From d5d8d89507e7ee680a3b3b62adc580ef63b24d94 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sat, 12 Oct 2024 00:38:48 +0000 Subject: [PATCH] Added chart versions: paravela/chronicle: - 0.1.27 traefik/traefik: - 32.1.1 --- assets/traefik/traefik-32.1.1.tgz | Bin 0 -> 243754 bytes charts/traefik/traefik/32.1.1/.helmignore | 2 + charts/traefik/traefik/32.1.1/Changelog.md | 10318 ++++++++++++ charts/traefik/traefik/32.1.1/Chart.yaml | 32 + charts/traefik/traefik/32.1.1/EXAMPLES.md | 1007 ++ charts/traefik/traefik/32.1.1/Guidelines.md | 34 + charts/traefik/traefik/32.1.1/LICENSE | 202 + charts/traefik/traefik/32.1.1/README.md | 158 + charts/traefik/traefik/32.1.1/VALUES.md | 316 + charts/traefik/traefik/32.1.1/app-readme.md | 5 + .../crds/gateway-standard-install-v1.1.0.yaml | 13478 ++++++++++++++++ .../hub.traefik.io_accesscontrolpolicies.yaml | 368 + .../crds/hub.traefik.io_apiaccesses.yaml | 188 + .../crds/hub.traefik.io_apibundles.yaml | 125 + .../32.1.1/crds/hub.traefik.io_apiplans.yaml | 103 + .../crds/hub.traefik.io_apiportals.yaml | 139 + .../crds/hub.traefik.io_apiratelimits.yaml | 166 + .../32.1.1/crds/hub.traefik.io_apis.yaml | 190 + .../crds/hub.traefik.io_apiversions.yaml | 194 + .../32.1.1/crds/traefik.io_ingressroutes.yaml | 366 + .../crds/traefik.io_ingressroutetcps.yaml | 247 + .../crds/traefik.io_ingressrouteudps.yaml | 111 + .../32.1.1/crds/traefik.io_middlewares.yaml | 1098 ++ .../crds/traefik.io_middlewaretcps.yaml | 87 + .../crds/traefik.io_serverstransports.yaml | 139 + .../crds/traefik.io_serverstransporttcps.yaml | 120 + .../32.1.1/crds/traefik.io_tlsoptions.yaml | 114 + .../32.1.1/crds/traefik.io_tlsstores.yaml | 97 + .../crds/traefik.io_traefikservices.yaml | 639 + .../traefik/32.1.1/templates/NOTES.txt | 36 + .../traefik/32.1.1/templates/_helpers.tpl | 161 + .../traefik/32.1.1/templates/_podtemplate.tpl | 840 + .../32.1.1/templates/_service-metrics.tpl | 25 + .../traefik/32.1.1/templates/_service.tpl | 84 + .../traefik/32.1.1/templates/daemonset.yaml | 58 + .../traefik/32.1.1/templates/deployment.yaml | 58 + .../32.1.1/templates/extra-objects.yaml | 4 + .../traefik/32.1.1/templates/gateway.yaml | 58 + .../32.1.1/templates/gatewayclass.yaml | 14 + .../traefik/traefik/32.1.1/templates/hpa.yaml | 35 + .../templates/hub-admission-controller.yaml | 198 + .../32.1.1/templates/hub-apiportal.yaml | 19 + .../32.1.1/templates/ingressclass.yaml | 12 + .../32.1.1/templates/ingressroute.yaml | 43 + .../32.1.1/templates/poddisruptionbudget.yaml | 23 + .../32.1.1/templates/prometheusrules.yaml | 28 + .../32.1.1/templates/provider-file-cm.yaml | 12 + .../traefik/traefik/32.1.1/templates/pvc.yaml | 26 + .../32.1.1/templates/rbac/clusterrole.yaml | 268 + .../templates/rbac/clusterrolebinding.yaml | 17 + .../templates/rbac/podsecuritypolicy.yaml | 68 + .../traefik/32.1.1/templates/rbac/role.yaml | 143 + .../32.1.1/templates/rbac/rolebinding.yaml | 25 + .../32.1.1/templates/rbac/serviceaccount.yaml | 14 + .../32.1.1/templates/requirements.yaml | 29 + .../32.1.1/templates/service-metrics.yaml | 33 + .../traefik/32.1.1/templates/service.yaml | 83 + .../32.1.1/templates/servicemonitor.yaml | 69 + .../traefik/32.1.1/templates/tlsoption.yaml | 39 + .../traefik/32.1.1/templates/tlsstore.yaml | 12 + .../traefik/traefik/32.1.1/values.schema.json | 1665 ++ charts/traefik/traefik/32.1.1/values.yaml | 944 ++ index.yaml | 38 +- 63 files changed, 35223 insertions(+), 1 deletion(-) create mode 100644 assets/traefik/traefik-32.1.1.tgz create mode 100644 charts/traefik/traefik/32.1.1/.helmignore create mode 100644 charts/traefik/traefik/32.1.1/Changelog.md create mode 100644 charts/traefik/traefik/32.1.1/Chart.yaml create mode 100644 charts/traefik/traefik/32.1.1/EXAMPLES.md create mode 100644 charts/traefik/traefik/32.1.1/Guidelines.md create mode 100644 charts/traefik/traefik/32.1.1/LICENSE create mode 100644 charts/traefik/traefik/32.1.1/README.md create mode 100644 charts/traefik/traefik/32.1.1/VALUES.md create mode 100644 charts/traefik/traefik/32.1.1/app-readme.md create mode 100644 charts/traefik/traefik/32.1.1/crds/gateway-standard-install-v1.1.0.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/hub.traefik.io_accesscontrolpolicies.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiaccesses.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apibundles.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiplans.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiportals.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiratelimits.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apis.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiversions.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/traefik.io_ingressroutes.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/traefik.io_ingressroutetcps.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/traefik.io_ingressrouteudps.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/traefik.io_middlewares.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/traefik.io_middlewaretcps.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/traefik.io_serverstransports.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/traefik.io_serverstransporttcps.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/traefik.io_tlsoptions.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/traefik.io_tlsstores.yaml create mode 100644 charts/traefik/traefik/32.1.1/crds/traefik.io_traefikservices.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/NOTES.txt create mode 100644 charts/traefik/traefik/32.1.1/templates/_helpers.tpl create mode 100644 charts/traefik/traefik/32.1.1/templates/_podtemplate.tpl create mode 100644 charts/traefik/traefik/32.1.1/templates/_service-metrics.tpl create mode 100644 charts/traefik/traefik/32.1.1/templates/_service.tpl create mode 100644 charts/traefik/traefik/32.1.1/templates/daemonset.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/deployment.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/extra-objects.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/gateway.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/gatewayclass.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/hpa.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/hub-admission-controller.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/hub-apiportal.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/ingressclass.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/ingressroute.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/poddisruptionbudget.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/prometheusrules.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/provider-file-cm.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/pvc.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/rbac/clusterrole.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/rbac/clusterrolebinding.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/rbac/podsecuritypolicy.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/rbac/role.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/rbac/rolebinding.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/rbac/serviceaccount.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/requirements.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/service-metrics.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/service.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/servicemonitor.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/tlsoption.yaml create mode 100644 charts/traefik/traefik/32.1.1/templates/tlsstore.yaml create mode 100644 charts/traefik/traefik/32.1.1/values.schema.json create mode 100644 charts/traefik/traefik/32.1.1/values.yaml diff --git a/assets/traefik/traefik-32.1.1.tgz b/assets/traefik/traefik-32.1.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..6fcd30db36bb492c0759c0c7515ed79406a17f1e GIT binary patch literal 243754 zcmV)XK&`(YiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ%b{n~|Fgm~a6xft=Mw%@)DarQCaK|~3WzSeEzHmu$va=>x zG1v`~7&UlK23WX}5P!J5F3BK%~ z%peoN63*jqw*CwTgTeEsPu0JJ!Jzo>!S~M(zd3mN{owHE>EYq?XWtAC4xb+#d;0|B0dD&9{5{#g0FXZ zI74%|Hw1tCD7)^brw1>AfNYAyh%x~}NC1pE1!Dvt;DTW?{ag2Mq}KreNDv5$-3TRo zZwS&Pf&u{}fgqycC1OCpDG(Gaj)H^WxvC2O)(vNrp(>|o-hO>5K_VggO~^oLOP!#BDk#5?Enx$0b@E1LMTLx6bq1K z2}aQnB#;S$SY@#Y^CX7L9)WW-1Q(`FBSx>6mE|wfG3qT4%av6*@9Rcc3_fZKNbHv5#k}kiBRv39bIF{Q3U>!ju9hBAPz8@GQ=f6 zh+s615$nvTL^Ts4;lqC4pp>+9a44ZoaEyliKI9w;-k0yVE0vIG=MpWiD2w>8({lv( zETT>i5G1ZByTr0+I!1r4yOb?Due*9Zd z3mB(}-_8WksQ(WR51&0B6!ibm;Q9BD`u{GT9qXacB>+q)vudKV11@Hm1Iz&g ze?5Npwl|?{4uwFG8vQ{>)(&IH5LiHl;W$QID(^7@iPQ@bz(i0W&^(EuK)lnzb2vpq z0CvD1^-Ka_6k#c+Fdi|QNM$SMn+c3L>d11vp3_>YGMG^=07FyE1(Ukf{y8)=h#r^~ z6&Xq>$AX$#_D41{O|3{XM71PSsU0AvrX1;Nto@=VxqU#=IR1Mz<|K_{kkA;161Ds_ zQa^^^bn>2x5knji(dnqF$5G@l1;lWSVns?E1BQ(D=*WqSlDG0BAA-+cI-Lk5F`Mm#q~1lc)v4p~D^~(g23|olr{o;T;+L32L+`t-@jji85d(Ar5*l&& zubBCmz%C{6QY#|F!PN{A1q-}*;X&KeJt1`!AA*B2a2iKohPmt~$pePuWMH^KuYjDY z#xT4DyQdRCr~n*^ecOTl{HBCk3NlARRzDbM)C(;8_Kn8y7SFM$=wVC*nj&Vp_h29EFrbd=HG#gfirla)sjEaqKi?IUEF` z$d1@F0gyz1rG#KIwS-F=ojmkCIms*qWl-S=F%GZ*Z~<{FMXUoP0cQwCOGlp~Pto^b zff&P)MiAo#B8c<8w9l~o3nY|@z^R{l-CFRCsyd>=??V#QPPbnY*Tpv}&+aYXSJE z8!DCX6bT_aB9Z@7vdx7(V0#SGNc01e7(#T6QJ6s8On+Thc1uD}j~&u~Q2`S6!F7Z;;_Apd`E znO>!k|Ho>Bp(Ydy{tBhM_2iTZ1!X{vzz{Nk$*(Asg{6Y?y*oKcG~!V+jgMl2V}T?u{Ziv42vaWT z+?1DS;%pi!V@POJ(}X$Vvy5Ij^CXPUk(i-W3KWBqU3&`TsQ^4pltf!|0+VR~J`kjQ zPN~+h&}zUKGBLh%N}{h#@NYkVcE$+k+L0l@bwL2We38CaLZjoAT$5v_fnD-*6`v9s zy=`KZ)T!Fp$#F?A90EF-#8e94)ONK3nOO=auJRE4q74!2Iz%+&K?DVi=ydi^K01-CipHpGHZKp>Q$$;o$I@dO`4YPtJ*g4*P}x{ZIGr2F`-U z=^VY2Gc6yQcfipV@kp0!mD)Jo7i6(XdS)Zk(uY0A3uBF_ob%!GL1@bbX;YRmLGhI%6bIhfo10V-{ zMz07MqnKVv0m_4LL`(ajtC`cw>hrEDp9!j*oEiFOikUR_CtyiaX+dba-@}VJm+qwk zeTL-ti}btUdj4%+1L`0B_&mqkGNpO(9H)Farq@H|hS&~}HZ+vx?Jr$EQ_>mA{|lOi zGtiggr4Pe73V!93{0|6ca~gr(0z4lKieKAGDHO0qK;5TaPtKuI6NYjYkrjCYLj?E? zGCh6BztBh*cyGTKe5Mnvd!+Jx_5R#A9|1T{l6WaQ>XVed_j(CN`vRXj07Qga&m^0b zJW#(#SRo}7JpKEw?YK*4+p2{y8cMrhf*2wp>Q51o6BLTPVm+AP{^B4w8uWJ(8byR_ zkiEr0FQg3ZX-ZDiOJ7wQN`6r;AdE5Oh&R$9Aiv~&v(nVp`WXKU^&|k^lY>LLv_0v< z^d(mL{#e7!hHnpyQf0D-3<<62kqBqXsxfx7Hy)(Cb&TA}dgrQI9-N##@C1d+Fh&5X z*^eu;z`S#9P8d2DG_jI|u2Gmtl_$RaF(!RqhIx!o0-g?xU?!A{a{-yKwI$DfMxvy8 zjDcd_DO2~y!C>HC&6Hgj(-6jPZjcW*cAB-ZWHZl^08nZJ=@p&CPz$TH{1O^Td#dn7 z$(;6qe~~PDg*i*r(j|DAMpGnOid;d^wCMMo>)cOh)QcSK-dMrzEe`s7orFdiR*iIx z#R}(I+ZS_q{gJqtrD5%$!F!lva_m9a0ETAi2}9EAfzCTV)hn@z{kc^i?0wjz^=4rK zb7S`!K;|`ZJuQd&x=TSPkSJf3qe%Kha-N>XbPVHo2^NQd(NrJ?_>u^Ct?Ha3D-2qk@JsmJ^}qwNu|jFWC$=M zXA?!fpq}k%mUpcT|1x%CX3LcS#OT}&GH$4JbXePTS`0Zo~5bmSo6rrR&xo@YI-T*ndQT+A3vr!%RWk#!zH zx7Tabd!A}NnL$EO{6eZX>3Vrn;$SkT5EU+?C#!K}vj4>j@ zwCm#S`8yh+TM#S{@?JJfrH&gqJ8xa@VJ(|bsnTg%J5iCcma+JAzGBg0EL(Nj^lexX zw!?)g{mECYqFWzKjYlaK5#+Nmg)H(+a_i9%>&mIpPEuTzDsvows>MVPO0}7q_q$Dn zAe61wQeC!ISKw*jS*}%83@dCrcsrlQ57aY_oQ|}|SYl0%76n38ksjR;jG&l}7@FYg z-A{d2<Bu2Gejv~F&mQWS@X8h+`qBIxxP2U*LZ(rIM`C8P^PnMGrR+G*;q`gS zrf3Kbtn9U{-N^zZq}EwG%1`>GE>bC^M9Q4N3j`(*$EoaVE7~SD$;KTi(VHQy>;UAd zf|fE<^c_!Wv_7U6W*7QDDZ zh~%2704u*a$wze^R7Q3ARe2hQh;!s^#tQ2A<1xn+oTRbDV}7mA9W~qxNFC9`QB|*C zk?#(H=ZL1lUmxX#kI2O28}UbU_kM8g@UpnKxBa#CDPV;kuVyi%9GolBQc}Vi!8j?_Az5nnMh7BjdBs;EC8ny5Tl9E z%-DB3u-knJO-R@yTil0is%l#$SxRe5q#R5bod@72bv$X9k=i$sE?+pf zne(bQWNhQP=T)nqDJW((wA<5S_oE?dBQh-YHgv%%2-PL_Cm1x2vf!o5%JOxmM7riWMr43 zBI&QIA7<&GyhmDAQFk?89Gf#*+zeF}kUmC08;Q!S)@xdFPSyLxILrsl*lhu++yZZ5 z%MJc+SBir=a$8;pG*P~lGefoBw#^k3z*NvV6gX5dRI2@U8BX`*)a=8nPencblPX1t zP)EN0di?G!&}Rhq!8AMgXS)?edtjHZj>vLWb6--?*NZO(ix(w$97QgE+w4eN4V=&@ zP!5Uyu6K5n(UYA`lvR>Au%{fud}x_I(*@Nc5J(_qKshklO_;+(pDB_q5O=QwLFchM z8hJbs#*s2a%peD2>B1@4DB4%y0BYk-Rp;ioq&=j)w99HU1U^;l{C`q=$vTvKAE4>5 zvr}14zVGG34it^@f08jTjPuivmITgmsG8Arl`xs+egxU_-is?V?tbblyomQKCR?fd zuqPSV*~y1Hch#|a-c|4Q!j@is^QwRQ`7=luCSn4*zvDf_qAm!|w4w==Df8vaw-vxu zSs%K7^A0AN=;TiT=#XtSAfm`h(?v17w^NMrH<8|^;XOG60Zh1n(&ke3knTbVVmjqB zoFqmwL*+)Rw_clVz`J>!4-sEL){p7b9S!fuQc@l080*;64ChFIU*u;q8Z*DRX2j94 zoc*8<;E-5&e@9o@MfBF#k zT1=U!YPOB(bSgQls_4*#SFc}w{COXYj^Cf2?1P_Zyhd?}M(^T^f0nT@E@Nacu*@f?f56;)(7j+?5# zsKe??`>AXUsxD<F_np}4s*c7LZd9w>k&FXhC0Nc z?N1XtVQNfrhpqou3}Xn)R23}F}tpFz0Vd9V15BBK%$=NGyIO+&Oq$B1G=Z{CHCo2A?m3Z)6vvLeF z;z@1P^2wR%g$jan0O#xfJ$^TO`}#bX>*cjMRTK({V|Tcsl3|+dXGk$l+7WKKLe9-q zZ-1p@H3qx`4N4*w(0?_fgfcr;e1z(#KDy8wb;SzuH5YK66e?-b-w2T$=08lR6x}lv zVTM9csFnF&Z;N74Jb;sXmo1~3@|p0fNS}M@sMd|qC$`K1es^YbXGglRYMoWOoGc9m z2llYI90MxJj2(o6S^zybRcR&6@+Z_V0t?ps9)j+{;rGEH7z79UoW6(Gg+47{tS2E8 zf$XDCQa-CipJ~d20e6s9ol_@zN8TrMia-Tp`SDB^K}h4+oE*rMu#GA55GVlooKI^_ ziZ5LBu!2`TF=kN;ZD+t2`6?B&U=DAq*{)1#amMqIVls)->u7wqxqMj=U~#xwy4)G! z;SYl!p8MTQFOk{4(XnGXEP>j1=Q8V9~I8hNNg@s+a z=7&jU?wjQ~*~cFeL@rQ_B>rX2^Q&8|yHj_t8sRNCgw=>{!zEOhu9FytSb#B2Ndy@- zN6%Dh!6}1tW&V^|`b#hvJlhAs;6VQGQ2ibgJtK7nHP2d_Db;(k9E_5Mx$UDDtWR|itJC(s=+h^1*Lz%j5;&ov$&0Ff*aj^#W@SlxS)OL-p+sdXr37JwHIuY&Cv*Zt5CaTNA&X*ZXP6~rdq7zw<_zgVYFI}ICi+mv`6W*N zj2NC&9jvcVcT<*xw>09XXQPvcH{f;1#D=5GomaE_z?$jVx$vNq?~X!?9~Ho(0=Pp3 zV0JflR1TvMlc^4CSZgy$=$d_rZh_HNzhmC4d%VML3!3U{>>M~~*wqjvmlX-DvA1U(u-kHh@8KFqb{^Rvn>X>+Xt=(29*t~oK+a~QMX zTdpp}=;+LpUKp+lq1A5#wIfZ?l}W?c&3%-D3kfC5IZb)W;S_btfvYvNKw;xnzvW^fCLmc?BzyVKa6pIud}1l6o)B`mtf3nbiJg(Bw!zc zPcszHbvSGsgI{L=l@ zsfvQuLAu3A=rz%G9f$%}+d;3hV>)%0;s{#RLw~f<9mX{Mhj%5@KRSpkhVE*q(T7+6 zcz^uvbq8o(|HSBAYb_OIb%rKZhpFE>mT`^*jG%xjtgQsW5T&?ydp{VU`J(%lk}Lb(WK>a6@x5~wo0cyQkqF|u5(+4IghJiRokZ_$vL#Kw5O4aPrsoXb8^d@SADHUYjpN@C{ z{%Z0NUO{y?j|3?6p-!c&&Am4|F*`w$_1V!6jV^a8#o;orvI8l)#Ve1lnR=xYQZ@r1 z<~9k4W}Xf=l91%5w-iS1(iRgIv;*GL2+8g;5#U)*$i|<)`S9`WEAalqg^hyCp97H- z6Y;h#y}K-2j>1#TAIU?d%5~f_7Fs50DmaczBBC%(xj@Wjf=oFApQH*2MXZqZCX`)4 z7JZWP8`_vClZX;~XDv0cc3ef}Z4WmyTYh;bvoOz{Rx>3=6=T4qUUYc~cP~yx{g1Ck zdo~WnqyxM-8Fjp@vALK@g)uw!0U-C%tYzf7fS40sf-wL-~5vzblb%-(phRtzg zb+S_j!{@NsUV^;5WmCuxyWV1kq=pT6`%*#6uFh zEP?i2e@8Z?}%EoJBc31r+ZwyBVT zY%6$ODl*5ILBf@U8mEEh!7J$h12{q|CqcPas@CQzJI7(tqs#uXEHJlEVKOz*ik`E_ z5R6<5W81;#YO6y&S@kt*<0wX(;*RkIov2$Qyr%p!MO+*!*Gb(Iw=rc?Tl<41&41Pc zb%{`N9ODIg2d~dGeSBC8s#zc8p-Jk7n-NybmHai$c{U&N#>Q-6R$R08T63q%-TdGt z&y9?vuW$mrb#lEchkKS^CM9H&xT$EB`>-Cd>&y)5Km-iuXuM3aY?bom@yWZ_FP9^g zm?OV)b2Q9WAT!1A=Hg=1KeBR~A<4?Bf+m?&mTAYtXeq#zSA%2#Hff-On}N7cF{_Xv za7pMD(TB=RK2M#fg)Pm^lAa%EQ@yJR+5>hn0{<8I_-X`p-$*ojfq}2C29~k_8BK|~ zEdz6Pk+xm#jZzrf^BzIDjow`)neh34nk&Daet-D%#~t;<+}hrI_QUr-J|BGl^q^_I z97YSo1a`V;&7o6g%l)TXb6Xyk&P3aLwAdakwl;(*IlKiyv?+zX9iVc4Ent(zdb=4R zV&V*O8ZQv@UPp8e)m=?~T&BIR6smjp-g$X!Dao6N?VKPlzpWQ<(W+`C7d&_w(f$AW z8#q;`4%I3e;y}+WAjag<<)u{1V|v4&ussJ!WU_ec{33tzepz?@;|We2X**MmQ1^G|3p=vS3HtSDDbIqaQ8_IJMY z?C9OYs8c~eqVp{(gH%ue7ZgW|Wibv-AcZspT`>Q!(BIyKnw@g<|GdJNxNrQ5o?5h& zc96E+xWAfy;IAawm1aVPTPgKcT*3 zQ_-A$w1*$vxkp#Y9LIOD4^kdIY)?K}{Mlt^#zDAL?)ZV@{rtv512B^zIvb+KQF1eD`edksfX%|=2 z+SmJl5@fTdDaC7le|)8)#keBMQL3{e`P(iPmz?-l0Vp?53(1&@nL{Ie1D96PyVowJ zX_P5)x6c&1n{ZZNQSPI+EwfCeBwpr$T%3$r!tqG1fb;QH9UNPy;pPIHrEu-b(&c1~ z?F4HN8mha;Tu_MtEm;|O*J4VwY*utsukL60=qNKjoq?|8AVHy{0hyGa7Yt4&IJDQS zooLOgio~9XoQ{T|dk`E3N5NBlfXnD;^+CN3)Nx_I(z%M(JX87PysNPfemo2gp8pUG zf`k6ip?&$id>IUaLI2>n8we&<-o&I*f)Ni)sWPjHUorDdxJ zMuUHgxsdQrM_?jLVmE|NM~kO&c=grd*W&q}Q40)BG81UsB^&9F_qasg-?86)LNRh@ zKYNM-|A+35+a-$C+*J-Hgx6aW*x3Q+YVE=1SLSk7uw4VP3omwD zbxWgGVJB7s&D)*gI8&>s6}m?Lmm3U4;i(i{f7JMbQ(z-9YIyU7HGwC4%ccJa7j045HR};jzTI12vmA`c0eKOP2 z$i5Lk=eUyt56`uTIKiuyyObl=o2EEIeFs?dOnSh6$JqFVOpEFqwGR98E^gab+d-e? zM>s{F046y{i&x#ZoV#TmU1KgC97VnH%e0;OPURXpLooUa!vcLEO0u}ht#xqt!#ga0 zX}o?4Yu$|Z*=1l!?&|iMiR=T3moAwkPsb|G&L}a%U!C<)nT?T3u|IYh-^|_3{)KkT zav<+UNqg+fR|}1%6Ab65zvJ<{=fHN_$XKo`JOl4^;yW~1CL5L#?w0w@mAdK{cY70M z=9BG!3knj3q^k!~!owMgQk`Knp%DjBsxrwa6Fa1FjMa7j`_jhqQ0o)6J4*8~q?V@n z9}f1_wUZHmMBtvB>j)N09kHm_6eDxFoIB%>ROFDDDOg?wl{^;mEX`ByK7Bue@Gm9= z=8VP&yo6HdkF~pVLZwF?yX>zqzC?i0*aZ5>zs6XteR05NG>s!klChdQYz)I2T+h8z z3cu8<;Xvhw=T}%K!evM*M}Ze8)?t>?|DqG{$tYaes!xhs|IJHH_9qGYlUKz5rq$V@ zLI+<4 z(3w3+qR?2_lHQZES70~8yO-TfSdBV32oC>Sq5ST<_a81^fA`%GeDa&~X&-#D(M)e& zYNmYmok<1!-FKOx9BPBkYDw+%+aVHxvzNyw*>te!I#{+y;$4|O zbF)`D?PLV{2YJjyqo#(5KFFhFyyLG~G+yX$veUs-%!vB`zxq=6`#T=Yo`nggQ--7m zbwS;%Yz-_=giL6m&f+VbQH=ykQoYOYRcN2d5iQg{uUV=f3NI0* zJ^RR(cd?hSs-#wL>uq>n57|#x+T}~P=}}Z{br%FK&2Y_4+f(+HUb36=Pt5-u22fi6BQ(@!ep zaEzE;b5gksOR{EvSoI`kn(b;_Lml5IGB8<^?!THaL9NVmn*mQ4f{{lVH;JdDiPqTx zGkPV}w2@O?7>0~;o?E5{a8Ak8ULw{rn?RBfjptm|Jjt*avU20Cw(vURZnHsGE7jE! zeM4!U!|U@)bTtGAot?H4s0vC=@R4vRFrQ$3&EYHho(eN~t(^Wcq7fJ|tj=huId#O4 zoX*?Fyf|&pLkp~=x1Z3cml&YE!~yK@b?jSZ?7h#=A-~v3SepIlS~TL%j33W5g9+|S zwWn?saY|c}vpDGQa06dyeRM5)2YV}zmGC@G(lSt^ZN%^b$7qUP^AN@+WwV{5Lzw8( z(AeHy8Znv-!7s;e-%5i^3axZ|&nOi?;TY+2aK`iSI>s^t+!aSw^TV^1JeIJO9P^(U zO_L#b{_L4rr&RCWQz9GboGSJ5BS*}Z>+Bet?^-bE96dqpW#zm2fCiHP*u4N5wBxYz?8j#%OI{5V z>mmrm1@CJX^^t6ZVw9?6v{lei??33ad3LT+Y3jg`x}BNf2<5Wan%M|svyn=egyOlG z{guTjZ96!bpiuZ3IbU(W({Lu)^(mi9)_9tuTz*gfspFiJ+?76^omQmQ&$j077sdWK z28Ihk$9`8Dvw+h1jc?L%VG*ZAQi9$r9rru4bnKS$)D$m$@^j^PeA08_C0c@SRc6F* zt(OnM0>(H3F%A(?liwvGfnAofckmpKPVMb9>HWtNV0u2Z!)>F{XhFq<6o2?Ace+38Hawhmn(UzrAGY>r`7 z1WjF{vR6>Ru^e{!(SS=?oH-kKnUoS8wg9 zRSIb_8q>|srYPS!3)+pL$iHRg++e7nM%r3x9S4=p_J1rebD~aOYDfhq7VNqd_BMoD z1#DP8IG*lRl2GEfp_|2=sAd~opnHwRC@9~>S%Jv@B=?3=;C)1#+{-+;mPNT`2O zE+G46aARD>#(gEvXEi*!PjJ+gCX2B=tE^5G&wDDY-xreZzNxR@`7q??o+(P%v>!1z z5&gr#;h=YL*f-@(^{O@Dt{z^dM1*+AuyOz-5;;qssMsQN>E>~E{6ufZSkQ?N@Ux4O zuF6A^E1(L=AuQ2B#^5r`Uh-wX3XXpx+-9K6vShh(z7bxX9BA!c*1*o94pxEBeN*3! zEnfLCM}bjx-BPJ9xi_0MAh+Xu8ywPifaw*k+kwwe8E%c_>p;KtddWDe(%(H_5&^GQ z_m?)^Z=<`i)rR%OE#t|F+rL=dmcqcQAs$qX*)2oQc6RFFHp){8dy&&k=p({U^!=Cj zgIw=1-az&$z-~bSRY09(H`?afY>D}98A?4yY#*lAW z<={D-qEQ;hdIfOHzzG(&q=+vuX)&nR8Fg{>{O!Kqp6ZM71cl2mZWtA}iF|koh}m^)!2M@fSe&1;oIpq8}zv44r6Gc0xs3P z7Hp|*A^qxSHkJ~B=g95aZnr1+3^FugG(;M@+J)M(DI*Y@W1>cpIz2o>46Cion~vEV zI|7I-${qj~XkKIduW$}j8Pe28piMtjw8qtSDG-}cv>?=#wP_SrmRuKd9z&xRsjSw9 zPsQiU%2G9)t;AfXF56*jz|;yu8FJ<5YJgNXCK}dxOghVr)`ILWz(9lvGq)T`+B``>}+JallJ!d?X9I7C9d3)TirppC9QjJ z?)44j;pQEezW`t@Kd6bi4Qx*D)I_}@QR>zlgtR>4tu`b4fWe#3x-Q&q`*Uv={&&B# zZx$Z-)$98P-|TDj8dM0_&1KjGZMJUuYIDjlr;Ty9(tfJ9o0>Y*28eF6S*@+ZTWghz z?`$uqtHxjxIvbsMH`r{1<@R-{3pKr8Roa@Jw@QT#di^b{a}xu5H*zZ)j7e8$U6Bpp z{Yr^CB5u!NHe3N4qTKF0;OFLIRU%$;uiV zg?6;tiCZ0jvmI)-;zq0$Xma~Qc?0kD>)C+wLc|{@x+1d2iEbsB$BE9Ndz|Q6K93V! z0rTTTx8;d$3%+ATGNAfx_@e0epxi+ZM#s0i!emm|UCbEbGa9#8ELiIx0VY^r7{5X> zysfh(+lqm&S_n;59@yJrj@eIn2=V)s%e|}PJ`{Vl5%3Y6ntcCj%!4ucJ}InEUxJ7?PuSm&8p5M+`?Yn6cNNK!r!-rz|}J+>gTjVTd%CV@(65g%}a!m zHDY32y@=6`>M<0-RR%-xsX1j^i(?bB2(&lUfHl_E>tV3A4N|JTj@9Kqt8G58hMl@D z6>aQEbCv1iFe}u19A=NhtnDz{iW7E|Wea^L*@IkB(FrG4Q)bkIM5lA~tQdUlRYE&> zs-&0fs_CiCN@1TB1Ny6qj+|o>nZ&hsvna-pU`r?jnkVaoWZuY#_j!~;~#arp&N1afC=WEglF$&e)UgvPY}d4)Sas&V5bE^~GD z2CH0cR;M-#ccLOrwz7QoI@>s0k>{pJ@Yiwh1V)jH$zs3R=GpsIf0OOI<6ZRYB*q~Y zFKJ35$XexY*}_)XlqKQzmqFXI&Q-XTD1CcG>R}vSxMyax+4FRTH(f4UtACLf1L+Qle~a4*rKPjm?CpH?dr)N3Fa$6*t^LxX;axM@{}9 zDchnZ-(bh6y}ewj+CFcQeOBi$vd`lTvjO(Im|>EX&(s3JqD8dA16n*z+~s+XOAzLH zT!Q$`En=6mM(y{8B`=vq$7Mvk93t-ZaH>sAK6}yh>P;(dN&^lzCtIMog zXn$Ar;pk@eK>C!23?}HJW%|7mB@fKZ-R{CxrvXZL5!>9 z#T6sF-ww19zqX&cKH2(}V!Y`<1NVcw_^9T7lWJ~4*%f3Fir%ygQC_>>9?FRn zmU4lj)6p%iQ{TJ%5E`LJ1^?A5_-1U^%Ta5TkAt+9jC&uX%xv6W&~^LqE~pcbP0>AC ziS4cA2cT{QgM_!!IqQzdON5f+7%$K}czuTcnIgVUq(|$X$(pk6VURWW@2cGOrPV$Y zFYpFe&)w=3-d_O&V?048%dkawudA}@8L%mXq1wRzu*L?ytG)SIrnURc)m*>-T-Aqi z3W{mXavX*z5kK1=SSN(SfqLu#_dNWRmJIQPk_eNj>F+x@RsQsh8UhBB4B(ngM_rX9ds+0b?V)= zIR+oBXy2iTooZdMrCH-qci%R)jdb@{5hD0onj@OFu+wpj`3%|nHMYMC@|y`Md0=iH z8^iLAp4)WI;B?B+6bjUETy~Y{-(6x%H(s|5n4^#(wKJWvP-R|hktec_9XIcF1S3ok z=OaeP6`uVzU2}-zl%b0mLwrW#7JOYRr5z?%U>LtbFiy{+XOhjX~somZjBgT;22HOYaYT_rTpEp5(r@e$2i7~ z(_U-iG-9;HwVzm^dCNI=ov@3x^WnXF1ya?0Ao22yQt=ax5npnFTI4*w#q^GKH{Ga1wW?d1eFy74#+Xe()+kt*AXhjVBHek~ju{y@rsDpg{gvNBb zJWr&laY6|f3}RB1z_|@H2E(c=Ah+t0N0GYBm%t{iyph_XB5p`p{xDber!1*gwd>Np zb{kxUTM4~>7}w`Nlp`pQSK&WI%C>kFetUV@gwV$;=i6c3&e3KeTC8q7YURzTn6=CR z;3_|wq}|{P@r?cpg_}#TY$FcO)(nBm`pz^j5qgv z=J5JFWz+W2iQ7HBfBzv9E$>rv<-cY&Yn!}i`VCYxE5Q(F&GR6&!0Y3 z{|*L&;=e~v51xH<@bvq^;nCB>!{^Vw85}%4IvRWf23w<`;YqoG?3=-jaTOc)l{}r! z=g%NGLotFJ1@GY;fiGXc6&5ofKl~ZSDdGX1!zl_Fnqn^45`6j6ulSfyjs;bpho#Q~ zPQkx{Nlpg>rG|pzMB2L?QzDVhAO~ZF2#8P;({@dW zNHFd<_%GSG9>5bvi+5Er`0~Ymg(Rvf5g4x*?4o%hmad2?SlNJj)ua41LHzWh4JT=Ia+CcrQ75Kc zfGY{mYIBCvt^^OjUumj}A;MFJKu8%wp~!($JqbxCM`-}g5dt$I5@!s z5^o1bv;B8)bT}9k?7wG+2ZxXL-(5VPKli@_3p^hJjs%$C7)ht_#ayx_oS`B3t}o3R zS*-K=I+3Q5m?33k0Xk8Ct3exdR6#kIA~eCIV4!tDFZ=47fXd>uDq5EOut1FA2!VeC z!BP@}=SS*KJU>q-6MPN2y$qNfw>?MS2}9B{)JjBAD9K$I3lnmXauk8_GNW2+mIm5Y zsSIDHLwiz%=GvhDw)X750YgbFtixMaEA4Wgpl~nfoK67K?vDoIW;9QZumD#$ zj=>md8G;-@Mf|GHkY(~+;dvwWqZ4^srnW#U8H#xZ>4_qL_@e!=^XSaxb_FHxB|2Jj zZ`UTUIHGdUG~RUvPTk*H{*L3AUV$*>g3j^3luu%n7$#gm>7gl&02Y!nO@qu7?^P?e z-Nt6+ekoUVFB^CU@LNg7=DHA^&mcpQZjDiV($TW#VNJvO-+>D`Ixq*206d?kLb|+q zAPx1%;WL`Xk+Sx}nKD(!NL)!jJx!(zMhMh$DSrf4Q3sR6v%dpO`;vphde>fi^%eCj zr)ugJdMGHEdbM1_1k90u5nRysMa>`MCyYqpz@2eGEN%*rFFUYi79+cupOQKKWlncbpXsoR{@Apfr z60n(e1fAn3;ss$9R09(fBn&MO5gf(5~IAJt6t#N zV?}^V=)U>TWJ_kG=b2fYEmkqLV)|&3sA^LzH@p)lW@==s9~BEF=BRmK{{6c;55vPaQYflL#a|>i010JN)-zlPIf3z>dH=P5;)Uk9-`-0qRLa7u{3|doX|o z%8}ZOCkCyYiD)npgce!;3q$;iUx8K4t$m7}!vo!Q6hh;K&8J--@#0I8Vb;=}Dye{p zn&j9FJ(l!w{5O)uPy=hN3cXGC3S$v=^F180Iv_$Gh3Hg?De%cJ1G%A;jtqgEF?tx= z6#guOqNL5vMn;($)p1PQ3(d!S=)6?(r78`wz_ z%hOYjO%%w?XQ#!NzOB5vjskvaBHKDK>Ntdk$%3DD73MYYMB$;JgF!hI6aubr&T4jF zQzq#!&d&&nvLjknhPb5uoaJe_}a z@>=iLci>vMUfl!4`IpTnLi~_gzz2k;anL!cHTsMHN>BVE;O|qjtc+R=C<$5HV4-U7jI(O|*gpL5}Uo%3q&V1k#K>ybu zY?*}FLFQQ_z60yGKuZJQh6uj1?JM3X1O7q~khl(4g>M=K-cLa1rOGOr8^bJnEIuJW z_S{pohF(plpDehg;Q!OugLTAg+O}8~cb*sVm-LMM=FgxumY{-l7VyokUNy~s*d$-m z2{4EBW4|WVR}-Lh4*cY}3H@or=I*zZf>i05p9QPKkJ`FvQwX=e1w|7ZZzf&)^-i*K zS{L@FI1D?`Fd;O5DN6qo+Evh?BO2e1)6=z|BZ2X|{g_fC_}K)YS@`)2D+Pu#S$E3e zkhb8J8(gtOTEK4w7nQ|+0f0fo7ZfjOeYtQPK-t8+G<}k)K)Xd`C$f4tgUI->6`-Px zhs>MDfRL=Ryq1=hGS}SzYK)- ze#>(J`KLm*2cMM+-}L&lAf5$p09+&%d~9;~x)M4d+abWCGPo`Qid&2}%uA*G#rTjN zR?73#oJPIb_Bedz|w<G`>gg%o40xv!`@q&PfO9!l zLYP-g0R_JJ_3&sbvRu-R5?GVmCPvzUL~Rl?`6kSWjZ=JM<7`oH#s2VE8%z?l|%2hI6g6w_JR^?i=Q&QYs6n4ts@Nv43;R#KkMb=%6Tc0 zSu(ZCAu{@IIF!n9a83Up0PR8TbuY$m3up62O3nEK;%#%>s?RHuovaG5XUc-0|)&d8>0%Kl8`c?f!5>H=Ax-Pp3#2e(REYU=vaq z%L>9VUk)12PWosSS?nm{hNvuw9lNQy!6zx|wibto(87D|as$nA0M7U#hrf zMX$6r{V{r4@^8;kSx}x@1$t|XE6Y&$dCzEJaz#H}xqe>u4omA{=sZRK{qrPiHEzW5Zl zUJls9Q~t!y{Qi2`pU<~J0G0mREh^wYomOB zeNZCSHfZVC+%|?jMUR4-zKZO5_z$EQO{v+k(rXw~_HWMaw%GTE$XBK8Z@Z5Yp}kFV zF=Ba?8H!p1E{MFPHj!nA@}eZ=Mapy|nFv@`R5|sZ`!)32n`{SKBq5 z9OYLg0XOc`u#Gum6c}Zq#ID+K<`}+bIAvQRj*~U^ItbSG>_L0hct;zSyd>lzoFdSR zp-}d>&&~_{uz3nnPeiz~b;GV@h4ssHP##+H0HpV& zx7I9rVnG)OHVqW^;oY_YV+xJ03;0q>0_v4z7WCyh0fKZ^x-@A+&fwc`|8E@~Rg&z# z6^zuvdW}X-ezl z6deMNRwqkOekCw_hiDlO1M5i4ApvSba*xnU^=kTlaLE68a@}LMCm2P(4W>s@@n}H_ z=#AbgL-e=Qk+ZMg)^=@yaBz8Awbds;WW~3wlxN_L(Jx!G$zP`$%bCJ#eZ(Wm8bk6s zLc%PO7*jHVb2Pwwz=H+J2ftyzDuhJhRhq%%$38~M$6orbp_zX4S0HloQxyhBiu+h&}!h?u7vC8;y?<+j4wCxY4z3a%2fGQRGfR%sD= zXl}isQ6isI8ymq8Fg1rha~2glc3)HW!2-4&~J7=#}Qvr zGM>LsqU|s^F~VQgJ}LoW4IvJy#RaKMEh(qhF8nkzzqYXZ@w3`K`2J^FVjS&!Ux~)H z4MUFYwryP~t7E!knKemKV%v@WFQ{LO-9OLqEhjTM*eqMPl?Nmm?Mv0i9yLhMRU+ni zpdyKnWQC8GWW3koG#j6;`ERVbny8=f^q=V8rPAV{7`3(*DB_f=2u??%R<`ESGWxvs z!;DFV6`KLeHVu?WhXm>Sr4pty5OGvmo24x97S1=5iG-Ci>2;SIuO{}6`yzG%1VE0! z$`Qq35`B0%i_)9h9D{#?sH6jDFWV5yBpOYkPGL!GJ<45c`7C?(i%zE{Zr!O{sddC1 zyZj0GO-x861?g}Dp2rP+Ca~L|HL53nwrW(3Hb-lw={MhMTuQFoSGWcc^;fFR-92nt zTSFWcy^B<>7QId41#Ek*3})V)(w{iknD{+UzAut7S4$ui`94T#CDKdQ=6TrC&ADM^ z3Y&hUWuhNQ%(Id3Fo5;&mMjs=KMmjlXj}czsUS zDiE1QfPqN}E-te93kU8SylZp z3roWNP+dNj9<-Y|)9a+PDXq=!1=Z~W|FwjlkZ|*f1Buxw_TM@CI+3)Qe;<{2T4e8*b|pt!+^`e>0GMBD4PNoMbn7s}xmP zPQRgSo6}Wkp%`DzH=rp}Jxrlv>{3`HH*o{?{vIdil!3&O#(6>I2G3}mx^8B+`tPi`T}Zk zhOpRZd`ynf?a9)!nQ^VZHvZPNzOd+t*B|+-(7x~@FOWJgna|yaj_XmzzF7w1Pzmrs&VJp!k9) zP%HToxVI>6%JAXRTuq8z^&;DOtL1L8)Y#a|rYtEnmarJ>BJb&l<{f|EayXVKSb-exRdqb0hmccUY~ z-aPXgQK=fmOuPB%;aBw zt3UmpIt{bi(v^u5d-yg3wVXDL*FVi0#D5wrl%isASYgEMtkXMeHErS`)f-2O4Jsj6 zyy;WLo)ML*BpRy_T_SoSR2p1xW9tpLS?no=_8V>VS4! zl@A1E!G|}taws39I)n+h!>)c?z2{7mVmcNUfZTNER+ub{za%W@(>#fl@t#&zsnj)< zDiUgi7!)uX%_gw0$*m$ADY8`c%4_5hUdaa3mAM>f>deNk5pB}7<<(u+{#VsnL8?uo z;8*jC;N>U*(a8L26G&j#+&OUMFM69ColspH)eMB8e^aI{4Qu11 zQzh+`tYR;JpuTFnbTlVd3!gwoQYdj4lox0zT8x=(DwQ-dxEM5)Y!t>pEjDA4KAWWx zv$V3|I1lJyv4%*Vg4zM9260;<)%=i|AKIyVPF~K6O(5Z@%Mtuy%tYNq>%3-`G4wwGOflb23^qm@nwaTp(-dW z6f5W;{`&&PNx5GRRYPm+PL{_h!W2r)Lydi>iQ74ij}ZjCq-bIrM;w~NMf{))V zQ?+uWQA(pWU>dhq!AGbOHIL~7;IFb?XiX0Ixp;6Lv$D^@Ta@Il8QGr&G(VCQDYdp6 z^tYKz)C#J!Gwt70H(^CBdp7yJ3|=c(k$Zp`<8|$emFK9c`}7<0+LV&cQ>vP(bgY+j znn9=g*wx+hD^TyKh4tH+wzTC?$ZmBLRgi&mK(7F2|yP!SDk64~S04(yLHkq?l z1s~a>&9!#9l$)ZxDPOi8R9%m5>M2WCQqhjtdz9{CppsJd_s+G2yQgPSYpmi`eLn1> z(>|_6u~WHKiKcKDCSyRG8~GY3`+$%rSIt{3r?gpOE;U5wRcOME3>BAKF;h7QIfvS! zJrR}fVK^v(ZDR$`b`fAZocotGz6^cv5nlJbCs-}x^lafA_YmH&*a4_ibxdOR+7#HO zah78`28{~sDU2B)#hA)Hz!xK&CLC@_zZ+3}07(U)Cn?fd)WEjce_i<7yuSR!bflZT z8=645?Sx9S8$}8mqf(9%e0PgvNhnK3zeZ9=qf=I3OH8!Mg*V_H_P_qAABR!8pgQ~U zvAcN-jQZ|;GmcA?s6WDHUu$}VVBg3_ZONm zPp0Q{7#AXOF83{8Z)J6Hb+$BOSUj-V7|n*4H6=TiXQVDvDYy%MplYbFhAMBYX7D7N zae#*>9Em2R`HtjmjL2O5DEFt*GPc%y z2W^;s#7qUG#a8*wJo9D_AYlelCRA@&Z(m&*N%yfwmR-+pm6PsZJDieH;97GtIn6#& zO$6`U!yKx61!x$5PB*F+d)YYHt;tl$Fl7dOL4(#xBb}VhYLFM|9=+q&J6O`IIxvMu zbFp0ODfS$19V@UhJ1i=z+*>T_y*n(jI9U&;Rcg6S`=CnTXtApLENWE_u+$qqX4=!( zCTOlEQ`z)hOMF~i2wHAJlc7r6*Iqu!d`TLRNDihSOOJMDTz%yVNF|v-3m6tG2lDLR z>L5_DJQuA%MasYatpPp_z1ZjF61^GW0gtl#_fwSnMd>@;bE!AEH=D|zUP_Ap zky%`rTLxteJRF4N7DXPkES+NXCULC1 zF{59vGO#tN%A#>({Hy@@Q*159710y?RYPM;E($9SUUSUbeO`X{dEGMz zSI({ZKd>-0&R;12=NGg6@~_Aad?D{vdNsRx-`+rBKE1JlpF-YaH+a@{`8$}_;}|D>Is0oz^6hN>6e*C=YvPQo5h z3zn^zP`;v`zrow2)Q>s+jd{ogrp=;F#m6d3474)&PV(~zP$SjRG**l+H1q1IAM0S# zkagfIKc=(&@myh?=gCh=5+b0xw!r9m?gfhV#bO9bU2^~dI~JlGpeSv3RTq~ZxDymY z{1f=GP=((9x%~fJ$|WYTHD6n+9G21(Hkqw3D9(!aXk=R+2kyaxv=JXs8+mtab-D`a z-JuP|1&K|;isOwq05V^Nj&Jc7+9Fik^g2)ZbCy053(R>CdBmNuR3Ri)Af_s2VBL!c zI%njNfau?w7ogc1e|NPiO|vD03jKe5E$g4NK3RAlmhzLHr*V-UbgqD_;&IA)`#a#$ zi7^l5st1pBm!Ir&2B(H!*=Jrny9YM?Mx+$+zv`NnXpFTm__BTIqxx1`IuoFz1}P&U9i|Lk|z?BSXD z2?I{jqhZWCBRDVc>&E=#3gDf%Z# z$$qHoI7NCtL%K9BAG`O?*!*$Tuv?X>rnTzQ{dL4+%gwag@_fwb^W}E&`~nyd(4Y4Syf~Tt>W)8l;7}-OZruxRXI>i5reg@> ze@;Y6aYz`1OVm0m>lw@V$|-2*mz_A?4eu zkvWQCQ*9Col7!+vx{#R@g3B*&16u;MtYQ3Y20J-9+B*uzh>S}Xrta5<8tPZc;&7mjx|mIqYNSW%zyL1>T(Jb##EO9Qs?%F zj{nU9`z)b!dhW65`C#)X1h_d-Q=K<%J2?!~f424F>i7`*qIWzq0RR<50p zG2jMcNK}jhV$5TLo8~GX zO^<>@s3es!5}>T1<5c_cj47=QMvc5OUy+_o!#e8$WL@x90Y;qyXUOs~Mf%dB!nO*$ zKFCqZw^E#DT0vZ5z=5k)#}*^}koqco500j00os-xGl6D%kApSIWHFhu;8EUQrY1aB zREn6nj&XakI_UXqVtn}6j}QIHhm=**9zf7cbqUK`$-y>FFB5I^kAwUwXIH~R7yaIvK`6+2E^BLTk&!Q}5vcIFZS zN;AY4S#L4|Be^l336I-SV(2->RnO+W^`QqIJNU~nO9*nAo-`W8wG96{0&&;OnWpP;xPq28P8s7hCx;b4Hx` z!AZ2(ixQsYeyU@dt3gVqLwkZ~9@Dba#4#6-JMU#@F^$J7COYuw z0DQu+C3wG0b(Ykjm*N^Nj`#Ao(!|J5RN6Uigp;@~gwTQ-uhg+6o5>4>^&xq0d@J62 zx)-YKZ{vDd=Q@^-nKWl;=i8lcz+uA zp-hTgVvr0ccz2OgP}_HedGB?oulxYJG>sd04)^p#FtweDMC&QR#;1 zq4e>3w;W7esExx|pj7RK@)0CP0S~#sr^2Fk2T%@8k7F@JBNgZZWpYEMD3g?<9G7ZS ztdkIrU4tP8`wWWYP!W(luFX@_v5g~GyL)qU)c%RbNmgETE4KXvrK50MJ&^STI^9yx zO^`n0mXjZTqTBpvW>I-jcXv{f1FX+A?6cGup58GHyC73oLS5!@-q zK6Aa_`ZQM?Bmo7DR!C^klqYxXhduTkrKlqGQs3BfbT4=4#ud~0-{yg(S1gBOo z0PsTPhr<25%R?!Tt%EYYEL0*SOp|>p2-*iHKN(j)pc3)6lYm0@o7RaGosbgA?l?s5 z-KCAZ<*5F$K&Y zZzI1TqkfK|MpZ@T+xgy;s?aj!&8h0{7Y}Ya+S#hB&kAHy>Sx^O`jzFc=s#eZEZ@OFPXmlrk)Lel-%-H<&(aUXV zwKy07XI8gnzRibTtVB^|ck{S{PYL@&MYHLUHN{s|;KNr{=gHN|t_>7vck`O0p5gWE zpM=`Z#IB@Q8|3!jY|@)W)FZlYgbzKBrm8$+W`AZaFjPpRhR`CLt&zTjPfNqB`DLok zyfUC>$91xp0Xqgof>}SYjft$0q>LyN#x}9@V7o5WW>E7!*qbCMgB1$8jkpRgQ^#A8 z*Y2oPelmCvAbn}PO-|krUx@#Dw!Bpw{gyBdOnLXlkNb7dj5qah+ezfNWddAXr&{y* zb8&smn+c4*rMLkyJj+e)bq@?SSO0i>%(y+g-I0dH+FVwS;aq{I*0`6ol((tYX=q`# zrE45zwuMudXZ;gyt!rdl>eU zCS~yHdbE2vWW&7K#?kq~?Ek3pZQcZ~U49aN+PY+)0P{UzxEeD2#u?SNbYhFC-j(Y5 z7N>T0>RP&bMyVf=*cx7jWTsIQ{8yIn)579RVwXJ`m@{F^+RQ~%%m&@{E@idqxO^owJ?_CG{ zIehHwK<1PyYBDr1ZL&e;&zmnI7<0-!+{5`yO~blGqBK7ZwlrD-PV-9EA_s#+uPao; z+knuB8P7NP=TrupS`y+X@riV|P1oKTI(?rkhSgrY3RMWFz^`B$nVBh z6N+-HB!>l$<7G*2nv}+M8Yy6P#;w=&+frPOWz^?)T!oK-Y{pNy-~~&!UFia93D*}8 zR*>>jpW^j%^i!Zf`*Q)%CjqhL^6XpLcuX5;tm>$xZ9p{z6Gpul0?y6gxUxM90UB;A z{L!{UFrJAiA2BrtE$82jmI<@WP18|v+5D7i=VLCyD^Jip7$>Vd1H8Czb z_PfygYW&NzLZ_n<$Go>r9_v19y;mN~Mk(&*dh5{Z@ie?H14ttjd*l3jj5`_P>Xlh~KrB=G)CIjEx zOmQ2aErNqBQ;p798AQ8Y!@`{F4-E*YJ|A4M7)RpNB5m9{H%abIBx1^x$J~%8RiRq9 z!qr)9D~8WhY3(PxazPk*&(NjlQLWT%;sBz6F;449fx2mmh#3Y^%*20&$&tORzQ%cK zA2IEZKXQ!nNEFki%8J#AwuhLkai(dq5B=rl?a5~y%j=jQ_s$@hw%zr9$pR7%*J6Yd zNeE@khPUE#2nbB|^ms<(lW^3D&!MZRvtF$7x!0opZGU*xQ9Lm}nS3wo+){^_| zj!HlJ8Nfv7%Tp=<7vq?`7|R@3$q?!l!NxxwRx1r?YvTzXd22`Hgktl%5~++sP#fj7 z&?7v08DtIUnvbd8vJ1?$a$uoxYK6BRhoKue#uli$QiEA#+>i`D5-~j5%V&$Xbqr%?GqFQm5Wco2s!TngpTxwZZFBOI== zgKYzTq#bjs$0JpZ=5C!AJ7)EZ1z!!*9?D7dJ-o8;U4Q7lv}wlz z);B*J0dL8(>4@fi!r1SBhdz-6m){Jhg;s(z7JYVFeGdM{$6%VM4kit3#fKTr8a5q- z8ZW#J-59sM2d$TB-1iYWn<$#Ns;vNyt#-{trEb}6xO-$X&tpkoB~OJ z!_*z^Hfce5xyaAwO2UoZH(_jh!i-o99c{fZV6iKb;& zon2iBRBe2HT3j4XHno-G)9Gq^8Lp34eSHA=KA1O?yN|1bs2{FImvZW)U%;{G(&Q?bxOh zo^bv2XBj3may>hO0GyzZm*%HvvMf$nY2od^L>6(v7a2z(RG{l$m2pRc8?yAF(>-SK z9kGnRqehI~>|>N*a!#?)RFlj;@1#P@JYIM^^?^VStbV@7)*#?I*Gb|X@al^9(8nWT zy6DM=k8<->lZYj`ksHtLfwfrRPBrG{vclLSR^kwT@%8p#??KAR!`@C~l?1-uGufZ) zwDw?iOY@uqW6}^FYwlu00i;pueW=Q^gXuAbu4|D`WCDuM3R8M7jZCO$<`=rg^wH zj>v&iETprue~MsWw=-l^_mTX{TnOvm2s_C-K?I}6tZ`8wS3&1S+Rf4$qJc(9GZOJ* z0;YMhKlfz?0<}twpJwAS-ayC2Zc`7DdONz?-d^Bw7;uf@Kt<+(%^cFjG=SBfji_z1 zSx`UGyCWK4`J?s9Wc6*oU#+PMd!2KL$}&r8F~p?Tg3$EmZDgjA%Q+B-?NWU&vg!8H zbMW)}D_r-n_3&%i8uOmd`3dnU>%-^I;r*W**sVz{{~O&>dajap3;%h7Z22_Y~K+k4W#N3?R%sxxrR)Byer(I%yAh z>6CTQ9er22(6y!vS^t}zbjiZc7v0}WS@A`tA{meAfn<8=uI*8Hxmkj(UoQb);A z*-U-jaP~5F686nn*V%hjWrS@@1NT44dI>E+6_q7rmVl1#`$_)b76)S=BrXjB4eY?b z*YPSec13sKPKCcGt&W41Ge-*3LU?yiLKBjWPOnLcz&{){Ff|P`j|Zgllb}EuVhY)i zQWMVDAw^EI>x^e*9Ln1s4TTwu-Z46EG{w8}co5hxbv=zGt+RoS8-w|bigN3_e;C3lSA^_SUAb9um|+$>uVPWpb9WZBaYSD9v8FleBMk(A zrNE`Ka5r~x51{JV)1s|%mPKe-+pXwdxQf&$+NdvLxG)yYPEvcbviYFAD?7tyT~Pn8=y#rBdBXF z7t7R(l!u@SkWbA24Xtod#f73J9F4t>wnG*s~|SuO8jQ8zRsuS-pSTfT#hSc=JObxoz4roUC< zR&!|&OuTGnz)Pw#sc3yB9d9=%269rOo6#-{$7$^Esau$73Du*?n~*^R5OX>*BG3xSAOU{9>?-Je@FvtQNg9&JFLG04!WQ3Vs@PbQD$ zz>V$&+h2g-(r2x@lcno6d!>?iYhHNC@9Iz29R4t|#9I;=*d_~XUGyuwPij_xui%yA z&#SvCt@A(oDk;5+cCAW*P@;pFcU#3*rgvbxPv+6jHl$6l%`)NF2uR|3w`M@yk8btK zMm){eb+{t{X>!_Yl1Lls{E&z!JJ_zE##Tvc{)arJqa8;lWOuFhqoUjWFY%3f+NSyZ zj21vVh>C4sDKXyJK=hmmBm2fx0UNvP9of+YWwTDhNyg~B;Oom#Ubi^B5!ZeZumu}W zNADqNuXL*DGZn`ykLZ##St2TdEW971J{w8NFPN|r6^}0|R`A8O%dh$f_uJWO2DaYZ z4J|>FE!2H^>AsgFT<4`Xw1zMKGC{W}Ov{=F;LhW0ql*YW-J=*b)9hrKRPF7=SdyH( zqJWs>r*C3zNZ&-lb;|(;(&UL3=FI#!GHsQG#|;@fNP~{x?OG@|Jy>}b+ZV&+ag(J-2tr=fY*#{Zo0fcUGG{v zdf;}jfvyKn#AfMR*;Hlj>!s#QkqUkyTPBNfx;w%jdZyiKPbh1vmhiT;#?Y&uVC#-- zQoaTghmBzGjI|^L3^HV1a~kl%NveF^t*jYc(9y1O*&Koug6lW+2EA8X#{ha`!ovBM z72BsBsfS3e9jCOR&5GaUH&PEAd-@}`v?+gxC!{KGG4MRYx&p|JM>B%eiP{dN9!NU^ zhoq}=ItJ2`><6jdv^6&i-}~8UV)YYAtHs!O-zF)594MHw{Z5wTVUd!Tu3ZddW%{-;n>U~_5 z%EEfk^on@=FPq})v-{^K;`>GW5t&81!J(|WMc%1mPaqRQW;8l5zkZwQ&FAvcCF`Rb z?@(!}+1P?iMtV-ZBO>x?t83W^Z?w`4QZV(DYI52v$)H`r*@I8&4%qzfRW2K7 zbP0?P;|3SxbuRuAdaktqy108ldUWo+Zl7}>`gmtdWArAH9eZk(TU*EKEMK<#7W97k zi#wcpC^&uD^6s;?M6l(5x`H0>8^k-{j6@*=R?Tw#Vao26Z3^(=GZvg-=m%GP?|yb2 zi9a@gIQ8@XbI0J*CFK1Q<2LaC4UQJ_p>O$|3}E~Gta?6k=~UW`J7WtKSg9E_=VEd>2#bJ%GszaQKo zGZm(tK0gC=hRXeG)AcrBLu$f?c~Jg{rFkRXz6*>{Zpzu}NUb^X zA~wSgRp1XHIFDEQN-9pafH{~mH7eAWP$+|Wzt~7$Ylu!0EAZ2$(>b_DD)|R$@BJ2N6^rQ#8Z%L%7ju(B5_8mZ z@JIg5V0&PjO!FWaIzlff5z(>xXk;%+Y717hiq3VUsyFX;4Q9tt#$UW3uI?VWwW-5# zvHWmAcA2(m-D#9WYV=Xjvn@&4A&84Q4Lce41sxky#i^!Tr;F<6eBrQR5m8CFap$N) zhE~SbQu(@Fd!&Yt%!<0?fJ}@#Dyev%@I(i5O8ws-3Q#8gm3-><3`sJb5uZ-Ed}r@_ z2=Q*`XjcYgo%Uqo#kK4%>pl(SYZ|D~P_GxO>n^I*Sv=?QmLB}eGWMS;t(BSG18#0l z(ydW^9!VV0rg(cyy`C3UJ22M@T<5$n|op!1a^vP_W3`LDA7UA%47*J-A0S`5vP zoiye5RW~**Xq77K2u>x2fwl^Xatr)X$S!1t`so|*SMprW3BE3c(7WmJ$G=@JMDLMc zh1b3fvN1fqFnffF`Z9g~=d#$J@AoHk#$fMd|8>t|u+?bf;zkTj+S(-k;dFc8!Gm-4 zaHv8w98fPHPP8HZeNRqlQ@$z{(@T5i>6xFh6mknr$mWJxmw`9`mUHliU^QD zf-d#gT8A8nhI4-^j15sM7=i_IoH?d-^33^OYwtvu2wBhj|IHR}GDUNZ^HV19_15oS z&hQ~z$c6xQbi|@rThuI-JBweP$u-0%j2ez>xH@BHIO057C|kA^Ht>@W+z`tUPx%A& z*z7MDl;0X7*MQo#m}%6gr7e(&>Q#}E9YAnQkRO``)*hjhHkV7R^LM5&!xtk;?O+N| zx83IL9x&)F;=|!c`A__p|C#z=t%PihzYXi*UEUuCImUSBW%cP)hSChF_D8CNSd^KE z0^App(8`=N@M-y~H|9w+ck`4&Gpi<~NciMjyJ(T`C3s|ry056)8xA7x>p+9ztblY- z%WjxYH-aOTI;6jdIZ~}WP1_kVT*`L}|5NBx?&Jh>ruQO?fS<6Wp0(tGpeRC zGi+ZbeqVTUHmDmSoG23aG|DS;?qm7Al!r0#Jx1{zO5I50H+&E#Jc{2H6aefL`2K0; zr+Th-dm8$zEl?PU4epH@>faM13i&;b-3?~L43kpZa0-8u7dsq2#O9A0xlRx2tBi~D z4)-JBCA5Zk7kcY+!YGhA5mzNFz8|$OB;ugbDx=WSOsHhkg5@Z_W(A^G319)jUsf0_oRj*1O}hSKBe~rbG7sdxHJE zF{P-qSMf7b=Uo!Z$K!3Hq9@I{4&yrUmc9Y{Y)w@-WRito895|XivaF zfRq3}&%WzWRMy~mH5w0L_#?ldmzgL%bOpXuzaRQIyT z$2Zbj_8RMmA^kUD4w^L0e-Pqosm}{dC~@DYY8||vmKVpMC^XzrK6ti{^R*z~ zQ^!IX`3tW%lARLRE;l7=>&DsB-zxgo&3*Ffe?^#5a6Li9e7gbY%=)`d7_UPwwE9YU zHQfj&PL!aU^k(gWBGmKlgM)*`_Oe6*8Y~*7CX|k4S}0o@l;Bu;O1e+cjV0cJ_?cG1 z6$_#CIm{|sUx%l6t_XV6IMsHqYXmDr)&o*T872M^@1Im*6P{E((sam% zU0YW5SQH!7;lv7n94T@+iuAjaxWY;+JA%>>tv^Y=sIX}@lAz4R0_1G9;Kta(nE&2j z!Sr#Gj3YYI>xrQ~t@z-Ms0{=gP((lRLGw+r3aWB(nR-R*<@=z^W7QhaC+zeG5SNMl zNOz|Mh(?sMM;1Ab7s%+$#fjul?xAHQCQu~4zZrV$B2?SH4mq>NG~`QOJh~xD=`X>9 z1}go9mV9TA&0ldwu+p=K^amn(6^tH(l3DTe$oC^+y6Gdc?W7TmkQ=VQf*)Oa)|7xq zHB}i(tG%oISATMlcBCCqp+q4z$V>z7zK;upm+>(k%n44*84f8JO%}w16ocM3piNs^ zm9vntK`f?hRwY%wPyZ4jyr5;CN6*X4dyN-kDklZ!C7}5nKkG<}tZKt9tIPu_wzU~4 zM95*Nw&Uh=O55F0C)p~=66-S}%j6X*r{@l9K}rLKx=jOS@q_lR;euCI53JtBmX6wQX$%S3_dPI?X6`L{!M zMpviuN2FBLKD*XPq<5ynd#ozZQVWg`CGAsTEGs)exS$*S^ngVr*3z)knC9Q&DdZ~E zP{RnVs2e12wuk+3nI2aqL&O0#!}gPBj@?X}%Z5&SBf7(OG&t+&1Xt8BYQys*ksmaX zy;QN@E64{0JQ!t)8nlGuAlYpAUrCLuaQ+_LRo}nF^)zm_Vs(x*TI2coCN9a$H{}*A z(1AA-@sjuaY6k@->!M1d!r~@SA4>Anbad*xX0ou+zOOXsd3osRANXM}=HK*ExR;R5 z^ed&%l2%fm0x1%A-(fDi_4=jA+7!x~>zhv&lbTYVV|e_mt!J%C_K`b1evaLBt051K zs`nQKP@Qk7VUt*XiI$EZCIYRc^3ASz9wr$(oZQHhO+qSvew(Z_++qP}%_BnBHy!TlZ^;;R4ImaBUE3Q$O z07XSrMt}nWcrjWU9nKbfB#D0XPArvE&vwwa8c;8Dn^aETrog3#xo?#HPzWm&n&~Dn zct$Z5p*~#kox`c7V@OMX+i8RLV0taXEjyX(LD!1fkZro_MBgcv|JN%L0j7jn35iE~3j#76Y+i%*u&M$EZV) zRjTG1P>yCRhO?