gOUQ3N9O~CD`Az?>$xFJ!rqBSIt1$0KvCHwWxh-hYH_K zs6^Bspyx*ip2=?PS?3eoC$WYOIY_xCZQJmE0=#ZK9m~nT?k;Jb zoK8LK+%NBF_x)ay&x=#l(ehUNF$T)#7cWjzly&d9GgY#jfFN??6;QJ zg{iMZw!~BQPhqFuKyo_}mq=Md3EkK^p57%mr-$93ddbZt*2jksRrA{kxgz{G*SoRd zA>bR4Q_uZZ{r_X{dUIFVHpB+l7*aEG`1xjS~w=)^o2!GVZX%y`;zird6$h>RbR9pfZ^c zq>P0<7>7Q7?Dd@MS&C*^3b*H)3me1?ZY^e|TbafSyK`aaq!t7Y;sd8U;$5sdoanem6a+IS7KFFcPsj0E}(B{Tv0+*V`a4*$0_F<0ua zoRL*`BD53!)p4<06ju%=j9+6OX?X$XoPd?vo5*y+W|rjfk)>;$9FncD#1iZvK}`!8 zbsgGmRZ{i;eLhxd!J^CjUYJYto5J?Vo&wwJUD&7;)m3MA#*TxMovN+^J86&=;=>0s z#-pt*7#GFFMyp`5g{%O+CSx?_>{<{$&_c*ufTpjdhDeFT$T?@?Hc<-0h6Ewz$PnzY zJQ65kp+H!UdL2UE{d*GY=l&kQ{{MPL;*@YPkZFATHrn<7-M!tX!;1d@WP5+D|KH2= z;ltKfz31;!lTWJ@bq?_mgWgwLhOz4;0cD1$nPE_rfK&g2Bd7|=l5-(~=j7!T;haVU z{e~pZk`V1bfj{Z|94^d6{h$D*cwC_6_|{jwBb(I6wgD$H(Yp-CI`R;wsmTTQGttnY zyhKlSp(i5OX#|_QXL5~cLP;FyqZ4rW)LsWf1$u0vXN(yGL8>VUHwL}q3F2CQXdotW zo6tk2-xXQGbOH*v>_s7Oux%aQLf+U>am0fCn2%~;lwnn_u~4U>R|=sE?ICn!bkKc< z-P&|gjEsg<61#cX9QV@KWeDfifQz(!nR1%Q3F`k<1b-F%3S^B-XZVI5oBm#rP9es{ z>Ukn$X>oA;_eH|?-pm4sxr`${JGHz)e)Y&X^MXnntfWzkB@H|SFL zh10lpZqw>2%gG@|C8Ap}>Mj4@+q7r8 zN|Wi}?bi^Ecr~n3^i2od$@(akkhntz-3I*c!@+Rp#{I@=+BCw=rB@i3k{4QDvpyM_4N>=14P~x&MxN)N4U=OHze6P?E7t?{+!H9V2a#k=kz}y z)XMHK2N+y9`WphbKVLWtw(Ww_CO9xa1_wPJN}keCy2!m&F9ngdh~CCTkKN7}2=(oS zs(sY&Z#Z!1M2*kjkWa;cM(@#fS(?{cNwJ(Yx6((C4Hdv$ll^iR)w>P1@w)bK=k0;e 
zd5oiISafoujD#V{CJfY+6z!;A2aO0d&1i*`O6}KMgd1i1Rp+Y%6AJjp0X|g+!l`AN zHf@KBL4*=LHs{(j1{>%%Bp8>6aXQ23H}ru=m5=Wf*y-(yrk)Rcv-Dww9y%c8}d}|!A2K^s=`Gh{f3RbBKuf+Szq#4tGyG|^ePF}lW!JU6%g zrV8o<<&yQVKw-=TL8-kV+w4>m_mt!Seb27R72%tRLOPS8v;qxaZI^9N0ogjFHdY$q zGng%VWmmyW9!fG#zlW((f@t~r!nY#kdSq(@V*uP>f=36a|CNI<&`JIE%=TfhX-))g#LS2#^cAlvpFW! zcI<#SsF+&A9WOGbyi;<+0}N0yzlN>qeD!bD7D11#Zf&7#c&G6omz-a1f#9rHtJxgh zMj{y4QWIuy8ykp9bKwDRsARiJWi2pgWn$_wUKZ9i`l~SiedU8$!@O;*+I0k*@Tm(= z(3_-%LbF8E7_8Utdi}1~@7=B6vQp;ykW5~wJY!2oYfHoY$t0!HiUzGF&&m^|8r{ca z%0lx@$WksX=g6i0I3_675z#jKB;NyB;!SMO7%W;p<=yrAbeGh2tB`lfYF<*&bhuEf zb$-hJ(V^{bh?7UoK-9+2$;Z=2O^!3WvSY^HW-01l4g09C+wS}J6FOnNflAvKHO#3_ zk6xLl+MZP(RW>L(u8KwqE9s8Po~WyXegbPMI3{Qc4tuQ@_dFu$W<;kTG!R@hY_%iN zF|NbvR#2}uI@fSV#!S9D?T~>hat7YME13|rJb7iRExIy=y^s~vf{nb+tu2JYcTnjf zbjK#&gSzE=jba^Oh7+5053>B_Bh&X0_$~VTMVM2KgO#^Br%5KzryRrT-yQiy-IwF% z4pe%%fiJb9oAPzNp#~FJgm>W!`l)$MTLGYj@~ZyTNMHqN;sJ zG^IO{)D;GJb4p*0xNA;9KV8?00sdZ(;HO*ww!zzwf3+`Nh~L-ID(RotBw?S5@bArm zdjq1c(7b0X3X1uh^iC%_U$BkZma#C#g*ow1Y=T7PgmD$8v&|G)oG4gI&K=AKi%q{buAXQ7LcYF(;_K_3f?LuBOjQkHW!!ywe=M`jAM3f4q{wZYF_HSD!9g9 zXS@>wl(Px#8tQw`_Z3b7s5U4Lxw|V_@2)AczGl^bXb5@Q*%=H6J5}%!Pj3r%IM^8s zcQ?`Bp@r?6w@@mfbH*-Z_vJrpjGv&GP0QC zd2?}7ow?H+=qP4Wok1Q>t&Iy#qcjLMox=IQTpYFW;_j$Dj_4HiCp0F3iK-BN)Q>3d zyN;_IjvnHTnzwj{#VIFB!+30+l+INtZb)!5N)WemLxeU^b%6swH{0shBD!q#`kuRq0ExExYRGtF&5c@E68a6j z%b08l4J|d$g4A-zU0im=MC0k`+m#owjykF?<6Lp@FJxWGQAh|V#lAv-)&?4G)R*zO zgLjbwa;Q^ao0~wRKB~olEg6oV4_`n7?27Q!$Kx8ufvw#zEO2hXcV^M8d+Bu^E938b zEYLt--SZeSRrX~s&t}==kxzI5s$h*4u1!_aA(>th0I zcBx2h?xkc1BS9mgR^nUd{>3`yZ|PH=k93iBO|nf{;+3(`L$R^3QG@P>vINMj#zlcQ zu|sn;^(0zptUlDjTzw4hb056?LLUG5-!Tr~k|fehY_P!dTb%-4lK*G8v%6n8|NC^E z|L2~bigSqK)XmvaoVOUEFlJdam_mYLIKgkuNc8k29p7k@(KqGy=0xHMOFZh?8#_9t zR50aXH+IyJpuwtlP};qRdPd^;K+Lw_bXQB0=JeOV@{p!v-HiZB__inRu6Ch}y|1qJ z_C&#WQLb&yhm`^3dX$|(bIF6l3vDtFCs)TFss_f2l!R&!O@?aUg=h?Ca%MayPDXpf zh4n`J$trWLsI7;T%~7i=S+O6&+g<|HB4-@vU(E5a%5PHJFO93AEYuOiSqfNjJa)J-|P!jk+z 
z7Me_OJY}59*?feaA3ZxigqMQ;hm6q9{u8)DcRpu{hHq{t6&a+q)d1Yf#d9ee6vsya zUvmMQ{+zVnS{np7LTx5TFR_jlRbgAvT;A5PCX}ve9?qYin;HHIpAPb0C$YSR4zNuA z?^osj&h~Kc$y)y3$8%fxe~-djF-eoma4o<;ua&sE=&lFT-CTV8qv`-&Ch(M)c@9uS zr&Qt?LM-6gfAjt=Ss;>xG@TJXxA(LKc>>c+&e{d~Sy`NK?|pqY@_f0k5+{e<#=xbw6o|97_c*7E;8p5Kf8 zZ}`crO#hrot#yaH(j8XT973!Iaz*R<55sT2v}Za0Pgq25=K)^A|978M`Ty|glb!uF z|G$stcVz!5LR>TN- zf8V|t?mQiA54HzG`^H8x>u^bZQAww)TororLmG5U@wIFptzNP91&ocXeckfB{{)eaQ z`@iq!S)%_n9FemJ-nyNk`}oo7ftsw&SWHTaBOl{%pyVy%Mlu#DhgVS;Yx(2X5oMoG zWz^S6^^{b@Dg93IGBHBG^xcDwW}5rI0%&{vL9G~_CUEK0yNn1aOzA7a$GRj0hW9s7 ze@dkK=Nij!*8g=KNY>$5%KyhSiD+`GAmC;EfB#9%|GPUJuKE9cJfDmIf1}B2Ee8JZ zVt~cOm155b-{`UTMh5rwCch~Vh_wp>`|DDr@ITbnpZm^2wvOAR|8Zr-{(ZpMIn(R2guHfhY13dz;XZ7naGCz$#8akQ+o#8dR~W515oX%@$p z%$DMp=7np(FrSu&MGcG|jmpa)2(jl?U^m1LyguFL#Fv$10tT8+R@M<#eIu*}Pw8<7 ztFp&36i#qN6Cy-#jj3FUT3-BTOr;NA%Az1kBSmlK;NMc1DT`h~jSF3&3YH{S)j8C} zeSUFx@%-CYFV3G|ygoVn@p-8b(pec+Ihk5-K|wt~Jv?d#?Y&^!3+w2`tMiNJXRn{V z{PFPkq#2-ZN2dg`Y_fQcWVWgz>rk6N)3e0>gRO9gytsuSxXk{0`gEsa|LqQ+JYCy= z_wn35`(vA}cK4QAS3B+Qt+e&glTT`_c`s;L8*KTrHrUn%+uC63YOr)0z(~K2>zSk@Cr{OH17i!mjwVVko!!{|ElLdo@_r|pZ~j; zr<(uGOnmi%fQKnI*ZNgU>JLRZri?$QoFUhN{*aebgbCILT)5aC*zD#hez?SzOo+T@ z{4GtUMeNAdvBtG#SNaMUsfcgb8d#t!HK}dZQVL|Z3VAO{0*#i-y4I~}&arNbl&;ko zb4`qfynkhL!>|pGlPN(D-;%{9dZ;s}dg#GpzuAqOs32Bt zS>1FPV2>iQoH;ZcoQYP>}4$kAZ>J#ToE>aRNNNofqI? 
zn;W2k%M=E-Yc2T;Rbq@hXOr@P(}vb&Ot^k2L(b~0kB*(vN{FkUx}Q)Xm&iayxpW3* zSXnQS&USQQS!hX?2T()9g>scqx6fTMKQGMYW#)G4Vv&*&I-aL7nUh4X@bi>}bV9>U zW={b`XASORbu_#->1jt5E$UN@Qm$`R8*AbW`an~yuo8cD5H1i9kOM_e`m9LX7^@fcVq>v?oMud|HrI<^^ zChld@11Q|LO1=WyAEA_!0JQBm-c)~Q>6ByRh%A*2t_hvaWPgPEdwtL6h{QyaAO-Ju ze*|a;A`3%8A`)%F&k3e6iGCke$EV+VEbjzXcL7(UMuf_PdYgg0i^09^0N;9$3(2IY7J7PRb4uv^WGu+2(P@KG?zYM$r)qPN%&vWB^$SkSKlgL zx=q|PFE`sA?zA&}(STI~Or;9DC0 z=2^D?JFM^j?mu1U|GSsxi?;tQ4gRtG0NR9K+xB;0+t*`%@66hFXb-Ke{yV2=n#{6kA~Nu*Rp8|LcKTJX8kOG8tuP z?QU=H>{ac*;c$Ka^Io10AJ9W8Ot!7#gv#fJ^^6YmUGwA}dK{CaaN@9JGI+yivVpek zW${X|y)TtOmx3nKn1IjhQs?{8O+CXBkFg-&dsPM_O{PwpMKlAII?bFZ8eTm`OVrcl+iL2 zE7+j`_|sdTiurm^M^qKYE6tNijB5k+l~LDs8>=Xz(2YO31-s0keVKfVX>2cwP*l(7 zG=Wk4j^mJ=5>8okPC}MMqO_p_!`E88GWPCi46uH};v)Teu05XKZ{|zA8lhOj!&z#D(yRpR9S7<9AUES%ezoBq8XA#=o+up8!{c7-*Ec(rEh+-U1Up{-? zdh+yJ&gS*V=m{lpl-~vJ`F09{^Hz!va-FlyThUEGpikzVK02dWVG7=yH!Y(1)6MD+u>*C}JMz2iK>m2}(10@bIyxgc4s81@HgX z^L{KOK=GF*hktv^chje;PoTw15K(?mlR2#|`Oh{LaA^Y4nY06`2mO@`0C)Ac`udjZ zX`QmIe@?-J4<7~}Ki(XpAeb>B54t+qwg;U`29536$K}$c+y;XwPs0ICB;g5;;T`%7 z(L_GkLrXeZI_^c~APspb1H)=HsW|0yj`^Z(@UAGAnOW+$AuR_^pqT99b~M&lVCNtI zYq;TEo_ckY_sTel$U*<%fA|09DMrE>Lk~3*@WP=J^vf@(Z;JHM!T*N_U-b>+(VSEW zMJo%JPxc32q2GS1RdZRZ;iNSdtE&F`>)(`YNdU?~HNU(=GUf!o_4Q>!eI0-v<_J@P zl=-TgmJE%F+x8~nMDm3aTr?@fXWs)Bge=;x;}NlhR9=3p;^pw}ztu#5nd}D9u+)R^ zKKV|;tptUa&x?0)15K~aMe_{hg3P|GUwj!Py8Z|}D%(c0Uiv*(8w&(W*%=V$2nTXgdB0zLmf z$LAO4&}UWM-lK_rKEC+A5su{oP$R`cTr=JxIn;A{cz*u#%d=-@6y3I7+i#Cr8*CSK zr8bf*j@x0i2|8T}yH5@W6xE#PRXPkvZ6sH#++n5~EP~RAvg<^z9H)8psPB+ z`O){!pS^m~g>+xr9LCXW4Zel2zI}OyzBxSl;nnGqK{-CTc!?gBK55`e0y6aRBH#fOJ}oxBQTvf-P!Y_S7&ER?s@ykmFmK^3~cAmzP>7zbx8rA zM)<$}u@#Z4EhWag+mtOfqb=D-0eOe|+kN!wuU=%7t+%RO*KUB--fA<@wVHCDVN^0> zYi4qd1gln6qY3A6!`(QQ>^$m=k&oUA1cm{oaa7cSO zg)Vf1Y3kxs`1HG*4an6u+3sYYvTZPa|2xuMW>wFqcURFnk>GB9M)?SRaJyX(HLAz9 zv`4jcKJ{5c)V~MbhLMbg$)0exD1q>LLqbU^@g9~YD@#TrUFQ&voOs; z{w0V-6%%~A!qJ(w2-fuhn%f+px#5Wydt4!9Q69Dj5aw8hvlpe~A-6vqa+?9G^;k$O 
z$s~&fshHRMM4-vKtGgLM(&CZ^4_S=Sl&7H|k@E7eIeb<50-;ICu6=+GmFGrhj&TMCzUP2DTJs))6sf(#Z zk9`etlEyT|!tT{?prMb%AZYG?*tjxJW5%SA9H)Pp$!a*6b{DhM9PRC69g-m&&1r&O z9fO|*qEI=T6FDQ9VI+-wZ6;;93SU#@D|~I00PMAma_5g<|4&&IQNc6V*coThl-wp2 zz!Lp`_;k0H|9yXZegD_JJX)_mWzn;IzQ2L_b`IG;UUEHzHWRn5hW!onSdjS@;YVzq zVop&19|yz1&M?^SS1y76AsZ6|Wnlh=jULyg$l>-rG~D`}m#AHfb@Ln-s{iloKUwqt z`*^-w{=dEy%6BQ$&iYcQwJ=-@!}W7VPqX~Lqs#w0*nhjb)%zdzclXx$Kkwyf4@~?7 zV!f5Stj)ULl_a}^P*a1fM^shA=o-Z4uj@^s+dR$ue@v5zCeu4`11{tLd;3o-_TTRI z_U@Yh-^X+3_TM*}Y}RhTKd!uBF)^oUth{KM;vPbd7P0CSi){Rcgwlv74d}cS2MD;Y zN;j)f&L3H#bmRZGa|15(|7};}e|LsYhU@+RdwITi{=aqu`rLrKYd7E@R2VkW`^`mR z>xK4fLHMVBmdgK6fB)-nZ)aG&|L4im_5Rir#p%5pJBpMT)kVHXpsfY^5 ztu7gIE~6?%JZnI&X;i+=z-|9GG=8#2lCY@Vf^Ruhf(K_);EwP%i5>j7o2Fd+3mBh! z?f+#N|Bu=9w!Hr@9r*unf2Vr>|HVEFuHiP!9TBJ{X2PD`M!);Ig|HH&AhlGu$ApRWNAV{l>Vy z74tE9r|~Pbw}Bpd{8k(2aYDSMKYr{5L2&o-?4dGhK7253e*Ea(<5-q#4?m%3dw5IH z)>6MD+8*9cwms}9+#cSEbStA0vG6V7T2j3cEXggPLG=ruYI4Z=P-emrOX3A0@2QYFl^TTFqh}}Qh$NCzA|O8$!Ql+0EJ8Ht>AO+S&FQmq zB9X|#8Im(B)t3bdaRT8~@fFb(A#2+sfsRiRjv`KkAY#yafR3fURaF@TreTa?hNEDN zW2JsZ$X*wEs;_^Yu`G_D{FtCjkO)PTlTgNs-UBpV7!R#LG(mGFBnl}Hv$@t~#h_Q( zcf2#t*4mwQOLtbC`P|S1xI0&wH+t}uy&Jjs26rh(5rx0aZO1s28IJW8>}X74cJ17( zY{Lf~5Z5%0k&ti!vy$GNh!paeBf(g*iN+9uNDM$K(3rEgaI>U=CD@#xE0duKv59jn zu|<6*WhzEnTT?1$*?17L`BpK5?w?eMjEJrMub({Gfx32baGcI?W!lZX+9b#lxOOri zNt800NKwk*_yFl^91+eWn`22sG-nBw3~m8p6NKX!S@IM5s^TIeo$4{qlEmJu@IZ|@ zTxad(4XmiOX_3&blC0hNLfMuGIaaErgKfEhP7MB9NGvn4b%nX`6=J-+A5^~JPz}Dl z*RYmUsF`%@%fg|_l_}chSqd#j9ibC_pXUSgGeOrlkuVQ%dAAv1m&r?pX7~z7nDT;; zqcj`GRLlq@671Qlvju)jY%FXoX{T<3T#>}NL45Iu6McEymIqd48d_LGpyjGxh4wVn2etKFDZm(jBT1dkDW=RlGExC{M0< zF(YV>X#&+ZVX2Tv$)V}l>5=&@&?ysg%83XjF}`9Po&WR2CW8AegM>wvAxMrV6B>e? 
zgA3JP9NS!s#ib?Ag_-2NxiB;FW}(bU(p#r;$)>3zF`p87>L#$YE<1uAKU{WO=SI1V zx3TLh#Kn98t=P#^Q}OB;VS%nm9IJn41jlj)^AwSB zHbptpYnm@u|J^#|vWk{|m^7T_oN1p=C0HRjT4#Rsx%K2f>eFuj0iz6W>j7M1|LqNZ z`Ty7FKkwx+_Mg?vsX%k0WWScLU{g7Ulo8?iO@P{JBkxnDWIuN7GqC?amCdz09LEc= z=a8}I+&sj}j@0^cL?;u%6&J{Fs#OZYr!v<9P2+2;?T)NA!!o`AldYbepn{{TKeruz zs{}>XjKO7NaT`6o%hh3RHW^OSAmvQ5ki}wz9)0L5WuZUne}8dtdftbtPTQKR^&O!x zk$4csEQWwmQLr2@bcyA-T>7w&w1G#7a0C}vQy8hFQ(JUIfs))z9&$^s@U1;6}KUEPzm+^ z(N=8(si8xl`(EMLR=2-(TT2Rirp42Q-txMjbHcLx&{XNAw=r)ue~W%uq72z1eP+NE z&tK@JP(EkSSh<~k)*9!Mr&a&M`egNOQvfcD|J-|0%m25(v%l8=?&G>iRGvSAw^t2LYt3q6kf3yGbk0?w!^Z#3< z09<#h)m_tgt=0A~L2YlLif*pe#@)kZ&{h>3e{gO6 z?wcJzO5h}oX^2HRqRi=_El`fx(RcNoOO7R(!XVai zBe_7z#q0e^S){K-nv+DHf?d{#kf&^UzJ7OGkau-?x<%e}+~E)EiA!T}7o%{yaaeIA z8pq=6GC*esuES>R4WPDS?N#AirEqC`mDcR?_679T5)0{cLCZW@ZK;XShXziwIM#_Wa`LOj+1BuIW++%O!D=*iQxG-MMMuBiCm*fbbX6f22!&mw z^E@r-d2Jxd7RVCe(VlU-ORP3RG@B3G0t_Wf7e~-( z_+IBPB?9zF74P(>d09Wekj>{fiAK&Vh5go;CR<`wc^ib47yU3r!31qV54XNTTlx6v zPH+7Ug|j(}(DvT;cKz#DgSTYScVLp_s)~so$J3Y3UY{KP`276z@aTD|1VUG;``>al zA5}geeXQE#LHB+;g%A!aTZ)*I5@-pe|1Xo@TqDkFm9m|dT8dPQS0 zCC^2OW8kYJG{LbTrLrMT@tDR`QX;C|i8xE^T@29Six;K0sckCqwZI9EUMBJ4j4}Bw zjfq$YN#=RTOfep%B?mLW;%rWSRLe;C=dZd1)H7G*^#s%?qZvq`(^<8_Dns!5yYt1C z--uc6l5~T#n)nkaOcdLz zsBcZ3b6Ry?-@MTV2G%%Ux>@Jbs0%-=)X^t*D%7DfeRrM_4D^6%z%|vIEiE_i`jJX18FtM%BU1|%BUb~hn$yeH23k?YwmLw zR!bYSRqU7IS<#XySM(9+*G;YX7)UJ0%5);wL{{h|x^|`!UA%r0D95H) z#}|ZqRFyj?%%!BclsNC2JnxP`Z$YAsM7p!x+|n{RR}VI>H`RdwH%a&|a5^=!2DY@WGU=CRodYZON8W@ItoM3Ol6JK zbyrk%duqA?72Q-jYHg}F%Kiuy%4${CLu4g29l?W`Um{4W1=+d>< ztB_l(Hf4#U0O-D5*@x7of^f>f+KRCdCpyWeX|ndInaef-S*715eOB3X=Db|F*9bj8 zCkAfMQbvA2*u%cw(}2&41k?=GI7{fN>y6FPI4q;tpvf#VpmI6M+Lumr+`AO+x* z<4_@v#4M8$yG|f+7tGSYqE7gnCV=~Qs`M%0ltt%o4!7)Wht#I6#fvV5Ev}PjTz8rD z-FCpg!AZ&lm5eJAAJslfJVhTr_B(n|y17g+pVq8gF(YwY^_GzEed(1xyPOHgp7k!n zF`ZBnq01Q)63&+dlS_yu<5@^?JgQWF38}EuqzHsLNgl~OWmc?+Axk0XEK3T|7V@AB zssi{j2;MN7T%w~F$7mAcsX{_&-XT*IA{ip@aVX;j+J)>Ln>OcN6~o~GeUGnbGA%%Y 
za|T5uC2-{+VhOtR?Z;eJKq)>&7144!of3|+BqBo5xw6cqiLry+mI^8)9a9Xf4#mxL zMg!f{C1%|;Xi|QyC^u;E+p3#^fD$$f) z5rHy+Seh~}Gth(b$;eWRa2*)%H)z(SgnWcJLBPo#D}1hJSduHk5hqx%WTV>4bE0Te zVj2rX-lwtRNfA;*R3&jwvc(yR=XwKKY$@KcHT?R&{%iLEWLpf`d`=P>?C*d5^uP9p z+dCB=@sFUQagz5WblhRZUo|C!PLL8A?@PD0pi4oMX-ptn#bsTg1riRNGBvPuB{r{z z^t2yTzJ2iAIs}y4VDrJZ%gswqji6Sg8Kts=Z4*6wjYbD3OC*iat_PBX>QthK6m6?Q zn^w&FD?I#gesOs5{M%PA&Yxd^2l`|1;e)FE@#CQU@!NksI{^vw(4Q%?CI5x5?Pk2Z zE?7q$@ll0M5UzxQhb)4?EpVVjq7Qsdau3VUBPx_6Dgg0gMM3i$}fi4SH4u)|tn2Umzh4XQYNOyj_Xs%<+4*#@`0Ys8>b{$5TJ^@s@1l zLaXvV1)WVMg7`_X_`FJswx)O&2XiuKe9=V7R^|S}&a5(KQ^|yk26E7M9g)>o9Fu2GCo`^o zb8`$g_O;bhDZ&|1qzy^LyO=^Wp_1bG8Hw>C-vQp;E|p2k`@{RoW=*YTdb4ReD^CKI2Ke;DQ zH_T059=Pl9{Pv;uylRvspDG|;%c#(urH;vk@%2^A^Yuy?P7SZ^@z^w!eT6wx0+2 z=t#e-g(r8JC38X3k4^0_bzpg4tnSUakteImSokw8w6V!HmsG1esslQmR%s3R9bqhd z67^=Tt<@x~ukAaPu6J)FeyAr$SZW$JnuUUdN<%y4Y(nFbn?m1X)<08r%$z(kx25F; zCgMBJvQ(Mb+l8Ucv*fV(!z)3!@BIl&lo41m{n|#iE>xH5;*W2%mvL#TUv8{QjaLQj zUD(8BBVX>iE;ht%Ov|8>Xr|fFtecs>#jwm$^04M=W}6!yn5u+#EIBUqaOrueT-9A} z)A`O$HMtGikGlDqy*ubDbjh0wr&~6h)&tr_N*n+O=K+)u7bEmb|BT@1XHF$~nS`YO zYni1j$Ju;dyMR>If4f#C%*+6fT-_xgU+-7^m@vT&_)5BOwO?el4FFEV=Y^l^Zv41P2 zWs5>1ea4vdyTCm=5pBB=Ejtj}i@&|Mz3qeM-+D0MG@s>+$s56~?<&;c*2~o3)`f6& zte0*zw2gLYv!U9oS9h+a`lt}1;WOyYa(&z`&&OS@J=74Z-?9u_6Js`MI<+*eL3hkvH{N2af^UL?%Bz!U(VJDSne%SIh}|AW^_3&#Fv#_@=>Py&+x(Kz5hMgZA_e0|8~=L$ST zGc&W|#P*q}YZA|<@^Oi|pf=iHX+UH5KJzC(;VAI>kYZcGJel8F=zERm70g@`xukbmHHy?r0K zZ`F?n{t5(+u3FYmQN3Xj1o0^>6Z{k7ix8ak5DvYL*YQ1c_7zW(h(OAmvM?5<;FMvQ z^H?0u7653DLnzWpRn$UQ$k7%7m0~<|2Atq~$k3zfO&K(&l-@|TGS}Y1bN(cIYV@&Z z)XiD%^uyUxYJT-utN*)uM@OAS{-^y;cmGfQ|9gD?{$H-^qW2^w9H%5iLmH75I=w=d zSGVZw^!(OCeb|H@qd`Wa&~g&x!v(pn`__3@nwQ^^Xo5gRJIoDoSl-kB&NaeRULNp#S zK2guWV@bqjva*u$(`%_9q z&P()tUJvSeubr3Z`d>(7kf2SrS!Edv36G%RG#+v+Ql15A#tC}C;%Fwf6PbWafK`X5 z{;r4aPFZkIIOL3bpm8YIcWKVUr8wAm$Tfy=+0}Bb)*wi@apZwaAqAUg?{{Ax?0U{i zbUs8gmK6#AV0R(E;(6YhIQum^zF zmxSts;pScMq`2H63hc%`1z=N_&_J~L00-?|*;TM50=zVe(1^%Ei*}?vGf4pdh|7kM zuPMh?@jHlc&U6>s*$=G_h5>opZkLaQ07k&#fF!ACbCV 
zm?3h~h8gsxkzuPC!x6nF(JY^TQfYG1amwgDd7Uq7~QF?Hv%>X{+AclZ@a3A zFn`%YjP#!z$6d@Zs$GwsIr;HSGA6kUR6GkK&U!M6m{bKweNmh&$(Gn%pRf>s+iJy= zkcu=~x?cEVF+G&rrRgdZ0wvuC*^MfjWQYVw)%wOzw|!vt2zbDz#G)`)fGLYT^l40D z#IrbFTBu~-fZ7rS)(}BVwd89O(SW8AHDL)IhvaRR>@stc75mBKqSKJ z%>el`|Pwtw5Zxs|{5-k&*zS}e7_V;9tIcTJIcy2y|9 zNOw|IPWOq**?XdLq`2MtS3d<@zLA%6V&uM54y*~Ko-JmhIf#NjRs`fBbSlJ`>r~_f z2V>c3YkG8AuRjge-gWQf{8sjC@8smH-$x&=PS5(#wI>(7^AG6y>f-$5hf=?*Kh*m4 zZ?A58?`2VaRcNn&b&2$FNv47O>frU!Ycd$R!~J2$?RLp)7Y_~x?!jKC+rh6%r?Y=3 zg(sDw?xs&yb`7UQ%G&zk9n0bne$pzeZQ_g93{R2bIK(_$YQSMvXq?|191aftNSxi8 zIKyxDI^iFPb8iz)ZLK}aXIxo-JI;BG7!TEcLl~=6KVh4N#txOwl-G@gwL)6JMMm!j zJcFfH-93?o7Nr}jOq++sZ1xbC&{7d|0zLuA?#&*QMQQJaWF4@z3bj>jSQ|Ndp(VKM zyhJC2r>>$V=FUs>0mm7RKrGMfceL$J%Zu`WjPaDRjJH5V24u!8lgI*! z!ptx*z;2Xqusns4xyt>JKjk@&-XF^L@uK5EMzY&l$Rem*7Ku@5gIVdhELAR4soi7? zbpn6cD8^EK0tmm$Lf}pUB#g)Ugw}I@U>OQP zeT#5u9A72)=Zq|Uz3|a1&ECFPQMNkVTv2{`LzqTlW!d|>?7bCbTlXIq-fC9%zMiaV zSeh|v90gS9Ed5C$&EQ3`YZtcaQE4>FelO-~`2clk%6jMrZRDB_ku+yvw9&GoLVk}? zNQXnhH8odh#@vC!gY5zs+ zp==~f?nBD;-DmULWabJyByLDKkj>1TzZUuxp4D^54R9%CH~a+2kllMSd$UwdJHQZz zQCXat)-c5%SFV}Asz5!3(TK!^)4*ONTwRImf0aj7$w0l)UV2h1i%RHnI6nq6g2cpQ zCQ{VhJMubS$Lpes6;vI*um7tznYnq~S%XI**QnWe119v+Tm5?FAIf#tdTP1aMxCgo zUZWG?Nz;j-yxyWqmXc$jml4_EClbgV6+|I`Zyhkg@-o0uBQUwTY}tFN?op3GPyGx zOBG>$ALWN0gBg@zERU9k1%d}Jls?FY(-8rUQg)25BEfw5qmJ;(f4(O(*x2N~(2}MR znac9X*MtPAGGA1gDU&;TC>eZSpc|L!Fc;K|U!WHGP&tNd={tqy-3);>2+~{;s^Ul#&C;X_f|V40QeHG5!qE$#o}vj9>vG#?p?2c_UZtg#fs8NjlwVb5r{op@yI=yeR0&i<|U)bab35B-tI*C%(RQ6 zWQ_N9o0QBpwMmwtWK`Wa6Sy1b%QSWz=@DPmoJf z^x1J;2vB^p((w*|*Fno~AX*u|LE`7g3YpVkac|bHnr87>z3s8~tCkBNMtRDRwrXKg z&_$cns0nS!QERg+%~cYo@LUTCW_hl)ZKvvqS&AMQzxRNf=}zu#>z_84!;B)9h1L;N zyV#awoaloDIJ}4v(esoI)y}uroX4epmz@h8itq@_HEd~rEw#gwqSnw{oFr?Z;{*uR z)CmlWV-ghls|?X|oW9(um|qi4WBQEp? 
zJzqrh{984u&%RPMA$2#!Aqth>2NuPAHW#i&!14KK_4@ZTxJPWL4puTyAFy-=LM^9Km^j^cx$JRwbDr zt~w^rZ7=p>%3i{p&)~=hBWd`fJI>Szq()K<@f8QXX_hihaa0`Wy4DbF53rztoBv6W zwEZkgLWtjR?IYk_IVr(Hv<0ZP-Yh2WVCJ%zc#iX(vCHhPgN6(-jUc6bifBA#(NtQP zA*>6s3$F`LwK_OLkdFerxc=A4uF+{Z(Hxvsz<@5Suur`U^bdXMx`mQVjODix8woT2 z5-g2W?Fnxok_O(c=bXpNo(-^&wwGKn)vQrgxCl5+Qqk6p`B7R;KgxbgrhzBMK2i^W zr$D#YQoo+#_+EQM8OR;`;A0vPNP|&pMFUNh>N(B_7Sq&trc}Mp zg_4oVzJbl!0S7mwa~-{y{g$UV#b2N3G{=0bNB6cl)mc&A{x+vOjmq0Eyz_4aKx!<8eiAHBa5{eT{1=^`3NHTKz5Md)FP^b5 z;U4s_zwCTYcYgiFlSZRgTtT_(d{LJ`CVL+FpOun|qIb zbAR)jAmSS$q<)JTpWw&@%&}N_=qe6Kz6u3wGGsheEVCxaOr%%`1Aso)1i=+aIX4w<&K_m7d}~=5OB)cOXsV@( zg{_F=oMuGtJt1t`>@4BtBvL2;^1Jc|20FqV?6eAFqBus$BNr^A$PR2m7g=ymmCu_i z25IzwArd5Haskyexd;bo24PfC5Clur4T;Q(S5QfjEgn!WEY9NHketUgejE+@X%X@TNEt z-fR+8+F9<`B5K_ZTmusweRk$(_A}zh1r(lnw9r)wtm9NAd$9Mv>ry!s<9Eel0h=T& zhRd@{VO-Y{4#=YHSX{(q=(%kN`n}LY(yvmTettlLC!ih7;r{OGIj#mZR9C5uKUc`; zP1)?N7Lql`S3Z|Z>CKXmPFK#Ad@AHKK(=6Y3-xTXMo2|V!P_nZ9FjLG6F30)7vXd` zQlxB^)%Q%~tc8m}y7SAn zudFV!9V-)QTPs$1I)~P(-!ZU2tv@^M`QPv zV)2TN$>y*oEwrK&T&-##kZIRjh_%*7?Sf56N+(3*H)mWLo2xSsu`j#y|9OFi1gDwQ zzXOs!NJCgP&ECTt}g+R>I9E(^7SFwN?xBua#55v^0Sdc2yATiG8RJ!30)B zrm_GcDzuk7KY^EDTj82|oGf4I(Lc$08`XM}ZwXERpI-J+sM!B% zmEf07*6P--aOdR5O+YK$3$6wvi-AijtD_25;J*9Pu+}ne9WUGvcVF7nWkva1AR6l^ zW2DG@*W%tg{QsH*w{VvT$Lr$0)P};UQ2cr&_&YmW$-4%X`HEUk)mtlZgYjdRuo`#F zw!-}rYc?lUtrt|l>W(8Ir*ZQY-foDooK_6^?Z!sB^`Mkcq+)?;m$Oz6!ugL1nvGbj&J}l8;NDUXE^wLG#;rq{K+JMr zKp7}vqnagbD{sX`+wg7lsdsaEe)(PvjNA}co5F;XAP=!OyFE@OY^tJZh8bMfG`k$| z#Q2-Ye|=aD2o6n?ixyavy8k&X$hmjd08el_ZZ3Lzh=bzJ!{Jo445V#ZTY_I~HDv*H z2Wv6ZZ65vFL;Vb%S5Z|9>*t~}ufh!;iN~vQEA4s%)pD6l286?g*(NK_YljtQ(SMUw{YttwPtl& zxQhgIkCL~19VsVXGu-FHOO{@9B1jVrT;R46Vb&ktzDaWFw~(I+IW^!CbOM)h?cACv z(@o=aic_NdXRGmDzTpkgC-tDuOFnb+DvH%&RI}y#k6w3d+z=H*`f%}fv}wf5(MNb3 z3H`h>Y^}Cjvv938l=9w@3)Rjs+PP5yKdQ`~wcW6UJ7M96{3v15aGxXpio*%r4Z-2e zZ~NDn<0vALuMop=1!ZwtowhI&T4IXxa4f%r_br=tL;c&>CpK=(M@`ntGe{qzV=vu^#spzLf;2LG~-q?i_o(Q+igSN4}IqDUugv|A(l<6%4PICv!gh&nZ)Gjw0w>sply>GB^ 
zo8#eONuj{?{8Usa7SJbaj$5Ugu?&G+$t;iWBFXb+@Fm=K9{&aK)!OjM)*ZP`=?#Z8 zuHy}wqq|EuZ_qCwo<&4_x!e0v7x|OnPFPqQw#0oNr-ZxLEL;NLtpol^amOjGhkcIj zuo2b;+=2}o`^+}uejs!-t}1tqKEay@0GY%&M=t1;#6*Z|&Iapx z3!SKJCFXgQ$QPQ_-yC-ZWVth^n=$8*Z-{#Q4}{!LF;BB(gOCfz`uWC)p9FGB_=Lu= z(!A$5AlHOb7WPTN;&5q@&(Ur1I2v)CN{=#ih3Di3+~7sHX|gn;=g8lGyg{;o{$Snc zuyZDII>CIVvIjtbDTlE3zR4!AvIKwc)!yOJqYk3h;a+R}*1!!O@M`dLGgY;&1ko8aCB{7)_K9CrhGSK?kHb1iSz)Ym9>u<|r{+R8wI>n zg8#bny7|Pc!d)*CuL}2uL0!fz>)R5yO6yYpuyu~ERZ1BRu+bT-!L7qo&#xOr>#V?C z-?vubSWC){*?@Zs$66V8ec#$T$67t`+Zj?CcSuFRri9Pxio8PJc{!U!{v`4)aMu+1 zI(gRvzuf_GJmN%%hS4U-3OLav6#0p3MVp{415OO?M$T?jJx|VmX zFiz@$e-hjYPREU+J?H3JzLKXmH1`A`omkBh{JZueJSHXFvbu)2?J;a5Y<#G72Fg~B z9)mlL;7)UW_^WZJQGM)lpz<_>--0C!9@4Iwo0DRha8R zoTY4nQyQR&%9#L{?uKyFvWT>Y^jp_?Wr&JAiOL-5?BGps>vcz`X=s3bj!snSy1Ra< zh?Qw=3hB7&PC4T%zq1qFl$c%GArW*Gdz0{)My!RjTlj6Hh7bYAi4?|!q?`sOL*!i{ zu`6BIZ-g@wguA1RhD5YSD)p?Zvsg&*D+*hRb=Km2%;L7HOSd*T%l*5dgzZf?gZpVr z&U)aV5;tror**cI^F?$pdPzQZO-buY@VlMHmnT-^R+Zn<31Qj#eQXu(RJ~iL{%ut4 z0`4>t>W*qN6Ca3tN)ePbM$1!5>p@fYsn5#6D zPmFt0r1pFnXp_L~{0#a%-D;d{pjoMfTd|}x!TlSIlT9mU#d^8e7?mun3imc=Misa> zt(@!D%X;9q+zQf$L1wFP7xD(`m;cKKcA!~h37cIsvbe=a)&loWY|wkkt+(9L<_(}J z|2M&1JHpJa^{%%vJT6CCJwl!eccUPjyw=57oD$#-aX3$d zyHPMp8Taa#mRd63($zs59`@(8ZanjcG>hiSzpSXByXH?L?STif8h0B#w2D#y`g``f~;6ZT`sn*;=& zx=e&sp{q;S!X8|KyY7*lNt>|}r#5cam#~Fh1xdzPGCP6n>u_18?s|C+H+vx8D2BdOAd6bW{S@Ow8p(a2 z2&=UY73$m0qbJ5Ji^7~91U3$G@GmlX35C0nXMHW?0AFvMpG#Bnq?gY}&Bu1q%QGK< zo=jQM7L}0-2o&=a{52py&PlYcrJIKrOoo#lqGHWNIO(lv!XwtGYRD5B(@8dws{d5` z1(%ARqYvsS1uC?&B;-WPvfvi{ss>U1l}x{#>=Tf}FPAz;>hGF0-o`y4IEHk! 
z>MsK_WSr4$Ry29aQcdd#2azAPM_u zZ(S~uM?tRcpcS2C<8IVJ_KRyfNe;p0eY2*eQoC-NJLS$P7V`RYXO8^WN3S|ffNzGp zZtkq;oC0^FuE}2$8>i14`Q2AfIdfDsC(5|46s^4vg%=8?U96&mS;=5nfcy$sV7PS^@IWE-8%K%f}L0ydFb5FE}BivwxfAo&%r&zoogi2e4^RUFOW{smR( zuOYs`5~5s~H3PY9ajljjf4}LWWVLh>7OLz5YfdJcNN1!P^Sg*)Z?csXO4Md`Dg?t) zQS2;{so6AKYal=Vm~aiznm6Jss|@^|TLf(Ipz%yVCsu|5=r9Z?ZEn3{5pEghWb$00ngS1}$v!(`VGu$iZ&^oI$ zS58l6oqCHcZeW~RzWUsFsh>X0_`J0)hFC`64A-pMwa!LLY5v_Yi6*XMM=7$WxrKj= zgAdxT#$6|UT8!eScqyAcm!NzQATjfhziMvkvv_CjsT1?Uh z#_yGMo16mXVa}I!35$0yiG+R}Mk#%+SkYh1UKdqtX(h>FxAE=n1~KvaiDH`gcX zBHU6|ech6+&bC+Mu5pd-kHqabS5v|{)pUdA#)icQQtWKS(0~F zVPzH+plmrMBtapa5=|slB70rpVKJn~hT!e_H0S=YS=$uVuSBCcjd66Zi=?UYmDttL zR3KmTqxmLs)hplGl|xOWBToANyg(0BorR?=U{XScDaUXDbMjm+@plh$SWPjfB!%1< zB1_~jCg!k1)MCET-Q;S@-;mQO;X*U|pq{XZb6e4(SW9{f(0JEkUvHYkcxO;JAGQ< z^--5+u1PGV-E!pX;4(W#idajNUxzGyo&p0=o(xeA(@B!HP|9a0;hHso#K5V_8B70r zE&5})E&mqvzq|T`PJ6e#cfI~u|6Av8?uyUfoVik~r#Qs}Y~nTM)lXYQT0e?lOePqX zl4SH_fKzNIu9shnnMlcGL4jA4{bC<+_8@i}wDIKTtap2sw-OC-eE+Sp@NM(*ZhP-8 zRAHWuW)bKG4bl1Kt#f^I{-JmC1N#2#hZY*(2pA|&&rZ%i^e%Sux}k&y6`x=B&u(sI z1y>98{;PNK@vQH>=2$oq&hEF4ex=)FNSs}qo!p|A=pQ#%AIkOQj@BTnNnte56$ry+1H znyd%=1CCQgk*MhKAmnC|E3ss#$zKLUq)1s0DFeiYX1*6rXpBCdYoYc6LwjTYv0OWh zu2mF`F!ajIz9EAZ))isnNg78F<`oLxZIqbS#T)zm3+C64fwWgM@>-1lG#+v+Ql15A#!0K70h|S6`d;D0{fU(a??Pd4u#lfY z4sdXfvc$`GH$deHCa?){lGWc+HE3j$R!!PXRH{-TR1t7*rW1D~wBnw~3aZ#vO`_PH zbu9H&-1N0s>8rTjEfV#^b*%CA-Uq4mhS0%ki@ctg|9_PfyS3im>r`^%H|qv7d0<&H z^y?|8Gd&@56>7+v6Ba%fC}N|Ei6j3~J!PCb&-1=G=iOJ`&faU({pNUo@3`}gcXW8r z*?Wb$5MEArJ7yvAM(p_T^(%z#;_esia90aF3DJ~dG-5(fX{&^eB0!W12xy*CbpoT* z$S*tlha?yTdq?j6@YRufK#oH9o5Aa$yLS}qcQGd2qwv+vuNqsaJH6E{@wA2NiD}@K zs6&-i>&WeUc&vmyASrhDI?&`J_wdjig?r(Ca5O~!jpWzuZl|qev3GR5cZgn$Sl2u9 z_IDjDwYx4w>-3HX{{xNgh@YclCsE!H`E$Fy&g||!vN8Whh)7z+Z!~$O1D&r&Qki6` zE&t>|NbgG)0gAxGKms)S-4NjND8B4uwo8q4|VF+#u8>BCax3@7-C?9XsgR5>%0{qY;S@=Ok0?%qg$1u%w6rY?1G%iKz@wC6 zaWC4??-XteX&JOb5=592R|C-O%Fomxl{;gZJ0K$(@2VwLTJcq0_LQk>ByAOZy8>&IrVtLNkD~ZLTgnYlur!cyk(th9&R1# 
zKy8o`i=&w$%2aZJu{XhKpbXO7@eD7*H6x`j7kJAJeR_bUZR9xm2kRhHg}^8+3tb9c zY0d2Io1LqN)H2SAp#RPT&GQXmY<_21h)6u8oT+<{ONQ$omU43@NcKnS^T%#-9P$E_u%N@Xz$ft_we8^ zo$f*BRrfEb^Mn{GKbf>u{?ggHuEoav5BWSR?VV4?n5T}ja2AKrsg(r3|IZ6ZZZc2` z45v~P3S^F3r9LbS4-cKEXhf%4vCCBjJeMsrW}N<;#VL-Ix<@$ROb9f|qLd~PQEQA2 zQN_^%o(Y%5NYiRjMRgp9D$k1C9zZ$*5=zTO8oFSUl$!$e2&?932F0^1MVu_8{NZri zraY5qBK69YAk2d?O-Ybu97l*v2_NGu@=#xS2i2OEtJ?(^vP5gcN%1`qD3EK3c4K65 zNO&~UD`gUquQZ)`jw3B!7uI%&Jr{XxU{>qu)EWND6I}IvPq|)*J`zwal&~N;&=Fu9 z$0H(I;Jp@O%tN8yze-X%k&Bhu&!H@(5&gFkmnKWleTc#N9TKsfZu;}{=jYGQpPxTJ Uzuo8m1pom5|7&O0l>jIM08cWF;s5{u literal 0 HcmV?d00001 
diff --git a/assets/intel/intel-device-plugins-operator-0.32.0.tgz b/assets/intel/intel-device-plugins-operator-0.32.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..61f93a0f5fd4b734695a1194c42e3f7627ab7a4e GIT binary patch literal 9305 zcmYkCRa6{Hw}8gC!8$oeWNJcMnc*cXuba&D@;xpNHEI z-&+0c+Wk;nyL;7MMHvaehx_M(F~TvM$fDb$vIGTHFsyT_sS=c+ko%+9euJYAdLC=f3N8D6S1#LY)rR+-Gk7wn})mHH}mdBe< zj9S*BW|Ujf(!i6#85}RJTP;~F(XSu|La3HN>gIZgFD7O1*pymdC2}v#;#E=AL<1SG zav@SSaz792kOWeq-eS?GeRBG?bC_vRu;nbUy0SC{dmASC4BLua+u}F)!0u^ef8pSC zcJ9Z$>chF}dxc55UNmE&!9=&ef#I~4D$-I#XQGham%zbv=L>k$-46fyBepQAo7R34 zG1Xj=YEc$-KLNq1f)G1i>dSnwz&C&QyaF_Gn-U2tnbOG>#ZrApmxAmh1c4}Y%KzpJ z1gqV1@ZX>eSkX_HMA8+TU;2!5z7^U&k(upy@0@@y8n%Az;IxP?_K-!Ven6fB`^F&C ziR;H>=?B$xkEWc#aYncx|=I8sSfE5 zM>!$iz1Qeo+MukWprtd<>R~AkSCS4VxfWBQ)Wl0qzms* z1&$cK&83$skpI;j3P*B;XU!w&iV&XcL&MA|A|fu%vn-oX90wz8zVpory^Z3Kx9dW! zOa*t>-Wi1QFI^b@8pi)55Ecg*wz35XKR=Vl)(R2|A~Yv^z<)$3;r0b0ee&ju5ATz* z)c7;^(DDL(B*cj#%?szPTW-7jxTe_0SqAoRK3w*tCJ8*R>csv0~WJ&1; z6K8dH2zOrYMt_zZAgq8L_!`{ac8RQdJi}fKexnxYSP!UoB;zpA#n4Dd-dxfCiF)*k zFcX7_`gW}EAz^@jk!;$Z%1V|iu8?F9Bw zeNK3v_S9D(8E;_t!iW2+vUA3>+r7+7+PXS+To0*(m=3GD&lXgwTPzdqN)iEw(*3+# zPZf37;xj!44EyIO{r$ET$(LSOwL6{jWs zyWB$WO``CoB(2f>lJ>%=Zech$`>}Q`uiw2x5mRztJWP_Xbo@PdDXQG1jtSzofC}87 zf)pYZdxN#paLfB|HFBnptGL8xth+WYDuyn583=H{gj}>b{5pL1U0e=G{~TVV#-l>> zi|)*duOR-L)cSd&6c53$2a-EuX6ER)Z+US1xP)6txc3q)9UiTbQ%|)I24`GYE z76mVXDZ80tj&5x3QmhfX+vNI+oEZ4>4#&Eh^2Ho&nBB}yd!dgH-lfjOc%LaJGk z#LJ+b)KFgbO_BF7e?T;rZSkI(E9FX{aCw@Mew=zVpei@}gI6u#%HXNBEfFaWDK_bP z$u{9;an?}!Aa0JS#6Yda)VnN2c_eBi2ZKnP0V~a4(KjRn31-ua7V7X`Efro)>r{eQ z(hxhzhSg5S{DY;TjqI-RH@ri({NCP_l3HV9{9KxtIb7FJPlX6`9Wg;g)X(fKgRJyH zG~};uIyKA0!&}a(lv$;VD5G?%z<-A3`%6)<33~*iw44O>_Ay$*RQKZQkEa-Db1f@v z_J1v!q6`o+la30LFe~qQnzrJ;mT9{v-}5r+88ZG}-ii&2>#yyiWJ=NB{~@o7&2&;I zlMRTa8Zq3AQW(z*z%@a8ew+Y&VS~ReS|~TPhhHkO>bD6;^5d-xbxDVuxF6s#-l`4a zpXFb8dj7CVr4>fz@OZZ~SEWDOEd7G(`EO`?+x zUs}0#_ugcGn5dIsn$ck_ZD{%&3E1n^ve}z6p_uV%va-QX4>kq7HfT!=CMi;kEE!7# 
z>0}HFmyb5Z@;!Y;&?fs#i2{#84Xv%Z*^}{=_78_Eb4CzINDTP31UN1Fw&9@HP&Til zXO6?2-;xSaBEsY56)d985jE_w$9t6zp__z)QoNfF8GK9C3s6!;{t#(>;*I?XUazL8 zobpaCAGuLD66%ZxQeIYbO8fgZO8BQs4M~C}AaT2NG7#){Ja9}?US+X_hxJShGHkIi z8xSA`q$A+|c=slCCWL>G$O=1=RG!Z`rPc0Xs>H6s9dRP5-4pL z;x0yJtEGE7C%sNbo;v}td!WeAijc0`cr5Rueo7)!d-OOF4^oxjJtsQh3)6JxGuUP; zm5Lt1X8^bqrN}1}kKlSE*D6D#@GOl}<}Yq(%w{pVR!YtB6zF=UaHMo?fHH`M3SP{- zxSOHK(o1*M3>x&#wSOjOHR?QM`K*i$_PV1swQil(KPkl%j8s})&XSdoeok)0RuD)W zwVL|aDlA+USK!(?o@iuw3K57w8z8!6LU**&weUUn6y$MCwe=NNJbPL?t8tgESDl`?*@m(()Kwp;dG+=DYmt3$K zB2G$Kk{LI5W83>nH0t9V%xWOv6cT2Nc}bFv4jp|3eF%Np9v8MrkNwf$^;It&;E~(K zay@^QLPu}_17fc>I@Uz&TejFb%8T)sKa?rMlRhWRa&Ut?HFsyZ8ZuioE;RuJEpd^z z$8QrO$LyX4$EBaAzu=IaJ-tncbr^~m9G5!@2IEjx9KTJ7W>ro58%K|*36IpiMH%iV zJe@W>$V1N1>ys{f3fVP9Up%dGn+oP<-Okf`6?d&cCVxnF;|$r=&k{ss+}T5Jmr1b+ z;6C3gE)|-!$4ac_Kb<$13qe^5?{aOmDwC~93`Is4r23VKi~%Q6JStYobis*$^k(A@ z`=KsHc3UJy?vmh%6@b*6bM-Dg3J7*?$VxloycMewipb{t;k>?WBjTPg{Q@o>M8M z&P5W403cT#kQ=_ZQj>)JecI4=n%WKY5&=0h@&^&F;3O<#>%M*J!Y>Cl#{GUv>@^XF zuOY-hMrs0MQgWZ=n|iLJuS{Hrbl`Lzzb+-#JY~Az-a%i$J}Q&Gqo|*dg#?8NMcB7a z|E|FaTKLVNlJO-c5ho@;!tPDGNx=02>?E;wXC`vT;I78_)ycuZ;0n}u*XY@}_S6;Y zK9oR0za^D-wsm(6y9X;Z_eu`nr995FjmJQzz)F5O2v79zs^nM+7x^Jb&v=JUzP(25 z%x_f{5I2P|k{D(5hTo5fkFBg@i)az>)#gQ8!Im;>@cX}5Zu6sxsUMLv(BP~-#K}o9 z{L#yjLeij&8i}(wF}i^0A==Y%<^pIT@3{L0=JWw4lWuRc+eL{#gFwEzvD0S4K&hgX zp~CgiQ}Spr0C{AzGhos>Wl#?&9Z2IBO)M+03m1eM`n6IpUVjIbFJ&Q3lATJzl}o`Q zTI}&>xY!(86piB4Ko7D|%c7Vl@N?E@`#WfW>*I#ghGAY8Wfp`o%jgFXl+$!@czJd- zHM}>xGJ}3|_fAOQmHz2!_r@9zJ|1rq;D}o}FfKq7;g0>K13ggxz|8WE2GUUk2c`xP z0c{CiV2%v#a`YpCe&h+jlLV=blbp!pq)g%Z7WR16GnHw^j^#Kvi0}&YbE?XPc{Lio zbot7w5F$0tO*!92GIp%1RA`-0JA(sCLH28u7!ow}M{?P}N9R<00jr!luYa;ftdbAg ze#OY?Mq?f)(~jB_mn8sRTV<$7Ak@Ms-BY)r4|qt6kllDxrH!FM{AemL1p?1IVjM>7 zwxVR0FCFwMlO!k|hyWV#o2SF#V_scBt7lgh<4$5t6aiI~QmfJ+4MI2{RNW%rBo0oe zdK0(%)1ROAm2`@rIMpvC@~C90gkoU(ALl5KGaQIfmLZ8CcP^fqn>%M5`Z>vcbx0jhJ?T<;ZS^ND85#4BTq>_18_)X;+GFW#$N&yj z|HL<3l^;1?@Y2j~fvso4j}+$s$NX;8s@5nc$?Nv!}UQF3|uX 
z#joa^k0PMiR*f6PsJW%<0^Q3!Ayu=hK01(cLY+7h028c+96}$kWCT*~4mSc9tem8x z?WTvZMdO#C5)ciIL~*;)MH!L=_DOvriJWW2dCqwKm>(={44{2~y4>!}kYXamcrzl? zA8#C9%#-?5TLDVGEp`BjggGIjQT^=?+@cbH4G#$<&Yh4wyY+$Kj=EsrKG4tLKFvPQ zPG~&pbiqpQQD2w8gk0&|puT2QG^dc_hP8gvO6w@sXU(|Icv7E3y0kb>*GaYGjr5}M zaO7RBFP-`j%sDk+?{<@Mq}xXOOglh>k4>J6T*gWlvDhFcb|rTq9woz#8KfE(RgV1D zP&tXZqO??Kfi7Yc&-get5u3S}@of}vInvkHpVnOAV<>%p}c z#&UK=*W$v%TD-}@3V6k!O_CY*;bA736sl*CT z!emAgDkfqvXMJFL7p#L*ZFcBz=51i%Ok&V2)DC_8t)J`dU4QKuxV_Cgz#<^c!_|1I z7oZm8&QVXfq5#Tdu#roD3zQw(N;e>p=;is~@BFc{KOp;x-{ z0R=c}>!9UE*pL(m@-=9fkK^;Nz@5p7Ta`MhU1m0#bV9PJ;Pu0nsAyqPHg}mbKMx8O z4QdYW?ZM4Kv7*0#fM#oxB`W<0cQv|(WE;(YN``TnDI$KA?N52@?(Dgpi&rvgP{*kS zdaJDh?11*vstJaNs)^5PoASXJo#m5~_6`~sL~~I0dm6a9N1A%x)h%mBvLPH1ETQV? zuLtC|<)JaPT!-f-RDW;lz5%Z|`rOMj}$ zsFN}#MlqpLVSPkreC)6`0D*ogdo;V2NGCGW%4bUM-{r2?*7gbf{HUhDd}gsBTw~j1 z@|473`TWzhdyJr<7GFbQ*FMLCoTM^mu^!bc zUqK?Ji&C}0(s&{y`|gfk=H?0YN2g0)JI!5}n!OT^+;`Fu$UVd!#3na|zaM4pCz#Sv z)QvFk+=SR#NUkf0^LDDB+p&(h#Rq~6T$W-2lis5=RFTxO3Xqv&2ozDa2fZEhtDsUmPpi+Fi`ntGMRF zzg8tvu@WDjl#}98VIE+7?<6Qi#xJS0?BdL&Q{M6CIVD#25M@hz{SNUd%^)}2t~Q>Y z-&HPCW5OLTqJyjOlgp9{th`b@I;Mfz$sDAxao5P}<}|cnWjHRT8MA$_!l+=0(I!eH zMaR&~eYdY7&B{SbB|iVEaVg=%jaS6=Q1vCH4UfHMJGf&h%~9>M-v(Xbg6#h|rJ^_M;8 zTc#x3GRC8^r6dNm9PWY?%SJR_sT>bv(iv&jyxsk-O5;WwPq)eD%r2TUq-hV=H1VUk z=c<>gF23RqD!1w8KGy68F-%M(e%LfTlhiV!3jEysu9<}ae95DnIC3I1;u*jXc<@zqFeUC z+a>RqEic(tIw_b;62UjOdjHfS;reKhDP1VFAC%}gT=uE0hiRtXXTc=nMlGVxm_4$1 zzmYj{b=+uCKu4^kl9Qk&k#*^RhgzC-U|vmomc1&cV}Dw!l`_$(f43 zj;zJ+%KS4^>PwnS8iK3}Vi81bKge%C7lxeGkhL>nUTvWm~wRaN{9m^8*KQs3LG;+P65hsONj_sURqa}SkH<7WLr9Tp*fFytQ7mAm13>1~?b%7&*?8xWy&#d%j+<>!(IK?9{!pGSxxaH=`zFlFz>57_sa;2j9EWm&yf1xy(CRMQ@;3avFE#> z&Hl6mPQXzzwL5qj+F~c(VGiuU)J7>&lBzAtdba2Co{9*bQ|>!{$V17frpnBD%*fY7 z!B0`5M#hgXQ+8;`?P%ZQ5LE~E9$+^7ZCljm1~{gf;I9iN>wK;t>g9YxL2m+R*NRZ{ z#GeES`WC@Em`UjsqOMhMYd9kDf4iT#n;<*1$$mp_h(p?qxhzB17Nw+nIr_VLf}80I zbDFoZCEybz%1`*8>8M>5u$$+cpZ-!tM}LYUN|FzXn0%NVo5GEHiOPe4O+Q&e)1#G4t< zDXJews#4_f_Z@3pAsIbTKDx3U|Qf!qbm@mgJ;zPdnu$& 
z)-q7`sh{$&`P1n7Dnpo4WkVH7*HfHChGd+aGoHB`!<0re(nx@aom-|HF3!?TvjE-F z>afTcx^#-fr zu40!ekhR?zTMPx>9lN_x8Hh9~4i_H+7hs4jb|TP$kL28e*AN0H1jzXp+5g7>=8D6S zBRMlZ2>^_L{HLnbhsEI*_h_7{Y`G}8JzXwe>H_Ga~ zn0KJF+*o%9#$c>FFQ@jW;A+uN*DNxxdT&{LWz9@CJ4}+~ii+ySuTB?jY3*h)c-ZRD zgM6P@9|P>}Q)>@b8dZG;#_$su!(Rx+x%_JkOI0xYG_-zxB=k9SO~Iy=of_?aT_H5+&9(e{=5RaaZ{jrIq*o<$*Yi(WSx=L+h zYlVQ%AsUVTK~hf@UQRJ7M|(i0TSw~xDfFL?O3IpnkxJmaBq@}@;pjK7wa3B_E*osU zPAuBe?>{Khgb0*~7(7F16<<>fx<4vZgXi?cR@(L4%;OeNngSE&H7Ai~sC16aV*Kl< z6bdO$d?HX->q+g*_2}e5E?S>TQqRctnbfo{$Gqi}n6Aah+LnTf=QIRWT)@L}DTSA< zaw%hc+RiS!?h`0DpiR`qUePd-p6fiYej(;d zm56Y@9{Nj_*6C%};nXIWb@;Fww*04t80PC*?X#+K8`TRFda3G#t&>%CQb8A{g(I)J z<`M5nZt6*r3d!LatOY4$Ivk;7XQ znGQm$`Mo0l!7Q;I>wa-5@*iQA0(EeSy$kw6vbvLDWg6z|-YoksJ_!E5j2-nGm*zp? z|CCu_La)d=Sf3Jh5C8i^1gxd0ZJ`_1K`ivL;a`9f1+xPz8t%ZL-}Znn5Uu5I*itVy zX;C*!uOAB*Mu7>PNQlCEfv{4tK8PA#IH9B}8TU>bqQe~3k0(DKvW59oaYfx z%XxmZxB%%U#SzHqF73jQ^hc~Y=_Y-Qmri1-P%C2u(%GW0y)-p>5Io&IZ_EM!sEVCf zCn@k*T=I5;gGmuCkAdEFz}E!ad37#wym=MBX_qt`S&DUdjM}Vz#E7f!@!s889}WVZ zgnPv*d1je6@$>G@Xx~H%!->w@WttqY1>Lis)YATWZBR01@-@L)n_Y*U8*J@yXx!pt zz%L`t?3703^!Ch)kFtHAw>lX1+PGMMfYzVA$%}pI$jq$FJK)c@=$Uu4T2j6@`>@h` zel7$tn3?*6%~{LYDX3(YFHR(Xmub6p>h|~`bF1$Hmy9Ms#!?X&i$O-VOQ@tV-6kAt zm&Z(w+ic~w87bRYfi^-(@aTCI?Rh&??-siC(RiL$%p-H5z7v;s`$@7Qxv)rbM)PGsbW_DY5?= zdyn_FT}kA$L3A#5Qt+n*A`gQzUqUVbKla8)r39`d*7^-l=hVa&3`W(hD7@wgepxnq zrywGASd1vG{}tKMiKNg)yUfqZHlH{Io#S}Z7pwE&A2d;@k^4>b+#e73+ynjC{}%tH z$n#AHhM&_IVspra;KPr9kq!K3(0_3HTl^1y`;PxpRq97qJ@<~;Dc!K>L~I>raPo7M zi-Lb$s=FzyQ!gAwc7A$_arOY|?QjT#wZ;COKX65`Hjxb3vsH4VF%)Y=24oq1JdJz5 zpq?M}YDbo#28TCbVWD$OYaiqBj-z^S2^XllI3tconP##WRol+{t->OO5JfF%VrV2ur2pR6sso!-vD6cq#*gu2gb_C`j+N{AE+HzZBw$iRtyeR6=%VM^y z$5M!MT(TKri>Zt;?%eM~LBH{S3yoX}h}Z~Xztb%(Y>0*4tMo$en?<3IJ6@R|dMCig z9PA&k^>H7FpR3*9PBiJ9P+N*e{w}m9jTLnPpyo5zFIy1UDd>48ljy&*HTQD0nSPJC zzuo7TZUB0__emgj_FXldsXgUaSB-l1U}mSQ&5Y1PyL5w@i1veL$PNZG$TI&|N_Dc zVQyr3R8em|NM&qo0PI?AQzJL>-`DyS{WmZ6p_m670~`M|2S}jdK{L~sI4Dukw8A~uId6hAt 
zgEMNP{hTTj&S}A)J(l7)j(7Tf_Z`Ra@^`$myYsBu-|g@Ac6#0I{8RYst?mn~(w z*XFWp8^5$Lq^J|cO5@u0;A`XsB-Z3%D%DE;Sz_6zjN>4RsMct7 zWZQJKN|mq_8L>-zch3qRScRFFH~?CfoF(oNk=fEJ9{>DT`u~jb3iW3R01x?pe`|Ny z|9d;#wf{c_c@sRN#+!h*fI!ot6Gl!^3FPmlzQYBc0Qwgf7qhAV*^Axpf?kZO!n>dzK)3graG8CBGvov4 z6Cz}aW8|0^sjLt;dpJdEDuto#4Xx`bfd;h=A7|7I;JHy1J}1OTj;aZLPSzVg@@>U& z0G8`BIM{zUt@M9`Maii_9gU8T567XoFu!$6mk@dkIHCo@^>z5)?+pKg^a=iNQOu)Yzytoj)!Sai|GV4$-L?Ne1zlbS z5WON3sxbvANQxzw^8$s@kt}U~lq&LYKu2wi@Nw4txC9%Vm5^7_^)8f6z~Xi5#WDc$1}8;st0Kq`DRA^`29i{&u#M_TY3##T36fnXv< zVW4lv>Jk%&7aVqhPD{LN3iE0L*Vi?uKclAhjKLj7Lo>L76sNS}rU{sPH^&XQzV0|& z(%_`qb2ZI(=d)dj6oxW^YH;tEPn)`pzgl7z&3-TML1X~dHWU>Z-V9q}^J6Vyv!a`S zb{L8j{Qo5k*V5ruk7r(>yEbFf>UnN~zFU^j>VT`p9F`tEKpXZsU7PW(j+Mhn5Cr7% z64(^*?AFXJ?C7AQ5&9jQxaAKs;I3|Uni z>xUN9>>clDXVi3DI{>E>je~ zcu^|Ux~VlRXoezn4^x%{7>Z4BhtC1L@4Sv*?{q#~-{SVd@8jOuOVlGq;xL-5}(WrkEBowGZr5*XlO?qdSPWIS((GHu}1~y?bKb z-q{sf{wp+kNGEVdvyWxM?p5knDuIGd_;1!CxU0qGrHd!m*J}j&*=Z&I3v=WJ%Y;<; z*f}0L|7~w=->Luf*7)y9Xal~b#-I`!j0FF@;XFqHlZx@wo&-ypoYD++NH*X&XBu=> zmQooFI!DeS<8tC%n~7`_6mn|V456eZZ?#jAk_`};xfBa8N`+H)fhn9blf(bL4B<%d zIY{9~T9u$g1)K>CNq8{+I5tut*?@gn6jH#u{V}9WX%c44MDEk8Pr}L1DsrDqL!L$U zqxq|6B3cNV(B!l#T~$|;SD`*H$*XWePsyv$6!y1NEF-V}K{ntWRZLbIh6jh5gr$-{ zVPZ(gQlyb*SMnzk&U7MEjQ$AWYNh{wGu%HMjSoM^91r+^x7*uV^8f94x4-uPr=WdV z&K1jY1HHJn^{;>Wn~!~|O6jpM8Gn25_uw0rpwJi$Efi)`W{(qlB~5Y+dSOgR-Je1w zQdD4ath=G^*@Wg?(hFmFVHrAgSLfyblew&*pmPw?K&26kjWgCG0WT6P4KM+TEK1I( zNYIB2vydK=A8P?}V$V!KA(7=Ah^vc+i1e>x1I2Bn%GlWdePzjd+P!-H0 zHW$S?D_C=~zO$TlneY!qE93v$!@YyQ9fn2v_&FY`|Hbk0{onT1_WJ(sNoZr$UAMmy zcU2`qHa6fdXnfOKETv{fsyPhBRFadE6JpN_ps3cw3YDuZz1*fdg=}W9aD3!E^05 zq`owP(nihqIV$|{qFMZ+p5hBXi)|1x#h^Yq2Wc}!G>gM-FIrS#-FAh!DfpjrmgU^0 z>Mw2E#)9W%2*atn!%3yfpyyN=yC*i2j@}&Dq-1*&UTK4B)BbtRIfy!ECAll|*&u$a zhQ@?zd+%Qb`0%3jO2A8>oQ?DV-;L8gE!&Ot@x*WYu-=}QJ>8g0vvrG-Rvm-<177)7 z1-zefn&}VTTsAh~`!Z8B#bxnk#vXB>;9KC-96DKcN-0Hmy z;n=&1)i`PNvPi}|OZ^N}G?Y14l7+hq7!bRfL<%iA`jzWkp8IN$j;NMQ1NXd~3QeQ6(;Luh7S0Shx 
z@YHuvPHgKv%+3!v{xbM-hh+zRFx>=y)8G(?RoF|lDb=M$2Ys3e-3?jTSqHi`t!Yhb Ts_EYW00960Dp?lH05Sjoe0lbb literal 0 HcmV?d00001 
diff --git a/assets/intel/intel-device-plugins-sgx-0.32.0.tgz b/assets/intel/intel-device-plugins-sgx-0.32.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..b2cd699d571429bd70d23bb51625945c0d9a08f5 GIT binary patch literal 2174 zcmV-^2!Zz>iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI=)ZW}ie&)Ody@9|)4jbXkUn_i z&!E~^s-L6}9&3GZUkOnmq@|WgVKM@cQ%kulyte%>oG<%)P_ls!P9^Iy&w1g8l_J^DXftrHP{TZ z$#@A>>|LvIHXu}~<=-^k9mFXq(Bzsa>)Q_Dd*l`5&g5Yt^~U+L+=)*Z$1F*xF=$QV z+Dx)(DzOqJaZ7yni51?n3cFC40ac2#+#eB{t*zqW=fBbaXO!1y{uBVX&;NG^{dNBz z?7!Oj|6@=vK~v6y2?Ps>46PJLLRdvhbht3B$Bm&9087gZdObo=Vpx;l4 z(sIU}iFVq!EZ^V^c?Nrg2wC6=Ip$Vsr`YR^CrE9rF?QV8d5ack(KwGc0-o(S^vWtY+!I!Kj>vFxy1g3N0D6lv~BWs;wN1sF1 zJAXixXVCj+uIkueUTbC-ZZa{dywz1vn@^iXcl1QiOeq7`J6AO;mdvKt$y{kPrcLzk zX!PCt46dch;AGB>HMi^BH%A-zYs0pa{_K(c;shOYce(H*49&T&@slH5x?Oe~B_^!= z>>=KNv;X1a1zukRio)63mxkXjP8;KYJVjoyQb_&alGo^9D=2*ZLvs3uX^BCR=z5pqFPd6n{sDU$qF^P{yA4XPc zBs*{63W;hfe%w+b}H?_tE|}Gm+dW8q@r;R{mCR$cxxq zDe@v7(@XLqww3!WH7m)B|BxMcM>UhRf#LCqAub^QhPfp%E088ZT+81`JTtj0F!>tL zWuyPU86KUSj!yoJG4ApIet)pL=Krty{dDX9k3mOLEi@~q76$2H_kaHlm9HbIl?<63 z8U1klK6=A)6b7TAOYGQ$q0Zn?(R_;0AWjKs_yyFWKn-?^4I3KHOK4N#L7c)fC(vtH zz2|=;3t2-&7a*jC+8|hmGtMIc=Q%11Oh7Ix#TgYj2FS2?+GFx_qd<-=WdbPVQY}DE zx>7(b@!7%DT9qZq)zwu@{VZdt%Y+9h)0%!**^h#wF`)7HnrSRxyl5+OV~)V-6-W)V z)QE*gPytt(S&w)|PV5!cND5}GX5-qfY*0HZW}qt|1yBLK!x0QeJ^1!;G#tGoKMl{n zfBWM({B(GBc6fR|JQ=~;GdOyCdOSQIzC9hm+t+Y-`ZN4%czXO2kl86}z>pQW2{N~J zSj1$6xH9-ehRL|Rm`zv?oQkrhB|<4@sD%#zs4Et-E05yb-9MVN|D)x^UjyoGsilqh ze|B)~q5ns?CWM>DyLmQgTP)WnA)C(Aj zi6j>n7sTBaK%oh1-0n4c`(nZ0Gwl9 zTZ9WQW{~Q98l=6_3l|b9Dm?HSL{K&7ScG>R1HVZByhHh~v0uSZ7)v?tE^Ik>*6{8s z1&uR=kv2Z>z%LU{OY^JOw6g<0s#4Pe*VWfe^MllT{i2=e`Uqm<5|*8h{N1^3<2oYz za#R~DEB1$jc?aTND}0L+cMWJZjEVBsXYFaa!D2H_3Yq&yFD;YWFj0PRjASRj(-+w( zhI5X_USGtP`ku#d9*)e-IB)0WB5F7^6GD7}mNI{&vhp>_jJVb0QW(iGtlUiH6@=HS zdv^2AxLl?{xsjl2(OTD?nhO_$eFoyE|I|Q%3Pph;XJ~xLq(#AkakUeU3As^J(+Vx> zo1h79$W7GJ-LELRAvbWbEHz$$`xh*_!?CpVoTjl`EA;LCe%i2BD}!sywixJ}_b%XO 
z#s4?r|L--Lu&@U|0p9!mx1X-p|I@+t{{JYnJm!oBNe16mS%9`3wpjf3ylUiW+r#pRV{~hM^$^a+;04o4A AIsgCw literal 0 HcmV?d00001
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/CONTRIBUTING.md b/charts/cockroach-labs/cockroachdb/15.0.6/CONTRIBUTING.md
new file mode 100644
index 000000000..e248d72e1
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/CONTRIBUTING.md
@@ -0,0 +1,14 @@
+# Contributing
+
+Contributions are welcome!
+
+For every change, please increment the `version` contained in
+[Chart.yaml](https://github.com/cockroachdb/helm-charts/blob/master/cockroachdb/Chart.yaml).
+The `version` roughly follows the [SEMVER](https://semver.org/) versioning
+pattern. For changes which do not affect backwards compatibility, the PATCH or
+MINOR version must be incremented, e.g. `4.1.3` -> `4.1.4`. For changes which
+affect the backwards compatibility of the chart, the major version must be
+incremented, e.g. `4.1.3` -> `5.0.0`. Examples of changes which affect backwards
+compatibility include any major version releases of CockroachDB, as well as any
+breaking changes to the CockroachDB chart templates.
+
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/Chart.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/Chart.yaml
new file mode 100644
index 000000000..28d71424d
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/Chart.yaml
@@ -0,0 +1,18 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: CockroachDB
+ catalog.cattle.io/kube-version: '>=1.8-0'
+ catalog.cattle.io/release-name: cockroachdb
+apiVersion: v1
+appVersion: 24.3.4
+description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
+home: https://www.cockroachlabs.com
+icon: file://assets/icons/cockroachdb.png
+kubeVersion: '>=1.8-0'
+maintainers:
+- email: helm-charts@cockroachlabs.com
+ name: cockroachlabs
+name: cockroachdb
+sources:
+- https://github.com/cockroachdb/cockroach
+version: 15.0.6
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/README.md b/charts/cockroach-labs/cockroachdb/15.0.6/README.md
new file mode 100644
index 000000000..f65e16f58
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/README.md
@@ -0,0 +1,580 @@
+
+# CockroachDB Helm Chart
+
+[CockroachDB](https://github.com/cockroachdb/cockroach) - the open source, cloud-native distributed SQL database.
+
+## Documentation
+
+Below is a brief overview of operating the CockroachDB Helm Chart and some specific implementation details. For additional information on deploying CockroachDB, please see:
+>
+
+Note that the documentation requires Helm 3.0 or higher.
+
+## Prerequisites Details
+
+* Kubernetes 1.8
+* PV support on the underlying infrastructure (only if using `storage.persistentVolume`). [Docker for windows hostpath provisioner is not supported](https://github.com/cockroachdb/docs/issues/3184).
+* If you want to secure your cluster to use TLS certificates for all network communication, [Helm must be installed with RBAC privileges](https://helm.sh/docs/topics/rbac/) or else you will get an "attempt to grant extra privileges" error.
+
+## StatefulSet Details
+
+*
+
+## StatefulSet Caveats
+
+*
+
+## Chart Details
+
+This chart will do the following:
+
+* Set up a dynamically scalable CockroachDB cluster using a Kubernetes StatefulSet.
+
+## Add the CockroachDB Repository
+
+```shell
+$ helm repo add cockroachdb https://charts.cockroachdb.com/
+```
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```shell
+$ helm install my-release cockroachdb/cockroachdb
+```
+
+Note that for a production cluster, you will likely want to override the following parameters in [`values.yaml`](values.yaml) with your own values.
+
+- `statefulset.resources.requests.memory` and `statefulset.resources.limits.memory` allocate memory resources to CockroachDB pods in your cluster.
+- `conf.cache` and `conf.max-sql-memory` are memory limits that we recommend setting to 1/4 of the above resource allocation. When running CockroachDB, you must set these limits explicitly to avoid running out of memory.
+- `storage.persistentVolume.size` defaults to `100Gi` of disk space per pod, which you may increase or decrease for your use case.
+- `storage.persistentVolume.storageClass` uses the default storage class for your environment. We strongly recommend that you specify a storage class which uses an SSD.
+- `tls.enabled` must be set to `yes`/`true` to deploy in secure mode.
+
+For more information on overriding the `values.yaml` parameters, please see:
+>
+
+Confirm that all pods are `Running` successfully and init has been completed:
+
+```shell
+$ kubectl get pods
+
+NAME READY STATUS RESTARTS AGE
+my-release-cockroachdb-0 1/1 Running 0 1m
+my-release-cockroachdb-1 1/1 Running 0 1m
+my-release-cockroachdb-2 1/1 Running 0 1m
+my-release-cockroachdb-init-k6jcr 0/1 Completed 0 1m
+```
+
+Confirm that persistent volumes are created and claimed for each pod:
+
+```shell
+$ kubectl get pv
+
+NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
+pvc-64878ebf-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-0 standard 51s
+pvc-64945b4f-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-1 standard 51s
+pvc-649d920d-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-2 standard 51s
+```
+
+### Running in secure mode
+
+In order to set up a secure cockroachdb cluster set `tls.enabled` to `yes`/`true`
+
+There are 3 ways to configure a secure cluster, with this chart. This all relates to how the certificates are issued:
+
+* Self-signer (default)
+* Cert-manager
+* Manual
+
+#### Self-signer
+
+This is the default behaviour, and requires no configuration beyond setting certificate durations if user wants to set custom duration.
+
+If you are running in this mode, self-signed certificates are created by self-signed utility for the nodes and root client and are stored in a secret.
+You can look for the certificates created:
+```shell
+$ kubectl get secrets
+
+crdb-cockroachdb-ca-secret Opaque 2 23s
+crdb-cockroachdb-client-secret kubernetes.io/tls 3 22s
+crdb-cockroachdb-node-secret kubernetes.io/tls 3 23s
+```
+
+
+#### Manual
+
+If you wish to supply the certificates to the nodes yourself set `tls.certs.provided` to `yes`/`true`. You may want to use this if you want to use a different certificate authority from the one being used by Kubernetes or if your Kubernetes cluster doesn't fully support certificate-signing requests. To use this, first set up your certificates and load them into your Kubernetes cluster as Secrets using the commands below:
+
+```shell
+$ mkdir certs
+$ mkdir my-safe-directory
+$ cockroach cert create-ca --certs-dir=certs --ca-key=my-safe-directory/ca.key
+$ cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key
+$ kubectl create secret generic cockroachdb-root --from-file=certs
+secret/cockroachdb-root created
+$ cockroach cert create-node --certs-dir=certs --ca-key=my-safe-directory/ca.key localhost 127.0.0.1 my-release-cockroachdb-public my-release-cockroachdb-public.my-namespace my-release-cockroachdb-public.my-namespace.svc.cluster.local *.my-release-cockroachdb *.my-release-cockroachdb.my-namespace *.my-release-cockroachdb.my-namespace.svc.cluster.local
+$ kubectl create secret generic cockroachdb-node --from-file=certs
+secret/cockroachdb-node created
+```
+
+> Note: The subject alternative names are based on a release called `my-release` in the `my-namespace` namespace.
Make sure they match the services created with the release during `helm install`
+
+If your certificates are stored in tls secrets such as secrets generated by cert-manager, the secret will contain files named:
+
+* `ca.crt`
+* `tls.crt`
+* `tls.key`
+
+Cockroachdb, however, expects the files to be named like this:
+
+* `ca.crt`
+* `node.crt`
+* `node.key`
+* `client.root.crt`
+* `client.root.key`
+
+By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correct filenames, when they are mounted to the cockroachdb pods.
+
+#### Cert-manager
+
+If you wish to supply certificates with [cert-manager][3], set
+
+* `tls.certs.certManager` to `yes`/`true`
+* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
+
+Example issuer:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cockroachdb-ca
+ namespace: cockroachdb
+data:
+ tls.crt: [BASE64 Encoded ca.crt]
+ tls.key: [BASE64 Encoded ca.key]
+type: kubernetes.io/tls
+---
+apiVersion: cert-manager.io/v1alpha3
+kind: Issuer
+metadata:
+ name: cockroachdb-cert-issuer
+ namespace: cockroachdb
+spec:
+ ca:
+ secretName: cockroachdb-ca
+```
+
+## Upgrading the cluster
+
+### Chart version 3.0.0 and after
+
+Launch a temporary interactive pod and start the built-in SQL client:
+
+```shell
+$ kubectl run cockroachdb --rm -it \
+--image=cockroachdb/cockroach \
+--restart=Never \
+-- sql --insecure --host=my-release-cockroachdb-public
+```
+
+> If you are running in secure mode, you will have to provide a client certificate to the cluster in order to authenticate, so the above command will not work.
See [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/client-secure.yaml) for an example of how to set up an interactive SQL shell against a secure cluster or [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/example-app-secure.yaml) for an example application connecting to a secure cluster.
+
+Set `cluster.preserve_downgrade_option`, where `$current_version` is the CockroachDB version currently running (e.g., `19.2`):
+
+```sql
+> SET CLUSTER SETTING cluster.preserve_downgrade_option = '$current_version';
+```
+
+Exit the shell and delete the temporary pod:
+
+```sql
+> \q
+```
+
+Kick off the upgrade process by changing the new Docker image, where `$new_version` is the CockroachDB version to which you are upgrading:
+
+```shell
+$ helm upgrade my-release cockroachdb/cockroachdb \
+--set image.tag=$new_version \
+--reuse-values
+```
+
+Kubernetes will carry out a safe [rolling upgrade](https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets) of your CockroachDB nodes one-by-one.
+
+However, the upgrade will fail if it involves adding new Persistent Volume Claim (PVC) to the existing pods (e.g. enabling WAL Failover, pushing logs to a separate volume, etc.).
+In such cases, kindly run the `scripts/upgrade_with_new_pvc.sh` script to upgrade the cluster.
+
+`./scripts/upgrade_with_new_pvc.sh -h` can be used for generating help on how to run the script.
+
+Monitor the cluster's pods until all have been successfully restarted:
+
+```shell
+$ kubectl get pods
+
+NAME READY STATUS RESTARTS AGE
+my-release-cockroachdb-0 1/1 Running 0 2m
+my-release-cockroachdb-1 1/1 Running 0 3m
+my-release-cockroachdb-2 1/1 Running 0 3m
+my-release-cockroachdb-3 0/1 ContainerCreating 0 25s
+my-release-cockroachdb-init-nwjkh 0/1 ContainerCreating 0 6s
+```
+
+```shell
+$ kubectl get pods \
+-o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\n"}'
+
+my-release-cockroachdb-0 cockroachdb/cockroach:v24.3.4
+my-release-cockroachdb-1 cockroachdb/cockroach:v24.3.4
+my-release-cockroachdb-2 cockroachdb/cockroach:v24.3.4
+my-release-cockroachdb-3 cockroachdb/cockroach:v24.3.4
+```
+
+Resume normal operations. Once you are comfortable that the stability and performance of the cluster is what you'd expect post-upgrade, finalize the upgrade:
+
+```shell
+$ kubectl run cockroachdb --rm -it \
+--image=cockroachdb/cockroach \
+--restart=Never \
+-- sql --insecure --host=my-release-cockroachdb-public
+```
+
+```sql
+> RESET CLUSTER SETTING cluster.preserve_downgrade_option;
+> \q
+```
+
+### Chart versions prior to 3.0.0
+
+Due to a change in the label format in version 3.0.0 of this chart, upgrading requires that you delete the StatefulSet. Luckily there is a way to do it without actually deleting all the resources managed by the StatefulSet.
Use the workaround below to upgrade from charts versions previous to 3.0.0:
+
+Get the new labels from the specs rendered by Helm:
+
+```shell
+$ helm template -f deploy.vals.yml cockroachdb/cockroachdb -x templates/statefulset.yaml \
+| yq r - spec.template.metadata.labels
+
+app.kubernetes.io/name: cockroachdb
+app.kubernetes.io/instance: my-release
+app.kubernetes.io/component: cockroachdb
+```
+
+Place the new labels on all pods of the StatefulSet (change `my-release-cockroachdb-0` to the name of each pod):
+
+```shell
+$ kubectl label pods my-release-cockroachdb-0 \
+app.kubernetes.io/name=cockroachdb \
+app.kubernetes.io/instance=my-release \
+app.kubernetes.io/component=cockroachdb
+```
+
+Delete the StatefulSet without deleting pods:
+
+```shell
+$ kubectl delete statefulset my-release-cockroachdb --cascade=false
+```
+
+Verify that no pod is deleted and then upgrade as normal. A new StatefulSet will be created, taking over the management of the existing pods and upgrading them if needed.
+
+### See also
+
+For more information about upgrading a cluster to the latest major release of CockroachDB, see [Upgrade to CockroachDB](https://www.cockroachlabs.com/docs/stable/upgrade-cockroach-version.html).
+
+Note that there are sometimes backward-incompatible changes to SQL features between major CockroachDB releases. For details, see the [Upgrade Policy](https://www.cockroachlabs.com/docs/cockroachcloud/upgrade-policy).
+
+## Configuration
+
+The following table lists the configurable parameters of the CockroachDB chart and their default values.
+For details see the [`values.yaml`](values.yaml) file.
+
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
+| `clusterDomain` | Cluster's default DNS domain | `cluster.local` |
+| `conf.attrs` | CockroachDB node attributes | `[]` |
+| `conf.cache` | Size of CockroachDB's in-memory cache | `25%` |
+| `conf.cluster-name` | Name of CockroachDB cluster | `""` |
+| `conf.disable-cluster-name-verification` | Disable CockroachDB cluster name verification | `no` |
+| `conf.join` | List of already-existing CockroachDB instances | `[]` |
+| `conf.log` | Logging configuration | `{}` |
+| `conf.max-disk-temp-storage` | Max storage capacity for temp data | `0` |
+| `conf.max-offset` | Max allowed clock offset for CockroachDB cluster | `500ms` |
+| `conf.max-sql-memory` | Max memory to use processing SQL querie | `25%` |
+| `conf.locality` | Locality attribute for this deployment | `""` |
+| `conf.single-node` | Disable CockroachDB clustering (standalone mode) | `no` |
+| `conf.sql-audit-dir` | Directory for SQL audit log | `""` |
+| `conf.port` | WARNING this parameter is deprecated and will be removed in future version. Use `service.ports.grpc.internal.port` instead | `""` |
+| `conf.http-port` | WARNING this parameter is deprecated and will be removed in future version.
Use `service.ports.http.port` instead | `""` | +| `conf.path` | CockroachDB data directory mount path | `cockroach-data` | +| `conf.store.enabled` | Enable store configuration for CockroachDB | `false` | +| `conf.store.count` | Number of data stores per node | `1` | +| `conf.store.type` | CockroachDB storage type | `""` | +| `conf.store.size` | CockroachDB storage size | `""` | +| `conf.store.attrs` | CockroachDB storage attributes | `""` | +| `conf.wal-failover` | CockroachDB WAL Failover configuration | `{}` | +| `image.repository` | Container image name | `cockroachdb/cockroach` | +| `image.tag` | Container image tag | `v24.3.4` | +| `image.pullPolicy` | Container pull policy | `IfNotPresent` | +| `image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` | +| `statefulset.replicas` | StatefulSet replicas number | `3` | +| `statefulset.updateStrategy` | Update strategy for StatefulSet Pods | `{"type": "RollingUpdate"}` | +| `statefulset.podManagementPolicy` | `OrderedReady`/`Parallel` Pods creation/deletion order | `Parallel` | +| `statefulset.budget.maxUnavailable` | k8s PodDisruptionBudget parameter | `1` | +| `statefulset.args` | Extra command-line arguments | `[]` | +| `statefulset.env` | Extra env vars | `[]` | +| `statefulset.secretMounts` | Additional Secrets to mount at cluster members | `[]` | +| `statefulset.labels` | Additional labels of StatefulSet and its Pods | `{"app.kubernetes.io/component": "cockroachdb"}` | +| `statefulset.annotations` | Additional annotations of StatefulSet Pods | `{}` | +| `statefulset.nodeAffinity` | [Node affinity rules][2] of StatefulSet Pods | `{}` | +| `statefulset.podAffinity` | [Inter-Pod affinity rules][1] of StatefulSet Pods | `{}` | +| `statefulset.podAntiAffinity` | [Anti-affinity rules][1] of StatefulSet Pods | auto | +| `statefulset.podAntiAffinity.topologyKey` | The topologyKey for auto [anti-affinity rules][1] | `kubernetes.io/hostname` | +| `statefulset.podAntiAffinity.type` | 
Type of auto [anti-affinity rules][1] | `soft` | +| `statefulset.podAntiAffinity.weight` | Weight for `soft` auto [anti-affinity rules][1] | `100` | +| `statefulset.nodeSelector` | Node labels for StatefulSet Pods assignment | `{}` | +| `statefulset.priorityClassName` | [PriorityClassName][4] for StatefulSet Pods | `""` | +| `statefulset.tolerations` | Node taints to tolerate by StatefulSet Pods | `[]` | +| `statefulset.topologySpreadConstraints` | [Topology Spread Constraints rules][5] of StatefulSet Pods | auto | +| `statefulset.topologySpreadConstraints.maxSkew` | Degree to which Pods may be unevenly distributed | `1` | +| `statefulset.topologySpreadConstraints.topologyKey` | The key of node labels | `topology.kubernetes.io/zone` | +| `statefulset.topologySpreadConstraints.whenUnsatisfiable` | `ScheduleAnyway`/`DoNotSchedule` for unsatisfiable constraints | `ScheduleAnyway` | +| `statefulset.resources` | Resource requests and limits for StatefulSet Pods | `{}` | +| `statefulset.customLivenessProbe` | Custom Liveness probe | `{}` | +| `statefulset.customReadinessProbe` | Custom Rediness probe | `{}` | +| `statefulset.customStartupProbe` | Custom Startup probe | `{}` | +| `statefulset.terminationGracePeriodSeconds` | Termination grace period for CRDB statefulset pods | `300` | +| `service.ports.grpc.external.port` | CockroachDB primary serving port in Services | `26257` | +| `service.ports.grpc.external.name` | CockroachDB primary serving port name in Services | `grpc` | +| `service.ports.grpc.internal.port` | CockroachDB inter-communication port in Pods and Services | `26257` | +| `service.ports.grpc.internal.name` | CockroachDB inter-communication port name in Services | `grpc-internal` | +| `service.ports.http.port` | CockroachDB HTTP port in Pods and Services | `8080` | +| `service.ports.http.name` | CockroachDB HTTP port name in Services | `http` | +| `service.public.type` | Public Service type | `ClusterIP` | +| `service.public.labels` | Additional labels of 
public Service | `{"app.kubernetes.io/component": "cockroachdb"}` | +| `service.public.annotations` | Additional annotations of public Service | `{}` | +| `service.discovery.labels` | Additional labels of discovery Service | `{"app.kubernetes.io/component": "cockroachdb"}` | +| `service.discovery.annotations` | Additional annotations of discovery Service | `{}` | +| `ingress.enabled` | Enable ingress resource for CockroachDB | `false` | +| `ingress.labels` | Additional labels of Ingress | `{}` | +| `ingress.annotations` | Additional annotations of Ingress | `{}` | +| `ingress.paths` | Paths for the default host | `[/]` | +| `ingress.hosts` | CockroachDB Ingress hostnames | `[]` | +| `ingress.tls[0].hosts` | CockroachDB Ingress tls hostnames | `nil` | +| `ingress.tls[0].secretName` | CockroachDB Ingress tls secret name | `nil` | +| `prometheus.enabled` | Enable automatic monitoring of all instances when Prometheus is running | `true` | +| `serviceMonitor.enabled` | Create [ServiceMonitor](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor) Resource for scraping metrics using [PrometheusOperator](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md#prometheus-operator) | `false` | +| `serviceMonitor.labels` | Additional labels of ServiceMonitor | `{}` | +| `serviceMonitor.annotations` | Additional annotations of ServiceMonitor | `{}` | +| `serviceMonitor.interval` | ServiceMonitor scrape metrics interval | `10s` | +| `serviceMonitor.scrapeTimeout` | ServiceMonitor scrape timeout | `nil` | +| `serviceMonitor.tlsConfig` | Additional TLS configuration of ServiceMonitor | `{}` | +| `serviceMonitor.namespaced` | Limit ServiceMonitor to current namespace | `false` | +| `storage.hostPath` | Absolute path on host to store data | `""` | +| `storage.persistentVolume.enabled` | Whether to use PersistentVolume to store data | `yes` | +| 
`storage.persistentVolume.size` | PersistentVolume size | `100Gi` | +| `storage.persistentVolume.storageClass` | PersistentVolume class | `""` | +| `storage.persistentVolume.labels` | Additional labels of PersistentVolumeClaim | `{}` | +| `storage.persistentVolume.annotations` | Additional annotations of PersistentVolumeClaim | `{}` | +| `init.labels` | Additional labels of init Job and its Pod | `{"app.kubernetes.io/component": "init"}` | +| `init.jobAnnotations` | Additional annotations of the init Job itself | `{}` | +| `init.annotations` | Additional annotations of the Pod of init Job | `{}` | +| `init.affinity` | [Affinity rules][2] of init Job Pod | `{}` | +| `init.nodeSelector` | Node labels for init Job Pod assignment | `{}` | +| `init.tolerations` | Node taints to tolerate by init Job Pod | `[]` | +| `init.resources` | Resource requests and limits for the `cluster-init` container | `{}` | +| `init.terminationGracePeriodSeconds` | Termination grace period for CRDB init job | `300` | +| `tls.enabled` | Whether to run securely using TLS certificates | `no` | +| `tls.serviceAccount.create` | Whether to create a new RBAC service account | `yes` | +| `tls.serviceAccount.name` | Name of RBAC service account to use | `""` | +| `tls.copyCerts.image` | Image used in copy certs init container | `busybox` | +| `tls.copyCerts.resources` | Resource requests and limits for the `copy-certs` container | `{}` | +| `tls.certs.provided` | Bring your own certs scenario, i.e certificates are provided | `no` | +| `tls.certs.clientRootSecret` | If certs are provided, secret name for client root cert | `cockroachdb-root` | +| `tls.certs.nodeSecret` | If certs are provided, secret name for node cert | `cockroachdb-node` | +| `tls.certs.tlsSecret` | Own certs are stored in TLS secret | `no` | +| `tls.certs.selfSigner.enabled` | Whether cockroachdb should generate its own self-signed certs | `true` | +| `tls.certs.selfSigner.caProvided` | Bring your own CA scenario. 
This CA will be used to generate node and client cert | `false` | +| `tls.certs.selfSigner.caSecret` | If CA is provided, secret name for CA cert | `""` | +| `tls.certs.selfSigner.minimumCertDuration` | Minimum cert duration for all the certs, all certs duration will be validated against this duration | `624h` | +| `tls.certs.selfSigner.caCertDuration` | Duration of CA cert in hour | `43824h` | +| `tls.certs.selfSigner.caCertExpiryWindow` | Expiry window of CA cert means a window before actual expiry in which CA cert should be rotated | `648h` | +| `tls.certs.selfSigner.clientCertDuration` | Duration of client cert in hour | `672h | +| `tls.certs.selfSigner.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` | +| `tls.certs.selfSigner.nodeCertDuration` | Duration of node cert in hour | `8760h` | +| `tls.certs.selfSigner.nodeCertExpiryWindow` | Expiry window of node cert means a window before actual expiry in which node certs should be rotated | `168h` | +| `tls.certs.selfSigner.rotateCerts` | Whether to rotate the certs generate by cockroachdb | `true` | +| `tls.certs.selfSigner.readinessWait` | Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true | `30s` | +| `tls.certs.selfSigner.podUpdateTimeout` | Wait time for each cockroachdb replica to get to running state. 
Only considered when rotateCerts is set to true | `2m` | +| `tls.certs.certManager` | Provision certificates with cert-manager | `false` | +| `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` | +| `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` | +| `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` | +| `tls.certs.certManagerIssuer.caCertDuration` | Duration of CA cert in hour | `43824h` | +| `tls.certs.certManagerIssuer.caCertExpiryWindow` | Expiry window of CA cert means a window before actual expiry in which CA cert should be rotated | `648h` | +| `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` | +| `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` | +| `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` | +| `tls.certs.certManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. 
| `168h` | +| `tls.selfSigner.image.repository` | Image to use for self signing TLS certificates | `cockroachlabs-helm-charts/cockroach-self-signer-cert`| +| `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` | +| `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` | +| `tls.selfSigner.image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` | +| `networkPolicy.enabled` | Enable NetworkPolicy for CockroachDB's Pods | `no` | +| `networkPolicy.ingress.grpc` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` | +| `networkPolicy.ingress.http` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` | + + +Override the default parameters using the `--set key=value[,key=value]` argument to `helm install`. + +Alternatively, a YAML file that specifies custom values for the parameters can be provided while installing the chart. For example: + +```shell +$ helm install my-release -f my-values.yaml cockroachdb/cockroachdb +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Deep dive + +### Connecting to the CockroachDB cluster + +Once you've created the cluster, you can start talking to it by connecting to its `-public` Service. CockroachDB is PostgreSQL wire protocol compatible, so there's a [wide variety of supported clients](https://www.cockroachlabs.com/docs/install-client-drivers.html). 
As an example, we'll open up a SQL shell using CockroachDB's built-in shell and play around with it a bit, like this (likely needing to replace `my-release-cockroachdb-public` with the name of the `-public` Service that was created with your installed chart): + +```shell +$ kubectl run cockroach-client --rm -it \ +--image=cockroachdb/cockroach \ +--restart=Never \ +-- sql --insecure --host my-release-cockroachdb-public +``` +``` +Waiting for pod default/cockroach-client to be running, status is Pending, +pod ready: false +If you don't see a command prompt, try pressing enter. +root@my-release-cockroachdb-public:26257> SHOW DATABASES; ++--------------------+ +| Database | ++--------------------+ +| information_schema | +| pg_catalog | +| system | ++--------------------+ +(3 rows) +root@my-release-cockroachdb-public:26257> CREATE DATABASE bank; +CREATE DATABASE +root@my-release-cockroachdb-public:26257> CREATE TABLE bank.accounts (id INT +PRIMARY KEY, balance DECIMAL); +CREATE TABLE +root@my-release-cockroachdb-public:26257> INSERT INTO bank.accounts VALUES +(1234, 10000.50); +INSERT 1 +root@my-release-cockroachdb-public:26257> SELECT * FROM bank.accounts; ++------+---------+ +| id | balance | ++------+---------+ +| 1234 | 10000.5 | ++------+---------+ +(1 row) +root@my-release-cockroachdb-public:26257> \q +Waiting for pod default/cockroach-client to terminate, status is Running +pod "cockroach-client" deleted +``` + +> If you are running in secure mode, you will have to provide a client certificate to the cluster in order to authenticate, so the above command will not work. See [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/client-secure.yaml) for an example of how to set up an interactive SQL shell against a secure cluster or [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/example-app-secure.yaml) for an example application connecting to a secure cluster. 
+ +### Cluster health + +Because our pod spec includes regular health checks of the CockroachDB processes, simply running `kubectl get pods` and looking at the `STATUS` column is sufficient to determine the health of each instance in the cluster. + +If you want more detailed information about the cluster, the best place to look is the Admin UI. + +### Accessing the Admin UI + +If you want to see information about how the cluster is doing, you can try pulling up the CockroachDB Admin UI by port-forwarding from your local machine to one of the pods (replacing `my-release-cockroachdb-0` with the name of one of your pods: + +```shell +$ kubectl port-forward my-release-cockroachdb-0 8080 +``` + +You should then be able to access the Admin UI by visiting in your web browser. + +### Failover + +If any CockroachDB member fails, it is restarted or recreated automatically by the Kubernetes infrastructure, and will re-join the cluster automatically when it comes back up. You can test this scenario by killing any of the CockroachDB pods: + +```shell +$ kubectl delete pod my-release-cockroachdb-1 +``` + +```shell +$ kubectl get pods -l "app.kubernetes.io/instance=my-release,app.kubernetes.io/component=cockroachdb" + +NAME READY STATUS RESTARTS AGE +my-release-cockroachdb-0 1/1 Running 0 5m +my-release-cockroachdb-2 1/1 Running 0 5m +``` + +After a while: + +```shell +$ kubectl get pods -l "app.kubernetes.io/instance=my-release,app.kubernetes.io/component=cockroachdb" + +NAME READY STATUS RESTARTS AGE +my-release-cockroachdb-0 1/1 Running 0 5m +my-release-cockroachdb-1 1/1 Running 0 20s +my-release-cockroachdb-2 1/1 Running 0 5m +``` + +You can check the state of re-joining from the new pod's logs: + +```shell +$ kubectl logs my-release-cockroachdb-1 + +[...] +I161028 19:32:09.754026 1 server/node.go:586 [n1] node connected via gossip and +verified as part of cluster {"35ecbc27-3f67-4e7d-9b8f-27c31aae17d6"} +[...] 
+cockroachdb-0.my-release-cockroachdb.default.svc.cluster.local:26257 +build: beta-20161027-55-gd2d3c7f @ 2016/10/28 19:27:25 (go1.7.3) +admin: http://0.0.0.0:8080 +sql: +postgresql://root@my-release-cockroachdb-1.my-release-cockroachdb.default.svc.cluster.local:26257?sslmode=disable +logs: cockroach-data/logs +store[0]: path=cockroach-data +status: restarted pre-existing node +clusterID: {35ecbc27-3f67-4e7d-9b8f-27c31aae17d6} +nodeID: 2 +[...] +``` + +### NetworkPolicy + +To enable NetworkPolicy for CockroachDB, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `yes`/`true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the `DefaultDeny` Namespace annotation. Note: this will enforce policy for _all_ pods in the Namespace: + +```shell +$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +For more precise policy, set `networkPolicy.ingress.grpc` and `networkPolicy.ingress.http` rules. This will only allow pods that match the provided rules to connect to CockroachDB. + +### Scaling + +Scaling should be managed via the `helm upgrade` command. After resizing your cluster on your cloud environment (e.g., GKE or EKS), run the following command to add a pod. This assumes you scaled from 3 to 4 nodes: + +```shell +$ helm upgrade \ +my-release \ +cockroachdb/cockroachdb \ +--set statefulset.replicas=4 \ +--reuse-values +``` + +Note, that if you are running in secure mode (`tls.enabled` is `yes`/`true`) and increase the size of your cluster, you will also have to approve the CSR (certificate-signing request) of each new node (using `kubectl get csr` and `kubectl certificate approve`). 
+
+[1]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+[2]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+[3]: https://cert-manager.io/
+[4]: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+[5]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/app-readme.md b/charts/cockroach-labs/cockroachdb/15.0.6/app-readme.md
new file mode 100644
index 000000000..8fcc1fd6f
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/app-readme.md
@@ -0,0 +1,9 @@
+# CockroachDB Chart
+
+CockroachDB is a Distributed SQL database that runs natively in Kubernetes. It gives you resilient, horizontal scale across multiple clouds with always-on availability and data partitioned by location.
+
+CockroachDB scales horizontally without reconfiguration or need for a massive architectural overhaul. Simply add a new node to the cluster and CockroachDB takes care of the underlying complexity.
+
+ - Scale by simply adding new nodes to a CockroachDB cluster
+ - Automate balancing and distribution of ranges, not shards
+ - Optimize server utilization evenly across all nodes
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/NOTES.txt b/charts/cockroach-labs/cockroachdb/15.0.6/templates/NOTES.txt
new file mode 100644
index 000000000..13b421f62
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/NOTES.txt
@@ -0,0 +1,50 @@
+CockroachDB can be accessed via port {{ .Values.service.ports.grpc.external.port }} at the
+following DNS name from within your cluster:
+
+{{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }}.svc.cluster.local
+
+Because CockroachDB supports the PostgreSQL wire protocol, you can connect to
+the cluster using any available PostgreSQL client.
+
+{{- if not .Values.tls.enabled }}
+
+For example, you can open up a SQL shell to the cluster by running:
+
+ kubectl run -it --rm cockroach-client \
+ --image=cockroachdb/cockroach \
+ --restart=Never \
+ {{- if .Values.networkPolicy.enabled }}
+ --labels="{{ template "cockroachdb.fullname" . }}-client=true" \
+ {{- end }}
+ --command -- \
+ ./cockroach sql --insecure --host={{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }}
+
+From there, you can interact with the SQL shell as you would any other SQL
+shell, confident that any data you write will be safe and available even if
+parts of your cluster fail.
+{{- else }}
+
+Note that because the cluster is running in secure mode, any client application
+that you attempt to connect will either need to have a valid client certificate
+or a valid username and password.
+{{- end }}
+
+{{- if and (.Values.networkPolicy.enabled) (not (empty .Values.networkPolicy.ingress.grpc)) }}
+
+Note: Since NetworkPolicy is enabled, the only Pods allowed to connect to this
+CockroachDB cluster are:
+
+1. Having the label: "{{ template "cockroachdb.fullname" . }}-client=true"
+
+2. Matching the following rules: {{- toYaml .Values.networkPolicy.ingress.grpc | nindent 0 }}
+{{- end }}
+
+Finally, to open up the CockroachDB admin UI, you can port-forward from your
+local machine into one of the instances in the cluster:
+
+ kubectl port-forward -n {{ .Release.Namespace }} {{ template "cockroachdb.fullname" . }}-0 {{ index .Values.conf `http-port` | int64 }}
+
+Then you can access the admin UI at http{{ if .Values.tls.enabled }}s{{ end }}://localhost:{{ index .Values.conf `http-port` | int64 }}/ in your web browser.
+
+For more information on using CockroachDB, please see the project's docs at:
+https://www.cockroachlabs.com/docs/
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/_helpers.tpl b/charts/cockroach-labs/cockroachdb/15.0.6/templates/_helpers.tpl
new file mode 100644
index 000000000..3670fccc7
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/_helpers.tpl
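Review bot: In templates/NOTES.txt the `{{- if not .Values.tls.enabled }}` branch tells the operator to connect with `--insecure` and that data "will be safe", but it never states that this mode has no client authentication and no transport encryption, so the operator gets no signal that the deployment is unprotected. I would add one line to that branch, for example `WARNING: TLS is disabled; SQL and Admin UI connections are unauthenticated and unencrypted. Set tls.enabled=true outside of local testing.` Separately, the port-forward and Admin UI lines take the port from `conf.http-port`, which the README added in this commit lists as deprecated with default `""`; if that default holds, `int64` would likely render port 0, and `.Values.service.ports.http.port` looks like the intended value.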
@@ -0,0 +1,352 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "cockroachdb.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 56 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cockroachdb.fullname" -}} +{{- if .Values.fullnameOverride -}} + {{- .Values.fullnameOverride | trunc 56 | trimSuffix "-" -}} +{{- else -}} + {{- $name := default .Chart.Name .Values.nameOverride -}} + {{- if contains $name .Release.Name -}} + {{- .Release.Name | trunc 56 | trimSuffix "-" -}} + {{- else -}} + {{- printf "%s-%s" .Release.Name $name | trunc 56 | trimSuffix "-" -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name for cluster scope resource. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name with release namespace appended at the end. +*/}} +{{- define "cockroachdb.clusterfullname" -}} +{{- if .Values.fullnameOverride -}} + {{- printf "%s-%s" .Values.fullnameOverride .Release.Namespace | trunc 56 | trimSuffix "-" -}} +{{- else -}} + {{- $name := default .Chart.Name .Values.nameOverride -}} + {{- if contains $name .Release.Name -}} + {{- printf "%s-%s" .Release.Name .Release.Namespace | trunc 56 | trimSuffix "-" -}} + {{- else -}} + {{- printf "%s-%s-%s" .Release.Name $name .Release.Namespace | trunc 56 | trimSuffix "-" -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cockroachdb.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 56 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the ServiceAccount to use. 
+*/}} +{{- define "cockroachdb.serviceAccount.name" -}} +{{- if .Values.statefulset.serviceAccount.create -}} + {{- default (include "cockroachdb.fullname" .) .Values.statefulset.serviceAccount.name -}} +{{- else -}} + {{- default "default" .Values.statefulset.serviceAccount.name -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for NetworkPolicy. +*/}} +{{- define "cockroachdb.networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <=1.7-0" .Capabilities.KubeVersion.Version -}} + {{- print "extensions/v1beta1" -}} +{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.Version -}} + {{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for StatefulSets +*/}} +{{- define "cockroachdb.statefulset.apiVersion" -}} +{{- if semverCompare "<1.12-0" .Capabilities.KubeVersion.Version -}} + {{- print "apps/v1beta1" -}} +{{- else -}} + {{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return CockroachDB store expression +*/}} +{{- define "cockroachdb.conf.store" -}} + {{- $isInMemory := eq (.Values.conf.store.type | toString) "mem" -}} + {{- $persistentSize := empty .Values.conf.store.size | ternary .Values.storage.persistentVolume.size .Values.conf.store.size -}} + + {{- $store := dict -}} + {{- $_ := set $store "type" ($isInMemory | ternary "type=mem" "") -}} + {{- if eq .Args.idx 0 -}} + {{- $_ := set $store "path" ($isInMemory | ternary "" (print "path=" .Values.conf.path)) -}} + {{- else -}} + {{- $_ := set $store "path" ($isInMemory | ternary "" (print "path=" .Values.conf.path "-" (add1 .Args.idx))) -}} + {{- end -}} + {{- $_ := set $store "size" (print "size=" ($isInMemory | ternary .Values.conf.store.size $persistentSize)) -}} + {{- $_ := set $store "attrs" (empty .Values.conf.store.attrs | ternary "" (print "attrs=" .Values.conf.store.attrs)) -}} + + {{- compact (values $store) | sortAlpha | join "," -}} +{{- end -}} + +{{/* +Define the default values for the certificate 
selfSigner inputs +*/}} +{{- define "selfcerts.fullname" -}} + {{- printf "%s-%s" (include "cockroachdb.fullname" .) "self-signer" | trunc 56 | trimSuffix "-" -}} +{{- end -}} + +{{- define "rotatecerts.fullname" -}} + {{- printf "%s-%s" (include "cockroachdb.fullname" .) "rotate-self-signer" | trunc 56 | trimSuffix "-" -}} +{{- end -}} + +{{- define "selfcerts.minimumCertDuration" -}} + {{- if .Values.tls.certs.selfSigner.minimumCertDuration -}} + {{- print (.Values.tls.certs.selfSigner.minimumCertDuration | trimSuffix "h") -}} + {{- else }} + {{- $minCertDuration := min (sub (.Values.tls.certs.selfSigner.clientCertDuration | trimSuffix "h" ) (.Values.tls.certs.selfSigner.clientCertExpiryWindow | trimSuffix "h")) (sub (.Values.tls.certs.selfSigner.nodeCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.nodeCertExpiryWindow | trimSuffix "h")) -}} + {{- print $minCertDuration -}} + {{- end }} +{{- end -}} + +{{/* +Define the cron schedules for certificate rotate jobs and converting from hours to valid cron string. +We assume that each month has 31 days, hence the cron job may run few days earlier in a year. In a cron schedule, +we can not set a cron of more than a year, hence we try to run the cron in such a way that the cron run comes to +as close possible to the expiry window. However, it is possible that cron may run earlier than the expiry window. 
+*/}} +{{- define "selfcerts.caRotateSchedule" -}} +{{- $tempHours := sub (.Values.tls.certs.selfSigner.caCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h") -}} +{{- $days := "*" -}} +{{- $months := "*" -}} +{{- $hours := mod $tempHours 24 -}} +{{- if not (eq $hours $tempHours) -}} +{{- $tempDays := div $tempHours 24 -}} +{{- $days = mod $tempDays 31 -}} +{{- if not (eq $days $tempDays) -}} +{{- $days = add $days 1 -}} +{{- $tempMonths := div $tempDays 31 -}} +{{- $months = mod $tempMonths 12 -}} +{{- if not (eq $months $tempMonths) -}} +{{- $months = add $months 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if ne (toString $months) "*" -}} +{{- $months = printf "*/%s" (toString $months) -}} +{{- else -}} +{{- if ne (toString $days) "*" -}} +{{- $days = printf "*/%s" (toString $days) -}} +{{- else -}} +{{- if ne $hours 0 -}} +{{- $hours = printf "*/%s" (toString $hours) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- printf "0 %s %s %s *" (toString $hours) (toString $days) (toString $months) -}} +{{- end -}} + +{{- define "selfcerts.clientRotateSchedule" -}} +{{- $tempHours := int64 (include "selfcerts.minimumCertDuration" .) 
-}}
+{{- $days := "*" -}}
+{{- $months := "*" -}}
+{{- $hours := mod $tempHours 24 -}}
+{{- if not (eq $hours $tempHours) -}}
+{{- $tempDays := div $tempHours 24 -}}
+{{- $days = mod $tempDays 31 -}}
+{{- if not (eq $days $tempDays) -}}
+{{- $days = add $days 1 -}}
+{{- $tempMonths := div $tempDays 31 -}}
+{{- $months = mod $tempMonths 12 -}}
+{{- if not (eq $months $tempMonths) -}}
+{{- $months = add $months 1 -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if ne (toString $months) "*" -}}
+{{- $months = printf "*/%s" (toString $months) -}}
+{{- else -}}
+{{- if ne (toString $days) "*" -}}
+{{- $days = printf "*/%s" (toString $days) -}}
+{{- else -}}
+{{- if ne $hours 0 -}}
+{{- $hours = printf "*/%s" (toString $hours) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- printf "0 %s %s %s *" (toString $hours) (toString $days) (toString $months) -}}
+{{- end -}}
+
+{{/*
+Define the appropriate validations for the certificate selfSigner inputs
+*/}}
+
+{{/*
+Validate that if caProvided is true, then the caSecret must not be empty and secret must be present in the namespace.
+*/}}
+{{- define "cockroachdb.tls.certs.selfSigner.caProvidedValidation" -}}
+{{- if .Values.tls.certs.selfSigner.caProvided -}}
+{{- if eq "" .Values.tls.certs.selfSigner.caSecret -}}
+ {{ fail "CA secret can't be empty if caProvided is set to true" }}
+{{- else -}}
+ {{- if not (lookup "v1" "Secret" .Release.Namespace .Values.tls.certs.selfSigner.caSecret) }}
+ {{ fail "CA secret is not present in the release namespace" }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate that if caCertDuration or caCertExpiryWindow must not be empty and caCertExpiryWindow must be greater than
+minimumCertDuration.
+*/}}
+{{- define "cockroachdb.tls.certs.selfSigner.caCertValidation" -}}
+{{- if not .Values.tls.certs.selfSigner.caProvided -}}
+{{- if or (not .Values.tls.certs.selfSigner.caCertDuration) (not .Values.tls.certs.selfSigner.caCertExpiryWindow) }}
+ {{ fail "CA cert duration or CA cert expiry window can not be empty" }}
+{{- else }}
+{{- if gt (int64 (include "selfcerts.minimumCertDuration" .)) (int64 (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h")) -}}
+ {{ fail "CA cert expiration window should not be less than minimum Cert duration" }}
+{{- end -}}
+{{- if gt (int64 (include "selfcerts.minimumCertDuration" .)) (sub (.Values.tls.certs.selfSigner.caCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h")) -}}
+ {{ fail "CA cert Duration minus CA cert expiration window should not be less than minimum Cert duration" }}
+{{- end -}}
+{{- end -}}
+{{- end }}
+{{- end -}}
+
+{{/*
+Validate that if clientCertDuration must not be empty and it must be greater than minimumCertDuration.
+*/}}
+{{- define "cockroachdb.tls.certs.selfSigner.clientCertValidation" -}}
+{{- if or (not .Values.tls.certs.selfSigner.clientCertDuration) (not .Values.tls.certs.selfSigner.clientCertExpiryWindow) }}
+ {{ fail "Client cert duration can not be empty" }}
+{{- else }}
+{{- if lt (sub (.Values.tls.certs.selfSigner.clientCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.clientCertExpiryWindow | trimSuffix "h")) (int64 (include "selfcerts.minimumCertDuration" .)) }}
+ {{ fail "Client cert duration minus client cert expiry window should not be less than minimum Cert duration" }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Validate that nodeCertDuration must not be empty and nodeCertDuration minus nodeCertExpiryWindow must be greater than minimumCertDuration.
+*/}}
+{{- define "cockroachdb.tls.certs.selfSigner.nodeCertValidation" -}}
+{{- if or (not .Values.tls.certs.selfSigner.nodeCertDuration) (not .Values.tls.certs.selfSigner.nodeCertExpiryWindow) }}
+ {{ fail "Node cert duration can not be empty" }}
+{{- else }}
+{{- if lt (sub (.Values.tls.certs.selfSigner.nodeCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.nodeCertExpiryWindow | trimSuffix "h")) (int64 (include "selfcerts.minimumCertDuration" .))}}
+ {{ fail "Node cert duration minus node cert expiry window should not be less than minimum Cert duration" }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Validate that if user enabled tls, then either self-signed certificates or certificate manager is enabled
+*/}}
+{{- define "cockroachdb.tlsValidation" -}}
+{{- if .Values.tls.enabled -}}
+{{- if and .Values.tls.certs.selfSigner.enabled .Values.tls.certs.certManager -}}
+ {{ fail "Can not enable the self signed certificates and certificate manager at the same time" }}
+{{- end -}}
+{{- if and (not .Values.tls.certs.selfSigner.enabled) (not .Values.tls.certs.certManager) -}}
+ {{- if not .Values.tls.certs.provided -}}
+ {{ fail "You have to enable either self signed certificates or certificate manager, if you have enabled tls" }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+
+{{- define "cockroachdb.tls.certs.selfSigner.validation" -}}
+{{ include "cockroachdb.tls.certs.selfSigner.caProvidedValidation" . }}
+{{ include "cockroachdb.tls.certs.selfSigner.caCertValidation" . }}
+{{ include "cockroachdb.tls.certs.selfSigner.clientCertValidation" . }}
+{{ include "cockroachdb.tls.certs.selfSigner.nodeCertValidation" . }}
+{{- end -}}
+
+{{- define "cockroachdb.securityContext.versionValidation" }}
+{{- /* Allow using `securityContext` for custom images. */}}
+{{- if ne "cockroachdb/cockroach" .Values.image.repository -}}
+ {{ print true }}
+{{- else -}}
+{{- if semverCompare ">=22.1.2" .Values.image.tag -}}
+ {{ print true }}
+{{- else -}}
+{{- if semverCompare ">=21.2.13, <22.1.0" .Values.image.tag -}}
+ {{ print true }}
+{{- else -}}
+ {{ print false }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Validate the log configuration.
+*/}}
+{{- define "cockroachdb.conf.log.validation" -}}
+{{- if and (not .Values.conf.log.enabled) .Values.conf.log.persistentVolume.enabled -}}
+ {{ fail "Persistent volume for logs can only be enabled if logging is enabled" }}
+{{- end -}}
+{{- if and .Values.conf.log.persistentVolume.enabled (dig "file-defaults" "dir" "" .Values.conf.log.config) -}}
+{{- if not (hasPrefix (printf "/cockroach/%s" .Values.conf.log.persistentVolume.path) (dig "file-defaults" "dir" "" .Values.conf.log.config)) }}
+ {{ fail "Log configuration should use the persistent volume if enabled" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cockroachdb.storage.hostPath.computation" -}}
+{{- if hasSuffix "/" .Values.storage.hostPath -}}
+ {{- printf "%s-%d/" (dir .Values.storage.hostPath) (add1 .Args.idx) | quote -}}
+{{- else -}}
+ {{- printf "%s-%d" .Values.storage.hostPath (add1 .Args.idx) | quote -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate the store count configuration.
+*/}}
+{{- define "cockroachdb.conf.store.validation" -}}
+ {{- if and (not .Values.conf.store.enabled) (ne (int .Values.conf.store.count) 1) -}}
+ {{ fail "Store count should be 1 when disabled" }}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Validate the WAL failover configuration.
+*/}}
+{{- define "cockroachdb.conf.wal-failover.validation" -}}
+ {{- with index .Values.conf `wal-failover` -}}
+ {{- if not (mustHas .value (list "" "disabled" "among-stores")) -}}
+ {{- if not (hasPrefix "path=" (.value | toString)) -}}
+ {{ fail "Invalid WAL failover configuration value. Expected either of '', 'disabled', 'among-stores' or 'path='" }}
+ {{- end -}}
+ {{- end -}}
+ {{- if eq .value "among-stores" -}}
+ {{- if or (not $.Values.conf.store.enabled) (eq (int $.Values.conf.store.count) 1) -}}
+ {{ fail "WAL failover among stores requires store enabled with count greater than 1" }}
+ {{- end -}}
+ {{- end -}}
+ {{- if hasPrefix "path=" (.value | toString) -}}
+ {{- if not .persistentVolume.enabled -}}
+ {{ fail "WAL failover to a side disk requires a persistent volume" }}
+ {{- end -}}
+ {{- if and (not (hasPrefix (printf "/cockroach/%s" .persistentVolume.path) (trimPrefix "path=" .value))) (not (hasPrefix .persistentVolume.path (trimPrefix "path=" .value))) -}}
+ {{ fail "WAL failover to a side disk requires a path to the mounted persistent volume" }}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/backendconfig.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/backendconfig.yaml
new file mode 100644
index 000000000..2edc88619
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/backendconfig.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.iap.enabled }}
+apiVersion: cloud.google.com/v1beta1
+kind: BackendConfig
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ iap:
+ enabled: true
+ oauthclientCredentials:
+ secretName: {{ template "cockroachdb.fullname" . }}.iap
+ timeoutSec: 120
+{{- end }}
\ No newline at end of file
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.ca.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.ca.yaml
new file mode 100644
index 000000000..4043fafb0
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.ca.yaml
@@ -0,0 +1,33 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.certManager }}
+ {{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}-ca-cert
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ duration: {{ .Values.tls.certs.certManagerIssuer.caCertDuration }}
+ renewBefore: {{ .Values.tls.certs.certManagerIssuer.caCertExpiryWindow }}
+ isCA: true
+ secretName: {{ .Values.tls.certs.caSecret }}
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ commonName: root
+ subject:
+ organizations:
+ - Cockroach
+ issuerRef:
+ name: {{ .Values.tls.certs.certManagerIssuer.name }}
+ kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
+ group: {{ .Values.tls.certs.certManagerIssuer.group }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.client.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.client.yaml
new file mode 100644
index 000000000..dd0272f3e
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.client.yaml
@@ -0,0 +1,40 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.certManager }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}-root-client
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ duration: {{ .Values.tls.certs.certManagerIssuer.clientCertDuration }}
+ renewBefore: {{ .Values.tls.certs.certManagerIssuer.clientCertExpiryWindow }}
+ usages:
+ - digital signature
+ - key encipherment
+ - client auth
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ commonName: root
+ subject:
+ organizations:
+ - Cockroach
+ secretName: {{ .Values.tls.certs.clientRootSecret }}
+ issuerRef:
+ {{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }}
+ name: {{ template "cockroachdb.fullname" . }}-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+ {{- else }}
+ name: {{ .Values.tls.certs.certManagerIssuer.name }}
+ kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
+ group: {{ .Values.tls.certs.certManagerIssuer.group }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.issuer.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.issuer.yaml
new file mode 100644
index 000000000..5cf579ff9
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.issuer.yaml
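Review bot: The `privateKey` block of the root client certificate sets only `algorithm` and `size`, so whether a renewal generates a fresh key is left to the cert-manager default, which on some cert-manager releases is to keep the existing key. This certificate carries `commonName: root`, so a key that has leaked would stay usable across renewals until someone deletes the secret by hand. I would state the intent explicitly with `rotationPolicy: Always` under `privateKey`. The node certificate in certificate.node.yaml has the same `privateKey` shape and the same gap.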
@@ -0,0 +1,20 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.certManager }}
+ {{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}-ca-issuer
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ca:
+ secretName: {{ .Values.tls.certs.caSecret }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.node.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.node.yaml
new file mode 100644
index 000000000..05e909d0b
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/certificate.node.yaml
@@ -0,0 +1,50 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.certManager }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}-node
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ duration: {{ .Values.tls.certs.certManagerIssuer.nodeCertDuration }}
+ renewBefore: {{ .Values.tls.certs.certManagerIssuer.nodeCertExpiryWindow }}
+ usages:
+ - digital signature
+ - key encipherment
+ - server auth
+ - client auth
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ commonName: node
+ subject:
+ organizations:
+ - Cockroach
+ dnsNames:
+ - "localhost"
+ - "127.0.0.1"
+ - {{ printf "%s-public" (include "cockroachdb.fullname" .) | quote }}
+ - {{ printf "%s-public.%s" (include "cockroachdb.fullname" .) .Release.Namespace | quote }}
+ - {{ printf "%s-public.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }}
+ - {{ printf "*.%s" (include "cockroachdb.fullname" .) | quote }}
+ - {{ printf "*.%s.%s" (include "cockroachdb.fullname" .) .Release.Namespace | quote }}
+ - {{ printf "*.%s.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }}
+ secretName: {{ .Values.tls.certs.nodeSecret }}
+ issuerRef:
+ {{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }}
+ name: {{ template "cockroachdb.fullname" . }}-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+ {{- else }}
+ name: {{ .Values.tls.certs.certManagerIssuer.name }}
+ kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
+ group: {{ .Values.tls.certs.certManagerIssuer.group }}
+ {{- end }}
+{{- end }}
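Review bot: `"127.0.0.1"` is listed under `dnsNames`, which requests it as a DNS-type SAN, whereas a TLS client that connects by IP address is matched against IP-type SANs, so a strict verifier may reject a loopback connection to a node. Moving the entry to its own list, `ipAddresses: ["127.0.0.1"]`, keeps `dnsNames` for host names only. The three wildcard entries are derived from the release name and namespace, and a one-line comment above them saying that one certificate is deliberately valid for every pod behind those names would help whoever later reviews the scope of this secret.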
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/clusterrole.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/clusterrole.yaml
new file mode 100644
index 000000000..6b8a3dc5f
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/clusterrole.yaml
@@ -0,0 +1,19 @@
+{{- if and .Values.tls.enabled (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "cockroachdb.clusterfullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups: ["certificates.k8s.io"]
+ resources: ["certificatesigningrequests"]
+ verbs: ["create", "get", "watch"]
+{{- end }}
\ No newline at end of file
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/clusterrolebinding.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..3c18694ef
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/clusterrolebinding.yaml
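Review bot: The rule grants cluster-wide `create`, `get` and `watch` on `certificatesigningrequests`, and clusterrolebinding.yaml binds it to `cockroachdb.serviceAccount.name`, the account the init Job in this commit also runs under, while the self-signer Jobs that generate the certificates use a different account (`selfcerts.fullname`). From these templates alone it is not clear that the database account still needs the CSR API in self-signer mode; if it does not, the role and binding can be dropped, and if it does, a comment above `rules:` should say which component submits the requests. Separately, `namespace: {{ .Release.Namespace | quote }}` under `metadata` has no meaning on a cluster-scoped object and should be removed here and in the ClusterRoleBinding's `metadata`.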
@@ -0,0 +1,23 @@
+{{- if and .Values.tls.enabled (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "cockroachdb.clusterfullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "cockroachdb.clusterfullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "cockroachdb.serviceAccount.name" . }}
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/cronjob-ca-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/cronjob-ca-certSelfSigner.yaml
new file mode 100644
index 000000000..4cd53900c
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/cronjob-ca-certSelfSigner.yaml
@@ -0,0 +1,62 @@
+{{- if and .Values.tls.enabled (and .Values.tls.certs.selfSigner.enabled (not .Values.tls.certs.selfSigner.caProvided)) }}
+ {{- if .Values.tls.certs.selfSigner.rotateCerts }}
+ {{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
+apiVersion: batch/v1
+ {{- else }}
+apiVersion: batch/v1beta1
+ {{- end }}
+kind: CronJob
+metadata:
+ name: {{ template "rotatecerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+spec:
+ schedule: {{ template "selfcerts.caRotateSchedule" . }}
+ jobTemplate:
+ spec:
+ backoffLimit: 1
+ template:
+ metadata:
+ {{- with .Values.tls.selfSigner.labels }}
+ labels: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.annotations }}
+ annotations: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ spec:
+ restartPolicy: Never
+ {{- with .Values.tls.selfSigner.affinity }}
+ affinity: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.nodeSelector }}
+ nodeSelector: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.tolerations }}
+ tolerations: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ containers:
+ - name: cert-rotate-job
+ image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
+ imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+ args:
+ - rotate
+ - --ca
+ - --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }}
+ - --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }}
+ - --ca-cron={{ template "selfcerts.caRotateSchedule" . }}
+ - --readiness-wait={{ .Values.tls.certs.selfSigner.readinessWait }}
+ - --pod-update-timeout={{ .Values.tls.certs.selfSigner.podUpdateTimeout }}
+ env:
+ - name: STATEFULSET_NAME
+ value: {{ template "cockroachdb.fullname" . }}
+ - name: NAMESPACE
+ value: {{ .Release.Namespace }}
+ - name: CLUSTER_DOMAIN
+ value: {{ .Values.clusterDomain}}
+ serviceAccountName: {{ template "rotatecerts.fullname" . }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/cronjob-client-node-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/cronjob-client-node-certSelfSigner.yaml
new file mode 100644
index 000000000..d500cbeb6
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/cronjob-client-node-certSelfSigner.yaml
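Review bot: The rotation CronJob's pod spec sets no `securityContext` at pod or container level, although job-certSelfSigner.yaml and job-cleaner.yaml in this same commit run the same self-signer image with `runAsNonRoot`, a `RuntimeDefault` seccomp profile and all capabilities dropped when `.Values.tls.certs.selfSigner.securityContext.enabled` is set. The job that rewrites CA key material on a schedule is the one most worth hardening, so the same two blocks should be rendered here under the same flag. cronjob-client-node-certSelfSigner.yaml has the identical gap. The indentation in the excerpt below is reconstructed for the CronJob nesting and should be checked against the file.

```yaml
        spec:
          {{- if .Values.tls.certs.selfSigner.securityContext.enabled }}
          securityContext:
            seccompProfile:
              type: "RuntimeDefault"
            runAsGroup: 1000
            runAsUser: 1000
            fsGroup: 1000
            runAsNonRoot: true
          {{- end }}
          restartPolicy: Never
          # … unchanged: affinity, nodeSelector, tolerations …
          containers:
            - name: cert-rotate-job
              # … unchanged: image, imagePullPolicy, args, env …
              {{- if .Values.tls.certs.selfSigner.securityContext.enabled }}
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              {{- end }}
```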
@@ -0,0 +1,69 @@
+{{- if and .Values.tls.certs.selfSigner.enabled .Values.tls.certs.selfSigner.rotateCerts }}
+ {{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
+apiVersion: batch/v1
+ {{- else }}
+apiVersion: batch/v1beta1
+ {{- end }}
+kind: CronJob
+metadata:
+ name: {{ template "rotatecerts.fullname" . }}-client
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+spec:
+ schedule: {{ template "selfcerts.clientRotateSchedule" . }}
+ jobTemplate:
+ spec:
+ backoffLimit: 1
+ template:
+ metadata:
+ {{- with .Values.tls.selfSigner.labels }}
+ labels: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.annotations }}
+ annotations: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ spec:
+ restartPolicy: Never
+ {{- with .Values.tls.selfSigner.affinity }}
+ affinity: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.nodeSelector }}
+ nodeSelector: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.tolerations }}
+ tolerations: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ containers:
+ - name: cert-rotate-job
+ image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
+ imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+ args:
+ - rotate
+ {{- if .Values.tls.certs.selfSigner.caProvided }}
+ - --ca-secret={{ .Values.tls.certs.selfSigner.caSecret }}
+ {{- else }}
+ - --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }}
+ - --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }}
+ {{- end }}
+ - --client
+ - --client-duration={{ .Values.tls.certs.selfSigner.clientCertDuration }}
+ - --client-expiry={{ .Values.tls.certs.selfSigner.clientCertExpiryWindow }}
+ - --node
+ - --node-duration={{ .Values.tls.certs.selfSigner.nodeCertDuration }}
+ - --node-expiry={{ .Values.tls.certs.selfSigner.nodeCertExpiryWindow }}
+ - --node-client-cron={{ template "selfcerts.clientRotateSchedule" . }}
+ - --readiness-wait={{ .Values.tls.certs.selfSigner.readinessWait }}
+ - --pod-update-timeout={{ .Values.tls.certs.selfSigner.podUpdateTimeout }}
+ env:
+ - name: STATEFULSET_NAME
+ value: {{ template "cockroachdb.fullname" . }}
+ - name: NAMESPACE
+ value: {{ .Release.Namespace }}
+ - name: CLUSTER_DOMAIN
+ value: {{ .Values.clusterDomain}}
+ serviceAccountName: {{ template "rotatecerts.fullname" . }}
+ {{- end}}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/ingress.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/ingress.yaml
new file mode 100644
index 000000000..2fa6373c8
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/ingress.yaml
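Review bot: The opening guard tests only `selfSigner.enabled` and `selfSigner.rotateCerts`, so unlike the CA CronJob, the generate Job and the cleaner Job it does not check `.Values.tls.enabled`. A release that turns TLS off while leaving the self-signer values in place would therefore still render a scheduled job running under the `rotatecerts` account against a cluster that has no certificates to rotate. Making the first line `{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled .Values.tls.certs.selfSigner.rotateCerts }}` brings it in line with the other self-signer templates. Whether the values file ships with `selfSigner.enabled` on by default is not visible in this hunk.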
@@ -0,0 +1,90 @@
+{{- if .Values.ingress.enabled -}}
+{{- $paths := .Values.ingress.paths -}}
+{{- $ports := .Values.service.ports -}}
+{{- $fullName := include "cockroachdb.fullname" . -}}
+{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+apiVersion: networking.k8s.io/v1
+{{- else if $.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" }}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+{{- if or .Values.ingress.annotations .Values.iap.enabled }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.iap.enabled }}
+ kubernetes.io/ingress.class: "gce"
+ kubernetes.io/ingress.allow-http: "false"
+ {{- end }}
+{{- end }}
+ name: {{ $fullName }}-ingress
+ namespace: {{ .Release.Namespace }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ $.Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
+{{- if .Values.ingress.labels }}
+{{- toYaml .Values.ingress.labels | nindent 4 }}
+{{- end }}
+spec:
+ rules:
+ {{- if .Values.ingress.hosts }}
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ {{- range $path := $paths }}
+ - path: {{ $path | quote }}
+ {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+ {{- if $.Values.iap.enabled }}
+ pathType: ImplementationSpecific
+ {{- else }}
+ pathType: Prefix
+ {{- end }}
+ {{- end }}
+ backend:
+ {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+ service:
+ name: {{ $fullName }}-public
+ port:
+ name: {{ $ports.http.name | quote }}
+ {{- else }}
+ serviceName: {{ $fullName }}-public
+ servicePort: {{ $ports.http.name | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- else }}
+ - http:
+ paths:
+ {{- range $path := $paths }}
+ - path: {{ $path | quote }}
+ {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+ {{- if $.Values.iap.enabled }}
+ pathType: ImplementationSpecific
+ {{- else }}
+ pathType: Prefix
+ {{- end }}
+ {{- end }}
+ backend:
+ {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+ service:
+ name: {{ $fullName }}-public
+ port:
+ name: {{ $ports.http.name | quote }}
+ {{- else }}
+ serviceName: {{ $fullName }}-public
+ servicePort: {{ $ports.http.name | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{- toYaml .Values.ingress.tls | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/job-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/job-certSelfSigner.yaml
new file mode 100644
index 000000000..54ed2cad3
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/job-certSelfSigner.yaml
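Review bot: `- host: {{ $host }}` emits the host unquoted, while `path` and the port name on the lines below it are piped through `quote`. A wildcard host such as `*.example.com` (constructed example) starts with `*`, which YAML reads as an alias, so the manifest fails to parse instead of producing a rule. The line should read `- host: {{ $host | quote }}`. `namespace: {{ .Release.Namespace }}` in `metadata` is also the only namespace field in these templates without `| quote` and should match the rest.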
@@ -0,0 +1,83 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ template "selfcerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "4"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+spec:
+ template:
+ metadata:
+ name: {{ template "selfcerts.fullname" . }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.tls.selfSigner.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.annotations }}
+ annotations: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+ securityContext:
+ seccompProfile:
+ type: "RuntimeDefault"
+ runAsGroup: 1000
+ runAsUser: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
+ {{- end }}
+ restartPolicy: Never
+ {{- with .Values.tls.selfSigner.affinity }}
+ affinity: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.nodeSelector }}
+ nodeSelector: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.tolerations }}
+ tolerations: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: cert-generate-job
+ image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
+ imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+ args:
+ - generate
+ {{- if .Values.tls.certs.selfSigner.caProvided }}
+ - --ca-secret={{ .Values.tls.certs.selfSigner.caSecret }}
+ {{- else }}
+ - --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }}
+ - --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }}
+ {{- end }}
+ - --client-duration={{ .Values.tls.certs.selfSigner.clientCertDuration }}
+ - --client-expiry={{ .Values.tls.certs.selfSigner.clientCertExpiryWindow }}
+ - --node-duration={{ .Values.tls.certs.selfSigner.nodeCertDuration }}
+ - --node-expiry={{ .Values.tls.certs.selfSigner.nodeCertExpiryWindow }}
+ env:
+ - name: STATEFULSET_NAME
+ value: {{ template "cockroachdb.fullname" . }}
+ - name: NAMESPACE
+ value: {{ .Release.Namespace | quote }}
+ - name: CLUSTER_DOMAIN
+ value: {{ .Values.clusterDomain}}
+ {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ {{- end }}
+ serviceAccountName: {{ template "selfcerts.fullname" . }}
+{{- end}}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/job-cleaner.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/job-cleaner.yaml
new file mode 100644
index 000000000..1503ac459
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/job-cleaner.yaml
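Review bot: The hook annotation `"helm.sh/hook-delete-policy": hook-succeeded,hook-failed` removes the Job whether it succeeds or fails, so when certificate generation fails during install or upgrade the pod and its logs are gone before anyone can read them. For the step that creates the cluster's CA and node keys, the failure output is what an operator needs in order to tell a misconfiguration from tampering with the CA secret. Using `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded`, the same `before-hook-creation` policy the init Job in this commit already uses, keeps a failed run around until the next attempt. job-cleaner.yaml carries the same `hook-succeeded,hook-failed` policy.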
@@ -0,0 +1,70 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ template "selfcerts.fullname" . }}-cleaner
+ namespace: {{ .Release.Namespace | quote }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+spec:
+ backoffLimit: 1
+ template:
+ metadata:
+ name: {{ template "selfcerts.fullname" . }}-cleaner
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.tls.selfSigner.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.annotations }}
+ annotations: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+ securityContext:
+ seccompProfile:
+ type: "RuntimeDefault"
+ runAsGroup: 1000
+ runAsUser: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
+ {{- end }}
+ restartPolicy: Never
+ {{- with .Values.tls.selfSigner.affinity }}
+ affinity: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.nodeSelector }}
+ nodeSelector: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tls.selfSigner.tolerations }}
+ tolerations: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: cleaner
+ image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
+ imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+ args:
+ - cleanup
+ - --namespace={{ .Release.Namespace }}
+ env:
+ - name: STATEFULSET_NAME
+ value: {{ template "cockroachdb.fullname" . }}
+ {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ {{- end }}
+ serviceAccountName: {{ template "rotatecerts.fullname" . }}
+{{- end}}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/job.init.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/job.init.yaml
new file mode 100644
index 000000000..dbc1eaa17
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/job.init.yaml
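Review bot: The cleaner runs under `serviceAccountName: {{ template "rotatecerts.fullname" . }}`, but its guard checks only `tls.enabled` and `selfSigner.enabled`, whereas the CronJobs that use that same account are additionally gated on `selfSigner.rotateCerts`. The ServiceAccount and Role templates are outside this hunk, so this needs confirming: if the rotate account is rendered only when rotation is on, the pre-delete hook cannot start on a release with `rotateCerts: false`, and the generated certificate secrets, private keys included, are left in the namespace after uninstall. A short comment above `serviceAccountName` stating why cleanup borrows the rotation account rather than `selfcerts.fullname` would make the intended privilege boundary clear.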
@@ -0,0 +1,303 @@ +{{ $isClusterInitEnabled := and (eq (len .Values.conf.join) 0) (not (index .Values.conf `single-node`)) }} +{{ $isDatabaseProvisioningEnabled := .Values.init.provisioning.enabled }} +{{- if or $isClusterInitEnabled $isDatabaseProvisioningEnabled }} + {{ template "cockroachdb.tlsValidation" . }} +kind: Job +apiVersion: batch/v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}-init + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.init.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation + {{- with .Values.init.jobAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.init.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.init.annotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if eq (include "cockroachdb.securityContext.versionValidation" .) 
"true" }} + {{- if and .Values.init.securityContext.enabled }} + securityContext: + seccompProfile: + type: "RuntimeDefault" + runAsGroup: 1000 + runAsUser: 1000 + fsGroup: 1000 + runAsNonRoot: true + {{- end }} + {{- end }} + restartPolicy: OnFailure + terminationGracePeriodSeconds: {{ .Values.init.terminationGracePeriodSeconds }} + {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }} + imagePullSecrets: + {{- if .Values.image.credentials }} + - name: {{ template "cockroachdb.fullname" . }}.db.registry + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }} + - name: {{ template "cockroachdb.fullname" . }}.self-signed-certs.registry + {{- end }} + {{- end }} + serviceAccountName: {{ template "cockroachdb.serviceAccount.name" . }} + {{- if .Values.tls.enabled }} + initContainers: + - name: copy-certs + image: {{ .Values.tls.copyCerts.image | quote }} + imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }} + command: + - /bin/sh + - -c + - "cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if and .Values.init.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + {{- end }} + volumeMounts: + - name: client-certs + mountPath: /cockroach-certs/ + - name: certs-secret + mountPath: /certs/ + {{- with .Values.tls.copyCerts.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- with .Values.init.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.init.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.init.tolerations }} + tolerations: {{- toYaml . 
| nindent 8 }} + {{- end }} + containers: + - name: cluster-init + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + # Run the command in an `while true` loop because this Job is bound + # to come up before the CockroachDB Pods (due to the time needed to + # get PersistentVolumes attached to Nodes), and sleeping 5 seconds + # between attempts is much better than letting the Pod fail when + # the init command does and waiting out Kubernetes' non-configurable + # exponential back-off for Pod restarts. + # Command completes either when cluster initialization succeeds, + # or when cluster has been initialized already. + command: + - /bin/bash + - -c + - >- + {{- if $isClusterInitEnabled }} + initCluster() { + while true; do + local output=$( + set -x; + + /cockroach/cockroach init \ + {{- if .Values.tls.enabled }} + --certs-dir=/cockroach-certs/ \ + {{- else }} + --insecure \ + {{- end }} + {{- with index .Values.conf "cluster-name" }} + --cluster-name={{.}} \ + {{- end }} + --host={{ template "cockroachdb.fullname" . }}-0.{{ template "cockroachdb.fullname" . -}} + :{{ .Values.service.ports.grpc.internal.port | int64 }} \ + {{- if .Values.init.pcr.enabled -}} + {{- if .Values.init.pcr.isPrimary }} + --virtualized \ + {{- else }} + --virtualized-empty \ + {{- end }} + {{- end }} + 2>&1); + + local exitCode="$?"; + echo $output; + + if [[ "$output" =~ .*"Cluster successfully initialized".* || "$output" =~ .*"cluster has already been initialized".* ]]; then + break; + fi + + echo "Cluster is not ready to be initialized, retrying in 5 seconds" + sleep 5; + done + } + + initCluster; + {{- end }} + + {{- if $isDatabaseProvisioningEnabled }} + provisionCluster() { + while true; do + /cockroach/cockroach sql \ + {{- if .Values.tls.enabled }} + --certs-dir=/cockroach-certs/ \ + {{- else }} + --insecure \ + {{- end }} + --host={{ template "cockroachdb.fullname" . }}-0.{{ template "cockroachdb.fullname" . 
-}} + :{{ .Values.service.ports.grpc.internal.port | int64 }} \ + --execute=" + {{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }} + SET CLUSTER SETTING {{ $clusterSetting }} = '${{ $clusterSetting | replace "." "_" }}_CLUSTER_SETTING'; + {{- end }} + + {{- range $user := .Values.init.provisioning.users }} + CREATE USER IF NOT EXISTS {{ $user.name }} WITH + {{- if $user.password }} + PASSWORD '${{ $user.name }}_PASSWORD' + {{- else }} + PASSWORD null + {{- end }} + {{ join " " $user.options }} + ; + {{- end }} + + {{- range $database := .Values.init.provisioning.databases }} + CREATE DATABASE IF NOT EXISTS {{ $database.name }} + {{- if $database.options }} + {{ join " " $database.options }} + {{- end }} + ; + + {{- range $owner := $database.owners }} + GRANT ALL ON DATABASE {{ $database.name }} TO {{ $owner }}; + {{- end }} + + {{- range $owner := $database.owners_with_grant_option }} + GRANT ALL ON DATABASE {{ $database.name }} TO {{ $owner }} WITH GRANT OPTION; + {{- end }} + + {{- if $database.backup }} + CREATE SCHEDULE IF NOT EXISTS {{ $database.name }}_scheduled_backup + FOR BACKUP DATABASE {{ $database.name }} INTO '{{ $database.backup.into }}' + + {{- if $database.backup.options }} + WITH {{ join "," $database.backup.options }} + {{- end }} + RECURRING '{{ $database.backup.recurring }}' + {{- if $database.backup.fullBackup }} + FULL BACKUP '{{ $database.backup.fullBackup }}' + {{- else }} + FULL BACKUP ALWAYS + {{- end }} + + {{- if and $database.backup.schedule $database.backup.schedule.options }} + WITH SCHEDULE OPTIONS {{ join "," $database.backup.schedule.options }} + {{- end }} + ; + {{- end }} + {{- end }} + " + &>/dev/null; + + local exitCode="$?"; + + if [[ "$exitCode" -eq "0" ]] + then break; + fi + + sleep 5; + done + + echo "Provisioning completed successfully"; + } + + provisionCluster; + {{- end }} + env: + {{- $secretName := printf "%s-init" (include "cockroachdb.fullname" .) 
}} + {{- range $user := .Values.init.provisioning.users }} + {{- if $user.password }} + - name: {{ $user.name }}_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $secretName }} + key: {{ $user.name }}-password + {{- end }} + {{- end }} + {{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }} + {{- if $clusterSettingValue }} + - name: {{ $clusterSetting | replace "." "_" }}_CLUSTER_SETTING + valueFrom: + secretKeyRef: + name: {{ $secretName }} + key: {{ $clusterSetting | replace "." "-" }}-cluster-setting + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + volumeMounts: + - name: client-certs + mountPath: /cockroach-certs/ + {{- end }} + {{- with .Values.init.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + {{- if and .Values.init.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + {{- end }} + {{- if .Values.tls.enabled }} + volumes: + - name: client-certs + emptyDir: {} + {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + - name: certs-secret + {{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + projected: + sources: + - secret: + {{- if .Values.tls.certs.selfSigner.enabled }} + name: {{ template "cockroachdb.fullname" . }}-client-secret + {{ else }} + name: {{ .Values.tls.certs.clientRootSecret }} + {{ end -}} + items: + - key: ca.crt + path: ca.crt + mode: 0400 + - key: tls.crt + path: client.root.crt + mode: 0400 + - key: tls.key + path: client.root.key + mode: 0400 + {{- else }} + secret: + secretName: {{ .Values.tls.certs.clientRootSecret }} + defaultMode: 0400 + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/networkpolicy.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/networkpolicy.yaml new file mode 100644 index 000000000..d41afa32b 
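Review bot: In `provisionCluster` the password and cluster-setting values reach SQL through shell expansion inside single-quoted literals (`PASSWORD '${{ $user.name }}_PASSWORD'`), so a value containing `'` closes the literal and the remainder is parsed as SQL. `$user.name`, `$user.options`, `$database.name` and `backup.into` are templated in unescaped as well. A user name containing `-` or `.` is worse: bash reads `$app-user_PASSWORD` as `$app` followed by literal text, so the account is created with a predictable password instead of the one in the Secret. I would reject such names at render time, e.g. `{{- if not (regexMatch "^[A-Za-z_][A-Za-z0-9_]*$" $user.name) }}{{ fail "init.provisioning.users[].name must be a valid shell identifier" }}{{- end }}`, and double any `'` in the values before they are interpolated. Because output goes to `&>/dev/null` and the loop retries until exit code 0, a permanent SQL error leaves the Job spinning with no diagnostic, so the retries should be bounded; separately, `local exitCode="$?"` in `initCluster` records the status of `local`, not of `cockroach init`, and is never read.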
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/networkpolicy.yaml
@@ -0,0 +1,59 @@
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ template "cockroachdb.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ template "cockroachdb.serviceAccount.name" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ {{- with .Values.statefulset.labels }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: grpc
+ {{- with .Values.networkPolicy.ingress.grpc }}
+ from:
+ # Allow connections via custom rules.
+ {{- toYaml . | nindent 8 }}
+ # Allow client connection via pre-considered label.
+ - podSelector:
+ matchLabels:
+ {{ template "cockroachdb.fullname" . }}-client: "true"
+ # Allow other CockroachDBs to connect to form a cluster.
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ {{- with .Values.statefulset.labels }}
+ {{- toYaml . | nindent 14 }}
+ {{- end }}
+ {{- if gt (.Values.statefulset.replicas | int64) 1 }}
+ # Allow init Job to connect to bootstrap a cluster.
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ {{- with .Values.init.labels }}
+ {{- toYaml . | nindent 14 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ # Allow connections to admin UI and for Prometheus.
+ - ports:
+ - port: http
+ {{- with .Values.networkPolicy.ingress.http }}
+ from: {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
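Review bot: Both ingress rules fall open when their value list is empty: `from:` is emitted only inside `{{- with .Values.networkPolicy.ingress.grpc }}` and `{{- with .Values.networkPolicy.ingress.http }}`, and a rule with `ports` but no `from` admits every source. Setting `networkPolicy.enabled` without filling those lists therefore leaves the grpc and http ports reachable from anywhere. The built-in peers (the `-client: "true"` label, other CockroachDB pods, the init Job) are dropped too, since they sit inside the same grpc `with`. Inside that block `.` is the grpc list, so `.Release.Name`, `.Values.statefulset.labels`, `.Values.init.labels` and `template "cockroachdb.fullname" .` resolve against the list and I would expect rendering to fail; they should use `$`, e.g. `{{ $.Release.Name | quote }}` and `{{ template "cockroachdb.fullname" $ }}`. I would emit `from:` with the built-in peers unconditionally, append the custom rules with `with`, and state in a comment what an empty http list is meant to allow.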
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/poddisruptionbudget.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..f707e4054 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/poddisruptionbudget.yaml @@ -0,0 +1,26 @@ +kind: PodDisruptionBudget +{{- if or (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +metadata: + name: {{ template "cockroachdb.fullname" . }}-budget + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} + maxUnavailable: {{ .Values.statefulset.budget.maxUnavailable | int64 }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/role-certRotateSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/role-certRotateSelfSigner.yaml new file mode 100644 index 000000000..f0e2b90ce --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/role-certRotateSelfSigner.yaml 
@@ -0,0 +1,27 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "rotatecerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "update", "delete"]
+ - apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ verbs: ["get"]
+ resourceNames:
+ - {{ template "cockroachdb.fullname" . }}
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["delete", "get"]
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/role-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/role-certSelfSigner.yaml
new file mode 100644
index 000000000..1cbaab3dd
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/role-certSelfSigner.yaml
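Review bot: The `secrets` rule grants `create`, `get`, `update` and `delete` on every Secret in the release namespace, and the `pods` rule grants `delete` on every Pod, because neither carries `resourceNames` the way the `statefulsets` rule does. The same rules appear in role-certSelfSigner.yaml, and role.yaml gives the database service account namespace-wide `get` on Secrets. A compromise of the self-signer or cleaner container would therefore expose unrelated Secrets that share the namespace. I would move `create` into its own rule, since it cannot be restricted by name, and add `resourceNames:` listing the certificate Secrets the chart generates to the `get`/`update`/`delete` rule. Those names are not all visible in this hunk, so they would have to come from the chart's helpers.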
@@ -0,0 +1,33 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "selfcerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "2"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "update", "delete"]
+ - apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ verbs: ["get"]
+ resourceNames:
+ - {{ template "cockroachdb.fullname" . }}
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["delete", "get"]
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/role.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/role.yaml
new file mode 100644
index 000000000..ebe5ce8ae
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/role.yaml
@@ -0,0 +1,23 @@ +{{- if .Values.tls.enabled }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: [""] + resources: ["secrets"] + {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }} + verbs: ["get"] + {{- else }} + verbs: ["create", "get"] + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding-certRotateSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding-certRotateSelfSigner.yaml new file mode 100644 index 000000000..c1a45f797 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding-certRotateSelfSigner.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "rotatecerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "rotatecerts.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "rotatecerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} 
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding-certSelfSigner.yaml new file mode 100644 index 000000000..5725d02a4 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding-certSelfSigner.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "selfcerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "selfcerts.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "selfcerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding.yaml new file mode 100644 index 000000000..00d9f9a55 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/rolebinding.yaml 
@@ -0,0 +1,23 @@ +{{- if .Values.tls.enabled }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "cockroachdb.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "cockroachdb.serviceAccount.name" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.backendconfig.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.backendconfig.yaml new file mode 100644 index 000000000..61103060a --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.backendconfig.yaml 
@@ -0,0 +1,25 @@ +{{- if .Values.iap.enabled }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}.iap + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if eq "" .Values.iap.clientId }} + {{ fail "iap.clientID can't be empty if iap.enabled is set to true" }} + {{- end }} + client_id: {{ .Values.iap.clientId | b64enc }} + {{- if eq "" .Values.iap.clientSecret }} + {{ fail "iap.clientSecret can't be empty if iap.enabled is set to true" }} + {{- end }} + client_secret: {{ .Values.iap.clientSecret | b64enc }} +{{- end }} \ No newline at end of file diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.logconfig.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.logconfig.yaml new file mode 100644 index 000000000..40b929ae7 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.logconfig.yaml @@ -0,0 +1,19 @@ +{{- if .Values.conf.log.enabled }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}-log-config + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +stringData: + log-config.yaml: | + {{- toYaml .Values.conf.log.config | nindent 4 }} +{{- end }} 
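Review bot: The first `fail` message in secret.backendconfig.yaml names `iap.clientID`, but the value the template reads is `.Values.iap.clientId`, so the error points the operator at a key that does not exist. The two `if eq "" … / fail` blocks can also be folded into the field itself with Helm's `required`, which covers an unset value as well as an empty string: `client_id: {{ required "iap.clientId can't be empty if iap.enabled is set to true" .Values.iap.clientId | b64enc }}`, and likewise for `client_secret`.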
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.registry.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.registry.yaml new file mode 100644 index 000000000..a054069fb --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/secret.registry.yaml @@ -0,0 +1,23 @@ +{{- range $name, $cred := dict "db" (.Values.image.credentials) "init-certs" (.Values.tls.selfSigner.image.credentials) }} +{{- if not (empty $cred) }} +{{- if or (and (eq $name "init-certs") $.Values.tls.enabled) (ne $name "init-certs") }} +--- +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" $ }}.{{ $name }}.registry + namespace: {{ $.Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" $ }} + app.kubernetes.io/name: {{ template "cockroachdb.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name | quote }} + app.kubernetes.io/managed-by: {{ $.Release.Service | quote }} + {{- with $.Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ printf `{"auths":{%s:{"auth":"%s"}}}` ($cred.registry | quote) (printf "%s:%s" $cred.username $cred.password | b64enc) | b64enc | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/secrets.init.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/secrets.init.yaml new file mode 100644 index 000000000..4d13a35ff --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/secrets.init.yaml 
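Review bot: The pull secret for the self-signer image is created here as `<fullname>.init-certs.registry` (the dict key is `"init-certs"`), but job.init.yaml in this commit lists `{{ template "cockroachdb.fullname" . }}.self-signed-certs.registry` under `imagePullSecrets`. Unless another template creates a Secret under that name, the init Job references one that does not exist and a pull from a private registry would fail. I would align the two names, e.g. `- name: {{ template "cockroachdb.fullname" . }}.init-certs.registry` in job.init.yaml. The conditions differ as well: this Secret is created whenever `tls.enabled` is set, while the Job adds the reference only when certs are neither provided nor managed by cert-manager.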
@@ -0,0 +1,20 @@ +{{- if .Values.init.provisioning.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "cockroachdb.fullname" . }}-init + namespace: {{ .Release.Namespace | quote }} +type: Opaque +stringData: + +{{- range $user := .Values.init.provisioning.users }} +{{- if $user.password }} + {{ $user.name }}-password: {{ $user.password | quote }} +{{- end }} +{{- end }} + +{{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }} + {{ $clusterSetting | replace "." "-" }}-cluster-setting: {{ $clusterSettingValue | quote }} +{{- end }} + +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/service.discovery.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/service.discovery.yaml new file mode 100644 index 000000000..8fe2a427a --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/service.discovery.yaml 
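Review bot: This template writes a `…-cluster-setting` key for every entry in `init.provisioning.clusterSettings`, but the env block in job.init.yaml defines the matching variable only under `{{- if $clusterSettingValue }}`, while the SQL there emits `SET CLUSTER SETTING` for every entry. A setting whose value is `false`, `0` or empty therefore has a Secret key but no environment variable, and the shell expands it to `''` in the statement. I would make the three loops agree, either by dropping the `if $clusterSettingValue` guard in the Job's env block or by applying the same guard here and around the `SET CLUSTER SETTING` line.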
@@ -0,0 +1,64 @@ +# This service only exists to create DNS entries for each pod in +# the StatefulSet such that they can resolve each other's IP addresses. +# It does not create a load-balanced ClusterIP and should not be used directly +# by clients in most circumstances. +kind: Service +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.service.discovery.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + # Use this annotation in addition to the actual field below because the + # annotation will stop being respected soon, but the field is broken in + # some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + # Enable automatic monitoring of all instances when Prometheus is running + # in the cluster. + {{- if .Values.prometheus.enabled }} + prometheus.io/scrape: "true" + prometheus.io/path: _status/vars + prometheus.io/port: {{ .Values.service.ports.http.port | quote }} + {{- end }} + {{- with .Values.service.discovery.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + clusterIP: None + # We want all Pods in the StatefulSet to have their addresses published for + # the sake of the other CockroachDB Pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + {{- $ports := .Values.service.ports }} + # The main port, served by gRPC, serves Postgres-flavor SQL, inter-node + # traffic and the CLI. 
+ - name: {{ $ports.grpc.external.name | quote }} + port: {{ $ports.grpc.external.port | int64 }} + targetPort: grpc + {{- if ne ($ports.grpc.internal.port | int64) ($ports.grpc.external.port | int64) }} + - name: {{ $ports.grpc.internal.name | quote }} + port: {{ $ports.grpc.internal.port | int64 }} + targetPort: grpc + {{- end }} + # The secondary port serves the UI as well as health and debug endpoints. + - name: {{ $ports.http.name | quote }} + port: {{ $ports.http.port | int64 }} + targetPort: http + selector: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/service.public.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/service.public.yaml new file mode 100644 index 000000000..251e9ab08 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/service.public.yaml 
@@ -0,0 +1,55 @@ +# This Service is meant to be used by clients of the database. +# It exposes a ClusterIP that will automatically load balance connections +# to the different database Pods. +kind: Service +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}-public + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.service.public.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.service.public.annotations .Values.tls.enabled .Values.iap.enabled }} + annotations: + {{- with .Values.service.public.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.tls.enabled }} + service.alpha.kubernetes.io/app-protocols: '{"http":"HTTPS"}' + {{- end }} + {{- if .Values.iap.enabled }} + beta.cloud.google.com/backend-config: '{"default": "{{ template "cockroachdb.fullname" . }}"}' + {{- end }} + {{- end }} +spec: + type: {{ .Values.service.public.type | quote }} + ports: + {{- $ports := .Values.service.ports }} + # The main port, served by gRPC, serves Postgres-flavor SQL, inter-node + # traffic and the CLI. + - name: {{ $ports.grpc.external.name | quote }} + port: {{ $ports.grpc.external.port | int64 }} + targetPort: grpc + {{- if ne ($ports.grpc.internal.port | int64) ($ports.grpc.external.port | int64) }} + - name: {{ $ports.grpc.internal.name | quote }} + port: {{ $ports.grpc.internal.port | int64 }} + targetPort: grpc + {{- end }} + # The secondary port serves the UI as well as health and debug endpoints. + - name: {{ $ports.http.name | quote }} + port: {{ $ports.http.port | int64 }} + targetPort: http + selector: + app.kubernetes.io/name: {{ template "cockroachdb.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceMonitor.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceMonitor.yaml new file mode 100644 index 000000000..42f2390b4 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceMonitor.yaml 
@@ -0,0 +1,54 @@
+{{- $serviceMonitor := .Values.serviceMonitor -}}
+{{- $ports := .Values.service.ports -}}
+{{- if $serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- if $serviceMonitor.labels }}
+ {{- toYaml $serviceMonitor.labels | nindent 4 }}
+ {{- end }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if $serviceMonitor.annotations }}
+ annotations:
+ {{- toYaml $serviceMonitor.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ {{- with .Values.service.discovery.labels }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ namespaceSelector:
+ {{- if $serviceMonitor.namespaced }}
+ matchNames:
+ - {{ .Release.Namespace }}
+ {{- else }}
+ any: true
+ {{- end }}
+ endpoints:
+ - port: {{ $ports.http.name | quote }}
+ path: /_status/vars
+ {{- if $serviceMonitor.interval }}
+ interval: {{ $serviceMonitor.interval }}
+ {{- end }}
+ {{- if $serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ $serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- if .Values.serviceMonitor.tlsConfig }}
+ tlsConfig: {{ toYaml .Values.serviceMonitor.tlsConfig | nindent 6 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount-certRotateSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount-certRotateSelfSigner.yaml
new file mode 100644
index 000000000..a27cba921
--- /dev/null
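Review bot: The endpoint entry renders `tlsConfig` but never a `scheme`, so with `tls.enabled` the scrape of `/_status/vars` is still attempted over plain HTTP, against a port that the StatefulSet probes in this same patch address as HTTPS. Adding `{{- if .Values.tls.enabled }}`, `scheme: https`, `{{- end }}` next to `path` would keep the ServiceMonitor consistent with the cluster's TLS mode. Separately, the `else` branch of `namespaceSelector` falls back to `any: true`, which matches Services carrying these labels in every namespace. Rendering `matchNames` with the release namespace unless the operator explicitly opts out is the narrower default.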
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount-certRotateSelfSigner.yaml
@@ -0,0 +1,22 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
+ {{ template "cockroachdb.tls.certs.selfSigner.validation" . }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ template "rotatecerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if .Values.tls.certs.selfSigner.svcAccountAnnotations }}
+ annotations:
+ {{- with .Values.tls.certs.selfSigner.svcAccountAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount-certSelfSigner.yaml
new file mode 100644
index 000000000..3ce2d63e9
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount-certSelfSigner.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
+ {{ template "cockroachdb.tls.certs.selfSigner.validation" . }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ template "selfcerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ {{- with .Values.tls.certs.selfSigner.svcAccountAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount.yaml
new file mode 100644
index 000000000..3af9be9aa
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/serviceaccount.yaml
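Review bot: The comment above the hook annotations says "the job is considered part of the release", but this template renders a ServiceAccount, so the wording looks carried over from a job template. I would reword it to `# These annotations make this ServiceAccount a pre-install/pre-upgrade hook; without them it would be managed as part of the release.` A second comment line should record that `hook-delete-policy: hook-succeeded,hook-failed` removes the account once the hook phase ends, so nothing long-lived should be bound to it.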
@@ -0,0 +1,21 @@
+{{- if .Values.statefulset.serviceAccount.create }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ template "cockroachdb.serviceAccount.name" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if .Values.statefulset.serviceAccount.annotations }}
+ annotations:
+ {{- with .Values.statefulset.serviceAccount.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/statefulset.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/statefulset.yaml
new file mode 100644
index 000000000..5be883940
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/statefulset.yaml
@@ -0,0 +1,563 @@ +{{ template "cockroachdb.conf.log.validation" . }} +{{ template "cockroachdb.conf.store.validation" . }} +kind: StatefulSet +apiVersion: {{ template "cockroachdb.statefulset.apiVersion" . }} +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "cockroachdb.fullname" . }} + replicas: {{ .Values.statefulset.replicas | int64 }} + updateStrategy: {{- toYaml .Values.statefulset.updateStrategy | nindent 4 }} + podManagementPolicy: {{ .Values.statefulset.podManagementPolicy | quote }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.statefulset.annotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }} + imagePullSecrets: + {{- if .Values.image.credentials }} + - name: {{ template "cockroachdb.fullname" . 
}}.db.registry + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }} + - name: {{ template "cockroachdb.fullname" . }}.self-signed-certs.registry + {{- end }} + {{- end }} + serviceAccountName: {{ template "cockroachdb.serviceAccount.name" . }} + {{- if .Values.tls.enabled }} + initContainers: + - name: copy-certs + image: {{ .Values.tls.copyCerts.image | quote }} + imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }} + command: + - /bin/sh + - -c + - "cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.statefulset.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + volumeMounts: + - name: certs + mountPath: /cockroach-certs/ + - name: certs-secret + mountPath: /certs/ + {{- with .Values.tls.copyCerts.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + {{- range $ic := .Values.statefulset.initContainers }} + - {{- toYaml $ic | nindent 10 }} + {{ with $.Values.statefulset.volumeMounts}} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if or .Values.statefulset.nodeAffinity .Values.statefulset.podAffinity .Values.statefulset.podAntiAffinity }} + affinity: + {{- with .Values.statefulset.nodeAffinity }} + nodeAffinity: {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.statefulset.podAffinity }} + podAffinity: {{- toYaml . 
| nindent 10 }} + {{- end }} + {{- if .Values.statefulset.podAntiAffinity }} + podAntiAffinity: + {{- if .Values.statefulset.podAntiAffinity.type }} + {{- if eq .Values.statefulset.podAntiAffinity.type "hard" }} + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.statefulset.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 18 }} + {{- end }} + {{- else if eq .Values.statefulset.podAntiAffinity.type "soft" }} + preferredDuringSchedulingIgnoredDuringExecution: + - weight: {{ .Values.statefulset.podAntiAffinity.weight | int64 }} + podAffinityTerm: + topologyKey: {{ .Values.statefulset.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 20 }} + {{- end }} + {{- end }} + {{- else }} + {{- toYaml .Values.statefulset.podAntiAffinity | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.Version }} + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.statefulset.topologySpreadConstraints }} + maxSkew: {{ .maxSkew }} + topologyKey: {{ .topologyKey }} + whenUnsatisfiable: {{ .whenUnsatisfiable }} + {{- end }} + {{- end }} + {{- with .Values.statefulset.nodeSelector }} + nodeSelector: {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- if .Values.statefulset.priorityClassName }} + priorityClassName: {{ .Values.statefulset.priorityClassName }} + {{- end }} + {{- with .Values.statefulset.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + # No pre-stop hook is required, a SIGTERM plus some time is all that's + # needed for graceful shutdown of a node. + terminationGracePeriodSeconds: {{ .Values.init.terminationGracePeriodSeconds }} + containers: + - name: db + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + args: + - shell + - -ecx + # The use of qualified `hostname -f` is crucial: + # Other nodes aren't able to look up the unqualified hostname. + # + # `--join` CLI flag is hardcoded to exactly 3 Pods, because: + # 1. Having `--join` value depending on `statefulset.replicas` + # will trigger undesired restart of existing Pods when + # StatefulSet is scaled up/down. We want to scale without + # restarting existing Pods. + # 2. At least one Pod in `--join` is enough to successfully + # join CockroachDB cluster and gossip with all other existing + # Pods, even if there are 3 or more Pods. + # 3. It's harmless for `--join` to have 3 Pods even for 1-Pod + # clusters, while it gives us opportunity to scale up even if + # some Pods of existing cluster are down (for whatever reason). + # See details explained here: + # https://github.com/helm/charts/pull/18993#issuecomment-558795102 + - >- + exec /cockroach/cockroach + {{- if index .Values.conf `single-node` }} + start-single-node + {{- else }} + start --join= + {{- if .Values.conf.join }} + {{- join `,` .Values.conf.join -}} + {{- else }} + {{- range $i, $_ := until 3 -}} + {{- if gt $i 0 -}},{{- end -}} + ${STATEFULSET_NAME}-{{ $i }}.${STATEFULSET_FQDN}:{{ $.Values.service.ports.grpc.internal.port | int64 -}} + {{- end -}} + {{- end }} + {{- with index .Values.conf `cluster-name` }} + --cluster-name={{ . 
}} + {{- if index $.Values.conf `disable-cluster-name-verification` }} + --disable-cluster-name-verification + {{- end }} + {{- end }} + {{- end }} + --advertise-host=$(hostname).${STATEFULSET_FQDN} + {{- if .Values.tls.enabled }} + --certs-dir=/cockroach/cockroach-certs/ + {{- else }} + --insecure + {{- end }} + {{- with .Values.conf.attrs }} + --attrs={{ join `:` . }} + {{- end }} + {{- if index .Values.conf `http-port` }} + --http-port={{ index .Values.conf `http-port` | int64 }} + {{- else }} + --http-port={{ index .Values.service.ports.http.port | int64 }} + {{- end }} + {{- if .Values.conf.port }} + --port={{ .Values.conf.port | int64 }} + {{- else }} + --port={{ .Values.service.ports.grpc.internal.port | int64 }} + {{- end }} + --cache={{ .Values.conf.cache }} + {{- with index .Values.conf `max-disk-temp-storage` }} + --max-disk-temp-storage={{ . }} + {{- end }} + {{- with index .Values.conf `max-offset` }} + --max-offset={{ . }} + {{- end }} + --max-sql-memory={{ index .Values.conf `max-sql-memory` }} + {{- with .Values.conf.locality }} + --locality={{ . }} + {{- end }} + {{- with index .Values.conf `sql-audit-dir` }} + --sql-audit-dir={{ . }} + {{- end }} + {{- if .Values.conf.store.enabled }} + {{- range $idx := until (int .Values.conf.store.count) }} + {{- $_ := set $ "Args" (dict "idx" $idx) }} + --store={{ include "cockroachdb.conf.store" $ }} + {{- end }} + {{- end }} + {{- with index .Values.conf `wal-failover` `value` }} + {{- template "cockroachdb.conf.wal-failover.validation" $ }} + --wal-failover={{ . }} + {{- end }} + {{- if .Values.conf.log.enabled }} + --log-config-file=/cockroach/log-config/log-config.yaml + {{- else }} + --logtostderr={{ .Values.conf.logtostderr }} + {{- end }} + {{- range .Values.statefulset.args }} + {{ . }} + {{- end }} + env: + - name: STATEFULSET_NAME + value: {{ template "cockroachdb.fullname" . }} + - name: STATEFULSET_FQDN + value: {{ template "cockroachdb.fullname" . 
}}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + - name: COCKROACH_CHANNEL + value: kubernetes-helm + {{- with .Values.statefulset.env }} + {{- toYaml . | nindent 12 }} + {{- end }} + ports: + - name: grpc + {{- if .Values.conf.port }} + containerPort: {{ .Values.conf.port | int64 }} + {{- else }} + containerPort: {{ .Values.service.ports.grpc.internal.port | int64 }} + {{- end }} + protocol: TCP + - name: http + {{- if index .Values.conf `http-port` }} + containerPort: {{ index .Values.conf `http-port` | int64 }} + {{- else }} + containerPort: {{ index .Values.service.ports.http.port | int64 }} + {{- end }} + protocol: TCP + volumeMounts: + {{- range $i := until (int .Values.conf.store.count) }} + {{- if eq $i 0 }} + - name: datadir + mountPath: /cockroach/{{ $.Values.conf.path }}/ + {{- else }} + - name: datadir-{{ add1 $i }} + mountPath: /cockroach/{{ $.Values.conf.path }}-{{ add1 $i }}/ + {{- end }} + {{- end }} + {{- with index .Values.conf `wal-failover` `persistentVolume` }} + {{- if .enabled }} + - name: failoverdir + mountPath: /cockroach/{{ .path }}/ + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /cockroach/cockroach-certs/ + {{- if .Values.tls.certs.provided }} + - name: certs-secret + mountPath: /cockroach/certs/ + {{- end }} + {{- end }} + {{- range .Values.statefulset.secretMounts }} + - name: {{ printf "secret-%s" . | quote }} + mountPath: {{ printf "/etc/cockroach/secrets/%s" . | quote }} + readOnly: true + {{- end }} + {{- if .Values.conf.log.enabled }} + - name: log-config + mountPath: /cockroach/log-config + readOnly: true + {{- end }} + {{- if .Values.conf.log.persistentVolume.enabled }} + - name: logsdir + mountPath: /cockroach/{{ .Values.conf.log.persistentVolume.path }}/ + {{- end }} + {{- with .Values.statefulset.volumeMounts }} + {{ toYaml . 
| nindent 12 }} + {{- end }} + {{- if .Values.statefulset.customStartupProbe }} + startupProbe: + {{ toYaml .Values.statefulset.customStartupProbe | nindent 12 }} + {{- end }} + livenessProbe: + {{- if .Values.statefulset.customLivenessProbe }} + {{ toYaml .Values.statefulset.customLivenessProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health + port: http + {{- if .Values.tls.enabled }} + scheme: HTTPS + {{- end }} + initialDelaySeconds: 30 + periodSeconds: 5 + {{- end }} + readinessProbe: + {{- if .Values.statefulset.customReadinessProbe }} + {{ toYaml .Values.statefulset.customReadinessProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health?ready=1 + port: http + {{- if .Values.tls.enabled }} + scheme: HTTPS + {{- end }} + initialDelaySeconds: 10 + periodSeconds: 5 + failureThreshold: 2 + {{- end }} + {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }} + {{- if .Values.statefulset.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + {{- end }} + {{- with .Values.statefulset.resources }} + resources: {{- toYaml . 
| nindent 12 }} + {{- end }} + volumes: + {{- range $i := until (int .Values.conf.store.count) }} + {{- if eq $i 0 }} + - name: datadir + {{- if $.Values.storage.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: datadir + {{- else if $.Values.storage.hostPath }} + hostPath: + path: {{ $.Values.storage.hostPath | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + - name: datadir-{{ add1 $i }} + {{- if $.Values.storage.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: datadir-{{ add1 $i }} + {{- else if $.Values.storage.hostPath }} + {{- $_ := set $ "Args" (dict "idx" $i) }} + hostPath: + path: {{ include "cockroachdb.storage.hostPath.computation" $ }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- end }} + {{- with index .Values.conf `wal-failover` }} + {{- if .value }} + - name: failoverdir + {{- if .persistentVolume.enabled }} + persistentVolumeClaim: + claimName: failoverdir + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.statefulset.volumes }} + {{ toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + - name: certs-secret + {{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + projected: + sources: + - secret: + {{- if .Values.tls.certs.selfSigner.enabled }} + name: {{ template "cockroachdb.fullname" . }}-node-secret + {{ else }} + name: {{ .Values.tls.certs.nodeSecret }} + {{ end -}} + items: + - key: ca.crt + path: ca.crt + mode: 256 + - key: tls.crt + path: node.crt + mode: 256 + - key: tls.key + path: node.key + mode: 256 + {{- else }} + secret: + secretName: {{ .Values.tls.certs.nodeSecret }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.statefulset.secretMounts }} + - name: {{ printf "secret-%s" . 
| quote }} + secret: + secretName: {{ . | quote }} + {{- end }} + {{- if .Values.conf.log.enabled }} + - name: log-config + secret: + secretName: {{ template "cockroachdb.fullname" . }}-log-config + {{- end }} + {{- if .Values.conf.log.enabled }} + - name: logsdir + {{- if .Values.conf.log.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: logsdir + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }} + {{- if and .Values.securityContext.enabled }} + securityContext: + seccompProfile: + type: "RuntimeDefault" + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + runAsNonRoot: true + {{- end }} + {{- end }} +{{- if or .Values.storage.persistentVolume.enabled (index .Values.conf `wal-failover` `persistentVolume` `enabled`) .Values.conf.log.persistentVolume.enabled }} + volumeClaimTemplates: + {{- if .Values.storage.persistentVolume.enabled }} + {{- range $i := until (int .Values.conf.store.count) }} + - metadata: + {{- if eq $i 0 }} + name: datadir + {{- else }} + name: datadir-{{ add1 $i }} + {{- end }} + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name | quote }} + {{- with $.Values.storage.persistentVolume.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with $.Values.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with $.Values.storage.persistentVolume.annotations }} + annotations: {{- toYaml . 
| nindent 10 }} + {{- end }} + spec: + accessModes: ["ReadWriteOnce"] + {{- if $.Values.storage.persistentVolume.storageClass }} + {{- if (eq "-" $.Values.storage.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: {{ $.Values.storage.persistentVolume.storageClass | quote}} + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $.Values.storage.persistentVolume.size | quote }} + {{- end }} + {{- end }} + {{- with index .Values.conf `wal-failover` }} + {{- if .persistentVolume.enabled }} + - metadata: + name: failoverdir + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name | quote }} + {{- with .persistentVolume.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with $.Values.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .persistentVolume.annotations }} + annotations: {{- toYaml . | nindent 10 }} + {{- end }} + spec: + accessModes: ["ReadWriteOnce"] + {{- with .persistentVolume.storageClass }} + {{- if eq "-" . }} + storageClassName: "" + {{- else }} + storageClassName: {{ . | quote}} + {{- end }} + {{- end }} + resources: + requests: + storage: {{ .persistentVolume.size | quote }} + {{- end }} + {{- end }} + {{- if .Values.conf.log.persistentVolume.enabled }} + - metadata: + name: logsdir + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.conf.log.persistentVolume.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.conf.log.persistentVolume.annotations }} + annotations: {{- toYaml . 
| nindent 10 }} + {{- end }} + spec: + accessModes: ["ReadWriteOnce"] + {{- if .Values.conf.log.persistentVolume.storageClass }} + {{- if (eq "-" .Values.conf.log.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: {{ .Values.conf.log.persistentVolume.storageClass | quote}} + {{- end }} + {{- end }} + resources: + requests: + storage: {{ .Values.conf.log.persistentVolume.size | quote }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/templates/tests/client.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/templates/tests/client.yaml new file mode 100644 index 000000000..8656b8ed6 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/templates/tests/client.yaml 
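Review bot: The `range` over `.Values.statefulset.initContainers` sits inside the `{{- if .Values.tls.enabled }}` block that opens `initContainers:`, so operator-supplied init containers are silently dropped whenever TLS is off. Any preparation step an operator relies on, including security-related setup, then never runs and nothing in the rendered manifest signals it. Opening the `initContainers:` key when either condition holds and guarding only `copy-certs` with the TLS check fixes this; the fence shows the restructured guards. The same loop appends a `volumeMounts:` key after each container's own YAML, which would duplicate the key for an entry that already defines one.

```yaml
      {{- if or .Values.tls.enabled .Values.statefulset.initContainers }}
      initContainers:
        {{- if .Values.tls.enabled }}
        - name: copy-certs
          # … unchanged: copy-certs image, command, env, securityContext, volumeMounts, resources …
        {{- end }}
        {{- range $ic := .Values.statefulset.initContainers }}
        # … unchanged: toYaml of $ic and the shared volumeMounts …
        {{- end }}
      {{- end }}
```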
@@ -0,0 +1,65 @@
+kind: Pod
+apiVersion: v1
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}-test
+ namespace: {{ .Release.Namespace | quote }}
+{{- if .Values.networkPolicy.enabled }}
+ labels:
+ {{ template "cockroachdb.fullname" . }}-client: "true"
+{{- end }}
+ annotations:
+ helm.sh/hook: test-success
+spec:
+ restartPolicy: Never
+{{- if .Values.image.credentials }}
+ imagePullSecrets:
+ - name: {{ template "cockroachdb.fullname" . }}.db.registry
+{{- end }}
+ {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
+ volumes:
+ - name: client-certs
+ {{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager }}
+ projected:
+ sources:
+ - secret:
+ name: {{ .Values.tls.certs.clientRootSecret }}
+ items:
+ - key: ca.crt
+ path: ca.crt
+ mode: 0400
+ - key: tls.crt
+ path: client.root.crt
+ mode: 0400
+ - key: tls.key
+ path: client.root.key
+ mode: 0400
+ {{- else }}
+ secret:
+ secretName: {{ .Values.tls.certs.clientRootSecret }}
+ defaultMode: 0400
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: client-test
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
+ volumeMounts:
+ - name: client-certs
+ mountPath: /cockroach-certs
+ {{- end }}
+ command:
+ - /cockroach/cockroach
+ - sql
+ {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
+ - --certs-dir
+ - /cockroach-certs
+ {{- else }}
+ - --insecure
+ {{- end}}
+ - --host
+ - {{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }}
+ - --port
+ - {{ .Values.service.ports.grpc.external.port | quote }}
+ - -e
+ - SHOW DATABASES;
diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/values.schema.json b/charts/cockroach-labs/cockroachdb/15.0.6/values.schema.json
new file mode 100644
index 000000000..b23c47974
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.6/values.schema.json
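Review bot: The client test picks between `--certs-dir` and `--insecure` from `tls.certs.provided` and `tls.certs.certManager` only, so a release with `tls.enabled` and `tls.certs.selfSigner.enabled` (a case `statefulset.yaml` handles) runs the test with `--insecure` against a TLS cluster. The three `if or …` guards should also cover the self-signer case and mount its client certificate secret, whose name is not visible in this hunk. `--insecure` should be reached only when `.Values.tls.enabled` is false. The test pod also sets no `securityContext`, unlike the `db` and `copy-certs` containers in the StatefulSet.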
@@ -0,0 +1,97 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "properties": { + "tls": { + "type": "object", + "properties": { + "certs": { + "type": "object", + "properties": { + "selfSigner": { + "type": "object", + "required": ["enabled", "caProvided"], + "properties": { + "enabled": { + "type": "boolean" + }, + "caProvided": { + "type": "boolean" + } + }, + "if": { + "properties": { + "enabled": { + "const": true + } + } + }, + "then": { + "if": { + "properties": { + "caProvided": { + "const": false + } + } + }, + "then": { + "properties": { + "caCertDuration" : { + "type": "string", + "pattern": "^[0-9]*h$" + }, + "caCertExpiryWindow": { + "type": "string", + "pattern": "^[0-9]*h$" + } + } + }, + "properties": { + "clientCertDuration": { + "type": "string", + "pattern": "^[0-9]*h$" + }, + "clientCertExpiryWindow": { + "type": "string", + "pattern": "^[0-9]*h$" + }, + "nodeCertDuration": { + "type": "string", + "pattern": "^[0-9]*h$" + }, + "nodeCertExpiryWindow": { + "type": "string", + "pattern": "^[0-9]*h$" + }, + "rotateCerts": { + "type": "boolean" + } + } + } + } + } + }, + "selfSigner": { + "type": "object", + "properties": { + "image": { + "type": "object", + "required": ["repository", "tag", "pullPolicy"], + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + }, + "pullPolicy": { + "type": "string", + "pattern": "^(Always|Never|IfNotPresent)$" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/charts/cockroach-labs/cockroachdb/15.0.6/values.yaml b/charts/cockroach-labs/cockroachdb/15.0.6/values.yaml new file mode 100644 index 000000000..17bf8cc63 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.6/values.yaml 
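Review bot: Every duration pattern here is `^[0-9]*h$`, which also accepts a bare `h` with no digits, so an empty certificate lifetime or expiry window passes schema validation and would surface only later, if at all, when the self-signer runs. Using `"pattern": "^[0-9]+h$"` on the six duration fields rejects that at install time. None of the duration properties is listed under `required` either, so a missing value is likewise accepted by the schema. If the self-signer has no defaults for them, they should be added to `required` inside the `then` branches.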
@@ -0,0 +1,713 @@ +# Generated file, DO NOT EDIT. Source: build/templates/values.yaml +# Overrides the chart name against the label "app.kubernetes.io/name: " placed on every resource this chart creates. +nameOverride: "" + +# Override the resource names created by this chart which originally is generated using release and chart name. +fullnameOverride: "" + +image: + repository: cockroachdb/cockroach + tag: v24.3.4 + pullPolicy: IfNotPresent + credentials: {} + # registry: docker.io + # username: john_doe + # password: changeme + + +# Additional labels to apply to all Kubernetes resources created by this chart. +labels: {} + # app.kubernetes.io/part-of: my-app + + +# Cluster's default DNS domain. +# You should overwrite it if you're using a different one, +# otherwise CockroachDB nodes discovery won't work. +clusterDomain: cluster.local + + +conf: + # An ordered list of CockroachDB node attributes. + # Attributes are arbitrary strings specifying machine capabilities. + # Machine capabilities might include specialized hardware or number of cores + # (e.g. "gpu", "x16c"). + attrs: [] + # - x16c + # - gpu + + # Total size in bytes for caches, shared evenly if there are multiple + # storage devices. Size suffixes are supported (e.g. `1GB` and `1GiB`). + # A percentage of physical memory can also be specified (e.g. `.25`). + cache: 25% + + # Sets a name to verify the identity of a cluster. + # The value must match between all nodes specified via `conf.join`. + # This can be used as an additional verification when either the node or + # cluster, or both, have not yet been initialized and do not yet know their + # cluster ID. + # To introduce a cluster name into an already-initialized cluster, pair this + # option with `conf.disable-cluster-name-verification: yes`. + cluster-name: "" + + # Tell the server to ignore `conf.cluster-name` mismatches. 
+ # This is meant for use when opting an existing cluster into starting to use + # cluster name verification, or when changing the cluster name. + # The cluster should be restarted once with `conf.cluster-name` and + # `conf.disable-cluster-name-verification: yes` combined, and once all nodes + # have been updated to know the new cluster name, the cluster can be restarted + # again with `conf.disable-cluster-name-verification: no`. + # This option has no effect if `conf.cluster-name` is not specified. + disable-cluster-name-verification: false + + # The addresses for connecting a CockroachDB nodes to an existing cluster. + # If you are deploying a second CockroachDB instance that should join a first + # one, use the below list to join to the existing instance. + # Each item in the array should be a FQDN (and port if needed) resolvable by + # new Pods. + join: [] + + # New logging configuration. + log: + enabled: false + # https://www.cockroachlabs.com/docs/v21.1/configure-logs + config: + # file-defaults: + # dir: /cockroach/cockroach-logs + # fluent-defaults: + # format: json-fluent + # sinks: + # stderr: + # channels: [DEV] + persistentVolume: + # If enabled, then a PersistentVolumeClaim will be created and + # used to store CockroachDB's logs. + enabled: false + # CockroachDB's logs volume mount path. This gets prepended with + # `/cockroach/` in the stateful set. The `conf.log.config` should have + # `file-defaults.dir` to specify the log path and should reference the + # mounted volume. + path: cockroach-logs + size: 10Gi + # If defined, then `storageClassName: `. + # If set to "-", then `storageClassName: ""`, which disables dynamic + # provisioning. + # If undefined or empty (default), then no `storageClassName` spec is + # set, so the default provisioner will be chosen (gp2 on AWS, standard + # on GKE, AWS & OpenStack). + storageClass: "" + # Additional labels to apply to the created PersistentVolumeClaims. 
+ labels: {} + # Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + + # Logs at or above this threshold to STDERR. Ignored when "log" is enabled + logtostderr: INFO + + # Maximum storage capacity available to store temporary disk-based data for + # SQL queries that exceed the memory budget (e.g. join, sorts, etc are + # sometimes able to spill intermediate results to disk). + # Accepts numbers interpreted as bytes, size suffixes (e.g. `32GB` and + # `32GiB`) or a percentage of disk size (e.g. `10%`). + # The location of the temporary files is within the first store dir. + # If expressed as a percentage, `max-disk-temp-storage` is interpreted + # relative to the size of the storage device on which the first store is + # placed. The temp space usage is never counted towards any store usage + # (although it does share the device with the first store) so, when + # configuring this, make sure that the size of this temp storage plus the size + # of the first store don't exceed the capacity of the storage device. + # If the first store is an in-memory one (i.e. `type=mem`), then this + # temporary "disk" data is also kept in-memory. + # A percentage value is interpreted as a percentage of the available internal + # memory. + # max-disk-temp-storage: 0GB + + # Maximum allowed clock offset for the cluster. If observed clock offsets + # exceed this limit, servers will crash to minimize the likelihood of + # reading inconsistent data. Increasing this value will increase the time + # to recovery of failures as well as the frequency of uncertainty-based + # read restarts. + # Note, that this value must be the same on all nodes in the cluster. + # In order to change it, all nodes in the cluster must be stopped + # simultaneously and restarted with the new value. 
+ # max-offset: 500ms + + # Maximum memory capacity available to store temporary data for SQL clients, + # including prepared queries and intermediate data rows during query + # execution. Accepts numbers interpreted as bytes, size suffixes + # (e.g. `1GB` and `1GiB`) or a percentage of physical memory (e.g. `.25`). + max-sql-memory: 25% + + # An ordered, comma-separated list of key-value pairs that describe the + # topography of the machine. Topography might include country, datacenter + # or rack designations. Data is automatically replicated to maximize + # diversities of each tier. The order of tiers is used to determine + # the priority of the diversity, so the more inclusive localities like + # country should come before less inclusive localities like datacenter. + # The tiers and order must be the same on all nodes. Including more tiers + # is better than including fewer. For example: + # locality: country=us,region=us-west,datacenter=us-west-1b,rack=12 + # locality: country=ca,region=ca-east,datacenter=ca-east-2,rack=4 + # locality: planet=earth,province=manitoba,colo=secondary,power=3 + locality: "" + + # Run CockroachDB instances in standalone mode with replication disabled + # (replication factor = 1). + # Enabling this option makes the following values to be ignored: + # - `conf.cluster-name` + # - `conf.disable-cluster-name-verification` + # - `conf.join` + # + # WARNING: Enabling this option makes each deployed Pod as a STANDALONE + # CockroachDB instance, so the StatefulSet does NOT FORM A CLUSTER. + # Don't use this option for production deployments unless you clearly + # understand what you're doing. + # Usually, this option is intended to be used in conjunction with + # `statefulset.replicas: 1` for temporary one-time deployments (like + # running E2E tests, for example). + single-node: false + + # If non-empty, create a SQL audit log in the specified directory. 
+ sql-audit-dir: "" + + # WARNING this parameter is deprecated and will be removed in a future version. Use `.service.ports.grpc.internal.port` instead + port: "" + + # WARNING this parameter is deprecated and will be removed in a future version. Use `.service.ports.http.port` instead + http-port: "" + + # CockroachDB's data mount path. + # For multi-store configuration, the path for each store is evaluated as: + # Store 1: cockroach-data + # Store 2: cockroach-data-2 + # Store N: cockroach-data-N + path: cockroach-data + + # CockroachDB's storage configuration https://www.cockroachlabs.com/docs/v21.1/cockroach-start.html#storage + # Uses --store flag + store: + enabled: false + # Number of data stores per node. + # For multi-store configuration, set this to a value greater than 1. + count: 1 + # Should be empty or 'mem' + type: + # Required for type=mem. If type and size is empty - storage.persistentVolume.size is used + size: + # Arbitrary strings, separated by colons, specifying disk type or capability + attrs: + + # CockroachDB's WAL failover configuration: + # https://www.cockroachlabs.com/docs/stable/cockroach-start#write-ahead-log-wal-failover + # Uses `--wal-failover` flag + wal-failover: + # The value to be passed to the `--wal-failover` flag. + # Possible configurations: + # 1. ``: If empty, `--wal-failover` is not passed to cockroach start. + # 2. `disabled`: Disables WAL failover. + # 3. `among-stores`: Enables WAL failover among multiple stores. This requires + # `conf.store.count` to be greater than 1. + # 4. `path=`: Enables WAL failover to a side disk. This requires + # a persistent volume should be mounted at this path (e.g. `path=/cockroach/cockroach-failover`). + value: + + persistentVolume: + # If enabled, then a PersistentVolumeClaim will be created and + # used for WAL failover as a side disk. 
+ # https://www.cockroachlabs.com/docs/v24.3/wal-failover#provision-a-single-store-cluster-and-side-disk-for-wal-failover + enabled: false + # Mount path for the side disk. This gets prepended with `/cockroach/` in the stateful set. + path: cockroach-failover + size: 25Gi + # If defined, then `storageClassName: `. + # If set to "-", then `storageClassName: ""`, which disables dynamic + # provisioning. + # If undefined or empty (default), then no `storageClassName` spec is + # set, so the default provisioner will be chosen (gp2 on AWS, standard + # on GKE, AWS & OpenStack). + storageClass: "" + # Additional labels to apply to the created PersistentVolumeClaims. + labels: {} + # Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + +statefulset: + replicas: 3 + updateStrategy: + type: RollingUpdate + podManagementPolicy: Parallel + budget: + maxUnavailable: 1 + + # List of additional command-line arguments you want to pass to the + # `cockroach start` command. + args: [] + # - --disable-cluster-name-verification + + # List of extra environment variables to pass into container + env: [] + # - name: COCKROACH_ENGINE_MAX_SYNC_DURATION + # value: "24h" + + # List of Secrets names in the same Namespace as the CockroachDB cluster, + # which shall be mounted into `/etc/cockroach/secrets/` for every cluster + # member. + secretMounts: [] + + # Additional labels to apply to this StatefulSet and all its Pods. + labels: + app.kubernetes.io/component: cockroachdb + + # Additional annotations to apply to the Pods of this StatefulSet. + annotations: {} + + # Affinity rules for scheduling Pods of this StatefulSet on Nodes. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity + nodeAffinity: {} + # Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. 
+ # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity + podAffinity: {} + # Anti-affinity rules for scheduling Pods of this StatefulSet. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity + # You may either toggle options below for default anti-affinity rules, + # or specify the whole set of anti-affinity rules instead of them. + podAntiAffinity: + # The topologyKey to be used. + # Can be used to spread across different nodes, AZs, regions etc. + topologyKey: kubernetes.io/hostname + # Type of anti-affinity rules: either `soft`, `hard` or empty value (which + # disables anti-affinity rules). + type: soft + # Weight for `soft` anti-affinity rules. + # Does not apply for other anti-affinity types. + weight: 100 + + # Node selection constraints for scheduling Pods of this StatefulSet. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + nodeSelector: {} + + # PriorityClassName given to Pods of this StatefulSet + # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + # Taints to be tolerated by Pods of this StatefulSet. + # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + + # https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + + # Uncomment the following resources definitions or pass them from + # command line to control the CPU and memory resources allocated + # by Pods of this StatefulSet. + resources: {} + # limits: + # cpu: 100m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 512Mi + + # terminationGracePeriodSeconds is the duration in seconds the Pod needs to terminate gracefully. 
+ terminationGracePeriodSeconds: 300 + + # Custom Liveness probe + # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request + customLivenessProbe: {} + # httpGet: + # path: /health + # port: http + # scheme: HTTPS + # initialDelaySeconds: 30 + # periodSeconds: 5 + + # Custom Rediness probe + # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes + customReadinessProbe: {} + # httpGet: + # path: /health + # port: http + # scheme: HTTPS + # initialDelaySeconds: 30 + # periodSeconds: 5 + + # Custom Startup Probe + # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes + customStartupProbe: {} + # httpGet: + # path: /health + # port: http + # scheme: HTTPS + # initialDelaySeconds: 30 + # periodSeconds: 5 + + securityContext: + enabled: true + + serviceAccount: + # Specifies whether this ServiceAccount should be created. + create: true + # The name of this ServiceAccount to use. + # If not set and `create` is `true`, then service account is auto-generated. + # If not set and `create` is `false`, then it uses default service account. + name: "" + # Additional serviceAccount annotations (e.g. for attaching AWS IAM roles to pods) + annotations: {} + + # initContainers allows you to add additional containers to cockroachdb statefulset. + initContainers: [] +# - name: "fetch-metadata" +# image: "badouralix/curl-jq" +# command: +# - "sh" +# - "-c" +# - "curl -s -H \"Metadata:true\" --noproxy \"*\" \"http://169.254.169.254/metadata/instance?api-version=2021-02-01\" | jq '.' 
> /metadata/instance_metadata.json" +# resources: {} +# # requests: +# # cpu: "10m" +# # memory: "128Mi" +# # limits: +# # cpu: "10m" +# # memory: "128Mi" +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# privileged: false +# readOnlyRootFilesystem: true + + # volumeMounts are mounted on the same path in the main crdb container and all init containers. + volumeMounts: [] +# - name: metadata +# mountPath: /metadata + + # volumes allows you to add additional volumes to cockroachdb statefulset. + volumes: [] +# - name: metadata +# emptyDir: {} + +service: + ports: + # You can set a different external and internal gRPC ports and their name. + grpc: + external: + port: 26257 + name: grpc + # If the port number is different than `external.port`, then it will be + # named as `internal.name` in Service. + internal: + # CockroachDB's port to listen to inter-communications and client connections. + port: 26257 + # If using Istio set it to `cockroach`. + name: grpc-internal + http: + # CockroachDB's port to listen to HTTP requests. + port: 8080 + name: http + + # This Service is meant to be used by clients of the database. + # It exposes a ClusterIP that will automatically load balance connections + # to the different database Pods. + public: + type: ClusterIP + # Additional labels to apply to this Service. + labels: + app.kubernetes.io/component: cockroachdb + # Additional annotations to apply to this Service. + annotations: {} + + # This service only exists to create DNS entries for each pod in + # the StatefulSet such that they can resolve each other's IP addresses. + # It does not create a load-balanced ClusterIP and should not be used directly + # by clients in most circumstances. + discovery: + # Additional labels to apply to this Service. + labels: + app.kubernetes.io/component: cockroachdb + # Additional annotations to apply to this Service. + annotations: {} + +# CockroachDB's ingress for web ui. 
+ingress: + enabled: false + labels: {} + annotations: {} + # kubernetes.io/ingress.class: nginx + # cert-manager.io/cluster-issuer: letsencrypt + paths: [/] + hosts: [] + # - cockroachlabs.com + tls: [] + # - hosts: [cockroachlabs.com] + # secretName: cockroachlabs-tls + +prometheus: + enabled: true + +securityContext: + enabled: true + +# CockroachDB's Prometheus operator ServiceMonitor support +serviceMonitor: + enabled: false + labels: {} + annotations: {} + interval: 10s + # scrapeTimeout: 10s + # Limits the ServiceMonitor to the current namespace if set to `true`. + namespaced: false + + # tlsConfig: TLS configuration to use when scraping the endpoint. + # Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig + tlsConfig: {} + +# CockroachDB's data persistence. +# If neither `persistentVolume` nor `hostPath` is used, then data will be +# persisted in ad-hoc `emptyDir`. +storage: + # Absolute path on host to store CockroachDB's data. + # If not specified, then `emptyDir` will be used instead. + # If specified, but `persistentVolume.enabled` is `true`, then has no effect. + hostPath: "" + + # If `enabled` is `true` then a PersistentVolumeClaim will be created and + # used to store CockroachDB's data, otherwise `hostPath` is used. + persistentVolume: + enabled: true + + size: 100Gi + + # If defined, then `storageClassName: `. + # If set to "-", then `storageClassName: ""`, which disables dynamic + # provisioning. + # If undefined or empty (default), then no `storageClassName` spec is set, + # so the default provisioner will be chosen (gp2 on AWS, standard on + # GKE, AWS & OpenStack). + storageClass: "" + + # Additional labels to apply to the created PersistentVolumeClaims. + labels: {} + # Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + + +# Kubernetes Job which initializes multi-node CockroachDB cluster. +# It's not created if `statefulset.replicas` is `1`. 
+init: + # Additional labels to apply to this Job and its Pod. + labels: + app.kubernetes.io/component: init + + # Additional annotations to apply to this Job. + jobAnnotations: {} + + # Additional annotations to apply to the Pod of this Job. + annotations: {} + + # Affinity rules for scheduling the Pod of this Job. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity + affinity: {} + + # Node selection constraints for scheduling the Pod of this Job. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + nodeSelector: {} + + # Taints to be tolerated by the Pod of this Job. + # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + + # The init Pod runs at cluster creation to initialize CockroachDB. It finishes + # quickly and doesn't continue to consume resources in the Kubernetes + # cluster. Normally, you should leave this section commented out, but if your + # Kubernetes cluster uses Resource Quotas and requires all pods to specify + # resource requests or limits, you can set those here. + resources: {} + # requests: + # cpu: "10m" + # memory: "128Mi" + # limits: + # cpu: "10m" + # memory: "128Mi" + + # terminationGracePeriodSeconds is the duration in seconds the Pod needs to terminate gracefully. + terminationGracePeriodSeconds: 300 + + securityContext: + enabled: true + + # Setup Physical Cluster Replication (PCR) between primary and standby cluster. + # If isPrimary is set to true, the CockroachDB cluster created is the primary cluster. + # If isPrimary is set to false, the CockroachDB cluster created is the standby cluster. 
+ pcr: + enabled: false + # isPrimary: true + + provisioning: + enabled: false + # https://www.cockroachlabs.com/docs/stable/cluster-settings.html + clusterSettings: + # cluster.organization: "'FooCorp - Local Testing'" + # enterprise.license: "'xxxxx'" + users: [] + # - name: + # password: + # # https://www.cockroachlabs.com/docs/stable/create-user.html#parameters + # options: [LOGIN] + databases: [] + # - name: + # # https://www.cockroachlabs.com/docs/stable/create-database.html#parameters + # options: [encoding='utf-8'] + # owners: [] + # # https://www.cockroachlabs.com/docs/stable/grant.html#parameters + # owners_with_grant_option: [] + # # Backup schedules are not idemponent for now and will fail on next run + # # https://github.com/cockroachdb/cockroach/issues/57892 + # backup: + # into: s3:// + # # Enterprise-only option (revision_history) + # # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#backup-options + # options: [revision_history] + # recurring: '@always' + # # Enterprise-only feature. Remove this value to use `FULL BACKUP ALWAYS` + # fullBackup: '@daily' + # schedule: + # # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#schedule-options + # options: [first_run = 'now'] + + +# Whether to run securely using TLS certificates. +tls: + enabled: true + copyCerts: + image: busybox + certs: + # Bring your own certs scenario. If provided, tls.init section will be ignored. + provided: false + # Secret name for the client root cert. + clientRootSecret: cockroachdb-root + # Secret name for node cert. + nodeSecret: cockroachdb-node + # Secret name for CA cert + caSecret: cockroach-ca + # Enable if the secret is a dedicated TLS. + # TLS secrets are created by cert-mananger, for example. 
+ tlsSecret: false + # Enable if the you want cockroach db to create its own certificates + selfSigner: + # If set, the cockroach db will generate its own certificates + enabled: true + # Run selfSigner as non-root + securityContext: + enabled: true + # If set, the user should provide the CA certificate to sign other certificates. + caProvided: false + # It holds the name of the secret with caCerts. If caProvided is set, this can not be empty. + caSecret: "" + # Minimum Certificate duration for all the certificates, all certs duration will be validated against this. + minimumCertDuration: 624h + # Duration of CA certificates in hour + caCertDuration: 43800h + # Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated. + caCertExpiryWindow: 648h + # Duration of Client certificates in hour + clientCertDuration: 672h + # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated. + clientCertExpiryWindow: 48h + # Duration of node certificates in hour + nodeCertDuration: 8760h + # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. + nodeCertExpiryWindow: 168h + # If set, the cockroachdb cert selfSigner will rotate the certificates before expiry. + rotateCerts: true + # Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true + readinessWait: 30s + # Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true + podUpdateTimeout: 2m + # ServiceAccount annotations for selfSigner jobs (e.g. for attaching AWS IAM roles to pods) + svcAccountAnnotations: {} + + # Use cert-manager to issue certificates for mTLS. + certManager: false + # Specify an Issuer or a ClusterIssuer to use, when issuing + # node and client certificates. 
The values correspond to the + # issuerRef specified in the certificate. + certManagerIssuer: + group: cert-manager.io + kind: Issuer + name: cockroachdb + # Make it false when you are providing your own CA issuer + isSelfSignedIssuer: true + # Duration of CA certificates in hour + caCertDuration: 43800h + # Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated. + caCertExpiryWindow: 648h + # Duration of Client certificates in hours + clientCertDuration: 672h + # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated. + clientCertExpiryWindow: 48h + # Duration of node certificates in hours + nodeCertDuration: 8760h + # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. + nodeCertExpiryWindow: 168h + + selfSigner: + # Additional labels to apply to the Pod of this Job. + labels: {} + + # Additional annotations to apply to the Pod of this Job. + annotations: {} + + # Affinity rules for scheduling the Pod of this Job. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity + affinity: {} + + # Node selection constraints for scheduling the Pod of this Job. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + nodeSelector: {} + + # Taints to be tolerated by the Pod of this Job. + # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + + # Image Placeholder for the selfSigner utility. This will be changed once the CI workflows for the image is in place. + image: + repository: cockroachlabs-helm-charts/cockroach-self-signer-cert + tag: "1.5" + pullPolicy: IfNotPresent + credentials: {} + registry: gcr.io + # username: john_doe + # password: changeme + +networkPolicy: + enabled: false + + ingress: + # List of sources which should be able to access the CockroachDB Pods via + # gRPC port. 
Items in this list are combined using a logical OR operation. + # Rules for allowing inter-communication are applied automatically. + # If empty, then connections from any Pod is allowed. + grpc: [] + # - podSelector: + # matchLabels: + # app.kubernetes.io/name: my-app-django + # app.kubernetes.io/instance: my-app + + # List of sources which should be able to access the CockroachDB Pods via + # HTTP port. Items in this list are combined using a logical OR operation. + # If empty, then connections from any Pod is allowed. + http: [] + # - namespaceSelector: + # matchLabels: + # project: my-project + +# To put the admin interface behind Identity Aware Proxy (IAP) on Google Cloud Platform +# make sure to set ingress.paths: ['/*'] +iap: + enabled: false + # Create Google Cloud OAuth credentials and set client id and secret + # clientId: + # clientSecret: diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/.helmignore b/charts/intel/intel-device-plugins-operator/0.32.0/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/intel/intel-device-plugins-operator/0.32.0/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/Chart.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/Chart.yaml new file mode 100644 index 000000000..79f56a937 --- /dev/null +++ b/charts/intel/intel-device-plugins-operator/0.32.0/Chart.yaml 
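Review bot: `tls.copyCerts.image: busybox` carries no tag or digest, so the image is resolved as `latest` from whatever default registry the node uses, and judging by its name this container handles the TLS certificates and keys. Pin it, for example `image: busybox:<tag>@sha256:<digest>` with values you have verified. The self-signer image (`tag: "1.5"`, described in its own comment as a placeholder) would benefit from a digest as well, since it issues the cluster's certificates. The file header says this file is generated from `build/templates/values.yaml`, so the change belongs there rather than in this copy.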
@@ -0,0 +1,13 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Intel Device Plugins Operator
+ catalog.cattle.io/kube-version: '>=1.19-0'
+ catalog.cattle.io/release-name: intel-device-plugins-operator
+apiVersion: v2
+appVersion: 0.32.0
+description: A Helm chart for Intel Device Plugins Operator for Kubernetes
+icon: file://assets/icons/intel-device-plugins-operator.png
+kubeVersion: '>=1.19-0'
+name: intel-device-plugins-operator
+type: application
+version: 0.32.0
diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/LICENSE b/charts/intel/intel-device-plugins-operator/0.32.0/LICENSE
new file mode 100644
index 000000000..9aa5290eb
--- /dev/null
+++ b/charts/intel/intel-device-plugins-operator/0.32.0/LICENSE
@@ -0,0 +1,14 @@
+Copyright 2023 Intel Corporation
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/README.md b/charts/intel/intel-device-plugins-operator/0.32.0/README.md
new file mode 100644
index 000000000..0fae0970e
--- /dev/null
+++ b/charts/intel/intel-device-plugins-operator/0.32.0/README.md
@@ -0,0 +1,60 @@ +# Intel Device Plugins Operator Helm Chart + +[Intel Device Plugins for Kubernetes](https://github.com/intel/intel-device-plugins-for-kubernetes) Helm charts for installing the operator. Operator installation is manadtory after which each device plugin can be installed via its own Helm chart. +## Prerequisites +- [cert-manager](https://cert-manager.io/docs/installation/helm) +- [Node Feature Discovery NFD](https://kubernetes-sigs.github.io/node-feature-discovery/master/get-started/deployment-and-usage.html) [optional] + +## Get Helm Repository Info +``` +helm repo add intel https://intel.github.io/helm-charts/ +helm repo update +``` + +You can execute `helm search repo intel` command to see pulled charts [optional]. + +## Install Helm Chart +CRDs of the device plugin operator are installed as part of the chart. + +``` +helm install device-plugin-operator intel/intel-device-plugins-operator [flags] +``` + +## Upgrade Chart +``` +helm upgrade device-plugin-operator intel/intel-device-plugins-operator [flags] +``` +CRDs are not upgraded. + +## Uninstall Chart +``` +helm uninstall device-plugin-operator +``` +CRDs are not uninstalled. + +## Configuration +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments: + +```console +helm show values intel/intel-device-plugins-operator +``` + +You may also run `helm show values` on this chart's dependencies for additional options. + +|parameter| value | +|---------|-----------| +| `manager.image.hub` | `intel` | +| `manager.image.tag` | `` | +| `manager.devices` | `` | +| `privateRegistry.registryUrl` | `` | +| `privateRegistry.registryUser` | `` | +| `privateRegistry.registrySecret` | `` | +| `pullPolicy` | `IfNotPresent` | + +Defining `manager.devices` with a name-bool dictionary allows enabling only certain devices. 
The following will enable only fpga and gpu devices: +``` +manager: + devices: + fpga: true + gpu: true +``` diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_dlbdeviceplugins.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_dlbdeviceplugins.yaml new file mode 100644 index 000000000..bfd11bfde --- /dev/null +++ b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_dlbdeviceplugins.yaml 
@@ -0,0 +1,190 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: dlbdeviceplugins.deviceplugin.intel.com +spec: + group: deviceplugin.intel.com + names: + kind: DlbDevicePlugin + listKind: DlbDevicePluginList + plural: dlbdeviceplugins + singular: dlbdeviceplugin + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.desiredNumberScheduled + name: Desired + type: integer + - jsonPath: .status.numberReady + name: Ready + type: integer + - jsonPath: .spec.nodeSelector + name: Node Selector + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + DlbDevicePlugin is the Schema for the dlbdeviceplugins API. It represents + the DLB device plugin responsible for advertising Intel DLB hardware resources to + the kubelet. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DlbDevicePluginSpec defines the desired state of DlbDevicePlugin. + properties: + image: + description: Image is a container image with DLB device plugin executable. + type: string + initImage: + description: InitImage is a container image with a script that initializes + devices. 
+ type: string + logLevel: + description: LogLevel sets the plugin's log level. + minimum: 0 + type: integer + nodeSelector: + additionalProperties: + type: string + description: NodeSelector provides a simple way to constrain device + plugin pods to nodes with particular labels. + type: object + tolerations: + description: Specialized nodes (e.g., with accelerators) can be Tainted + to make sure unwanted pods are not scheduled on them. Tolerations + can be set for the plugin pod to neutralize the Taint. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array + type: object + status: + description: DlbDevicePluginStatus defines the observed state of DlbDevicePlugin. + properties: + controlledDaemonSet: + description: ControlledDaemoSet references the DaemonSet controlled + by the operator. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + desiredNumberScheduled: + description: |- + The total number of nodes that should be running the device plugin + pod (including nodes correctly running the device plugin pod). + format: int32 + type: integer + nodeNames: + description: The list of Node names where the device plugin pods are + running. + items: + type: string + type: array + numberReady: + description: |- + The number of nodes that should be running the device plugin pod and have one + or more of the device plugin pod running and ready. + format: int32 + type: integer + required: + - desiredNumberScheduled + - numberReady + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_dsadeviceplugins.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_dsadeviceplugins.yaml new file mode 100644 index 000000000..f964961fa --- /dev/null +++ b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_dsadeviceplugins.yaml 
@@ -0,0 +1,200 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: dsadeviceplugins.deviceplugin.intel.com +spec: + group: deviceplugin.intel.com + names: + kind: DsaDevicePlugin + listKind: DsaDevicePluginList + plural: dsadeviceplugins + singular: dsadeviceplugin + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.desiredNumberScheduled + name: Desired + type: integer + - jsonPath: .status.numberReady + name: Ready + type: integer + - jsonPath: .spec.nodeSelector + name: Node Selector + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + DsaDevicePlugin is the Schema for the dsadeviceplugins API. It represents + the DSA device plugin responsible for advertising Intel DSA hardware resources to + the kubelet. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DsaDevicePluginSpec defines the desired state of DsaDevicePlugin. + properties: + image: + description: Image is a container image with DSA device plugin executable. 
+ type: string + initImage: + description: InitImage is an initcontainer image to configure and + enable DSA devices and workqueues with idxd-config (accel-config) + utility + type: string + logLevel: + description: LogLevel sets the plugin's log level. + minimum: 0 + type: integer + nodeSelector: + additionalProperties: + type: string + description: NodeSelector provides a simple way to constrain device + plugin pods to nodes with particular labels. + type: object + provisioningConfig: + description: ProvisioningConfig is a ConfigMap used to pass the DSA + devices and workqueues configuration into idxd-config initcontainer. + type: string + sharedDevNum: + description: SharedDevNum is a number of containers that can share + the same DSA device. + minimum: 1 + type: integer + tolerations: + description: Specialized nodes (e.g., with accelerators) can be Tainted + to make sure unwanted pods are not scheduled on them. Tolerations + can be set for the plugin pod to neutralize the Taint. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + status: + description: DsaDevicePluginStatus defines the observed state of DsaDevicePlugin. + properties: + controlledDaemonSet: + description: ControlledDaemoSet references the DaemonSet controlled + by the operator. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + desiredNumberScheduled: + description: |- + The total number of nodes that should be running the device plugin + pod (including nodes correctly running the device plugin pod). + format: int32 + type: integer + nodeNames: + description: The list of Node names where the device plugin pods are + running. + items: + type: string + type: array + numberReady: + description: |- + The number of nodes that should be running the device plugin pod and have one + or more of the device plugin pod running and ready. + format: int32 + type: integer + required: + - desiredNumberScheduled + - numberReady + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_fpgadeviceplugins.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_fpgadeviceplugins.yaml new file mode 100644 index 000000000..b4e6a99f2 --- /dev/null +++ b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_fpgadeviceplugins.yaml 
@@ -0,0 +1,197 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: fpgadeviceplugins.deviceplugin.intel.com +spec: + group: deviceplugin.intel.com + names: + kind: FpgaDevicePlugin + listKind: FpgaDevicePluginList + plural: fpgadeviceplugins + singular: fpgadeviceplugin + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.desiredNumberScheduled + name: Desired + type: integer + - jsonPath: .status.numberReady + name: Ready + type: integer + - jsonPath: .spec.nodeSelector + name: Node Selector + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + FpgaDevicePlugin is the Schema for the fpgadeviceplugins API. It represents + the FPGA device plugin responsible for advertising Intel FPGA hardware resources to + the kubelet. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FpgaDevicePluginSpec defines the desired state of FpgaDevicePlugin. + properties: + image: + description: Image is a container image with FPGA device plugin executable. 
+ type: string + initImage: + description: InitImage is a container image with tools used to initialize + the host before starting FPGA workloads on it. + type: string + logLevel: + description: LogLevel sets the plugin's log level. + minimum: 0 + type: integer + mode: + description: Mode is a mode of the plugin's operation. + enum: + - af + - region + - regiondevel + type: string + nodeSelector: + additionalProperties: + type: string + description: NodeSelector provides a simple way to constrain device + plugin pods to nodes with particular labels. + type: object + tolerations: + description: Specialized nodes (e.g., with accelerators) can be Tainted + to make sure unwanted pods are not scheduled on them. Tolerations + can be set for the plugin pod to neutralize the Taint. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). 
Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + status: + description: FpgaDevicePluginStatus defines the observed state of FpgaDevicePlugin. + properties: + controlledDaemonSet: + description: ControlledDaemoSet references the DaemonSet controlled + by the operator. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + desiredNumberScheduled: + description: |- + The total number of nodes that should be running the device plugin + pod (including nodes correctly running the device plugin pod). + format: int32 + type: integer + nodeNames: + description: The list of Node names where the device plugin pods are + running. + items: + type: string + type: array + numberReady: + description: |- + The number of nodes that should be running the device plugin pod and have one + or more of the device plugin pod running and ready. + format: int32 + type: integer + required: + - desiredNumberScheduled + - numberReady + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_gpudeviceplugins.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_gpudeviceplugins.yaml new file mode 100644 index 000000000..4dd89c0f1 --- /dev/null +++ b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_gpudeviceplugins.yaml 
@@ -0,0 +1,214 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: gpudeviceplugins.deviceplugin.intel.com +spec: + group: deviceplugin.intel.com + names: + kind: GpuDevicePlugin + listKind: GpuDevicePluginList + plural: gpudeviceplugins + singular: gpudeviceplugin + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.desiredNumberScheduled + name: Desired + type: integer + - jsonPath: .status.numberReady + name: Ready + type: integer + - jsonPath: .spec.nodeSelector + name: Node Selector + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + GpuDevicePlugin is the Schema for the gpudeviceplugins API. It represents + the GPU device plugin responsible for advertising Intel GPU hardware resources to + the kubelet. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GpuDevicePluginSpec defines the desired state of GpuDevicePlugin. + properties: + enableMonitoring: + description: |- + EnableMonitoring enables the monitoring resource ('i915_monitoring') + which gives access to all GPU devices on given node. Typically used with Intel XPU-Manager. 
+ type: boolean + image: + description: Image is a container image with GPU device plugin executable. + type: string + initImage: + description: InitImage is a container image with tools (e.g., GPU + NFD source hook) installed on each node. + type: string + logLevel: + description: LogLevel sets the plugin's log level. + minimum: 0 + type: integer + nodeSelector: + additionalProperties: + type: string + description: NodeSelector provides a simple way to constrain device + plugin pods to nodes with particular labels. + type: object + preferredAllocationPolicy: + description: |- + PreferredAllocationPolicy sets the mode of allocating GPU devices on a node. + See documentation for detailed description of the policies. Only valid when SharedDevNum > 1 is set. + Not applicable with ResourceManager. + enum: + - balanced + - packed + - none + type: string + resourceManager: + description: ResourceManager handles the fractional resource management + for multi-GPU nodes. Enable only for clusters with GPU Aware Scheduling. + type: boolean + sharedDevNum: + description: SharedDevNum is a number of containers that can share + the same GPU device. + minimum: 1 + type: integer + tolerations: + description: Specialized nodes (e.g., with accelerators) can be Tainted + to make sure unwanted pods are not scheduled on them. Tolerations + can be set for the plugin pod to neutralize the Taint. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
+ type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + status: + description: GpuDevicePluginStatus defines the observed state of GpuDevicePlugin. + properties: + controlledDaemonSet: + description: ControlledDaemoSet references the DaemonSet controlled + by the operator. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + desiredNumberScheduled: + description: |- + The total number of nodes that should be running the device plugin + pod (including nodes correctly running the device plugin pod). + format: int32 + type: integer + nodeNames: + description: The list of Node names where the device plugin pods are + running. + items: + type: string + type: array + numberReady: + description: |- + The number of nodes that should be running the device plugin pod and have one + or more of the device plugin pod running and ready. + format: int32 + type: integer + required: + - desiredNumberScheduled + - numberReady + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_iaadeviceplugins.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_iaadeviceplugins.yaml new file mode 100644 index 000000000..beb5c64a7 --- /dev/null +++ b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_iaadeviceplugins.yaml 
@@ -0,0 +1,199 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: iaadeviceplugins.deviceplugin.intel.com +spec: + group: deviceplugin.intel.com + names: + kind: IaaDevicePlugin + listKind: IaaDevicePluginList + plural: iaadeviceplugins + singular: iaadeviceplugin + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.desiredNumberScheduled + name: Desired + type: integer + - jsonPath: .status.numberReady + name: Ready + type: integer + - jsonPath: .spec.nodeSelector + name: Node Selector + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + IaaDevicePlugin is the Schema for the iaadeviceplugins API. It represents + the IAA device plugin responsible for advertising Intel IAA hardware resources to + the kubelet. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IaaDevicePluginSpec defines the desired state of IaaDevicePlugin. + properties: + image: + description: Image is a container image with IAA device plugin executable. 
+ type: string + initImage: + description: InitImage is an initcontainer image to configure and + enable IAA devices and workqueues with accel-config utility + type: string + logLevel: + description: LogLevel sets the plugin's log level. + minimum: 0 + type: integer + nodeSelector: + additionalProperties: + type: string + description: NodeSelector provides a simple way to constrain device + plugin pods to nodes with particular labels. + type: object + provisioningConfig: + description: ProvisioningConfig is a ConfigMap used to pass the IAA + configuration into idxd initcontainer. + type: string + sharedDevNum: + description: SharedDevNum is a number of containers that can share + the same IAA device. + minimum: 1 + type: integer + tolerations: + description: Specialized nodes (e.g., with accelerators) can be Tainted + to make sure unwanted pods are not scheduled on them. Tolerations + can be set for the plugin pod to neutralize the Taint. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + status: + description: IaaDevicePluginStatus defines the observed state of IaaDevicePlugin. + properties: + controlledDaemonSet: + description: ControlledDaemoSet references the DaemonSet controlled + by the operator. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + desiredNumberScheduled: + description: |- + The total number of nodes that should be running the device plugin + pod (including nodes correctly running the device plugin pod). + format: int32 + type: integer + nodeNames: + description: The list of Node names where the device plugin pods are + running. + items: + type: string + type: array + numberReady: + description: |- + The number of nodes that should be running the device plugin pod and have one + or more of the device plugin pod running and ready. + format: int32 + type: integer + required: + - desiredNumberScheduled + - numberReady + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_qatdeviceplugins.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_qatdeviceplugins.yaml new file mode 100644 index 000000000..a9cb80dc7 --- /dev/null +++ b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_qatdeviceplugins.yaml 
@@ -0,0 +1,230 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: qatdeviceplugins.deviceplugin.intel.com +spec: + group: deviceplugin.intel.com + names: + kind: QatDevicePlugin + listKind: QatDevicePluginList + plural: qatdeviceplugins + singular: qatdeviceplugin + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.desiredNumberScheduled + name: Desired + type: integer + - jsonPath: .status.numberReady + name: Ready + type: integer + - jsonPath: .spec.nodeSelector + name: Node Selector + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + QatDevicePlugin is the Schema for the qatdeviceplugins API. It represents the QAT device + plugin responsible for advertising Intel QuickAssist Technology hardware resources + to the kubelet. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: QatDevicePluginSpec defines the desired state of QatDevicePlugin. + properties: + dpdkDriver: + description: DpdkDriver is a DPDK device driver for configuring the + QAT device. 
+ enum: + - igb_uio + - vfio-pci + type: string + image: + description: Image is a container image with QAT device plugin executable. + type: string + initImage: + description: InitImage is a container image with a script that initialize + devices. + type: string + kernelVfDrivers: + description: KernelVfDrivers is a list of VF device drivers for the + QuickAssist devices in the system. + items: + description: KernelVfDriver is a VF device driver for QuickAssist + devices. + enum: + - dh895xccvf + - c6xxvf + - c3xxxvf + - d15xxvf + - 4xxxvf + - 420xxvf + - c4xxxvf + type: string + type: array + logLevel: + description: LogLevel sets the plugin's log level. + minimum: 0 + type: integer + maxNumDevices: + description: MaxNumDevices is a maximum number of QAT devices to be + provided to the QuickAssist device plugin + minimum: 1 + type: integer + nodeSelector: + additionalProperties: + type: string + description: NodeSelector provides a simple way to constrain device + plugin pods to nodes with particular labels. + type: object + preferredAllocationPolicy: + description: |- + PreferredAllocationPolicy sets the mode of allocating QAT devices on a node. + See documentation for detailed description of the policies. + enum: + - balanced + - packed + type: string + provisioningConfig: + description: ProvisioningConfig is a ConfigMap used to pass the configuration + of QAT devices into qat initcontainer. + type: string + tolerations: + description: Specialized nodes (e.g., with accelerators) can be Tainted + to make sure unwanted pods are not scheduled on them. Tolerations + can be set for the plugin pod to neutralize the Taint. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 
+ type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + status: + description: QatDevicePluginStatus defines the observed state of QatDevicePlugin. + properties: + controlledDaemonSet: + description: ControlledDaemoSet references the DaemonSet controlled + by the operator. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). 
This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + desiredNumberScheduled: + description: |- + The total number of nodes that should be running the device plugin + pod (including nodes correctly running the device plugin pod). + format: int32 + type: integer + nodeNames: + description: The list of Node names where the device plugin pods are + running. + items: + type: string + type: array + numberReady: + description: |- + The number of nodes that should be running the device plugin pod and have one + or more of the device plugin pod running and ready. + format: int32 + type: integer + required: + - desiredNumberScheduled + - numberReady + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_sgxdeviceplugins.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_sgxdeviceplugins.yaml
new file mode 100644
index 000000000..33823b089
--- /dev/null
+++ b/charts/intel/intel-device-plugins-operator/0.32.0/crds/deviceplugin.intel.com_sgxdeviceplugins.yaml
@@ -0,0 +1,201 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: sgxdeviceplugins.deviceplugin.intel.com +spec: + group: deviceplugin.intel.com + names: + kind: SgxDevicePlugin + listKind: SgxDevicePluginList + plural: sgxdeviceplugins + singular: sgxdeviceplugin + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.desiredNumberScheduled + name: Desired + type: integer + - jsonPath: .status.numberReady + name: Ready + type: integer + - jsonPath: .spec.nodeSelector + name: Node Selector + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + SgxDevicePlugin is the Schema for the sgxdeviceplugins API. It represents + the SGX device plugin responsible for advertising SGX device nodes to + the kubelet. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SgxDevicePluginSpec defines the desired state of SgxDevicePlugin. + properties: + enclaveLimit: + description: EnclaveLimit is a number of containers that can share + the same SGX enclave device. + minimum: 1 + type: integer + image: + description: Image is a container image with SGX device plugin executable. 
+ type: string + initImage: + description: |- + InitImage is a container image with tools (i.e., SGX NFD source hook) installed on each node. + Recommendation is to leave this unset and prefer the SGX NodeFeatureRule instead. + type: string + logLevel: + description: LogLevel sets the plugin's log level. + minimum: 0 + type: integer + nodeSelector: + additionalProperties: + type: string + description: NodeSelector provides a simple way to constrain device + plugin pods to nodes with particular labels. + type: object + provisionLimit: + description: ProvisionLimit is a number of containers that can share + the same SGX provision device. + minimum: 1 + type: integer + tolerations: + description: Specialized nodes (e.g., with accelerators) can be Tainted + to make sure unwanted pods are not scheduled on them. Tolerations + can be set for the plugin pod to neutralize the Taint. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + status: + description: SgxDevicePluginStatus defines the observed state of SgxDevicePlugin. + properties: + controlledDaemonSet: + description: ControlledDaemoSet references the DaemonSet controlled + by the operator. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + desiredNumberScheduled: + description: |- + The total number of nodes that should be running the device plugin + pod (including nodes correctly running the device plugin pod). + format: int32 + type: integer + nodeNames: + description: The list of Node names where the device plugin pods are + running. + items: + type: string + type: array + numberReady: + description: |- + The number of nodes that should be running the device plugin pod and have one + or more of the device plugin pod running and ready. + format: int32 + type: integer + required: + - desiredNumberScheduled + - numberReady + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/crds/fpga.intel.com_acceleratorfunctions.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/crds/fpga.intel.com_acceleratorfunctions.yaml new file mode 100644 index 000000000..b0bca116c --- /dev/null +++ b/charts/intel/intel-device-plugins-operator/0.32.0/crds/fpga.intel.com_acceleratorfunctions.yaml 
@@ -0,0 +1,68 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: acceleratorfunctions.fpga.intel.com +spec: + group: fpga.intel.com + names: + kind: AcceleratorFunction + listKind: AcceleratorFunctionList + plural: acceleratorfunctions + shortNames: + - af + singular: acceleratorfunction + scope: Namespaced + versions: + - name: v2 + schema: + openAPIV3Schema: + description: |- + AcceleratorFunction is a specification for an Accelerator Function resource + provided by a FPGA-based programmable hardware accelerator. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AcceleratorFunctionSpec contains actual specs for AcceleratorFunction. + properties: + afuId: + pattern: ^[0-9a-f]{8,40}$ + type: string + interfaceId: + pattern: ^[0-9a-f]{8,32}$ + type: string + mode: + pattern: ^af|region$ + type: string + required: + - afuId + - interfaceId + - mode + type: object + status: + description: AcceleratorFunctionStatus is an empty object used to satisfy + operator-sdk. + type: object + required: + - spec + type: object + served: true + storage: true 
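Review bot: The `mode` pattern in the AcceleratorFunction spec, `^af|region$`, does not restrict the field to the two intended values. Alternation binds more loosely than the anchors, so it accepts any string that starts with `af` or ends with `region`. The neighbouring `afuId` and `interfaceId` patterns are fully anchored, so this looks unintended. Grouping the alternatives as `pattern: ^(af|region)$`, or using an `enum` of `af` and `region`, would make the API server reject other values at admission. The file carries a controller-gen annotation, so the fix presumably belongs in the upstream type marker rather than in this vendored copy.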
diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/crds/fpga.intel.com_fpgaregions.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/crds/fpga.intel.com_fpgaregions.yaml new file mode 100644 index 000000000..061863672 --- /dev/null +++ b/charts/intel/intel-device-plugins-operator/0.32.0/crds/fpga.intel.com_fpgaregions.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: fpgaregions.fpga.intel.com +spec: + group: fpga.intel.com + names: + kind: FpgaRegion + listKind: FpgaRegionList + plural: fpgaregions + shortNames: + - fpga + singular: fpgaregion + scope: Namespaced + versions: + - name: v2 + schema: + openAPIV3Schema: + description: |- + FpgaRegion is a specification for a FPGA region resource which can be programmed + with a bitstream. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FpgaRegionSpec contains actual specs for FpgaRegion. + properties: + interfaceId: + pattern: ^[0-9a-f]{8,32}$ + type: string + required: + - interfaceId + type: object + status: + description: FpgaRegionStatus is an empty object used to satisfy operator-sdk. + type: object + required: + - spec + type: object + served: true + storage: true 
diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/templates/NOTES.txt b/charts/intel/intel-device-plugins-operator/0.32.0/templates/NOTES.txt
new file mode 100644
index 000000000..7b8b5d604
--- /dev/null
+++ b/charts/intel/intel-device-plugins-operator/0.32.0/templates/NOTES.txt
@@ -0,0 +1,6 @@
+Thank you for installing {{ .Chart.Name }}.
+
+The next step would be to install the device (plugin) specific chart.
+
+Friendly note about CRDs. Make sure to manually update CRDs if
+they have changed. CRDs are not updated with helm by default.
diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/templates/operator.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/templates/operator.yaml
new file mode 100644
index 000000000..0dfb3f8fb
--- /dev/null
+++ b/charts/intel/intel-device-plugins-operator/0.32.0/templates/operator.yaml
@@ -0,0 +1,731 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: inteldeviceplugins-leader-election-role + namespace: {{ .Release.Namespace | quote }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: inteldeviceplugins-gpu-manager-role +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: inteldeviceplugins-manager-role +rules: +- apiGroups: + - "" + resources: + - nodes/proxy + verbs: + - get + - list +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - delete + - get + - list + - watch +- apiGroups: + - apps + resources: + - daemonsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - coordination.k8s.io + resourceNames: + - d1c7b6d5.intel.com + resources: + - leases + verbs: + - get + - update +- apiGroups: + - deviceplugin.intel.com + resources: + - dlbdeviceplugins + - dsadeviceplugins + - fpgadeviceplugins + - gpudeviceplugins + - iaadeviceplugins + - qatdeviceplugins + - sgxdeviceplugins + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - deviceplugin.intel.com + resources: + - dlbdeviceplugins/finalizers + - dsadeviceplugins/finalizers + - fpgadeviceplugins/finalizers + - gpudeviceplugins/finalizers + - iaadeviceplugins/finalizers + - 
qatdeviceplugins/finalizers + - sgxdeviceplugins/finalizers + verbs: + - update +- apiGroups: + - deviceplugin.intel.com + resources: + - dlbdeviceplugins/status + - dsadeviceplugins/status + - fpgadeviceplugins/status + - gpudeviceplugins/status + - iaadeviceplugins/status + - qatdeviceplugins/status + - sgxdeviceplugins/status + verbs: + - get + - patch + - update +- apiGroups: + - fpga.intel.com + resources: + - acceleratorfunctions + - fpgaregions + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + verbs: + - create + - delete + - get + - list + - watch +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: inteldeviceplugins-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: inteldeviceplugins-auth-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: inteldeviceplugins-leader-election-rolebinding + namespace: {{ .Release.Namespace | quote }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: inteldeviceplugins-leader-election-role +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace | quote }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: inteldeviceplugins-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: inteldeviceplugins-manager-role +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace | quote }} +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: inteldeviceplugins-auth-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: inteldeviceplugins-auth-role +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace | quote }} +--- +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + name: inteldeviceplugins-controller-manager-metrics-service + namespace: {{ .Release.Namespace | quote }} +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager +--- +apiVersion: v1 +kind: Service +metadata: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + control-plane: controller-manager +--- +{{- if .Values.privateRegistry.registrySecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-operator-private-registry +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.privateRegistry.registryUrl (printf "%s:%s" .Values.privateRegistry.registryUser .Values.privateRegistry.registrySecret | b64enc) | b64enc }} +{{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + control-plane: controller-manager + name: inteldeviceplugins-controller-manager + namespace: {{ .Release.Namespace | quote }} +spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + template: + metadata: + labels: + control-plane: controller-manager + spec: + {{- if .Values.privateRegistry.registrySecret }} + imagePullSecrets: + - name: {{ .Release.Name }}-operator-private-registry + {{- end }} + containers: + - args: + - "--metrics-bind-address=:8443" + - "--metrics-secure" + - "--health-probe-bind-address=:8081" + - "--leader-elect" + {{- if .Values.manager.devices }} + {{- range $key, $value := 
.Values.manager.devices }} + {{- if $value }} + - "--devices={{- $key }}" + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.controllerExtraArgs }} + {{- with .Values.controllerExtraArgs }} + {{- tpl . $ | trim | nindent 8 }} + {{- end }} + {{- end }} + env: + - name: DEVICEPLUGIN_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: "{{ .Values.manager.image.hub }}/intel-deviceplugin-operator:{{ .Values.manager.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.manager.image.pullPolicy }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + {{- toYaml .Values.resources | nindent 10 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }} + serviceAccountName: default + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert + tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: inteldeviceplugins-serving-cert + namespace: {{ .Release.Namespace | quote }} +spec: + dnsNames: + - inteldeviceplugins-webhook-service.{{ .Release.Namespace }}.svc + - inteldeviceplugins-webhook-service.{{ .Release.Namespace }}.svc.cluster.local + issuerRef: + kind: Issuer + name: inteldeviceplugins-selfsigned-issuer + secretName: webhook-server-cert +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: 
inteldeviceplugins-selfsigned-issuer + namespace: {{ .Release.Namespace | quote }} +spec: + selfSigned: {} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/inteldeviceplugins-serving-cert + name: inteldeviceplugins-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /mutate-deviceplugin-intel-com-v1-dlbdeviceplugin + failurePolicy: Fail + name: mdlbdeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - dlbdeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /mutate-deviceplugin-intel-com-v1-dsadeviceplugin + failurePolicy: Fail + name: mdsadeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - dsadeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /mutate-deviceplugin-intel-com-v1-fpgadeviceplugin + failurePolicy: Fail + name: mfpgadeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - fpgadeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /mutate-deviceplugin-intel-com-v1-gpudeviceplugin + failurePolicy: Fail + name: mgpudeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + 
operations: + - CREATE + - UPDATE + resources: + - gpudeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /mutate-deviceplugin-intel-com-v1-iaadeviceplugin + failurePolicy: Fail + name: miaadeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - iaadeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /mutate-deviceplugin-intel-com-v1-qatdeviceplugin + failurePolicy: Fail + name: mqatdeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - qatdeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /mutate-deviceplugin-intel-com-v1-sgxdeviceplugin + failurePolicy: Fail + name: msgxdeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - sgxdeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /pods + failurePolicy: Ignore + name: fpga.mutator.webhooks.intel.com + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /mutate--v1-pod + failurePolicy: Ignore + name: sgx.mutator.webhooks.intel.com + reinvocationPolicy: IfNeeded + rules: + - 
apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/inteldeviceplugins-serving-cert + name: inteldeviceplugins-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /validate-deviceplugin-intel-com-v1-dlbdeviceplugin + failurePolicy: Fail + name: vdlbdeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - dlbdeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /validate-deviceplugin-intel-com-v1-dsadeviceplugin + failurePolicy: Fail + name: vdsadeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - dsadeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /validate-deviceplugin-intel-com-v1-fpgadeviceplugin + failurePolicy: Fail + name: vfpgadeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - fpgadeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /validate-deviceplugin-intel-com-v1-gpudeviceplugin + failurePolicy: Fail + name: vgpudeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + 
- v1 + operations: + - CREATE + - UPDATE + resources: + - gpudeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /validate-deviceplugin-intel-com-v1-iaadeviceplugin + failurePolicy: Fail + name: viaadeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - iaadeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /validate-deviceplugin-intel-com-v1-qatdeviceplugin + failurePolicy: Fail + name: vqatdeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - qatdeviceplugins + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: inteldeviceplugins-webhook-service + namespace: {{ .Release.Namespace | quote }} + path: /validate-deviceplugin-intel-com-v1-sgxdeviceplugin + failurePolicy: Fail + name: vsgxdeviceplugin.kb.io + rules: + - apiGroups: + - deviceplugin.intel.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - sgxdeviceplugins + sideEffects: None diff --git a/charts/intel/intel-device-plugins-operator/0.32.0/values.yaml b/charts/intel/intel-device-plugins-operator/0.32.0/values.yaml new file mode 100644 index 000000000..0cd35585f --- /dev/null +++ b/charts/intel/intel-device-plugins-operator/0.32.0/values.yaml 
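Review bot: The Deployment sets `serviceAccountName: default`, and the leader-election RoleBinding, `inteldeviceplugins-manager-rolebinding` and `inteldeviceplugins-auth-rolebinding` all name the release namespace's `default` ServiceAccount as their subject. Any other pod in that namespace that does not set its own service account therefore runs with the manager ClusterRole as well, which grants create/delete on `clusterrolebindings`, `get` on `nodes/proxy`, cluster-wide DaemonSet writes and `use` of the `privileged` SCC. A dedicated ServiceAccount referenced by the pod spec and the three bindings would confine those rights to the operator. The name in the sketch below is a constructed example, not one taken from the chart.

```yaml
# constructed name; align with the chart's naming scheme
apiVersion: v1
kind: ServiceAccount
metadata:
  name: inteldeviceplugins-controller-manager
  namespace: {{ .Release.Namespace | quote }}
---
# … unchanged: Role and ClusterRole rules …
# subjects block of the leader-election RoleBinding and of both ClusterRoleBindings:
subjects:
- kind: ServiceAccount
  name: inteldeviceplugins-controller-manager
  namespace: {{ .Release.Namespace | quote }}
# … unchanged: Services, registry Secret, Deployment up to the pod spec …
      serviceAccountName: inteldeviceplugins-controller-manager
```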
@@ -0,0 +1,33 @@
+nodeSelector:
+ kubernetes.io/arch: amd64
+
+manager:
+ image:
+ hub: intel
+ tag: ""
+ pullPolicy: IfNotPresent
+
+ # supported devices by the operator
+ devices:
+ # dlb: true
+ # dsa: true
+ # fpga: true
+ # gpu: true
+ # iaa: true
+ # qat: true
+ # sgx: true
+
+privateRegistry:
+ registryUrl: ""
+ registryUser: ""
+ registrySecret: ""
+
+resources:
+ limits:
+ cpu: 100m
+ memory: 120Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+
+tolerations: []
diff --git a/charts/intel/intel-device-plugins-qat/0.32.0/.helmignore b/charts/intel/intel-device-plugins-qat/0.32.0/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/charts/intel/intel-device-plugins-qat/0.32.0/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/intel/intel-device-plugins-qat/0.32.0/Chart.yaml b/charts/intel/intel-device-plugins-qat/0.32.0/Chart.yaml
new file mode 100644
index 000000000..619ac5357
--- /dev/null
+++ b/charts/intel/intel-device-plugins-qat/0.32.0/Chart.yaml
@@ -0,0 +1,13 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Intel QAT Device Plugin
+ catalog.cattle.io/kube-version: '>=1.19-0'
+ catalog.cattle.io/release-name: intel-device-plugins-qat
+apiVersion: v2
+appVersion: 0.32.0
+description: A Helm chart for Intel QAT Device Plugin
+icon: file://assets/icons/intel-device-plugins-qat.png
+kubeVersion: '>=1.19-0'
+name: intel-device-plugins-qat
+type: application
+version: 0.32.0
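Review bot: The `privateRegistry` block in the operator's values.yaml takes a registry password as an ordinary chart value and has no comment saying what happens to it. templates/operator.yaml base64-encodes `registryUser:registrySecret` into a `kubernetes.io/dockerconfigjson` Secret, and Helm also keeps supplied values in the release record, so a comment is warranted, e.g. `# registrySecret: registry password or token; rendered into an image pull Secret - pass it from a protected values file rather than --set`. The file also omits `controllerExtraArgs`, which operator.yaml reads and passes through `tpl`. A commented-out entry noting that its content is evaluated as a template would make the option discoverable.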
diff --git a/charts/intel/intel-device-plugins-qat/0.32.0/LICENSE b/charts/intel/intel-device-plugins-qat/0.32.0/LICENSE
new file mode 100644
index 000000000..9aa5290eb
--- /dev/null
+++ b/charts/intel/intel-device-plugins-qat/0.32.0/LICENSE
@@ -0,0 +1,14 @@
+Copyright 2023 Intel Corporation
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/charts/intel/intel-device-plugins-qat/0.32.0/README.md b/charts/intel/intel-device-plugins-qat/0.32.0/README.md
new file mode 100644
index 000000000..04b0b5232
--- /dev/null
+++ b/charts/intel/intel-device-plugins-qat/0.32.0/README.md
@@ -0,0 +1,50 @@
+# Intel QAT Device Plugin Helm Chart
+
+## Get Helm Repository Info
+```
+helm repo add intel https://intel.github.io/helm-charts/
+helm repo update
+```
+
+You can execute `helm search repo intel` command to see pulled charts [optional].
+
+## Dependencies
+
+QAT Device Plugin depends on Node Feature Discovery (NFD). See NFD's Helm install page [here](https://kubernetes-sigs.github.io/node-feature-discovery/v0.12/deployment/helm.html?highlight=helm#deployment). If you do not want to use NFD in you cluster, you'll need to change the nodeSelector in the [values](values.yaml) file to match nodes with QAT device.
+
+## Install Helm Chart
+```
+helm install qat-device-plugin intel/intel-device-plugins-qat [flags]
+```
+
+## Upgrade Chart
+```
+helm upgrade qat-device-plugin intel/intel-device-plugins-qat [flags]
+```
+
+## Uninstall Chart
+```
+helm uninstall qat-device-plugin
+```
+
+## Configuration
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments:
+
+```console
+helm show values intel/intel-device-plugins-qat
+```
+
+You may also run `helm show values` on this chart's dependencies for additional options.
+
+|parameter| value |
+|---------|-----------|
+| `image.hub` | `intel` |
+| `image.tag` | `` |
+| `initImage.hub` | `intel` |
+| `initImage.tag` | `` |
+| `dpdkDriver` | `vfio-pci` |
+| `kernelVfDrivers` | `4xxxvf`, `420xxvf` |
+| `maxNumDevices` | `128` |
+| `logLevel` | `4` |
+| `nodeFeatureRule` | `true` |
+| `tolerations` | `` |
diff --git a/charts/intel/intel-device-plugins-qat/0.32.0/questions.yaml b/charts/intel/intel-device-plugins-qat/0.32.0/questions.yaml
new file mode 100644
index 000000000..74461ffa8
--- /dev/null
+++ b/charts/intel/intel-device-plugins-qat/0.32.0/questions.yaml
@@ -0,0 +1,6 @@
+questions:
+- variable: nodeFeatureRule
+ default: false
+ type: boolean
+ label: Enable Node Feature Discovery feature labels
+ description: "When Node Feature Discovery (NFD) is deployed, enable QAT node labeling using NFD feature rules."
diff --git a/charts/intel/intel-device-plugins-qat/0.32.0/templates/NOTES.txt b/charts/intel/intel-device-plugins-qat/0.32.0/templates/NOTES.txt
new file mode 100644
index 000000000..c5615c64c
--- /dev/null
+++ b/charts/intel/intel-device-plugins-qat/0.32.0/templates/NOTES.txt
@@ -0,0 +1 @@
+Thank you for installing {{ .Chart.Name }}.
diff --git a/charts/intel/intel-device-plugins-qat/0.32.0/templates/qat.yaml b/charts/intel/intel-device-plugins-qat/0.32.0/templates/qat.yaml
new file mode 100644
index 000000000..b569f3d28
--- /dev/null
+++ b/charts/intel/intel-device-plugins-qat/0.32.0/templates/qat.yaml
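Review bot: `default: false` for `nodeFeatureRule` in the QAT questions.yaml disagrees with `nodeFeatureRule: true` in the same chart's values.yaml and with the README table. The default `nodeSelector` requires the `intel.feature.node.kubernetes.io/qat: 'true'` label that the NodeFeatureRule in templates/qat.yaml applies, so an install that takes the questions.yaml default would presumably leave the plugin with no matching nodes unless the label is provided another way. Either change this to `default: true` or extend the description to say that the node label must then be set by other means. The SGX chart's questions.yaml and values.yaml show the same mismatch.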
@@ -0,0 +1,53 @@
+{{- /*
+based on
+deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml
+*/}}
+
+apiVersion: deviceplugin.intel.com/v1
+kind: QatDevicePlugin
+metadata:
+ name: {{ .Values.name }}
+ annotations: {{ toYaml .Values.annotations | nindent 4 }}
+spec:
+ image: "{{ .Values.image.hub }}/intel-qat-plugin:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ initImage: "{{ .Values.initImage.hub }}/intel-qat-initcontainer:{{ .Values.initImage.tag | default .Chart.AppVersion }}"
+ dpdkDriver: {{ .Values.dpdkDriver }}
+ kernelVfDrivers:
+ {{- range .Values.kernelVfDrivers }}
+ - {{ . }}
+ {{- end }}
+ maxNumDevices: {{ .Values.maxNumDevices }}
+ logLevel: {{ .Values.logLevel }}
+ nodeSelector: {{ .Values.nodeSelector | toYaml | nindent 4 }}
+ tolerations: {{- .Values.tolerations | toYaml | nindent 4 }}
+
+---
+{{ if eq .Values.nodeFeatureRule true }}
+apiVersion: nfd.k8s-sigs.io/v1alpha1
+kind: NodeFeatureRule
+metadata:
+ name: intel-dp-qat-device
+spec:
+ rules:
+ - name: "intel.qat"
+ labels:
+ "intel.feature.node.kubernetes.io/qat": "true"
+ matchFeatures:
+ - feature: pci.device
+ matchExpressions:
+ vendor: {op: In, value: ["8086"]}
+ device: {op: In, value: ["37c8", "4940", "4942", "4944", "4946"]}
+ class: {op: In, value: ["0b40"]}
+ - feature: kernel.loadedmodule
+ matchExpressions:
+ intel_qat: {op: Exists}
+ matchAny:
+ - matchFeatures:
+ - feature: kernel.loadedmodule
+ matchExpressions:
+ vfio_pci: {op: Exists}
+ - matchFeatures:
+ - feature: kernel.enabledmodule
+ matchExpressions:
+ vfio-pci: {op: Exists}
+{{ end }}
diff --git a/charts/intel/intel-device-plugins-qat/0.32.0/values.yaml b/charts/intel/intel-device-plugins-qat/0.32.0/values.yaml
new file mode 100644
index 000000000..98ca374e4
--- /dev/null
+++ b/charts/intel/intel-device-plugins-qat/0.32.0/values.yaml
@@ -0,0 +1,23 @@
+name: qatdeviceplugin-sample
+
+image:
+ hub: intel
+ tag: ""
+
+initImage:
+ hub: intel
+ tag: ""
+
+dpdkDriver: vfio-pci
+kernelVfDrivers:
+ - 4xxxvf
+ - 420xxvf
+maxNumDevices: 128
+logLevel: 4
+
+nodeSelector:
+ intel.feature.node.kubernetes.io/qat: 'true'
+
+tolerations:
+
+nodeFeatureRule: true
diff --git a/charts/intel/intel-device-plugins-sgx/0.32.0/.helmignore b/charts/intel/intel-device-plugins-sgx/0.32.0/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/charts/intel/intel-device-plugins-sgx/0.32.0/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/intel/intel-device-plugins-sgx/0.32.0/Chart.yaml b/charts/intel/intel-device-plugins-sgx/0.32.0/Chart.yaml
new file mode 100644
index 000000000..caa52fce1
--- /dev/null
+++ b/charts/intel/intel-device-plugins-sgx/0.32.0/Chart.yaml
@@ -0,0 +1,13 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Intel SGX Device Plugin
+ catalog.cattle.io/kube-version: '>=1.19-0'
+ catalog.cattle.io/release-name: intel-device-plugins-sgx
+apiVersion: v2
+appVersion: 0.32.0
+description: A Helm chart for Intel SGX Device Plugin
+icon: file://assets/icons/intel-device-plugins-sgx.png
+kubeVersion: '>=1.19-0'
+name: intel-device-plugins-sgx
+type: application
+version: 0.32.0
diff --git a/charts/intel/intel-device-plugins-sgx/0.32.0/LICENSE b/charts/intel/intel-device-plugins-sgx/0.32.0/LICENSE
new file mode 100644
index 000000000..9aa5290eb
--- /dev/null
+++ b/charts/intel/intel-device-plugins-sgx/0.32.0/LICENSE
@@ -0,0 +1,14 @@
+Copyright 2023 Intel Corporation
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/charts/intel/intel-device-plugins-sgx/0.32.0/README.md b/charts/intel/intel-device-plugins-sgx/0.32.0/README.md
new file mode 100644
index 000000000..0cbd391ac
--- /dev/null
+++ b/charts/intel/intel-device-plugins-sgx/0.32.0/README.md
@@ -0,0 +1,40 @@
+# Intel SGX Device Plugin Helm Chart
+
+## Get Helm Repository Info
+```
+helm repo add intel https://intel.github.io/helm-charts/
+helm repo update
+```
+
+You can execute `helm search repo intel` command to see pulled charts [optional].
+
+## Install Helm Chart
+```
+helm install sgx-device-plugin intel/intel-device-plugins-sgx [flags]
+```
+## Upgrade Chart
+```
+helm upgrade sgx-device-plugin intel/intel-device-plugins-sgx [flags]
+```
+
+## Uninstall Chart
+```
+helm uninstall sgx-device-plugin
+```
+
+## Configuration
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments:
+
+```console
+helm show values intel/intel-device-plugins-sgx
+```
+
+You may also run `helm show values` on this chart's dependencies for additional options.
+
+|parameter| value |
+|---------|-----------|
+| `image.hub` | `intel` |
+| `image.tag` | `` |
+| `enclaveLimit` | `110` |
+| `provisionLimit` | `110` |
+| `logLevel` | `4` |
\ No newline at end of file
diff --git a/charts/intel/intel-device-plugins-sgx/0.32.0/questions.yaml b/charts/intel/intel-device-plugins-sgx/0.32.0/questions.yaml
new file mode 100644
index 000000000..402e94820
--- /dev/null
+++ b/charts/intel/intel-device-plugins-sgx/0.32.0/questions.yaml
@@ -0,0 +1,6 @@
+questions:
+- variable: nodeFeatureRule
+ default: false
+ type: boolean
+ label: Enable Node Feature Discovery feature labels
+ description: "When Node Feature Discovery (NFD) is deployed, enable SGX node labeling using NFD feature rules."
diff --git a/charts/intel/intel-device-plugins-sgx/0.32.0/templates/sgx.yaml b/charts/intel/intel-device-plugins-sgx/0.32.0/templates/sgx.yaml
new file mode 100644
index 000000000..5fde596ad
--- /dev/null
+++ b/charts/intel/intel-device-plugins-sgx/0.32.0/templates/sgx.yaml
@@ -0,0 +1,43 @@
+{{- /*
+based on
+deployments/operator/samples/deviceplugin_v1_sgxdeviceplugin.yaml
+*/}}
+
+apiVersion: deviceplugin.intel.com/v1
+kind: SgxDevicePlugin
+metadata:
+ name: {{ .Values.name }}
+ annotations: {{ toYaml .Values.annotations | nindent 4 }}
+spec:
+ image: "{{ .Values.image.hub }}/intel-sgx-plugin:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ enclaveLimit: {{ .Values.enclaveLimit }}
+ provisionLimit: {{ .Values.provisionLimit }}
+ logLevel: {{ .Values.logLevel }}
+ nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 4 }}
+ tolerations: {{- .Values.tolerations | toYaml | nindent 4 }}
+
+---
+{{ if eq .Values.nodeFeatureRule true }}
+apiVersion: nfd.k8s-sigs.io/v1alpha1
+kind: NodeFeatureRule
+metadata:
+ name: intel-dp-sgx-device
+spec:
+ rules:
+ - name: "intel.sgx"
+ labels:
+ "intel.feature.node.kubernetes.io/sgx": "true"
+ extendedResources:
+ sgx.intel.com/epc: "@cpu.security.sgx.epc"
+ matchFeatures:
+ - feature: cpu.cpuid
+ matchExpressions:
+ SGX: {op: Exists}
+ SGXLC: {op: Exists}
+ - feature: cpu.security
+ matchExpressions:
+ sgx.enabled: {op: IsTrue}
+ - feature: kernel.config
+ matchExpressions:
+ X86_SGX: {op: Exists}
+{{ end }}
diff --git a/charts/intel/intel-device-plugins-sgx/0.32.0/values.yaml b/charts/intel/intel-device-plugins-sgx/0.32.0/values.yaml new file mode 100644 index 000000000..5da974c99 --- /dev/null +++ b/charts/intel/intel-device-plugins-sgx/0.32.0/values.yaml @@ -0,0 +1,16 @@ +name: sgxdeviceplugin-sample + +image: + hub: intel + tag: "" + +enclaveLimit: 110 +provisionLimit: 110 +logLevel: 4 + +nodeSelector: + intel.feature.node.kubernetes.io/sgx: 'true' + +tolerations: + +nodeFeatureRule: true \ No newline at end of file diff --git a/index.yaml b/index.yaml index 942734a52..2966ddef7 100644 --- a/index.yaml +++ b/index.yaml @@ -6612,6 +6612,28 @@ entries: - assets/cloudcasa/cloudcasa-3.4.1.tgz version: 3.4.1 cockroachdb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CockroachDB + catalog.cattle.io/kube-version: '>=1.8-0' + catalog.cattle.io/release-name: cockroachdb + apiVersion: v1 + appVersion: 24.3.4 + created: "2025-02-01T00:01:49.027707406Z" + description: CockroachDB is a scalable, survivable, strongly-consistent SQL database. + digest: 2907478e8dd26f3845ac03b175178ff0a1f1986115f26550f72f5d3c92bc6d9c + home: https://www.cockroachlabs.com + icon: file://assets/icons/cockroachdb.png + kubeVersion: '>=1.8-0' + maintainers: + - email: helm-charts@cockroachlabs.com + name: cockroachlabs + name: cockroachdb + sources: + - https://github.com/cockroachdb/cockroach + urls: + - assets/cockroach-labs/cockroachdb-15.0.6.tgz + version: 15.0.6 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CockroachDB 
@@ -18872,6 +18894,23 @@ entries: - assets/instana/instana-agent-1.2.60.tgz version: 1.2.60 intel-device-plugins-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Intel Device Plugins Operator + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: intel-device-plugins-operator + apiVersion: v2 + appVersion: 0.32.0 + created: "2025-02-01T00:01:50.031539943Z" + description: A Helm chart for Intel Device Plugins Operator for Kubernetes + digest: 34fa2e0464af3ab4307475b456017902fa4fa2590d957ab2d17f39127272ca5a + icon: file://assets/icons/intel-device-plugins-operator.png + kubeVersion: '>=1.19-0' + name: intel-device-plugins-operator + type: application + urls: + - assets/intel/intel-device-plugins-operator-0.32.0.tgz + version: 0.32.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Intel Device Plugins Operator @@ -19003,6 +19042,23 @@ entries: - assets/intel/intel-device-plugins-operator-0.26.1.tgz version: 0.26.1 intel-device-plugins-qat: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Intel QAT Device Plugin + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: intel-device-plugins-qat + apiVersion: v2 + appVersion: 0.32.0 + created: "2025-02-01T00:01:50.033435395Z" + description: A Helm chart for Intel QAT Device Plugin + digest: 40e8891ee8cd10bac8ddf39b52c305cc1d921fb2840e5ce62e38c331a5cb21f0 + icon: file://assets/icons/intel-device-plugins-qat.png + kubeVersion: '>=1.19-0' + name: intel-device-plugins-qat + type: application + urls: + - assets/intel/intel-device-plugins-qat-0.32.0.tgz + version: 0.32.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Intel QAT Device Plugin 
@@ -19134,6 +19190,23 @@ entries: - assets/intel/intel-device-plugins-qat-0.26.1.tgz version: 0.26.1 intel-device-plugins-sgx: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Intel SGX Device Plugin + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: intel-device-plugins-sgx + apiVersion: v2 + appVersion: 0.32.0 + created: "2025-02-01T00:01:50.03509248Z" + description: A Helm chart for Intel SGX Device Plugin + digest: 3b51b3cf5ae1388c3a132cb35d4c44eb479c4e18182e9ec2de07f5c02a3e6a22 + icon: file://assets/icons/intel-device-plugins-sgx.png + kubeVersion: '>=1.19-0' + name: intel-device-plugins-sgx + type: application + urls: + - assets/intel/intel-device-plugins-sgx-0.32.0.tgz + version: 0.32.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Intel SGX Device Plugin @@ -49053,4 +49126,4 @@ entries: urls: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 -generated: "2025-01-31T00:01:45.881547877Z" +generated: "2025-02-01T00:01:48.430240952Z"