&v-W_x!abe3y;#^;LQ`nH7U@)50-eamb!kmV0Uv7;eoTQdW(E}g= zIsPpl#>jS6zIyu_uLjQ-T^0Te;55o3G4V{g=u|_FBK4J`EMQGAKYbPoyc#T+YcRiS zWYv=bMqga0AbVTKnaR7_*K|?4kGQ;M zf3dVCeIHuFlEG52A0&80C?ok!UoyT>;eKG&Is!cO>m*oi3J=K>5r!c0VctrCMo$Qa zOmEDV$5Y|ZR~4@$FJfNVWR#nVvaz_KL!USS*-w7Q%vY&(3b|pInW-3>2t`&qThH_q zpg#Z*l_;CU`%g|h ztfgMgY(;}9jw2r%PyGr{wm$2~MUFbaMCiye{$&OAOwGMV;O0_fRMz&P_bYX98U4<2 z77dX8z$YZRR1C#3j5(Bkg4~etsKq|X<)HIz%*$q1VI4e!oLA}p)K2Py96pcai zb8&%lIpENk705@kXuiHttc+f?czr%JUZ?F9jWOloP*Hok8vj2Vbc(`c zqM+?RLw_5MCzC(h_q$OWTA`BoE4wF;jjGR!j*XGxgW*Y+QK9}UmrJLSnmw~qye{ZZ z6R<@alPQ$YOF&DeHZNiXYwB`=)71aGBEDt+gTyr^H`3#j*r2@DsDxH zTO^+25v;*HA5iIx`XW0Meo#zN$VPS@7A!x*A&g#$FO|uwlB+MR1~oC5n@k!SA8%zC zkw{q9-}m$^HJ|gGYF-I0qJMhc1)`J`Ic`6qs??9-)0x0GrtxR98dFkKrjt%awBJw! z4k1-)3ng5Ui|LcY_0nl-@jB~LY?q$_br-egMn0x1Rp?p$W>IyUYooGsvNjbk9np@T z$a&kx_B6rB{=l%QhCLgX&JzFqFKPH2dHH|nl6CD;g^g>sgmes`6ncOJh;lHqj#jPp|flHTY% zN}C~NDh2F`<=Zk?S4a}u`(@KWaJ8(FhO7)e)@kx)XEY+$1t6rz)g_T^{#y1;5Ia`H z8ScvKngP9kQuRw$4k-=0gT6_Xk8XyvKshW!L>&wC6OYCI8da}n{0VJjH8}UaounK} zR(K^yZWzbiy_&a_?Di8I5h2$ohA1tuFhRIQ_KlX5KJ``o1rEi(zo9kFqY1+l(^^p| zGC~drOaC#0d}V7B?XEUT1!fdLRAl#fx6cOpW|ca&Z=1aNl%(p%bf?-duPT9q+oSZY zsBJ6!kv(Kf2Kw6jqrAL3U{}WK;M+ZM-1-k6APf#3Fl@IHD2#+A9R=nHvx7cmp3IA} zZ*+o<+>w%Bn~e#^*LQ!J&|=GWF&|=tE-SWjr&!z0}wy13YU01-CIN$ z`*h$iNFSWu>t386Q)Kt3Ci(cBytO9dQhS|%b?%Lc6q8Ip+azvl^zA5!`|i9szYu2UunH5rji?XUq{dCXnV}(qX!`%!gFusuT54NU@NaWth;n`1T;25@(}og z(FDRA4v%56>a*F{+a&^(F=fP?0Fq=P6@~-jS@-;Vy>MfN$AXi^{8@QBw+ta<(-;PU z0MX*OfmCXQPi~Q>;iwS_!pCP%Lw)?_`m4c9!K70VEPT0Tt^YA>5Au|~$J2Jei#RIq^ z#AG}7<5*)p0FN;({Zo*t*nw~BVpx3os|HwS9AILUNms|S@?4ORF@3eEmKw1ZBE+Na zq!y6a(^gEyro22yAVmg0y)L3sn%V7{nn4{@jD$L#+LTkwd<9$$B4~hmd@7nj6MiQK z=9}yj+s;7j`h-|sE!POL8Y_DHiE;=-3j@Pxo(e=@gs%+#>WZx3ofm!4>d6FCvMo*Uoori?`;L;=<8yd{Ul z!JFfOw;tssrE6YfyI(&?BgJ#$ie~cm%gS}rwejM5iIpoq zcS**s*G1NXr7%AWb9N5m2wBURm6d1Ql?%%oG{GX4oOfJ&wiNU-hQFZrslFl-N4w=m zHw|s6s3TOWj zsnL8uc--5WSWQ83RkXdP!A;YV*59OkZ%&Ri zo1H7688vTc{wba{_k)vf&$7qf2Fk?|&`KAOa$T$Iz4U-B=t1r8^I1Vz5TXfSN>4q_FhQaGJw>ZVTB zJ~q)*QR3(Ql;D%Dh?){sr+d(F{HmJFiRH#Zzu!l%P=83QHJy?DmT-u@my=>PxytP_ zF|21mHo2%ynahdN82yKJUeoxB9hXB<>5^Nrcych=;bRqr^TAtY^m|`AHYpVn$>lGM zt^LHJBi(Kb2pob~QFMy3!OysH{jK0+7sulI0)O}th0YN=XK322OdQ@IBq)J@xOPux zI)@6KUS%`gsb!3q>45#Ns&@S6dLXkzbQVGjVag{&^@s)G0z^n$duTXnH&_Lql>tcY{(v&LdGLvtmTFz7ziVU=@DwMpDB(FRO_LcD!Hx2%i4UFG?%I<)eOo2LDlwQK(N?H756|LXZ2 z(}(}fTXJ@YUu6I^Tb=3_cWZZ)jw(IO9LKG9;q7S5Lrvz{**$%gJInI`HL7RAvnfjKkU9&C6UP{0)G1d zFL&a=z~r(F=DLDG&}#0;0m(}*axt17jC=>OSRm#SmyHpDgjZ^*t~?^WIOcHck~6=0 z33@L#^5I_CGe>;JP1-ZM$rbwZoZH?l^v;?jRIc7qs-GEtRi^T|tiZQA|7U&iSna}B z`AY_c?_#VBa?b+eq?Y}HgOd)^hh|0oYDe{`SxmR(xx;H}o7dvf#q0iK2-@)Yd?NmZ zTo#E}F6$7P<0npFdJMVeb&#GHF^wGP0rX9TBb1MS6@tMMn9uOwD>Eu2+*8;_<2}hA z!iN>rsox!@FzI-k@E!C9_u7IFH|KW>as^<>yaSpKP3GbYkQn!_M1`OgCTS7fj9@Ba zLrCEi-WHlf^kLu`sweAS*ROaBDSe zVQO3P;5unqVdd%)za!gqUgd73Efi0?_>+L^P2QBUIr_xTZHl<_iK%TUX?Q{KK1##7rtyb`h#Z}FJAY;}ER z>L8(F&MCq~c{%aR81&>Cz_EW;&mwa;Y?>?sTANA>hh&C1#_)^Z$GP#Wryu7kqbD)Tv&Nv5G>ds<6KBY?`k4Bh$kfX0mysU46oPI}f7aj@N9J&xrb0c9`Q! z*e~yZnDFti21DELRF}3l>q7wIw;59#l~_{?tqHm8$YcFaH$d1zt21coX3t_R}Khnc8;807d&vlZoZ(I-Q-} zOj>q-GkU?73p*R%hXbZ99hG7M)5n_EWFYIBnRb|Z(zhzujyY^h8MJsveyBoGV;Iak zCEtxn=tuvKN5#5wfUsnX;|#EqojCU)IRemi8>=4*S>R+g!of##U+CL~uc)a7smjSY zg;shXTccu+Y z#>u8bMY7F#@GaHhlR#L3ahZhs>eKt?WK3%LFE5q;ggsm!LjLIoMOYWMkW{ju`gIt4cnSeGmGbp}EPps2LC zrRkff*G`hW^a@0ZZ^7k*$S7xqkGKpKbFk&BB`u2cMiQQVAn+$N^%Fk4#RA6JQVgcz zVw>bJxV@x}@jN8Lv!m10^n7rb4%c+QXb9eX(Wm=FBG|tujL|ttk_C620ajwpt~{`I}!$wBKgrV)2a%#&&B zP1RddawoGus%&&j_%qV)d-P5f`gNbvSp)EH*Tx01n4o6^r=GHz3FXVtXU%jqhC1jN zf&-*+8b#UDEbw?PHx#g(2DT(Oo&${~`u)%$N;6;c=UleF(!640^;qk{gcqEyoQN!> zPNT=Umeh4BAA+eeOWK9#)RuHrJTY!i(1s&6`j1603eEH6p@c@HdSlKi=0()=Q03lq ze$w+)Ytdb1VLRH+d6gq99VzMCd4vup6l`}H_W~vYj369bJov^h=k=*+JPRD0>v6jX z3>rlHYQ^tCE!8|gTpa!)ZiQp?^z0CGpdD{o{CURCR5q$i#p6P=OsUF9Zvmy*U|Ym~ zUT{IA=%jcsrK=5fI+i`3ZGMPwXwfe{l9LBI!J|(9SH|q?y-WaXReO^JhI|xa*YqqF zSViAjfk-<6PG@mYQ2W}^nMXP(bh4JeX|R2%q8gd{;&drrNcM|r@zbHMbtE69661zb zTxl=;FehiYgIJyVg<29A+_nmK1M2jm#$@*+&p!E!Mq+{-Rm5A_BBR&4|ZgJ%Tw3JN4I6r2(XpWd6nylwPZ zbP$KT&5es@dw|>5N1KB`vG@b|^oXQacGbqq=+&MyNsAhEnzM->=lOVo-q@J)l~{;v!0aR^+l z6RafTcfNQB= zDVk(}ykkt#r_1}mjH^}c;loc`##$a@Xq~NKg#^ORqQycoBnM8Wh@(i^7XU`uQDIzA zX+HgGlat_A*qP@v#Tpp~lfkI=4MkfnTqc>9Ijpa*5{LH`)O>&Ma92-Q@^9?LDpBVa zupnU0h1#+s<*X*1$t;p|Ky)lL*g+jjj3_1$=jOsa%CDMyslwAdkOe{8r$-v)J00R5 z0?=2QqlK93<*i~I)5*H6U;~EhGk3xgg~k5~hJ1p=NMRtc^4U(!(fdEtgG#t~P_{2z ztkvu9lQkMtijpwQl7=n|05Kt7buejM;^SUDpARRa?C?E*(PV_EC^wC_ z#ClF~&;$)$dop1gA^?lwEoz*IGwrOmCsq+5OB3c(0*`fO1O>kZl)+#*5aymLM}yXS zEmZES%lv(JOM%HB&sTEskW}JKJ|vup&?K7PyfiC(RuKXAr&K2#q&gTyRmQtrg@=d$d&|Vmnq#X+QNj|nSwX>K4&vv>r*J8IB(o6SB3g5g z)2Waz*&{I(BN2l(iqvaptdV{B80e7TcoOX55&Wn|zS%RU3TrE@M2fbPr@IkG?Fk@ zbfo{GbMg?pOC}-y?eGN7`AuDhu%wKLFCmht9~yOChCUrE7hb%-cc^Zx6LrTP0ztg( z4LH#B0dEIRdfAR#nF`+MbGia<=ptz6Sr+P;72+$`OAmUfUX)w;aSBY4fU=|P4W zZy%YjTx+P-4YzgWLPD2vHLo|Cy)OeubmZ_5Z@IdySm1M9=~h2SM+eSqpjCD)sHOMa z4#zt(-L!exYIVQ;p5fiI;QEb(rVS3r@UFAe&0y1|EsZ%`0_R1?8?7=C90{=0I`iG3C0+lSAd zuHoGO;4G>{92`sfWRk+8X*bB0z=`vu7MqpTOC;Y(3KkTM)Ba}BJOHm-KD?mpZRza@l0pv89--$V_87NyH2_nbP{GHSU`GPY4V3BF zUJcAwkHn4-Cs$k>JStPc#f0L1sXD0(||m# zpOKuqrgu=4vIW9JHxZMSc+VP}+YnEb33D1|x3TDLeV;&SaiWM$Zq`Uq^4q`*z~EGd zVJ7vYvg7rBg!UuU-t)zlk%$2r@v>>K^oDXG=#~U2O5)!p9TToyk9A${&^Pzx62^P*H60tXB2 zV=>bHX^k|#>%lUVmQL%qew%S#YZojt6jLU=dJMrFf*KuNx>@dUWoZ?pWc! z?X|aVG>BwEs~V(Jy_6@@185C9!A>3Y=%kvzu{WAbxYP~(&{qM7y)e%EKJFS>m zI3uat?|mpp8bEiJee@#b{T|_$OEAw%P^GGn1b~P%y1rKU`zRdYj216xY-BI>v<)``(^)Nx{0> zUT5}rSto^ki#bELzS0OmPGMSS8|M%f{`FVgFfJY!1+`4@f?o;0=7V8FX8p_W*)r&NC{d}-s#)s{t1 ztxOlG+>T7%ttV9Yx29s}jeb6<$rxfGo2aWy@+Gs|p+NXWyZheifBts|vgW2r^!Y~C zqDk815tl0ZUq?q-4qz$Td{D{K$A`6`E zsVQw~7Qy{T2CI@M@`i+}0v$sltdQ@3H<$RoD-cykjA;`k2fK5!*<^49X08}l=`5to z?%*cuaV707pN1Tj0=OnQS(j7P1=))*Kf=;Y&mzGWj9X`3LM&SSAL=+FUNuG?`vP?+ z2OofZI5<*4myJ&NICbJpY0oPX@+%DvAj@nI$s6CZ~{I!iT1 zWreyQc^<-8-P-~4SOo{EtiLna;CJ6bkP5X@VBbJO8%(XBE3Z#Y^~|YG?#`6K;RoEL zFD1P$9sdaZ=1@mMFX#LFTOo7DJI~K+8@W5}9Q1(dA1rA>RVFm0sOJQF_V4FMAABrh zyRTPk5=o!l-Y(wTgLs*Te-ENsW%Bk_3*}qkNufw!(^K~!CAwKlBeD>fRXm>sd6#Rc zIpoMl_(Q_GiPVM*^+LYlovQwFmZE{dO4wLMIme|!%x_#@^O%&_xV=c2b|{;!^D;3h z^_4iKW{qwL^^b;w<&Srhyebo2vWo{%il3dTpGv03;~JMHSJNUs z!g-`1bzk{{1rN7uXQ!9zkKIIgf5`vy=@UhnXTJ|OHgFv6 zOe0lBqi)l_k0T%oO&=KcIc;pD)*9=2sj+eEw&EVKqml{8cQq?j1qQGI)(?U5<%_Zn zBc#Oz-x|UVk2ql`&T*fd1B3*1;8hX9qrp*xLjY4Ze;AeWp6k$+_<4rnEG+LLVtk|^ zx0K`0nvzznz~q^l1424ejlUyOA{|!XI0;T&&{Z33>mVaaj>fSJ{5?*(`kq#nVIXN3 zrk3?Gc$hQ`Pli^Qyk2JWik2sNi%gHrJntl_^+lVmqLGr+A>RnBpDnTrm;vHJvV|8B z*_|XSwv;vsDq!2M8n#2VO<{roE25bax@(S~G1TsFRz&;$_D>HO@&qL?8kz|HJ@@=s z*~;ckiy;uG}UNiihZMEeO;YnUARk1GoUD>)K z{$+V2(iz4M^9=<186twnFP$7ZzPuF2xlwOTKb+hSQ+2d-c6y|2|6R$i-`Z-qiP2W0 zT)3_j;tD2kJ{5uCT$Ua*L;?&vXEk6%7Z^vDPcrFwA8ZH?@pS#CVc7;3UMDibXcpY(Bje^zw4N;Jwl?hDsGk>)y**~7YcPneCT9BBQ2uoojINo5>-19B|^rnW^f zt7$@!++-{4xH(SK@8)R5)@Eq)g*ZTl^C9-&F1YV%CJsarLZAe|Q()I<&l^cniQ?ug zyRc@%wbOP4N(ffqlOVn^@^j35UnWh57715vl1B}*kpshceM%+iMh3kG9}->5e#n{y ziuXVXw{P7NSr{x~MkyZ}(zckl-0flrJsm%yMZrUplb^q&j|PTOJBxyD2)w-_m}pF= z9f1-xS6C{7POFRy?z{g#DA{3*QqG<1q|Y3XN2JJvO98-QlKA8>F|zq*c=7fi8e`g| zGDNp_|2{(#>1%3wz}bFa3~&Nj6ko$oG2~y>i6&;=!GAAkc-n?Ci-t;RA|WxzuD`8} z+Q$p8scSk5=Z>%`U3g-0(;V@-9?7r>AE#wX^rp{2*%`x!@WeDV-7*)3&nXp%wK=7P z_ERZ~0~xxiK+XW1uzU%#REg8-F2aN0nSI{!i5RV!NCke?5!U8$731nN!NXjdx!N5R znvv#MT4#sO5Ao*7D&M|&Gn6ziQQ>DU z!SrzQTSdUvXV&PxqW)8m4A(>K|4PkKoiwqnJBk3YYrhs~Tp*0GeJNWzQ)!>zk&Gs& zEUmy0h%7h(IyQG57`w>K2~@Q~Yl0%X+9N{L7`;X9B4LK1DBj`6-Pcl<(cqQ*g-wFW zMUUS7JO5278$yj00Ei~yWm2jlTQ6ie$$qKSsI`5$GOll4+dkadSw4JKgPgznwu0xa zY}2h0UE;EGiK)Dj24I?-sbg!oBug*|#i7TanUnE*?Iq?a6lXn^J*11Cb80H%6_yFa z39h06*kcx-k)W%6Bfc=QXwDCfzqV^#;A^?lAOgdTZAcDBPTR-+Rz$E%DBQi07TTZkLBtui|SHKIzf^FnO8_m zA@ATqKTVMZG#%SS9!at~%3Tv&YXY|fATS@4igh^JB7!9X)JkZDHvVx!@ptmCvb^4( z6n}3H#6C#Zy1Mj%e?HvW!6C65XMFDcV*4?p6n}_wi|=T@!nF@a_N-Y9$3|@M-ldED zVpd_1&!)v%70ij@%EQ*&N8_?LnU!rHBXVz7xyAorPA3;X8V$erM7RGi?(+sY*s_n? zysS;fwUcACfQ&Jw2?LmQot-Xn9jE8tilSELVkpXaUP)(~E_hKJ!(4vZTzxedp&r8n zH;`AE4H4(B=J~Lo{gFOy!ILhrW!(ld0wxE0j_D2&W2H>OL8|Dlv04xp%N* znoJ29*`2d`f&CQw!hu>qj4`7;c#Yc?Y!)=mILwnbzP9SU-L}`0eXIRK^A;z%IAa2r zGEOE22J5%P^sARnnxg12D^95(X9aS$=0vr79wann%9oLiXUSwyyyaH1y0Im??h|JH zQh^u>?cW=Ahho9=G3|2SPkN+owy5VaM7bdMqQJ0%Esd2R{YhmMQrPJdrRqzv=v9&L zWYZEavsbkB9bI;_m(NPGm&KyiAFi|342F#~cE5U)$Y)&9;;^1jo|P z#WzS4)SGRbpM~B1tufLJfo`vd^QpJB%tmUH2r^~aVcezBo}UfBkDi~NpO+s+3neKI zjJ})*G5r%j(eo5Q4x~RvPNJ{!xAFOm3l%R+#kvRyXEa09Td>%&>_5tNWD8U)X{1V6 z60!+m@h#$ttJMGI<)ILKohnPOiG|@-H@F_*;B?f|`L#8g=-2m;;pe=d=OvnT#?fDTi-b@B4hWZ*>q1Hc14~@Qk9;qG` zX_~e5im{e1f90#EyUSHiA}ne1HN9kCMiQbQ?vmxJeWOFXo9t<(*t6Tfvg@gTDCt@%lPl6Euu^9a2D~Q}3{goH#L+ zO5}mK>$Bh~0b*_wR<}Tj5?jWsTW(0zDN7|Mpl9gq@A$BO*!DW0Y#k$7I6vRo)^4!a zPNpugjY}%Xr;R09jf+eg+FMPlPOTAbLD*U9WmPlLe3L5 zw|!LZ&g~%DF&*(b92@s+(eYMiPUMaH83HIQMyIwoUFf^5tc(d~fU4 zYPmn^)(P_|^d6+`h))X|2NE-ra&~tfR|k+{s+aEo5_4{umWp9zKN~bIl;;@Q3?xhz zu%s~|Td6QIv4SwZl+oV_VxzwYh?|zlVoZNBN*%%3np`cBPOG#oQB}(&MVX6pcf>@`*2uHZ_jPaF&IJ%~&4#Wj`meWd zter65-10dn8ZH(sNg+9r^0b{5GGS1g;?iV58U$Tj{M%6q^0Z_G+b8?01 za-uv)FfbbsM`)4-b%|yz6XXGNg2r3bNFTcfpWllr*#e*toYUt?vWGzO1fu9{W;XOt zW09|-WYp=!3R=o7QZD8=Aq#y0{2(vq1Lne)(WpA1hL9xxxE`%EdlryQt^q*;KP={A z_AU0zd1|GshY(NSk&DJa$Z3e9n_52KrVsLsTGdL{qMFDfKNGSUS*_~(wR5bOCwwk0 zS{Ji}A?(<>!buc%?v(!-ubZM}dRP-Y_Ke1?x~yj^fxz-ND+V#+8}PcXicoBz#e_TR z+#)%Mj+nL7I=+dwaj^1rp%$$UE-a=oRbk7sX4Bv^mQqDRC~yuZQY(?#2$}EV^S(PboyhuB!DMm*sJ3B=>F=f<1~ z4y%(Gv}`wN=Qq3Mz~T+$P#r!RqjET1ZW`Z;EzWi%70l!Jl8_Dx1~3rR&Y8!cts>`s z454&Y;)O-clxP{fqfogcL%|p}LBTTfMYaV(m;gP89`dYEfI;UR?h8)1h*Tz8+2sv$ z-H_=YZbS9VmTl~m!`d47GDS~|tUBjgmxg}3E!Cura`5-1G4PA%<`hQSH3FCsWML%~K9ZNyR~_ZRr=})q_)jwx zPFqzecZP;7mKyE}wE_h3jgM}p+XiU5w?mEAUG+mceQ3g{KQEl1addXZbb1-64+7*` z6E%KI2RxtwvjZEee0CFcRhd6ig^<1uG2C4tgRgO`*CR;2KD9H|*qO^_HUvW#+!6*M_kLj57r0BCw0L#j07r2b(#jlI^}+>=D< z)*sxTD%eum29xTdy1$M~NExP3;fWXTyyAvfNPT+F)-9iHkviCEj$5|eM5Hi7I~>3+ zi}D+Yd)#SYl(X{j`wSk(_rep#H;oke)*Ru(vYZBREjYru z><=dCmVRQuTyy){(C!i^Pdtd1=py*8(#WB6B#;l~e>F{!Bb@~RSPLOrHGyAHjRNwE zrYXq*%C%VgWRF0!s>jP+Vn=#8iMXE^4t^PPiCgpxwdu?yf#HdE%|Vzj)yktw#TM&; z#6L>_X1+!cr9(hNC|~}PULW97)4xpElP6NKZWqBpJUlI3sow9#h6@g@Q{N7;K9gg- z_u{QIP=q(ey(#TJJq?o6^r<0!aDH*^|x$q`$3jZW8nbTpoT#YoFfHlamVb<3 z8O-6h;vpUNbuPr&#qD%eSh(HfBJ&P?4Ci#2T_y}~>y|=3pQ|&!WIkeUG4h6golHN`CM0cKNlET59|)JA5P7 zQg(@euY6aMGxmGY^ouq(9)=w$U*;Nn0#@(Ck&3Nw^u1hjxIA+RkL6PGUc*zHQoNvQ z5_9HU{ar`lB@Xx-(6$=B)g%!5pteEQxBhWrHf`s^Eox+obaiuLnse+fy%k5|MZe%A zA<2x2y@J3zAAYpfq1?8mgcdZXg!U^K>yFK+IzJNbEL2xXx$tqZW;a9Kn6GfOre2hE z1^%FfA|ObJ)hXbGaT8fkpg=4>xD#n)+XLQ<4e|6=q_+lZ3hQy{m60~vkfX|q^^v-B zSzST>iUAt7_S#!2EWH|yf71{rC)rUCAoyPwucN_@y;?5kxTZQbw3$RkRUbulx^C%& z^0w*tssE80C4VLJygCwqf9jdYeVVm66ft9F1YwZu*9j!IA(@<5`rteV}0C5>x#PjUzrv=KZ z+|>bxYVIr`jSYeQ2hGOe9?A3eyfF#V=MQ<0b*qYG?k}*@r;|JUH`WOHg zug1sfsLGdLwjObi(^C1C(xl-SYus!f; zl<29Xs@Vh)XrxJt;B}%Ux5_L3!q_aP_z&wuR|r-gB&-lxOk-3gn(EIvr(rDI*6SAaf!VJ<_?V8PPaNP`JOkM&62hY$( zGYoSjkW_;?UGByb8}?ml`-ZxgIO| z(N8b_Q?Y)QG}eR0cskuc2BmiWM;a!523oN~oOy>my??i}A$}bUu+>A&?1Vu4YSmsP z!52yIu-MDYRoqenR>_X2x;O{KMabH`8CO5bl<6?2(jGu1Y@kw@K6dQbYa9;Dt;5D> zkc9z?^PY9~^W{Pf&{%*DE?IT$m%e1B>2J(UI+5-4;e5b<1@)JB@InF8z*vvQ?4G_h z#ZlutdBibYR(U3IS4PZxH|Qr!@9AkEcl&^Ml19FQMaoG?0OMROLn=lU;R9NXGQAl3oa#2tEoF|Fy1zWj`4E%IK>ArW}4;cUx_J5ln z-H|U`>iH$Lb^)`Z3Hnhog)H``<|x7f9Rvsos42)$g|kO=ImIo3YGum=-C1#}8IZ(? z4dy3-&b^N3uS{5%X=4)NZ-7^l4B3zI+@WJCN_TFc_BujDx9QC=`SB3=29V=<(+_~ zt4x0W;*J2xoLaL|GMt>M2sD2KbKIm1_yn_%wGmsJ_AOi6E;6VH86oL$UlA0F2=_zr zc>v7L#$jrhP$~Nftjr*r4V0BpG^~i04W8LhT)bZbFWxs*K~n<1R=aO|(X8+!ZD@L1+>Ugt!oSLORlU|LRDdx8*inKeqwD2t|*zqzDO zm)90+#FmjLt2YUQLoWv0l6Q|_rPlw*xBWpBvre;cc~#R2iw(R?0XBBegPFdy{|h(X z_GxM&eKM5xw!h7f+L#HO>OKbShB&ZKH39H-5bcos_UuDqLtlZZ)PP{kHclikeV>Mrat{bW@Cn=ZwOdz!HrO@AxexD zD#{|sLS*+@ydN!&)-N2RIGo)u#8y%uMJInspvtcty&>!~v~g7U@Yx?)dsM>^=VFa9 zId9OvW^BssGFo@t@*yVH+1(K_8gzsI;Y$dUG*oZ7ZK09tO8zUb1itVWq`Vkbv@{TJ z3od~XMyl8de*59``dQv&PdtL$zj;T|UHsX>Od#M7bgSpGQY;@GT~sy>mX0i2Z#i#B zMz&9+2mruFr&MM&X^}JfXjtIlF|umu{_APE;hXkyHp8r!cR^hB#xX(8iQYRd^`|3MuJ=s^u-3iLOwmpuXP-kmL1RL(*hktz zNK&0XuHUr?tS_-VAQ!pRJMglz#`Q<20nLW`d+>ne#OjHR4u1 zUf;z{rczsGSFi42?mkl9LLXwRfn`7*WDALr{?Kr(>GGHeaxSH=PiF^P-zB3B;X7xJzgR<95_-~xY&ckWm z1H?%t;n3lSkfV55BcRvon!eaafR@7SmYDL)R)^y?Z-?deGOE*yg)D2PXzB^@A~3vs z%Lrzd?200Fc!;;BO+egA#%j}LXS4WrB?u>m@Igt5lb6UHR_m*&;ql4R&zb5^z{btB zg>`{NDj0eoedO6=c}OXhX`?Kl<0-i7kxed@nBxFK)WpBYE>*rG5g&u+GF# zubfnE_bJII?M^Gr`asibbD2he;@%1h82ztM+MoM&m(3!h)Rk7pgC;%-kztg?2^#*6 zzELMKv|tyaG7e&>!w^W<19g##l^t{EG&*4`45b9^W~E5z_KpkB8G;2u7XtRF32IQI za)N3TSOi1$6KOmcrdypavrwbVSS8$%j4;Wg^iEOu>KwxQ8CI8J$9nAzK6p01ZQg{! zFGap1^N;7UJh)%qG`h8nsj(W5uo&Xe3`x3Q0>ArCgc#@dBFsq&2O>OxUPAm20D(Y$ zzZ&7sa*!h>YH4_K@-q-UW#7Jke{u$=&{}bF>cg~(jPgB*n-;2DdO-{Q$0!d@C!sBXyV1_mnYt7iVG z(O?46zoX%x-J3K)G~SBDh)C4&z1F~%IBjh zqlh(^g06>7RFo1Hi>-NX26^w2MR=7YrWtpKJID} zpag%-av{K-S*5d$3C}h>``_A#LNKoXvHP1cvYmn~$R~ z-gp{Eb8!R|thP|_kvs%b+BX>w8e}ch<9F8M3nA8raz*%#e>~NWmJKguLg*{K{ux3N zdt87?T{RZ^u&BE>^V~ywA=kTbn2J34tdKiz90gH9^zA&cg+=6h0h@Z6Z{(&Y56>$m zJX{^nb;TKX`|aLAeRbGI%g4h@dA7+#cmnXQgTbI*omh=C{m*%&c=$B`ajh2YdA0bV zRts9F)iNO){{5RX>O0OUqV}w(7E;}?RVyMA2z({15B6Fp}&0H5E69A$jj)Ed*?uDT(kBVhE^MZ7xTT1(v zhR?m*lS(pa-l>O20LA`F_Q# zo1|bEb5$oe8bIK*jKvvz1eXHFmDjef!O$u*k?+-jjN!Tm_8shGWU!6XWFdgHD{SK> z83Zx$h42WPUY<}^mqKj=$lc!ex@`s)iWaE>Gg0t9#SdKe&FzxXf2pWs?qmHuw;pm` zG}UGumx~Bd%juuSgc6EXO30esgZ7v?eZNZp#|HDPhBipgen`wnyz4{ENcaSm#79Jt zgeK{sWw3XE5u24JxgWk9y;?;{NN$`{=66^5#%U*~622iY&>axRJav5+9@DqE4NhbZ zsTvGbY3X;sdP9J`F>;G`5fiBfk9Qlcn)5JRHK$%h#~`&?GQ9dgP18!0 zJ@PvhLDe!;TvL{maSXj`J;a6>kJ^2oIsGP1L&GF?im1gE-ZTBde!UsYt%9lh7u7UU zs3OHyQf-pGD4ECQ$8ct`mfe-}QHj{3d$dT&knS-~10FBayqHe9lLI@;V-WJ{tIu?D z3)QF$*Ps~}#oD;#ebFkzwc+hDSVv{JZj!7WPjRCG)j?+wZWFO-msMszwnS$_ z4&n%?2q2>D&RJ*)I##SXC+*1k0*q3iCD+@oQ+94IPu0-?e%Bi)az z?LZz|SxrVn9Xo6f`pg;lqxP`>BU)!u+a;uNu_Zs2s_)1V5+kKet<|u;woH=@`u?PK zhe2u!YZ#Tcj~_KCZ9(@RgtnA=yKaaf8$O$*WfJl%A~K|Jqr6BL8DGHyzEM$S`u|F& zs&Zbox}M*vKk3(=_+GE}WaxEUTb3zhWzR)IPIId2v{q)q%#9lcgQc&`XX#qw3R(T%Ll^q!q%ic(aWR%zp2-xgYcJpb5SIx~b#V6!p_ zW8qm+13m?jog(c7+zYbe<}5ek4Llpy(E>_uYqeXZyAao^Pa*>jRVfM3)~d41)6@gR zzne>AA{2Hj25@8CTn<1jRmG5k0V>rl#qs=yqB1wdXb5N6n6hX~*Sq-x2BkG=Od%H8 zI-pD)1`(xq@Mzu4j7n1VU9H^eH=HiF>2Ic7TXxACMb?$JN-;L}${R&(C?mC!)iz99 z)}6LWBmUQ3w>xYzuj|YI_28fKfAS~%8n&6=WakkEC($}61Fdv8diDAQJJ|NXxJTQ;ZU~Qi>MiTW__?Rs zp>B<^`+@eP+al~}qj;h@Ew`i};go)Aech=x`SbjKp5H&n{5F<%((9^#M^az0toQH8 z9T-y~6+>^(9{S7~`os31YHbIUj`tZ4zzMldlXN?6PJu}~vL2U_xa#b=^hg8iR!u!@ z-`vLa9dIQiY*I_rbsNvg+pJxKzCSi_N}OOP;XTmXd@DakHg_0U#m@XQ#McF#*>BR4i6ioZ9TvYJC@s9UBU!W=3 z_KiN{t2H2!oA1&2n=;Mm{TU3p52tS$*4E*8Jn5(ptI6=PDM*vNsJ=Mi8DCAA?{#;n z+-TCL#$AZS?@hjnib@67S-R#6y1K*i;|s6=5Q-T(Q6ey8ITINSC*ei}^-DKShj=%5 zDh#4Tgl@O9L=>~-=r zPjcOs;%v>6N>fCkY9CW*XmoMP3!z(l$*=Q*2N(An(*0pqVVF0JEoj%{S9W{rVaGF( z6wU8s&6?lL_+r5qz||0a-26bqJTD?eTASZ6QYSrCYz#zv5Am<21bCXW7*61wqt+em zN1?8R>BU{{f@{~LO(*Z&JTA7ZmUaYXXZvaV`JncEPo-^~f&6SZYLA&S9+0z?ik#ZF`JU+3!lKZkCyfML zQXLm_k>QcyC|WN?c2-6ZErD10`wcW*Tl3hY>C%B9EM(`$=#&qai01?WoXvP(uz!)!PJwx5X^c3D8gtu@cTY{g5ClVD1V$!u zSXPxsG$;;8mRXOn$i$q3G85c3_ihiI7=Ie9h;SBm$CJ6|^+)~5*ncoqL~qz_kC@X_ zuFskw%Jwop%rbs0H(=cj(5zRy2$mi@p0ilY3no@;sW)jpdihqiWgJ`S$ba5Eu%lF6 z)}mS0Qiu9iXjxJNf*o679qdh-UX*L*8c-;e`7irAj`&vyak`pCi3kbfa>fJ0T^mkG zUm<|mQ#t4~n*GdTSxiC|Rw8n?Dsun>Wp$inqzZ;05^E}`St*+_UyH!A161DfmC`54 zlxEixt62-dK0YyiKvsYrr8D@g#IcIwRH#e$ZSma@65boNdp+iidI#-Zw~^EJZ_|>U zef#din^)}ZyY~u7MlLRf$OrLcjDM;%b8{UZIx6u zy$%7C*|`+*4cis1BkEkD`V9jus#}O-FaOT=#b4{zgoDF0$`Y=#*s^=pZbH%V2i

z{)D&&^-Z0cY>o^NWUzTu6sI<*QK|k~iIM6CE0(+G8 zJZD!Tjy=1z&E~9|)a<^024D%;Gti$Ct3Q|8;%-0Hv?A84%E&X0Fxv*6$+R+-CSAM5 zUTJt>BVnace^Imt-{Rz(pnOfEqAhuG&*$XAauIZP%`JUgsR?zoya3~F8fpX#8tD4wq6atw$A z1az*=g}7|2__YqQg>`=^7i~C#us8f#WNgghl!t6qUncl^t~<>#)!tgfw7)A{f|yx0W;?AWbH+q zE4v?(O#1_Qew%cM80DN>`u#qHdK{lz4l2J!$>v3?<_I>6|4t&~LEYev$TIInFs-}-ECceqIro+c= zbUcaUymGFSb+CSa6=4KLo@#|8u;ToAkfnKEIlj8pyzu0xv(kB3!aa7P4%L?Kd4+_0 zxH0Jr6eZ1FZl|`X?#*cF3 z*;YZ#FwX3=yA|C>2Z%BknL9`Cf-H?izE@FwZe+Z~h1%t1u}t9qzw5|B*V(s(x|UGB zSY%?s3-LakvR|_n4_8srV!y%GdlTh=++iKi$rgo6m0TDw$7n{DE@~YxtB^$nn8DQ! zlCwp|6Cz0!mm<3+k;KR#|EUOyfvgWX0;{MBso6$O3}Yb%^+F%>nJAUN$pwtazljM{6Ifvveh!_P0rzW?>%vR!%~VI|9F)0@uc2O$p*e9t2r`oqa5 zz;rJEOqy_(twXW00OB+7)i9p2=0$FSBWr)TGf^aX;T_emPcZ8IxzFwV+w zAqrTNU+Je`!NVyTeh*}YMt#5SZ`gew(W2=*j^gh;y5jHLuJ}7Y9g8M{L&NcbEPX!~ z6W>pFfczPl_;5f>22BIv5iMRn=|283SiJf}*^%SH!L5t=gRD3|(SH22R-Ex*2%co4 zK3Z{XPqJNn$JkE3W3KTXd#7B-oCo@osi1u3vLkpo?D<%w18|O;_=7terrZYe(+>70 z=hIrPsN@Ai>CoBt_{2WmZgH^ddZULPZ@b>;`FPuOyzRSw&+QJY$6E!9DpeD7$fEO_ z2Lw1`>m&{Cl%<~=-K{^^hZ_|MkSz+0!G z?H{G!U140U)0i73)?yvk4ykmGvK?_0l$+cz39$yu-Ql9_LG$M)kdEh%Et^ zCZy;S(6{@dKOPIuqod|SPnZKZU=9etbmM&a=yWl)HGeaYbsBDAy;+HTX((>wj4;@e zEDtiij*`X8Jw>=q!#-z(x(vqYcZmRvSDtYqiY+29$T+&tW1@pdfuH^U_bRnuEw$gu zcP-|zKm6e{0Ju!U!`qp5Rc|;Z~+85?VLyIeuQ|s&rsf! z_4cHqr*(98hU-6r(m*!aDPwxmJxRgyi@c+c`0hFlU7gZ;u4?OQjxLwB92aVnclHrD zz4lm^QY<|A=iJ_-NKX|XML_>#Dv(3}mP+L6nx5JZ=V^*R2~z!)i21c{njyZEoeXys z^z?kssTE+a<{N98=jim6J%HZG)7qv>COAEty%k2uz(?oXVY}CF^1fviSZdr@l~tv3 zEzbb+v{)+UGl;#FGXR3(twY+8y7#H>^fx08S*}NAkxH#B0QhsfwxdPUY^opt z-q}7q80!Y#A*wQa@wbQHy&*{MHd~}-S=S^HFWHOy_SjzCd>vVi&P&XYvcYgf({Al4vpDYRDddQ|60`b4i&vo`!Rp$b@jMFP#G?}QgWuCz9lK29a%JKPj4M>=!77CBF-`;QiIteBVjX*XYU>KBNcbzb z5abv&w&qdBVA;aeV8z#Xo?oUhkcr@9uSi!hj21-T9!$pav^ex9sOuO!)W-n7U^e*0 zCeG$1t#lq7XsBf;7uSP{h~lvafYJ z3-B{vauy}*Tx*o)N`QT=JS#F@h{d&+rEwf3ix2SBTk(${60VW-E5VXc0wzniD3y~w zFQhu6g@>WOE6&B5<8drXfaJ#h=w$PxP>Ugoukq>u*1zx4B$AR$xKOykG;2|gDi1l> zf9pqDb^Mm2k6E^G3;}|t!IH^Y?H|8vItyS~>a3Bq|D# z7x2SXzv=?}p5OEO=E697NtfV%`s088@6eT^Cjb;!(dfu}$Wiv>r+F?!Fc}7(N5}dH zpXP_{QI|RRXY)K?Jxn&7QnjL8J$K8ElBM%`oN{z!L%vx&p&C2rkxmT`K`z_8D{JVnBzJLpCbx0&8ojeVA;Q~RSdd2WK zD_5L#l!y*|GW9(6O&AB6J+IdHLUXr(~lzu8=xb}j_(>wC$p{!2-U{vqC&GK%n z7qc?Io~0kBGXLD_WOe#yzi#DAm<)mZf035Kl6B+^?eJhFyx-<&^4Ba_uF{aXmu%GS z*5BI8MozwpgnCvPL0Op`=5N#FG))TwI9+)Q9Dq|c8V>utjh7z))vWgJ_H~LEeESjw zZ=EOXf9ElK-?^plott{zd4hg-w)DDlL!Ud_d)(RD-#f0lx;MAt0=-iba$c+4V2PHGU_@YIT{|_K_+FT-`)-5nKmAf~Os-^h102tut{}q-(2} z(WGqkuC>5)W>M0ySD8E(V$B9!vt_K)yZ~dmB}1-{--x0~{a6FYCu{N!wVu}fL#gId+6T2mD<=3<5FE0@Rf$ zA^9j4vA#dHOo2@oVM+CV4x?U0#efKRleb-w*#|vKUbDBv4UjQ(X~k<^3%BQVg9AgQ zhMS%YAlq{MFnP&S1rZys;EpdVV_|S->J3$~w1N~!b*e9?5QX@~IqVLzznqW%RtwQmPl znz47uE8wmtzX$LecX~Y?P_O|g1taZD5EM8Q1~K{z6I9<`iDH?CUr>u$3&N9wQJLLf z6OPJ$RNbX$j@kSBZjJ!XZQq+u8}=KkT{L@~-WAx_zQ@*=x0HT0?VNL`~K2fI`QmxX%8(Dh7Y% z<}Au?W?a|bG;yx$ms?raZ;z9?&UKxH=A8VLXw|FIKv7kSG8RCN{Ww}h zwwMIt+)dk3Uw)0|k$hTt&W_?pB*h2KIV}rkAcQOFoLf@STMc3VXpLb@Z)yyM!vFBr zkTr6FpJGa7s=hx&NbKLyfPjKkn{$&K|JKHA$ke$xOXtQ6_o@uaJ96g(<$ZV3_WcQS z`n>`CqsGPz(jYE##gmf9rx-;iMG`hgp*%VA%ALL8v_J(qO0+nQC67)5;KYC{A!+86 zWL|Nj{<0o5r6a*AC9{HksvJ0XC%UHeE|(qEK%8H7cWPA#b%rgI>%CalE1B1**HLg2 z@w%Pm8crMb(LsqPCYmTsEdF?f0r6V^KF!8|kaJ3*5$_ zZUk;&2)EeN?>(Y4b^2|Cslu9mV6r;~0k6LLOeeMC6w7cePb6}?era`V8Lm~Qn%KoM zTyIK+K{w+$opC`)(c+^VBwK>bP*LeD+9F$QCgg$z(Vyu2b4T$yy)w@<=2Ft$#9kn- zPgE>7+QP^z^-k6(OmQylCaliT^niJ;3O1x1%_k9kU| zxMl{HGq;mpvu2 zKn|;qA3qu?@3I9?qMQQpmLfB)r2L}uB1PtGNRwuZ>ahQ+3@${mQ`#AP`aEm?B4-Uc z4c&XnVDh`n7QZ+Ap@!MBKK2wNs2azxIgseExQ)YUb5Lz6^;LGM*3OM?1U0nsZEd0& z*$BCBqZ$eIR;-D*6XiUmYvPSpoRuzXbv?gT{oSwp_Pt)^_t5LM8W-lrqufL3+FYSB zuPw?99ImGfUG8*&o|-TWb86(51Vgxn5U^HpWIlIN25_wnOul#Qv@mY zLR{M=sKda1Izly7hz35j+O$L{Fs-mWU;tW^!>h#KVTOC|J=nHg#5uNYVagHdv8`cB z?sj{amGfg;#I)!J9jun^eYG$vi<%y0WpF1=%t*XR7rRmV7HzB|xk+`nQRo(ptRl2o zC&N#SmF(VQZM&UpW0=(}WmcB=wv{OvRcl#;a@x&q zX5>~ZXH5ckvz=KJ%C??8bd_j6qV2dq+}#>bnH4pAfO)rR5wPEB_49cpXDQis)vodc>~_tI{Nq{flzeTwGey`~-YfPyyI`My^1sQ3SJ9Cl zY{k>3lMOrGW>r76B~O>F$(Cmo?-N+_vP-b;2{gnlj((?pE2+q_3NOArikg z`6?=E6<%lQnlH$q7VDy3!R|!Z2j7Brf#|B`Ok^&+bfZu=Cc3&FqUZRjP>YrEJH_t; zHRpAUK?h^Zgx%6uDk(Aj&m_E=@XW%O$k34|7yot7`Bx_CK_ zisg+9mt!qk&dojLY+tgRh6T&HX}NN&#i}9O#-+;HSg4%M!QtGrNI7PSa_+Z4Iop;e zXUpQWL*-y;avB#VXWO#m?7k>DJ1t30Z9#IHmLsRW7&%Q#kz*Dj=U&T@)3gXV4NH*I zv;aBw@^hadjZ4qAvDLinI5#Xh&ekQzxoyF5tmVepX|ZvdmKx`Vg@%-`Z=j|M3WM=% zQ36?W70eRDG1NNrS@+_k8 zmRftg*KIY65}sY}ffX8C058Z+-o5(%?csM{W5f`kS-j5Dl@39In66VXw_=ju5eD_G zM8V}!3aI`~V$V(vj~+udM2X6Vua(-V$aShxom9Y3gH3nRWfYQ z&4MW$qC!d);qgfY*2&V%D&QEKa&(*41nK8>Nt+eZ#EOEQWa-CirkK#EhH}3GTZ00O zuq@wHU_jo~1ZwxJTusPBYj!38yBF`1gf&g{7q=J^8YfE;6U$g{()NK9ZY=+9kaAVy z&ZUS*}<{m@Y-V z^*-bCc@)&Z=G0fQMJ0KBG6l=L*Y^e*mMu`ETvOJ9H=c6Bx+MeWX7SEe;h=GuWM@D; zbPAxvRRlEupy&CciB!}&1`pC@{Rz|wYrw?X$4=9ydS)Q*5n2B##DOf5$|Rs9 z!MeH8hzOshqf0L)xyP^aP7=@d;PM39tTr=TM(v`@ML+4TKLMblvnW}_;!G;8ZH5GL zuSy=%gEV8OXhPKwX*@;i*L)SliagwwLm4QF_2UyZm!C!&PUZOIa=>^JcG3*k9L1Y)}h znq}j9?#pJ4ayey>Vjit52Zhb&@}vt81K&Y}_^IIGud=8R?-FDI$)n%NV?uB8U4-?Z zf>F1&5RGXv?6v(Kb0%Y-7>cOBiP^nQm$YXg0VyUe!<2`VVj^cpCm#UJcO_P7cC9Sp zsAkLO5Tu^l9NeGf7NWJcXQUfjrIaFaQo7*~w=U&G>~>e$#()`4S!>w+E~2NHSuIt+ zF_n+W96K|oo|V&(kz=xP>X|rAS?GoYI!rj&5ua8OxpEmwq5@Fi1G*Q=gQW<|SUCU` zHfKjp($WNoRdaHKNm7;~_onqJ-mHZ@!k@Y9UF5L-#HqpspyFEEk5&a8<@dWMSByesy@nRy>L3a_VRp|3dy!Nd9w0 zYLF(Xz<4u#D>>lc27-cnlMVEqo;l!PFrM+@$n%Io;GxU`y$R4nP1=6HfjFQL*(yq4 z0DhD4K%7*mtVZ1m+t?~fqE)$SU>#FdghYr?o%PE#jJ>Q(07{Iw$K>ktii=g6oQb0I z%1{c*1wBh+xn?PTGProuVDNi@W|qjk%TRE2>Dup|eN(R}#5$Tn3`YJ2_c%C16=IQD ztQ8~=?)Ly(mvA!xU`uH`L^CWhIeqiWd{bPqnlBwxR;_Qt41`_UPIOWQLA|{?2!!gf z4_Fa7OBZy<3=}9uN`jF34H%9M#iv1@^ES(JW?`(J-9i@Gj8KTSST|KHn#3w$C?1hs z;&yJuN1&xd#MhqG+I;^2wYE)K#ZSVjNTiDFKD3HX)5H6tsIo2h(!e>)n-nt*ZCE-m|Ly1E}g_w>Orm`v3TE|MB1c^&i-W^&;b;S(sln zuw(UsRStwr*)&Tr@W3dw(3KVDxGLqAO%;c3PfBzpkt%}axeeWIL}AkgwD5dng{yEhIH&Ys8I*47m`jq;ATCpoFc5=efuVbW|2|F4wisLKfw3 z%Q&u{KXzw68$9k|#P|A7e;DZxhO=2X@jN<}JoGT)cZXm=g1>Y%(E!t5!{l!Qu8nf4 zH(98R#y+bKM9)t?%LrGr5p}Mz&Jb@_34i96ZtGQg+w$u{nULH zZ}BMK%C%bYS!B04YHfUAI{<-Fjp)b2USI0gH{72~IdFd;rwcC@mm>b+)z@Er_@?#1 zn{^lByMFzfJqNDXorWuRr*;kQ)UUyvTd&v~#Oh1y2g-iZtLx#Y58VSA?#7X4LmM`8 zN$Qbj-@g0s<`sMU?mcPRHG<@Aa$7w$;VpZmFwDsS*0y>Tsmw&`%waZt zxqvFpacJ|g4{bgfHnlm4f#fFW{Qc2M=fkTLB55$;fNB2PXmblA@|tn)mvWkm(vZ9bGEDK^F?(1!aD>H^3sp_)7$85a6uw+cJk%mST9$vNSEofbux9@uw|) zlS~n!!`7%LLc}Gsewd}}Df{)|n>Vn)$X0xp#Mh^3TD*>8fq`a5+1qw@R6Pn@VP_5O zo%^iwv%kX$t$9|FwXtopIzaU@nLdv$MSQK!U@W~#M3yfjxCcSC^C1Fj^3aFKP+)3z zr2rw$!I4AoU`Z?xvbB+j2LSOgU$VdkoLo9)z-k1%n|Pm>7ioqh>`5LK(WMs8;^+e1 z8jdWt23bLrG_UeoTGl9kn>EURxHZauwnlBSMvdI=XwNn;)$U87U#h01T(FBtt`DDb zd@a|U@pYu0RlcuY3gd+>ozT>GunHGETL{>n&f%CPcqoVJ`5K<2NjM2r1(eXIDIf3rHBx6`~myrgCqFS)mgK>1vfG>cUCge`^mDV{rnD zc8=UrI7M*F-*Ahn7^(El`Z-^(mG|E{9(}CJ<5G&`{!?+bEj`*LSDe*4y#$Gz8@6Y%k}!~>B+PLM-X&KJ46(DwGZ3YE3z zlPx$+bo)~RIfT!tVV330Ey^T5*U>OFu~xjT0of^*8(0suWLr6E!lmdEZdW~?8c|8 z)v;pn*TT5HVQ{?lT4Y7#1BhBT?=QqPzIN2LzGe8r)%T4d6x;|{K_~`w zw1C&PQ;SozblP9m&B##hBkT?=^d+`2fYg)vhvd!%4oimdgUd zyz%uKyiZ||l9JdLUs$qU>H<8LJY4GHDB$^&`Sr4YZIsO(ic@wRoLf85bn82VVqm^JU zqC|N$y;MF+b=@3b3uL>W9e?wS<2P?u9xZ^QajsVbdG5!;F3W<2>6O_kK3Rr4`FBAZ z{0N-8oFBWN84i}mb%Sy~nRnFhyoHVLT9(QdB(ZGA77UhDX|B@}?7~q}q;}q5mNY@Xry_~Ot~uVp)*%Tf6j+5YiJ zbgr|%Pgw+RJG;zJ{#+w`zE{QpB`Ec`b-Tpn9~XccQDR&e+4@9WVfOGTE9X0J8pj&5yC zyS3fsX@+;7+nvg`irCqytipl+4KKtMzur|YeU2@Cboy#r28=B#f}2HWVo}CCvx=jV z?a@-+$eeEl^jZ^Wf%jgmAkBoe^q_sHg;U>pPHX_H>zv+@-uIOz8*Z!GvMcR&3nNcQ z(;Ew?+&g)uEJAVzSHpuKfT;nVLONARc?{5{Is|5@ETV+*1dWq=Q#0_GQ9=I2pj=EV z`vUH6RA%+YT9>K6ww&Z-Pq{0e@CCZs!uFrN)P5D#+0FD!bD}AWMUjgn$gbB#W!Xs7 z{0HNhrlWkXG><_)DM6Kyx%&}U^V47_lqA1g(%3VVMU zsH(~|r={EtrNWA+TQAN#I?ee@_8G6K7;2yLhy8!f)EELiw9 zwJI&lZFVJQZR08S(q6(oRgP?PJ&uaca)tA&b|;;4o4~0fw8xT*ke1W=+265Osr3pS zmQ3*!R5nkp!Oc-wpDro13ooZcp?ocv6*dOvaRs>lo7*PIDhk6`T=7iUqnVe*QY3}k z)|8R*mI<+&92{rnQyU57{hKp&TSXFZH&lm2+0xc-YZvOyNueBtx?XbCIVt*`ppcBS zBIAWvT!V?ef}2o%KdqgXHYH5iX&T2-viN|p9%;tjC9gy*aM~3Blvw!$E@tcpQ#C)U zif~syJ}a{YXvWp5sNh7jjhnE`ES(7z60>JsoXF?XiWS~i--8tH3&H(|BHMC3<;dQy zZ0QQ-8Z+WKB%t9>Y2Pn1kuTFYl%;OYQQ7;8lwI+tP?_Wf&oq$sT%Id2A5YmKA|AgI zF*kPm-p&~mS3)F}s)A^=H>|7oCVsc^zQRsS9!SD6ZD2qlw35|C^x?dW5zh#J-lL6R z&XG`zF3m+#??gqdTZ(8U(z3AH%-z%D=LZ@X{pW%4V;mS8ZYauuBA0K>uW9vgcXay7 z)>$EP+q&bdXieHBqd{S{wj$(csHB9ueg~|PDPm|Y}oDNU48*rJs5_jyl(R9-KENDwJxsfS&$A= zu|}vp&Q)G7>Z^*c+>{9uee{KK^KP$1u}s4+Ecgsni7ex=hw9d+Az1`Vj~&lhEan9h zvY2gsj)b?kh*;@Jc`^@-g$-?NEmF-|d)0wQz3?=H?@j~Zc?^8IF+h)wPt5sev%^i( zAx@6pYx{lX^!zbF=o%MhPxmTdpIv>r=nsk zdCq2XmjvM=Y=a{mIit^`MUHnlsur_rO_Czmc|$nlIg6vbKr>LAi3N~KH-$~g7HbkP z#qhtD>*`+gp!o8CveCZiV97e+b;4Is05xoxR8g`3K6U-eGY7mcuEY%8+P1ws-%}l^ z0z1_;0Fu|Zz$=4ja^{Yx1wM5-V(s;M<92VzoL;}z?tzKBCb6Crs?)+Zg+gGTM~mVko7ie_$+h?!SjDl?gVY4G~7N?7R8LihM zLk$L_edJTE_uMOSfgWUf4N zRYS>Vvb6${B}`n3?7Beg6PSa1y%tGs#q_eM$VEJ7FF@Zd*X=4^cUy``io6X@U}1Wd zwBh)drz}m-lCcnp$hg6*wXGV6`ndo!9>!TAK7#JJ;stwwewi=ZY*rQur+JGx`OadL z5jM_K#`6npvH5L|Q3o<*gz-l73(xy1AwHbK_f6IsD3G`mvE>{1_37!mQyrFe7{jgy z`gxo#7P1Q<1;V{R6n2}P9KJn1YO~je?+@R!Q9_&j>hSa}w({}Y*YCW_2L5P5(Qb$& z67b2M2K3ZD`99U2&()ct&Ipa~t9p*DAXM8BI#d?>DvOH3V!0CR2m>bGqzgG8p_`B1 zyaqPXya>}$M-@UDWqKMPQNsTH*}J!G7%0%$O}&iBtG(f<-Se5#8&29iK#suaq$OL7 zYndR9D}>202ctM$uo$3{w5lPu&I=*dGHb#grIV2?C|$Kf4#iTe40^Fth(yTJvRIde z$Bq*SKW72YMc%f_zhL`aWP%s*HCu{!tw5^enq{0BX61Yir?4|bVnu!w$oRFkF7LM7 zVE4j`*4fvlX&ux0y7r_7*Kl{iPy_s#n~P`$AhNtD^B@i7uGQ*wyX}6r>-M|qMxG(j zc6QB?ei)jW|-K&?xvQjzm&?&>ZBlaO#U?1!Da%ss++-sFnhhe|WuQja&fVm{OT= z(Lm1;r#DfMCDx*$+XUkoU1Y6+uGllsCb(T&fh-W14a=oeW2wF#eRsTpp(H<2*PAWl zJvwDc8OJTdS$BI5`qMjSf^Z4yp`J5e8(4dNIG`H|n?YLNnBV?2Z6@k6VyfQgHS|v8 zzSKWAG5Z26O?S}tedY|h2k5G8BGZZCgH{_Nel42m#TuoERb@SY^@Ku zU_qJ1*KC$46Phd(-Q!K!`BKCy97u7@TsIfR7p(@f$QQr24I;)&svItCq`xofCc*Xw zFx4Mg=Xuv+>Rgjdp=3vs>opn4!;iZ&4C3|zj+p;aW8fYha{slNlbE-Dcg6<@h4zShNc zNz&%WcD-uXND%F=P-%2b8mz~lEz0v$BF|UJXN46#%Q(btA%d{+bTRkcJP8%A1Ko$? z_?lE4gV%Fl(3k3R zk55!GX2(I+Lj{#9YLT)oY#UwjM`2`wt7r~-SiumQW@GBWMHY>C1yw%>W+=F6 zVQ;>&oAxopsbx?@zXFmB$R~Z{a^%Vqfxg@cV+;~Ks3LP3s3l?m^6QelXyEc;g(6P zU)?f^<#&H}v)I*EsoVCQdu}}Sc_UlN5~%#9rQW*+2oO*Tlo*=AQX^Ad12CYLayXzX z*&BW>GB&PK1Zu6s!nLBP%&PvQ=h3(C-=B2)sx2+T%FQ9Z^;2exBquf)uyC75CN)GR zYl@H3>F>jh31Y1qD3J-cBD+Y^s{~Ej6zG6%JJ~f-fY?f_Jm4T|;yld|snb6IjPy}& z*!DLTu`QQ%HTvfUI_t%2h4CTh`<)bf+6@@qJiao7T|#$iXtzh+OYj zFX;0@uifu6XEd0|zZ-q70*&Ws>JdeV7o@BD>lx2BU+ZJXJ3K$bq`zk0Sw8#nsFrL_ zK-oNZNTgQyn`e?00AO21cS_qh3oU`Frk$Vt9Xl@MK@iS7iino8I7%+GM=u;?noNms zM#Z2EbPlS$?)>cUtQPtNnNjN;%ehBhflK47$Yio)A=6!o1g+h-G^94knJ(B@&s+;} zozX3lo z{HDW@{q)n>FCGCBx@yFD1c7Rr{AF1({3o_#?70}8^-kSvWF|nE=kgW4f%{5@5WVyF zw=eqex>LkRM(!$1!|H-?Uhz{tZ_B>@%tD=(2OA38lsaUbQyF*=q*)jx3m~@B{sly& zKN$dK`aumdU0LK^c2s7U;-o(r>=~IRu1vPV8L&TZwgEnuO|b3Ati~^#$@Fo~ie$6e z`YCg{QxA~v8as?`t9C8Hu3=-*=r4{TRYd78B_TUxzK89s?pW3Q|j6Z zumsh`p@Q&4%H!%;BA1`d=dc5>q%yG&D~7jMxy;^#klZI`aec0iRBY(^chN@?D$VfC zS9JA$u1+5iwC>qg@O0-6D@a?PWmF{nRcb&;(**DJ-yfYIe-{1z@an|!6?tIEw4BE* z9MFx+Vwqz-`YYSp&;~Y(9XF2XmIx=G7E7JYhgT;i^uh}MkJBXN=FKt-z&7wHLe z+X0-<&RsR5>Ow2^i}u;f^=&SQIssZ-_uC5Qo$ix7mWEfd6K3Ogn@PdlI=BB>8|-QMa{E-P$`_N| z<5zhniD$42P;1l<_b#LQl5dtgJ*RV8h0h8eT(sEL24iaqZN7s$6z_ayh8{8ezt?r5q;OI|Jvb1wXGLuFsU?mTtAXCBvGYfgy`$d?gA1 z(aQ}{@0n3v_q70B3tam(&NkM(f6zW)&Ui4~94Pyh;b?ULzKGVZ`6`Md7&)vZTd38R ze?~3#8w}qdkGXHtEc%_C5%EbH9+pL#2RxPspxJLlPO zmNn4J_>6zFo*~uJcr-%zv$0R!tChl7o^IrF;@i*G8%Vzvmeg8gIoKcrK?=c%dQvcq z(~)y0T7edni8)#nrkzd|s3lB;yi?{Pa~EY4ijJ0BxD>6_kphgzs`4DoK{1u8tEDOC za!nHKT)yNBan7OyUZ09QjW59++bZ}5)b|}K<)G*JL#pMFMdpzz)@0YUVFmZ)niJ(k zlq{eQ;J62)WPH$`FlRg&&>*Qa5ljgzv!)U<$dd}Ouu&h$%NfO%waAA;hYsfDOiEA- zE43|#_`%^a)P3{rKIyEim77zAWF}MXR&xQYHmW&3Sb$A>-t42Yw&ZavfLw>p4Z+;o z?YzT-mFOVFQx`)=C*1=I9oBihJ&1UM88){~ zS5nVMx81Bva(()t=o;Y4Na#yr?8A0`1VI>!w9X(Fjg<+}R0H5YfYyg4#Ofm%LK??_ z&7QaAk<`kYoWS=9zyue^pZjguMu6B{M6RMCM+DIzU9ChSl_8l#sYmkE62X82VO9!= zJvLmy-X5!fS`s^y3r90Br=6y;U|(@L)eq6CbcA5ywB+YVij<`>IXcOI&7vfXl0|Nl zCgUNUn*6DxvuwtLW~@ONFty_xI*;aRCx+6uuU1%2+$`^}F$P?`Q6qEoS zuA+pte|_PT8e`sx;r~Lt7QNK+JX$33oJ;GIIxQRq0W4^j5odO@q*+5_X*bPJo2$)f zM!I^#CIeO~>(sz04_b|LAkj)I3L$I2e{X!4X8s`=C&xox<7q8)J~ zKk^6F3AAe?Z~9c*%*rBN@gfR1VkG0uS&~ zB;5ojNGT#OOh`wtF6B9~+g+hTGwFjuGZ~Cg_ivD)67?YwJ;G8-QN!+cQH#blTzr7> zv0>Mkr%-b^H{&LS0YU4sr~-evQUQW{o}5gFNvfb^tna`At0aY*(V=>d{WtU>9&0i@P<+?*bml+4UVC-y zM-1nmvd@11d*%_Do%a?abKLqfMD_W@A3n1LD}v2mi0f$$SyI*)-OsT#Wm9T4xQKcI zOas6tW;BXNNs~>8SES9Jp!U_c3 zpxz!Uj2vY1)^}%e6UIdqE6#GD7PU&36ULNOCuG89dL{QC8Y%cSZQu5-7~`unStxie zH%wPNO0X<9ahSUMtTy+yet)Mqc<)*G*ky6Z{=Ib?11-1Dw zh3^Q|=q={K=!cm%>bHAR(HalQi{uun+5KH-3w|kAj1Ni9izuH*2t)WPeVZ0%R6_*_ zj*v6p@~OydJ$OYwnAB15BnNnwE4k1Bghx6@y@+KZM&N`(wX2lt8DR0oJm~Giv)M+% z>+bK!!26W+yE~NNF?o7F1xxQ13f_J8$Q-;V@exULQQ)Jn=1NgD(%c7A1~+mLKVtQr zN2@(ZYO20=SdC~NBNc_R-Xs94QmJL7g6UjUMOU%0PI8FSzmK5l)CEWDT_T6r#SdtdM<#?y}`myxF# zqPFb_Sq~)Am5G!yCT`CM!}gFl2fp71wHUsAhgDYl@iASh%L6N)&qYww@Bs2MSjt8? zuZHoTLy^u6Qov~$i~M}gM$b36bqdUiAzHzEz4)i}36V;oGst!womf28@S(bR3ee!u z@%b%q+Xdb zzK%fm$=QqjNq_Wm?{hZG1it`8l0W_NAOBfNgaL!-F%{lyD1;t0y~a^<;Q0?7HB!X$ zsM$Vh26EI$T}JlWfBx@`7z@fID&Voy%F;MW7M0Or+oWUcbsh4+;|MOZ@^S{8d$~#( zC86@WkxR$9b_qV0UkF}Ijly6KuJX*P-;*5;{Z=)Z95{zdjaAv{KWD)boJ0Tg$N&2O zvP4|T6Thtg-sj3~O2_80yj(*bd;1n+JL;cwn%a~4MHtQJd-8wGbr(^=xV{%ARt3=h zW=&7`WX(Ua0}+URx9@plzc=m&0rR`v(O|IWx^A=+9{*+vQPMzzI{Lm|0e~t+i@eg`l*Xwyc+ef2Bl;cegDAMZ7T<|PdifYm%_r3fw z@W^&a)=ICIRDQX-_QE9hP>PqA^Lg}9y(d3_s$`2`(4rr;2nIJkMuI`cZXpq#d%UpR$BBlgRF4(A4m~g#%N`hYyLaw^?UB)2 zdf+aR(Vwad?%N0T7-fBU>v{gO8t{Xt0p0Oklt)H>0c3qv^@3N9 zXi0QdWKp2kGh(v_f1NYf(~qL{Qeq=L>okvwG`l|60n{*L0ewOq zBUxB#=BN_aBM%I-C#P(G((QS4a`ZuGeD2>*-oIe&`_mu))4#A|6#;L07j@QiMX9fm zX0#3XMN~jvN2@gt3KfL2IXYh6X;(Vf`9?_fhryVSJdgIXhi+qjd&nHWEl-DgtXA|oPql1$IQ*#Io3apE*o#uU z$5owT-6OzZ5Tzm|h@MFh-NzT&U7cbYM&q_WXgI9axGJqqvVGq4O=yH}|8(0Yciw!N zUL|<54XS5VhJCh@I%^B>23_mMumwphyF+9Vwb6+nD--luxAKPj&s;M~oQfEf0eC!Z z0t3+ZNAwp3bVifjP-)wD7UIhJ>VmaJ$?G4C>Zi%gN~==SX>`hFWqv(NKTdtGKQu21 z8hFZn-O87(Hfy5BA#+bJ*{Iv44?f2ivX|iga0>sgr*8em z9I0zXl1-8q=Jj0)_1CIMc8MA@-EeZS&i&1otChF)d)>-Q`}UNncQ&g|g^k~>#DSRS zRh}An3&xjp4Hk?Oy*l-@(VZ(VmhYhFEVPiKZg2r*uJhU3` z+}%chnT_(ebV2@r>vgR``&(`ElLu>9lV=TUtA^Dj4eOu&g}vrcTvJv~&Q9cE&zf16 zzSkQ%?8W}1>)%ann(Tef&cvE$ybut?t?`QGq(cZcsafS~o?XPUOURn828YaZ_)=@+ z+l)Bl2alKW^LW`ZUV5&7r~AJHZ!Ew5zy8JUOW)iH>X0wF2_qi291NLA(o4KyLFlW}ZhH_=6Si z0bI?1cv!>IwyOq10w)!XFTqk|xew^!?IGsI&I2|Hahh0De81@KWrxv)1QD5Hy zmC&i+;jgl&5bqKUB+rp1t2g;B!gB+KM^e~+i~RKN9Qw*09{OtSnA>blqX(~mqvsWH z`wG~_9rOSAUtn3{dX*u*Byd&%LK3;wG_dQ)Rcdtb5`_Gh|C=4J)>(Qf}YM-thKB$ht`_bt(4|L zJxwxdU47pYQ5*hw!8L15x$8|ny{7!bXsA8c@3~#L6_uJFImd#@9**Q#1!@xdNNR-S zod`o|liMNR@@19Ak|)M{>9YUyTFq=c9`+AH&m;Bb!CFms40=s>TscnTnGa5+G$Wg! z{`0-cV^~!$`?R=j?mX+bTtrE(PwDmdM#cVy7vhT3p|(F5%PqSCsHi{J#G zX)aUCi=vSuRe?;_`B9BPrTkafQC%=mr}hv~ZWjAsSb&28on*HWo^JA^dL)CRfGKMM zW2IC_rh~peX_-83;d?cL8W>*jqG7wF3>(oB($uUs2++-HB-GonCPLj_&(bmpIUq5D zWi-l*bdm8D+|kr3r>?xe(rL7-3v*ek>-nwf?|$XC@AWFbhhDc;=|g24QX8Svun9qc zsye&gV7$Gd!&SKr9W-S=Pt&Q~o%I8B7RSptT_A*~zc0J4EO%NKy~q%~5S1PTwG&mnI~X4Irzd zXp$>j^-G?!BxM3){jQ9&*W&c#NFKV9d<_unR4%k$&C|4V=>xm0u!^SO-(`6Kg08|O z00n9o40q@tRSeMi)HqNF1zBlIZkY|iBnh$fa00VWj)1cO*NSXbCSfc*Ei>R#5ZEcw zPQbk&D{jheUC!btuygfnzd4JIzpZUSGTnu^R{dbz@>``4^1PwSAr)5uoxZ6gSp;^E z3vs<$5v0Hy%K)^Wst8i-g}Am$V1T^vlxy{ULLenP2*esNd#)=zv&Qqd85QV|&oZ&# zSr}WJg93s882vzw``naJO~$i}NNQlw{JK6ZpNN0k+2G#>R_r_TZ^Oyd2V?YbK*ZD4 zqxLPL&)|j#sz4!J|5@CgQiBiFWcImTdUo|ZdPeE>%=qu%R2GUE%yKR zf3jC#gq!QTY|F$P<;u~Q>jbwp96$Jun%Q4k-oZC{oK~Qc2xtoR9l6C0lQ91%XAC( z%9<%y)59pT8O2+$6N;Kh*hD|X0byOg@CAt^tvL+^|j>@c74NE;=Yz{q}GeBg8 zyW$C7fS)D$?q!;^#kO!;j&F^LrZ(Cw-qI4_WKy|I*ET7AfwEV-o|c`}^AF^4wx_MMUbvmY4Wl{xvh=6ah@`sU+Ch1?;xcl5EA-DK_pBY z^H#i=!uQHLwoxE)DPjinIiMkZeR}%t)MJM+T$_QLSDY>YK?Xj>V*)VDx7o?z+vB4) zdwux+@J$<&w%M-^Pv5q|j&l6=^*g;i?3S?}7LS)dGzO%d;wR?f+$b-a2hm!G?44+| zWhWXwcqbbE=yoFC?bGe>fBj$Ot|FJ*c@&Eisl=vjg zfY(vL^==_E1&79D0q}6(LBN(GUP~!z&HA>S0Y>VA&Tq09qffBl`@^|En)E!6R{n=B z_&p!+>mB<0<(F2N*e`9bSA93;R<9ym7_hYJ*-o#QJnO{iLgftjY;WYZZpAj8+s5g1 zCKW_gLc1H*{gP151Y)q4ciJ-NUqXXSyU9(`ChOisFNH>>@`*M=*??${q#PC zMARrz!v6i)ySK$Z+-+JTzpk533Sb zPm3@uEjsG^)y^?ijK`?n4Z49YpB|Q=>@l8SC&4mHleEm)oaak4(I}4Onl@kS72A@R z39_f4fg>qbGm)`$E;C~>*yYr;gEQxa5NlZmLRX%Nc}jgC4;GX`u@oyq?GuYY>b+@M ztjofy!=70-Cb$D!NWCw<#(iZiGH8_~5QchDZG2PKs;{Mlx$ed3VzY}Mr3oF|IP@fK zsB(CsMx?=3soj)Wbd0Yx&(v;v3c=jN*0Qfjs&q9TNgNvU;b(3Lp3sGo7iAu#p~$DK z)$4ZK{chLocY7`KO(u%$niqvwt&7|?hA<$CO+wl`WJ9cS(-KmzQ@`#}e1IB{l7(9= zg*yjnQ4+*uD4)?)h1F1yoBH`w*-=Bvm)gmpx*swVPrU*+RykhHD>yhR!WE`lk;1dp zQBPZX&2wgdeiTO{DL&-#NC9y|S*r6`R=Bn|ierEJSjCYAaSsF+~&!k%I@shE*X$vhIHGKm+t(5+HY<9nK3yw0jxAbu1)W-Wv(fHkek(t|;ts^IDlQ8n{I?Ge=50=8T>x~0*w(`iLzJOzRUj;eIM(zD2HR`|w7m+>Qm{_Ue z&_Z3ig_?mG1`lqb!H=xYBx7R=Y&tMh{QmIrF z!nVa}pB)vfv_I|-U#eDK@e4r+h4QdDk3Nb}P28t9mWjbZ*zJX$M^>|k-;T&V&L@ZO zWjRAKk;D*NILxKA?TDCahM4?LjS-5Ldd!(9t1HQjW6Jf;+6HKRSK2krvRa5<_qL zLKBj{G_=;CKthQsfa$m83@uQ@0r)@5zXzk*ZOIMV?Vj-wgr=8zK$tG*m*r>Y_r_k= z>w5ll;`fI5I!fko`7xYrer=rcCf&(_dTksP%5Y8A!;{JdtcnksT^nLN{Lbip`jU2b zt#8L#W>idBQpPa`ftZKZ#lH3d)LJCol4~ESdTiuW4>YXD7H>a%DHp3e)GgB3B)&%3 zxYbLs>UF8EWU2v`Oef(X2%YLo=m#z{>{ zY;`@q-Szry-|Mx}`;d{{15!^}tLqKhzSnK{ykScV2XBlOPf8x2q93?XU!y{epuA$$ z)3XoTiA9MPmu4Y43nB6=T;8IOAYlek5?L2B=DyStbBpB|)q1OBmcNpod>ekU#(znU z)os2@l-}j?1dJgUQLaYdrsr&RO1Es6DS^##$>WOWo}Kx+%$Hj;H(hACFV-9z`?g~v zI5}lvE|ujJ_tG@e;sbQSiqgay8!B4ah==r65ZR8Nz_kIqzr!TE-7~m8%WihS-o;aR zYcaP>GziX73-molloD|3V5%+nmQ$=0@an72bW+QWtqj*J&ER1C((2eUT&qs4?HF~b zFz9Advoox6T6~m)WJ|CaDk>cYYj23ngxn`1Ky(Jemph8r=`{vRQ!XW$&DaZY0Rtta z-WEn?sf}!n!qz;`uhJ~sO_=(+D(qhKUJa2uPx-?Qyv`STxD|Yn!%Yv5W3w+?W1dnf z$};svZrhhr*+~TEXT7QUkUy^r;jH)Yh2gSyx3ytp4Y%|{BsfyhUmj@!6A^&liXPgR zJ?;7}Q%u>%j~|VcciDm`QI6*gam4Xq8>GZO+5v8h_zJp|5BH#%I%AZ)kHP-is#w`H%&B~BJt&)!xe*X zu4J0I%zmnk=#SOHC0h+$zQ`p?&bJy%Bd$?$^%{PP)oVPT4EWgdXc>Fx>NW2B?LPbe z*n79-#*s8lu&?Ws;(5+G=_;oPd)=34~(+P!cOU zUtn$T=5Ec_=6c_59%0RYKfnPxb%MlDQ&D9WOyP_l?!W)X?{oOiU>hmt9Xyswj77Eq zn!;(c#Ji{TbPl12`57oZ?@hhg*$TzK&(j6q<^m>G5jELo!u zC&%wUoxg`qefIw7-N*NM8Gy|!dCCfrzA6pWZ)^cH+0^JDRu}sH-pPgxlv1DnD6BnM zAtM9~hwsAB8V`v(9l97xomE>^dB7jcf5xKQb`t`+9@g_SQ7N|`My0%sL)m#!M&?aT z@9;a+(DlyK>w4!_U2kYy_jPI9j;0vqM!L^pRa;kp5y}=UnWG1Iu0|oP4P{zeST9vp z0%{8QFOPyC6SGExZUUNA6+u(ewwk zinsur!?ni*osxWU3h}=;U)uVdFK^L*{6~2oNy0C0)r+3XwhewG$hFhJ#2GU~k=ADs z58sp$k)NW8uIaQ{fIPg#wuUkA#AQ9SoVUfDo6>U&g|jYUE%kNU|M=g~J7(-cYqm1S zwt^NS@fs3{5*vkUd3X^~DL`|ecBoXJRFJthySpEO%q_lF1(~}ZsJ5{lSb(SZSHl(1 z5-DA>D~cE(|0)XvU9W90B35wf%B!QD=&Mk{4e6vlH=R1CFSOLFr$CRZek zxRfWTBR8I}(m9~oo-9svvN#C1O(*EgyfL62m!Cwc)#|gT&H8D|b2kdFXw20i zH|$bMf-sha7gH)>m~o@namu$BGuR#D4(`3W8Em&v{(w?})&1r=W%2wi%KVfhRAas6 z41Aj~cv~drtVPzH?hd@Zsn_#ee~Pi3wDrU5vU`3YBUEO1{Sl#cd(7D=m8>MFTRPsX z)6i;@0eo^GVN+Uq+rj2xssz4--d!WgT^z(;2zYDw#s4=Ux8a!UIB(dOG*}x5<4CaC zMZ|~3jtTlNZfPI!MT?p|M(_I@o5I5sj+lDW^1u}7-15GQa7o!JpP+uGvjSo1cy*Tr zi&A+?QNr!tqfvn;2Sb3bohpQ} zio?8>^Cg*EaBG@3Q6iy&EljT|iTwpl+raS3PvvK}lT{S8U5{UU6T2oT0o`3qS?p=LxWcC9DPz z>%f^IU_MJAaRGufTSbbUdO@y=02M75AHoE!Xk=UoHif5YJu#L>8Gt%(D zzzV8-0>Du%;^Y9xggopu6|$G;(M@Q&B(X@(N@oIHg~W_5V*x8HDUA8A*Ao=RvgS(O zrG?y~2b5^I({_R2n##7(3fOQ9x!A*9+!OlumzW|pL+4>UkLY<${L3afg)+u>D-y{K zEJbI+1lAi>3*_U^ho=dXpU5(d)~YAPxQ=+f4`G(`8=Rb?89y@AG31les~#e8&}J$B z?}5M-GXP97JAw(I!6kXtRz?>A6q;hHK7^nE ze~8jw1Mv{@QI2Bm33BB^;-Jtpx+n15EbKc(=iD++NJ^G8r)h>rrU#WeR5+*V0@~9R zfkfRgtTrE7Y5)(dbY;SUPpDts5*ah{9HJm+p!XE}lQ^n6^7RfwaOkh-fQ#&)$$th1 z2yzYDn)#Wf;oliw#!p#rB!P8kDys-^sr=a;ZOfnT<&xzMOZWs5w$&_2F&ppS91e!N z!005tPlufz#&YedyJYnN$Gz#ndLP=Pz@dnPhh#qz2OOrm#YC!;8?4aiy;bQS@!mefhuVa^Hm(vNEiU) zamQ77qaV(Z#>pcQMkf-{pKo2R@)e1qHKI3uw95E&5#SH;8VPJ|MV2aVVT24VOm>Ho z4dkG0@PQwDmL*Tc$Q6}7DsR|Oq=g+ZJ3L8MnMc`q z&iF$L$f;S%mbg)}Q8pYbzP!L%uZ`PKrMka-3~y+l7~nqqC_m>HB zTwURrU$bIFuvld3FOE;e8Yut%{O%Mik_?`yfbkOxS;;u8rn*f4bCM)cDDWGmj8AlV zo6qk~b&rmTavrf&pog{uhzxyctG+c?m@ToM{aj%Ne1$oqGXnTP{Qg}K0Au>DCe$Z(T{G_++$h zJ-ZG?0Y1>1pZQJRVtM&6Lj>wtNXk}mAS#^0OqS@0g@t=mB_F5sf<|bu81v?T z0#07m?hU=(_z?c^*^*1G)gKMVgU+z$ii^q#C(%JS?F_Vy!?*H@w-2Q{AE(Syiz*LU z#;?s~JOv7!`4?d`MEEm_d@Bm*EQ~`9Io|IG&Ztgb#CaZL7`&_%*i!$f7v&-D;Qs4b zlx3vyfBe5PQd!8npyH{J^x%-8KPX1mk0gw962>&m8ifF@H9dPQzzN~A{Yc|5^pwE zj-vnqD1>FrtM9R}1i#GZ7=ZU9jZdP+ku>gPWIz}Ts)GG+FmiX1GA85B)E{6h-H5v0 z!=MWcRpRG|9}tu_*v3fbK#X#y|h&!(!Pu2@OauMGrxziR9v-_!<{a78u*Vp z*bF4p&7YzTue-!~VRezxB9E)iSDP-_r0CiyJ8bA8U1fRk#WdRlGKK(p^Iuy(sUuqd z{I;N;seEXI*Dx=$#_H{s;IQ#Dnk|-!WfSa)pV0_co>rPbpPsM1I+x+2~j z_I3hMGNj#Zf7-`bE*-TyK)Mhh=RdtcwUfcb*OsBJP0VaD0dB+0u0Uqrf|zZB@S!{K zwGRat$-|md99hJ%*`(rZZBlVIn^c_p)%;5{GsmT&Mszx^+zJvm9|G?!g9{IcMDJoN2UqmJ6Q*{GxT*cx@p z`)qwQ+gfs}y(nA9sX3(XIWE(cqTbTqhD4C@mihg6>^d$G*SBINJr z`|m~9qCRlOzfgZ!+7@k0DE>cR!i#LkQGM_$nu5!HP10CW))il;LSAj2xLPhrx}Kl| zRjk0@=Ad#^Kr=rL6Y-4?e)|pm7x9!hVFCL6cfLLw8`bFHd%_F_aKQ$DavzZ1RXdPy zzsST~N?(&dE0)s9EaV2!ndqDTavDY~mtZ6_5=B$uUmhi)e5WtqqwZn}?Q~}Wp#jEn zEv=nm?ls*$az;H{ju|~?VZJrVY%k1jsXE`B@ww?!L{L#6i7!WdM4+S76QoMY6?Hrb zV|0AdK7J?iK>}hR!{|MpV{~xkPH9eDXvp0Bs8HY40wy~@53fj05sU(}+N#k?_@;@y z%|IeTAIOf+3pSre>LTwnxxAz{k$8)>`GN%e@hXKn zkYP^+lKR_vG4@za|LcGLkN;bcNs)y3VGf`T(gp>3${DN$C}q0=TsL4&1N#dt0%LaKp6F%FwP-U9BnuNt%hbl)r1VWW_a0 zR{0`^fB)X*LTw)!7i}3ACG&Yo=Om{W3@W)vunc2a!>vOpOjQ69bXp+8iIQEA1U&YAvD#^NQB1 zVJWM9FX_CZRcctIk_5(3&ZHt@aZ!|0s5_0cBMQ5?uE2$M0;_x%g`dNbOMJJFv0T#X zuVnq^kS}Diern6YveR{?b?dsKk8J6$WLs(^=#Q+|)T3X6MnSB7O7%?^Bo`Hc1#PeM zHP*MUv78u7hXurP-*v#8k?7Z$<`eW22_rO5iBD&%h<`Z1t%rhD1$id{?0uG|)X$?e zO#ESC>A$K>Ku-d2kn}R5*`%BhP^As$NlHm@%;GFh3BVU}k?kUFJo7!jJ9IIYO0%}E z97Ece|G52)Iu}cs2Fh7PQ&q_M*MDy~TZJNaA1b7CnM1rqh!C9+WwM#Spus9q)Hitr zb&X$?#qe~QWOs_0>;f{6gnDUpElKsXQM99KVoC)&MWGBylKWKVh!d9N=KPXgOBlI( zR>O!R`ON$rXCx1^Stx)e-mybP!k@}N5Z8b}mM_rq zmI+G*20N4;pRxc#^w4jZE1~i0VpD0ps+grf-AS2X0Fz7A#fNhf`-H{li_XG-5nUN? z4hQ{RKz{c+9pa4%#&Y`Co%P)j6t{_=jarfI1@rQN`t|ZHnNzS7^*==wy*x+u1FBY2 zB)j^~XvU%|n!Zl5ieBn~F%uLs%UpotDzKL6KWELnhBXIE&@>7aH%a?<|i1G7+R zBwfA|Bk-c9V_pM22ocfASxTRrvsnjOJkvSh+sHsx?|+X-yeP`6iZR|0^P_3 zkdmLQCg`Bs=`0V_CT>(gO^(~|d<+i^S{x;ygawGidDv1hhzA7(9vKce$&FlO!3AH+ zeL@ijzimpdXslpOSUihDKKjcslh#JSqsDu+9vkR@6QAJSpx-EA!BL!tYJg8v7m`|O z-mTIwp368z7|$gNrr7-chWaZgvMQRFHbO9^wkC+fyuV5KawW>U%3V*WC9qfQT~yVB zxf@7j-QY>QxmOJLjeCgu+!6ILPr7fQXG56I;bUa!Y->StwzZ($)%tbc7PNXTWajzz z64`xXkcAD%*Py{`TZ16uCk6_-lvEKS83ZnwCi#K-XxT^p=5WyOzBN|v*VBV9r6#=m z_fU=(W(AzsAHY18VoFlRpZob&?QY*2481YNa`~p&xO4OL)0|13d;*1ZvXN7BBaGP z7;<|(G3d_ya@B?q!%SzZxo34BalW3AMrT;=Bqu0eCk*mdQ@S8mAxpmqTG7)ZbmbW` zdOcx{4q)QR$iB+#ae0{K?>R$Xt~}AMP~{0$lH}gJJKBLa?@fcgI~!pv4TRbe|IrAj z5csbLWxhn>@`mwT;#9O0g_-p86}W@)`wch?;WYTks&IuwQP9y9P05^o&cjF=qZ2gf z6vn?es^pc3n;K`BJBj^zk9%Gbi}*^93`eMOq^}0Z$nV&-;o2c?n(A}^62<|$KBqp5 zgKUDj9plLo7KJ_lSv!S`EuQUEhDX%@U_2D%3F35`hER(oEODiLD=#i*f~nfoBC)P>BRs4pk`W%hSdrw{ zlw9g%POJo6FoJeHVApXTF4g$r;tS*X4sc$3J)ZR^-dcA-i(o~uyYS3% zoR)6Dmom|rY+RtBU*fi>>wcxD(`!Wscdfl>dp)&vvD#4(pfB_$PsuML8TUm_T8Ow1 z;n73MHRPj$1@nvi&GS!of9wsW!5CvX>+9F6j+$NM@E=jJlF174W7$jIC^Zu4t$gTa ze@xjbnTXm1$Uku-=slO6?pe#3tbqaU*A+#S|3KLX$+$};L*sAd*(Wi|*pecjWHbZN zbO3t+1q+30RK{M5ru`86dm@*eK-|pYXh2-FcRuSmzmHk z&)V?u#h2hmE2y4^V~z?4lbch<+8DF1Q>Lqu{mPY7B})bN4fm6cO2_Aq_m2C+UT=i4 zoFTR2z2hOod&k4ASWg*=YlAkN*vwKp%R_f|XA* zB#^aH6vmfmO7m+=i~D(@_^2{8)orO_OQ!Y*uLIF+J$OpGTo*|hV${b!$cMrXPYtR*7xY57_ zVdT?7(%oJQ_*7LbPw2#TQIQSkZ$jjW)D$=3yp%!;AKYKyAf;d;Jo==xwlh5-D_(>5iLB%qP*& zoW}XjEXyaz^#Cg#yPF3{Iv{T_9v3_3ALtd0CIC&Wwu&1at#WpnvRPs}wX$pXocq`y5(5+HZ-mZifl!*s zW6o)MMbpn`A9Sj%KuGNmhoiPSuzKPJqy&8yXL)tkDM`t4f?V9OOS}5AgHczDeNJQ7 z8~qsO6@JAeWeJ(f%%^x4wTlk`Dx-4({P`1PX1Sx;f}O1}PzMKL1|KQU=`zXBsL$e< z8f{GIA}EFOCP246~tL#Qn%1St0i_|SodOjeI?e6gVJI&dUcD@jFMcy zUqs=I`fEQDHeHg^EN6*eP+(b}WyY-AW7+Y&JrVjK1T!NDv&8dyUmor@3Wzyhn2Fo31E*opBK z^g6EVcQKYrLG94m5KzbXk3bz$p|zrV^>~$D(bMjz*Fbrc{gM=E8R#4SaE^pDNU9-( z5y=WE9iP3+HX4{DV8}IzA?cXW91&d~XDkW)7I$Q1VRt)^vi708K&x_r_abc$HMyF? zSCrk#GjzGG{QKBkl!_`~Z8=W(b>KD)r$h?uaLGv->HN@=gt4AMnWF9&J;Y^Pr;Hyq z6NJ4>n%Ovp%{8xQ>lNJV`FFmW&uNw;5+f2pxEIjVbXR~P#CiVONq6SaQ6FPDBkRYw zdm_f&6UNw65rpYbpYtrG0M3(^0+=3++v#i)s+n7#C;(obPnJf*eVtE(t+m=CJZu;; zvGfm)aKElh`Y%u>uC0Fks%S<6+4N1>SX0`)y0YoLK-q}ah&yD{Gi777oI7=8(|K{S z8OiW~l+Ed8-~J*BeTUWNSOe-5*prE3An29nZ2 zWr&u)BXr5)bGi$Mtv?*~$rNL0FxD=g12fT;R$?VsF2ZBQ%ZdQ{r`2-GZJn9GCt@>E zv{s1Z4WQKlvy`x>Vz?6e{(IwEP%M{HV4uolCyse-76oV_mO6% z)6FYC&S-A10ZfOJpCdPhTx9{EdZh7}=n8(mc?TXp~&?GC1HXNa*J?6pB8#2Dv4o*3i> zNB|6TODX*!%2rc>+k0>TsD{y6fcYZAcO@iWC@Vq23IM3H2(Sc=hGSy4%ffl6bfI}h zV?SLdML_jXz_>0*6w!FDD55ju&+z>MyTo78wz?W!k}#TxpC3xyP%?ZQXUFPRM&R}k zktk!3xi#B=zB3T4%dJDJIG`z?appCkr7t1EYKS2)D?`FrTb#ZmiJ)@gr}F*g=?{D3 z!vYn!0GE)PCMXE!VNN3EQxcb6GYHUZ1>rDO2|@>4==w8|3@i^C)Of-m&h!O~%LFtc z>mR{%IbKlza)P=BK1QlXjR||vLI5*?-SWl}hX1RLd1QQCS*az<9r8S}eRq>8{otBT z4~kK_6tqcvH1OdrFw51<(NG{cO98370-P_2F!~NU_UQjqtalINO zP{5|D5kFV4#0}+oP#Eih!~_*spiu-CaMt8Ts&Vh{#R_&PTik_>{;zHm5ewug;I{j0 zxfGqR{1mWZ*p`49;6Xjf4DjFuN=AWu zh#m|hVhj&#%ES^xAK?2x@)ntNUz|+3t*&bsEdfpV)QbIe+2E99 zqLj>lA3&ex%uv8ArkUW3p@Gtuno1P~%!e{jX`mJIvxMIFT7GBril({UogHA$6ph8i z-`5FvM=W_`)>&4vJsmZooJV>3r8+2K8&-ULMN6Tq%;$H8Iv$x0J3Wl0S5!YX>WSc} z_b`Y5HisVF?$A45#i7?0dkY=N5NfFy(zO=Jzlw3bf%dd6(4I2c{;d!KpTAVTKXctq z7h^fnYY%W&^v=5-iLZ5^9_%VOmh)h6ET;;N<=DZowqZ;O_^C~hDaQ^n<=8-`oQ6}u zz_LC>_gNpJfery%OvVbRLEU4{K5J$CtC)QokhBh1WvihbqEX(_)igsr+T8sJjbXa$E ztAo_-0O0BfD-(rU5pRE1+|oH1^PB52w>QTu5G;$(dB_r zm*84UCQ?clTPI4cv_|{wWIQi~N|yF}gTDH6bFQ9-$DERdMa7m^6T<*{uo9 zyzQ>)Z`(y1(%AL98OBm&)zwrZ$YPJWviBj37~sch==;*k&M3)ODa{&{j#Wn_0=p9h zT~_T~O`_F2j5pTo+j?7}HKQZohdQ1We&|B=9Vm5*-dr4?wm-i+mH2Xnn!PwaRcFN# zaA$(LUa!|xfh769;(OwP?-;Vwl5>Smj*>v&t(8~=E^Sn>IelWe#2{X?74o4V04>NB zMFf3*cWQJWiPSZ4A(EwdDQtFlbjzK)J7A|bR|snv@V-uSw~FWm2$0E7WEn=`F5sfO z-pr?i8OCy|*Y0l`3}6xs2GX(C4Q<*ib+L!LxYy8twrqyZ!+0Li^PKpXO>_!bp?511 z$qg)3Q$ugW(l-~PTAxCx{lvVEFkn6amF^6koT8Z&s)TDiIlb!fNz`U3|L=joX*38m zGCQM&&tjh@dDfP1mbGNQpO5iiMWPk}$FvXCesS62qv|L@3!b6$*MMuoLv$=~2YzO0 z_;<$V{wWKNBx?*!C3ZIEhnA*}wJv=Br_O?;^iT*7n`+%Z~K!J$wpzv$z^?UsR z#&TlSMoob=so$~Ifukp*bcZqcIn(rug;xpUm0%=RNtZCUM8p}YQQmzzmmM$|9RXZ* zI744HsBphX;IBASbNDz~WjRfM3eznAOPDWy7N^{e5@SvUYZ>%jP6bz1CjbLksRBqA z&h4N{)*pJ~P9I}A`s-Iaj+$;4Ir8_1AIgN!=!vM7k(Fv0)uLLyjcEB+n&pCGxlD|_ zolE)3#-scI2IUeNuuQSE0=6V!jHfgw6_(+@vzVG}SGTYrTi&$HVSERnv{Pk9E8&uAQwn8oWQTV>EySPlqV%Rcvdh}uJP zJ6ILV{`jLpd#>f#JmgMyG{PeJvz?yfUtrj4hNP zz%*3d{UE^fc45*UEZ13ij|r|XUkzO=`#|B<$nJ*1OIWiN0NMz{nyaj0P+)VGSc~oY zbt{1TFRcRDZMj~{g9_juSIb0~x0kY{eWMK6T4~p>3ysi!Y0wBlE}b$u;MUY17t_~F zmJY|k%;WaBR5m+w8Erf40=fgWgq#x5IR(wSsQ1$FCV}%o)lg2g)*x&nO90 zAr)e=(G=d^VJH2Nj@{8-{uxZAmgY_J|IH@4DAd1UMc`V#{N@y z0|7b%4A>w%PH5_L6LP+b>;vr#`hA}p#A4Fdj+S~5H{w5iE6DUygc-MiQMc}kMSY*c z9*Wp(HTDnf#JZcCyWM}1$A|He$++umZuI*91W)%lqosOyjAUrcRD8;A{1@cmE@~U5 z0{R!^Vt0gZ8s)0`^4xqqi?f)UTT+2CzqNyOAoYhXw;bintPgkCZH|y5ek$2OL(hMH zcWPDjiY4n7JueMNJL#K2`PQmjn#Oq=Dk@6V7)yen@DkO{xrKz$u}G-%wUUH!Ca#yS z6WT5RCt##3T1M$yVG2XA+cG!PuZHFKi0fuN+tEte^(dkLS>dl2Dr_z}ToNcWj-%C+- zT5i_}jsO&x;ob;FMA?-iofM74G2KOqa@HBpsXxG2u5f#X&$ctS)wwq=+JAP(&{`+| z8Yb`kBb(^>?A;E-n%${C?e;qu%gJ1O4vV^ZSJlmL>j61Fd-o_Pu?IywzaCbYwIqMP z2YPt(#!rK{Vz4J%pNTpJVM6jjz5w2|%qT{06!Lm42GBNn(e#+6`RB6}qsmTDBxV;W zi8E20uEq6=^r)xo#fp+F&07f0T7VjMLD}2y&H6KnvDBqcp+ZMOg^F_DXVIZ|YDZ@m zStI9xoq>;h9+OKQ4_?RA>5OI4`KRzkyIRuSKZ@7KQAlGTYmt*8XXxU?x!_+ZH3@ZX zKwbMPvF=??d)JVQ1+1%Ix9zU~(%SAoF0N*9vgj4HVzIcaoOYR=r(Mz?jxmN6GI7Sm@hLbTpWmJ8M3Whj%V3@@Fal8En4R{>$Y}a^<(g;O1ld?F40%s*r@z zPAz`D7Ldgr_J#)5hs_Ur1u`?4hTnoC0W3jB1z(z?2ogK4%c_n6Z?v)u`w-$Co4i`5+Um zgb1qyO`%NW_@sUOPAoB!cN3%cT)`e(xl@`G7n(RWzl20w+}Ml`4xsMq$j`$oAixVF zmZLDv>0HukC`6Bv^0c^k`#a#Fi0dP}qUcm(ER|NvoS{<|m`c>*+wHG>z^758b-G$| z-$gvFArXs@*Tdtw0vW$Jc?=65k1w;uh~YOCKzw@S7~-)yF?%c?1HKK-QnI9i$(S3; zNy?Vy^x8oJWk9>b4#8Ni8MT9VBhj8P8Z=#4Eh08A_@G5h?P!%RSSrzsCn!i+Qa<3A z#W{`h)&)2*my{-rhGQ~9Zz7cH2GtTQXtMdhLPlC|QbA!z?8&FJSxmaE@f~0s2c-11ibNi7No1xEB{w z9tqT}mdX_yMpnmeMC|37Ah^3{l;m&bq89V*gd3qSAZdmYl9DBAqa^e%jYePSvWL8g zD&c(owPHM-jXRWJEEkR1?cSiMM!n{EOS|`G=k>$esh#I*r>>|PIgtUfPTeAm5s4Y- zIUVF~>hNWl3t%ENr4hT+qbp_0!Gb5NFjlUN1N0m!reUXDEuFaz8127As)Ho=T-NEOQ#E6uXqhcni~J50C0fWAqZG(Ki^1xHKfR z4j{T{d00os9?PTJv_+DT-sCifae}T~vCvET*cq+%Qa%G258?9RI=Z!_IpK~7NJ&MN z4?cuhejvMW3@N>qS=BF!EKwG6e*xv|ggw7`GVONAjQAK!JEcDKXSX>-j`;cE2b4~U zFWYWUW{T!rP-jYO%zzne>1@^+iv+kW|BoNTIDje%pskVUxH3- z>qpKmXvt6N zMMpv3POy8wLjP^81<&25B{!X%3Rv(mbDb`xrg0#+NXk>*TAsDXL!7TT{7?;M(Mpv6 zsj}*PM4$fo*w6!3b9j%1bg@X;HKJ+CQo)@=Z@AwP<|rcE{XsdI8{)Cr!22nljw2%!1SS~B|(PIUhwI@kT%+=%&9nErC)F60F(1K)W zN@*-eN@&o8rgMIP2=`^&U1u7Zc)FIrh5U#wL|1_8LXj^h3bS0K44a6~;jWhBU^^6y z=m*5JFrx4eUw6K5iw9^2>zFJicUtJ!r^RlxtT30+_6( zQRugPn&yIj!r*5)X!FgPtX1(~VfMVCm790G{@*-5oRdN_)0okMcgJ-u@YVKtS$(Ok;EGF3o1~ME0aomZdjYRyM4R%+0WVLiTa9pN&;F{K!Zjh5~~90 z*A+?s#fs$EfXCzR7nlk=;8~{~+9zX-rShrYl?goSUB$CbB<^My3q$NA7u|UY|2UZ- z8Z~J}a6|2)akY0-=aEdByF-NNO_=3jJU@;|xP-VNS3dB8KeB*M&>1DcU(ztAzr-Rl zoP~d<6XbfMkD)mcd-ia^9*??Ncq6M1vQthfU#6jwKbEdR*}Uj6>F&Q5C3esY^a3Y zu7yyP(?SV9_uCW|5<-cf*}NiYJ6*+X(eTjX{z{tDwBSLy^T-Wg`Z&ywMZYplO;baa z%W}unK(|9AL)n5|$HEr|Yo>e+^Cd496deeEwPhgW9l$B7PnxFO!BSL--1%Cw6-rmJ z@X?KXhgrs@U)HYHHGPk#(kAa1Jg=c#tO?JWkR81j2-%_ddu3|Qh|jA^a9ws##1+i+ zT|{=kA=vNuWIFC~2MlyiU6nI*xh*twC8?>(d2Uql-%4QbSV`P$RQLkO=@t?(F-a-h!m$SlcdEQn%Au0lcpnx6Mdc(6BY2CUGWA~*wjGdP2 zNd`w*f_`**qI^d~7#0g{uZ6K`v33pD*|ROP-MWy7-IoT5DCE%*gCk?n6-9^LPPZwS z1haQTbRo(*L16!M4QW}F&0b6Egq!aWPBVKLc1ZX(=#Zi31{llbwtn>jH|*VxXp;k~ zrbz=GHmWv$xiq15ABcX<$AYF5(Gao_29a7xZjOZqzg#3x$T4%l2c_U%<1-ux;82<`tp zC)4j2EX&RLWo_%;>-lA~WV($)9#%`HCJt)%rQx80JUUR2c`nIWOPwjo{ue6)q{|`N z!!(it@<~FbVHD%!h14}c*E?6!H(^20i7)$+K8wUV@ zE=LOI@=5TXD}|L#{W8ycUhzStnj%cPnnq!^puu^GfNmrFQD{AiTX3qfO)YYIL9t#HRcb|Pb?MvuCY?tqF#*v)YBqN5}Jy(ae7`f*zucR2y6W|8h}zjgI_*3Q zo3yC`tUkzIj&yINMmhlZqLe0#D}G^a7jyr$cp)9h#sJ6^ba@4c3(Ew!(4Kqd_k7~c zMl+113aD)^Kuiz<9Su}@bP0v7`ixY>5S5qTMhl^w%;ndX?S|qq!b;Ge6-YAqk)rY_ zSw)eW|0lCgEI&%NYwPQf>+x-)gHJj$a?8fVBc=}?~CPouOu@H~v= z;Hx|4ye^oi{HN<~R_oseD~L8>1?5?>EL)$TuGi~zRr>XuirP7ngPmGPQy16Y4lY_vo3$o=1w$N>C<$ZQh65%p?%=*UfTVN&U7hwilW9! z0dINO7CV4U$y$%>Y^z6hHtUg{d)6cGS(UN1muj!I;~7mN;!|Wmkiuw_xDHe56Fvgj zjBAsW`X!huYoFD=iVIS#7XrbSsuBX(g}$3^t3DY8BT6uq>qhMY<3V$X9Qbz&Yzv?L zs`Xn@`ZQWFXfVK7YLVLEs*wm+ja&&X@t*;}_Zi`Iw*mNC&~zQUt9N10 zOcHqy0a_7cLOreo{weoOQ{v}hrRIkiWe`WFCz`xeK56NzG(~re=y~0^p8)R&jG1d~ z>D=p?EBh((qOj~r1o5B0>LHj7`=p1loUBij#uz?P8l$6A6+#~O&sJFbV7qmja=I_A zDaRN@-26F8^Ki!J>CdYvqzAJwXXzRh!1iIJ6NT3P#(fo$tH5xlDZ7NSM3Uwx^jVBn zX;g^BYBcPzNCf|O&LmrNrBWHOSS><3s2(4Y)f@L6+D%Of07@13Q^EuYRO5Ien z4CA9>V+V}x&lxRcXD~VexOfQ9sSl?5?f!*7ENUCo!{}d-i`@~vX*lH^kMo@D1Qs)W zD?35MkvSskNd_eKbL4caJ)2%#=xOhzK~KY6cXicOOs@qNtzj`(`!V-b62QISFIY+^ zXvwa?HRM8J>72xp|8)m}h4HNK`Q0(bQWw@X6rdp!{@u)B{pU|MNTioD8bMVEY@XPZ zle`04Wm;6?8tuV&=&20N-Pchk+b&XpsM&nmqS95S*QTp%J!Ll&7k6FZ0*c)}TP{f) zOweBsvIXSVeEzS$Sh4`M&aTj)(-Gyd?SDS_ce8Kp6)7*#rX}MGx`>9)TM{THEKJ(ZlJmNBE4EQ@egz8e-exr&`#ihS0yU6*~XGYD7 zPdlgtbq6kSdl<`!Q@gGSs89N;W3QT+D|gR5luhB@-E)q;d+v_9PW=(gi>nWkGvu>m z4K(hnOw{Y4pWt&(ig0~fj&Vq;>I)YX!(t*_l#2w51Fbnrba&3Om^#+x*L|HjZc$tP zksFc65Q-xO1sb}NkYgk4c5TUk9Z2T>C~sxScv>>Ru|*A`yacgNSMv!vUQquMrXy&2 z5xO!YZi$?Klla3W?rP%3h|N(%uV_?GC>kRFIu_~viF_o8-QpajGze4bgGF{tr_vBI zS=^o-H)!Y$2eTo@a<#5))Q(1A)WXk3w+1)K(3yN`(~&xY@NXFNA=Ly!)h97pl1t&J zl9(FO${@#V)VyOWdWg|DU~SAui{}t#uG(Q+u7-I2TU^ki5n5MErpltd!1^)_vAntM!l+zn< z4wocHZ+x~~viNNiO;@>6ExPzQ$`~TqrH(THEfY;4{7gx&DgTmglRR-I&2xVI)(3*s z6ueW=@bAygemTSFC<1O5K7Z6`6^Dw(sCVyw{QSozIz9Sya@<5e9bFuKXo^#t=r2cS zpM+daKK=BIS5n1BuzM@z*8rLFr@BtVJlC)b{OyiGtb900 zUj@B6{_xXVY}}WhB)>}-qyOXlmrqUjKp1sBE{O5W2cUpaH zsL7O_MJY{03Q2bJX}~%#w19(0O$|tbUQ(LyXIRoDOV?;hXH3c+3Z_(lAYB$&(un#w z4G>%9$tuU_Bt{uqQsk42W=-J_%7@{r={%(*kJe~GqePJik=UmNcTnlwCR}Z)JwNHJ z@BP$<7-|5v(LU5EV{tX{r%pSI8wlUmX8~7i2VSSs>~=b>ZpS+)j!9{ru1TKLWs+y6 z`!4fqfz&1Z$(LF2=zRIHwq4xs@uP4F-=LK*Xln*n3u8Z81$^6rl0dc>@HgW-bugf; zuu#!~xC8BgpCsIFH)7d3zWVHyDBS^>jy;U!WT_7t=n2q3Pi5i^t12myu7;JR z%mQU)ZJG;$q!hL)BSxKga;lB9lNpq=LBEEPNCW>#r@2B+gKn zf0scA8jZO-!(v3DNF=?Xfn-K}D%*(F_LI{LLn3}j){sEg-WU_EJvSM}my_mVOle?t zN{IXMo9S9yeKU12!8_}qTX|=t+@6cXwNL}&ZwZzs(gIsBnYk(R`~YAcrK52dW2pmP zSRHQPsKW($+}nH`+mlf>8TGt78TIyTcn)Q|yP^)w%QeS4Xr~y?rh~xwb^*Z_4) z1GN930cy3PYW4?uclHPF-2m-CW=E8cmI_Se;+v!_p{Y?)3jILBNZ&!K$D>^`9AYd7 z@{^HCh%SS#4^{KDmBo&=vRDVtpQW<+-W9?3t1P~yC|IMz*o%Vo?gthHJ9f|0+2VOR zw|btBcMPqNt=}}-BQ%-{m~6~hGz)Kb5HslqGjHr;ER|Pnoh8bc`*(LH?1(!4!8)+D zO$Um!$X5MWXEJ>=51wW+xspB0yJl$n|cQ(0T~CgV1%)pXSJtS4@`pIOXin) z@Qm9!t0VyG<7U;+9<=y2s~$G129mBocI1FH)6gRRW(7Qnh`oU!Vsp+vyMpTUXJbmH z7)wo6TS1KhFirgYCqX=FJprx|QMf|R%K|Ax*DMiCQDZVP*=ItkR2mo zNp8+p=^Xw9%y>Sricni255C9f{&F_>*~-O@s!q((4`w^?o_$fzguqx#vcb2N_Gu=W zs15%qyg?}?K?`_++xaqSXhDC|W=|vNq0(l0jXM4Fv0}u2bLjR*Z+8Hv@6CEMzl*Wd zYV||1!T}rfgn7dk%*-cTqXBg3NiG)ngb#sC5Qy;E&y5;xBH)JFMPmuzX z7&WGPt9oqJ`(1gMQH@9WN|nN*(ni!TyF(HDDVHx-YHjZ$2ZQVAae}B4Cp|4$O`))? zu#evq)*}>FM;Sk-?|u|cr-?+yNAeDkAV#h?9gi@Ux~zVaspv7aWE>tAI^0}~TQ=v! zc?hoCLy*kO0sn1yvN^V=MI#2g!K4_g6-KZyf{ZX@HEJFt@n(8P0Obfp~Zn zBNA_b^TT~M!TM2FG;y2JF5;&wGeY^I*5*Y7{T*A--+7WieG&Dq2I`%M2I`$>3e-EQ zq){QOZsIyCvIhGy!NS1j_gm1I-;eKpTTM)CtPX{q-2%M&P0v0|&-PoMGEu9Q(fs=Z3p>*HzqMMojDu#Y6|p%6Xo&9tQR4T5 zFAZmhPk`mGACWBkUW%#(S~Vt-{rRjkQ0TA!-e?`lhVNT$cmQ$KyN@=iT%+=M zfR~5f$5&y>V*X(0iliYQ7L~D8Af6Os%T$fuOwcD$jRoM3frqY?pb4NQyBcx-o7|sH z?mvY$iZC4DOcIikB_OCM#lDL|7BZz?x7)*5u0~I=2mx_&N1{c1TZW!y8OpxqI`qJm z2Hk6=X&I|TR$eBY=U6}xjj!PGj6QAL`=-(AYqVau*3oFuyb=vy&mSlp`u>o*7)y2b z!dl=ur4~5%ArKpORNR_eJKmjKJ9{@mJqT$ZM8}UtudWfs3gashg#nsH zWS(L4=FlCuJ4nZM=#UUP!&vIDCn#|pL5Zui!u3VbXhYL#X;wk0DgTEr``=5**mkgv z$ujhz8udVsV;{6yd6eN&IUE1ur!eB@(KOH6a6p>ha>gZHS5LU4>w`uuI&X8HTEorX z=IP_+sW0t}BxQf2evXnw7_p2c3&H<9Uxfh$_|hV_VvT8ilmCO|uaVS}G-PR*uc4L` zc;^2gSaSF_7U%S42MN`n-zU8e!C30f`h7xfvx^-5BND1Afhsx|Rm*zL5*D%f`cHH{ zK{FCYtCY3^wj^PUr!*&qO~60L-&sr>P?vTt$w0;Bau(54<){Ao?;`tm$^ucb4^?_f z${2RZKTsG4LT`cU4VMW^a}xW&jRd6VD5a4=Z_XKFkj>@S#SLfUv&j^kbBNAqu9Us( z^;X{#Ht`SY04Q;~iYo^~0#dM>g0@F)$LopmOGsD>uqh^3RR6ZhAS=o*Lo$>ymN%Tr z(1BE?PZEK48)}r-AZ5t}{q^X>2LK&NDG7dwqxBhMpzyPGmeXa?Pm!+TqwJ3Zdes0kx9eb;%Ww z+;d6SjfNwoAoK~hS2VKz8J$hQGtrk6yIM< zdIH&M%57QjeR{(k_&#pm>vqRejOFC2Uy3LIAp4%=c&W6vSXxmK0s=CHLbHv4T#AOD zA`uaFLtVC-@+*ijPtl)+EQQY`>UY5XKbe`8SA6)3BBXQ`XWF@v)C2rL6w4!xj$v4b zlN1Ok&??US1r1g(PDGhdu%ZT*XB341|ID~}>Db28N;e@A|VX%H36>ArFq)QC+ zP>-l8K)=gM<)b?Y=m*}oHyvUu=Ur_~VpzgFSM-2vl)74&4>w@DjOtl?#aG#;R<#mP zB=J^U(K26eyN&!1#T_&WM7fxEx-Ne@*?c1YkZ>UP=^r-d*|%`O6V9`AN_-SBDv0F4 z*Erx>@PMm*6fhscOeLzgEeO)zzQ9AjKnEIXXDs4gAH?LRG|N$v^5^vF4v+!pz$N2Z zfU#6+^_veNJ85Sz-_T=+=#ys6ft6P-{zkeH=qi#Z^hw6mKuhW*sgjBVx9GjU5jv-7 zizPHAIZG8nQPCsub_46^DX#hTkefsxM&PwrKEiE{6qdE7r5AxGT59fCRi0|`+E`Q6 z@-f_2y!=ghJx+OX+syoGP+7lAYs~EjuJ83Rma43N6cc=(u?3Fpfs@C1mdSJHP`}lD z8g8pl{Wks|JpQ}3Kme@bk~w<#)lw(Bmq)kNb#3yXH=^?T*=Oj91!I8u(;bs)HmSKLVG2_3Mx&AcudY7g2dlcZ8h2C$nmsRaEurZ5pjZbPke|Nv4cKtD`+x zaA%=SOGy2_48*rgOzrbuKED6;&qrrsE0P~bB+{1amKh~49RaDr;sE{`TTf97bnC;x zcbEX zr^e}!yHJS-YwDt$yfAYYMoL6xHn^0l_dkDseD?lg+b#9SvfZ+j0@<2^xg|BC6xv`L zmckw@G`^~mA|T3V==Mg>T_B8;DeZX}OI=q#;oypdgDd(2pQID}Nt$Av+nZvY21;oL ztH0spr}V$CXr|M72>Hosf)3nHXL(=@<1KIndpwL633>j(>CO6q+x0M(qqM#eC~yMY ze$(@+R^UUdJgCjRrv>L69yXj35}gHY14`$@_{@lpiEZS@*w&F70j)cedbuU3{X6>x2R-Ml5s7~AE#&*aMALD6TSF20uI{#De4 z37#!`bZSwJzCisVK0>$rj-*XZ84Z@fQQF_werg^i(}F^1d+@bV4pwb(B1)g42tZZN*c0S@2axl%5!gII&ewUC zobOl4&l>Z zWSyZ|%9a{8jw=v9UqKrz-@5~r;c;i`O$QiD%~3m|?Ka&ma>UOMKh%w1qi2g>|Mold zRv6)IWQ`c3JHy%Nj&OF3Xm*RLN2T|9NPD1p^OPd2Ep)u7De1_fl4=Y@rLQgo-t#Go zLVrC`V1w!?GiP>kIzb0Axpklp@Wt`45BA{x0k=A~C)-4&;!`H$N*en0SSq5f{Wzi| zUL`x|10i%uXB1G8zX*F^ktr zw#q(dKm;rH-LDd(N`%w;x_mTTcD-(MjGXSM>GrtjDqXwP_FTAx08*1dKAmc6G@Om> zq$72>9k<}1x}S@eDDkeicm>8~qh-U20H}E+u;$BbLeGOH;XFH<1bR_u5;d1*KDY*5 zzHq?5sy|Cv+gsKf%R*I6qc&Pq@~G$Rq7rLYctv4LlCmkynrOPpfe?aENZFSe=9wI6 z{FANODn(Iv8OC#v#JI;LF_ttlPr~)kvT-&zyP$GFhhUXr&0{e}j-a!slOX}jkBM0E z=K%dNL4P?q`=rwSuPNf+w-Zbe^TnR<&wt01s?|j9YY3uLQsKlvD=D;980m#BZ_$7TXfwf_c*&syIU@z z&g#Nha+4@^;MeMRK86R4GERzfs60Idz`H4n8B2YMUm``%Efj{5Rc<!4}M< z?ur$tiFqUqLpixW?BgNOp`D%k@_L6T+?KV340Yo<*TAd@{LG|9U#<)A{Yc!CCDS;Qeg66Zr$)*rhS8$4h4Ub-YJ$FgtZJzti$1^ zhrCHWxs60}<1HRSB8kwG(n0cf8bN96sBiQ7tDKPHodC^=mfy_q>mL~^u*L)mMbfq5 z!|b&p5rolTbO=vk7vM)-x8ECa4Fam9t_JBrw{=f;TbJXuc5vNN!1U2!(8ojG)(c1? ze6VYP+vg3CmL}jUss?c71f&7?f*IGAXYY^ReSF{0(s)HR03eOilm#mhbV(@*)`cWq zk%b46_{4JP!(eHcQAGSD<%_LS)&GiIB^qlh|6YrRuUQghY$;e5l_Xx5npOR6pkFi|JYp>wFrt2Yx|BN=)@S1Cj^Q3h#PNgo!T4UneSqS6YQ3&JI z?(6*RcS+w;ZRembblxV4Eq$H0q(3buZlpiCc~@zR?7ynIT7g~l zK3)KFuZG&40)58Tav(lxBIaKP>^eqa!jA=fjU8D2qv@2=4#rY})YThf@G8f$Uvih# zShrSN6}WL5DPLzx$`^^0FWN}?76bcLm0^j2Em9UbA!ab%K`aQ6Gg*|X|Jc%QKj)>#!__p=VSEda6H;UXW?k- z&3eHUV>yMM5T3@0)0>5VrxWCQqmSYJV0$fX5qIRq%+d6U;umT((V!4|Uf@4Nb^@a} zhofCIta`-j_j@yp<@l=K&(jsP-d%|}W2n;YilucZh!7rLq~+8t(sFiRq~&bk;&CKL zj>(V1Cs1_7y|jp8;x8$d^YD9^b#2)6w+xD5A?XTvZTX_;;=?&AvF$XR(mc1|0w6?S zu6$$xwBVEAFKL+5Ut+j~ysurAzT6jFlMQ>Zj=zi-3)xx6-v?UZ3VrfyDopEn` zd&xIfAH5x@kAAP?j=CPkQjgSzvxas+uhaCpHtMYV)WmZ|A|YIEt%-M@rzYO{D)e4= zsg#G&dpQrL_u6{KHhM3|3|2XIdM{@iy_Zw84~V&8UO|e~cDC$3aBSTN&NHXIOr`eP zJW^n-Dph={8EN$6zBwFqccHN;nGSnXjHT+T?SVopMZ)jP65UE0^W(dgpRDB8v6tN5 zuPC+{y00mi(t+;UkKsI(I5LnHzUp#^k1wrUBHgc65xZxIxL(U0K_Zi@|7;;-?Jr0Q zdcoD={#qq#`zLMyAfAOc6O?m99P_^@$tP&KS|-{Q5%5Va?n1yEoU>Bj8CPYZ$^liX z93U>W*^tLSXJ-d$e(L)@Z#KeM>iZW4fZ~<_P`Y;lpp>98M3ZXmMW*4H+TYox{heD{ zBAiFHt*Z5;yRC4{tvj9F*EXFyeLbBGlggT{#p*zzUgdPf4gE>1p}23KPPZKZK`2(M9S$1O4EZh)b@FxC{mOFKQ-`Hfohvbb~Q`V=1A=wq8`-idtC>H&&C) zj?>D5R9TO1zW^*ePr2@>Wyh$(w8E4;2};Q(1aIlG{3%14A$V+s^+2HLN~Rv=Q^K_| zI)>}<>*pklGq@ao_$JC^H$CLm_)J#U=7W!)tg2e>S37-IQR=pu)Di^Y-4&^og4D)S zm7_jYHEOjO)n1F*Pz7U^da=VswWg?CQdF%ds$geG=nT-H%dmP%*LI48+bE%JY+x-| zp%z-LR^w=uvpJ3VPOi|oQsO3wG$6RlxT(Gfvz(=>_~Wm9F>8q>A!75w)|rR-Vl~A+ zTeg?{su_*j4|Lf7m(+}^@@iKVwdvrSBy1;Lz)2aOShwiZR4{mSR z@wz?F8}$F7<9fY*=O0k#$)CjXzg3o#^dCC4?^S)d|0MrAL?_ZvBN-y-9idAWpVPe2 zP-d|*Mcs4kpG;g{x#* z({cqoWdTY^N|rRIDS*hK_cu9>1O7m5n)~eq%W{D)lm=O&aS}rq%viHX#%;4TTYVQr zf+Sz!_|uy_CF)GIE`2F3`UPsr^vbO4X}L&ogR}8((%RGhEw_4<0%2Kx6ovfuh4!#i z$mS%w%-RyEsqL?_oGrt@(-u5Ki$6kZ#?lsd8rp9s+azk-jsMv~VZ!yM2OOfUzf zTrWth@QGl_18^;}q$()TLI*R(aKwBP9q3I{lB!MoW0k(cyHDp*0w8~u1_INlkV;|0 z!@+#QV{z$P?G1Do1}hOrdHnHUvcB=Xl*3Fsrmd%!D+`^XoQjZGa0R&EtXMoH=~ zsBu!9xj4J>v9t^n2#|RaKWw?iL7ZW6KF(INS$NYB7)4@DDlQ04WgM_PYn0%MxXE!) zIgAEz)=?8g&Dk(U1O+sJGQXgJ_iCc+Fkgsul?LeS$D`w0CbTq+TG!k>=f}!9t%@>J zn&oNe=hA8eTCd_>xcCt1l=#Y9hJ8V)c1b@rJRDi&tR=b88jZg!Xe^8rm^4419^GTI zq^r0^67ZD)es`fM+4wYRDe^Vie%pY#4z8GTu90LC^!dD(k%QyY&j>Q>8;T;Mc~L

*TdTeWZ}*8Qw*D_fyx!w6=TU_Diwy(1}xd8kz`WOZDJRe80Nf&!7gW^ zenTbRH!&~^QaK5f1><6(N3ytt!TYB75DO*TNRRC!;WjEYTiD2a)UZ`9+$a9Q!o1M{ z<5w7P0i(hQHXK-W6;N5$W;~2e_~J!xl89^bfX}H_lI1BSOZ3-(`4DP=rz}Qfz6QFU6-% zIh#i#3dVaAg|Q#4U?^ua&cZyrg2)-cjmAliGP2GPi82OHbYeb0li#Jli6c3RD9MyJ z0n#e7Y6^cv06d5<$cO*MVwE-dD{@VrQnXw}d6+~LUGrP#%=|F=Q(*KHONCB~x#A*F zwoOfeK@319E{jk2#RMn)qTmh{+?$?@RTTLOhLM=| zTlVG%K4`K~E!fP}Kks==0u^bG3yR(G5?BMYiwHO$yOpkzE{S2X*p zK!I#6w$0w?!n2zm^kqD=nP-(sNy-3mIo!9`2G=$af}~(NeWdQy-*0a4B#H28WQUII z>#exgYfL*)6?ihu#pLa%w-Y-s-Bk*}fEcMoS>s0TV=L zmlnBnhA^K(`N1p(YEwHS#K3~Za~aDFmmLgW{W=A6W`IRFtHkaq7d+Rw1^=Z9nYYZW zKlMD9t)q@KY~QNud-k;3)WS~c=w!4)qwcD9mN^Y*2ksY3`T|!97CHNoO-9;sL3a`o zNKEyFsMuklN;OgGh+XWTw#n$@E%0mK0xg(HEhn>C{Pt6gpa(!71y;#>LQHQ%1Df9$ z7DL!=V>=>~8V44@k+(oTtdEeVvI23`jhess4kiSBh-$-024}#qlO2-|c}52*$Rh49 zj9b^?gUE)m2hXtC1?=3@LRcM}{f+tLt;mv5?ICMqrU`!CWTrNpIi{_r&7%$ML!jwW z8Qc5z9OQ4S%Dl`tNalOrp4&VVYgJtnl^Hoh5AEd``ORpb4LA6$j@j|7kD7vN=X*ts| z8PGaA_umh1cH`Y4CXTR^4FDf*q+-S=%Lq)>&Ie?R0Yd|8AQCqE6{jD`ys6$)8T;DM z?L8yl&QRTbbZRe3y6rq-0Q7jK)C>+10Fv2^w9t^5FQS@c zGT*4QxZ+ndqpdKyz6%xpAg{KH+g0Z5l0wanPR&e-^!*0Y$*zc&ZFS877sNWa+`)eQ zQsjIc5pVJkNQM!2ergf+*Iz8ZhBrs~F<*#&i@p+Z{<2BeIw)EZB(iuD#Oj%&afxFg-5|0a+y`C((Idyi_>!^vPrQ7BT1kQam-c2 z$%g0osbiDy`wjMu%+TZKYk-cu`~-G1v&Xi*VLabh-!b+5LXgK@`^J!q9cRlVZ1tKO zr@bg0nNJ-b)Xd zAW;en*CeooGRN#2%+(mMV8l_AX4HifXSBkE9>bgpR**PzCZ@K7S)r=jCMoNb_Bz?8 zI`{NX!_=Cql*)iwvSiIsIEtrEso+HxFXW_9T1`tJP$G*eJ>;gVA%Clfj{4Sa#!)Ai zbf3HNfy{(~qrpzt*+hi1#nRf|zBUgKG2e&+d^>rdG!mt-X6u3V&oDwhF_|v~7`KqH zLTGtafD5M85SVp9hF&;`!gJOz9I z`TFeeYX9ZY;qk@Q(Lpbyyg&YkeO@J*zM9y9uLA4$l}reUo&B93?w=iA_&&cX)MDh6 zC6vlJIK1{~+L?q3131iLIbxGkimddn>LZ`O{_=eP?CA93=;V0id~`L|lS1a}rf_k1 zytf7=rO0?zuKM`w@ciWU+5X|x*JmfMPrG}t$L|V`A9Pc<;mb^x`_AE~e$!zNr6?E0 zLSo4(LJ~#~uyLiAWA$#7@>1y1k!7&ijo4*h&-(+`k0$1SQ_Z53v*DjusjA7mxnuss zCi8_#Saica-rjD$B{K^nh+e5G3-wY#7A99+E?8)Il&j>NGBKO!igz&kss0+t(#OxA zL+Mv~un#&O>tEYH$j3k^}Q!1O7m#hcbHp=_j9k zy#2|uoh`Jkd8p%FGnnQ^$%Ogwy?dk3~H50-L|*v@vmv%Bq5`Ue?wj?BCl%bqXjkOJvLmd42E3d%>XH~(C({CbW9=_ zUjye`A#!MbaKh#wB%=*lGb_HMY_mS*sJ5#S80Sd#jo?Y(om>VB_oT6K3~}WYU-$T= zaf*JEQR&#(Jkn`p4gyI*)@Kb|HmAz)FzCSsLK_tU$qPOyCBzlU63ZHM%`%mtcNG!r zLhuC2D8R$1Ood+RQY_+zH!-&$+|K1>4n}Ql!5R4AbP5NMWjifq917oBLQP*=+ZT12 zg}P0&n1Hti+!~f}ThqDsP9R`_qST~#0sX1W^~NseqUgSA7W`c*3NcnyF&oU$9y4P{7fwM?=gyvO1{~NcjC`#jHgwo)D$m= zq}N7)O0cfwzvQ4u$DI*D?FE~AkPigB)6YKM!hEl)Fyx`+GBu*W zNj7me8HUP2sdJtz2SFGG01F;B4d3N}`MJwaqGq2$)psbM;X%8M3uN9vN=9uW$i@2ga&V>@Xzc`>CpuuToyv zi^`IDJXJhsz)JO2WOx#T-G7b3^ELX&TP}fJp9d-Wuj5|t$&>R^rAUM61)m@j3fXm5KGo*MM|=WbO>pu@DKmnKwrC9O2&S5xX#3hpwm^ z&?`ca!Zx9=kdF*P%9mt%duQn9Gu-M;ZC(uwurcBgP%;3Bz%Ar#Ug}?p=8(xaPiX|d0pe{{N zp_(SZ;wdDaOjy*=PU}CadwB3%!p3TibtgRwsG3`i7VURCKk!Ys4%0|>cuU`FA%p%p zR`XV-$%Ge4M97U0xog%nEN9yFbyTJrV~3A@2z12y!RqzxvnO%mDR75{LvANZYx^@q z<5NK6Tuk1g(iwsRsC;xYu52di#4yV0>f56!9p3@ecrtubjg;gn0cLb&SYl9bDoCm0 zSULyQGXvFYZFSiYO8N4f86L)bz@9t_^2-|rvXQzz znrqXBaBR75d=3Uky@318+$v5r0`e(rLC|oj%uCTWEs(jAWY$O+1^J1%Td_^6d)tC8 zknOe|;F;1W>$-ed1gsH%6^3MX420W&U0YS8*G!N~TVFGd`YSUxQXlb*@nS5?f)`81 zv5t{)`MLDKT5}RixB+R%Aif;oC83fnc%I8__9r-0Rt5<(B7mq4>N9hTx58dSN7okI z)((VNaQeK?Knk!~wtdrWs1DjRN3Jv68>f(=$$(nU1sc%^^RsnIC;2YPQwYLE;qSm9c9 zvs25PrJ>yj+tw%Nu(4GOp2?}urMXWOh_PKX&#-43?3}a#PK_cKImj*6Z#!-g$bg4L zpRhJ5wA;ux8dA@qa4Qlgk#pjegfTM z>607)(LiIT$RkhdSA%`mJC#oE`gpUm;Q35_&rN=8(qha{lGFX*w0j{ z-Xwwlh{;?raFoF>WL+&B&g{mncz+kl7a<-Bkt;1r%vxdjYR9iDvUPFj%+oO6H{g2^dZ(pB*m3>xB{pE zdp0XX&Z0fG^NdAbvZw4Dmk@;*M3?3PlRwbb!VCi|PxMsTMHsdZ_dMtAgB@UPc(Y4~ z+yir}l0BQ7rAt~XFzqWw0r-6s9QWi}vOzI&dsFT6_00 z7TS^8AE4W<)PV~O=$Bl&GEW<07d>We2o!Z~n4BvlTUVhkkwdb}kxOIoe-$7+4;JfFO~P zufkVzE9~|n0X7Qxs=d=AbcGMtDf;%6%485%-0s3=QaTf``(!o?xaWwW(c~p<%*(4Q zb8fG$z7G^HT9_jP=`8;gJTAmcyc@CqGfgXzmB|%S?JHgKveH-MYC09g)uu`lq09G~ zxD~qGx{Cj!)&tn0K{L(%xD&kL6HLRD6e{o8#`lBYknbx`@~(1~px33D*aN1u89&+j zWAGfgq?agOm<~;U51I_Mpf^9LF?CiC(E!f!#xTiGx2^hpt}<2FIl7hgy9pAbtl0sz zXjt&HOoh2H==dL~+bn=ryvvIbtMVUzP~#VlRs4y)c)`N3i>blf^F{EaDVs5j_W&(? zM*x^vf*Vml;?!GSWHxYvu+|mC1|L<61qU9@Wx!CkS-;jM5zdJly*K}eu*JDb*iSzh z;ubu#t7+aCVFtPjD39MwHY~@;Z@u0Lu~Jt4&BQI!B~Z`clbQb{$XzVT(u$d0Z0?{Q zE1WF}jxHV$0RNnb)fc_q=Y+5?zV&1Z#~CorZs&?Gq?0U0xsZq53)_1MNq!#c(S^;7T( z9oGdFzQYTR-mf!HtP(97$Y{xk!QerLho~W@AyiH^)&gW*G+VD3#&#!=?dY|-m^^b) zY>jlD5%m-&YVuZ44o}mj*9dKcb*~dIh`z5Kca*RX-|PyA;*w=(}(zwy<(bQDtuVY z$LsI$`g^?ops3G>`#`kGaG9GWkO8~7=Dgy6qN zru)Cp{6$tRMwfkz(CH6Y9~?&qkjwu2KjBq)iQaqep)*F?&+tk)pcSQ*=Va)f%0icR z6$eIsDnPga6knTpUiZ$eTHNr>1*UkwO@~lIWvt9OKk-7aL}kL~CzYAmr*@R~AT--+ zT#9e!vb1h%hfp2l);)pfF-W2bK?kJaMrP1(H*8;J){d_2T{)SnMILk#h-g3l7%@3z z@!xP`{qz$&5n1AVtuG*YlpqbKr08orsm70Y^RbgVoI z{#xL60yF! zI|}mj+o-ETXtA)tfR?XL8fos)bV`}>Cn`&-iM$apJC_TY@*-UhD5Mp*KGSVD#6%T^ z(7DP0ETAOX;>B4|R}Asrnpd%u;pNf(;qm$5uQJB^`+xW2o##&*_y5i(JG+nf|8MbQ zcm4KqKA8*lQcgsso9@B2ABiSxH{Kqw|IM??(4XDy?Pn`LvdX#J+nB>J;7pz3P#VRk zi^H>5=WOrzfbE|g9~@mAogAODuTIX`>+{0_J3Bl*J2`m0Zypbz)xpvE#o5u9ugw$a zU?;{Jn$ni3z_I%@qdwDfo~95LN93SbV5IiMQgXa%DlG=A5JA}ts~E@ZoDs)>x3>|D@&wd2bBedes5mdk0vrHU3{6O}K)E#JoL70g_w<vT##43(UAKU!GH0_DU}(!`4vH*cJWZ(^%rXG4B=C#8v}r-{f_6DR z4bWInp)ma?qM&%-KtEEb)L!Piqye#V2>1+mx)Tm zpzeo2-C%=(J^uj%0`cV@bWEhv2AyY1d{ziurEosbHAGD2Jd+b{4@g$Ra@IggU2OWIZ{|binoXSHUY;Al^&K0FRNZcQEF1`k;*mFk8HDJ5 za|f6)x^Y0Wr=Ac87Vt4A2jEQ*rwe&QVkgonGZZYBISZJ}z!L+JNX)0p3UMPT)H^WQ z446pySQYj!8w6WFP0sftH%z&a$G|J}cCJ!56qMD3ryXnFrpJ~}O>4)0z?$eI?3vw6 zYeznkfS5wKsx;P##OxG<7nsIE6e3+38R#t_ZY(p{Cs;6v79G4ircke3O$Wgp>5$q2 z3JO`NsbBSdL(1un?_BZb8E{877|$WlT4?Alb#R!@YHI>}n0&J>N?}&K#IIDb68J%I zC`uH)d74_Xt*h}umP9-(-vPS|AlI1N#)C(tavE%fU1hlL*4`E&qhhEs3=gIsG3V)& zsp)Fw<$kw4>$^Gioi~=b?;TlIQwElfLS=F?Fsm@;DeR-$!hDwj^HF8C6p^;xmdtJ? zhbV(5s5wf91@Ny2Yp)_lyTUQBiW|Yi7F?$2YOhN@2(K*13ZYA?4oNs>J}|5X+>z7* zmmi9;p&P2@wL+v10y0wD1p&69_L|g_N^7gulMA4i#72G#6whBx;+;i8eXe#tPE@9I zIjK~o(}$hT znPKi0t7+T_VE(AIN%GuQx)Te!^=fk@zid=TUDgV ztu(wwrm_fDUdtQ!6B205jNqh}JS~^ev=CyzWKoD4H8F&|b(@p?N6B;0Pkmt6!5red zo0QIz^Sm0Ta*{61M$J>c9QY@>DDbM)@PrtPP;Lv^d`F9cS#FKkah(Hg!3BC6EYK;3 zlqUc6S7%eagJO4FGhN!lNP%1+5N)v>=Nhcug1;35it^)$umFJ^t)^4Vucbwr4(Na7 zB3DI;3*+bjG0Mah0-3QhL&d0BBReYEDkdftjW|(@vCINrXCaH`2X;bMT@4$sRK(=ffukXA z%~IIAE@nqlv;IyN(xoiTo_32;${Cf`n{o3Rh#U#-oBqObymg_pjsRh18k7JL|AvGo zDZkZ~EWz_%%7kF5Wlq+LX-`^Gf%rl zJttRf;Y=%CVzjvd59N(QOk^&>Vi&T$PC7Kd)%2W;AxW7I_HMe)Aj+tC1_X4 zMNv{gR6KDI22z_z`>L)ZE!i?e%dI~NerBor$0rv@`-gp2ig%dT&m21%!?4`JIN|9E zNI=I)X<-)DD|D?Q(GwF3f{f`mo#;fXb=?ZlPectU15N~{Ft`t1LvNr?40qxcHk&Kj ztg=u`ZQv4jQXKf9bwnubYneSmrAVFGOxl&4f+=5OvlM9eC?MJI~9Q~_)& zDC>~{Xehpdr7)eiuy_x$Dp(??5IPuexg8w5SM7C}jIf))R-~pK&p zClbvHfg9f@GzW=Hyc3gv!~@}V2r0yja!t2n53&V(9J33{fM}{9Z24&C-~lXmU=cEi zx3LnyzF0E`UkDv=GkIbn-r3pS@x{^MIXgKE&GIK-vAyH(*k6y14+cy~v;e=$p#XxL ziCmC7v6DLe2?9MSw{&XBZV^==5EX3_tETMY=;Gz!fE}M4M@PqBogE#2efa9|_+r3b z9iHufvv+*4_vO*cql@og3w?ETaeR1=?gM+&$LZeL#nJxjmwRXI^!3^4$@wAPwrDL( zMY?3@IfQ=B=;(-2VST&sJTFvUNW-4Pgs0@U2>Z`d+(2K7+D5Ib1;{FvTuTjrp$mx&v*cMTlaN2XW`%Fc2wRIvA;AVx=+Sx7akR{`j zQiFB8`+OkvtX&_fU}L*vsl*)gs1bmr+sFj)+N9@2T(!v!1^o`2%{g+P9>eL zvOpWeSDF3bx?sw8}hl1D9ZjCkQwz7Lyu2aA2Xg z2CxqegWgocQ6Em3&XXGnM$##{Z)hzE3D&uRy2lgnS`X8xHgT2Yt3zz3!TiBLM)WXixI3+C<@GV0_b|8r->_!N`E3JGbb~KR@tj z$Z9~}LCWR?)L1$jugDkv5R|t zFd#RIx;DYG)k>zKKqp$1<_2DpCuducO;QN_8!y?o;FGta)U1E`ecuZyDWBNe&gHZM zs!CE{AW6q;^FU=EIe&rRjM~osu*E=H2Qk%qPdhkBItZ@qz%~m`;>)b$@0=mjrnp@2 zGG^ZjEOb*)Eg#a8S}G20ao=c-8SOyq3St+`4Nj)jvG6V{=oD{FgXY72UPw?}8yeg< zcSYUuNzN~jCy;CD?D2#-Yj<_(8L#Bv#bhpTET#0u#NF-PZAK}pRi!&#+8BKXLDe_YAaoC9o2G&Dz}$j#AXYjtWWgor1Vj>3FEbKKfl#{r z1iR&3Hlmbgvx?6Io2eTCi9>4aC+SW+_paOX`tR*V|6lfJ{r_DNm|tOx_5S}m&!27Y zHvIp0cbPv){9OEBuXjoR@=;_#1lg7?Je-Ik!zg`FooidZ%iM3Za%AY)X#@=j z$?suFX39W|Yk!wc`@jrh`x_mjBU+j-7L_;KEETd?&fK{JuDQ+3qzN6Bdm-+DU#tA z5Nr66Cb0!YPoIz)=2lC|Ni*6dO~TFYC-J+mewNL^mP17aSfUhzuP{Kd%5_-?zGyVO zGfprOc_EN-7*c*gJ=|&~u#2fs%PUF6jW8sXA|-dBqRZ1e2Ls$KY!}0u-KbR2&C}r) zswE(21{PnQ)Dp%a3b4{9mU7u(r*oMqt@8O21JuIcRu@@1Rg;PwZS8wsvZL1sJcX~U~-ZZFpb#-y)_JHmh@avB3Jr}Sbt!^7&2g5rKomenbq>!8`ta#$eSJa zdV7Ybf=-N~K8 zTQ@I#NFT7V(yyY;fr$kt3@)y01l<)Z|B&*~fT4W2wbk2=$&)%rRU3|~+2*xPagV}C zG-ZpWX#=5!*IT{bC56RyhxM*0-9)v|bSaAA;otXOoxVIgj~5ASW-2>ZX~Wv^!qsm| z;#w|!l?mV~&6-?>Rdm1KjDw7*y3{oFAv6NmK{u~NxGNR#HBKy`>{hlo zM>5yz9aI?hN!7A~X6@UxpS|zBr;z=d z&*I(fc(*nKvjJAme#P6>2s1DJcso$8G@Sdo57&*i2Fzf*-Q5R{_fSA^JlNajO0&DU zb?tU-@4eF_1|^ol*3b)F#@9g&wt8_ksjdfMf^nOf3cmHVi<;L)jn^6khXCsdnd5TT z-mk;dcpJi3UyfgVdv~s|-N9?uYV{)eE}ynH&Dt(kZPK92Pk*6(k6R5hWD<&(uVkJ9|DUYWbwiT~h1G){#aVt^B8;@Ez=p5_DYSJ$sF2 zR)!f8xJ@{HY43S+KiBSjf4}eBva5|`#2L8T`FOM-d9`#I11{}pFvEvTK#&iCimA2{ z0=!L_IAJYf|G)qD|M|b!lPBL|y4EL8Fo(Edt}RP{3&!q+y74+qytwRbhjbE|gV&au z_Q?yOnlZbb^AfBq*45EY6-&0IY8KAZJ*29!on;{*DI7xkbb#~(Q`Px^Pz2OKL7qRD zEiW0c$u!3Cp@W0wBAMRSa!g~P%PUt#c!;~{%GUS4@*zWz0A@t#a7XMEgdHq7f6+PcM!u ziJxh~i^&|nZf+Sj7GQg`L9Cy`tU*N(8%S)?VTCd9ObhWSqAq|_|(4B7oSZu@Fd zBzoAhd(O#X^;C#!H~+D?Wefg;D%@VSfuP#Cn^RS0^ekWGyaX|9TnLO6#_f#Kp$DbP z%^kS=N&NR7){6G4r?R&6?XEc^31p<*#aiKISNR-Rba{ajw(-$|ppHMdDkYX@CEk(h0K8^qWAEd^>Y;H&_E^BAxp;DSvGHk`o zQGtEg`6Pa4@V4`5{I1tKm)S(Ho1LawC}2|-qA-ln#XcsJe0^|=NeqoRuAqi@HcJKD z49nPWv1`hfcpdj%hN>)5S1sf_tUn9+53wAxzbQ0974L47Z+-7_EJ{ux0}Y=2na5DG zx;@r$oQS-1rE_%T^C#M8!;Mt&ByuoD2F3_rbXD*ph~D0cdwU2bT8fPTnJ;?&=_j9ky#2|uovj}1 zHIE9Y>(a~m5#pT<175k)DrNKREzUZZn2 zS-UZN5mZ9Ee)jAsmh*!V1!yM3jl@_<#GM7pw6KNhkoE`YHhYh1>|<%3Gpa^!*AoZb zye^AMT!T)e8}e(rK5xa6UDq-LUsK111A!u4zI-}PI?OhEjWz7L5BbM*$Ug}W`6rD- z?tIs(4C6X5)oNgqzO0ubNBeA}dg{6}r*6#V6SqS;aCopVrGja;Sf~uko}tbK^s)AW za>dv2;(?24v8XU9G?>B%6xBs}ro293yzB*#Lk?V#E(TCI=&nr@BC-)D@yJoj19pT;}!$9D|kKZvmXoul-6d+yT0ls#*W%)Q=|C*P=r$oWi+ zo;>lk<@7V!KJmz2Cd(Y~j-#3-Z?_0WM@7lRn%qmP({2r3K zu=nix^80J{K6FOrt`TxpIoD=~c}2rVnvG?~izTRxF85y^u`^rIu4Zf3p|RZ+y&FPs z^CYTSV26`b4!5BC$)qY$^w7j;X*0epFH8nIr^$@8C|~qDCivpVC~{s9K|Mq|95MYD z+#_E!OS}%EC{?pK6*nS%ad7zM>#u+6U$Z(Y|EAJvAzm4ga4j}(!gf@lnfSTD0FGx4 zhnRw5&};xoqV}F$|M-*X7D5$`+Ta~YmV5xic0dyLJT*8!Yz^S^qvrdXof{QIso2FlA52j zX=nM`!g>B+M}>$<)p1s(;v7AJ-!sf}ZMy9D0S7@*LUQFnYkUf-JSfOsSVv+riJ$2T zvyqA0=;mpJJw=%Uc`~y0KcLJ`RtpN1@4M0>>kf%8K*Bbmh&G@XiWo9Aou-QXZ)74S zywF>#$HQZJj}sXdzNA1|)G(OC7eEb0uFmN+K=6s~x>w!~A2|Ai-}rg|z{N}yk*h{Y zvt}~;!DhN?jGbf}%c^!A5_BxfRl+V0j?d|Itkpw!O6@}0Lq9T}%i+yV{B(P`k*g%h zG_leUc0qTF-eDcv*F$H3L+3DX*1lU55Zg$_MM%0WQV!UO5@W!We!P9aM z<|qA)g6+}-aNQ@ThD?T^WHP<$oAb$B08e%IS4x+AspPt2Hxt?}O&i9s(b^>~xqhpM zq{1CK%VuOc(9u+;BATiqG8f3OwSXYbo>pmkE+&QOxbDn5rr{;*;HfAl5JFtGZaCm0#yg%wa+) z*MPBw6aC^vaBw@I!}PS@NL{L83GvBY6xk22(uB>iH6{ggiE*InxY=rBK6%SFkEWFwmBa3yedIQ4M2+Q#$OdY*mOKa7%^jZA81aZ+ z;VA#vT7&l%25e>4?)#*>yy;eLsMYK*n7O-jAdMX~uq(hF$+BRD1G)OC^%?bV#kfEE zv2V*A_DB8xpzjC>a{m2MR;B5nZ|=PQ=+o`(?Lpsq2=qt&Z!RuQ`#=4J{MJ-vf(3(h zfdG~kJ7O2(k`sPy8(itjZ|Kj!g6YeP##+v_tqmDyt8y_JZmg>!8QX5R) zp+2ag5?;2%?m(MTb)JtbxLli^eCd{H;3_&x?~F+9Eim`%z$^={7}mNR4hGcw z7dZNu+2p?D0Pl)#Cjq!nZLg2L6kk0USHC zvq~8`UA7DyVQAX{pEnjL?NEZtpm{2$C6zHUdl0w(yc)+mm%i>z%oCFIi7f3UNzt(z zz7^wdlzPitbA~>QM1>5?0A>L%*7nh7d3*HPXV0GY?;ajGw-p?Fps9A*yjDOIf-tYf z5ub^yj0`8R5{NaN;5o_}uuf2mgdAq@6NuS(^W#H$ns|~{ zx)ep%RYsg5GlHVBc9iw-LoeJsn4|a{XrCB1>{5@qjni z=Fq*Pl|i7bD~=|&mJF|=aGcgK=2+jVBIy_f?kD@26!jplQrDm@Q#7^%ckO6eWTnhR z8e?psIY;erQ8L7dnHFlw7DjeOI}!ncm5o3wOYPNoW>ZYudT+^dJL0{-T7!+#1}0F0 zhu=Yo4)bqH8?s4d+r3{F7KkJqIjnBo52{LwV#Ss5+P?Y)pt8fPhswyqs_I&|3wlGP zuZ?hTcM7Fa!5mSweXrXCq&lAP&J`%*y)`!gW*fSr^`kKhl(V%f=zYcj)6l z+-^;1CzhcftJBMIskZ9wC>-kvmBDud_B>aAb za-?qMvVI-l(6O}+hP%BNc*ery8}1ysKGt_%7Ryu1Y#8e|WCA z`m_*J`EK)i=vrTIvG+*9-8-Jk>n%rj$@v165ryfsM%G)aiU6+zPbNt!Zh5iZ!J*b& z_>D(aots&U6PGY281cvcTbU*OQJ>B{x$O5H&EUEGi}j}J|Mb1Zh<)UeD}NwD%FZog zE_0QK^nz^DWQK;QJb$Zq%s#N#|Bf^(gyQE@t)LfkLdP8ltq=6e)2|SO-Za*H^jZl!q|ZcOQ!l_EJEkp6Q(E%nHj?r5(wSKz`)jZg5g~*+8!Uc+( zW_XoAFIZjTjv=T~izFR~r70-yaj7sbYI_-|)4AYD+pZhTqCe^V<&W+_ex6Ev-S)vfCjY zcCF(GR)<2YnYa78V{)MDUU^#l2BjR)AA)}Dp$)@AW{J(zx9ZLcnirxhmb@&*A}>2> zO6v<<^0Lws&`z%#z#fFDOvMT(vkL{ukI8${oLfr004RcjXx8fNdco^F?igo1@>8OQ z4@dh7eA{s$2Bo3SI{xYeCKyB;!x@B<&89v25J2F{fSv9gAMFp=S9=$GF9+=K?Cj)h zz`or(JI4Ixo?a2e3;2m|%2_n1Q&%K_L8%v?q` z`6_<>G44Ts&$Gv8vvy00J{Kt-aA|kh2S69RY8h10$as+Q7Ke*k4UF`}7PRaHbJIQt zk$3&O5O0qG0P>JEySj}(&9Of%KS$qT{rQROb3oVGzu3PvK6?dh=p;322EGXrq zUwI@R)iR@g!S0gn^f82p(^{9dWz-w#5)}pNQ zfRv)WP_ba_9+U_bqfiV8Zh<)c&rcu+(tl&2O^n#J`+tg)mqFfh%Ls&y{~cyY)2~Z)Ch@hZ{KY0E)eKHj^LQqlX(4_x_@~Poz%%Q5 zmh_dzvx4-v{h@o5nhS33F}R2%wLz<&1h#5t5)oW#Rb}m7&+EXu{=j+=?0z|IQ~UBM z&)_r-aBqsJ5+KshJhBL-TfTv0zVI%Se9I^AUQtga?+mq)D%Q$rR3UzGF(T61ydCMjA?Q6Gpb!3RJ z{#>Ihc)o@eo~vooJTZgas{%(8B+;eCSxg|H9M)$9b3jK{Z4ZZb| zcDn7Hk(kMV4T*Kl20_HuQl~Bbz}lZ|53d!KZ1aQ9%{p((mosGgio!_P+K5}>B01?d z1Io9D1}l6PbSbZ>NQpS=Z%6bMOI)SegaWO>U;N8(9r@t?ME?rsd|2^iyMl}fT4G~4oApom+M#24oWl1Cs z6LOMyMqZ~|5!IP{GKNINJJf=DJxgfI%#DnjSEb@v*(}|xyFQS5R|TSp%GHJuJBgYn zwurQN8**9HmPhp!7+|cWR$T@*@2P5AOO&`FRW7a0|LX>_l7{q*$K$v1J7Q*o?gtI4 z5S!XCJtLY_<{66QUxTy27OTo}OZwuwrX1TNOJPI@v}0v5{-@1LrmJ&mMHGmB6E4K8 zBb9Po~bjqt)LJ1 z8q)M97th6la2K$Al7}a>@S-pzqw^pBbO_oX1zOCazMjBE>>Jr4dr~NH>FWMITSDHQ z>oOE5In#rim-&jg%?iLVR1Hk={)j4Z8;)i}zj;P!xoGN(leZm4IWtjR-*9D$3Kl+& zyWF#dd!jpotj3^$;n{W+vn|Y7#5`)n##&E9pn$E2rS<|8<~ZlS^M;uY*A;;2ZzK^X zm%mtS3{$j+Jr0?7B##NUpZu>A91*!T!?C*v-P$b<34i)9$E#DpULj9eQzmuA%sjwl zzcWl^Pg$`*yAZd1_emA&TkpQ0B|+ULyzniK*aPWv$z}$+BS>93;5KXh1Lp{x6s}`| zdeo0v+wtfOP0#1dSomB^5j&}iZMej%l3R(cy{nlaL7D;?Tdm3KoJ94DJ5~ANPbZ`2 zY2vr0AO)d6{1wvc`F(MZeGJzvw)r-}d9v_1w1#%au^hhRKWhMNh@J}`5TC3MNI6Bx zc@)%-u7oE6cY=Xj5V+4**HH~6*5I7CyAlBtD8s7QU|m{Ij|PN(?R?_Q#e=8r@%s-b z5r(n?S`jxa?)q=^eYfw;XB+Pn<^ogdwhH!~=?t{n9~>OM4?;=$ZIK8yf%w`9{1?3$G&ezlN>p815*kc`K*DIW*2Mzn>pZATH`3~LQ$(?NmgE{5cW zv9sr$ml=cin@o&flF^$I(F}Z_)>~%~y8CVh?n^{Yqi+g+K)LOg7kj7e#WCde@e4{h zYk9$?plP6q;`R@gT&|gXtEgdDO=zq2qS5J<@ z(6p#n!C+i}^Dz?zcj}El2{WdDIFbpML#t&H@=xf6tKS?Y@d|?~D>k`y5{_d83GF-_ zx_j5@C)HgBOs6Q2oJI-RHpuz9XF4c&PG4^_ZH}fypLks$&drb04*^;-5NLj47N$TPwx%Ps?=Sa15rlmgW;S#Uw52C%I<~G4mNHCeJ<)kF< zKu;Qc69RVdOZC8do+eyXafB4!76uKQVz2GkYM2^Xr4RuF_cXLH1R-YhYCDvJ(I%1| z?9>#70(_dF@>W5JC~{_AW_TCc790pdksnk}3AdYwtJ&LgBw{q+C~$GsNKnV^lpX`zL}9hrLWR}PeMb@{{m zq2MJ0rscrzMUF*=6MS_URFJ~CcaUblfUG?bwceNRfR+Tk4=RqGWQSkhtL<`3M(DVGk>Dbv)M zRqxZf3oFDhP&dbrRj)S)V8oW4Tt=*hEuY4aEW>sGy_?16D69@oIwK5rJ2xJ;@5}8@ zgLg~1a_FLGwZmc&$+qLTsHuzsSs?$~gan$oAqw?A0n5WX;#w|Iqi_AgWoin`jvRf zITg!OZ1fKejGGhA^0QN>4dCZGQ@-5)(Ks~R_lnd8L80{iY781l?=@--8jk+)5?CWv>X+0l8sM9JMx>feKtezVEa2IDbE# z;hdkr>i68(e`vgxuJpPs73qik_S0yv#e739r2utS+}%C z?K)lm3K6X#V`dkGVIPwapNV+Mk*UsYw8}Hli*?Vl!=<1l>}g!rBv324d5q_m>k+L} zFm1iCgVs@PqiKMi_kw2o)No(Zb!EQncjfh_XVp8z=$4wS8d|(+GXat853~L2B}ik)F&1%GFEO6CnmLUN zytuH3%AT-=3u0U>wFJ?6htO`-L(p(U6&&C=OuVpAXlz+|sB%h$0QBhI<=S3nT>D;h zxO{5*8r77t_>aydGX;gJrB|jPm6`xZagK`_Q_O*y}Q3!*6N~sL1F24lOLC3pF*}Kp3i+n!X+g~frwBq*%Tvv&n-N#(#*+1#=h;#n2y4aibUqs9|>{5R5y4ZUEIX}EVO?b^VT}l1bqotR$*-f_bijxK*)3NJay=@9F@v^67nw!+T5Ha1n8xruEEi;GXpiEBh zF*CuXm-n1McUQH~Hn1*vF2t~>$HAa+FMJ}7KkT+(7_0IapAkSzw zyh>+Yhs}SyvR);9aN4hOvB1qJEh@+T(|(ZJU`D(n0*!tC{F|KPiFE~40_z*0UK*uS zl0+O<`;uTY?j^Nt`|x>j^R)eG9-8|r(L$qBIgL-oBT+1Yfme>KiG0s?uHY+%xfK8a z2>LxDe0Fws>%CoF-YK-^32c7?a?JB=t^|BrJKt{Z{MWZOw|qa}w^twQn6`m+3*?NS zwr|0sR`Qpz%U!m*LtfJ1H(3>&LeBX`1L%ztzlQ)x5d$ggg~J zSPfgjX6(AAIpl%`x=-ytDgdCBboiywCkCVqqBQ9q=Ff-`s~XXKseD;5b)zNnds|`A zFDk}!a#`>{4YYHE|1#@?^&Lu1eJA2=r$ARVF`GzJITr@gzPan8N8$5!U5I&IGXdd_ zz;Wv~$5mws0?cVzljqpLUe2vqeWzl@dc@Qe%XKlqEZ&4n&Ou-*k zLM#ZPL$ypKcfq%F^kWZKSVIi{LVRBO;$C+jF-;=o=y4)Z{ub2?nO0UKt<+L}DA~;j zcBYQTyWBNuD8eQYwHFI^j3w5B87Tx-HK{lEAuyXhblvp1ZFnO5&-1z(4aO3NUDsT7 zNQJDOL0WzdNDQzCQTgl8DKoW+=vNK?k$bTNBa=ncdmOT6QD`N_+4p7;+kZX3rCC=# zkhM+Ay0YVOG#8DO)yfK)6ots5FMOY(i10`J#eDoF-4kNhT_RA9Ck5?4Awxp38DEc2 z7?VDMPfPV2DZajSf#;9$I_o7{N3u&DtVUySKYxlSz`-hO)IUCRpU=es!9#wS5@dQH&j*)}L46@hbcHyNDWg79 zD#g(c+siTs%DU}CP|4ZDAJhB_n_Z*x&)B7PdVmySL2sBIK4f=_Qo$p`+%Uo&!X4w^ z`F2V|SMAQROM#d{J{i0`$Xt7oG(IG5*sK?XeY$^?xoxkNAF=16#9;Y!i`&3DbFlT! zNZj%odEhAc;FQv{Mk$W5jJD)>UWpZ+zzFJ9pcgpx$sjIgMTXT{p0?)|zo7 z-;}Yz65OMOLKLQO1mYnC&T>!ZQ)FkEdRg*CRMbqz^IK?$ErEg)J2+l!54>IyO4-~Q zn`_e(g=m|7=iCgy5|gT&tWabLlQ4WHqeWNSL4#y!41(@?R-|j1q}tRzp9sheDr4p& zPPC>a;L6Ae)Oy(xT$5@I+<+6lk*zHlL>Cgmg+s`kl@zQmI{4SZVhpccP|;=V62&zw zqw}4pt@>y*)cEt?<|Y8Uk4c?%XJ|*g%hB?X73UoBw*N8tQjgK9-ij=C@(Ja3YhsAYds+xQF3_?1J|2K_E{b;%q# z6FvLxGZJbTmBP6zaA(8fIpYCVP`cW=WUddoNzg^EScAu9lmmCs;=4<}iZMI4R!y&* z=+yZ_VMM)hAl}bPUnB1|^vav(+em18CAQ9sy}nNN{PksHFce4j`6t*BDYaGZ!JEsy zb{e(du;z)4?2*Sit74raK0LyLYV%@fg|OfGAGU~6>fXIZWaYH=O?kn5a8puM*T59Z zs-UTAjozd{CbDt^N5^u{SQmm4bk->-*j?1JUOTCP!!B{pz2A)jq{9Jid&lx*uN!#% zn-vs{+8>zkw|qD@@qTStwG|(2IulOD16Nde>vV86NJP#N1!!6+IMbz9SLWx3*waJj zhNW2{G0M`lbVS2IVa6!4;PumXHdZ+vhGTqN3N;o6 z5VlON{mFOkX-gtfNPGk{IZGcL#%8jWok9u5aYA`_M5?IwZ7P=}JLIGH@@IQ9o#!9{ zfu+tc`Vpw!i|*X-+xO7ta$n7gDD~gEke+=_A>Aj$5#NduiCrgesJw6Q@!4s~FSJTi zLk7dQp}4#OsN33-7Y9%9O1D`#t5*|e z#0bAV7oVPS%R@tgrY1S{hTw7Fk?)S>hzl;8{>n<)zk-Mn4-$i-czc7qBX zgWf4Pmh@fhZS6GO{K@{W^N zw^u77HHnDTv-p&AZ&Vh!AFxcjo?2_}f?Q9zR942j?>ud&SVO49wp1D_4U!7Iv5yRM z$CV$CCpaab1M~oWgX}P+8q85z;1iZn+{8aZH1PXn+di zD^pC1H$t^!0NPa=^PTOOHOa;WfS_?bVZ3)@rQn)2qGFMJR>+p~f=KL?L}zK{G9cD6 zmB&YU%a_<)R@~}wEg!UOX{x$4(`z=dmiRalKJcj(am(U%$dI_qbHi1_MBU9I`9_kP zN5aPYVunfMqdM8s<$NF74*Gofjya*gSp6E(M9qW+Rg1bz8Dp1OWS&5vnc$D;lVs-D zK0gwWx)h&b=MvdjP}8ep3Nn`uL-iY6tB>La?r!PBAQCCWgUAgW`? z$a_kO4RB?tb?sgPH++kbQgD=($s040~#OF9H$$0lbUFEiy@^|KTg zDf0e6lC?pK_6dB*;g1%n*vGcVb z%Y_7XAD(x_mRpRZg$PB-a_Icxv51~&_5H0#|K0jG*&3QjR$ANjl?mB{Z z#dYdrZq}MSS*S&pM%TXV7?&MP4>^EW6L$}?C2ed+l7#` zMF68UOR=kv>P<+bww;&FsJTZpF^Bd?b-z%XC777dXAt<0P=(3{-r-i`s@&I`GRgP@ zue{!-(Ob=w_j%iw|Bej5c)Q6K(Wm3q_x~FkJ|D-ex?lVq^zI}F|I_-r&)Nsk<{#q! zcWAiY{m*j=KEHcv#JwK3p8J2l^gD8ry-$KlOZ9^!H6 zvsB*C>VqMhgy7d>;Qi8)TbrkLK6^SoKl6*9>G_T?+Z^93>sFVLT?U1LuVX{gr}I%a z@_8ZErU_TBmm9j9Elu>TVNJ>(*cs6$mSW-cWTI5|)!^j?PAtwXmicdX`|;sPrLm>- z*RHHi)(5oLh&)hG-p-PM;*vsi(R_#k0>z1GKFXB*2b!%rw)XW5O$ZnXJvk4@)io|x zoM}sy;~F>FsE-FVHLDCZvf@{a3S;}6hRViA?T&#LJtJE6ho%XtML@4Rf|ISKWZ`2N zD%5K>O>RAN>Z^H9m=GJ#Be&KO8%g#_JEOLsfUuc^4BSg{#W+w+0ufSsS0JOpknoft zJSWTKir3(&%NtdfN}+W|$>lfBp^>3mQns)sc`mcz!<~qmb?V7L@950w>RO+8z?E2R zEDC3#rgp*;*pgdLNK(En)NFsjzh7V_01<$pH;20MiC@{Urwmb#sEn&*)tlB|d{)E( zil*0@A7%1fG@BC~n6DnK+f}mJE*=i}SdR>o`(AQeUWCObU&qZejhy~Mx*G0%O{Sdx zTK&!A$L!TDqwuFYRF#P1!ew1OHlMe>*fvAUI|Fp;Y)W`0+-t;a?e!B**-4(B6j$n; z#(eTyKk&MedKji5Pecv{fb|Gknh45jLp+SUVWIkEGwFids#8U9q0Rz zQ0ISvcqcsZSFvU8(j|1^o)lHA1?NX+QDmB~YKIApOd60ak``Xv`31sAn?o4A*D8jZ-y^jBWJu; ziiUMC`dqgy9>}QCXq+p>5--JTzH&?ZICY;8!DK;)Cu)^#BKYRqQTYlc>kdvrJ-#N{ zy=H6$a^GEb_F7d(0))k6Q(?h7S1+1BE_h|fi+wCiY159*36bD6v^}m_xWvaa`<2Wc zQeV0wpY!4FVE*Dfap#jp9EU4-U%H}xa)`Y@v^^nmep^&OpGLe!BWoK^bYkFGwL5$L zL?lYiwZ5L)b*%3j5omjr70*`NYIVyXY~ydW9B7E94w zD=8l2`11bO7sAr}SC1pv+A^(Om)J>8b=ySE4(gBM(hmSUNNxIx{U}unI7u)nPFj1H ztME`r3=8_to#sStS=6hSt{F}y!=_4=)@XS*BcuVKHhfaiqozdl-aleA)ySBQa`1fu ztzGmUSi+pp~*Tpjc4v6Y`_FmMO(TZK&S~IQR%hTqKm80j? zNiErv1QK8jMnnGGhDi%OMq{R8pDDDvoM1ga$(xm5YwDx1k2+S^+mP8m{K1w5l2hwt z3qCh;344n!$e%zR8}rxs>S{sw#q43}gE5_PPFW_09UXkO^>wpPUKZ>j47jofcxjMNi8{|60@#{pi|hL z_46fRCgFZg=Kk2^tyuEeo5(lR_CC}TTyELQ8nU+d5na0=Jk{_!A~joN|Y3we$s=M~;hd(o{3$p<9gbuIQX0t0Q9)gVs~c{LU4r zUORPc7!f(_{TLnLXZEMJoqfp|^RvuiVlO%MiZVQcQ7w7Gt9k^OnN1LY=JVHb+4Hhv zxfR(8T_ZUu))<(*pS#ceP9o3lSmhdbG;+f)!T0@hJEg@z$E+)7S#q z3acX*U75YO3&zqCp<%N-spx5_*8;eK+Vi%D-LccKpF%zqx;BZ!pW3W7!11|iA+7QD z!*gsKia(ji?bElz*&6V76fA6qD?;5l>%$=7hx#x#m#PQNzseXT>HQby z$*W#?3pBMN+ciPz!@FRWgD2hhKp zmRHFtQ0I?`F%zuh;vklaem zqpohIFoq5K(_)anF&a5kIUG-8mMbP|Yi&u23EP+VW7jX*ZieX1)|d0cu;aNHIrQ!M zV|R7BGhD8=!yqLbv`{C#rfLsr+U9dqSnA)pTFn~m!kP9ZfRpU|YG*Q=!GLq8=7*nF zHwZ9)IWz~G5b>5l`cTo9i&5%dwJR|KC6wP{bPI^Jg` zI0%q7ugJ)drDl*|(0yh3|0(T|_MM-1q!O@P*GNHgJR?`4x90bZdtNr66x!`ELY^`d zue4fQPB8qWU4dwqMh!UsW8W&wtN}Vr>uikpSjmh;54tH*zi6C$6i+Xea;c)JaOrxN zYGTR(o!m1z>z&6tjY9@J=b(*p;37NL^r$VaW4*SW6QWj9+BqwM(~^CCzg;ND18-?S8-$@Vg2o12BLUney!!he!u^!~-pQqLO>btXHzLl3) zVjhx3BgDjSw)6u)kTmbot>C4=u=xgb@7cO52v1sLYs-?r?1`=uiQ>GFWaf$bQ?LHpa@!D5s~VuGx!PW?R*@+N<4&uWw7$M%6qa*HKBXVQ^p} zQnERqxfCW(9)X>|^13nN=1#-Xx)DEgNoeI)Fp5Nx@4{nH-K~F^C+ka)AA+UrVSwpEnUnu}- z7`$q)TT>>?nRd*E^*qriD+rx`kWSsyJP2FoM|MvyXI~1Y#Uhh5h+aL{34&srG+)Wm z`fb)qt#JyD3ovlu>^ScA>VLm^0>lY)&k3TIWf@q0_Y3?!AYm%7#s8_6wI6=thMeqm zySc=UWdR8fm#;^p#y5LVqnXc8G}%IP%4kfwU8u&?7)IE1SI-fK=s>`8!@KFQHKOU< z&Q^xef2;6`J{99)BzzwM+*EugX&u5N$lk=U%t>$(q3l}Kw4u}XO+sWZB5RzCb?+_s z{umKut7Sq=j^3Hj9{LzOgD+m~-db`0p1l^KXSu{g*igL8#d|W5T(q=;8zUt*jo8p_Kl-C$poL88CYDU1Ogmzlh9|`Wdn( zQbfT9sFB1}xRN=(iZ~lac29$|2Zntd?;IOCU5}3U6R-B~-t^Dk^e3b46LqSeCwbR$X%K({V zy$IFw4tjhr@FtoQ@n$JidZ(dtbN!=yIqQL$qv*AJbniJiPLF7N=@r(GAwT#y1{F~$ z@5cNQuWrjNMh}S!QD1;Fhvmsh()CR{5B$QSEZMmaGN41g8(TfQ+JQyk6egWPx4K;llAz`qw3#ejE zpoIclv0fcci-|OWtbx)*0IBG$-IB6Esia6ZJp)Vl%V3!cDg#Jn56dR6o9qFQ7J0B$ zWnvL6F%?z`>CBkzV#K<91iMl~fS+PFeIdFpuz1$N11vHFY9}&7KGe^~CFWpCL)}BX zI60$Ov)A^`&uuG)jYxJxJ3$5!9KFXT|K`K;*B?W0BeAT7rOtY49fH)8!LJM3a{`vi zc_*}_`!8|JmSZr+b&Sd&?Kwx))EWLXrT&oKPTn`GEWKDzMd`(oKIAmI(WXnSd#of6 z0&pPcO~GA z+I2FrzPSrg%LgLTVc?};Ok>oa3d8c?7Clb_rJ{_(bTKhddsljo?!tRu3Y5e%1NRKj zkQZ`oo=nybd=pLO-gJUOY#839&~XIxI6|xtXr|(p*nxmlq7EN+`J#Kd7!vzBSi(l%eW?NT2aNGG@TlY!2lz+5R$G6-&+q@9=RzbkghN<8Y&Gtho(cen2_Cl zO2Kc;@Cq;-Wd6v?+D-L`k-~+VwC8PhwXzI$X{#pO-OVc~KFxp+1*J;~px2zw-d zBTo__w4vtFiLgemxfLn5t)X*Q`DXsRJ>*m{a;=+#W&9`&d=)eh4I#5BJyI^$ zXbdwDIHubt5f~vrhn(qxKyX^?^HEkwMwzLVEWKYQqs=S?on{Y+q1`uR7mcSGLPKhi zuqLS*LF1DeT%z&{>PLsbpM24!TQ$=Aoof-w4IT8^(hziLC?z-N4?rMUVr$%8ugarZ zWngYr(4SPB^*o`(&SIH2?>@>h1KfLcm#J?0bYGclI%ft%dlb}#=y&#wdJwpIBYtb; zkTP#+CO~RBDpq~SZQncKef3M{s_ndqZJ~a$qG@$md2#4)#QLN!1;H-SoDns9wlH@> z8UuPl>3ey+C{Ye7w?og-tLH75oscFF2aIuvcSa?zZCnfpa%nDW5C~ z?=biC{0$JW@QD|i2{%pDx(_|c5CVSK7dLe!bc!cIlTUs9z0>*2ffLJ|J}vPoBnCZH zLU(-`sZN}dYxDEZjXRB-uAL6=&uh>Kb(@f$lqt-q+_1zoH~pIHw zTPNdiwyEpVW*p^1>9!)>4{ioS8=pyGOIcwRT+#y|7zh~2nnU>7C7NNv1$DPr)I}Nc zjPDV(iyTV@$c6b$qVXu55X8fbAzyl%)YS+`yxu<8Pn9^Fjn~36Zf#t)MXOQFho zqYb@Q5tx0kF*?N`f*e>nsjN)v1h4;Aje`pnFE_h=__{ZOIe&9ZNQVR)S!Cz`(qv3q z^WN~qK-w9$cZg3g;LufI92dmNmCOnV?Wum)ee5m4=`BfF>}y)D(5#&|ZasF*WPf@D+xo5l~x$E-rs4 z)=@N;4A=Qbp=1K{_>WdBJNT33`Aw*70$p9GW%9IPOs~=8;u0;#3CuC{LuG6jPIqI9 z(#F+3hW5i@5xqP2CxL!n8%ljf{pf?>_Ami!^)pIXRj_NMe+$LOd1OQ*c{SR>swjjk z0)vW<)mZXrf(4n3bXDgPSLN()DTm zUZhU+UTKhzi)Ob>3^&Lwbe(JGulM8*+tW1)p=7fYx9G_Bo7Q$8Ghzw>^Qk+-MNhqm zNS0F$qeD(I@3I3kvhCSm>A&eAD!14<>+pG_c@37TuTdvU8U&{hvA$Uy4dK^%bM}l?x6hG9U{Gh@t8@$DuDdHbs-z%FlQ@jLnFP zBuOCAz_kZ1Bb~C41^_Td{1dyBJn&9*t?51Z)KaF=GCZDw$g0iV*c19NA$)3?XY46f zj=`kti;OlJaUY0n`fRQg(+rg>^ua(fiHjETF$)FoTl z&Q5P|)kLmT+5;Aw9;JC1#e=;1)E)aj=`pKW(Z)%AX>U}5z@IH^7m3comK_zg#v0;a zl5AGFb!zmL{-OlXXO>8DgRjAH6lMu4%IJa8&1WvEg$?eq$Q^In#oJ+oAkxNTE>)vY zePKZ^&jG^kExSmoeDcN%3Eb=*d4j#s^{dZbdnzC#x9M1Q{%Qbe|n2P4`Ogj+*V%Mgg|0L z6x~~*Xr2M2`&E!Hcw_VhZA}flCSsM2znC7!H3Aki&~bzegMsLC(Og<-+WwVYT%hqa znmBs|OqfMef=9j^;_$t{Bt1GdEqvL~cZ}LK(vo!oNE->QIF33tidyKE2Civ(ZYwNo zXbegd)%T7MkgR$)lw`Niy2`@IO;>(T%s^UcWp19$OAJy$*^G%S@kRF+wN9c49>z;W z6l#o6!o)}IWVY%Mpb$NDdRSHX`RQxVoT1|$T#pb-O+F~YrwgEs4M#hd^)S8ag+xK; zQ9xN_Y#4K*+K|arGScl>_|g(0H4wQiFb4MrtqB*c1aISScXTHJLMv(eHK0I#<_63& za=_*qwOCsAKV$LfmMRjJ`Ih2&6~=KWx>-Q5fg6$ukyf%Bxui7e9&Jzv+fsAzY9FIQ z^WP-y0ghNy&X?V>KMCgGI1lrS@U@@E#6a#GW}4*4e5m%|%;@~N^z)=y6J2)wB zwd>96JGP_v(kSR-+hJW(Ir<1CRx^i@tU(b6Uc_>Hkb>@|mqAPXFvKQ+uDi0U93bxHE&Z(Dl zB1(fRLvd#~vBdwL#Pew1zMkO`u;%gxaQzvKJ#`@SN98AbDPydG6#5xdeGMIpFvQ{uh4CdEJG)%_8&Uw@2i`giMdUI7J2Oxq|Ymzm8rE&BZeMP2_AIDm&rq;M5LEey)dRCM$L zmb9u=x;|x-gih^rh41wfhOJ+F=1LBdleRrZ*WKyS@Y{!dvKFY-4Y_fqnuGLf9T#u$ zpKz^*x@i!L`Sx2B`Psn*v_`WIz~custtcT`K}khmGI!CN*PZi7zeWPpj9+-hUSr-c zL)ZMNv2^6;)p@|j$JG{qEuG)PiC~;?HI<&_hqA0uKq2~MF$59C3M;isb>l!W*M=96 zcaRh!t=fZozW8U#J`>lfrq4uF+KKxcg=)3)UxyH(GY-8)*N@R0dq##Cw-KA8y|p!Y z&G7oWkMClZJdvsmX|?otErFI#X{~<0js8>Dk2#R{f~xhGNMB5w^OY6di^D}84GPrX zJiR{i@2p^A8ox9hK4Vd52<8&REt{-ON1Vk>U zYX;Zs^MRfD+l>QGTlOb^;Y*=qCyjZ~O9`2D*9|g5{EC`qg6+z6YKwBSF$gp8S9d*V zf0_BQnZ4{T-7^RV2|l$#@4KFBv7+j+iW5Z4OhZbSJe$NROzfY;wf>m~N=^&RfgKx1ED<0>WFtbAU%$b5R#<|Xq9mu+20 zXeA1tuOkCMfDLl$MC_bu3P#co@c!o3cnA#@>KaquOOHkRdVUKY@8A8mbG^5-gY)@h zuny$v?Ef5KoijbI*}avt?~b>_7(JI2`tezF#P;LS7c_r5F?u>+`RgwJUv-iOra_Ii zvE`UV3Vy%F#`FrN1;CYzgb&sj^4&h@gyR)tar$qbOD+3nB zR|^~JjY`pc!TNK6>pH-i6Aw$*jdrE@*N}yyl{B;YnNh(3EiT{XX9bK5NW2zlH-*Q+ zrZ!IEici}rhEHgP*y1m6BGxT=eaL<(!K(=?s=>QOX66dMy~ zp|T@V=8n*lGUJ+9?95?S?t_CbzbkSb2d^$PWc+Pblr*{CW)p9ENzB!iVVT_;_e48# zgra*jMP4{8Zx{m(nb_4>x8uvM^WEL|jB!ekh{?8$ z;^c;Z4>qZ@z3%oBx@hi!l34YD1kUVXgs<2^93)0NLiwj6;;%1Qd7n&Wyeoa6$xsn(QU!PQGj+xjfn4HiD+f!6HEdV&c2b?av_B0`!%nfn zP9ph~exz`tJHU)t$80=ynYeUPoRY9Shr>}LL_7D8faySm8sS0Gq}{VlwM$!lZCbJ6 z@vHVq6wT|Wph2rC%HN>RVUMKpI#LJ*0z4UOJ-N0wrn%kkW(b}71Rv6Wpn;x=yYQPU z42H7*g9Hd8tjV!#UF5?J1TotFY!iA$7u3UFCN7`uPd3ODBEReCDP&~k>i9TjpE@^9 z_tao#v>Hwka~uTU0h3ogJf0Lt8%6}79tUf`RAV|=j?KPX<2hQEh@Y0v$0dN#*^PW< zHNm+J=motai(-6DkDUS{+V+mx{Bslj7rK(^zwHN%wC%n zp_mY%MT%i_^t~INw}9UJsmM|!b3(#6q-5jyOpWni-+^eFBp7(qKtP<~t1>&W^gTx< zt*qEYm06uWZl;JgQR9GbWr2Oxg-!0@Q~&B2`TUR*oVUNaYFa^JWiUHRW+ku0w~NOx zm!Wo7RT0Yba@~`Mz1Ml7SPj_{Kc7Ax65H#>ja|dvAQ3qsdk8ZO+KS1Iu8LwD+M6D0 z!KuCj1W-LH=S2!ePpfRUu1NZL#W|Q}l?4bN3IYq;1R4}Hx|VvOvpn{@-;>fV%=n}q z_7!NA?y?3e)>G5`mzVCR$EIgBYwx!h&Ze{K6+DV&N9`q6&rq#n?w_Y&c$h^tk8Ha6 z{8%$>tqMlM_oY*er_uOaYkF|?GB=a(enPn$D!YAL3X15Rqxpbw0{JtpF7OETiz`WK z<9??jZZ_JVEozNpCV-jVt^Qr|Z=kp-UhkshXoYQNdVy-h=l<(F9ZlPi&N6g1s2dtu z&HNkx;NBGgb-w~EKS59itAqmE2&i-#GsU{hN6p3V!a~>E*Bd4qB-?O~jgdhYJJPGu zK=B;L&aY~iMM2e>4K7&lp;%!r*8?N zg&3pXW>(!|1=`ATlPXFn;q~uMQoToC%iBNPCsEOGjq6uTt>AhSF((7I(?#J%9LO?C z-e1B9i882^P)VKzd%i63aHLCDiAQVv%qBvt7?sUjU_L4!w$?+;8cL|b(n;|oS8&Ip zcuvo)P^pZ1gf?L?hFG_qc@63PhTML2q1QFF!#h;H8;5+ZUl%xfw=8xSMesdxeZyJZ z>Z1fx?~}fSzdj@uHK=>jrEcsVe#2l6;f;IJ?M!U>){gNWvNSOj@%XC&u`XTNdNrQI z(b^G^uWdu8o%OlyaZb*UF?C{}F|_l-)ObpD`an%F@e2yZaA?U$IS!CoaLnI=7d)}6 z>o+$F@!kFux^uj+T4TUNX=A{G@5yb{z8y}M%|7W^cV_Mr-mvXW17tq^r#d@D08y=exdr zu#qrgD#`s>LeM59kh}M=bwjBhvyFefTFs&^7~otzJnsMb@QXrs+p9l(ZfSIWbsuu$ zB@<#ke;p`3Wsm1B$sv`5?2uh^XA?+SGs1E$WzM% z&t7lA3JjDW3q(bP^KXu}t^vaDP~ab{d&ARRJ&u{gJHgqWn-Q# zBQ!{V`1k`0iEDIfj+_gYoDeClHI3%jG!rTUdpHv&iQ-DKGw)KFM{M0%9&n zWH_A2$taCQcje&3ra5~e-gxI(P<2^VTZ&e3SIz;^;u)E;(J1dY85JHE`kzAd(B|xW zp=_)Wo{{L_;L%r+8ngW0>a9ZKVk&Wj5bUO0$LrP^Wj<^5np5x~KU!oPCrJ_cc-eOU zi?w@-&LnKt1RU#&tqwct*tTukwr$(CZL4G3R>!uJ$=?5(nYHJ5>aY&$psLn;U(fw) zZ-KwaC%LG{Y0O8pedZ5FU^uh1LK~*;%EqO;(eutLV23UKN#qZR1TO`-*J)8zxRl<) zG%^N~A5$IC+cc_7AlrvgHY+90f%&OZWGC?s)xu~-a7C%sNfZ%f^@m~SnJ~+XT|>@u zXq$K|KYwO59eIcp4iqxO%IiU=B)P-Mk27e(xkt@~7P#p~wk{9z69=oLY|l9q(3XV8 znU@vnDscN7v>Z$cyPM`;rFtveqVnFR@i!(wMx2>K8o`|%=6sbJzBI~J4STV>wS2_v z=)j^sX3v>#ZgZ;vu{vSM31jOiSSXu%LeQ2{uwXpxGk;(?uB?6n2C0$lcSTnwHAuDU ztp@%ok^do&OSn?AbtL$?WtNx{$Ep<)qx|pnm%L$s#t1Me?3q$+*zDI4EY-liD6hXc z=mhQdU;pCTbWq8euqpUN$Q1qa7x_tiwJSZae4d{iM(>n8`E!a$EoADfls;bXm5eS) z&z;T@I)z6Bg(|xQg=!0zIHd^-e4_61UR?T*8c(!7_=I4lYTf3_sDTBRl||qD%&x%o zQ}CBN`2ip$r-;!ytk1#JQEKGD71OfLiHzckZgVv?;RxqmWj!pg_;|5o0Ay89;4VLk zlj$KS9CCtoY&P)lAkDMRi@XpaMW+Oxs+SHFF-1qT0LQqhRD84xmlZahwcv>GUSLto zNGHq#xxwcJiJ~!HR~+WhDh#?@v^Nw8zK&2lpo0MzD+lvIa?IT|BtQw|@SEG*n<{83 zx6#1fHgM6skcD!>w8G{-?Ii$o_EdsAmvtf8FJuEoP>%TQxwUaq9_J6V62$w!1lGSk zXp%-E8tF!50L4`os$=S_6r-CkXPD*Tgu=~uL3$sRg3QA*V*a1WY9fu% zxA172bUSl3)X0h%ky0o(xHC63%E;_mNVxF1-QXhVsXUW+h%}XxOO_YrC{q4$>ZaCk z9!sU22-Oy9?jRN1b>LO=AcEmv)Lvi~+!p;LGFqC$Ko+Y>Y=Bu=@fFb6jbSYj{Oj7w5RNVD6b?R}Yofy~4CA-HG#YNo+=LNvPiW?B z=78GY#Kp*%ic^-XH{)Bt#Xf|2@_oQoGtXdR548ol`TdCeo;RTyDq-zLzUnhoU8a9n z^gVpvM{4y*xN)UMso$iI&XeiqWL9;Psixa_1Qo?Tu=!nqeUkcWd+*-Qvx7{u$x$^< zLhU&IJy=t+!o6mmUd-za;vbk?_CZ4>~I8ih$O=wAJHj@@!$H}`Qe-xN? zlc&Bk`JpNsB{aRf9NAEqMc0dtRt$!wh{hC9e|~3px!7$#vJ6hj~FjmEAr}?zyt{|LVzdPyh5o zjJFobMMbDS_V*+44#EVhjihd(5{f*@{giMZ2Z%tT|Wsb$zXC%xsVU?%1wT z9a*(~AsA%CqPfzb@D8vizVlB00dCB_(-y#%tuqr=AfObpi`^O@!}ESXSnC}XEw*d9grXe*W4C^{| zu*nH%`%0@;J9cGO)^%GL3s7S+JNDhTBMNF*@O+rwcBEu+rQtzkplt)@HurULO_-MF zg$>uyENHKMI1hn@SKLxTTS2_TM#W;Q&2a!C}iNE5nJn}5;bQTxIMP?yWs^Yde z9^`H6UXg{hn{3A~Luj?BHIMT3wgHPO( z;t<*h8QVw5&Le85OLsT7)?@uC^Fasj@!VvmPpyT`DD*BE^u_m*E?&O(hlBeKMjTBO zA?ULG;eWkkj94{At)C$`$dw=DDGYNz{LhW$hNs!5$04iMqA}cl8G=(5Atqj2MxPVu z+UohK+EBcy*#0Yyk5LtU3(p6!?+8se-;iFoGFHh#57y^1L0Bu#9j_w$=Ep?s0@Etbr1l{4blZ+9ug;hx*lzH+-w56<;QcC;&QB?7RD@k3>n<96kB za#Jvoa5?m730Ebt#*^{zT+2=DGV8@OM%xgY*4iIN2B@RT5?F{fay=y*>T{(7WqqU* z5|e(n#YnGcG|=h&wSg+O2@^G;wY{#|hmnOmf%0O{CZf=Fe2=})8*KWxBOL2Z52 z&~a2b>f+0;;8BwRs+Yf@o=Nt?DN9c^?lCV)UkB8_ruUd3wR=dJ&w|mK;jqkpZH4$T z_b)!#TdcygaR+XKnu2X15Cikxrbvd?ok9<%0EzySZAbPYw%{B9p2j%pt+c#>w&}Qs zs0i-53!!N0i)Wm>F!LOnlgD$Ppem9pcXuWsxKI3V?UDYl6Gc<&YAX5z)hUur-9c%@vf?2^<2Mt zB=WunSgVUo*7;yxxDdsMp-V2f@K{Jk1g|f^8z$eIVdl_UMGK4G0VU_fufb#*;8bj+ z?r*fFSma5ToFS`)mDIeFVUXi=8oQpoEUNNw+45thF=l()6?0?s2J-46Sk# zU_LESx*W5JPgr;IkM;6>i~`0Ggj&yFktyYd-^NJYk|ya>XG*xQQVMyUXX^iTVg(q9 zKTZsT{69_%%DZ5QGQ{Snkbi4l8#x_L#4jg1wtrls`<_-OEB0zp{|)w8lL*$NeIQuJ+G}sA-3>UI7~`HRPA@Z52c`MTM|RoS8T8 zKUJd{D5%1J*ejGw(`IpIOr=n{tC&7I&r*F2Q6|D*-OHMJ0|SLF{qD#rjyJqXHBr)& zRHz}zr(1Pu^B5*|tK84M9c16O0Iy(ih?d-<26Vk{-3kYao&^zCnjBN{43d7{#5Q&c zOCyX}d*GBUs;bF=B}|y0@fAw);!qIP;A1fqwqq zJgfs)n9X{sN#ok95yY6}IHOUwE?v!n=O4=ihNBMkWaj8>nl9+0%W~U4cbO@ zbhjbCpg*d{pYKY^f~!wPeY~Rb7!~weTXUvlH`>*Vhqt=HS0c0G_fEXuG$aJ0*EKl< zb;g*t+-L?fcbQ-wib5;{GV!sEjHt{rE&pX%ry6Z<27Q7~l!JfINH$u>z06#^vZgGQC*Zx|D=KOx@yw>G1z1K2J`9CHM2-~KX zF;=vxA{oNF&()1ixd%8jqvh%nUDI~%%dg*k1BEl^|B5jEl77W*8)f7Eeo@EvKkn7R zF-Q|B@_i2==*4$fhnLSWCG@|*+*m=!Q*>arOmh55$0Ssj&55akt??5>?xBk^7~$39 zScqp9+K;`goy;a@F1nbUoz?X}MY39|??B!x$86l1^P#q8|FE7`q-c337xrn}0}SKK zIFbo;qP))?0T>JAqpL9;3^Y`To8SOweR+(TX+1KZ?+>a32vh)84ZmE8I3z1og?(~2 z8M~q?L>kT-u9K-+xrGuU@K_hPDT8+Q+J@5^)9d50!{i_w!>{v7OCo0F)R$+8fDydf z?ElAvkxNyONF&dd>eNsZf;(eL%h=*F$ztj9PW4$W32cQ}x|6CElXQbaU!xi9r|ZQb zf<{o?yELbqU1HCJU30_tHmBY|Q~6z(!Vrc&NZZg-xKuoJr;iyhZ5jO4b4DkuSp$e0 zZ73rJ5o{BpJ0sOxeP!XVOC^!J7ni#Z{!bEiRO{Q+Oa#t~(=jk|nGUO^|Jk)c1W)4v zKV(6Qkv?`KK?&&(ZM{KIzK+Wq)#{nHn2DO@sE+#IE-V|Ui6_Y{)lzv;7vh1DB)4<` zIW<}9M}?_H909Yn!hI<2xZ?mD{hQBHSiSbRo)Q9WVi7{BV?yPH5^jcoG-VahAS=q6 z8kH7~7Os?S$Tx8ka%sQ4Vr`Px(G-)Y?kMa(T4|qc4VFJR_Z2-~X+D`z?LyBx$cl`T zB43i%7dt4qrt(qPsNkPk$H2F>{&B5VZto?$f5xxRR<5JyP;PIg&H0De2^XES4! z>=A%F^u>QkC_|2v&pc4AWI5W%z>yg;Wp#r~4#jLW7Cr`^6w)^f_rw1e?$7R|U-(>D z=KbEur+^mC^doG$Pt5ssjKamiESfo-_K+d;c95ZX6CztT_`GJD1o|)ByCY+?LD1rk z%+wVx(!Y07p86{}dEQcOSBQ!0iS*GX@BIdkeTWFdWuGy@s0qZnLz}6e6)YC2GK`$Q5Xm&$&i4p2-si znD_i0<)M&V3Q|a=h~Z<5R)JBc-7Zznmu=+78U|01f;HY>IPaxB2rn5x8qJVSet14NMv4bienciuD%rWm#XZ(s~)4n=U|3ctEjSJmi zFxS@@hlp>5ISKh*CWl|ey9s#?{@RC!_!I~i z@TDiX%ey)t;8#buunGs>-?7K1#w&)n3_uTh4B$PdJaHMHsETEpgt!B$&GI`lOC@Ut zc@F*K*l`GJA;mYNonf9)wkDd{u>XjZJ% z|FNPoA~oDOS#v!P_yeX9syX0`ePp_E{uQN_!?9t{mPUcJku;+5#?JCNI!my7iM39M z2*Vd=RsJ&Ja(GNfp#Dnj*4(PNN$%0TWMwL7?$1SgsNss5qt&J{LX;#Y>@8OW_Ovg^L(YW(8^SZMAc7e$NjfQx4-y(3E z<6k@Az>{+BM=S%B--vMxuqit(X6K78`sf++u*LZwtmA)x|3-ng=yFUrjEQ)pA(2Hc zd%>+be6GnjpuE3%L$~uGuUUP}tDU=mL*;^yhy3gi=0VZs#EB$9&Z$o97y0}T>f(Zb zJWj=H5U`WuW}!<#!PT#O2K#N8!=$BTh7g5i`jc;30pUM(*xx(M&?xn{D|Vqk5g@vv zZPN(408(5H7M_=uyUxDWCh8&fQyV9XN*>xMo#^AmqfSH4bu}WA?~@IwoR(Pu^)+X0*n>z%`#*&mt{M;vb7sSjhQ=! zLoc1Vps)>Tb`;WW{Owxg&3CJ+(t&-L>*3;|3sfoQ75a_|Oac2Gz4aO0buEqqI0RrK$h$VP^`Z z{|e|XzuCR-C`9cjjGOPSS!oAGzs-NY_UND^AdEiorOAv*a`!3l3eqT5BO-M+74a}-OQvBItS^g@*Vf;1&;gAUK zWrHM6sf9Tt#l{o-=0>eCtwnIEp@%Sdlh&}XJ~9fi8M-cMh+U08AZREZH4JqGOehF+ z6u<6-ftSUy$C};C5lsCqrPOTV>2@h#jXV1^6nSq-=SW4EsE%Qcz%*w6v}$X)*Al1m zYs>oYSl^JboVJ6yR=z8jxJCwAX;2@RK8>@#og=G>!JkODiv&v@szqjB*K3r`5tseP zpH?}ZG|Q7llV+bUT@s*cJ{oOo>QzwR77I89ey7nFSizxs4L0qsAd8;5ss^0y!tHRl z^)n^QW#&MD%9Ea0FQveeSBj}b<9IY$fU{$o$lnKz+X+#L>v>goK78*dQqTiD^WzN1 z=nxEBhMA!*WM;kns0R})tlTO1))^zz?&umYTDYJ|xCc&X%2V69A^ZffSpOqN8xw(Z}X;xrOr7gw0%3XEPu!w0>mVbkW z#x-Ha91@eP0_$MLRL9xYSvQ(`+T?oedx}*%l#As}H6!IiW#FktHoVdfE-mZ5NX{AM zs~bAdBYSLG<8kU!fPsJtC0gjODckANNjgZ~jq*=KtWvoeo)AMuCfxMnK{`6Rg}>bP z$l#Ksmb%o;{5Lqua$0_8y1ba}=ZAQ*rnu_$s5EP}Ye2sC)Q1<+M#qGTMV8oRD$tdt z<(N41PAl)A%MuH&2E)=lGSkxiopc%GsAS5TRQ@w@BR6s(;|K%)#o1PI5$*(i$-m(2 z;9{Y0Z8XHCD_9d$^~CkN^P;#3qYp_;A#)3lJb|)`_|Z1(K#zN> z&tA=Uc5Vt6H}_U1xHWT-8dhuU`w#uir?6b#uuuttd3 zS1bdkvAqQ64M;1!hF_+#B6jcUyEzZ|z#F#6c=d{oAHv6v-)_v4>I{l=))4fAHcDE| zQeXQt*>exSjXa<;^7dqo7GT1;;~;jrtug1^#P5>i!?|7 z!llT0VLA}TM0ZElCJ1c&rCcNX${}90bvSZ}>TR;Du%Y5BLv$0eD6Om9`(cd1UCJ&u zHx)%EyrK(@+{FBaPAm(y2)&*ldcl!8EMBvA$P2x%kN|2o0}sEO64*-9*1q3O8Q)6@KJ>r+p>{=G%ugDDp+H#_&?c#?`b?;nc+w>dbi1aW zWcW}u1kTgcKE1w+yt(tf>uB38ozV?}rQ}^oP#|R4zb6=(V6ye=O-*`U06ZE+^4J9) zML2GGQ5Q3H2IBo5Z{p)XZPh4`G2hFJiYFj_DLnXPp3Fc(Y&} z$JseJYA+)qKXNF~mBz#`r&(DgM3Ug&|FTr`QLu}jJvYhg)onhJ+(2bqC_@(js?AfL?QhEh3O!VLHdbQ886HB|Fb-ZQhY z^IA*0Nw+JYeKmO2iXB2;&Tu@1^*wli_-R2|qXb>@=LPcM8V@pW?Z~ya5t%LZefG2Ca0v-S3(pT41mb7|`c@ zv=#iN*F!kJ#caN2(H-C|;yy-bT{TrGfT~d4NG{VsNk%GQOruJv?pHiY;Mz==D>E$v zN86>faxMYHLE9Uz?%{fCFz{lLqFvqS0ccw(=lGS-!pKxI7N~Vwm8K?3l2=F$e1@$+pTbEBnkO*XASuMeW%;j zoX+#+A6o)v9i^s`P*K_-kT6+_I5d}3jj6(knsKnWecNM|Ylt8ejry%afw(yNh`wE2 z{Yw%W?ZWkwbeY<5(;k%nvUNwv`CBaKe+{!h5yqF_C@@O6DF?b=vZQs?~JDPo=txh2=CCCbfC!NI^;dO)c;BdpEYfuH8*^ruBZ((Scq*4V&77| z53**EYrjLy835q#7GFI`kMry6_8BrUaNtLH4fXZWe_Z#rRNK1*eg>Q7P0VTz9L8>Y z;BS$~tfl)2eQ3^@3thZ}@MRKXWd5|89OI9vlhpp{(P$o?kBcT}4XAC)tfic_ITzu3 z0rYnaUN)fD^-$iQ+k%=7>PsDCy~VS;>T1$UH19q#pdh|A(7-;)=S>%_d<5I?0&UiC5=EQH8&rvSszKKYI>YVDP@qtnKXgUP&M2uzoOdz|d%R)GdpVhJ z)^2?6D6RBNIsoXz=iE>MQvJ0K=8W?2vooy<%Vmc7X5?sTk9vyi09f8g3RFCvv*9+U z?=6?t>$hdyG+!>gi@%wltcj-^->)mW-xGz|TiqkQzrHsX4m<}@e!DvA9&RCs3 zyDnzue?#We!BW91ml;Ub%j7R{HbHk^W1+JcK@q+m0{Is_t7vjA z)te>~2S_0S++nLyZ@dzR{kYM2x-uFsGnW4x)<{ z{6iNmwU1RH!7KXnJ=3RPXM4xA_Lqs)w&}Y+qT4AJ602U^ene>y>mJ zba&)x=3IFApeG}CBWoLf(7fmwTpw6B7B|L^jSL&gjJKp$JGKRuzbNKG@kP%p?Xa$m zeR;s$8)uOP4xIF@61Mj?$gOcJ_eEg29rk=Bq1~8rOFA3LRVg@P4OMKVr2VcaKh2EK z%&pft?bcq-WYy2T5y_3+iK<&6UdBAV%|voC2fn!y)WMCE^B3lVy1rwXT<8zbew^qYCvxswi4P715h{YXBj^|w}CsUt(ITFDgsl2 z18W0TK8%~7+TYRQ2VEPj=$ zv6SdGPN_0fhK+NdgW@?MT;*ba`@A+tyUAV%0#l&+`VHf+gZ`Xde~ImF_Y>PHO3R{m z9W78k$2`hAzF(&h|7IB0tDRUx^&zHA0q&&_MUC1MVUT>ihvVd8kS`$OyYcn#Q-tnng`P5yl!v7kWQwU_Oh9v9Tw5ZN8}#z;Kq3z_?KyV& ztMTzO>)=MFW9o>ptMWPm_1U^7c<^LV>M4rkeqmoX{ij`RhH&C(-k-4fm2Xyqcra7? z(&FYL0(=+VcqrLH-;8f%AMZ9z2~!cDwGJ5P)Q!DU<30kT84>VcAHL+O&wY)1cyxiK z8~%Z%S`etfRG`ycRUa0yF0BKP5QCg)1*8S}r{8DY8N0sq;2;;z^INJd&lR~Lu6inY z*rxb>{t#_si;iV&n6{!B)6nm3bu_R(T!KQAEJ>B;3v)e;H+G_+3S(bPL3!i)Ww|KJ z+Gx&I6QPX8k|cbqb>_g+fg!y0H30+XNQ~Yhcs*2XX;&#mTv7XMoXe9e?eM2HX=X6% zr!{G+p<{l(kj&KZsl!ZnS%PYXeM4EG&YTd#;JsvZ;N1@e87ZuUG?3LFepCX`e~O|L zPI>!tF8gRTg}R}QdUkVjGWO~b0`IX?b@tg^>+wCzECs(=Rz1bL(s0C1xm<~5ko@-gRVB=;(W)_XEKq)k zEwx)em}g!`pa|-1OOVQqE6JLxJ~} zT3}4nW>RJ$TF+RsW{VNYz?_aw_(IR1c)Q;H;jaNdZ7~QiH-WlCCWC-L-$AL(@f^)r z@k+kLa+!T^uHV`xyVcEY6hNID* zS=pcr)AZ#MFy0#Y6csZemMfD6f?)t;z>m7EYKzu0JLpHpfeI38WBS_0R7hk8(JE$T zM7hv5)219H-r(D5Eby;LHM&WoV{Aas9K2HI`0yJ^_zvw-9~D=wZKq>SF(M(tXBqgs zsZ}KYu?i3lnXw*G@Sp_kdXlUwAOR;rsi-<|PXu?QAhQ(ZhPesf`axF%R5Ab3gR0l= zM_N@s**E+B0?$scP{_c$b3k3L*Tj{s0?pM&>X-ud=5_w9~ zaR~_L&`b&4RtXVGrhgXHEpN?|UR>mcQSPGPBq48{6@EI_2_cKL%!>M}y6%Gc} z;8S%=@v8agLl97P#|W{GtH~zDxwG3~GS~`D2_6NP#gBF&KK?fPydhRFA?{5;9bZF4 zQHb?H0LIl5OaOB>24Uc$KS@ovzk&rX2OIzPoPSe;%H%a2+TVsKzZbDqNtsdFI-XpsU{RqPSX@_ihD%C*<#q6uOmlS&W)Bqy1`z& zty4kg)J4EXF6;w{qh#<;J;Bjc&u&=XSYk>CBx#!2qIfTt^`O;SX?j3avo(R%EkN-{ zacaCkEqW{lNoKXRL;)|>QP`vB?5co2qq7m!BGmO2yK{7vOvt`Dv5m$^^bJk8hbMyWFQ(3#h7`M}{tg@EOAeer`utB@x-sAf)!uy5yCkEcZ zw}l41J#8~he+yRzp%n5L{#32IeAvgTN#&fSJhaUqgYvzyc`BF?*wK{9htC3zv@G~` z%2;Hb9gfh>jcP*!YhCcy9OIsKK5sXVCqxj4&jRGZ%+wCE>)NVu%|csb!#KjivCY7Znc>P_d=PcfHzF}Z_1nW{;{HN>$5Up2y5kepecPZO$KIKkMsT-J=|8w z$QoD^uu%3e7%{4rt$ciNfYVjC_@PnN#@^O|IyAO+iXc0U!&_>E$T>7zDn~zU!%nVE z$9TVV-e}5Vm;sz4jDRYzzei$j(dA)HVa+;W ze~PR9QRc=WcS&u=?zNCcV}!Mt{a`o3Ov85GG2S~>ODFbi9zKKe05v8J8g=m|H==M) z>XG8s<-?VU90iol+7N>v(oV+B3?cZ6$Nig3Ct=K*=WpFGn#iGKIr&}@K>f`Ail_oq zyT5R8*2Jtnb-K@qFeK=2dnOy*RgQ613XdjjgN-_uX)h6Jv$2%AKc_ z37Ny0olhCd>j~I9VJBK<83P5*taX6p!ZQ^NkcBP?I%sr`eN2v$(N60~&pmaMRHyAUix=Pg?MgPbSUEQ&9eOBd=&?URk`b8UzSBl8&sRWrOLpg z{Z$|E6tQcyFyG+ETszGq?@uwP(DB zv@1i`v^nkP80Er}6bC{f53p@gTfd_FJe7?@hFgFma` zeX!z8+e`ck%m)(bb&Jv6sKx7@%KM>pk}NVWkt6`d@V^nFk{CSh{3en29wBw<4mbjq z!ilE;UzZ4+RS(VDgSc0;85rR;L7iOgNF}igx)P9?$EO24QB}!-I}LQnvh^Z+{s~ht z<$~vD)|u74y*U(wIlOKQY7i>9Rbp>@ISXLvh=aKJP(>GylB&BLLog9Bb5|x~GQ0~K zj}rCYo*mpajb8M}O96*oqz)~fuWlagp->h_@@oFU*8{~OPkw75#?8pD3HHJ?)5#UL zLr`BopUw{_?GA?7L)IwcF10pg|4imI?4ckUrujV(dlgh|gAJxuOT+3wl_!&;_}r51 z`;nNw+blPKW{+*!NAEpP60HpO`(*&!S&OMYN)jVw7%W$WAMmXoPqtne-$$TpH%33U z6sxTR)>(Dc>fyn#Z2m7y%$I{$p0nLNd%wPp$2@CaEqF&F9~ZWxWRtrXz3BWU8gxxZ z`$!v2j}^g4#iw86ExT;ERj(Nsk@m#x;L2NO^@z>o+A}CBc$?)hEgArQ+5mp60ZaMh zWGLVgde{Ml^Fszt+YndaL`paP4C0LL&28;PZ#TR$TvBV#40?%O2Z}?c8!5n!2Mvp-(rUr*O_h1;F?4&--=4vm?&Gr)MfsrNC`mo=1NY>mf^oJ3Mt5SdI!hhA zFQ_P)+$n*HUTX3EVjPA%Rj$An_7=mU;a?a6$Yq%_759=|VC8r7CB-&_SpqZkZ-|AV z$ga#W4$nq2r0gpo1YdtBZHbtUueH;-19Gv}R zpuMzI=yLwcPMldyJ6?#nIWn@mWlGz=#d^QI;}>GSbfh|Math~5Uk|}GwYcT&|5|PL%ri-&_u9Au;2{ z-0C@Bk;6*)Q&+`Lso>D^gTO#_rY|iEBMmU4YSp6AOQvZkq-+nELHRcimj{DM7I(-v zzUD?~0jh_Gqf(p~ofhU57Q0eWxzNbSzXBO1+};}nM*8aAX`68okjlW2%+|E2XsZ-(B-Lrht{K^0#J6@aATxK+!INPt(|dP^qR=i6!0^QhdZg&e$W_F8&@6xI}f*K8{23;53@PYAh9Sa639uMS7u(e+%TB{P6e?>bm7m5e@m-(FE?P zdp@%%;jns^MwA>4TgkK_qyG(jnJ>_ANjTWw>_}FxqUUfrmqdj-8Rpi~ojF%l2%(Wv z79nbBv#azI03fgcSeC@+;L==}=*s})kboOZ$0;J}o!8|=Dpg1&Rn zvGUu}wRW!X1fNE~Bfz;+$_e#i@O~3+7Ct0}^~_RYLEIv4wW{E4*uYVLUphzeVqYU% z43o6$5-3!!p$^V?te~EckexV^nv0K9P|bSv1Q-!}#k}GAG&;{%0RN^errw1bw_N2j z4acH0bXyfEUZf^y4pzABV4^nCT4OHd3sV$^7I( z`l7=yew(j2uw(BTKUT8Nu#YE*W5Y0`%Y=vnr)|5dGMYmEE@I_Jod5&)P{%jtFdav! zwiUzR~-^9P6?8?UDYRm3AG+SG$g>cz`;=Ty4~Oe=~`0+vnvkKf)r%E zVWV!o8l6^5UPzA$%{S((J3EuJfb_rv{-~ZD5Oo2?urK{o!3h$OamtC0{N@W_s0shQ z*7A{-6z8W{?I^9BbLv4_gBN?bjK+6|3oG{1puS(|>(Zk~AA^aZLaPN=<0;gxE!aY1 zhJ=zbArly;K46JF3rgVNw%7E+b1aBehFXW;(0*G}#C1u2t8Su?mr363p|<|GEjeO{ zkp-V2%;IN9H}yVC*m@TyE!}E5|AZlJ?WPvRLY436LjO}XZ?Jk^rg}P{1c7rlWwsr< z^no~e^uyUWv1AsVJS=TiWjNA{iU;{WaU^0`8~|PB3Q?*gHB7=)LY<_c(tF@#;u}}m zc>;<2+OF`&XEBG8E{;KNHW@WTfe)CSaVg&!6EHuM%FUI_ z_m;!SNJZwUF>+0;*;|o<0=r^UEVo*&`TS!d#4YEAu)@i1Rf>tx#j0SNBVpd>um=)D zoom0+AmA@MccO?h@yU)|G`#xpwOmFV@EgW?5Y3HkdS4Y8Ru!SU%06<>;>26O;8urtXCY^*|9AFfhqfVniz&GFjg zm)wvDTyXkfFH7_a#n(=c9A#zy!E2EJp--(u8>eD64}3__%Gj+zCGR%0U6azf&y-TB z2nQHQ*$$`V*dk`FCp3l0LjqK#Qi_Y>_-)7>RWIu`XUk4z9(%<;8fJ^@w03)(Q>^mT z>KseoVe*~-c9-u2mXk5q^qt?+n0aHeb$Ic+ZeFCFME$OZ8d_!(PFX`V3b3K~x4$Jq z>IzmSl+zEZ7pi*Hy7|NZ4QIvOnbP{cHlJgEJzFxp&T7<5xst5o1*8b}<9ySOv%?t` zdqi^)By-tp8rm3Sa4#F9VpJlGn|+i_xn@|YgAG-;fjqbU<&*^!XWXSznY3jcIbrtE zRo+UR>S*lurnXs5oUF5hWm7NYWEbMQF|~O|Jtw6#n_O_t_AO(wRlBZ5mmZ37gE|np zsf}`TGVrka(Q?y_p3wtP>s|cDKKj%ym_M1zorr9o{O5FUpTn}>I%#{o?u@BgH8=`=Xu}Ru07F+ZtH>oR3+3? z{QEjqs~%a#rVDLP*ejZrGa{8&?vKsJ(v6T8+k3J)z77 zUa-ld{ZWmbR^QLs^_PA}Ca=P}_2Lzu{xz$yc?NHbvx(*>)lhaSvPxAzJ99W_fCo+< z8-+$gQulxv4YdRRLWNeiT4G2Rl&nf(@1GOEl{x-#cZ=*u!JJ3Y;) z`{$MO^NoPH5p_X6U*I1`%n?nGWK8Rf+8-LU1q zl1ZCCUEJ{*P`>A@=5B9`(t)}N(gA0BvYV&`D(lzJ`2&D& z=2h$_sK3>Q3%NiKfd0Tg%qEfnPap_ZKVa8VWi~ z)iSGEduTwfB)zPsA$~Ab z?-I}7dleRwf0+H>mgxRwOo1lMvX)Xu?%Yu6s`ghzVKp@&lJIqpfecol(XvF_un?9i zzS+F9hr}j|N+2)2(a+qE^w8RO8dnStGb9?rFWv<+krDEc^vG-uXf8n7OI5F+>C!Z^ zkI}>b;_Iz)^@Wsq&@y60TyuNTT<6>pJr*b`WFGi0^mZJQC1ClL3e zQfWOIc!l>@ARwi(sj^(&G!*B9J<`Pg(+Zz2kNwExMzeHY@t5v;un21rj~jCk#4pZ9 z4s+8aLarG}5^GzH-`Dv8eHRQxc>2U;WwdUEwlqCF<;`p$NhwP*IRT%c!SCP@|}5w^u1j zT(kwMAK!Q@LEFLfUSJ+{zFoIvRn%#6wk^k)Ue2v%Gf8sy=CNh(Rg1)C3sJXhmT!G< zYUo>&mG~z}@Gr65MF32cJWUJ#r+{B;sbfP?@uE|HlZe9J#RG#^UiY5pq-xI)A{wOz zr0P`-Xcer}+**A_wh%R6Do=Jf-Vr&ECwn!{~0m>#*Lu30wrQpgWz*y8onE&bvws@sq-PCO zaCZ6PBVA4Eqn4iC@z4Wq4cTKAhKVGTWj=|kijWVG(d~q!*lc8CW-bBrVRd39I>rZ8 zKQaI7dE;2(4*q9N;eaG<#q6~~Nkn#sJH0ibeAY*4@Q~zTBoR#PnvV0Izk* z{<{I!8dKTywPJ7eiUqbV=ZVHn;;5;a^`hzXgIW<%*k=I{1aC&p~*&ZI(jkXr#RI9!f!rtlz>kgiMX@~yfL1zW}i_oTZn}9Ec`@D z3Jg{VFL6hSEAcL|9zxN!n73%PGzu0JAm;$pv_N-8OB;_o@Q4SYMjqAg8k2UD zWUyKObKC|dN4Aivy{%8ydqag4)}b47jsXowPe0>T4|flsi;P3G^|(D$4H0Y}6s=x8 zfK=uVw^OSdvRkPFxmB`ycKz1Ym5c)S+l4MWGauzvQK+S-CM?; zgntX5P%E!=O-58waI$k=TJ@LEY(0NYFuKMC%J_sW7hqIUKI-uX7?mWZyf&-3^m2QR zoZmICK)hg~v*@%=A+TfXaf&pRs7exN<;5?JNonq9Hm}F1;2@GtL8|-vQ+#IJ?(1_! zwajfdv8&+Uz#>DKp~HdbD|q1duCh@Pd2bD(Nn(Uws>6|VfomL+@zlWp|DCw|H2v!# zSKY}_WQf%uuihJ^UbAUj+TcT|G{v19mT<-ht=57|>IBG{7;O8+w?z3>p$_ry#^Lb5 z_}-z|REJizgVC!UdGZl0N_T!@(-YX7vo3z<0|!_m8QQ9IfXKNB@xJFYQ))69Qi}3u zeAihL9I{!mb~1lUK4!|Hl-NG>6pxK@OMF!;{h_Cg1G)8;Rs@%Qy;!t{RW(fh9ldT) z7bKLl0%6Fp3!eGNu)y#OG>WGf2R>cdYsFyi*#ho%E_7!a`msniWINHzp4EbFH-$@` z%8AiQ(uB1jPkdF`(+Y!;+Mo7cPCQ!ZBw1kFWpU3f-z~G~Xq4h0Jrxv1)heAGXB{*u z>Vd?V`>^61)1^T(B$xw&jRQAE0{?cP!>?#Om}FjW@4ly0h4m&X&>n4T($y)$mLvy0 z+FbsOPQoqRy707OtdWfR5}Fdl<5mFGEauZk-<^8iDT@?Qtl z`4Ey}{gW{k#V|P}vwa<@TaE6vedYk z(+-`(xY*N^@Z8u_a%dMsno>!!B`ipg#7!ATVpc9lRr^+V#L!Sgqen8FykgLe!(iQR zgk3yAcGKhY^!ZeA`OF-6s|A9hkP+jJR=eAo6@xJJezfikl-3OOZhs-FXm(ucV%$D{ zTyIcc|Ow{I2Mbj1MO^)~F#A{{IE5Kvcg@CjW(E;;(=6FaP>z=kagf zOs4<;+c)ojckuWB`RTWP#Sbilg%B)w|J6Z1MOMep|q2{c%eFv6);V%e=jWk?3-a2YgleX~W!N+nkE=5CVx zfQ$Myv=Wp+tWg!NYwJe2EmB+zpy~EhQ^OE4Z+uFjA)m6h!I$w_@5V6o0$c{oOGL0; zCHi;Ta1IMz^Sa{mccOCq!$Qt24{`Ln!{1pR;){Vi#HSI04p9oa!qd`+VP%gT|W%G&1H1$;UyG@kny-s%}n&+a1 zgtWI+R*Oc)KBo!sscBQ0a}Vv!FP@rwc$Lb41H;A;~N2EkR7 zWU7fMxDcwQL>`#y#JGN{G-QciFrTce2!q$?vib-Pa!xwKK#ciiDEI1uhCj4`?8WlpNVRf)wNid2&V024=rc!_8w;03zGp(08ikO2)#ti8YAyt`tx|1Owb)J z7Ow#>*jgG4Y{ap_a8C;Ar@-@BE>=SZvvrRRk7|xqIWWq(U+s5M0S)q@XMVPw-Qshc9dLbh>2d%T08&AkJv+2sP3)?I=dUn@BV{x}NXjK@P@cUydHFSa{^}fp zzpI5yeaG_bX4v@Ux>lNM(}bEtOn|+l7-j{k5Zxe~uXDIl&HV?&J?npG=wg$Bda-s> zOri;>H+m4nR4Tp%28F_0^`C=G?Ycbs;p@rK!O`L5=*!=Kae$ys57Dn`_6ETKtCGjty`@jP~IZX3#%j$w!<*=x~gGnM)#*;F(DxY;_i-E6Rb zV|NLtVRu*IeUQK!c2^QS)ZFtyf^67*ZoE4#!<}am&-4|w+G6yVwSb$f8F7wgpwx7u0>KUHNHHhQ!{|D4;e1P1GdknpFLndd%%A7fc@+N>y^)e#GeC+)8%s@alCvEBuSOX(iSY7Z zi~4VS4dh}|3YINIQ9G|ElitMG&n4q!nQx}-gq(lTqvz!86g_KHKaW9OEonV+u9Qhy z3b#fjgzpWG`I6Le&ntQY-gL*5UC1^lHjRL9p}Dl%3>#eM8$p#a;?Hm%$KIc9G9H1i}o=N;0v&3Lks=OuJoE zi1D~1&qF_z4!2qKW)sC+t}A|p5o%_x?wZAA5_6D0wz;i9D+mD-CJ9)vU^WSw79Ffp z{f#IVvg#Rw&(P^lu;sd5SHdO9R@d^DmgYuOR}j>h6)p)fhuF_y0q5KM&jhu%SWd|K z1WAFi!p$lr)#=&P_Q{{pY`XY^=DyP{Ltsi*dgRuaJU3@AyIvzh5IPI8OHCOsEu)K} zqLIY^# z1V$+sLvW4HS-;5=#d_7xtuO2j*YnfB{WRoDB+I?N@J~Z;-l!Lw+?P3?K&2fo4dBV{ z>b2^5t5V*$Ujv9na&`IjQ?|1c z?9$H8UYFDB(5dT_G1U}Jpu^c|ygBVZZNGltd3*ZM^A>cXeYib$C!!SEbfJpwy6Zx9 zeTeBBzVCw7-FxFb$lN`B@VWERs=OT+*iU^nVS~!`ypf{R4Zm;BQG;gT3lBJO$BQm| zU8PO1uZN*c!BIbb+M_oQF)x0u(+ArRgZPc@?cnz*v>W{DA8yb?_d-i%xz|=mjQHu` z5%*U1^;PlRjoI?1J$1D=B#u(_h%UhSgBijqc9&!3%~trL-kU-sQMZx(|2*x`DmMm} zxH~??$buKaLk+D53{GF*n_+g%j|pz`;oxirg!6wq$eNzATsJJuARwAy%m1OlW(L5^ zJRG3R2ZxaP@Srgt946)i1H;@C3g&}?zkFc0m;Pu4y^X042;$O{D0REjJRmg70P5X) z$_9+H2gJ%SqWV!_RPG3z^6{WjJ{~yAhlWGB2LMWc$deCFHtq;y((@p7gOvx~py4yc=5kf8YXO`pj(vYutyj7^p6B$FGJXjiwL7e91pz~Q zC>s>AnEWg%N$3S*!eZ7;t7cf`N-$BXEZ5Yu8y;VeSG?!*+MgZcUjP*^L@CfigHVvm zO3X7b%=0czyJa~h##K$t`WSF$R*Gt_U%L{`Eck){qc<2C`HNX z9f)AmLpR)|6($dw*qrsfe~hyhxzIRUgXh1+%QDaK)HmHmz~wl;7k~j<=Sg>u3r*0M zOEIrO#UU%rlW5}Y#TXbL8*-XlSDHo1H$F9pA3eD1=Dc9@YhGLlBW9rQm^;x+Ar_jN zvBkPF?od20uQ^ki%%_I%%&BE2=(WWl95z$v#MSVDYmktpgK5gkbHYwuyl6N!I*%;h zqb`(%1(u55N^D~5Oc|fcNtYv5+^euhl`YLn(^CwOd?8UIyyjX|6GD+sUt(CT*+?zq zImWP<<%e`QWJ72r%^^m>P5rvag;GqsFY|1k)p^{KlNF0>&TA*|lFcg7uhS*tMVmR% zTiWXbeB89v``DmB);02tTix!_fzXGXNe4U=c9jFK*B2}g@Bitf6s(2OImvsn%z zz`C##5v|-TBV?j!uqtz|B{oRJZ~}6=SX_F!EHJo%SPD#F5pCp>5?gE?0nKgNR!+U{ z6ZyL|Dp}nI?t(N~YkFaVcUy92^$`6#;{Eyy6!svKAG1M)Bd0#Sy;UtrL&M4Ls^=sZ zdS5yUn7T(Pp4Ri~V|lg|^UXXL({>+l-B*GawU#wFdC01CmJLYo1KjcdW$*33+qkW~ z@!$JbAZ*tX6_T>#Cf#b+-yGGk8=uCGj;&_Tw#r%%2PEh5aArC$l9^5SZ~q?Li?L&le?P zcq3*V91`bEMP4t}gxeEB>uSNjG!++$s-P8{$NU<^|22k92CrRkjZnrg&Es@F;kwTC zPAIkDsfinoOZQo0s+>;2dxc$^ujRXR_cUJgV^}R2{FWx|ovlv`)fvC&y8((|pz*t; z`LwBA9E0Vm;0sy)AWrc?vabQ-NmNuiNm(@*PMYI0QM!;lW+ouxd`0xM5suyOd+zA1 zV4I|JZvUirq_1a|nDCI^$Ik7t-;6GStoDzay(IwJ?3byfG28MXdl%VJ2H#v?U%^Q> z;PYd=VfXzqjHx^*m~zL790F#;FSLHgsTu;8a*!y!$L=A+KiPE(uDHSgfP);%0ct!>@z(3i`k4RW`j8j6lquj z5Km$ge=e9H0+S&Amk{QcZ8%>%g|a!%i!V`b_yPEMMk-NH50I$+7{DfAGcq-nIJPP&-p3xqKo<<-*#exEs zw3YNOVJ1`;WekwI%$FKdgnfiO#(HIf^|$GCBHw*n&~zx1jwvXCw^4w?5C@B*W06M1 z%XQ~xP`z3Ey&}QkYZsz?fFQDr(|OVidSqz?@JP>hT1hRdM>Zlc(Ajb`@E*>uMfO0J z@G30o#_O{W2QNX!UWXqS zj|vCF=IS(JMFM#CrZxzfl0rB;0cStfLD@|X)0CV@EWwFCCpxH88B~`f*@FmTXoX~t zRJ@gaW;|MI&Ryr!bk2znv$yiy4BoNX+pM}`#WJoc77Y~PM|)yz)8^6AwiBBY7DJRU z(z5E%kKUK%(bd?7PoviNh*$Pz%trGDZ^$|Z|0ITsfHHzv==l%Q9mP4k`XlEFrnJu%tH z63A#H`s5iTr``9vd9bqaaqsr!%1SUE7UhOj^t2Qn=Cpwc+>kjz31HO*@vhj6?P`5*<+ac8L5bE|zQjUjEH*5K|U&{}n zZii4eXTyi9_~9zvR}NS4!&Tf;4p;I1uOF`BzwE2Hr-0yV0q=yL_jLFg^8ZIHtu&gV zndAYUqw+jiO~|Ey?;&>J^6E9dwNVU&)cAf0iItk<_u8oGoy|c5-7}DhrASVvAL*Qp2%F3&WMHKf9Zbk& z(vJyihrJ2hC-1i6q{ov@B0|li8vWM6SiQGCp0H$#eFDRHvcaU0rK7iP# zUZ_MfDyxhX1s7Z+hlzr@-m^5yT**UZd2Qx&8L3OBEEwGaMsZN2E7 zgJ0OmFtyEQXbX?SYg-Ls9pm$D$7p7c+QCeEp3mzOY4*c5k7mWY7-Dl4z0Hb^C($v! z=KgTxT2>u_w?(K&NsdQn0k1N`yvY(xxs*bltn1W@*_2g(0@-sx*>48x(D zcRLQNy4_|V=(^oHzY0 zvD)u>L%|v<0w0ks-+m2lpgF4+y{U84Ozoyd@>z7Xv|L9pTi7bQXT_?aPh1UM71^g1 z$qMpqMkDekn$UF03Q}ZsweAI;vy>H(0~oM-N>1IbJLp$l#90wn@sFq!Tlwg<@|YHJ z#fq4YU>U?|4GFconIEc{l@s!Y6?644FODI|ta`_)2gXvPo8YrmiSZl`+N*+1Sp+^X z=|V)bkBsp_%`1RF2`%P)M~QIFZ01_}C*;L~7IX>@!Z?)=;(P>YmX06dB%0D9B8#l7 zFkEMYnzs6}*hm}w78RQ7rvhUkmUhn`r~tZ9@gol6pxUl)q`xXhx&!&z%yrfuv5FN- z@a4xTW^h-DX8YD8K~#%tny(j(WJ$yq2EN{?RX;75aQMbcR#tSGy99QvSiWeUGYXW4 z2-M)BPx1x5V^ut*i5P;@GdlQR6;uDuQ~38koeVU#IWTx0v0vb7UCF)&=kgO z1)6#yJU2pjA}6mrNWI$8FwpJbo!*VbijQn>(9TDKb%sGYgW;TkFu|R|ID_zp{V+8w zir>-a93<@x3E(xY*M;tB_%^&|t$`HP{s*5a?1u+n8GDa#Oy041ozUXtr@UZg>Bn9h zG&|nlS`T1tOSAdOI}}(O4yp~@DFNd11=4!qMg0J@-r!kp;H)obc2mHt$KW>u%KF&W zVTbk`sL@a(t^0_uzE81bX(&#RY+RCAkzS&&22tw>>_5f33Uu&LeQ8{b+#AE++VQ)N zY+~ztZz=&HpSA)9K_zTf30~x^AQ_U3kNWPUY5>Y&E`#V#FDsHT3Rg<#rR1#Q;ufFnwG@BPk1KOG})eEXg=={euuq@^qERs7eUGe46j(BKK5Uk{t8 zG4(W!PP3xdeXC20P#DI6*1J)q)CNl9`Ed#N^9UQwwVQzCIBBN3vGcaq?6UrFUqAEE z*Ern7H1uA<-bTh|l!6AN;JXy4An&qj!MFI4n6M-M;StX2k#~9&Ka`mQnkbYBAMViP z3>3W>lAnIkA7XF%=h=s9(2#&!qA*Cfp$oqy!Tc~&^~%!Q^0D%%{Lk@M@$hEy)!*s( z#}7Zi{{^~NLGo{YG(7oT-<7X|2{q)m19*0h=qoW~t@}%FDvnK7Yi22_W;bJ{5 z27^J^fChuXuz#xsO_MbFdS^+`LT?A;Rs6#b@*gmOpL;&ULYLDaj)TT*baZ?da`(_Z z`fBs<9p7-@X`D?s?@e9xcGM`+@HD>KIL6;&HYM|kXj&IQCd_{eW{-MKYM#j5Mt@Fu z1r{CLZ$Vt)Pn)zkSfAzxCdYMI(BN=uklS)aNdT1Kbu#hilO6T&$4hIkWo<!UAd)Re7`K2XqA9ID^)^lSRzqQmn zr73FPJj?5Z%cPN&49UG!Qnd1PZRu8!1H`&c1yVe|OMoTZF11U^Da||j>|C{^5O|7p zL-OFOkzS_a2F3r=w(1y7&4sa`r4SrT<#LWBA*@XMwpLH)8;{TR0fdPzb+*vt6@!Y7NC zi7VKlkc_6RF@r+0YD{*}S-*I zNd&xh8>9kgCHFGWcwfH#8h@<^XlUXEWB{7Y;%Uq`ES*kS>4+t-P!o35hOkA3!XI2h zt_T(l))MEr2QcDO5~l*N@vvYbHIBJKadV0W2*eWd$wXc0YC-fH&%lSp$~9M)#EATE zKDQZzi)VzkJSN5rcUF#IytveAU3FeB^X|S~Ly|>WfDcAO-{6U@6p2PV=fKRuP9 z@O3Yt(~lyhlbq)JxQuZ#jYKxabehx=w(JBPn}8}f_k^7QUZhX3i{!cJhsuhDRs_>q z?R%rIQN~c6i_PO*ZQM-j(p4>l$KtjjRkjO^(?DrSjieD7QQ)BEYmA~+%v|9gR-;zg z2k&GWj+=Bm9^a&pX1J`1+Ua=!xft0KqqyMxs7qj~qA8l_L`(y^<#X!fGMWgTsa5Kv ziCel!;r~@I#jmmqPe@0NIEw$}zv2IRdP?4DN-o~7?2cb`wc$g_EXy2Ql{DozF>3xx znmwepF+gu=;dDpd3@-6tO4!X{L~aIGMK%YgQaa}!a20hk_?pcN8nNhRpxbp+`gzVT zjBi*mXMbU<=e!?AfAO#HtAbW+zIwjoU-PS$pK;f#oIPLC+^mp){)Xo5w)9c&sPykY zELlbG&n9}w-~PWcOD}E)T9l(~$+u5lt!@US(fx~?0S>^0ooa~V;${Gy9B`wj%I@mf z#m(SuRk3n(HY!*?;v4?CZu@3%E0>>Z9#IrX$%1q&{1^Z1?v~%nQ9{e=x}X4;$kOY$ z4=)qusa~&LJ}mRU06bP|Jux?x`nCk2b6q4%A}~TTgx0$oMpdIyy{bE$k)T$$IbG0n z&Z3F1oOJ5nk9_Bi&?3=v6wqr`qoT)=)qwE_Mh zE3w{(Yj5n+8b0ucV+|DiFuM5R#Q4wNbb+3#)8-#id@H(=J3CN)FhkNF))Up`lY_$-_wjA(!I1G?`}0 zQ}y@0y)Yj4LbGVPBKj!7drf;g^A2QPTu`|8MD%y;@f87e&)5>H!OCHF3OUHhJDn zL&f~?_p#P5lOIloUm1TJ?m*l4uvV>KMI2uiHm&0uc!oN@P`X_R+tXz7N0i!m&&EVcT&1tm|%S`$k(K);p;L%xo>+z916!=g8 zPA||NXcuT2&QiUadQ=KsMw=o_rTg|pLQCgcz)Muw7i1uncgm_$@sc>!wL61EuOVWV z8_vqVC*iQ<>+jxNzJ5yvrvq|zdHu~uc!tHt+(_deI|Hi_W?>}P1(#^&*N-K&x?W0? zI6IB9X?Z%$QhxI;PqTYg+{f(U^dT!g#_4>_B|XLsRh~ivr@w{&aWb##6;p~(clkJJ zNCA8S4@C?Hww!A7m%@}}X;~M{ogZ7q$yAv%h-8cUi9IgbD;YU=8BO8#r<@b;97@t| zzR4s@=d2(pn{tI$bQ-5#`Qkn7QO|tU{U^-LsXjt(PH)DO5C8XXpZ)I1(ed!)^U;4i zzvzy2={-<#`CPWGw$blyYdfAAe-x3{{PrZT_70T!`ZF%NqPreDyJpnKI|yleU52JY zxe9&4b&J?9q45Ra?yINR&jRjXl?$5&!~I}Ut5*#3DGaC)k6j~lvY$0D2)Mf zlZ!{jKI-%n^{#&`|6wvX=S4P)lb%dQCkmH;{DzeaTLmNXBB{%Y6|b-4mrH>0^r5lE zTEyqZW|Dd?%@#WQz3?r$_M@?CzjQ5HPrpg?thyZkO)T8Y@!!M^?t3hHu9Iv^ll2w^2Gl(* z4cw7X8_MU3P!GPDlx0zphebSH5OkTSHl1zUWpx_S0(h5R@ZXJfUkwl;ZyKzJl) zktmK5Dc>O%>=C}67i^j>mk8vk&{DqTQ*=w}GyyDA52=GT%~gg2GeHEPr*Kvg!ky>I z3b9^FE%Jf6^-xK&JkJDU6IH@JE{Eh{k(CUp;QuAwq!m~IrVoOfu6i3uBk~?|y{YSZ zi|$Y5V?Z2zQ#Bf4nJgjqBWxzF0^Ao%j zmPaLDC=$7=Ae0u+te%NJ14N+iCxVL8qsOvWQrWqM-nsr1vR-LRo<||56yc5N~B9slu4KxL}59?P_KFLmc8Q+=r}+#gLjMwj1;MQ2*CG%Hb62Jq&-* zM|rR2-{VpK$ZocsJ;H5y`R_w*ILW1Y01~dc$E`sQn(pyjWgG3FMVs|#;o@2>1c zQ~g?7U;7Y&xX4$5A5>WZYzO+2`c54nvSESRBmeu)-|+S$mKSVFt42-o!#GR-ixw%j zY7jPg24vOeGBZLWz+Few={kvaFX#~4Wp*#`_Lw%46pSldsMx29T)(&?$BXl+X+lcy)x*QXq?k>| zEQ+hFm}JHLw3to#|Np}mzkm8$VHJ;`P0ogv#bGXK$1;JzKz0#`#Y$Mz0A(HrcjouQ zj&)|#8nEK})>%Vs`L4K*b>>(K{R_^z%#0dQ?uOL)bhQMpdte6-(LDZM5b-w*7Pk+F zAH~96FsX8c4Z#lyIHncwP(?_gddOycRA~6LZ-wu<4W!|Bm~9*1CFW`TqpG`9ue1EL zsPIC|&quh$kI4Ef$daxE8vvvM_b8S|c^0PvV3h!SL|NZ0(O7wtZc z*9}25viRSv&^5~IQ66oYMtW982xqZWs~BKS>Jw1TaG)D$urxcAIoH-OACqm#>{JU? zVjJcOxzu9-x!>~h!VHVLl`=Et3nO}Za;b?FOZSYh7<{`8B5A;ss9k}sI{sbb3wC#9 zgEGd_+pHkBCykG6E6_6VlSd!5b>{MedYL}G#ZiH^{N{!rmT{+b2$n2aNA1Nx>b_*`6&$erW+4KK~LAS zS^P;3?;3w*~IcU{R}f#*;zJ^{lE!cd{j9MZW0luJQAZb-lLuY}>-JL}6HO zzjLLJ*~jegU6Ie49c|Q(>7Py#!;NrE&eia%7iUkO zeSzTjS1OF+XLeCb(1j>boLI75|XMT-jl zlckYzN}4~n)~~9Zkhc>2lGo|9sujzSV*&R*p!YnS8^j1VCpVMfS9^FjcfOZz#9MAe zviACCKDYG9h$CsxM>8L`aB%`W(Dv)K=yQhmdSzKm+N`>=#b^yslQI^ScGhqzUe97p z7i~a3u+eG8cS|Mid$QkxWE3tj9af%vnUw8|*4mg78$YfcMz2m*?23$@GrIx}zc;f; zhQox?Ym!|Yy3zp(olNSQj}LYmZpuK?LOgd4MB z3ByN5Pl10lTq#|sG)NFT&iP^bkx6znxN_V=0Q&8S+;Z9S|5dA3`ce1?w;(QS-FJ-C zY5b3xNwy`LBzk~qFlL7M&O69Txc?WhS8ttw6F-72d z4~<`STxqf;lb)dtEB~aUpSK41{uVo6Iqb#Do^?!X(#1eBRyFIkFN=;&an;bL)>#T>EjAlA~HgLQdM;j?wP77MGWMu%QRn};!W8@~2?r+;2 zA55Yop?TSn1f=DIEcv>NTL1)m)f&nU6v|+F(F%qjPpxkiL|0~1pS0lWwtA)BRcUO5 z@zH$S;ce@)Re%6s2CObu=woj}l~#l`W>aYfSQ|mqBTJ~Z?To9FJq29vD$LrZg!d9$ zZ4ar|;nby1Jhf#GxAO6*2^SkpQL6$UJ-2|YnjF^%jLB5Ho8;Va(mQQT?c^J=w+*G!9_XC*NaeIs8YiEi5wC!e$DnTN z4FYjdHhI!D`L4H3X`1##(X=f+)4r&gc1z3TLrM}%8@M4AQ}1GQQ84+gvTdlBcDA)W zBytjebXOpNqw|e+M_*F9_^PSVZT&I z`=vSBE5*_7>5Y7;jeKa0yeN%&>5TfRj67(Je2?XQ(--ZNx@h0DMSG?138X99CsonU zG0ts|!ma3u_DD_SdGzg{l4##_MEj>A`V}0pZVIAb^bzaS+Iu=;AHl`6cbcJ|%d(pS zsDoN)_tZY5o%IO(J5+$P*E=S&x0Y;%;(quDMS)KEZwaki!!%4W!0He^2 zzN!;;L5@n6%qBERj`On-(f@HiBKg?_pGlrSC;7Sf_me05bH3}X-NCQIbsE13XB>VC z|9tX<93LNlwxH#4em42=L1~B&AM76SpME0kFY@}1j*gCoP#e~D-l_|J*ZQ!l$50pi z;@H|R-i*DGCr|9I97~7WKPJN=`HE;!7;C~M2y^KuF+6{+#bDMWgi!XFCt3tZ1vMNV zg|1$KD(hOhuuQFOZ?SaOS1$V$msR;8OWChs0q<`4{w#~PDTqy%Z&L`HF5ad98nx)* zw?A%v)3F-N9}b7@;lVpX4+{SsyfyGE09C-IKLhC(ga;Mnh|C1F7a*{a*=61C+zRTV zLjQPg8gvmQThg?Or}!MAc))0b`%HO#t(6;TIFCil({N<6ki``_7GoUZYr-rm9%vEi z)Wz7072QqRXq-D_GviujxCuhS`2DuG`#oqnnM(Xh#eK7WH!s9~X!e$Hj6+PH2*xm{{U=%c2?;%Pd~z zz%8F)!H2KT8b3RDS@M*jgZoF9=W1!BUwAM2VmdrS#jgX!82 zOFa*^QA+nTAeXATNHNUYAvDR_0|_!=T|-DWI1C=*k|9SVatXo{L@IkAw+g>%Ih_9j z0(&Qk3|lT0zM25S+E`<7TP`wi$+ubG`bVHU4`b;aL1*O{FuVD}YLf+24_SvG5U#@h zQPYGxuz0?xLre3S1yTub^gVJ~2$U6^oEdCt%Hig4V5Uxp+B+lHj zb+)_tj5Unn0ab~9r`Pcl)q{g3A2Jmp=%n{n zzc?yM_K+fi<9I&(&kP zG5x@;hLMbx4KZ2+`M>|>yT5+>wWE8Xzr4H}Kl{V^mpvVx8Bv91 z7vnNLs+tGW8WY9ke=Ax%7eBbr@caP7x~oNz)$;|3D_Fi5Pd2f-^L^@9^(s%}J560{ zB8g0cRz-dGi$^hyKA@n&O$TMUs^O!u8ZIuZ3|*?if&=;1Q;2-sGIi9`FlAA3?vz(SOWMuDc=w(m@3d znMoOrNL@0I{!94?U70qo;S+b3)*kZ!OW1rFegN#6vK88t;Uct5c=%*+eMF+Va0L*W zMNVD@wo{&^B_l~ZW7E|%VUu=G(2(US4Y(|5iV+~CokFQu1e<6^*r&W;Wn(llM2-(5 zLZU(Sn$tQ7ClGwu+nNl{lnzeoK$lr$P?)QRTqzS}p*7cNl{}@&s-P8{L)01n*Eorn zkdj_pp@l9j7c`I4`Gj0vz3y#dUQ=$)Fm`I<%VWKftsp;SYvGgS&eP(nkfb=pG&@qW znww zW(l6RzWnTFY0O)HM37&l8*PaV#2qM^z9dd&8G9dGW77Hd+Ww*=N0eE5@Dp|N6LHpe?#VD-f}OqS4dl17_p!+=xr zGKzRJ;*^Zgs2kf|2O2X9Zqf z1zj4ullK+%nUVd2U#9pU0tWDnUgvO!#oQybH2JRHy|U$k=qi6WfA-Yh)D6{USVBw% zESst}EL|1`7q%23QbphscQnDDD5OC*4Y{jKX~{^Omi!V~#rJGNj^8t;vZhp7mXwp2 zRWnG(w5XN|Om4@mk$ai|R9r6}|9&KGJ9wQ9)%nwKYZ!}h1-Tsm4X=rx{q}eN_T=c~^PBPH ze?HuN`ts>d|M$b^zSj>d!Iuy$c>ZjzV7><}Dij8))NB^2nu%7=P2IBTWd8o?A0KHp zHxhfuJqL^T)kJ}yNnBRrCC$el*~dJ7!r6V_LEb?t)*Fa=RE6VO!6?_S6xRVdUF~YoFoeuYOer*EYW6nyGXBlGF-*Mx zhe7iYVdS`E{+*VVLqscD6?FQM721A?vZ=Bm&c8hSQrQr{540hEo=eaf-hwvx<@p7< zqyCd&{PG$9<&S&4d5PUa{;uy*XM>S(vwAl8;g^3s3KDVPy=a5O=4VpVqNmL7G%1<) zJZ-8p-?Iu5(moV%#Tps=v?s*WrcGzg7T%j*yf)dtOC?}>$!=XLzY2HC-qgjxjiSoI zjdF0K9NZ{<<={p+xKR#n6!Yr`Hwuez_aV>*0O=au){fbV29 z7z9^|BvVaB!HAWWNaTUJP9*fRbW@g?1@p=3iZFOh99EA2kkkGluckyk!LO()shTu3x+fFP>h)+)OyuH!~4D<8?ihlk*tP}iilzmFN<{SqFk*Z zM&p~cS`;Y>1OcXsXcE&En#+}?5kRklkPb3#SC4W;V#xi;&E9)BZB^j0Y@w97u1go~ zo?ml8et;&Zi|;VL3+@=1WpyfvjIEKiIyqv%-61NnJhzemKz4#@mR3cUB$5}5rDZK# z9L*>d@Ah;wOJ<~fl6hN2SXY&iTm0mLh)l(pl^Ie=&fW`JX06X+yDZ;-P_-uG`!Io>)G zblZ#KYrq4x$|MIi^4MUwrwHm7f#-J#TZRl~?Hmh_YVNEuFv{7l_Dx(sK^S^sW{enw zcpta%8vQ&7eDX*re6lI*nEXs=e6s1aGz67T%#|khS;$W}Uv4r6pc&4r?Y+*}0J#8z zS~CIy!hDNgqjUiJs?+5FEdZo~lxsG$UastllqPR6g`>!5f|Qgq^q{)i`TFg9 z2>vc2o%)U>@qO6%v$`s|))oSliI{+UsU(;cs6cjucv>fLrpogVlzZ%dX7Hktff})P z6HKBBtT%iR!l*3i3=9+z=F0yW^wiGFi|=2K&!3*3jnBXM!|$IWsZ$1|C`hmzXX$V~ z7+QqZzx}S88OK)SRj)CHGAT{yI%x8F9IMKkWModLkj)}ifY zgZ_P`ncj4_Nu!d}^f+k<00t(SMW)asI%sVe)p(K{P7_sN4KZc#f0TsQ02U6BL9!Cz)8 z+7n=oC6=t0$lYW7X#`f7!C#aEZ&65-uhz5cjn<{QjOPn5_aaur_olZ`3L>acbxn}d z18k(-b95$M*C70$V_V%ZI!4E~Z6_Vu&K28s$F^8FPBYa!yT|sip z`lN2B`H;;bsp?p6ZM3j)0uC<;aML2;87W zf3e-R(O6rzbnBIw&MX^)cg5OQ5oy4ldl{mhhPe-YpK5@Ldm1>><@NkIq9_3JOYI8a zSF6GM^g(>HkYU5uMSxra1z9*Og!py_4D8O^g^O4v%=Qf#4+4C6uZyoY znMW)8^6emrwP}NR^_1YP;{9;GCZFoBQ~zJ{kNMX$r1|y3^M0$GuRo*?yr(3GV}i@OvxLaekN_|9VJTNnvX zMk{D@GBi}PKOdX2UHpc5$kv(BCOsNDZ8Ddhj1`L&#%THh4QGb*m(?B6pbOj*A4|!s zQdOsY*Y$8>{c|WoeW)-*D@X1A-m?a`(GZiAa%TQLDtjh_7Hr8NEk_xyu4D+uc)TkI zlWb;bP(2tYNKIFVheP>D(VR928vK+%Q=8je`YUl>i=7?&!ADy_=rE36 z3B4lgeEF;G*Gt%W?T^v(=ZbwJu;~k{am&1Ti?9jh>4MS;QqWy3PoQMVg4e>mzxS3*ZKmNyRtVYu`Fou%!rdTRDtcJVX=oz`io1vwtCi|I72 zq5d()mfCwn1M4zch+3J3d0pksR=%K$fQ59!()=yV>)S0PcaB$p79b5vBXCJe#C>-l z=2z4aNIae>WGQP#L@)vMD<9V%UShdVqE|2O%j++rd%()^K+kZ>S5=zrI<@tLyy@R= z&Q01p{&8dh(({ZLRWoo)vnV5hA}EN${QgRs29=ex{3Cm8gWTXj2D{cdHJJ;g*Fp@e zR^=v%YqtHV7R`mH;3B%OUxEC-*VIXL9677KT?m~{8X+`+F8}2xBLxm}At$cV$ZkyT zSsJ_{3<#>%NL+hq1YC$DCyP9fn%EMq+c*B$cZDyQbv#5g9d5x-wIf4<%!|7thOr}o zc+=HnzzJvL9QT{@tut$T0ednG)*D`JBntXom&}3#@N7|3*Wq5yZt9KAO*71>ap2hB zCEs72iJNpE%OVmd2v8K)5J#F##&L-G^o1yygITR{cg%SP@;}?s1b9X8=)^ArV zGR?Gy+1=ag8W{)ml$n?(kRnz+HUa-YUA~F0Ncr~fj0d%q@+AG=O^GOMJh5vjdu7Qt zmE$RWL5T4hGNAG~asyQ*@!Om=UUQ5DU%~JPJfceDq4tb?$y>^_%jY%`TOss#N-B$( zF&JS=Q$n5}*NGqHmwJ8&VoI`}_S;f*%DClsp>ALQ1Ewv3&MBVBj{JERh zuy5$&x5NWloBk0%drj`t-oVOa(oKU*Do3?gY06tWL(o=nHv5)+n4;kkKvD}}EON04 z#c(Z+xPKfKQe%&O3+zcNv4Vfha<~ns_SIvBobdN#o5a%oByUc2hT9Hs8VyIP7y7cf zG)R5(U0qCyqA0p2{H~G1`;D7l>uu~9L&6gaHC5e`zQ*risy^gj82SQK&oLL8tHi=p zJ5`i^?Zz|^cRTf_6k9*P>y9mOJ~q&ta8n;P?2o5t5YYyrx|qE`L6(qCArz%V5BI(p zXGCeL1t?rQ0vQ`D((9J_D1MPXA~PYR7PWjT?sZ+m|k z@_5@RTNFWMGZu>`?fvp}LqnM;@q=bVt636xU@?EeyTV?vZx*|VJGSo^vz8PJv*{!7 zp~tX^`gJQf8szd!x*;g?o44Z|IqlN}gK(DS-5d6()HZ7Zx$Qy&r)wr#FIL~JPzdHm zuo^^ApQ}R5q6E|Sga1^E`W3BIe?Sg}N&f+TC-}8j#P7In^Dj{qPcM1Pnl95+Vc(7- zPVHj06SzC$v5-trsBoqIJL$munP#0U0^=Q1SpvK>U(DV3be7+7fcC}8n-J6FjmDJQ zk^*B;x0&LJKanR`0T6v=-sOUfmLM&!3>O%8@FW>eV-S@BHN>ie#AWHP|M;50;YPVc zTKs2~=lI9*X$lD`XWnDAed`%Zt^|JR`>v5SlsEIMp_%De17K)F$SJ;?WpPo(CKm4L z4bytbqZ3x20s*>U&6Y68d-)2ceABihuq*#NvG`^6E8p25ZcuOX-3*DlpsriaUHQp#ptQsatHG*jc3t08%ue8sU-F_4t&z-Y4U6;?fp0qe<2%Aj{;no`9O)1FP2o}q$ zgEM9vIk2Frl{5aTjlQl8P38|OX5Y82(nXIqrj0VjYycyHBx9Q06es)Z*kl*S?Nj)# zs8Oa{NUC2^L$oLpRJBNjW8hzlp2HZZ0tTp^$ZLZLD7k>CW2q-SX8q7*-AE82>_nix zxTU^K7}DS_;^0pb|7Sy-2@IKRi;3GEiFh1OAZ}c?3!>>AE1BR{Yl^kOU+bX3)-2ol z>;7lVdy!SYd{;#nPq_LIEyp2>Z$uO$JN)alH4C=Q%rEciaFAy|Rx0;5=4v^b6F)&J z_c+$u{+7=Mi9=|hWeS)yjq^>ybQspiRD+pRxiDOxXh zR*Kp@tpxnU!w;s~b;w}!!&Sou=A5}rSC$_=iHQ(}b!b?FZ40_JkKu|YX@d@HvE}Sp z*=!=1Y&Awf)r)Qzt6>jNJrXX54D{VXs*3gB16(i(B_0}0<$6c>QX=NKg;I$T$6-l~ zs%z#$Tz*44XwMEUfdq+&+X~1YG#j6 zjRDGNFNWhU$U~fv?pls=ly!>hWh5a(may5G41qsU1fM4nd%*X_R3}&_LbEo^#EMEx zwO?doO1IzXJu3&W_&HlVFqc-SR)?2{3V{keO=qaC*16Wzo%a>^_al;o*Ojp|KEnyC z4ZEL~lhnU{iO^kOLAV3}h$p6Zn>?Mv0>eW}_MfOsOcSdqapCDyz;(JMiIED3Cu zG_x(iIcAY`PeN|zs@GtaW6iQD3e^tW-Zq~d$*9rDr<`czf-tJEXa38J39)JoCoa}P zYVd<#D9I@Lo@&ig?xUfr15*QmYa*2oPD7@oMB@0v2~o5;Q|b!k@Ry_IZy*^Zim@85 zfqG8-3Q{xHe2ca%&U}io8{Uza2a4ZFT5*>IxPU}e=}MqNJkF;miO5BU4prBbbHghw!pW=OlHP9oEojn#|Hzw*Ky@kS3B^QD~u}itr?^*e64e~hLTF!cWZ4ehM z`>R;E(~(a3vOJ26YFRI{i!Q^0&eY)e$dZgWOr+C+9lsQVVmf?;f=H+vY;ov!j&8*x zRRn{|4WgQM8k?3d#iC&I5N;ppTCE;@x43P|&rP8V#LcY1`+5=q3XK9R10*1d7uIl1MeICKZk3AUg?Qwxzj}nMaRIt)j;+RgQ^rLrcXZ!pW2TY8P%%D z!!EJ1O~CXZQv@6DLIU&eYY@I0K&;+<4A~hyy@SsiO*)UGo&R>d!;Iy2U2qXf_uBBv zV2UB?8~M`F@w2Q1*JY2wKTmv_XnVK>4kfbIxjB@J7|kaGp`XAbJRa7TD|3m=S-y7f z*6A8$k;tV^6J?bh=!$V_ZjmO9`EFc4SZ}I*51pz5LC^v$k(Ns!b%Yw!ohS>U9SzD& z!UE=KiHr+@JX?scQeX*BDTnN%^YR1SWW1%%{W>)@Xx$FCFq{}9Eo-q>dUmf?l>Jl( zp8%`$smr-eba5Gnw=aUJ?^WZuYS%P@OMir{YxQ=;9KtVMyPlk)s~Oku=><>NzvDPL zO#DgKjz=5<@&a(;APL|;fLgNx$G4yI-SA{OzhL9^+8iCMNA{LjHDW=wST#|dQjF-&u5saWC1l#TS$kfEaal}VRUhEvkg!vU%_KA&|p&tme_5vEEyT5`DKiT z>|CtJvH~=yM=t91N@FBOVpbIe!z&=XD1s<0Tx0Wj>GKuJ9^5x%s{%v2MDj)(b^LHl zCQ5{?Pu3U}T8m=<=vvg&i%4VW4I>w7)n-R1Dgr7(52ivjzJRpp;I|M`#`GFrRJE_l zdOn9#hG2U@;Aa`J3XP}mF9{g7%6&?2L=^qX+-~KZ1wxwDgat&Z;I`@l{O48&K@>*& z{%ybeHMz#Z^dT8aH>yv3s^^YKpDdL0ID`BiN^}*_eGnvD5RuM_^Z~NB(D<_aVQian zgqpw7niD^uT&uId(tZ8tr1$+;@%U2ncY|0%3hIJ~2q`IH7nidN$~~!=XM{V20uEk^ zyHtbo*J~jtylE8Qg8f*F8cuPJD@S53csrQw)9*#f^!kwj&$gjhYf3rG9ZX_~^E;^r zr(i^C$kzcrl`LlSGBBjyJFa6B(6kO{e6%PNX;TlwLG}qin3|5_0DPCKXfmdRfm?Us z@Eyy5bVnp_$NZ*IyfHGk^w@t7reztFqKU<&*`5iEPt=Z6~ukpSS>hg63+7dyA~|+oN-t z;se8joRuXfn2LHtn!?m-YABtv7xg!X6ByR@Zx$A#~VbXkq@C2b1nCh*&S^GL#l?Kt1DL5R5vfVfDVI%d0L zcfeJund1x9e|8%~zitDo4r~y8k8`%rCaZIKCZ|7WaMv_|$2;$ngM`v$!nau%5!CuA|bO(m#!R*KjvDE@i)in=#Ibo^lhGT`E|p zVTYm+<0Kg<=OrDL^3Ab>yvkfxfc)T8)WOCedK|cFbb6~GO8de`Y2v&?h2`FSvQTMC zz8GwjqJhM_xg8wE*xohCqxdhgqoKs%JqgHewRWiJT-gXIeUcd&q?vwq*IHn&f3nITFZFW7AHCHnBZCH;o4QI8e^)l^0R=+ zpJ>1+hFZ(iuc$qVNza14T>NX@_R?|t5ey5wNudpUf;br2K!s=n_X;!bf|k-gTpzNr z8Hw?ee!?PK9raj?(eaEaw%6P>0LlOqpZ0G`oNXz9`>&dd*S!c=UOpE}(Qj#Za5A2Y zETm!!Pihi+JnwapgW0nuM<${foX5`lWn!3vHXPahxv&2#z z8)`GPQ>(zPXrEVpZxFCshZzXfQ~M6VyIEfinSX2stZ_L+b*#L(53;N|V;iGPxGSi% z|6mGb4;`v^fiY9OjS&5~NeFBCre z4BKigFp4QNJS(y(`p6}+GpXczQbEvOi3X+*=gG$w;A-}LC0Xu{;==bHIS{au6)hpP z`A+632>~+$)0#b%*DFf?pxTp2ooNPC_jdPo6v}Nl0}lumU-kmDpRjljD0!+O?b0(g@t-n{)5|a9FTXQLK5Z| zwYck!->$U6pRQUm(dUS%9~&zO!eD|rJg7;~bial=V;Z``GI_(k&0uOkB4B5o zfLhL}rO|@62UK05;DZ`~l61Go8Eop(CDGElExu;Vzy7p(~#NH`C&OzlCAb<>9xei_oq(0mZ%eawb z-8rCh3XGlV0*vKtRO^C$3nx*ipv4nn}X#L-=@=rM8OGdGR? znj}$71bsTGqdzqV@E~ax^aR&$GH;AylrutCnwRVvy==7ZJLT7nBlCEA#Y4SY7Zn_q z*%k*SnC0K5+ULc$l6~W~dkW*pBt{m>z0A&R*H&teISz{VR|E;=>DSs2?VHBW%CVWS zG#~W+pBgvkaVn*0z@`qLJ4W81Hopt8cbb~8c*!8vj*4qq-JEQHHEAf7eNT^oPKs9gE76YRiqz8I0{ za>YmB0%}q$r?>;U7FW6UufcH$&tl1t&(^5xgWIz=1Rba5s4ACGT#TjVCMpM=gt1R^dtA^WbWJ^+wtUR(+uGO^>_QoQ1#I@k+ z^`d8bEZ)qQ4w9ETnCZY+&EXDUYRyT!}`l3_LCNbxme!AOh)u^QdZSth# zsr4;Pwr-2|;bjjZ6m=G;u}kQUC1caxmKB-s@IPTQ-u&?(v^5Mg#}hGib#nSR^YFkh zl)x^mOq@TyD&75xlml;mYP1+sCMLWJP1l9Gb@{4GeYZ}L%5a{QrRRC`D7zos3;Ig_ z9@q@zm}2HGQ#w^a8cYh1I(-7q$d06qx5DUoU{rsn%^zh=m`ulM&yS6W&Yp+~$l?DuT2A)zm0$uTI^^5ceVM0AC5_;;^vc1|UWN<3{zKg{gyB0ZR?6Rje$) zP2f+OE*O$O?(m42nt4XQLRNYJ!xG(3uQ^d{BaU=DpTM6s4^G|>ti8DuW2Jh2X=O>O z+>Gr$_SV$W_WFgK@%x&dW#(ycqKm>`4RhGBn`GtrUSF)dB58(rLORz%Jwv)SezR?K z_KW;H(z~;I424G7vg6r{McE1@6i#&=TW@>)89R0Bk0+ed;+Dpi2h!;hK=SjUE?jxb zrz25QUjVZ|989!jP$GpRT+Z>-iwb)X7oN}(R%m)BKm5iS6kC^O%`iOkwUQbs(A-8# zA1GGoa6xdN`=#Uf31x3z5*3{``<1BD`}w|V-05!Tz{&XxxWk*IZPC|qLx|VpPO>bu zylY)ui7Xtz6Ut-iY2oI|`su-N8z`DPN=U>rI$}X0z;Lo&KCwy4l+wHv7 zI)1C}jCe8LKsjdjw<>nljLBWGG%P2(#dC0SoswL=t+%U|0(73KC&*Shlxcs`gL=4N?wLUZNP*l zEkL5;-K1=VRx4~_)_R7slxENi1?JK2jiuhHzjK`irLun&qxgFbVJl&rhsyrMynkU| zI~dsHerr5>M<)(pFT#pl?H?jYiEqh1uef0ur^IP92JK)zz>YE!pw7f|fj7;BbAHyO zhHCM9zma4xzG;z`NEzcetECIq0d3@CygBQytAGj)rGb~>rd|w%hb$Cu7yN;nCLYH9 zR_@tgfX2HTKt9JSs9Qe8tUXZ^^6YT=;3qcTn8jM3wDi>~COZx5;^*bw(ud|$-Ok84 zcjOaq`h2g17$=E$#t5XuHeYxFW%l%54BdGwapujs^}xD$=Y+nyd3%tEnllLj$8%^V znH@^58pQoBDVm~iU2<)Szu?;uw0~n7A+4&;!28dPY+O-gDc@hmJeEIJJzk$X_fYIk zosW`a@fnWVj+g~S#EG*swznFIQS z55dxmMoBG16@Fw3v2-S6W$g?1+ICo!e7$a2hf&wxh zjIq=>XA%gh=rts3=kBQbEJ4x9ih!*Zi{9s11@yja7kT!3baT@8P39{2$rf_M5Lovn zd>zm0{#x3#22juH&Cp9w!Fcr_7bj0FOctjP0*3CSjRYCRFHPvnscWb5*TNLfFg~ls-SY#Pigo zSsF*#XlQ@D%Hl}d72|sQmtNSO%B{bk-9wu^ml}sR_aB_}Xe_l-x=$;1E-Wl^3*ujZ zrA+7bAtfp)>mp-5iSFJS1mm#sS3_LI^MePQj>ffQg*?d+$;Ra|$$q;IRlDPo9~+4p z+`YE;d`;Vg_I#c-MfwUlN)f3G7N*NsRE{1%jqggno3@q(0%` zZO1xFV8}><7UjErVyukYyL*fBdIMElV;h=nWsg8+W)=-2Gmb0d;z^}3Nv-*&8;dW* zjp1wbrd|_XO3t^UBapg|Q1?c4kkd7&eJEj7f-w}YY>|O>^6VlBD~2f{YJ1<V!^h z|NPv@psQZNux_eZZwsx+I)L{Sn`Q)Pr(EPp8fe$_?%ZC_Mxs$j)kM?HY8#4mODVbd ztGG+$Pn84|8lMo(=RIu!D9_m!2dPpf3VFzv`Vdn^w_-@zk(Q)iwLRs|~3s z;xVP-3|MiVt;Qe*ZkU?rJO;$eAbpf{zY-*pHk#_bpoWSExa(GZ>ntwd4{Mat^yFcv z5=>^tOfS1-{E(a1Dk&sYrynBdLU2#rO8BPDq0U5mEbh-7$If(8ySchy07hiXZhj(? zUr@7OBfV?p2yJWuP*G8n%Md=xASpED#GBP?38rK&Kk-es+lK)aqtCL%dRNvmr83?~ zWvc$zxy-(VKMOA?Ks<%iWuZ<&nE|NiMvm6Orzx7MwfNkyLhP^$KHIcpG z!DFHzf*QS=AyC2(7E1nPGD%$|9VjjOw8)R&F|@}|gn9NJ+81oC^HkC!E5em4@dP7O zT9dxQ{GLXsa4K%6A|S+Pg$7(=-6o%}!_wue>9-%G5B;V(wnsddn`++zl^7ePky`a0 zPAEm>Q1JIzjt*DZ>GG|9(u|(m;=Mx%?KD%2S4kp`X~b6U(NG9=!KQUVCPxY=yFBK$ zUZP%4vR7Q~YN5VvD$4NVKL0CsSW|^@QF<@sa&LH%g|Jo zsUl9pgi<>ig>HUJjrmQ+Nt%l2ws;u8Y(#06jo`w+AT24stl{-R-!Q#~P6%tBbSGy~ zLKPM!l=gB7`HXb_LT>ZQ==4$+V}0|l2p#4CTtm0Sv(ecYNU8m4lco&)iZ~^vmN@e; z)#xX-R`a*Doa-`}nT7zWQFMp4Do>7?=resM!dRo?`!OV}2EloTW6T459I+jW+bkqb zs6F!5`NswNi1DB6utZ1E#2<;a zr8-AqDJjC{){ZcZxSb?yMkwZ84o;Jy{s(NI4KswH2Z@uQpy)^Sc|rR&21fC_J2l5Z zMESYAA|tKI8Cg@PQLUmEM+pnn`dR`N+|C7p3BKhCE;0myTCHjaycI_xo+TU3B=nA* zS{6czPZ7TrRFJBSInO1E@Gv$6Z-Tn$*w3IBOna>@sv)q>-5Xb(4O(#Q z39@2AJ2G}+;rdYWkod&nmrxI3G*eBCp$Gqxv556xdnODrvE9*WE}(2@-9tybBKs{0 zmd%N_>@rKKF4@})NK07qx!p^3dyQHhc@r7juOQQXmD*SHOoZ`&c=yRzQ3#{cqf%)j zK{9qY!aD$bvu;pVdVb#Qlta@`kTT>&HDxAp*)@_x30k9X&Gnv2Uz-F8CcbUbg-Ycn z8sA}>9))TSNoIl>JK363U^`cO1@dlz?T83Xh#0FDMedsOMZoDgy9Y-BM@jv!x1g3h z5TV@0E?CNsi(+X7iVc|M1gP=@IWy9|u;#q14E@wAE&_wXg;<-^2~EVqo-hl-RR@;u z^OJie9@FZtF&o0HW`iV@RG>~mfkY`ooK+Bo_Ol~^%;Ndz`;?d^zmT3`y}BCVTPw?_L1h_R zW_KcDX#J@SNtKucTbKUb#U8HwZx>4w`#)W5>hnJ?_B7{j7d!O*|D%hwn)weGi!U?3 zu6}~qJe)VVbT9-O_fyP7+sQ!5gl$*6<6;LLc}cr|034KzI$68UmtaWYR3pGOp1g#N z`mM5DyVzMt8}T=Q5l_%%^~C}WA%zZ9d6Vd_nngf}(g1B%fssf#qG&FLC>0;44eg5Heracw`81}WJEyfadaX{+fL?&>bY#)XqY8AA<)M&tSD~*l%6NSRA)82h0{pmY$`RtC5=xsGz1B@`)}`+ zL&XevKASb{l`ON!jOW_Son>YkMXfQu9^^xur%*Q=Jd6<48pEf&gQs66aTs;B(Yx=5 zFLUXH)2f6c$b@5vNYe61^00(M(1u@Dw^?&1d)RfKr9l`~0)G0u(Z23^KC=xppUX9& zZI0qLYjZ|*yxX^(rEMC1uF-V*5-p4$--L1NrK`Kkh@25MB|l88&e*Ft*_Sxj)SqQg z2Gq?Cd3yyp5l5*s185{?`MGdSsPCtEf0z<}D=nLN9#A(D>fI(@GxC-@64sfAYQ+~J zkuX9@B_4cU4nF#1#fy2f@SP-{%#3@}e0v>6`C!|;U%1#(*=CQ}^#29V6X3<|${!gO z#iKEG!^)Eec*5cxU;ir`M!t>?iy%{`Xp^^0IUZ7t3*tOquR z;>es-BJ+FC@#40l0YY^@!Op-}t6$fGggz(?_`RPrV` zQfsLeEHpH#wwzL8^vI1MsEv5S!MHe&J{qgFN%2{<0MhuE9Ilzcriz3RI^S(?(<0|} zKWtbn5D+$yEPet2yLIQp;ZQZ1+HB?MT8~nk!4)R;O}@Obk(EBrUVIBEe^@R`FSowv zlSC1S25>2eQ{_()15#EyAT(~FhKPFcMwsf@ZS6Le(CQomiB#ol)J)@W-ZpT#XgdK7 zb7o{}To@mLstmoW5K22LaMr#y)rSNeEE*l+L-o#Yq zbxD!FS_LiUk=I0{uzlaUD4h6*&Ehft&1R+K6MML<|6#MMwj#1%f3ev!bVRH{Dd&IK z?AF2GY}Sw}1A03he|(Sm2wg1h4>66<7Vsi0(X^Y=)G}2@Xjnqz^`XvzM5YcXJI>Fg z`2I&guIKe#F>HOhQOs@3K9@d4pCZCi_%B7^A4O33LNA~_VmyS_u>OT#^+HRQ^%=H= zr58O_Pq0kjsuUk{eU%(z^rq?sWMexZXK;Je1A)x1)H(Y|bdsph#x#=qbsEZpzk0KB z0RD*DcxDu}D>l5d1HgbI8>%a|MzjsS=z!{V7Sho~ud18Klp5QRU2gvz{7NNm4LlOQ zdf9SAIX6nLnQX6GV7nJW4H6 zEY-+H!+QzH5ccHUihty#)ivNgTzJcKr@`1ya@D8ipy}z4eS|0WIH+a)s~~pdUCHw% zrG0-(&IuQQ;G|Pco?wWO4CBfZZy{e43X5(C7QY)ces`3Bpi(mC@1wvb3MEq5R=cK%s5#YS~gOU63!E9 zOjuWCkiZVr-y7DqsbwfMNoddckt(Gp!z4t=SP*n%vek~SMv{cd2KBd{bx{2;cD6eD zUv`#Ejl=0~{0qnXK`C}e%1LU?ZN>{}oG_Fb^L zbL5>Uc0JaAy|ypQ#4vLS6}H@kG(6dW1PH)IJ+!K?8Ot${6vW!M5DcV*_tc&nRlL4? z#dFZGq7?)Do&{1rmWL{mN0TD*neXr4Aep9eAHtz!9OdIpVle=#1MDQF24ktLEry_| zOiIrCx1{C%ThcE4S4j(UAP&dMY9fxx=3*`38^T0%rl4I_LywKMG8lwJP@3fyV3r<$ z0*QTYDFvP&K3L|MMS7cWd(>igILvQeF-zepouI@=$sAB zX-KgjtC5$FzKU>-QK*&jhPF5@tl_EQ6Pt=VZe(51RE-lsGPw34x^rc$Kc`juFH1N| z+rQ!32HjL(63T#FAN=y%@i{dQRm7`|@uEkAH9m%3=1{r`iJht$E1*9g<+eoM=RtIM zT#wIwxM3eRH(oe*dcGYsw__h=X!1+XkODYD(vHq!wz~2esi9AeV(>oT&5U~s3C2$} zZ3WgJ?ci@Mp7eYDUo9=05FzyclC*cIb&Rep8|`jLvb%T_nOyfQjso>qiHHioqXi{! z5=j9*Y8;BtF&tvucv4qn(9u)lL>Cka>I}$*B%OlF*Ia4QyN}_;;lGp;N%o12<}G5; zZfAw+C8fib<7K+6!3K=qEbK0bO{+>!uiZKl*gljLu zum9DIuoGTk`~5u&1`eI?ZbwO%$eK z?1H6r8RGlgWfs~gTwY8%Z!Yy0r+xU2{E*{RZ-UAHj?<)|P}?Y$du_cDaU8BzF5n-t z8~g06t`3h>ZlW}GETU}kN-$C|63F^_b0%RZ@WwqA_~c5%XY2yAvXyj*u^0Iw6L>vp z{FcOXaeqMKgz((jA(0LzJTQK;ycMMLasN}a&*w1*4n8eYOe!pcp>sCRVB@x~cm^;@ zAu9A$0uRl6k7X_cQ6Y^volV2V+VgtF;FBi7`qF=uHS_s}Ie`~^KrvQoKYonUkjS6b5RC=Vu?f(&idL3L!|LW^upVu2Z@mt_hGQEv3E51Kq^GIog*07e_nwe{i&KK=eR)RsZg2@AHQGd=*pw z)6sr@Iog`2|8TTWdES{{j&{6=*Ym$Q+T_0-?FZBz>;K)+J}ZE8Qi#I-_{-6LSO2#7 zm!swVpN=*~`pePE`+YC{!$~;F@#ScV>;H1JBe?%Bj+XMvz=BIO^Bvt-l>D z!oM7?-oG5J?B9;|<}XK^{%?-fG~^#gtMiYe-Tv>6mYn&Ob^RYloAh?AqJ22ra7X*| zyBg2@*>TM6kFXtIsdk5Z^vORpSeZf60MGCdM1TaSQ*nq-^)wLASx0V&;Y64RPuu(F zS-ZRY>QD^J%jYY(Te1N$8!^dhoS1f}?STmw3r{r{dn_4S+I3qm=@e=;_%tkbJXK|F z<~yg>Jd1aegTlAL4X}r0GJWVH3CFKP%k#edLg7KNE43l^`^|b+Sx-uyo|y(b?G@XX?JybI11~a z)eD7ICD7d1iE#s@AxIc2}em?$lKxDboU%h(W zg@dUeVg3_kBr$i^+4)ig8WC_IN{czx+WJVBye=hY^IB7N2k+U5+|Y31pPFkhLEdK* zK#Pgue0)?-w+V^l7r05qe#Cpq08i03!7jrnU- z(nY$>ZNVjXWXz^bM3N;qhKvT?q5Qoc8GcN0{mhKLyyBE5JLOA>HomzIezjMiavDg7 z?|igDAJ3q!#rwTNM_8=3nFw(WUWuNNCxT%zPlFI+UNe&rg!?JC3?DYwiS{S6gQj>M ze{gki3q8hqEqnF3dJYj6KAfI&Cg8C#UMH=-kLc`eI;;B+Kv^_)ikw_#U!%_?>1C91nt&Nbu4RuRa9>M> z=AsqQx+-KEqZ-9&^(b5x`7J%pLB3TwS-fHi^f87)9{ z0M{;Nw|66q!EC*P)WLC()9+M5SxME^88zYif=Qru40jIS>h<)z&Z|tX+t8&Qap|ft zF24IR3+VSXwbfV*s%Oe8**ucITOWv}l1Il6Ex#bltUu=jT;Pe)8N&;#~ z_g(Y_UF`8&kOjGe?=jkgU3$LO*)XnJ&;2MMc!b@6){z5U68HnnoJT@hfHd9jTa5or z#qKm|pk9pO!*-ig0!q)Mk-t!?Q56iHoh2ELz@EduzsSpcdYeips0z7WBlsl=K#-UZ zl@$fnem2V5txQDx`U@9AlszHs`Dsk0?~>~K_*R|wH=%CwTP>u7R!y3~^*0_}76?I! z!1KL9;|}a0V%=VUGfJQ8*(Nb~CC}oD#;zBMC4UvKR&?DHq-v9&J&dToOE?9PNFT96 z>EMpKe@uGga%Mpw9CdSN!XI^mx?TN!&oL?MZ~C)m?gLgRIW;pIQep8I>Tm2&y5>nT zJ^8OUEqT5^aSLk{-yP17EN7O{9X@mOb+=+nms`i>hqb@UlKTy5ng!TCY4$rZO$E-~)*W*bB4+Y2sZT`G-JBurlU5bZX7@)Cdtl4E@>f z2o2k#OcVmd&6>m3&(!G^oC*JI$F}KXdPdde+8UwU5tUCxB=VBS^1s1J?B{%>G7(1P zODMkEug<_nl0eg(ti?&x5eWE0T-(Kj3VrOabh%uC=54CM0C9tZB=F|PeT0NOw$zuq%JXezga zQ<)}s5ZUTnxvKS}FIDm#ub$wx^6Ce;v52?HdM$4(&ofal8jo#_G|abv<%QIuIb)f; zibqTc|J@9&s0l#FIg40w!wAKTF;+AR4KD3Fu(aQx(!&Il_8m-mU*G`WV9*Jv)gC;* ztc#Eg=@bv)kS{c%t=Bg{UcR_Q^f|BBU9st{S9@NuHhHRs(wBB^CmR%_x`o)MO2;JG z^~V&7`fDNhqUpd1)~|pi%J;Pe3ExFBdUqI3ZgP)oj{#BF8R20Obt&QsDLBjlX14SU zFtY>9Z1*$3%nmTKozDO>JHX5iFteV|05f~PJ_eZCra6SQKfuiHukit9*6*VODar%P ztlu-h%nmTK{qFk#X4dN&U}guH+2&_}nH^weKMI)H0DS8r5ztV8tGv9XkwC)6R*h{_4pjpCNP9G<9@z(#08}qze&L zQgy2xmrGNBvVFE^x;@=D-D>fV_Q!KO1rO9QU0p-Fa$Q|peULAl?`oU7H{=aN!j!QyRyfWK->|pFZ^%%^vAu z%2{u-gwHl=JovnWiW-?hx3I+)Aq3Km?3F}29&o0e{jg61eZm;%Ui7g6SbGyF0pVra zjAO@BCrWJ7`t*` z@3q7&GkzL8WA6+u-@L8eu3-+@U(!39e4BtXdRY`}FyUgVKtN>%wd$+L}irq z7t52WNZzyKZVLSQX-Dj6X<{vRojzt(dvWP$YIWLGZ>wc^w3o>^5$Ao)!`T}9n!M6DB${pVh{51m8KR^8ks7i`Ti$xM`(gLH5!5dEJeB%-OSFn5~WcyAcDB$_s5t<4P164vz&;_{cRnCU| zPY(>eXMg)<^62c*!^xvR{PByk+EOtm)0XO39nI_1X6hctdt`wLj>s+(ldSjx74JT@-nzu#^*5&L{s+0_lA64di}`Kf6i8O;v?Ik8tQKx6GmvsucBmaaQF5tMo4?CxRw(bJY(u*~Z52z^vF)kg zgr+IKg|YgQ;z$sFn<>N&h;nk9mlE`fVV*~MXdUfu7r%;GL6bC8ko~%1qfw99i@@lv zt{S$7ppt4icPD0|NHSamwOU<0cI- zgVODEXsaXAy6&>(q1h4mu=Pu}5Re^p zf_H;sg$NUUv=riOD1m{QQ=ZY`|#V z>zqXiK(Np*O}iRYivn9r_4+95J0)wDNAk66rtyLZ(ygNdO;J;|H)FVt?4KK&l80w! z-N(rD1tvD}%;*kf-%_Kg)SZz$kf&Z%Ir z=BtQj1$zg&Q|?m{c?SXb@C+V55!n8kp9t)ZL+gNr^NKwScXzn<`HfJ;uFXQJlh_Kv z7D_1l`7xO4z^n)6r4#b>DLFG{a4>a%>07nkWkYv@F6FSg!Yn;JNL{`og_P7pGvD(^ zgLf&YBlPxJr)(=nLmL{*&t`z? z#=!Hoasvg}Npj|AG^!doUY`FuiI$uTxP{muz}%o?dD2LYI4aV+G0Bo_k&Y3#hET*BJ#~6tPI89N?XrA7g z`%VjeJXZdB!hk5MTsV6Xr8lzUvn~8E;p&M-Yh}saiP-GK!C7P=W)Ji z>;%%6@I?w{GH3#odzKYRuDdq*@eV4S+o3$in;C^T+Mhd>QlC}&z~aFH+!As$x}bTH z&@{b!j_r)(242Wf5J3P5Ej*g8D&1qIJxuyU@*mA^dO|F?{SLnUg+2D|R zu6DXX>@JcO6I!3Ol-y(~6N0dJ>okdyqJ=w?EKVX?Si4PkvG4OVHDmyqzgx4YK#Id2 zDJSYP8fkD<_73bfiZdHKaNK=T2d;Nzim^ibaLnc?g_L-0xg}KY2UF4mq{u2m=oC8$xP=8ZUMK_J7Riy?hIckA~WqAk$oT|w<{QBaSnKbt((Kc2-i_` z!T)M+03Q^>tWL63Fp8);u(j5vRGgHgNy_BLP}ni;(W4q@#=%h}X|iC^U6itEbqu)f zD@Ls(3*X9mVuHfJQ3m(nC7-=SZ4OKOoT-ij%$9Ek#P zQ)5;;Im}3oph<_p+HI0_Q!M36k-FL!IW5?A!o--!|C+!i104u1^yXSh*GYCgmEyY1 zW3L7Isf*Q`i1yRZm70x&_d>{Wqucgrcr8WXCBQ9wjVa*Ooox?1GZ?=T2qPrH$m)=! z9AsdOjic3FE*V*WkYpGd(A9wxoS+(=W~>;UOw03gaZv$CZ=qm%B}a7h5ss?-8jTA& zD8+PIIiclAm^ctJUDqjmy1bh0o&s-BHjh9RvJ*DJAp=oJufZrJ9MbS`K`A6GOT9Zd zg;ZBthm_nmbVNQQbCQkZ`Z&=fU0?dU(?}?o|Pz-{%4L?vHtKA=RA&O)1tP< zYN;@w^}6{&HP#ekeO?f{Ub8F)zXZ+h2n1eBbz0%RP$77fcm${tU7yO9UImu*!<`8z zK)74&yB&%ShLjuhVh3`s5`#{0!SS5F_bV_MQd)2ygdMBVb$;qyP|&}WpsGOSHR`S+ zg5IS8L!pBY0nL5z5`e!#@xQ~D{X1;IzXO!|J7AH&@bZ2;752Ly{`!83`31vm1r_k~ zEZr9(3JGF2hZpVJtz6#@YZOS*5cD$d>T>=C`GWAxf{O5kl;68g;XO~H>|Sh7)m!gD zf4+p4Yqe(+TnHOP8+2=w;@4g>)a*CaC4^;aG;Zj^m88=WsJK>;J-UIfQS6q*HS@`+ zkdHovV_MK6r_o!M+p{?4kvWeaefjW9a~^-;eI6f9b$^Jud(bxlMe%L5fBDV(z26ZO z*OQ;D?*DK!c5VWXM?ZgTO1&rfytVltQGP(-sK(Wa`Q}wnK3r^Fv4Zd$mV?t+xc7Q{ zr*`F8*%YwT-Tx!o+x=Y2z3cz)d{r}LD#(Z)z)2&v<~<;Yb6R){m!t45>0PB%Ac ze|=ogY*L}k?!l6FKA{MgQ&0#w5ul?@KlC2F|Y~za=a13ahqpK1$o)xg*cJXE`XuflONPO$KQWrB*Q* z3e!2HmZT`>bFazydhMnktFTcp1wwvZ&eK$55}V2^jEpW-@$*Zz5Iz@18^o+)FfpG3 zgP5I^#Y(9Ym=9ERQ9;IDho2;mNzBCVHd)N_6hiXL(ja6>a%Jp z!QzpD-l;BZ-LiS~bl-)|G{ztn!nYs+FEQUy-&L@k4GOiwN{shUg!KKi5Y_Y zAbf?wB2sDR^OUXpCa`s?fbOu3k`UHdQ!WkYC8pe>J_9;i4l_`AMzxXv7&iOCx6>w=#5>T# z18z<~y9xh;z|U>XC=7DW#u4Y$-J+&m=i(zTcz6N<(h+;IcAk9v)6BbSPntRkt~> z6!@j%X>!$_mqo9Se77YR#SW>SUWd;2s%GB-qqlDcjwra$BkDUD0z^N}_O;&|;y;0=uGqczmm&u-l6;v~r3mIWPTy`moldOukJ@ z=PdQ@O&!~7-2Q1&kU7fs+3Ac3Cgp#@m7H~KIfRlTr%5XLMZW1hI};dMVkbQWL1w3P z9?i!1zo#=qe!_pmY%x=7N>g9+ms$j~J4^?2?OByGhaY3zdd58?R7m}2qs-qgH!zMgmHOT$4RLnJi{pqRo27{gpe0y6P!;Uh}v2>*AJTb`sWYirQYcm{^!!feLhUu{#p9Lvw1D{;2$3_ zgF!zZh?GXo%lN~oZ!CYWCsH?-lbyO`-5xKa&d%-iaAKs;paA z1#@Dp_?5!o)rO8-b9`k2e&&21>wSe#FdR*tts$ZFF5iJukzoF`X`DFus#H+jtMfYA z?m(Mu!$}W(tVEz=Vq5pl^%B6tISzhC5Cbb`({Ji`-*t(U= z-MGRJ;bielF330zsT4z_no{mI_`6QI)sFLx@YfC&JWcs6SnW3{6KzEw?DIg5&Wr&Z zeN3e(OiFh4x>3r%+_E&Cfa>EHULwD@(2F*apfZN3DzcD7G)?cwXjv5N5ro#u2L9Au zib+3^QVa>=_R}xEcs#WkIOTbpqG8~%_S2W_{Gt7^vEH!^YVPEP<~I%5uHrf8J|(U2 zX<8(&1ybF5P3DC=ZcpZJj8>J(`*vIkZlEK*_k4tXdGA>^hdK?uY<^C3m%2R+gp+E& zRQSOeeSEuQI-<2ec=>|mE5K~HN&FZ>j?vOF=LL^=N|cIzg=+_4EGOg_n#I3B?~1Ga zn89Z%SHJRHJnZiRE24zWNXbZc^&{pQoJRijUf z#v!a3{aP~Gtr-1CCO^B!1TbqnU+ZRs0GkF9^BIr5B$3LWdVJO`WOoo-W++;8!2zuD zg(LZUS%`(H+{4amdp?<+=M^pHyXzjGb)V@IFLw7o`Msk$k-7UUT~OCUVC@2IqNAtq z;stxg%NPn6)I380gU)9tV1Unnn%MmesEN(bfSNdJ@l8&zF_1%3h8cKlf9f<~j%s2l+*&}HRiu!FGa(H=gfTd# zH!O>J-dWazAo?3qNp)jA9U_)0=#^(TEWZXc`XsZE1r$K*eXCk*vze}$QPI+pEJ`;* zazm0?8gpQr?oPHh@>J2*0=$-aPWB1dzG~jx^Kc^SZMZzLp&a)mTPV~xGLyn>=D@XM z4oWw3yN!)th|xwAeC5w;E|b?VF|wC#wG!KdTefqYxHzhOfI6|nm>uT2V7(D`u zxJ3}k6u=|G*0IPHmcG7B$agyW0A2mn51_A$x5;`f_4VhOC>V{$wrU7QI>Q1&kp7&p zOkOV|CWOz9gzwd$q05{_EV*HXqDqKW0{nx``U^DcE6A+x0JHvr%XUvp?G6!}klHi5 z^P9S;D!-2K0Q7rTWAb&p{p00}OGNwWc+nMT9$IMUrDBt(s^fj?qINn#acWx_ND8by z$*zCBptM7x4B{o%37@S%OUd`O1q0tjLV0u*LQ1kz4E2EhSO44-`;Q{}g8~B^!0`rf zywWp(;|<_=WB|t-!0}q10UU1t$7_8CaJ=1HAHeYjaJ&H=Zve-udj@d40UU1t$8(|?bg59FGL*#n(5-wt$1y&$Ad7VqmEPR%vBw2Kx?y4=l zHKZ02>Z(%<{n@dz)HN-fm`Y;M*=Oy7L@skpBS%Lk&1)P=A|pcDDa7-7lDM?Eb9}m|Ihs<1ds|G8K#RuZ)Zex& zsD5Qn)2&@puUL`$E^EVFpWc72Hk4!!tLhaHv%R2p40UU18@>P3$}8v@zq9k=HO}kl zz2?Q-Sj+n_nrCp*_OiL-s9QL<;eAZ8ym;O*RXZ?c#GyWD0D`18}o@T<}^T9nKE&ZAae+~Y*b z2Xb#KVYp2Xo&34&KH)KRC#Z7&qjnhE8F0g}RQN}e#LxhwjZ^B1n?oUH;}BY2Rhi;V zUNB!*(@Pc5qQm*M6GGLc1)yS`Jq$nso0JiHO_NL%rsi&A>n=Eon38X3v{XSKi6BW9 zvo*_NmK9@?OxYBjLb(Zru$haE9V83#-~r9<9y}mCGp;HfrIQFEXpsnc;I(;v%Hb~b zEvulm>-I`{A8q+vvsrV2h7KO`VH1lJ06|$TZz^QVw#E!t!41phN!$)qpgX>K)cju1 z1a2O+&q0#1edTP7T)`E0X$Cb6@?tu=G2RCp1=P7n@i15#VvQXM%&8c+*Lf2 zE*3G9Q=F0WS6|Ck3OP0x*m9;Q|AgE;YUZ0#%izsZv}>c!6=Mxp;g!%No{=TLh3qt? z=X9oJA*mgS0d82Es&xM9Yw-161Ezo5{=;e`dY93hRV$7t!HTd*9g&pi71xs*osPyT zAahBP>I~7@`NB#zcEj>!UT~#Y+cYk6{_aldcP}`N$-mK*W)aIt&Nsz&rs6frSPu0> z07}X%N3;JMa(~u&!tCj)KOiGKIo;QB6Q(r3mfK%d_23H} z$()8i%pP+F)&)c2l>JCD!tJdGv6F~q{`peSc5fiYPzQP9=8 zZPi|z7!A5!Gm42jfI^aFgr@5yowFi|XsV{rn&~(CPeA5a(}?}+6#n~PtwGRrYasbt zcAZ&q(z*cTI;UBi@~rmix6d!HUfYI1Lpx3~71S)}cA|r5al@?`GZCnC&TpERTCZZ; zR3W@M<4PczVb~Mhrd5hf6fq$dn>4*6v?!?59=q^U)--2X;k1`XRc{5$ne)|HCt7}S z_C*QpUsEw>#U{_1@ijUikxHuisB$j5abN44#Ysd9lOol^PPh&>2bB|w^7l=qkqKYw zt!iW8+k&s8tSBGpMr&tA&Zg;`j7i;&V&qbhw?b<`BzCfZW4Q4D9Q3aT6%n=73DXe>c1Ju_q9?l|66PCZ?yW3uXHylzjz2Q_+4a_)L9tPqVgSEUjMUUSdXcI%OLbi! zsT8vI=sPbYwa}1K3$&)?i~N4hgi-%-jC!-+`FLlguDb-Cy_v!a?XQL8;Q8XL?GkHy zP<*umW2^0is|GUCfU9}+V*%Li2dw7ZS;9o$plSyKRCB@9{1z27BWfz531bc=Rt?mf zbu5o7&s4B3{0%}ur2vt!OoZwgVHH-jFNkx-@@ROz% zVQDM*1Ij0Ae5{KfuAcvYV{-BA@*5&$j!CPG6DpMyKUu~Xazo2G5oRVOrsM*%TXII@ znoN!(QL&kNfG!c&bb&ge!QE0r_SxvZ*%lM;eK6Tx)qU?_Z?MZSpi5t}hk;y%16&5m z(g4!=W~F#xH~N8DdgrZpgIM|kSndj5=`s1;Kr2^Z+}-D;Rhf$`ch;3-M3x6ddmGh! zesp8ORjlF|HC7B4Dn>oWyOFD!`A`6vrLl_D^W7C=LXF$8jD>=Zw$Z6_F(pD? z0dA7G>+JEja`-94MjiHEj$JfjUws&80q6M+1yhw0Ja(qyr?u{+4tF)`TbdB$tbK11c&k3UrRzFDYpBiYxLcYLIu|^Z zM>x;~Pv(QM&c$J`RPctbu>P5 z8$0^hBQJH-B5P&IxxggcS1Tl<4 zXhcy1+P4#|NshI@y>lr4_xP(PKTV7~>va0de|`4b&yS8z9{hg%f1W=1e}4Y()9-%% z>1^`9>11&}`S$1keDtrA-~YCIodKZqgN$5aeEN|_ z)!A%?8~GEDmKy7d=P5y4dq(!GH~E?imfn$+Eef*9RGFwT5#auhlLgewDM(BUO4cdO zrwa(<()kXCy&SfKBkFoXb3fu2 zOSTd$y^*J>T7fk$SXLx7H7pY`Q4g5uQCw_@eEOIppDKrSa0rxEXg>ZhsEYDqLZKQ) z;3p*S8w%ysiw>9CITXsTmrA(Q5DL}x_=Z9`d(2NHhZg+}2gx4dp*-A-pIkhY2O%s8 z{?zbB``kOa2ywf1gPR!Rqpd22xBNDz>zqb!Sr%WiMZMh9wi|nCnrrT(`3YP=m!C3Sc$ZOlyL7^(_&cz zIoqT+!zDGn1Iy-C=^a0u$1P$T>S!z}O&x?S`h{mq5~-d>4deX$^ZNIvYd~uL{Bu(O zr#5qFGpKHBZ*_paCr#u2iX0zXW>Z$d6Y|+p@=!95WhwQipU!?(Q~L0sp~iz+g^Ou z%u&s)cJP@eM`13!BZ9~1b!roH4P$C$z;0G+I%t9!aO=D$SRtTdZ3w*lZA6q;S6J>yrOxm|z-lw#Fmo_<$ z9T|Yl*VzNRJm@a;Vcp;T{SD77$WPM*8wHWeV9i!dw;Zr)=tvNHLz5K!k+4H)DmW1v zI5sLx9|^*5n~lN-0Lr2jWifCT%UG`d+y&gFfy0i3T9r$-aFd!c1oV;`oA&-8xT11a zHa3o^Yi2LMO|lq}ir{NIK}QlxW*3{qB8d_J!208=lCY^YaD785s3jvKUE6MC z$)(b#+9xoUOOj*??CN%jHoNi$#m%XU=Rq;-|3Dus)<|ybL5&;Fz}w|r+ghC~DOVFr z;7l%A5L%FwQHWeKt}(U3jg2FmS>hzqo55Q)ZywugC`m}=|GSumR4^e)mb2zHSkXIu zGPISQiV-CxrO{hx+Ai}=A`;w8W97ZiqI45u&#lO~E^3~wkWER(vkCCLWWsf$q}pyI zQBo09Y_sp3vBsRCI9Hp;yIH7(X+ZfJn}yg2+%}}(d%=LSr63KwSj-BVqO`4)o~asjo}{I z(&SXhOe<2SWk_ZXmGw;G5Ao9!x2FGa8dOql=th=ZGdFe~=>T&FE`(ozs}b2nb_xf(lp04QHZBYLHlCG&4E+J77xIgL-4|3ZrJ{J9 zQ-Gb~+3Tb$crh&OW4m?jf0lm%3{)-k)Y=s0ZH-$jWsy>eKndlA2fhJ{8Uqw*4e5^l@uT-5%FbHHo%^!EI)Cn8;TRa$)@k(9yPu~u6G{a6 z-{ZOc<+9kH})34xvpv8cm}sRu(T;_TuIwTsW5~3W26HD;SG0zO}v8*CsZ~ zo*tAuqbrs^qk?%!A|=G|RB&!WAj`akSZAD+cZAed^y$yXHVpNb@spn)IRE_lp{QYu<~0pFm=enLiCcxS9QRi4C&ZN0S;$ZIHz zA{A$2-!p(`U;ps({P`;YE4w&<{ry;3hSkqfNs~XfV&r4`^jx^<$k~Xjy5R z@Y9$_;xyu!ym^aLe#7#cgx#Lr^89U*T~8#XC%B=+DRgl98~C5r)I-ZLLRCl7&Pj&~ zU<)>_HH|sV<(^*cEdZ90Tu89y#YHgsrN7@w9o(2JwSA&<}lv0!=LmD}=~8&71! zbF>BG=#IrES`sQ$M)2rLN~4I4&|j(tebRoB!CC82V)kyGCQ(wPci1T>qY*iF?PHxu z)Fnj3HVdN9b|g?PTZ~j%TsP=?!ab^30SPyG)%b^8P z8HrlM(x)>*8kz;0?PfrNYcjWL*0hrTXOu8iDg{_WAZHBh=S$M zFZ9a-!g#upAr&v8yAg~ycDl({&f}G-8Q0vR!?jO5;;nD}Br4)Ch#D=lCVyK7QOh&U1swyd(OiZ7xea!hLi)jvs3eV(s6FXKXh){M7 zv3jVwBjy2WoA#J$?TDr+zr|=2!B?yR@D`;Cl_DarRp=WpXMF0q?%VBPTJq__tmoLP zieW-CGu%-w_1wP8X;x^sWkG0b^WZ5-A_CDUW*|H!?Kh@Te^p^sYYzSJpXqREx9B^VHpL5TUAMI zzbaK*R&4=)q6-gPg>}j=*j=KO(Y)hK(fAN#$!|}Sg^>r&2JhOF-zuM|0x<%&CS0Y* z5P1fX+Rz2q@r;+z7KJ6WV_WjUFonJdt6VB$f!+VTak4g)>b|SS7GiEC0-%Qja9+w2-^f|E( zj~}(G4jAe12}soRqao|pfwsEt+#s*V7Owzek~r+V!x#tT^U*VevmSVoP`)f8`0 zKU_VEviPm-eY=4PoJRkv@hgnf#Y}npq2M`U#+zR@b92JzhE-S}`Okm-FWCo;F&v7f z7de~*&v?37=`79(`47Rf3o1EsDu*-G0!B{>%--bt%CB3@Q)pS~<*gu78=|UCNL|#4+lY8}!*VoeU1!OA)3z{XeOfS4pe7{A2u6f7z>IXk86WC9b(FnMeh|Hf?Y8u_v%xwpNm?aQOxqEts!VN|tQ1s#lj`OVd9 zt1ZDw;i5RX5KZeNsR^EX6^)}0V3x&eo@B~1pF-NP*vwZ+AuN|}XHq^hs0fJGu;u-K z?u5l2c&)%ZHUST@&uVEI`K0^kK*XFjAd@wVN?R;uA^`<$XBZQ64D14AVonP)Cm=yI(A6z^JeDmh7Ji;8leA7*S+jh>^Of9CRL?bw$uXVF&4YsO4y@xz1P&_I9%6_@O-LUR&lbt` z2J?7MaOex3-_ktB?WUU9WEzY_OGAa8RImU34LpV_x_iNMXF261-9Y++Yw+^hXXN3- zM~`u(6C=3mmQ6K-u@a9+#v%WXuy<1RM`Ve*@jRT8=NCc+$`#r#S$DyFG$rS@8|4nb z!mT)`I2UE4l&PLbU)02N%*sEc~y z4yxkat()cpa&G4Ubf3xN*G*5DX_`6fg^~4UWc5Z3kQA|&<)V5fe z^tgtg=+&PsIG=74`?j&}15Hz1z2gUz!f0q)(kvd6S(((bgHq!eE7}^DG{weix%&I^ z*(C*%mvDhM+kMy+j>yfzKIF ztwVBE+0ogcG^;ZmIbW8E9&@`&_3WuFKsBxEVk~7dUm|6)X~qt6i-{FrTI+C~&ub)J zEko9Ap&GVzfvg(}+VrtHG0AvVd*;9r7*M$=PYRYNl+Zc9VPg#vOx0W zdYfB#?eQzfF`L#Vr}7(?r*yrRZyPCMie|}mzJe!zln3E%{4f|OGU(1UNqGai` zL$e^b7-+vX4LW2p(RgjU`K3Mv>05cK-Za%VX}1&K3l#2qM^^+5bCafb#AFz%7-z@pN4=oJNCQ!5Ve=oi+9#rM-8(eNU>pvlc2WZ6x_A5p1N~Jx;b7F=R9N8gOZX z6#v@BV_s}8AW91|s-*UgPNa%A($gM|odGm7ZUk0I<6dnjp++E@RbUA z+m$T!@a*v)Fmm(TXOg?dgpvo)_yb%Cl{748Etw++w`YUWw_eh0vw~1grwAy|$)I$fHGvNTeRb^#7-kFcT1rzNqXE0ArG|qy74*{-gN(}x2i+54&1Rm2GsbCaVR?V z!yO8AtP@CJ1F6d;#N1-IMZNpYMoO#nskOox8EJH3MW7WE%UX?2#ZJ_bSxyNiKawIs z?pxKWrMt6$YW&k`gm`UC1e`_I&L*3?mghQz;W{i?aGNVLQ3VU-w`(pCqqdeoz}>}a z$f2mDNeya_t+MD4Q|V+iZMP&K>^()l}qZDac-22|Fl_(iK%u$9!#k(;ZDsIQmoPMfUl>Z^=rjct~QttgIJvrjQCyqbF;5n7(Bi8VF33GsvEtjmb>XR{pQy zUTsj2Kg^noUd$QUWXV4_OzZ44P3;8DWYqH3I4w%#RQ7--s-hi3?moaP=WE3nm=?Yf ztReUY-nJRQ=&N8@K~IZC?FB<|rm{@o59sTtx3!f<0D{I2TKO0yBVbtt0}Bk91@*cM zU(G?UM5Vpb{um8rTO)M7YPizy71Jh?1}*iK!M* zHVfBZqqRzC18&r%$7wiMNn)N#Wo<_R$?*3{g6|{wy=Qf^Q{hA?A7{NqQ@nC^EhS>ksx4V$M<=SAn|^mG7}1JNvNJA;Z@S5S@JM>VBIyx_ zWUm+`J`vAe(awj!9qEi)AP2z%=^qQEM;ws8F+c)0*8U__ zFy==$vR(_;hc~ERe;6P8#P{eA+oN|}kNz+{`o{C<9m}JC9FKcqc=Utc(KmL-J#jmF z#q8)AucO}t-+pmA`o-wz6`y1O*c`sN96p#FUU(dxSRCCr93B`PzQ=Ok*c*M~ZuE`0 z(JS^uAl62oI2*slJnwrH-V0l!M_dihqpyEFjlQuo`p41u1diBt{EUzKh;5bHJsq(J zFfsLxk;U@?Z79@j>ZUw#RSV-huu|%_6m?{Q5Nc`lNN%hZ z&r1d;Wj2Eth34q1P0F5-Bf-+el&0zN`r(+^e>@tK^}{K;NuE9>>qqLpKmT0*E_Z$H zaPU>QPUD+!#^JB{^0|uz9`!}IyyQ!f!46C zN0qkVyULGEBZju%i{sjH$!_X9`TX;GQ%=o*s~?k-6Y>?Yq;PnmjSw#D7&1J4YRTZX zqlh3n)Duergf}@kISS=o6;;;6y1=Hjecyw1w>cNmQN%AiW1j*8?~i?d73M7yVpsMp z6Jb~8Efb*Bik*J-=kl8^+~9tAa#Ech_z~)&@X^Ovx05g@sQ&a?(_-0l-^7FHf)>jQ zNF-@^4b=Z9WV@Jj>Ardi{tv8QuY;`sRRM>Wi!oU!j2wsxj}UERtI_+VSm|^xIU0jl zA=rv$MG~QV#!1900R_iRuCkzAj8r4LDJY0leMS`7KS-P0oxBn?O%7TLVlI z&)}Z7qS;+(n5ElsLsA7k=5tK!Rv|JiH{At!K-2Vr8{Ay&Sv6y_jFqbp`~(@-+n|{w zWpI*2sKf&)8OEyjBBzT*5~+)o&GDBnOV*dyfW{7T7O~_;Zqz@Vo#|BDh{vr?mMg|g zim9Ejn`dYeI#3coIqF*sCw+^!F_50t*h8gdkHvr+Io&flBn8sBnLqpZHceo z%ARxZ3qY)R&PLeq)e0eM zgFkLj>e%Q4oApsFX;vFz;=%)sTMM03f+CbYkO*U?&^9|A4C6*^aFf{Bil}S8I1+^4 zW(dHg%ul71yr~iUn+F_`3_9cQ9Ft z^VjVXM`|Gwp))(hmJY58n#DAa$vI|D!XoK*g~<*}GV<4NE+&uv_~^@y0WX|fNOy>d z$c~EgNmk7reR=-x22ijKl2;uJ^2Ecoi)GF?*GrNVz`mFTw=KVY+c)hR`>2X+xm%ax zpIoii=t!o^kb%Ym&KYVMyif;hafoZmIN)N=&Z9zwEn%%qV5{~Rqr2F zSd^sfhNTWn{Zo`AT^A_qmTlX%ZQHhOSC?(uwr$(CyNg|RmruUm-usOICRb?1MUIgp zBIla(nPRj)6C_Hl$zduc%e?4=8%rVm{1m~nS!Rgtk@mpA+02tZl9)8@6Gs7b?rq-l z!2XM1ZFFqt6K15D6aU!5Qd?)IHJ`10tVa>RfeRYZUG2cR*h=Wtl)c&c5~=i*0y9T* zdgPM7O0i~TX{*Or~I)^ zrl73^t#jCx$&M!1r`&o@%{An^z54x2v`l1VvkDipV6#pSH#d@s)um}WhV)-FnY=>V zEd6uh9%bqu=v1l>KOtW;i-*`6oTM~h3nQ6zuV*$9khs_j3!Sc4Y{y3{cgR=8FX3ck zkvKz61%d?7W)7aL^fQ=>-5SEf2gJc<73mlx-1fekY=61$OccMpVf2CxtzNv)*yzMC z;LMqTq*^td$dFZF3$z1d~3;jYi+96E$HXOK29S1 z<7=agw>axB_w}qt0uj|f*8&D%dXaX5B{xzI~Vk!3wjhBx?j>nUkQ}CU(TC7*t%8FH-UD6Qm?3UkNHvTLvDn!y~oxt zwxd}%7sQj$pGZ>M9Dr8;lMO{%_*mvvzV(6K}l2h-B?Aw`wO46+^1-H zFf8;A%};6Fo5KdjMZWMy%cDd=IuJsf1TO~FC3a1AFv_R+Hk$Z}EYYz)k&+;@pCt6% zEB;?hmI&9(4N~6*!Ob6Z>?XKDjOCSc|2Ya72 zP>oA7cL%MEez&FGdbCn%Y_x`;Dq>bo{O=F7zX=FRw)5ytek6=UvfQMsS<-GJHFv+s ztXeKLm*NEZlZ@h{I2q<4C(XF!gV%c{dTG(OHz4a*6yLJ2sj`g2MN}2a zxns8EFbVlh!`}t6nXS<PnvJp!RQ-8MGYDbt%?SR z-U-^)dAh55A`o%*R_WB`=iQ}ttl(6%wDq*}KK!*9N38Su#%YrFuO-pkR`kJ@M++iXC1X*>Hm+0^Pf%R@ZokUvMq*{aY`q4) zXmtSf&1%|}`l8imj;Ce2iN*<%@v#=ukFf0=aXC1>3r?ST*BYS-0XF{cr3}OYHl9(; zAfC|%SLk1n9fkP)zE7dERX-+Nh63q^{kPAjWdP@KYQKyietdrJ@BR5%!p|=>vEPF} zO9&Bj4P@nOQdtMqB$=-~*EDPmTEJye4v(cqW$)qZD8FS^nwifC)^idJvY#APptTH| z4O6BmjTJ8B_24Yf{{Q+;H$dM3AUqJP(I4+d5<_Q!7ODEVmy9WVXMVhEO{k2PJiXSo z4FUn$-xu zHDI6ve`d4d9yITlrF_!F3n%`prOZdeB3PaWO1Ks%U9X*Dy!r`yG<)j->EZHJqa+0N z(zRd2XX}clj%VoBVKJdk63oI0QKW0TZKatrhZ;bN^PE2!@Xjzx7iQL}`8Xc7vcFAr zLl(uT$8dBC4cr7@0i6^wbd9Ki{{cTR!wKx-fZxCXRABRtavL^W3dIywi;T9AoLN`j z&uRhID@T>*Rqt;WPFtKR^wJcp)T8vlDOo>Hpq14ln`&872ldD{a2v2ld;^UrG$DES z%$R3Zc!AKUHrAmHs`aqPaGMg<+iyYfJ06MTq=_IB=Bi*|-GgYRf=$(Fi>$|bKWfZ~ z*y*+Z=&*yvs1xQ)xJ_X+csUO}sH>pSt#ixm%oud!?tfidZn5fj#Rn-E#Sr$1)#Cdd z6m+@eZvEcb=idq~j~o6`-`tBF2!Squ0Tw!`UQlg^$%=LKcw~@=IOYCm>yLq^q6*LN zOk)ZZZq=S??qOqHFu)@yhW)jv$Z!7nk=_grL83_@N@6lNu5h z&(YSD2T!X^eZaFQYoNkjNyD!)^3^dnk+(uPco#dHhf1E?%<#&XRf{r#9hsL_kF`u7 zy&L>@2G8?@Ee2?IGfz|l#wd0(O=P^kHy7kn;k##}JI>f1jLtT zg$i@*!i&6P&J*1B*#ts}zFbIQ zMp@V@U2&49@gTmxbw`;6F{XSx;FuPT^nui_SRdZbpy02wdTR)U&^1f}|C@*nfg_n( z$s%f#nme4EZO1WF`MJ3nwR4Z@9+KByom~Gq_~PZA`^Sn)`N~pXErWoXRsef! z_P0d2&&BlPJ08^dKM@yws59dky{J#;LBj#BJix{q@w496tDPq*qc3^lMXm#f4>@~R zR*z-n&d7P1*2_aE$j+Nn&bS4Vcv4w~?9*DS6&UT+!zc8Oe=l>fS1@v& zo#fuINQ|CBb{^a;y9%_mbdl8JE<^fqO(D++k{PtCIyFG&sk`*592xW^DP`a2HjIgd z+zqI9b_y)TFhDr{noQ+@4iLgxQKmQ;puM9*7F<2(yd5Y%dhh*69 zuB#UQ3Rx5S+NitwC>|Qb0jp6-P{7PBn70;KrZB+k!AI;3Vs2{4tmO0H8fz$jK%xug_Wo$Kuq3UArE{qPz zDL$xPZv?1$g}+=ulLuu^rU1|SW6i>whdgu~rRqe!B8${nI%%COkfEi3 zD3-WIohRAC{C#@?$BcYW$gDfNswTK+md%d#*VY&ooHED=ozz7D*^@Z+L8J@-2lCVeKRQYOG8C7gG-v|Cw1 z6r+}k?dq0Wi&fiBlohVDHJD;Q+8&ycONNsRRuHKT-Fctz$>qF2Ffl_%Krb{u2=(=i z$@;_cBBD^C^R)T(V7L{6)JzQv z8_0tj?OL{JwvozbQhzI03v+Dk#2#35>vAm;SEe|Cg)C~*q!+ckHSJPCRGM~Sm(jT4 z{RsD67t+M05ujHx3T+}9CT4+NBVwDhAeG71n`rI3pZxBh>FCi<_1JtpQoz`nqC7II z%Cv8Xor6%q*vnIq+S0l%ndbTUCvxXZyC70>XkW$QDb^2zRph*&R*wI>ir5@vc#&*)nb4K^6FA9I2 zh@d(*+0z29sOk@!k3|=LDL4=5Qfk3>NU~m*K|$Uiy%%|6=%AggAQS`(ot<2#)oGd| zpoTq_s#jI1lU?p<)=C%s47F@&1{%NvdyX=Q4kR+daW{sUP{E)@SXJm65yY=c8^6I--e79;Qhdd6Dj%{wsp5?p2vg-X$ZJBb~6lsG&`*ikU*M zrvtOhOEk2?_yI9h>LCg>_APgRR-To0mFd>_~-oa5}X38loDDl%K^G_*UX8@=G+gchpSMl*`|WO?`cht90-S8WjhKMZ(Po? z(n-eOU$C_Uq4HkO9k#&b1jsSrByyt2<Q7~S~+^NOHSK72_i(f~7G0JmUSFp|KYr3%3=I|U5%fW0a|2v(UL z)=Xsqe^wbJWIt3UPwqM5BbF#_4J{^=JlCqPv)sjJp1z!9SMc0eB+xU=1?G48f8uM# z#T1h_sW3s(|D+)*B<3??O665NMpSM)51~WN_=pdxflVc`M;R%(qrB<^SBZXWrF9J! zqSq{X*MC%^L9mc?qs?VYI9{;hqH^@*CntfBQ$ft=L4S@E)9ArC_p62-wKDPxptbt zhV{x=sHn~71~X^6pY>qxQb;oGT9Lx^!<@)?+O9J3vlKh@pcF;y?77Z%x>X-0RV#oj z3t9_pY+Rl2qlT8d$a1Aw2SX;+&8OAq2)?V3AKd?icA#zW55$e}%BkIW7=PeH1uwbZ zT$dX0h1D{UqR(bcpQ`Z!w8%S{Ta3;Ia?5RrBcuh@FIhZX?gy3qfT!V?6S6)S zDt!eIDv_xQg`*n-Djd+0g)zuL~wZBr_2sQj!q zJeq}>t92v&s@>$0^#kOJDhDuv8M6^`jlN*CihT`r6YuoNN<1TujwxOzU$Bte^N!oR6mVLIU)(7D1Hx8kZ#g_n2 zVlm&~>^uMex&F2vaIh~Q*un#Fp+5j|1h#l73Cw~=>g*3bkUfNa>Zu9z+!P7wJ#kmi z8DY@=ZOS2op+GmH=Ezp1e0>U{adp4dG(yCFotyc$Az$tRn?+Jy6;KzepNlNhjU-I2 z-m&f6#r90OW9d`Av*Nc>hw)<-z}KOACxpMU#@UP`e zS}dv;UvorBNCD_^xR9A5aS?uyVXc;|{co6n(xC(b(_o0D%=t>1V{QKZLN#IODv6;y z_nAZXpIym#$O3O=WfHX;tgaoh2+`i8fpqI1V9V_-#1FPb%GjVAaYEd{HqIavB!l)j zE)PEU;!%#ihN<*WDJ`>Ie(gf%a>Z9B)l&(@TU+B05a5oCb$r!500njHxLi~rMt<{Y zAiK-*r(%fpW&ZGCZfE-%=QQz)ysu@d1DdNOL%azBm7yFalz^IPgX3d^Zo{3Ze3FYwceR; ziv#8t1hxMvLMqBB#6t|R>a4D#m%Ii}Q(K-g(~N1t#? zuhzqb(f=5x(5=_}XqF@h6>m`_V8PX=5%X*lRuTJ*hWW>}gj&fyV*i3aeqq;J*-KWt zdWbC#Y$ItTr^_<2$>#HM|9-%Ic&?#MZizf=n)cIO;!URD)NlEnBSO{`Wf-{}mlzB| zVh?U%ETUl7tVOm&LC-Xe)qCVN&q>e}06wEB(tb-843d9) zYGWTLnyPeHPZNr0vJr77TNVsFnnzG(J`+ajT%6tzq3paKC&_2 z&ayLD1)4nz8NK+K_6H;!*c_HW2K^o5tIIr@B_GDiC&L);+w;70_|IkT%!v$>!!i&n z)t*8`I}b_SC4;R(_J+$G3UC*5PH<3pw5uRLMh-ezV_DU^v{i0){Q3{P?tmFA@Rl;A z7w4oGhxdX@J&2Am?6KU$IZVGvXq|YnjCJ;-dIm$U*+V-rI)gjgJ{%if3%lqjLE5jD zdF@mnFxczm)*9h9s>U(3hJ@yR)n*HCGQ%DV9L7kZJszG#G8@2(jjU)As+g;KEPXZE z{n1_;jh=u+tc#P#^}GtzZKe2VjB;AhWe#s$UU!9>9Eg*>r`uiFT8oB0?I0>0 z;P@PAIh6wQ$SnOON~)9ooV*RBSWR^W>PF&&%);}eQ^u`EmXP$}rsPV`JE|sFLvUBQ z)+I^D$+w#_L!dj8W@EPi-X4I6&vQnK$K}`Vj2_P}bE{V7OmO~s$0lh7uAr60o?hg2 z-L@`j=7SPgX*P5fBNSmvvuwWVr&^hWpK{awW2X!`aY@0soI^<^z@(9f2ZN$@CpgO) zS0M6(HY_!w2%%8wveZsG?zT-Kye%B=!k>2S%~Fmm`RY=oe%3BSq$9u^q$idv0aQyu z%dhmDZO%)@H!}QG*b5hEyB>o%UqmYGMFgZb0?A5RVym{mZ@P%g8}?EG^Wn6bV`?L% z*Na4-u6Qkn;cmdCpD&q>1!_UGkEGE4Ip5q|%(Vbdv4tTDrI(ytKhC!H2-~;KgGZ=3 zv#G!xy&=(NE_&9Mosv&yA%^nlP)MPo*6C!O`b}0G*0$q@`5~aFDhg5f*25kHQ_6Lf z@^l$Gj|z#SBqH|th^h~Y%rM_Qh7Hh-5!!m=`tyambP(i5zVaTZ9q+0D%t>x3_k z`PuLSaVJbX`8>tE%x!S_#&tl#7k}Y=E|7SqwT9ajY+M%QM?hrLN!M zd(lZO=+>%>vJ(8#tJ;$C0yOI6?6xlm-%tTF0NEYh$OJLi+j<#f4Y{WcViG}#twoTY z7KRw#g05b&9*Ezb+dMK9dPP}eu*gPJpV_FgWkrr zHXR03ry++?%~YOw{S3V55b2CrH~oCwC=o;kFUreKYo=*7r>C zbS7)nrQyRd6xJx*D%>GK?SD-!I_IydFQQd0@h6-?Pnw55DB2c$s|5ES&X|L?9&14? z%-gvt*Z*4q;EypS$a?(uzZHP9d(8c_`y;j2h{_&FKU5{O1C5W2gWiJ=d|_w)x2eD1 zh?1sf6n9=vj}zsqKFJHZIfy7HkZAEXdU=_S2H+f?cO3;m3vIZgq;59q9 zVZ-6Q2?iHjmFRfmgioHGqN%EPc=B8YT@diRK5{i~6`rMmKz*cUirkXcu1)0$dJ_`I zL^r!~|0n&BIVyMMkTOQ6NK7_B2QQLNra7)4g`TP973#9~FP3ky2@LVG#xIa-?V`?l z+EHCc930Qsj)m}2bG)SDVVj*n{!g}>usjkcfyw_j`cHs;p7(cnojylW@l}6Q&J@ms z*cTS%4&@R5xzGJn#onUk+3U$z)z;nn+L2AP5=M zx3Um)c>B}>3zzTzxm5Us3KU~0a337`oYgr%XTb*$Uqx%dUVt(5`l86<(~5>6J*GfPocTzt^M>q>8b0Ye3kh3 z!u{O0VSD|z)@zyXkr9L1-vsBn5atJPNvyCeNlKc`;Y#K6Kaca%5G5;}e0*!`a`6G> zyi6M)dShZ#QvF0DB^lK#mMFCq{;r3!x9s%keoREE`5c8*Y!$Q+NaWi}@KIHsmHd;M zYdD~P<&*U<$6k!f0lkFqhE43?vIJQ3#Q9Lg`=g>^5@;btV3Q>k5hiRbR=lQ)Yyk~~Xx??sFb+v2{?el1zkvpe z0%yWaKO0>RjkHJ_J~?-7GU)pSt~tp%M$k{<^gms}2UmlvmtM^k0#~hrfp$q$z|Je4 zu@PFk62))CgY6Gi3h0Q!2XNr#_4oJ)HcJIaj1MyH@AX9(Uzvaf;ewBs9A#St;?YB# z2y{E0k!vFi<%wd1L-+JSiPBbNCO3u{mjxyQ07l9`9h*^*uCj}MRNG3BS^ECy>^IomUP zK$SRC&xjk-M!q_?>p$l8I?G*Fk+9XsMh^L%_F?!QVXpqW}i^-LsL>>w+>uzMKsc#P54xR;;JTASvtP-dMrhcMI#cR{!pU zbwwZij|=~a8~z|lUAEG8)$iBS?gG%293tcHae{aK*y{0Wt zs^Ys}3Dsw|-ZtmF1+WoN6(uSK57gWV%7ZIt`$#Y*%Ns4I6IQ*2W=+%_UA-~?wF?^I z0<;T?Q7K>aM%yKS0pUSTrQWP<2U7HNk5IwGr=O(o$+_Q=^Ms0^2CD^@pe0vU7+Vg2 z5KPY*Db(Jo;4b8iH(2oZ;3}MuF})WkBaRGaoV=2Z@qqOvVig>ds84b9Fge-Ac~L(P zBeALo&pha>wjkX9G+-87MS~f5X6-sW%*$LVneKL1XQEt>Hl&6#us@$wcQ2AJzT9_FKsnhM+jidcUQovX^4vzhkD8tNFO?~1J zGH{uyd(CwK6>x1dw32!dyyl<6vZV1eB!GB)K8rQDG@+I~Txw?7fLr!CLod4mT`Ayy zME>9d+h>IeO=Fr_O#&+|w(=Aon=al&AZ*oVcc^$>miYuqJ(fu1Ao%q=WFR?u&1o^YEG_Y!}m@KnLT%6}#CnkL`%Ms*pcpj`YxhiI*C!_1)b&x_g3xRrWU zuj547Aq3B|&w}J;#%sR0Yvsz}%;}k!XVuP#5LeZUY#3qg(tn+TNOfRCGZ?k{L1x2q zMiYpSvFPz#4elZ<#H!9UJ3WxbT}1qgv_D~=>N~d+uzky2o@p1v9a{4FoQ#9`gM|5k zf%%Dt_&P0pfH#?!foezpG2W&u+|Uz_g!w$!gCkbf-=dQT%3EoNTZ6kb8BLpC$*6uU zcXGt;Qwppd(+c4oYH(FtAi<)EbWl`mISPE~u)nuj;SFamHISF=MK2|oJ+%190kw=j zwmC>ZHChuf7u;{kqEvlWO<3-UctAFphZl=u;tkRmawQLBglT0?^I!G0pQUVh8!Vah z_uSlTzh(*Cn|S`D9Pn17X7wyAgS+#CtuqW#@ce>dG-$N!jV%fko?}I0I`;+GivIv4 zfteN!4VqB2_C zzIQ?gyr}3e{BK|f47dJ%ozVfin$C(K?v$uuc?pSpsiSnXcGcbUgv$oP3IN=HUw*0! z#C-I44Y16EMN8UU?8vkSRca;^HVE}V20E3?divWbId!jbl@#z)o&QaFtjjKSMG^uv zN=AvifUX5EhCriamR_@9!NxtzEX$AF?DW-iR(cokduetZ@5TkdvIr72r6Amahn|Wr?#7l(& z=xHTI`fwe1s93LI%(FameyHLB<}@|V^%Y{1s$c_efO=*tRHDcN zt1SfFy5CVf#*uT8jg3xEKUM5TO2$c+Rd)Zgu;0@$VNd!t{P^k%6WeS_XTH|W)!uUN zz|lamV`}falyp3G73Df^g|ZjNo^uFPdOUA7Zy7+S223_dA^arXoJYLi>hT*RO14Oe zO6{v!2I$X|XLD~7BAk53 zc;ORk$Id1K95am?!|74)DT_BODyh$w2JR-oZgbzC(J|%|P`Oj5#Q9#*mU{ENz$H@? zHbN2(k~&L| zTTc7R>PCR{2`WD^85Ma?jzuWWz&yw3_Zhlx23! zm*>x?w5@M}Jt|udT3}zAzI>|-3(+4F3Uh9Qu9Dowv?_Wt@M1Z#8-Ug#m}zDt>e5Th zZE%g9{0DyOeliiyQ7Zn-JN(#7)P?Vsm25(H;F*|v|9^)$$tG-l{&xm2BmV<#>i+-i z5V!zl4xc|klTW~+1b-EGNFGBxH+M(6V{DR5CD}8yxg4qHBMDsa@5$?W*jmw>scYtG zp9@~`$nGr<8)!?z@qC0BCZ3x+SRe2A_1&-=q=}V5-K$DXdH}RXSmFgjjbg=w!aWQ> zoktD3kO&R8y>@10UDO&^WnJ1G@)a82)$K)y*i}W++rn6(J(&NvM_5R3g=Dr;r3S(Q zRRH%W`>Aq`=W9&6Qk#k_sRJg2#F0i+=lba(>q;k!?qJUh8in>pKC{id;mBEF3r@Z@Tnzzil8)JmBf6ub5$7P#_6`H_+jHHZci!8tXQ?+crft`E z31momX67`$#QtbEyn}h{{WrL2^}2z;!e_s}u|Mz<+7~lgjRE3r_Mn?Gc#*Ty_1ps= zD4=y-$Ow7X`8Ng^c3(lD3_3xLn6#a!WxY!q?-r$hlf?Hw$%REe`85xnGl2H^X#L8* zX+PfkHt3Yk#PZq6-0TtOcMJ5F;bRu~=iZ+3vzh}w!KG`@yY+93Zm!gqP=8w*Ro5Is z-e<(E05X#sq*~XPGH>iPT&JlP#P3o+%}jpbx1Mtf23Q(RXYX*s`YSryrq& zji7EYQz$UX;tU=hgOtZJjMm-%9%MPwK@YTz*kqpy%W6HzbGI#9N`cD6VIWwA!9S!U+x z%h61Y*JoXwf@?;ZUt)d30shqgDeGCx4 zP^Rcfi6GG@ zoO3bHTemf6lA17sX=lkwSR!V+jsuZ6hgm#jSEwF@zb9YueF>HLPH1mBG(2aRK`JV| zy6=WUr>XXR$*UtW6EDTe;25*%d4@1*3!pj&OfaTzbMEZauGk!W*BQA4o!r(ybXPse z9A7c7ws@|CE=S47gicowvP_|kifNcJ>(-I3*IN#pCT5Us{6{@z59N{vr25QaYZ>C8 zR9rzSMkO-S68H9f$|FtRno`MAB#mYtLN!r&Dv@PD8y&lryYMXd)_AC!uvw)uM+fmH zhJ{vyQf$S>YtNHrXHt8SetCQ&WO1|LGzH)d2mFk{20Q42&Yg8%wxUq(gA=Jrs}?-i zz5H!yiJ7UXCSF|h@U{_}`{m$+Ar^z{Fs~IQRA%bD*SG3{?xzaw zdt#T|E1$J~O+}L7av@&_EM+GU^naK~D)iTms_%gM_?sT#v=HnTvE4)QVXClay|{MA zd|ISvN7XddtPiP0wNo#HjWay)o6Yqq@7R%m*PFc^v~gp9ubhzN+Mkh?Ke{zk1K{dE z*YW-bG|%q?buZuR)wlm-0#e>%OueurH|l~S#HGM@*)+g~imAo8gE-p2Yw;UY=$TvR zxDRlj4vznFmryHK$a+GINJs|*eXB6DsNPIN1EW*y2rL$QaY#}xiZB@+{kt_q>n&WOrs2NmbZxJO3)=a9T>-%>g~M0_{UXqNICIni*bb(*m?^*@01xc#Yh*1)*% z-K;pT$e52p?>gN$ovB(^8al5Y_0S@;5No)Gfx0%^~WzvjT@>C9qU>lwH3t zUh8y^MHFG{yl4rdYm}`a$#_J8!R`J6uAkN6UEd zdhsr;MvLB=7D478*^E#=%4xin>zy{r*&Woi%hB_8CSdR9)sgTgK=9{%<>&paqGXBFjg1?d z|KsiU^{45z;b(bZKCuYe#m)~7f47j+^JIQrVFK=>ytAdH1>ON7^)Gi?D`I7H_TEu| z<{Srn6#_&03Bi-%q_|d_$#(Ff;86S8xR*LFoK;WyhAt?A`eie)S7k>9#gsqlIWgwK zULcab@b>RzC8Sl%mEd74J~|JJSC-0PR&8h#x1YnykcM`67MG~|H`2K57VTi%Fw}%~ zoXe5NRTVu*5}#%f3y~%>VHA!j>7;BH%+pjeX!+-t@{Rd|V4i3z zi3z?VER6@f-9}p>IMD8Q*(nm{f)J_?lt1CwLO`P+;O=d9u@Y$h@WsYb(La@^7Wz-o zcfE#F%ZOYXoi5ahn-Q_%7FkHeiGYVUb0|>OWlhKcutA{9N z4cVb@$&<3{+vjr*refiL+@szy^kAo5ujrHk!p;yfJAEY_slR}!>sYd_Uv@V7q}cp& z?n|B~;F_6ZK3IgRClP@Ev4EIr%yw#GQ*k$a)WvrS3r_Yrw z^BQ{-WJKz#Oq?b+uMV|}2cT20h}l#qPjLPGn|OIeWSLz3oDfWY5qz61+LLzg>uV!_ z+PlPg^)&PBFySyo-z5$BmyTz9TBSApc~MbPFqi88)mAdqzLDo|b@{$o|7-1}bG(7yx=Hh@ByWL-tGeWxNZ|6c@RKz#gz!uX3iapC!q!;~a7V_tTE=NVsM5>Bg2w@gNnBo`$jA(yl#0>~!7Sf{9cS@hb^ z{}V_?)QFkr%#oi&v8J4GQhdaB#R1t30t zl#d5w%O;VPf4a+#xMnX`&HaDH$EN?pM<}u?_WfmscThA|`JABgrZ_H!W-OHS+02U& z8WGmMMU|C?tFkg{J6S0fc8g#2)5+!6>x&EFoJqTC;`b=~f& zq&pGYxG0N9!hMTRKnpNk`4<~*GWgSwl@)+^-f^b0@=L*F_bvk3o$*VmX0TYR;f}O) zWJ$zUT+Zlo)_D4Eh}*r0D5e8dShNp*`4ud`=x?8Jd6)rl99SS;Jr?#x6a!L8e`xy=CQgx^q$G*Bxp5<>H)Qpg~w4>m1Xz2}qsF5jWjqX?{SMlS=9 zkFr^80XMR{=BN>Ssut=Do1^eHGR#F8>zlQ&h$*x=KgetyKHa290R#0rM&B57w zJi|xltY9pJm~8%p2x!$N?QVr&bLIzewuCv>Da5AQ0;6)J{6Q6QO=g0bY+Gix(CBP& zma`nsGkSNqL(lO{xQ3BIQTh7W%MDj!E|aFve#M!+7|w_5Z&qctke0T3BFL^!f6Jzg z&#^x6x?Q27Ho4l$!QPn5)>NM?Cquu0@-kpGUZ<`~$32pu369pk@v*FJGNPKFJB4<@ zurW@Te&fjjw*zy)O^&HM4y=(8PQMs4NmtE36t3}(EmnIPhSEvfRuSxEl6)N6abv^j zlLrnjb=)4XQNe2Pld1RV^k<|aaq5JJwpOUf@#fR&{kwHoqE#v+FaKK)-7 zl9$LYol)&i{eY4mZ!al^T9?3zI4oL<2HLTR%UXpzw9SJ}Y7iE`;@lv1RQ9c4kGmq0{5+A3^%G!Io86@p`=RAynsTWxk*A)KTf<04^ZF!J^=^Ys-53F z*%V72OthzL;8c*M)(k)4+o|Qr{4(cSXjJ7j=I}b)x-(k_HBR&2iujR3ny&-?t0#Qp zl!>WSW7@G%n$7F&^bdD9t^A@bMa=K{b-_y530KR<4!jj|A_S;U!v z*XyvQO3os5dCXECnLC4(-FYuZPIe%g635{KRuu#1yFi?l$YFQocyER(y-oo5SpN0q z3Ohz2F5-c1dQ61QtSfN)@*;oZ-TDt0haKgD>`2)`jzQ#f)zWP642J9>)sKkJ^AhHI zyoyJl|7XpdIeskn;c1IcaQDOE)e&5N@Z~3Zeyhd1q63dmllE^AnudwVDG}QwnhvmV|hT5WQyE7H5$P4%;0jN$2s}S|n`)^A1h? z#kAQp%yard^p7;2dYun#ke;wMS{+x$OCQV8R>}sW;=F-ybMs?L&DqB|i=F?vO!oIy z4k_VCLjV;vsC;o=!|nF@aC90%Cs(X^DFSKI-<%E}v<*1}S3o8O>9J3~f@JnG>8{dW zBp$9$knaiHUs}$wENe-%uFFLrn;;Hkkl;HEZ69UIKvLRojN+&lHmwt>Gxh)66N4A+{<4Z zpV$%MCifh z3ge9%f;S{T5-Nqcq1{Xx6@OAvq804u(seaSHgdI`*xh_tx&-o$a6lFQQ~nQ0NJ~3F zdnA_i8htbi%7bZc5%tjj&~ij_rzb652*zsOleQQ9nQ6#zur46LDh0P$hH$Ro=It2G z5j;n4%fBP9e`1t6F`jb-Yc14K)+S=}c&fhEqAXbeml<5M`g-qq5zN&R>iePOyAUJX z=72j$-pi1i+s4_XtdK5pp;(x|o`Esq^BYPG$6VTjlE}5`_N6|(Z?47O*aKjX3BGc; zR-9D@>XaovrdY3LPXRLf>_69>SzyeLhTDKZW;3n47?q}jz8sheU#8L_!vRIx;?GSY zT!7Vb-3gws7Reyo=c`t$9wkZflnWvzv9yj&Cn+h1Ob)FG|C0p`JFIzia`9B@)ymF< z7Misj0QKWqJBX`p;vo{*V>fzMa-YbBthCpdNbMlaCi@MsL?tt;jWDGfOQR+#W>mAt zX)r$;blLs7GgN!r5~i)#s2TEqvB#_3Z!+ub9k-ciB}V}Ec!Ui6luASg9-*Z!K1=|u zj7k2S>=?l6VEFD%u!B3p&o|wTt8GqMaQQgu@PDz#$nL4C+-5!e#FpJmkReY})+t|e z8e=LBUg_pa&C#}(mGP#%j)H(zhU0O7^+@%f^~h=`g1{V1pXeq%knFM8XR5(Li5d2*a*Q0!SMg*wRcY}Qq+_Q-<%ANIJY z+F1>CG~a9%q}8B8_c!Y8B$0$Z zMYWqPQ~guDYPZ!2{u#x<=Y-x)Jz(S+g(6|TkY(~HnwZteeVn2~z=hlEs3^cHpqw%a zwVUmfwhwuXP1IHd+xREVV7!`&u84m}rBqc!{jy(jHIfAHE{eMX@J-=+d;n`=s!Ty5 zIVD>|#MDh+ZW(MHQ8&P zFn-Qo_w;d2n4U{S>*?d4w=o_(#_9c5=DdyL76ni#0KqrVu$c6my%nkvOqEoj6kXJg z*4pve;AwC3D;%%Q`*Xv7X_Q@vw<_;QHfD}X=BU=bUN%3(A>P7&$d<7fR0u<}LzUAsrZPV4^xploJU6D2rnx#;(0TIvFMdxmZkm5gXvUe=o-sEees_3%{Cgbo zX`ym4x3No4*o3Dr+TUA%G)y>6MeZgJqZuDTJohz=4{E@K$7MF;DbHuc7|?SL3P$m% zDghZZA- zrE)sY%5?#+1Zk4A+uN&IPSXQD$6mK^TCqw*b2b&S^hJ+|Lk@?T>PA}lgBI~WwEXdf zjl;H_*O&vc_e{v#VcC&>Yg)FgcnWzOn;&a_jfCD#rRzXb@!E3l?{!NwMjofhxda92 zR3ybbEqnSOCDL=MMRf(dUs?yVq%zf455zVf z(#G~T%h=bdVbd`{uFGKfx#o4W!cB_20QC&hd>Uo?*F!Y=`reXI5#^gq<7_3dA!75mUP*SA)Zw13) z>UBWbG~=18DxZ{0S+z`{Y1M3-#8R798H_+-cc5-W_kA&^v8MYo5iN$sIChYG$=p9GlHGBSit0 zRd5Qr?3QH-kHATV+3*F?aybz+E_oI8+;T{J2aWYm=(?+`b=27upaxsRJlNFjTuQH@ zGmc!4@10~zHC9+=1PV4S*keTsad_8E@(D*lSB^|`u?hQDiq(wsj!V>8bkvKQ9?p!( zInQ&rSTt_x4Gf>Xsy9Xqw}n@)uS`omw#9MH=(WoPsUUFTAhSSg21jQ1CP-nLpp6UO z)vPGlwRmr%eK2s`6=gPl4Bt1N*h)^cL&F>es-}+mEp%FPn}fzpgk%mMeaQo@GfM0(96dYz^z|D|kOmA-eHGnJ#cLW@AK(Ew>1Ezjw~a^Ex$a*OxBRrkd6}?j567zYH@_ca!mkvHIav{}W%&u8-sQ7e5Wi;bCi}V3{sI^F# zNQx2O^Z1MMFlo62EM2dbAyEG1vDhVQq0bolRIY;Mp^K-;dT7#sl`6N44Or}2A5Bew z(;3LDy(P0W&IC^ld@h09AgUP8d9G{$ineqIr)BCQOsTX4(K~ZuSMGSNz=t&gJs@PY z+zUnX<>h>1Mz!u(+RKbZwJjDi1xIEXBUzVCp$W(Ia;=kX?3rHXIwsYsP>!Od#Tu$j zHZ4_MyK24JTeZWs4m#-0mDo8zr3v$Exe1zD%rWuq29|A| zR8L-1aj3s%6F@K+p~3Eq21qCHpn>A80fD=Xc_D_pAS2#gz-fC8b3Pbt=}kC>k}Q7>lDyn@{?tX*DX?l+Mu%RluZ#0j(9%8clnE+5?_8bszw+X;@0B-C zysd=5+g1)hSrgRTyM=l&s-gR61#If})GpyX=m*%*8r-)|F^zS#CZ|np@Obsl1e?iuQYj+pX2Cw2rWnZdGbhElsbcTjj#h ztZI5xOVb})v+7E`SyQ-b>vf~&{sZX0kY&$cqG^Tq^n{#NG#j)qGH78f&u>u+^Q$zd zaoH*iA?ld7F*IAYx7Mz4{Z_P>Z743@5Tve98gzwpw(BJHOdPf=;ajCM21OH1W3vm= zD*UFi@lqSO?J(%ORdeoEk?DdmEJ1`u&CKtu%s;Am@m z21i@7)sN?BTMiJeerdYdZaE_Ocf-^Afyut_kVZ%;OnFNUp=^g|Ix$W9o@fwboA(V_nADS(dgC#+^d`kqbW-v#C=@wBxVvCFN4sJ4vrr{6gv9A+u5(q zqs_4K#$Ri(;y8s9Xw@XaKd(-*DjdA!jis3I*0G^rD?`7R-&s`g-zN3(Qt)>zsCj+= zf6E+7&jU?uMOZVo(%){I8oY~xcX9A8erDdqmMsqsM;l5WwDXDAEI~8=16%Z%z*@#} za(?y$TT~;_1F3$~@3mP+T88Ey9>K(gH&n*Y8I76ju&cOeuD((hy*IJi+@IBYhq{uo zh)hM!IgjIn-9XBIVF%jL?R&N;nS)S8X3(OoY*u6R`)(=GXW|C3SbxYRjdHLHy=M!v)$LYpA6I`hkw}R5+>`3DHnvlEc{zzA zHqveC3P?JIYY;dNWP#;zU?W=?$4QaTKm`b;j5h`5^G2IQLCWZqh|HLeG>_qVYOF2Q z3~fyj{kf3*7vRDjU!uLUiT=o#6HKFU_G4n0@`T96dzK=y3T+AIP|)%ptNKIk_Z(4l zQe>I0?n(e{|5h;BBH&sH`oHzN%PR~`kc>(?XZc1;-M?i!_DplPDqBOxl`g19ETH=?6)_GLulfh9}jXc?;AQA7W@8XQ=?1^1e10r?G;Tjv3 zXD}o*eSQ1cUw>9PsaEK^G2xf?pqYsT+#I&{WqATw`>wa^_iV9WgUyZ?jRUctX5O-e z1kbO#^bN1YG==Yk4Y0^<9xaUj#hpcv*_77t$M8aC#xd60o|I{n01J9>+e)4d}|J<~c z?dao)|N8N&c9S9chx%n^Yj=n!p}dPMJw&qpO~|DT)p>KX5`d zvdLbTUp4Fn@CS1L;D}u5F}DmAzEYVz(TsEoa|lq5JBV=VwBiz^JJWMT zCu7LcDic?#z`|4SSxR_~P@CS0XFd@_*3cb;G{=@ZuCf(+;8v(u8e@%v(td}!le=|1 zqd=Qs-=(Rqy7dLirFXhzLC5Z-*mV`TY_n#?PK)^%Zw1o)bs~I~c2;2l5?Bx;=W`~C z{E|f?jYFo~U8bWp<*Qn|ja^_1e-Jtsg|{G!&{utIA{XR_@|=v>L`X)a{2JoGGO|5d zBwhlzvwLyrP6_`B#$OYsRtC~-i*rM6sf0w{`(V@9b%J&pJqswSDHaJ z3liy(Ld;%I!Gys3CQlWM3dt_t^X$(|@`=aDvNX+};w}0JYPL?)d!DJ~*|*FOVT>Nj zY4t#L2&TX(Vk$&n#nOEe3ouF*iV>dbwT_FZzsWv5!F|gs^WcQJT4d}wPd!EP!pVB& zHi!%Ch*vllDXxb3XHQNYLnZw4c1@JJ^>a=BPe8zLd{sa5 z8e}>@j=7@agy|i5!D22^UpS}v?9NS{pWdm49Q?)12{XO;>$;gK z08yaQy3m6I7DmEEN50^kXkyFp5qQ36c+ji|C z9SL42eme~CIjmiea{4DBrft5w5ET`_breII# zLBsgHJ|!cOrY(qed^Xc`d;wwPvr}b1vOYTKh3(Iv7j`~_UTB`rLoFEe!s;3H!nGUu zNP1ycs8AV9T|IU8_l%LKkWgwQJMt*! zEd{qd&0eqlP?@!xmy ze9H0P4*P8!^?iPJQbo5ovEKIgsKLKsl0aMHAB7S(Wx9bQEZ8z8w1_#FJ6igBX#qLq98JDK#S+b*W%-C|P|MAP zP~Ix*5sGM!MT}CJJC7F9Z2- zIjzj&VI7+BOW4<<1+5SynC$09J}5hXb=UH!RrRW#t1>&HKA$VlSsEK)A(&Uvn97(W zbj%Xd0nBVp)0{`G?Vgwfoi$p_X&%i$hQaTvavXgA^n+FeRQqOJTAt=7sDwc7Sutr& z$Z*iSP0Oh0#cJsMc+j~ACV1i*sZp!!U$7Q}NOQ_lWi-isLNN#$;C!jp z>?O4?cXkTJiHsioo-N?xcFoj2A&~^{yW+}PD585cC_kLP{-LZuQ%;#?S;AWdZS^ec zceTHU1PfTI1rNU`JfK{Kn(O5~TijE%!cesvlz##6`7@+Hw#_4lo~8TbmB{t~JcVNh zmh*{V>XpdhmyPLzL)#X0Ohy@w$$|744G}xe?Li%oGdxyGN^+&Oav{xB{Twl4wi9gL z`b1KZjzDy^wr{8>WQ}-hc4fK&8H|6yt7)Qd>?AH=vT$djIh(fnOR8tiV%-(gFFQVP6hUEhvMvU|13HPZ^1!{mh)D|eoasgw1cF`-zWQ^<<_cP+hv zgZ@D>%B4CWCt&zVSnY2nQ?1iXXGf44TQAQwO&G?{(3CJtO z1|hF#byWkV zl^yAm0Y#2JKPqc~s~9_*K%5c;I_b4{T7gm-*OVu8+-}S&@2$-NW>U=fnCnBR*5s;} zSd5+uv7DUYoAtncI>(Ils(Auy|hajq*Dz^ge^9mlaeo~$r#;3EsygWa`OAQ`k zT8l959f+4SLOpA>K>4Hi*OHD_%cmq0is$^==4J58N%EiHk~#%DsS`FTXGBK0=q+SL zD(r}Pkry;c7KD9>l0xz8=D~x*ySF=|Y8M5#`FxN3@sFhZ72Dt2Bj1rf)ZZh2{NvKB zolg!F|Ap=Dk^dw|dj#(5uIebG(B~b#SQ;F4fQ4rRq}&2ajrZ*Mmp(Q}d|aLUiWJ*TLz@NuO^qzH?5dB~!veM;)tPffu zJ-{VHIwra3uvgWna}F;$H7?;+to3kH=aC@++i6lN?&&d&lY?z^dRc|Ka`xTD!Mg6Vey@2)wz9b4zSU|fHWA8e)9$- z5DT|!LUIxgwe;p81X)LS$D-n7LL<$kX(Qv&8Uv7p%31tIwgGAC!!U1Nyr^PH3z^u! zSN#jVLBf=FF*X@#c&~psZLjBR+WLFw#U!MQ8PZx}ikBdGVsbt4;+` z-IUKZvTCjO&iiM@)pv0VT}jGp=^ncJRu8D{2bEB`Q^l{A;=Dz@VjnW0SW}fCr~?^& z?MF6#voc!TU!r<0@kg8g~zsVen#}(R6W|P(BZtfb)8@)};RL|N8L? ziws(%T{p55gtB7N4q>g~LyeZu!9Oiu-qz5e`?Ur>;Zo(g`_REZt9`Jo36#TFYZ6nI zGRa$Z>eA@{gl{@IC~jsfpD{^v}u+CeoeJ9|NvK*Wypr z+uK?Q6Y;&yD){P0)>9|Ii#6GU-+mOylhD;Rzzcc{{BH-b)(m|0FYCoQ;Kdr@@mnDL zl;v<-!hmRw_nOWy69d+Vd?2-5VsFuA<+id$SRLn8SWeT+^5wSGF@<)jrSX8donz4y zUFu}e?M%}czAfoPCfoR=f=*Y=Rjp-vMjhMrZKNLY$0X?CoyDO$?~Q)@$yWE>*^_PR z*8eoFiyr&Gq&Wkh+$Ju79{c~JuO2k;pZAaMKYB3O|L@}YwC(>6`)$DmP$DUoy#VE( z+8hDZD3*Nz<=^hu9k7fFnTZ>uhL)l>&ly^)DzHdR{}SntMq=;>4E}(B5`RD`GCsLX z60Useiw-PjG31O`UWXxP#E>(B3^^l)oDs`&8gfQ-j(5lzG31OGaz=ctoDo}8{)X%j z-CYmaAwIS25W)HOTenwO68?QMUg%9oizMG~?l#;B!2G?{+|MS4Nh`w>`=F`B^JGDC zDyJ+b6b(@O2tLJL-AE<7<@q!fvTe6-obJDsRKYa>Hj_q%2+gZ#qdO$dT&SE#rngW8 z0ZWh~95wq+2}Y~7#w-!(6zp1aJ0iFJgwaL^wWaIqY1VF0NrC2GJ3o+Td;;fn zPOi|=K%N(4!c&z~eTKIR%^U>7nC%nB0h_Xuh=?XT`a-o6b7j1_@y_zsEG=3*sUrdn zwEXV07R~@&5W?j!yrDS4hB(QUt*_gGN_KQhhPb`q`CY&Nf8*Rwzw7n?-#>o%@L?nV z@6lHej|cz%T|A$*|9>lPfB09;+u!EoZ}IKlrAxo2xtyGzRhE;KJiod+N1yeCMyAj{ zS0!F87ep@^IJD7;st&a3Q7_Y^iYyaS-}>zMoeuS3oJn!bW2Qi*kwpXx*nr9Dt4=Mb z@PNEdBWARqoa-y|zPTt`_pm;nloApA(diQ|pEMM)}DO}WA?G#KFOuNNkC zN2v4D`7BB^bd1<>NmG3Sk_psf1gW38m2Pj*@$b%wO!+l94#0-$I)zJ1 zyrsLZNThwP9237o7_i&TSPG`Utq>v%7l6Qt=lpxV!-U{ViW1xPu!Z{>|r1w0!h4Df-m=Jnr!u5H#eF$xp#OkfE?@31AYm#6m#^_kM~eed94h2HP|0s1$1x?Q=mv$Om5@a@6dgSUr!zncI2 zm%W{xoxQ$BH7}e?HsK%E;4b{I!DGN(8T=)LyIhRTz+~q64KmpUo3eFy48C(%j1tMf zB%yD+2AvWxr;O%WE2tm$4%dyTVlfe*{cs5*?!noSRXC~_tz@6|*v?sWJ@S2LTca(b zB&6$E=$&4d=b`x+hWV-VIq3fO_DSvEIGpCMFsi+u4^XMx{osev0fqLgW8y!)CC5J2 z>n{#&-t*)Esh*It+J`}Fsfqx+( zyJoZU?}UhJCM6H5ivQZYYI3UR8$2nDxzRQgdh;bg3N|Lf@$CFw1vXTPFS-)CRL=@$ z=ej4SKUq$%TtFd&*>bda@g0?YY>UGwf9iz;-$T)EXg`vg zeaexdDYGq`4UVvWH6XwKTK!VUq&aHWrCfh%oN1hl6_mBYq*X3RMd&r<2_3i9YYT>{ zo5n8KWErP!{&tsebx)V%Gexbhla29qQuy61B5eSoeM(Oc{>uucjbLDX_^+=YK5FKF z|N7DW0snOu&!>(5D%o!fFfcPk__2ltGk<6Uh1H-^HEh^**;+qD%nhvsT+XRTin*oE zi2RQdslI|dCI@EyKQPQnRBadeHryf7_2d~wO@2Rzy5SQ`sU}i@t1pV54!)g``zQw?(TPw ztDk;-8-Mu|9sP1L`ah$ee>xg{WB(goetQu5^4^zwd*A6V{&m;=!@oi!wO`=Pf6+3o zF~#lHIPQeOt(@Vl4iRu0**3atMQ`ACKxV5G>bHh9gI|hq>C%5p{{D{^09pU$x$GHG7GUvtV#S?vb!%X%SlBv>%uddDsd?5$eRrw6Cs{wZP zxxud7-M<8ZvUn^^W-KPPw?lO=mgaJCu2*cWJnK)Z&ue3|pcrVLAV+|l1`L$u&-Qvn zPpkJ8nbB*8n5n8TZfw(n>sj-tKZ|_}bHpNY&K9cz9bSKRaD1o*JWr>GFmN2l@)e7a zCz$E}F`-FI>Go}>RL2vkXMJGV+gHJyr{UvVZrJ!AO0*0#*-!mGSHQAp>llOwt_I@H zowjb&-k{|2W^kX2qPm7bWtJ*urf#L{!}d(w_>7=YuWQL;yMYVwrW667SB)e<26<1x z-MgC{Yi<^7T^)WQH<>w)^7 zk&F+&(0n$kCg0I5(9rk!>fXnVOmIcR(ElA)_~2{D!)9&IiOjpwml44OZ7lfe|TFs=$HYKkSb%6pu- za#{x`P2)qT_gIrQ%g)uVE?1FqwofN(c9E%EGCD^U#n4cXA(P^R4|kMHI+^guTSPNV z*v%MC^4aN(MekRT5YOSONPkt8EP>w${D?`ppPH24uY9`@pFVf%DpMk04ownqbHQRR zS=1F6(K)@IN|^XOt9Mb-;bz95j*2Y*Vr&CrW`F&g)T7~r!?ImYF|1ma7ZY!|!13=!D+?1;VLD(<69dBr8_TVp^dqA>udNXSg6 zykDhQo~!w+Zm|Nxh?ta(2F%vnKXrSCQuY9^&D|I~wg~1VXym%4y{IXoMfK}R2xhqd zC~A9u9cBv>0%vB1wN;t`Ez@YxO6b+M_*X~%*c{UIgz_{W2|2=92Z;zo1FRLCQk(kB zIT*0btuoYHbb$~%2N|@CFGb8+=3!P$_ZqTbXA|q+*V1JwvuGb{b`=VNS<{R2(|XgH z6uF2*Vh;T=Gog6$+O>suKP8W7wQrl0UN?}Y9#N>L0gx2HLQFa<2iFFh%sc0&|8__73lo0ec35?@fNO`@g4av4#5M!wXv+cK{yMgK{`;qi2mp62*@uip zIg5=d4le{uG}3~jybr5Pq>8nw7AqdFVQZZ8ITJ+yAAhdL>lIG0woZ^m@EIXQzToAYb-;`{CL47O>}B~Y=Sr6iJ!mQL+N(0DYa2~8s=`@*`cZ2?N{ zet%DqXvULRvJ?W=(B6z}-#Z1tOCoYbCNx?0rq`cPOGheVrWLv^uXx$&M_F?{DOEvB^y(MN zc4}vgLgi?e+9o5N*IHh(EjnNo*RI3C z?s`LIj8{x#?PyduKA5WsG$lOJIA zCTeTRBdU+o7@GGtvw`Ai?=#PkrSvD^q`Fx8xK`WTiUz~3eF}8#dR2-K4{P^lMX9#X z)_e|0p=M{nCeJlI4sHiEHnWD-eXR=4d6IC&B9X=lez3YD43L#bL?b|MW<1dsqHJML zijvY}5eMCbPDsk8m`TWlg)oXKDxgck=W`ZwnzLj<=tPToeNd1a$#Yg8O-OIJFI*%K z#QjZEAz6$k&jq_?Qn7O>J}fFMCISo0+^E4DGCJ4uw!i;-pmjqP(X9MPAM$!GnDrRR z95=}9&|sy@}Ee)@FVmCYag-KCsH`PkXYQtX593Nu!w2vRcX!fdZZk2%s`T+=B>o0kJ zt9*57`lw4BJyWHB%|ybZ;Dv1y#O#_SS_B=;#VPxK zD~FdXA0cHA?ci>OxGXB>&=S!JOy0KFc-#)0D6@l8a3L5{Wd$Jd}Y= z@A3n70229f?=}QpFs>(5kIp5{*>uZF2DVwpND3MgG%4!qjP1APHwe_hE<};W7h=rQ zjz|N%<57&6nu~ewy)BS|Zy2A>wyGHa2rbqKg`K#0FD$E8{uH<)fKYS`%QV5GLFlht z3b8}F{YE?E0MX(Pq9o8(~^PVpSfRZXPT+3g)3)8(Md9qgA+|`TA8tL`FZ!46oqGb;Q&M@^2#x=mp{=4)kGxzQUf>O5 z&MZdd$XdJU;qO??Dep?!6GrwY*hDM%-!zYc6QCZ}M34)@l`3ir(s{^j%9Caot*wVA zv&V^=7)5I4hRg+tvo23wZI~yXw`B9^7|cuEcO7A)f2hXfJBWggc18VZ4eMIy$*V?T zf&zoQ-GucxI`07qpo0zb(g!Lo{W(v2kI|k4oS7#fR@mNpjZM@K(7I3Q>cu6#wU4{3 znXp>YIn%qq3P5uRr2b6uXA_bNtAoXOBYtP>vhS)swXUhR^HxP%p5QSuG6ZaGyMIIZ zuhroyX())OB#MuHZzr%bPZZLsMFPn8ES7YqnB|mrg+%m_OXZ@=)DgyEm%4#&p=iV$ytUu1 zd%zHabdPgPxmTqwg_~zh7UFP>ow!>Zev%>!#{N;Z94x`-EwDaY;@yt8>ilD8vcM_{ zmbZ=N??+_@9Oox3tA5|v(C1e}^>cng^8e*gwowW|fBwI(j*gFx>iPffAKia2TEp| z-n!}TtYXym^k%|aB~{aFka8ELAqbA5DNC8;(UQ>|3G2DJf8u%R`X>-J3G#VGmX^V3 zLq@u`=Tpf@*CUm-mXpq#cut=aeHqHuNCl^xZOaDdbmxy_f;4ekOa^yL5~kNjV4v*< zbbovqb4zgxL#+A`tKRkuvFgju5UXyUA;`M*`Pf0$aD<%aVW zm3i)N1JYo=Bip&Rx9|Y3&iYl&r$)jy3oz2ABwKe)xaJcUL%B*sPiTa}rxsTVMwNf| z&{8ax3tQ?5OXybPKdu^WHw>yYPIy|@#%1P`pjfW!BNFX%mZN2-%p|vzJi#2x(6k`OM@M~4c4R`Jx^3`8IxB>+OdW*a%ESvIiF<>c zp0G?Zy>jv6Wd;Grl5tN|VLUt~lOop}t#XH{eUc$csZeZr|1WLNrLK6Yaz=v^ko60} z)?fwqsn>Xf7zI?py|b&CjEhQ0K?WZGzFozqlB#-;nW?#1R@M3R7QRE zn(&PG%1Y9*==FL+@YZ9GMxc7#rnT%h7n-!L5#Jx2^qIsU;fbEm1(W0fIjm3ww-lVz zLhKL`-)8*J@$sWa$4l`)kM0lgKX>tbChAydGo{<|MTXFKmJD#1BGB~{7(^o zwD_MlPtMWb(ii=sUmT);8Z8geKST7-=N$d>=1D;G4{d%j#Q$_N$q@h3H_qjT_0dwr z|LA{hDgI}BU~@gFTL7EuX4}B#PIm*?eCZj$<^$M#0Gqcx1K51|8NlY|8NlYP&&LLv z5Ad_v^O50aYoVw92@URD_FpILd=t|zJYM_n@uP>w#}DfE-{Y^39~=$#-@AA|Vf(Mk zg6o=otNaEHt8ev(C4;ZiZ^PC*cU!wNGjHt}t;QXi?y36175pojJRF(;yyj3`>%)ZI z91ccg`wT|p!HE318IddD5Mn=W7bQNM6piC^$tJud450t2aAH4ptco;_NrpdGGO6Ff z2$uur17rdVZp>#mKU*Dh%qDupCslb}-gtk( zwZ~d+%4skaJ(E>A4U3;Y<1Fd8>xHq~^QxK3P;M)$PvGYgb_d(M$Y)wYLeL$MWlPv# z4`sf<;lOBCXH0$jqse>|B3r+3cHng<*SxalOHqUh{s($h8VXd8+5F zcO8i&i#2!9wZObSX<2zilS0bIBR_FA@$)C7h4^7lz66tb#eC zxivN#Rzc*jiD8(es5314Y*PDxeTW#d>Y-^~x4cg{>-*Vf4K zLcl%Fy-G~A7@_3B@mFNmOo%*9bDl5Al@R0wl~cA?)~4^>|3_pu6?XC+6PgG)r#aYM zA3gBwv2L3ztR;?UdyCm<&%2ss;eT9Fdsnlro)wnVw6oTl;u0Q!kFdU+508$>?wP&8 z;}w%Ul~TxRE&HPD?|Mzye5?C&xw+bk<}=BZ7N*W(;X>Zbcr>eRI2$d2@(7cC#9Y0% z6olLqsh)w5ommV^avmQ&__v2&KO(!wFZu0KbDKM)rM)%iX*lmQB&a?o7f(NA5{ut& zrpDEpY6R}&a-mQ0n4`I*`??ACs6)}wa`Ng4 z+5O`m_uv?KeL;4A{k2m@ZSnYqX|Zz3TUD&0S!)1r|5}{Rs<>p6>%|TKH-Yc)(!9eE zgilkaVksRbc+JJNC6W~iJoe5yL1?J}&_Tu-Ty-Wr9c{WIFqu_v#JvfbJJT`qIu@<^ z(*>Itu@H%QCR8W9s$79~9t{sdulEgGr{OVwSu2?0?Bm>c;u!{K)c6)V}7>4k?b z*##&HPl?KD8jly~66iQ5*Fey)Rn!PaQQ+k{Wd@3A*(9G%nKWvcZ2p)XRqpx07M z>}|7$>1Ods(fXn>sO`~OE4(gosUk{c

U_GzfMD`6Lclry@$|klG4703Mo90*5s||4WX&Q;R)hxV3_$T!*8aZoB zdxY6P^NB~Res>Z@EXzl>v3J%VV2n+5-zO2$TFSdlRjS!Gj;M^u?z=DFt>f#|CnNYy z<5Q95EX}VL*=A;or!DQZ#>qtZ0*ucjj-6-JIOojQBmKE0lTjjg8i~0kc4;Zs7waWX zEm<&~b}6v$XqF|$DRnrNS@aIBDaj38sFE&gT!VVWydPI;yxFU+$XUy0KEitjzshnn z3E%1T=~<53r0ATd+cnL#v{yG?^AwHOb5W!~bTH4s71$W$z&kN7R9=rSG@`fPM0|X7 z|H0M|qmpyhJCDlG>n0vx9f-x)CikxUh(?P*DS7lE@nwpQv`JL zY?a&CnW!iev&H2L`*l$>uR&2E%xlhQnw#xnb1Bsr!eO_VHl4Hfe#Q~A1hp(o|n&UV5ke;bG)oXY?i8X!ZTA!MkA3~Hw9^MHUlrVt7Z z%KK89|C3{Wn3O`UmqS8-d9Kd{M|pu@6l`=;%ugXxEnQ5LneK?EB;l;EbS>jLX%q>w z`ohgQA+^>5$L{m1t8;Q$**k7UKEt&2Kv%wK|E*xMqh>~!(D~oGftpJF=Hf+(*_EoB5^hP>At2e!LCdu+I1~m`3LIZq? z3uzAA4=NXT?=F)1w!SIo=u+F z)0xydu-;{Qsa1gGahnyVCPNo&yUqTsdCV>hHqBjz4rE%rqOBIhA9WZ8)k|6UJOjt zA2?|*cdedMu)Gcn*_e-yS+2nD4!HR==g6=Y0S5@M8$q}#9XDleP*^cA+)IJ=a#j)pDd?nP7Ld>~=1_>eB-`Ad5{&=Dn}<=!BvAV4yCz z!m?~D3**Ka7}r$htnUA;bj$^E>&4QCl`&e}l-t^{pHC63T|vri?_pEJ$(|-nH0!1| z?W9n%vmkTaiWY6R;Tro`Nr&c?~O#ZsNAa#Cadq(&`}{g7uX%) z^Erz-%~`TA<=WA?EqTrwQN(>0C*bv3gdA6dPg5an?#>H#&7@-IklMS<2Uf$GQIkW9 zQ3IO9-~YX*bAA0%MKr7Mefu~E1;-?kwhJl$qV-i+L1?mmMGLFu9)5v6k8IByoj3IubCoB*mO#)6tCMvD0u-H}E`Fc4vfaO^|I zWq;;%{rosH&{|YDttNn-?6)+!%9+^g;1?!Et<6*)_u<10H~xlH^B}z;)MiKZ)%11; z7hr8BaB;ol`K|EGrD?k^2lUL8{xuT`kAfDiO&qdomT19nFc-h@B%udFP7hf+dUL5o zr8@kPjSuzCJ~RM>!%LQrkcx+PU|S_5i;Awgx9-!#0TxcJ+qDIcJtpDco%1}`r={j+ zni7^qa*^p@s&d5vP44mob^x;RvJ>@HJ>fzs2yGFfapscdY`UeR8{4Xf^avVP3H;0c zYS!rhE#^WLX?!8Zyo@o0#ZpD46(pNqn3#ylxtM!zF98hMSI8ioEZr3jv>IoSPL}m5 z3q5GhAizo+f~pc)m!|GMyv;78_Cma~WD!?vAHqxkZO7(g7VB1Vj4Vbv6CkvQU;D-O zZPhFHIax#NV%NN`7@cf9twJJz70zP#iIrG1$yAX*2&9$|83tka@VnR9tJWdtaYPZo>iYa0BqCf z=J75uOSH09;$`t(-iR^)rOtC>+Y}CKX0uMj3ypy^s2r#(VeN_moAspQ(~jU!c&m$d z1Q^aL^J6ni16}Y^37mX&kqQ*SAp#BIjMAw9n48xfcFgw`h{&J@;W;gQEr; zt+lSH0jpT7YJCM8CaTscdr~TwY zFW8iAlv=)JWuVPQP=x*^7i3QJXx6<0)>w~<@@V2$ke3GNpCnaJS_{O^%kkV+q=kF5 ze4+oZ9lse2biR(n%9D_-a`ob}M*F(k!p7<1{nO)=s&0R4$fJHETtr`I7%>od^|Pr=D93@jm-o-?<&UJLLakYd=QEG;Z!6vogPlb;W!cF!>=D4(Fflg zO};*kkM2JjkH3!Z$H!kq$tR(PNp!GS@a_tuXDHj6MpL4DMQG zOA>MOTJkARH@ho1?U+QyMty}I0BI)h&s{uwO0{OM1cGnM+*9}!+4*wk6S78hMiBN> z%c}Ynw^)U46K0vyluqmBhi2v~kBYvjdT5$H`~pK4%>c}=t8yf`4^I(`32b#*Me~PT zt9;+LNn!u(2P}cM0@NzW1-eD=@(fqFGcY3eD!lC6w2ZkT!kd#Sf*9=d51LbG%ur!|MaA}pGcuL z10SW(Mz9XK0Q;7+)I`je)h8L0ZFMsSt3{gA4`jEz+`)|wJipod=^@<1v#z>ycShW& zA2P9$DXjBj-)6-ZKXa+}(t}s&rjfy-)arHcx$z9rYL-1`+nj>qGNRF}>n^c*p$!_x zf2MK~e1|x3-*3G(=|5NC`Yyj&E$JMMV-_Ep%BfXMg>O4|-3c`_b@-=yPkzjY@m#2` zIi9wC*T6kt&O!Ui2;cEf5azX(520)yd zg!qP6$$PY7$&Z#XG}E1E0>J^*Ql8#EMy1pHEX$Hb1q1NpNa!(kTJi+=aBrVJ-7eux z3FOmwdnhzvG%q9zKG$l#t!M7X?U{KyreYH77K)K`Cg&W%{H7sW@6cxo?k<2LWW+A7 zE`#;bXSEM}V*m2$(kxZStk^Y6D<#x%OL7H9-SwpX#0rX#$&^CHdwkUdSm3$!}K3&cZK{&zs-0Z5wbC8LxS#Rw0rYE>PlwR;jEbx*N` zH>!YpTFww#lGFE05y%;2g5veQ*atumAhNM1k&;A2G|}sXe}vGgOp3U`9fg-355#C8 z3UULEwS>QC_B<5Mda+9MDt`R()0!gaOh@A*eLo#D8 z-zN!!oc&rApx#LMzO9rsMdl_fvn+qzJ?8w?=Eti)s%5OWW37~e;K?kj~*nFwRG#sF>cv5StWX);Z?F@X2(SNMpo_gIKRdD$t zNOeG*y;36LvypHZ~B8TX0MTciES{tqM0N6q^(Yo|$;+nR2qAjwrIrK2R-z z9+Mpx6rpe1V&^g00k6Q0w^CDgbcRaoTCc%k_S1FQ>}i_I#kt^VUY?f_oFGdEG*R&z z@1ZL;&xE9MvB7MY+F18ab63;Om8su!S&UI53el=BuP&E9Yc#cE46gym zMYD{hPD-3hs2DOTBk@a{pxK0L79`O30+t9GQp)4<>e9U2I?c@dZIaNbJA-aD;8y2# zi4n&e1yo&KnpT<#6h~$GnssLY+O>%_KH7Jssi{cU=|tjZH3qjvg_JDK+k?S3Mfva) zXDQj=R*o-%N@W`X%&^v3Tbj?R44Umo#0F3%ewklTR{;L7|CcG+x+2mFot+XEB8!pxrSw$vmoXaL74wDtXQ%`1wt& zZO2)@xmUK);YLEFG4@Jy(ws!)&s>#A{izg1=HS$n0YYG8qbbIVD0AYk5)LBfnn{{i zl5vwm$mYQ|VZ}h@oX^>Q6$1+CV8@I|$~`slAPgzR)m1Dc)TZ|+>J1=9&D+zgaUPX_$1aFKNWqO=kKwULC=P7e>Z^CSI)k?40L@W6Kz2H)5ZZtJ@d)l;de0~CXEyiV2p@}&B7G(DwZvq18`srSU=TyFE ze%F~p+3O-9crkR2i>1oE8-;c_qI$)N3Ds&axB0@|gTOO4Xoi}EFy13><5&)#I-G$C zza1tTpbnpxpVx(bDNVPb30tkM(t%y|$$LI*^ITX_n5Ctp@? zH|p2a?&X^Ec5R}bE+b*%{qe$>!cWhhTZ|S`G2!@33MMwAD&%I~q zL>K}XVqm(&s4dS!%yP<;F6ITu7DYT3U=_uZ5V=a!2p4yxS9b)x`@B^FW>Te!;4&g- z@NzwAOfig_l|PTXkg9G}#`^vtzq zj*TJQ{+t08%JWqg^o9Avx1zS$kG-Vs23lc?ubt0A_vgo+Y9_@sPkr_2mZo`bKJiV_ zHv6%srL~qFq3;rAb}VHt?7eG*bX)kdp+e z&*l8uH?db(HNItbE$!gjTbOOoR$XhGqH-80Cftc{I3pxh=wu9Od$d~9=%CiFsn#0$ z{WkU5txoQ9QEaz5=}%Cz-Rk^4an<(L=86Ji%^Bmz9rNy)X1nCNgV}$An*CPi_lc|a zTbygJZr}4l#yZN!*BAfkOQKk=`m_Z%B)Q8ttxvJORJ3a+6U~xh%3Fk2XmC@ljBF+u z0K7*<`aTsm=?H4RtB!)Q0j6&lTpdYW*{X5q{Wk7!vop4+md(l@0!o^*7ku6(4*Mr~ zVLx_k`no~H6RmE(XQ=|m6$E;fb+iFIELp_#1%r|a<?|%{F*~~WjnL+f}AtSMSMUm1q_&C z17ntm8*(h!-wrz?zBMDHjK#`f2Wr|Q36)cT5z-X$zDFXxwcKpuLIy>Yb}sbyx`F00 zw}h?OmDR_Wln?>tL_bhD=DDPjCkvwHG)YK?v=9@(><6y>@okX_N7E6o+FcYqq#$}g zG4$Z@d@f?BQ0IK=QN_SqNiaOvULwLy$UNVH24B;g$?+oE3|Lox<(oG(+)>W>S zeZ;xW*}Mx_g=-UVR+*kjEAS?K8?kVvZJI|jtbG=nN@%RBLhZ&^HZvCJ`S6SOs#^ZT zA!Bk*yN%&>dy0LxHQRxkkbLx!tq?`~OG z40A+l=3RHosSc)G8iC=x8e$rM+ISS+y#ssvoUT`|_@er}wremWVn#QtS8N)xc;|dp zRdg!_A*!aiz>r%K#IoF{=K-+>fYo zMZB?H`BlGLWvLAms(Kq;%(V@@s)fZUFxJOYuSzCD4QoYC+DK1edC8y(LtyGWRZPSW>3E3;TT+}v*{`Y2k z0^pR6qC$<2qcWN2d~R}glQE6nGn?N@VxA%6f?|@yf?*yly#lQXpH37}LZszA&=eR? z)eWSXZFv4vE;5Cagxs}~O{t6%rc`w}n4-lPxq3TWG?$B&9aeeH=2=)t74vFM@1E2D zpS`PFj$1ddHOAM z10+a-BsfF;ZHOCNLlOiUU<3Vi9@2qf}1ySNdg)L zd4#Bu|8|W!lUxjD-d-YM#8sS7IK;~_s3+Kh)m$(uKs>2Ju3vD zgsRF|yFw%pscOC91q}^8-K{L`G|tKW`gkplL-sINa{h2bQ^~$`D4#uCEgf1Ea**Go z?2hlX?^u?PTN)KAg=|&)(9OnHJg~~SG8XEJnPumz-G^GFo(X(i)AQDY|~s}>yO_0MHN`N(Bwt`TBaUx|*;t3)0FjE@pg0|6!ju2!HNwn?_r zY6;>2a1)`P;TgIt=g5K^vw%rS)7DS&3p%%OLhotG>S^L*B$ydhF%-;?nb0%3zC~+k zd+WySMb6b)U-;hU#j;jM+qXW3c~O4xg$?myAN!e8D^<;@lIjRt8b=jFHiukv%vf9gD?c@#*{={#`5<^?yGvE-v1koPS=No}Hhbe!6(KIQjhP{L?$K7`3M@C6^gZ z-z^S)SG{v@q|9cs_cY=EV5tOcNfXX~W-NwOB**vvA(bM3IC+219+(z0lY&U}(jsvsXkcovm4XtajC_oJS!`p>p%;hsE*9r{k0N1pLr{BDE=4PR{pA zOR1{C^{kXnaRr~%@5MHME2_D@!jvNsm)T#N*NUvANtCBFsy6@?9*<$|s9k(dhzx|% zmfzLu6B+=mx$YV?XQq4ga6+SGLr<`}V8gc5=wy+w`10oZA7{(T&s{r*N(W3J;nj~X zWvUf4lmI+5Q5WjgvibJ9b-Ra!C<>smKmOl?^ zZe==HzaPXl6$C8FDe@@Omo!0Q5)5ZDc#f1MnM|s8g zPjd?H3jt{pvdF+zLxJj-8$eK_B{eLle*MMZpn6aG5TW}0_7Vq&;Y`;mHCo{S)&aTy zDgY4^8j#nH+TFTtcD*1-83Zg8HomeqdCsf4pfY$tas(bm>`KJ( zYm(}9wM}(?5KZo(rXGfaw=zqq&SA2gd&ZI(jrcsmmv88-Lg{RG==D7cnKIZcpdiE zDCm}oHN>hHsd6w!92cAbcozS4jgF&b-TJ*nh)C>&S{$fS^qj|&Zc-2QT^>a{@|f~s zgWVnY`4P{)V7#j&D-rIF;G>G$XjaAy<>s+uL7uYZJx~6@QhwKWI_A3ZK)DB6F27dD ze;?F!^q>)PUM=})t6$QzcrsS~QM-sTeqs;MqGu#9{xmykcYHjx6>7_~UfHqHdj zUGp?yELEH0zyG-IY4lBbXElnLseOX7c-58Kk@hv^v2!*pFTcb6VV;_)S5!1)NSt3* zDnxd5>1h)DsNC$Z2CgoRL0~!uXCY|jqH$fgN}BI)WT=!H!#AjXTIEM)>Nc z-zk&@iObVu`Gsgfn+RmBbj!j6{Y0*JYFwxwmJ177)Mxh>olX8CQzn1WIDtXTHQSZpK5Nh(&(l(+!% z#DoTrE-Gf(qe$;<%uKBtzq3>vHLD}kNi?Uv33LUOO9_5mAA>wiS)4^Xa&ln^0{#d9 zkjxV`3cy+GGCnZ7MJ56f0Xd8s8zdr@JDIWVG5N0BZf*nSf#Nn-JK;fnemfMHRUVsR z^;HtSj*$wAYl>iyNzB%eV#~!~;FOd>jvVmtK#Z%?mGn%rZ;A;peAn}Icf+j2hlrvJL~gXL^#ITQu($^Zj^zLldj!aucyOEbK-Udv4u`K>L}Nhh zHVC`rXw*|q{Vq(qA&B9)c3Y#1r}pFbY{9sj4c-^$CVuG)+VJj1Lq^2B$zHfO@gaNn zB6{y9dGE!+8{!#)g?F^S3nlmJ-+pA~{|-?4n=Ebke-=sPusV?Y<6S@ge{ylLsPlg; zE++i{S;{NM|E(#wFY15$b@{iX*!-7RfAM<*;V)lW!}W^`FNWq9jrQjG__`$cgw72I z8%9y$`k{UV`;%us%|Q9-471^QB;#574FZ6=dQ$=Mg6d=-&+ zuM)8muUR@to+u5femXfm9apCK<{7^E=|u`k<}&ZiUU602=zt6UAW0%39_$K9;q9(j zpJyAT9@;RU9;~xy#jWa+2h3S{pwe`$UumU59l#7A_el!{J0UF2TXI{^$ajJ5xMHc> z!pT86?Zq%yjiUD zT8D+?uLUCCGG5CHZe4*KLzYnY*xyC$Sl&CNxaIL7k}96ArI?Rjy`=0a z2T2U)G4A584&02~wAAHH_htOV8v#6Ow6Z@TbSvUD0Sn|YHe5-tt%VEaV)qB9+Pen7 zHjBYsuhv7crD{Edvo0GJTN8zd)cU|6l#V%v(dKlr%!*CEIu68kz7`RU*YmZQW1^J# z`NjF!qGc%Djx-tbWtQ@w@9@ad+}9ASnUOkczjd_N(IK$WP>NNat4cftXwqGAlIUOH zMk!#bA?IW!9J*FI@Lxz?HUj+H%m4i8yw3mp>GNXZe}0zoy76B<1rLCKm#T&)`U^k1 zz+Zf06Z@6Ao)?3Dp~XXxUwFXQjlXI{1A?no43dY4INBMQ1K&`I)rO_WSnt&kZ7#`{ zQKPAMA}0ajWgGgyNcJc&`Jui}n>EKI&(}bjgH2Px$kM zKfg)*88nqA{M=B3zEnN~IDBwo)uQ`AksT36gN^xVBcjlaa!_*5c5@q0NhpWR^)xKV zV`Q@{q|4NAYp+f#MD3Q^csDKt<|A;~A$@T_B~I0b`m_L5W`Tny?SW7g7*!?;vjM(3 zU#Q9>?PuLsD9g<1cq{bM89L)6TEZ368o)lfrN#rb?*vz1TP6pcY3>{CCmQPmN4j&I z+ef)`j5|hHOZ_h_W~oxB-iE+yZ0`f|Bz7*eNS!cAT>R@p%tXnbJ#j;q?(BbgvJpfY3v*BxV-#cg_C8D`wSYvt__aTSnX=nSI-r+ z*r~mM&PGHJEcFQ%*0;J9fW8K1gFYeJ(q>;D61D*Mm@?PWbts`SAZBht4Y zw^t<0f&@T*CT!I{BbP}M?Z_kJ>kVwe^iz_Em_&kxvlWeK98@*zjC|v1sx|;Ay#wcH zOe(^~vgi4HojE#{bL((fkcRUQY9`DY!-Zu+fhH7aLV?~I3RF>5URY4&3138L3+jr; z>pn6)b6=$y<*!=l9A<(c6Xw;11@|7??BC#SB*-+4!Wxh@69e%6{1eqf3uZy|?vw{@ z7D&H&b|=&d@`HsuWkK6qbWmKwcIHA+xidL5^rklY+`{<-C4-(L*9Tp<> zZ0S9QRQowqf+MNcsdiD&Foc~Ijc$77OMFed`t$$}P9wSi_I3p|XC{=)fQF&`(p)6W8QvQCrW2w|37B8Ia5adTCz zvfxa~1X7Xo9!|zmjIG*x93r`dx&o<9sq({8XDBuK`;V`f!QY^dovhNNV3zjPX5H-< zF09wxeo@1C?e?o{Pt^WyWdfFk@8ku;6*koo4Vt~cx=cShIc;$_9K0J$QAL%mb3#<>Eu4RVXS zi$266P^J)NliF&iV+=g0^e ztnOo6x)x<)rOeERmX5<`8s>Ps4)+Th@!R8sh@*uDqQpoBjF1Oh(Sx+a$7J=ewH<96 z&Em$=ZFl>3g$%L59o_2G-dJA79>?Nmm1FU-&9U@a=vao@>2@=ER!}Va+3fu-aBM^R z_gHr8JMDKY{Z_oIk6yNXZwECK@WB?n-DQsf>$mQ)^lZkk_-@IncMqRd9v}Eq*#20& z5CAND;s99s&;TrBVggva2c;Vya5T?j*bc)AuskDTfW;3tz~U|4ZVUm-UPwZ3cMj08 zKK<&%7F_-EL>Qj3Up@-04|8yI%^P{>Umg!z8$HIY4~uYh&kvF4?OdRg!YH_e-DjUM z?ZqgtytT#gRU#Nzd~ggb2Q02$8^U&E1ItMG29|b|14}p7VeaujJg|7pt-hV`kXhFt z80`(BCPh?F+UW|f7f8lo4r+0n%7z;r%=$-B$^BtA-Y|m5bUudQAe_oudPM+MllKCC zZ3wDU1cwUIvy&NrU|)Y3Z-!uf1$Xfgo;ruz`bM8vaat^Okve1TC`-H~Nv(e~~kxh}#F4H%|Dj+D`0Lst>QH<-mW&0`770IE&Vu8h92CXAkDWR+uv z36nEOX;729LMsU9mY@CZSUPCS-=#&sbCErc$eu9Ye>c*$4`k&6MVOBD0jy zt>c^Ymt3`zpd-?J4B@dfU~%V$bCA@qx+)D2O*1oJOjK(oG#=e8fn`CAW@uR!>d}*h zgFmI-^S*6wpIz9y$M)Y}d+)6WiMnp4f^7W6lsfm0r(tRxf*R zj*WfwD}FZ4K*AOQ{b)Q|Iu*oYq4M+x*}c85n0kd$?D%x`*WFnuDu_|M6HzWV*PhVn zVBdsYd1Xo&uoh??w>*ltPA3FEm|ZS3jum0mS}i_qc%%%pWLGAw*79A6(8DsjEVBP- zbX(IY2z(*o+bs(@%~-V4xme&R@ngy}R&7iFyYLIJU1LhcVostESI{5qfu)k&q~hnU z3@Vp)rh2Lary1RklnH=ajW^ri1c$D{*O^&^Vdg=QIL-%$N-%jI&(F_};8r5k zX5o?hY;$_VEo+(7Mw4hgXQaz$ZroIc{)5zaGosNju@)GxP2d)~!H@ zdp-=KzJf{+m9~CA6Vm`w#K!6O2Q;T=x!JLk=E$4T9lGmuodsL(L8XswUsA z&;_lx7&@(8DMG@2COqvkH%4`{iQz}Fl(svWkT)?b0i8?9PnwOts}%-E-sFqR(j5&rLMoKDO3-o`W1 zlyVTAl4UcL=iD@Hbdf@`xWNKl!ebrE zNhuyLL762MmhCOilw}Tiq-ac79HhGhI5xWSP&Ug)e$0+Rhb}u3PnBheD)WrQ@!QE} zDb3h=#Kj-$tHu%v8j|8*aPiKHN5N}H^h4xv_(QBpq7fK8Sw&O`#p9M+vF)*wye29h zb{DDvLdmL>~ z;$quhOue1ya;W)^^;k}{*Wf;T0>{}NF0;P%t@~Z?_Hu;v=JfS& ze)&y^7j<~;>+0$iPb*T^;ok9a?0C3zJjFhS8|NSg&K|BCU#HC>?wSto%07;oPFH{j zMT4IMW&lCMYje6hkGti?94$}jV)1mY9F{t`+m+%s@t)Cr^0bbV-ZW4?&Js_VJ*9)> zNnIm{IYs(J+~ElE6zoXOk7sdv^sf+ou8t>ha`?G7{2UuYT^f4B(SyK^>&)=Q{(Kx5 z!$9XJc3M2CyJ9Ryg|CaE-#IaoTf!4P_j5%In-8P7A6~@q;43r_XTxwe11v~AQW@Z2 z7~nkcQyrezY5N|n(@EgFFg}fAU_6&V&lKu%1Ne#H<)Hu3LH};0*~O#pg!nt=-=l6+ z4-;e2c3Zlx4jr2G0QXm3DGxMO=VH}xm-OBzCaHMfpp`9DDo8`U#Z|46Ga838 z3;%AL*VB=t=}6LaBxyR5RFvsR(sU%LaYO4x=Y{6-J|kO}(U4};`bq6+-nUi++rZFr zugFZKbj|cH@7`1~%Q#JvS;}a*Wyjla=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-10-11 + +* fix(schema): 🐛 targetPort can also be a string +* feat(deps): update traefik docker tag to v3.1.6 +* chore(release): 🚀 publish v32.1.1 +* Update topology spread constraints comments + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 73371f3..d6731c3 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -860,7 +860,7 @@ topologySpreadConstraints: [] + # on nodes where no other traefik pods are scheduled. + # - labelSelector: + # matchLabels: +-# app: '{{ template "traefik.name" . }}' ++# app.kubernetes.io/name: '{{ template "traefik.name" . }}' + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule +``` + +## 32.1.0 ![AppVersion: v3.1.5](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.5&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-10-04 + +* fix: :bug: set disableIngressClassLookup until 3.1.4 +* feat(deps): update traefik docker tag to v3.1.5 +* feat(Traefik Proxy): update rbac following v3.2 migration guide +* chore(release): 🚀 publish v32.1.0 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index f36a9dd..73371f3 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -809,9 +809,9 @@ hostNetwork: false + rbac: # @schema additionalProperties: false + enabled: true + # When set to true: +- # 1. Use `Role` and `RoleBinding` instead of `ClusterRole` and `ClusterRoleBinding`. +- # 2. Set `disableIngressClassLookup` on Kubernetes Ingress providers with Traefik Proxy v3 until v3.1.1 +- # 3. Set `disableClusterScopeResources` on Kubernetes Ingress and CRD providers with Traefik Proxy v3.1.2+ ++ # 1. It switches respectively the use of `ClusterRole` and `ClusterRoleBinding` to `Role` and `RoleBinding`. ++ # 2. It adds `disableIngressClassLookup` on Kubernetes Ingress with Traefik Proxy v3 until v3.1.4 ++ # 3. It adds `disableClusterScopeResources` on Ingress and CRD (Kubernetes) providers with Traefik Proxy v3.1.2+ + # **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC. + # See [upstream documentation](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#disableclusterscoperesources) for more details. + namespaced: false + +## 32.0.0 ![AppVersion: v3.1.4](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.4&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-09-27 + +* chore(release): :rocket: publish 32.0.0 +* fix: replace `CLF` with `common` in `values.yaml` +* feat(Traefik Hub): add APIPlans and APIBundles CRDs + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 51dec67..f36a9dd 100644 +index d5173dc..f36a9dd 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -345,7 +345,7 @@ logs: + # -- To enable access logs + enabled: false + # -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) +- format: # @schema enum:["CLF", "json", null]; type:[string, null]; default: "CLF" ++ format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common" + # filePath: "/var/log/traefik/access.log + # -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) + bufferingSize: # @schema type:[integer, null] +@@ -911,35 +911,34 @@ hub: + # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". + secretName: "" + +- ratelimit: +- redis: +- # -- Enable Redis Cluster. Default: true. +- cluster: # @schema type:[boolean, null] +- # -- Database used to store information. Default: "0". +- database: # @schema type:[string, null] +- # -- Endpoints of the Redis instances to connect to. Default: "". +- endpoints: "" +- # -- The username to use when connecting to Redis endpoints. Default: "". ++ redis: ++ # -- Enable Redis Cluster. Default: true. ++ cluster: # @schema type:[boolean, null] ++ # -- Database used to store information. Default: "0". ++ database: # @schema type:[string, null] ++ # -- Endpoints of the Redis instances to connect to. Default: "". ++ endpoints: "" ++ # -- The username to use when connecting to Redis endpoints. Default: "". ++ username: "" ++ # -- The password to use when connecting to Redis endpoints. Default: "". ++ password: "" ++ sentinel: ++ # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". ++ masterset: "" ++ # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". + username: "" +- # -- The password to use when connecting to Redis endpoints. Default: "". ++ # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". + password: "" +- sentinel: +- # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". +- masterset: "" +- # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". +- username: "" +- # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". +- password: "" +- # -- Timeout applied on connection with redis. Default: "0s". +- timeout: "" +- tls: +- # -- Path to the certificate authority used for the secured connection. +- ca: "" +- # -- Path to the public certificate used for the secure connection. +- cert: "" +- # -- Path to the private key used for the secure connection. +- key: "" +- # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. +- insecureSkipVerify: false ++ # -- Timeout applied on connection with redis. Default: "0s". ++ timeout: "" ++ tls: ++ # -- Path to the certificate authority used for the secured connection. ++ ca: "" ++ # -- Path to the public certificate used for the secure connection. ++ cert: "" ++ # -- Path to the private key used for the secure connection. ++ key: "" ++ # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. ++ insecureSkipVerify: false + # Enable export of errors logs to the platform. Default: true. + sendlogs: # @schema type:[boolean, null] +``` + +## 32.0.0-rc1 ![AppVersion: v3.1.4](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.4&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-09-20 + +* feat(Traefik Hub): add APIPlans and APIBundles CRDs +* chore(release): 🚀 publish 32.0.0-rc1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d5173dc..51dec67 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -911,35 +911,34 @@ hub: + # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". + secretName: "" + +- ratelimit: +- redis: +- # -- Enable Redis Cluster. Default: true. +- cluster: # @schema type:[boolean, null] +- # -- Database used to store information. Default: "0". +- database: # @schema type:[string, null] +- # -- Endpoints of the Redis instances to connect to. Default: "". +- endpoints: "" +- # -- The username to use when connecting to Redis endpoints. Default: "". ++ redis: ++ # -- Enable Redis Cluster. Default: true. ++ cluster: # @schema type:[boolean, null] ++ # -- Database used to store information. Default: "0". ++ database: # @schema type:[string, null] ++ # -- Endpoints of the Redis instances to connect to. Default: "". ++ endpoints: "" ++ # -- The username to use when connecting to Redis endpoints. Default: "". ++ username: "" ++ # -- The password to use when connecting to Redis endpoints. Default: "". ++ password: "" ++ sentinel: ++ # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". ++ masterset: "" ++ # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". + username: "" +- # -- The password to use when connecting to Redis endpoints. Default: "". ++ # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". + password: "" +- sentinel: +- # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". +- masterset: "" +- # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". +- username: "" +- # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". +- password: "" +- # -- Timeout applied on connection with redis. Default: "0s". +- timeout: "" +- tls: +- # -- Path to the certificate authority used for the secured connection. +- ca: "" +- # -- Path to the public certificate used for the secure connection. +- cert: "" +- # -- Path to the private key used for the secure connection. +- key: "" +- # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. +- insecureSkipVerify: false ++ # -- Timeout applied on connection with redis. Default: "0s". ++ timeout: "" ++ tls: ++ # -- Path to the certificate authority used for the secured connection. ++ ca: "" ++ # -- Path to the public certificate used for the secure connection. ++ cert: "" ++ # -- Path to the private key used for the secure connection. ++ key: "" ++ # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. ++ insecureSkipVerify: false + # Enable export of errors logs to the platform. Default: true. + sendlogs: # @schema type:[boolean, null] +``` + +## 31.1.1 ![AppVersion: v3.1.4](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.4&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-09-20 + +* fix: 🐛 updateStrategy behavior +* feat(deps): update traefik docker tag to v3.1.4 +* chore(release): 🚀 publish v31.1.1 + +## 31.1.0 ![AppVersion: v3.1.3](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.3&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-09-18 + +* fix: 🐛 update CRD to v3.1 +* feat: ✨ input validation using schema +* feat: ✨ add AllowACMEByPass and improve schema/doc on ports values +* feat: add new webhooks and removes unnecessary ones +* feat(deps): update traefik docker tag to v3.1.3 +* chore(release): 🚀 publish v31.1.0 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2232d9e..1b9d0fd 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -2,13 +2,13 @@ + # This is a YAML-formatted file. + # Declare variables to be passed into templates + +-image: ++image: # @schema additionalProperties: false + # -- Traefik image host registry + registry: docker.io + # -- Traefik image repository + repository: traefik + # -- defaults to appVersion +- tag: ++ tag: # @schema type:[string, null] + # -- Traefik image pull policy + pullPolicy: IfNotPresent + +@@ -23,27 +23,27 @@ deployment: + # -- Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 + # -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) +- # revisionHistoryLimit: 1 ++ revisionHistoryLimit: # @schema type:[integer, null];minimum:0 + # -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 + # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 +- ## Override the liveness/readiness port. This is useful to integrate traefik ++ ## -- Override the liveness/readiness port. This is useful to integrate traefik + ## with an external Load Balancer that performs healthchecks. + ## Default: ports.traefik.port +- # healthchecksPort: 9000 +- ## Override the liveness/readiness host. Useful for getting ping to respond on non-default entryPoint. ++ healthchecksPort: # @schema type:[integer, null];minimum:0 ++ ## -- Override the liveness/readiness host. Useful for getting ping to respond on non-default entryPoint. + ## Default: ports.traefik.hostIP if set, otherwise Pod IP +- # healthchecksHost: localhost +- ## Override the liveness/readiness scheme. Useful for getting ping to ++ healthchecksHost: "" ++ ## -- Override the liveness/readiness scheme. Useful for getting ping to + ## respond on websecure entryPoint. +- # healthchecksScheme: HTTPS +- ## Override the readiness path. ++ healthchecksScheme: # @schema enum:[HTTP, HTTPS, null]; type:[string, null]; default: HTTP ++ ## -- Override the readiness path. + ## Default: /ping +- # readinessPath: /ping +- # Override the liveness path. ++ readinessPath: "" ++ # -- Override the liveness path. + # Default: /ping +- # livenessPath: /ping ++ livenessPath: "" + # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # -- Additional deployment labels (e.g. for filtering deployment by custom labels) +@@ -80,7 +80,7 @@ deployment: + # -- Use process namespace sharing + shareProcessNamespace: false + # -- Custom pod DNS policy. Apply if `hostNetwork: true` +- # dnsPolicy: ClusterFirstWithHostNet ++ dnsPolicy: "" + # -- Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core) + dnsConfig: {} + # -- Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) +@@ -99,24 +99,24 @@ deployment: + # host: localhost + # scheme: HTTP + # -- Set a runtimeClassName on pod +- runtimeClassName: ++ runtimeClassName: "" + + # -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/) +-podDisruptionBudget: +- enabled: +- maxUnavailable: +- minAvailable: ++podDisruptionBudget: # @schema additionalProperties: false ++ enabled: false ++ maxUnavailable: # @schema type:[string, integer, null];minimum:0 ++ minAvailable: # @schema type:[string, integer, null];minimum:0 + + # -- Create a default IngressClass for Traefik +-ingressClass: ++ingressClass: # @schema additionalProperties: false + enabled: true + isDefaultClass: true +- # name: my-custom-class ++ name: "" + +-core: ++core: # @schema additionalProperties: false + # -- Can be used to use globally v2 router syntax + # See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes +- defaultRuleSyntax: ++ defaultRuleSyntax: "" + + # Traefik experimental features + experimental: +@@ -133,11 +133,11 @@ gateway: + # -- When providers.kubernetesGateway.enabled, deploy a default gateway + enabled: true + # -- Set a custom name to gateway +- name: ++ name: "" + # -- By default, Gateway is created in the same `Namespace` than Traefik. +- namespace: ++ namespace: "" + # -- Additional gateway annotations (e.g. for cert-manager.io/issuer) +- annotations: ++ annotations: {} + # -- Define listeners + listeners: + web: +@@ -145,11 +145,11 @@ gateway: + # The port must match a port declared in ports section. + port: 8000 + # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) +- hostname: ++ hostname: "" + # Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType) + protocol: HTTP + # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces +- namespacePolicy: ++ namespacePolicy: # @schema type:[string, null] + # websecure listener is disabled by default because certificateRefs needs to be added, + # or you may specify TLS protocol with Passthrough mode and add "--providers.kubernetesGateway.experimentalChannel=true" in additionalArguments section. + # websecure: +@@ -167,13 +167,13 @@ gateway: + # # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType). + # mode: + +-gatewayClass: ++gatewayClass: # @schema additionalProperties: false + # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass + enabled: true + # -- Set a custom name to GatewayClass +- name: ++ name: "" + # -- Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels) +- labels: ++ labels: {} + + ingressRoute: + dashboard: +@@ -218,14 +218,14 @@ ingressRoute: + # -- TLS options (e.g. secret containing certificate) + tls: {} + +-updateStrategy: ++updateStrategy: # @schema additionalProperties: false + # -- Customize updateStrategy: RollingUpdate or OnDelete + type: RollingUpdate + rollingUpdate: +- maxUnavailable: 0 +- maxSurge: 1 ++ maxUnavailable: 0 # @schema type:[integer, string, null] ++ maxSurge: 1 # @schema type:[integer, string, null] + +-readinessProbe: ++readinessProbe: # @schema additionalProperties: false + # -- The number of consecutive failures allowed before considering the probe as failed. + failureThreshold: 1 + # -- The number of seconds to wait before starting the first probe. +@@ -236,7 +236,7 @@ readinessProbe: + successThreshold: 1 + # -- The number of seconds to wait for a probe response before considering it as failed. + timeoutSeconds: 2 +-livenessProbe: ++livenessProbe: # @schema additionalProperties: false + # -- The number of consecutive failures allowed before considering the probe as failed. + failureThreshold: 3 + # -- The number of seconds to wait before starting the first probe. +@@ -249,9 +249,9 @@ livenessProbe: + timeoutSeconds: 2 + + # -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes) +-startupProbe: ++startupProbe: {} + +-providers: ++providers: # @schema additionalProperties: false + kubernetesCRD: + # -- Load Kubernetes IngressRoute provider + enabled: true +@@ -262,12 +262,12 @@ providers: + # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: true + # -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled. +- ingressClass: ++ ingressClass: "" + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] + # -- Defines whether to use Native Kubernetes load-balancing mode by default. +- nativeLBByDefault: ++ nativeLBByDefault: false + + kubernetesIngress: + # -- Load Kubernetes Ingress provider +@@ -277,7 +277,7 @@ providers: + # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: true + # -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed. +- ingressClass: ++ ingressClass: # @schema type:[string, null] + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +@@ -288,7 +288,7 @@ providers: + # By default this Traefik service + # pathOverride: "" + # -- Defines whether to use Native Kubernetes load-balancing mode by default. +- nativeLBByDefault: ++ nativeLBByDefault: false + + kubernetesGateway: + # -- Enable Traefik Gateway provider for Gateway API +@@ -299,7 +299,7 @@ providers: + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] + # -- A label selector can be defined to filter on specific GatewayClass objects only. +- labelselector: ++ labelselector: "" + + file: + # -- Create a file provider +@@ -307,7 +307,7 @@ providers: + # -- Allows Traefik to automatically watch for file changes + watch: true + # -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) +- content: ++ content: "" + + # -- Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. +@@ -333,90 +333,88 @@ additionalVolumeMounts: [] + logs: + general: + # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) +- # @default common +- format: ++ format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common" + # By default, the level is set to INFO. + # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. +- level: INFO +- # +- # filePath: "/var/log/traefik/traefik.log +- # noColor: true ++ level: "INFO" # @schema enum:[INFO,WARN,ERROR,FATAL,PANIC,DEBUG]; default: "INFO" ++ # -- To write the logs into a log file, use the filePath option. ++ filePath: "" ++ # -- When set to true and format is common, it disables the colorized output. ++ noColor: false + access: + # -- To enable access logs + enabled: false + # -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) +- format: ++ format: # @schema enum:["CLF", "json", null]; type:[string, null]; default: "CLF" + # filePath: "/var/log/traefik/access.log + # -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) +- bufferingSize: ++ bufferingSize: # @schema type:[integer, null] + # -- Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering) + filters: {} +- # statuscodes: "200,300-302" +- # retryattempts: true +- # minduration: 10ms ++ statuscodes: "" ++ retryattempts: false ++ minduration: "" + # -- Enables accessLogs for internal resources. Default: false. +- addInternals: ++ addInternals: false + fields: + general: +- # -- Available modes: keep, drop, redact. +- defaultmode: keep ++ # -- Set default mode for fields.names ++ defaultmode: keep # @schema enum:[keep, drop, redact]; default: keep + # -- Names of the fields to limit. + names: {} +- ## Examples: +- # ClientUsername: drop + # -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers) + headers: +- # -- Available modes: keep, drop, redact. +- defaultmode: drop ++ # -- Set default mode for fields.headers ++ defaultmode: drop # @schema enum:[keep, drop, redact]; default: drop + names: {} + + metrics: + ## -- Enable metrics for internal resources. Default: false +- addInternals: ++ addInternals: false + + ## -- Prometheus is enabled by default. + ## -- It can be disabled by setting "prometheus: null" + prometheus: + # -- Entry point used to expose metrics. + entryPoint: metrics +- ## Enable metrics on entry points. Default=true +- # addEntryPointsLabels: false +- ## Enable metrics on routers. Default=false +- # addRoutersLabels: true +- ## Enable metrics on services. Default=true +- # addServicesLabels: false ++ ## Enable metrics on entry points. Default: true ++ addEntryPointsLabels: # @schema type:[boolean, null] ++ ## Enable metrics on routers. Default: false ++ addRoutersLabels: # @schema type:[boolean, null] ++ ## Enable metrics on services. Default: true ++ addServicesLabels: # @schema type:[boolean, null] + ## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0" +- # buckets: "0.5,1.0,2.5" ++ buckets: "" + ## When manualRouting is true, it disables the default internal router in + ## order to allow creating a custom router for prometheus@internal service. +- # manualRouting: true ++ manualRouting: false + service: + # -- Create a dedicated metrics service to use with ServiceMonitor +- enabled: +- labels: +- annotations: ++ enabled: false ++ labels: {} ++ annotations: {} + # -- When set to true, it won't check if Prometheus Operator CRDs are deployed +- disableAPICheck: ++ disableAPICheck: # @schema type:[boolean, null] + serviceMonitor: + # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. + enabled: false +- metricRelabelings: +- relabelings: +- jobLabel: +- interval: +- honorLabels: +- scrapeTimeout: +- honorTimestamps: +- enableHttp2: +- followRedirects: +- additionalLabels: +- namespace: +- namespaceSelector: ++ metricRelabelings: [] ++ relabelings: [] ++ jobLabel: "" ++ interval: "" ++ honorLabels: false ++ scrapeTimeout: "" ++ honorTimestamps: false ++ enableHttp2: false ++ followRedirects: false ++ additionalLabels: {} ++ namespace: "" ++ namespaceSelector: {} + prometheusRule: + # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. + enabled: false +- additionalLabels: +- namespace: ++ additionalLabels: {} ++ namespace: "" + + # datadog: + # ## Address instructs exporter to send metrics to datadog-agent at this address. +@@ -469,55 +467,55 @@ metrics: + # -- Set to true in order to enable the OpenTelemetry metrics + enabled: false + # -- Enable metrics on entry points. Default: true +- addEntryPointsLabels: ++ addEntryPointsLabels: # @schema type:[boolean, null] + # -- Enable metrics on routers. Default: false +- addRoutersLabels: ++ addRoutersLabels: # @schema type:[boolean, null] + # -- Enable metrics on services. Default: true +- addServicesLabels: ++ addServicesLabels: # @schema type:[boolean, null] + # -- Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10] +- explicitBoundaries: ++ explicitBoundaries: [] + # -- Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s +- pushInterval: ++ pushInterval: "" + http: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics +- endpoint: ++ endpoint: "" + # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. +- headers: ++ headers: {} + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. +- ca: ++ ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. +- cert: ++ cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. +- key: ++ key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +- insecureSkipVerify: ++ insecureSkipVerify: # @schema type:[boolean, null] + grpc: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics +- endpoint: ++ endpoint: "" + # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. +- insecure: ++ insecure: false + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. +- ca: ++ ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. +- cert: ++ cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. +- key: ++ key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +- insecureSkipVerify: ++ insecureSkipVerify: false + + ## Tracing + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ +-tracing: ++tracing: # @schema additionalProperties: false + # -- Enables tracing for internal resources. Default: false. +- addInternals: ++ addInternals: false + otlp: + # -- See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ + enabled: false +@@ -525,36 +523,36 @@ tracing: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics +- endpoint: ++ endpoint: "" + # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. +- headers: ++ headers: {} + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. +- ca: ++ ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. +- cert: ++ cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. +- key: ++ key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +- insecureSkipVerify: ++ insecureSkipVerify: false + grpc: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics +- endpoint: ++ endpoint: "" + # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. +- insecure: ++ insecure: false + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. +- ca: ++ ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. +- cert: ++ cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. +- key: ++ key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +- insecureSkipVerify: ++ insecureSkipVerify: false + + # -- Global command arguments to be passed to all traefik's pods + globalArguments: +@@ -587,13 +585,12 @@ ports: + traefik: + port: 9000 + # -- Use hostPort if set. +- # hostPort: 9000 +- # ++ hostPort: # @schema type:[integer, null]; minimum:0 + # -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. You may want + # to set this value if you need traefik to listen on specific interface + # only. +- # hostIP: 192.168.100.10 ++ hostIP: # @schema type:[string, null] + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. +@@ -617,112 +614,93 @@ ports: + default: true + exposedPort: 80 + ## -- Different target traefik port on the cluster, useful for IP type LB +- # targetPort: 80 ++ targetPort: # @schema type:[integer, null]; minimum:0 + # The port protocol (TCP/UDP) + protocol: TCP +- # -- Use nodeport if set. This is useful if you have configured Traefik in a +- # LoadBalancer. +- # nodePort: 32080 ++ # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) ++ nodePort: # @schema type:[integer, null]; minimum:0 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection +- # redirectTo: +- # port: websecure +- # (Optional) +- # priority: 10 +- # permanent: true +- # +- # -- Trust forwarded headers information (X-Forwarded-*). +- # forwardedHeaders: +- # trustedIPs: [] +- # insecure: false +- # +- # -- Enable the Proxy Protocol header parsing for the entry point +- # proxyProtocol: +- # trustedIPs: [] +- # insecure: false +- # ++ redirectTo: {} ++ forwardedHeaders: ++ # -- Trust forwarded headers information (X-Forwarded-*). ++ trustedIPs: [] ++ insecure: false ++ proxyProtocol: ++ # -- Enable the Proxy Protocol header parsing for the entry point ++ trustedIPs: [] ++ insecure: false + # -- Set transport settings for the entrypoint; see also + # https://doc.traefik.io/traefik/routing/entrypoints/#transport + transport: + respondingTimeouts: +- readTimeout: +- writeTimeout: +- idleTimeout: ++ readTimeout: # @schema type:[string, integer, null] ++ writeTimeout: # @schema type:[string, integer, null] ++ idleTimeout: # @schema type:[string, integer, null] + lifeCycle: +- requestAcceptGraceTimeout: +- graceTimeOut: +- keepAliveMaxRequests: +- keepAliveMaxTime: ++ requestAcceptGraceTimeout: # @schema type:[string, integer, null] ++ graceTimeOut: # @schema type:[string, integer, null] ++ keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0 ++ keepAliveMaxTime: # @schema type:[string, integer, null] + websecure: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8443 +- # hostPort: 8443 +- # containerPort: 8443 ++ hostPort: # @schema type:[integer, null]; minimum:0 ++ containerPort: # @schema type:[integer, null]; minimum:0 + expose: + default: true + exposedPort: 443 + ## -- Different target traefik port on the cluster, useful for IP type LB +- # targetPort: 80 ++ targetPort: # @schema type:[integer, null]; minimum:0 + ## -- The port protocol (TCP/UDP) + protocol: TCP +- # nodePort: 32443 +- ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer. +- # appProtocol: https +- # +- ## -- Enable HTTP/3 on the entrypoint +- ## Enabling it will also enable http3 experimental feature +- ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 +- ## There are known limitations when trying to listen on same ports for +- ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. +- ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 ++ # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) ++ nodePort: # @schema type:[integer, null]; minimum:0 ++ # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol) ++ appProtocol: # @schema type:[string, null] ++ # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass) ++ allowACMEByPass: false + http3: ++ ## -- Enable HTTP/3 on the entrypoint ++ ## Enabling it will also enable http3 experimental feature ++ ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 ++ ## There are known limitations when trying to listen on same ports for ++ ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. ++ ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 + enabled: false +- # advertisedPort: 4443 +- # +- # -- Trust forwarded headers information (X-Forwarded-*). +- # forwardedHeaders: +- # trustedIPs: [] +- # insecure: false +- # +- # -- Enable the Proxy Protocol header parsing for the entry point +- # proxyProtocol: +- # trustedIPs: [] +- # insecure: false +- # +- # -- Set transport settings for the entrypoint; see also +- # https://doc.traefik.io/traefik/routing/entrypoints/#transport ++ advertisedPort: # @schema type:[integer, null]; minimum:0 ++ forwardedHeaders: ++ # -- Trust forwarded headers information (X-Forwarded-*). ++ trustedIPs: [] ++ insecure: false ++ proxyProtocol: ++ # -- Enable the Proxy Protocol header parsing for the entry point ++ trustedIPs: [] ++ insecure: false ++ # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport) + transport: + respondingTimeouts: +- readTimeout: +- writeTimeout: +- idleTimeout: ++ readTimeout: # @schema type:[string, integer, null] ++ writeTimeout: # @schema type:[string, integer, null] ++ idleTimeout: # @schema type:[string, integer, null] + lifeCycle: +- requestAcceptGraceTimeout: +- graceTimeOut: +- keepAliveMaxRequests: +- keepAliveMaxTime: +- # +- ## Set TLS at the entrypoint +- ## https://doc.traefik.io/traefik/routing/entrypoints/#tls ++ requestAcceptGraceTimeout: # @schema type:[string, integer, null] ++ graceTimeOut: # @schema type:[string, integer, null] ++ keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0 ++ keepAliveMaxTime: # @schema type:[string, integer, null] ++ # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#tls) + tls: + enabled: true +- # this is the name of a TLSOption definition + options: "" + certResolver: "" + domains: [] +- # - main: example.com +- # sans: +- # - foo.example.com +- # - bar.example.com +- # + # -- One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares + # -- /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ + # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace +- # middlewares: + # - namespace-name1@kubernetescrd + # - namespace-name2@kubernetescrd + middlewares: [] +@@ -730,10 +708,6 @@ ports: + # -- When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 +- # hostPort: 9100 +- # Defines whether the port is exposed if service.type is LoadBalancer or +- # NodePort. +- # + # -- You may not want to expose the metrics port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress +@@ -810,15 +784,15 @@ persistence: + # It can be used to store TLS certificates, see `storage` in certResolvers + enabled: false + name: data +- # existingClaim: "" ++ existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi +- # storageClass: "" +- # volumeName: "" ++ storageClass: "" ++ volumeName: "" + path: /data + annotations: {} + # -- Only mount a subpath of the Volume into the pod +- # subPath: "" ++ subPath: "" + + # -- Certificates resolvers configuration. + # Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers +@@ -832,7 +806,7 @@ certResolvers: {} + hostNetwork: false + + # -- Whether Role Based Access Control objects like roles and rolebindings should be created +-rbac: ++rbac: # @schema additionalProperties: false + enabled: true + # When set to true: + # 1. Use `Role` and `RoleBinding` instead of `ClusterRole` and `ClusterRoleBinding`. +@@ -843,7 +817,7 @@ rbac: + namespaced: false + # Enable user-facing roles + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles +- # aggregateTo: [ "admin" ] ++ aggregateTo: [] + # List of Kubernetes secrets that are accessible for Traefik. If empty, then access is granted to every secret. + secretResourceNames: [] + +@@ -852,7 +826,7 @@ podSecurityPolicy: + enabled: false + + # -- The service account the pods will use to interact with the Kubernetes API +-serviceAccount: ++serviceAccount: # @schema additionalProperties: false + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template + name: "" +@@ -918,54 +892,54 @@ extraObjects: [] + + # -- This field override the default Release Namespace for Helm. + # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` +-namespaceOverride: ++namespaceOverride: "" + + ## -- This field override the default app.kubernetes.io/instance label for all Objects. +-instanceLabelOverride: ++instanceLabelOverride: "" + + # Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/ + hub: + # -- Name of `Secret` with key 'token' set to a valid license token. + # It enables API Gateway. +- token: ++ token: "" + apimanagement: + # -- Set to true in order to enable API Management. Requires a valid license token. +- enabled: ++ enabled: false + admission: + # -- WebHook admission server listen address. Default: "0.0.0.0:9943". +- listenAddr: ++ listenAddr: "" + # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". +- secretName: ++ secretName: "" + + ratelimit: + redis: + # -- Enable Redis Cluster. Default: true. +- cluster: ++ cluster: # @schema type:[boolean, null] + # -- Database used to store information. Default: "0". +- database: ++ database: # @schema type:[string, null] + # -- Endpoints of the Redis instances to connect to. Default: "". +- endpoints: ++ endpoints: "" + # -- The username to use when connecting to Redis endpoints. Default: "". +- username: ++ username: "" + # -- The password to use when connecting to Redis endpoints. Default: "". +- password: ++ password: "" + sentinel: + # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". +- masterset: ++ masterset: "" + # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". +- username: ++ username: "" + # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". +- password: ++ password: "" + # -- Timeout applied on connection with redis. Default: "0s". +- timeout: ++ timeout: "" + tls: + # -- Path to the certificate authority used for the secured connection. +- ca: ++ ca: "" + # -- Path to the public certificate used for the secure connection. +- cert: ++ cert: "" + # -- Path to the private key used for the secure connection. +- key: ++ key: "" + # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. +- insecureSkipVerify: ++ insecureSkipVerify: false + # Enable export of errors logs to the platform. Default: true. +- sendlogs: ++ sendlogs: # @schema type:[boolean, null] +``` + +## 31.0.0 ![AppVersion: v3.1.2](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.2&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-09-03 + +* fix(Traefik Hub): update CRDs to v1.5.0 +* fix(HTTP3): split udp and tcp Service when service.single is false +* fix!: 🐛 set allowEmptyServices to true by default +* feat(Traefik Hub): update CRDs to v1.7.0 +* chore(release): 🚀 publish v31.0.0 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 78eeacf..2232d9e 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -260,7 +260,7 @@ providers: + # -- Allows to reference ExternalName services in IngressRoute + allowExternalNameServices: false + # -- Allows to return 503 when there is no endpoints available +- allowEmptyServices: false ++ allowEmptyServices: true + # -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled. + ingressClass: + # labelSelector: environment=production,method=traefik +@@ -275,7 +275,7 @@ providers: + # -- Allows to reference ExternalName services in Ingress + allowExternalNameServices: false + # -- Allows to return 503 when there is no endpoints available +- allowEmptyServices: false ++ allowEmptyServices: true + # -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed. + ingressClass: + # labelSelector: environment=production,method=traefik +``` + +## 30.1.0 ![AppVersion: v3.1.2](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.2&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-08-14 + +* fix: disable default HTTPS listener for gateway +* fix(Gateway API): wildcard support in hostname +* fix(Gateway API): use Standard channel by default +* feat: ✨ rework namespaced RBAC with `disableClusterScopeResources` +* chore(release): 🚀 publish v30.1.0 +* chore(deps): update traefik docker tag to v3.1.2 +* chore(deps): update traefik docker tag to v3.1.1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 83b6d98..78eeacf 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -150,20 +150,22 @@ gateway: + protocol: HTTP + # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces + namespacePolicy: +- websecure: +- # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. +- # The port must match a port declared in ports section. +- port: 8443 +- # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) +- hostname: +- # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType) +- protocol: HTTPS +- # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces) +- namespacePolicy: +- # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig) +- certificateRefs: +- # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType). +- mode: ++ # websecure listener is disabled by default because certificateRefs needs to be added, ++ # or you may specify TLS protocol with Passthrough mode and add "--providers.kubernetesGateway.experimentalChannel=true" in additionalArguments section. ++ # websecure: ++ # # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. ++ # # The port must match a port declared in ports section. ++ # port: 8443 ++ # # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) ++ # hostname: ++ # # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType) ++ # protocol: HTTPS ++ # # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces) ++ # namespacePolicy: ++ # # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig) ++ # certificateRefs: ++ # # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType). ++ # mode: + + gatewayClass: + # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass +@@ -279,10 +281,6 @@ providers: + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +- # - "default" +- # Disable cluster IngressClass Lookup - Requires Traefik V3. +- # When combined with rbac.namespaced: true, ClusterRole will not be created and ingresses must use kubernetes.io/ingress.class annotation instead of spec.ingressClassName. +- disableIngressClassLookup: false + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false +@@ -836,9 +834,12 @@ hostNetwork: false + # -- Whether Role Based Access Control objects like roles and rolebindings should be created + rbac: + enabled: true +- # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. +- # If set to true, installs Role and RoleBinding instead of ClusterRole/ClusterRoleBinding. Providers will only watch target namespace. +- # When combined with providers.kubernetesIngress.disableIngressClassLookup: true and Traefik V3, ClusterRole to watch IngressClass is also disabled. ++ # When set to true: ++ # 1. Use `Role` and `RoleBinding` instead of `ClusterRole` and `ClusterRoleBinding`. ++ # 2. Set `disableIngressClassLookup` on Kubernetes Ingress providers with Traefik Proxy v3 until v3.1.1 ++ # 3. Set `disableClusterScopeResources` on Kubernetes Ingress and CRD providers with Traefik Proxy v3.1.2+ ++ # **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC. ++ # See [upstream documentation](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#disableclusterscoperesources) for more details. + namespaced: false + # Enable user-facing roles + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles +``` + +## 30.0.2 ![AppVersion: v3.1.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-07-30 + +* fix(Traefik Hub): missing RBACs for Traefik Hub +* chore(release): 🚀 publish v30.0.2 + +## 30.0.1 ![AppVersion: v3.1.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-07-29 + +* fix(Traefik Hub): support new RBACs for upcoming traefik hub release +* fix(Traefik Hub): RBACs missing with API Gateway +* feat: :release: v30.0.1 + +## 30.0.0 ![AppVersion: v3.1.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-07-24 + +* fix: 🐛 ingressroute default name +* fix: namespaced RBACs hub api gateway +* fix: can't set gateway name +* fix(Gateway API): provide expected roles when using namespaced RBAC +* fix(Gateway API)!: revamp Gateway implementation +* feat: ✨ display release name and image full path in installation notes +* feat: use single ingressRoute template +* feat: handle log filePath and noColor +* chore(release): 🚀 publish v30.0.0 +* chore(deps): update traefik docker tag to v3.1.0 + +**Upgrade Notes** + +There is a breaking upgrade on how to configure Gateway with _values_. +This release supports Traefik Proxy v3.0 **and** v3.1. + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c8bfd5b..83b6d98 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -134,14 +134,36 @@ gateway: + enabled: true + # -- Set a custom name to gateway + name: +- # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.FromNamespaces) +- namespacePolicy: +- # -- See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig) +- certificateRefs: + # -- By default, Gateway is created in the same `Namespace` than Traefik. + namespace: + # -- Additional gateway annotations (e.g. for cert-manager.io/issuer) + annotations: ++ # -- Define listeners ++ listeners: ++ web: ++ # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. ++ # The port must match a port declared in ports section. ++ port: 8000 ++ # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) ++ hostname: ++ # Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType) ++ protocol: HTTP ++ # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces ++ namespacePolicy: ++ websecure: ++ # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. ++ # The port must match a port declared in ports section. ++ port: 8443 ++ # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) ++ hostname: ++ # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType) ++ protocol: HTTPS ++ # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces) ++ namespacePolicy: ++ # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig) ++ certificateRefs: ++ # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType). ++ mode: + + gatewayClass: + # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass +@@ -161,6 +183,10 @@ ingressRoute: + labels: {} + # -- The router match rule used for the dashboard ingressRoute + matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) ++ # -- The internal service used for the dashboard ingressRoute ++ services: ++ - name: api@internal ++ kind: TraefikService + # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. + # /!\ Do not expose your dashboard without any protection over the internet /!\ +@@ -178,6 +204,10 @@ ingressRoute: + labels: {} + # -- The router match rule used for the healthcheck ingressRoute + matchRule: PathPrefix(`/ping`) ++ # -- The internal service used for the healthcheck ingressRoute ++ services: ++ - name: ping@internal ++ kind: TraefikService + # -- Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. + entryPoints: ["traefik"] +@@ -307,9 +337,12 @@ logs: + # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) + # @default common + format: +- # By default, the level is set to ERROR. ++ # By default, the level is set to INFO. + # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: INFO ++ # ++ # filePath: "/var/log/traefik/traefik.log ++ # noColor: true + access: + # -- To enable access logs + enabled: false +``` + + +## 29.0.1 ![AppVersion: v3.0.4](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.4&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-07-09 + +* fix: semverCompare failing on some legitimate tags +* fix: RBACs for hub and disabled namespaced RBACs +* chore(release): 🚀 publish v29.0.1 +* chore(deps): update jnorwood/helm-docs docker tag to v1.14.0 + +## 29.0.0 ![AppVersion: v3.0.4](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.4&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Upgrade Notes** + +This is a major breaking upgrade. [Migration guide](https://doc.traefik.io/traefik/v3.1/migration/v3/#v30-to-v31) from v3.0 to v3.1rc has been applied on this chart. + +This release supports both Traefik Proxy v3.0.x and v3.1rc. + +It comes with those breaking changes: + +- Far better support on Gateway API v1.1: Gateway, GatewayClass, CRDs & RBAC (#1107) +- Many changes on CRDs & RBAC (#1072 & #1108) +- Refactor on Prometheus Operator support. Values has changed (#1114) +- Dashboard `IngressRoute` is now disabled by default (#1111) + +CRDs needs to be upgraded: `kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/` + +**Release date:** 2024-07-05 + +* fix: 🐛 improve error message on additional service without ports +* fix: allow multiples values in the `secretResourceNames` slice +* fix(rbac)!: nodes API permissions for Traefik v3.1+ +* fix(dashboard): Only set ingressClass annotation when kubernetesCRD provider is listening for it +* fix!: prometheus operator settings +* feat: ✨ update CRDs & RBAC for Traefik Proxy +* feat: ✨ migrate to endpointslices rbac +* feat: allow to set hostAliases for traefik pod +* feat(providers): add nativeLBByDefault support +* feat(providers)!: improve kubernetesGateway and Gateway API support +* feat(dashboard)!: dashboard `IngressRoute` should be disabled by default +* docs: fix typos and broken link +* chore: update CRDs to v1.5.0 +* chore: update CRDs to v1.4.0 +* chore(release): publish v29.0.0 +* chore(deps): update traefik docker tag to v3.0.4 +* chore(deps): update traefik docker tag to v3.0.3 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e440dcf..c8bfd5b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -8,7 +8,7 @@ image: + # -- Traefik image repository + repository: traefik + # -- defaults to appVersion +- tag: "" ++ tag: + # -- Traefik image pull policy + pullPolicy: IfNotPresent + +@@ -81,19 +81,12 @@ deployment: + shareProcessNamespace: false + # -- Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet ++ # -- Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core) + dnsConfig: {} +- # nameservers: +- # - 192.0.2.1 # this is an example +- # searches: +- # - ns1.svc.cluster-domain.example +- # - my.dns.search.suffix +- # options: +- # - name: ndots +- # value: "2" +- # - name: edns0 +- # -- Additional imagePullSecrets ++ # -- Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) ++ hostAliases: [] ++ # -- Pull secret for fetching traefik container image + imagePullSecrets: [] +- # - name: myRegistryKeySecretName + # -- Pod lifecycle actions + lifecycle: {} + # preStop: +@@ -135,24 +128,33 @@ experimental: + kubernetesGateway: + # -- Enable traefik experimental GatewayClass CRD + enabled: false +- ## Routes are restricted to namespace of the gateway by default. +- ## https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.FromNamespaces +- # namespacePolicy: All +- # certificate: +- # group: "core" +- # kind: "Secret" +- # name: "mysecret" +- # -- By default, Gateway would be created to the Namespace you are deploying Traefik to. +- # You may create that Gateway in another namespace, setting its name below: +- # namespace: default +- # Additional gateway annotations (e.g. for cert-manager.io/issuer) +- # annotations: +- # cert-manager.io/issuer: letsencrypt ++ ++gateway: ++ # -- When providers.kubernetesGateway.enabled, deploy a default gateway ++ enabled: true ++ # -- Set a custom name to gateway ++ name: ++ # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.FromNamespaces) ++ namespacePolicy: ++ # -- See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig) ++ certificateRefs: ++ # -- By default, Gateway is created in the same `Namespace` than Traefik. ++ namespace: ++ # -- Additional gateway annotations (e.g. for cert-manager.io/issuer) ++ annotations: ++ ++gatewayClass: ++ # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass ++ enabled: true ++ # -- Set a custom name to GatewayClass ++ name: ++ # -- Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels) ++ labels: + + ingressRoute: + dashboard: + # -- Create an IngressRoute for the dashboard +- enabled: true ++ enabled: false + # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} + # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) +@@ -227,11 +229,13 @@ providers: + allowExternalNameServices: false + # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: false +- # ingressClass: traefik-internal ++ # -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled. ++ ingressClass: + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +- # - "default" ++ # -- Defines whether to use Native Kubernetes load-balancing mode by default. ++ nativeLBByDefault: + + kubernetesIngress: + # -- Load Kubernetes Ingress provider +@@ -240,7 +244,8 @@ providers: + allowExternalNameServices: false + # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: false +- # ingressClass: traefik-internal ++ # -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed. ++ ingressClass: + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +@@ -254,6 +259,19 @@ providers: + # Published Kubernetes Service to copy status from. Format: namespace/servicename + # By default this Traefik service + # pathOverride: "" ++ # -- Defines whether to use Native Kubernetes load-balancing mode by default. ++ nativeLBByDefault: ++ ++ kubernetesGateway: ++ # -- Enable Traefik Gateway provider for Gateway API ++ enabled: false ++ # -- Toggles support for the Experimental Channel resources (Gateway API release channels documentation). ++ # This option currently enables support for TCPRoute and TLSRoute. ++ experimentalChannel: false ++ # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. ++ namespaces: [] ++ # -- A label selector can be defined to filter on specific GatewayClass objects only. ++ labelselector: + + file: + # -- Create a file provider +@@ -341,6 +359,34 @@ metrics: + ## When manualRouting is true, it disables the default internal router in + ## order to allow creating a custom router for prometheus@internal service. + # manualRouting: true ++ service: ++ # -- Create a dedicated metrics service to use with ServiceMonitor ++ enabled: ++ labels: ++ annotations: ++ # -- When set to true, it won't check if Prometheus Operator CRDs are deployed ++ disableAPICheck: ++ serviceMonitor: ++ # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. ++ enabled: false ++ metricRelabelings: ++ relabelings: ++ jobLabel: ++ interval: ++ honorLabels: ++ scrapeTimeout: ++ honorTimestamps: ++ enableHttp2: ++ followRedirects: ++ additionalLabels: ++ namespace: ++ namespaceSelector: ++ prometheusRule: ++ # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. ++ enabled: false ++ additionalLabels: ++ namespace: ++ + # datadog: + # ## Address instructs exporter to send metrics to datadog-agent at this address. + # address: "127.0.0.1:8125" +@@ -436,55 +482,6 @@ metrics: + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + insecureSkipVerify: + +- ## -- enable optional CRDs for Prometheus Operator +- ## +- ## Create a dedicated metrics service for use with ServiceMonitor +- # service: +- # enabled: false +- # labels: {} +- # annotations: {} +- ## When set to true, it won't check if Prometheus Operator CRDs are deployed +- # disableAPICheck: false +- # serviceMonitor: +- # metricRelabelings: [] +- # - sourceLabels: [__name__] +- # separator: ; +- # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ +- # replacement: $1 +- # action: drop +- # relabelings: [] +- # - sourceLabels: [__meta_kubernetes_pod_node_name] +- # separator: ; +- # regex: ^(.*)$ +- # targetLabel: nodename +- # replacement: $1 +- # action: replace +- # jobLabel: traefik +- # interval: 30s +- # honorLabels: true +- # # (Optional) +- # # scrapeTimeout: 5s +- # # honorTimestamps: true +- # # enableHttp2: true +- # # followRedirects: true +- # # additionalLabels: +- # # foo: bar +- # # namespace: "another-namespace" +- # # namespaceSelector: {} +- # prometheusRule: +- # additionalLabels: {} +- # namespace: "another-namespace" +- # rules: +- # - alert: TraefikDown +- # expr: up{job="traefik"} == 0 +- # for: 5m +- # labels: +- # context: traefik +- # severity: warning +- # annotations: +- # summary: "Traefik Down" +- # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" +- + ## Tracing + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: +``` + +## 28.3.0 ![AppVersion: v3.0.2](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.2&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-06-14 + +* fix: 🐛 namespaced rbac when kubernetesIngress provider is disabled +* fix: 🐛 add divisor: '1' to GOMAXPROCS and GOMEMLIMIT +* fix(security): 🐛 🔒️ mount service account token on pod level +* fix(Traefik Hub): remove obsolete CRD +* fix(Traefik Hub): remove namespace in mutating webhook +* feat: allow setting permanent on redirectTo +* chore(release): publish v28.3.0 +* chore(deps): update traefik docker tag to v3.0.2 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c558c78..e440dcf 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -602,6 +602,7 @@ ports: + # port: websecure + # (Optional) + # priority: 10 ++ # permanent: true + # + # -- Trust forwarded headers information (X-Forwarded-*). + # forwardedHeaders: +``` + +## 28.2.0 ![AppVersion: v3.0.1](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.1&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-05-28 + +* fix(IngressClass): provides annotation on IngressRoutes when it's enabled +* feat: ✨ simplify values and provide more examples +* feat: add deletecollection right on secrets +* chore(release): 🚀 publish v28.2.0 +* chore(deps): update traefik docker tag to v3.0.1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2fd9282..c558c78 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,4 +1,7 @@ + # Default values for Traefik ++# This is a YAML-formatted file. ++# Declare variables to be passed into templates ++ + image: + # -- Traefik image host registry + registry: docker.io +@@ -12,9 +15,6 @@ image: + # -- Add additional label to all resources + commonLabels: {} + +-# +-# Configure the deployment +-# + deployment: + # -- Enable deployment + enabled: true +@@ -74,10 +74,6 @@ deployment: + # - name: volume-permissions + # image: busybox:latest + # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] +- # securityContext: +- # runAsNonRoot: true +- # runAsGroup: 65532 +- # runAsUser: 65532 + # volumeMounts: + # - name: data + # mountPath: /data +@@ -112,13 +108,11 @@ deployment: + # -- Set a runtimeClassName on pod + runtimeClassName: + +-# -- Pod disruption budget ++# -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/) + podDisruptionBudget: +- enabled: false +- # maxUnavailable: 1 +- # maxUnavailable: 33% +- # minAvailable: 0 +- # minAvailable: 25% ++ enabled: ++ maxUnavailable: ++ minAvailable: + + # -- Create a default IngressClass for Traefik + ingressClass: +@@ -155,7 +149,6 @@ experimental: + # annotations: + # cert-manager.io/issuer: letsencrypt + +-## Create an IngressRoute for the dashboard + ingressRoute: + dashboard: + # -- Create an IngressRoute for the dashboard +@@ -221,15 +214,7 @@ livenessProbe: + # -- The number of seconds to wait for a probe response before considering it as failed. + timeoutSeconds: 2 + +-# -- Define Startup Probe for container: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes +-# eg. +-# `startupProbe: +-# exec: +-# command: +-# - mycommand +-# - foo +-# initialDelaySeconds: 5 +-# periodSeconds: 5` ++# -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes) + startupProbe: + + providers: +@@ -276,18 +261,8 @@ providers: + # -- Allows Traefik to automatically watch for file changes + watch: true + # -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) +- content: "" +- # http: +- # routers: +- # router0: +- # entryPoints: +- # - web +- # middlewares: +- # - my-basic-auth +- # service: service-foo +- # rule: Path(`/foo`) ++ content: + +-# + # -- Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. + # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +@@ -311,26 +286,21 @@ additionalVolumeMounts: [] + + logs: + general: +- # -- By default, the logs use a text format (common), but you can +- # also ask for the json format in the format option +- # format: json ++ # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) ++ # @default common ++ format: + # By default, the level is set to ERROR. + # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: INFO + access: + # -- To enable access logs + enabled: false +- ## By default, logs are written using the Common Log Format (CLF) on stdout. +- ## To write logs in JSON, use json in the format option. +- ## If the given format is unsupported, the default (CLF) is used instead. +- # format: json ++ # -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) ++ format: + # filePath: "/var/log/traefik/access.log +- ## To write the logs in an asynchronous fashion, specify a bufferingSize option. +- ## This option represents the number of log lines Traefik will keep in memory before writing +- ## them to the selected output. In some cases, this option can greatly help performances. +- # bufferingSize: 100 +- ## Filtering +- # -- https://docs.traefik.io/observability/access-logs/#filtering ++ # -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) ++ bufferingSize: ++ # -- Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering) + filters: {} + # statuscodes: "200,300-302" + # retryattempts: true +@@ -345,15 +315,11 @@ logs: + names: {} + ## Examples: + # ClientUsername: drop ++ # -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers) + headers: + # -- Available modes: keep, drop, redact. + defaultmode: drop +- # -- Names of the headers to limit. + names: {} +- ## Examples: +- # User-Agent: redact +- # Authorization: drop +- # Content-Type: keep + + metrics: + ## -- Enable metrics for internal resources. Default: false +@@ -567,16 +533,15 @@ globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" + +-# +-# Configure Traefik static configuration + # -- Additional arguments to be passed at Traefik's binary +-# All available options available on https://docs.traefik.io/reference/static-configuration/cli/ +-## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` ++# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/) ++# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` + additionalArguments: [] + # - "--providers.kubernetesingress.ingressclass=traefik-internal" + # - "--log.level=DEBUG" + + # -- Environment variables to be passed to Traefik's binary ++# @default -- See _values.yaml_ + env: + - name: POD_NAME + valueFrom: +@@ -586,25 +551,9 @@ env: + valueFrom: + fieldRef: + fieldPath: metadata.namespace +-# - name: SOME_VAR +-# value: some-var-value +-# - name: SOME_VAR_FROM_CONFIG_MAP +-# valueFrom: +-# configMapRef: +-# name: configmap-name +-# key: config-key +-# - name: SOME_SECRET +-# valueFrom: +-# secretKeyRef: +-# name: secret-name +-# key: secret-key + + # -- Environment variables to be passed to Traefik's binary from configMaps or secrets + envFrom: [] +-# - configMapRef: +-# name: config-map-name +-# - secretRef: +-# name: secret-name + + ports: + traefik: +@@ -766,28 +715,12 @@ ports: + # -- The port protocol (TCP/UDP) + protocol: TCP + +-# -- TLS Options are created as TLSOption CRDs +-# https://doc.traefik.io/traefik/https/tls/#tls-options ++# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options) + # When using `labelSelector`, you'll need to set labels on tlsOption accordingly. +-# Example: +-# tlsOptions: +-# default: +-# labels: {} +-# sniStrict: true +-# custom-options: +-# labels: {} +-# curvePreferences: +-# - CurveP521 +-# - CurveP384 ++# See EXAMPLE.md for details. + tlsOptions: {} + +-# -- TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate +-# https://doc.traefik.io/traefik/https/tls/#default-certificate +-# Example: +-# tlsStore: +-# default: +-# defaultCertificate: +-# secretName: tls-cert ++# -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details. + tlsStore: {} + + service: +@@ -839,29 +772,8 @@ service: + + autoscaling: + # -- Create HorizontalPodAutoscaler object. ++ # See EXAMPLES.md for more details. + enabled: false +-# minReplicas: 1 +-# maxReplicas: 10 +-# metrics: +-# - type: Resource +-# resource: +-# name: cpu +-# target: +-# type: Utilization +-# averageUtilization: 60 +-# - type: Resource +-# resource: +-# name: memory +-# target: +-# type: Utilization +-# averageUtilization: 60 +-# behavior: +-# scaleDown: +-# stabilizationWindowSeconds: 300 +-# policies: +-# - type: Pods +-# value: 1 +-# periodSeconds: 60 + + persistence: + # -- Enable persistence using Persistent Volume Claims +@@ -879,27 +791,10 @@ persistence: + # -- Only mount a subpath of the Volume into the pod + # subPath: "" + +-# -- Certificates resolvers configuration ++# -- Certificates resolvers configuration. ++# Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers ++# See EXAMPLES.md for more details. + certResolvers: {} +-# letsencrypt: +-# # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ +-# email: email@example.com +-# dnsChallenge: +-# # also add the provider's required configuration under env +-# # or expand then from secrets/configmaps with envfrom +-# # cf. https://doc.traefik.io/traefik/https/acme/#providers +-# provider: digitalocean +-# # add futher options for the dns challenge as needed +-# # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge +-# delayBeforeCheck: 30 +-# resolvers: +-# - 1.1.1.1 +-# - 8.8.8.8 +-# tlsChallenge: true +-# httpChallenge: +-# entryPoint: "web" +-# # It has to match the path with a persistent volume +-# storage: /data/acme.json + + # -- If hostNetwork is true, runs traefik in the host network namespace + # To prevent unschedulabel pods due to port collisions, if hostNetwork=true +@@ -933,14 +828,8 @@ serviceAccount: + # -- Additional serviceAccount annotations (e.g. for oidc authentication) + serviceAccountAnnotations: {} + +-# -- The resources parameter defines CPU and memory requirements and limits for Traefik's containers. ++# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. + resources: {} +-# requests: +-# cpu: "100m" +-# memory: "50Mi" +-# limits: +-# cpu: "300m" +-# memory: "150Mi" + + # -- This example pod anti-affinity forces the scheduler to put traefik pods + # -- on nodes where no other traefik pods are scheduled. +@@ -970,30 +859,22 @@ topologySpreadConstraints: [] + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + +-# -- Pods can have priority. +-# -- Priority indicates the importance of a Pod relative to other Pods. ++# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) + priorityClassName: "" + +-# -- Set the container security context +-# -- To run the container with ports below 1024 this will need to be adjusted to run as root ++# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) ++# @default -- See _values.yaml_ + securityContext: ++ allowPrivilegeEscalation: false + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true +- allowPrivilegeEscalation: false + ++# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) ++# @default -- See _values.yaml_ + podSecurityContext: +- # /!\ When setting fsGroup, Kubernetes will recursively change ownership and +- # permissions for the contents of each volume to match the fsGroup. This can +- # be an issue when storing sensitive content like TLS Certificates /!\ +- # fsGroup: 65532 +- # -- Specifies the policy for changing ownership and permissions of volume contents to match the fsGroup. +- fsGroupChangePolicy: "OnRootMismatch" +- # -- The ID of the group for all containers in the pod to run as. + runAsGroup: 65532 +- # -- Specifies whether the containers should run as a non-root user. + runAsNonRoot: true +- # -- The ID of the user for all containers in the pod to run as. + runAsUser: 65532 + + # +@@ -1003,16 +884,16 @@ podSecurityContext: + # See #595 for more details and traefik/tests/values/extra.yaml for example. + extraObjects: [] + +-# This will override the default Release Namespace for Helm. ++# -- This field override the default Release Namespace for Helm. + # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` +-# namespaceOverride: traefik +-# +-## -- This will override the default app.kubernetes.io/instance label for all Objects. +-# instanceLabelOverride: traefik ++namespaceOverride: ++ ++## -- This field override the default app.kubernetes.io/instance label for all Objects. ++instanceLabelOverride: + +-# -- Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/ ++# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/ + hub: +- # Name of Secret with key 'token' set to a valid license token. ++ # -- Name of `Secret` with key 'token' set to a valid license token. + # It enables API Gateway. + token: + apimanagement: +``` + +## 28.1.0 ![AppVersion: v3.0.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +* fix(Traefik Hub): do not deploy mutating webhook when enabling only API Gateway +* feat(Traefik Hub): use Traefik Proxy otlp config +* chore: 🔧 update Traefik Hub CRD to v1.3.3 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 70297f6..2fd9282 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1010,3 +1010,49 @@ + ## -- This will override the default app.kubernetes.io/instance label for all Objects. + # instanceLabelOverride: traefik + ++# -- Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/ ++hub: ++ # Name of Secret with key 'token' set to a valid license token. ++ # It enables API Gateway. ++ token: ++ apimanagement: ++ # -- Set to true in order to enable API Management. Requires a valid license token. ++ enabled: ++ admission: ++ # -- WebHook admission server listen address. Default: "0.0.0.0:9943". ++ listenAddr: ++ # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". ++ secretName: ++ ++ ratelimit: ++ redis: ++ # -- Enable Redis Cluster. Default: true. ++ cluster: ++ # -- Database used to store information. Default: "0". ++ database: ++ # -- Endpoints of the Redis instances to connect to. Default: "". ++ endpoints: ++ # -- The username to use when connecting to Redis endpoints. Default: "". ++ username: ++ # -- The password to use when connecting to Redis endpoints. Default: "". ++ password: ++ sentinel: ++ # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". ++ masterset: ++ # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". ++ username: ++ # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". ++ password: ++ # -- Timeout applied on connection with redis. Default: "0s". ++ timeout: ++ tls: ++ # -- Path to the certificate authority used for the secured connection. ++ ca: ++ # -- Path to the public certificate used for the secure connection. ++ cert: ++ # -- Path to the private key used for the secure connection. ++ key: ++ # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. ++ insecureSkipVerify: ++ # Enable export of errors logs to the platform. Default: true. ++ sendlogs: +``` + +## 28.1.0-beta.3 ![AppVersion: v3.0.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-05-03 + +* chore: 🔧 update Traefik Hub CRD to v1.3.2 +* chore(release): 🚀 publish v28.1.0-beta.3 + +## 28.1.0-beta.2 ![AppVersion: v3.0.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-05-02 + +* fix: 🐛 refine Traefik Hub support +* chore(release): 🚀 publish v28.1.0-beta.2 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ce0a7a3..70297f6 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1015,13 +1015,15 @@ hub: + # Name of Secret with key 'token' set to a valid license token. + # It enables API Gateway. + token: +- admission: +- # -- WebHook admission server listen address. Default: "0.0.0.0:9943". +- listenAddr: +- # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". +- secretName: +- # -- Set to true in order to enable API Management. Requires a valid license token. + apimanagement: ++ # -- Set to true in order to enable API Management. Requires a valid license token. ++ enabled: ++ admission: ++ # -- WebHook admission server listen address. Default: "0.0.0.0:9943". ++ listenAddr: ++ # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". ++ secretName: ++ + metrics: + opentelemetry: + # -- Set to true to enable OpenTelemetry metrics exporter of Traefik Hub. +``` + +## 28.1.0-beta.1 ![AppVersion: v3.0.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-04-30 + +* feat: :rocket: add initial support for Traefik Hub Api Gateway +* chore(release): 🚀 publish v28.1.0-beta.1 + +## 28.0.0 ![AppVersion: v3.0.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-04-30 + +* style: 🎨 consistent capitalization on `--entryPoints` CLI flag +* fix: 🐛 only expose http3 port on service when TCP variant is exposed +* fix: 🐛 logs filters on status codes +* feat: ✨ add support of `experimental-v3.0` unstable version +* feat: ability to override liveness and readiness probe paths +* feat(ports): add transport options +* chore(release): publish v28.0.0 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c0d72d8..2bff10d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -38,6 +38,12 @@ deployment: + ## Override the liveness/readiness scheme. Useful for getting ping to + ## respond on websecure entryPoint. + # healthchecksScheme: HTTPS ++ ## Override the readiness path. ++ ## Default: /ping ++ # readinessPath: /ping ++ # Override the liveness path. ++ # Default: /ping ++ # livenessPath: /ping + # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # -- Additional deployment labels (e.g. for filtering deployment by custom labels) +@@ -648,15 +654,28 @@ ports: + # (Optional) + # priority: 10 + # +- # Trust forwarded headers information (X-Forwarded-*). ++ # -- Trust forwarded headers information (X-Forwarded-*). + # forwardedHeaders: + # trustedIPs: [] + # insecure: false + # +- # Enable the Proxy Protocol header parsing for the entry point ++ # -- Enable the Proxy Protocol header parsing for the entry point + # proxyProtocol: + # trustedIPs: [] + # insecure: false ++ # ++ # -- Set transport settings for the entrypoint; see also ++ # https://doc.traefik.io/traefik/routing/entrypoints/#transport ++ transport: ++ respondingTimeouts: ++ readTimeout: ++ writeTimeout: ++ idleTimeout: ++ lifeCycle: ++ requestAcceptGraceTimeout: ++ graceTimeOut: ++ keepAliveMaxRequests: ++ keepAliveMaxTime: + websecure: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true +@@ -684,16 +703,29 @@ ports: + enabled: false + # advertisedPort: 4443 + # +- ## -- Trust forwarded headers information (X-Forwarded-*). ++ # -- Trust forwarded headers information (X-Forwarded-*). + # forwardedHeaders: + # trustedIPs: [] + # insecure: false + # +- ## -- Enable the Proxy Protocol header parsing for the entry point ++ # -- Enable the Proxy Protocol header parsing for the entry point + # proxyProtocol: + # trustedIPs: [] + # insecure: false + # ++ # -- Set transport settings for the entrypoint; see also ++ # https://doc.traefik.io/traefik/routing/entrypoints/#transport ++ transport: ++ respondingTimeouts: ++ readTimeout: ++ writeTimeout: ++ idleTimeout: ++ lifeCycle: ++ requestAcceptGraceTimeout: ++ graceTimeOut: ++ keepAliveMaxRequests: ++ keepAliveMaxTime: ++ # + ## Set TLS at the entrypoint + ## https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: +``` + +## 28.0.0-rc1 ![AppVersion: v3.0.0-rc5](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0-rc5&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-04-17 + +**Upgrade Notes** + +This is a major breaking upgrade. [Migration guide](https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/) have been applied on the chart. + +It needs a Kubernetes v1.22 or higher. +All CRDs using _API Group_ `traefik.containo.us` are not supported anymore in Traefik Proxy v3 + +CRDs needs to be upgraded: `kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/` + +After upgrade, CRDs with _API Group_ `traefik.containo.us` can be removed: + +```shell +kubectl delete crds \ + ingressroutes.traefik.containo.us \ + ingressroutetcps.traefik.containo.us \ + ingressrouteudps.traefik.containo.us \ + middlewares.traefik.containo.us \ + middlewaretcps.traefik.containo.us \ + serverstransports.traefik.containo.us \ + tlsoptions.traefik.containo.us \ + tlsstores.traefik.containo.us \ + traefikservices.traefik.containo.us +``` + +**Changes** + +* feat(podtemplate): set GOMEMLIMIT, GOMAXPROCS when limits are defined +* feat: ✨ fail gracefully when required port number is not set +* feat!: :boom: initial support of Traefik Proxy v3 +* docs: 📚️ improve EXAMPLES on acme resolver +* chore(release): 🚀 publish v28 rc1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index cd9fb6e..c0d72d8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -120,12 +120,13 @@ ingressClass: + isDefaultClass: true + # name: my-custom-class + ++core: ++ # -- Can be used to use globally v2 router syntax ++ # See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes ++ defaultRuleSyntax: ++ + # Traefik experimental features + experimental: +- # This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" +- # v3: +- # -- Enable traefik version 3 +- + # -- Enable traefik experimental plugins + plugins: {} + # demo: +@@ -309,7 +310,7 @@ logs: + # format: json + # By default, the level is set to ERROR. + # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. +- level: ERROR ++ level: INFO + access: + # -- To enable access logs + enabled: false +@@ -328,6 +329,8 @@ logs: + # statuscodes: "200,300-302" + # retryattempts: true + # minduration: 10ms ++ # -- Enables accessLogs for internal resources. Default: false. ++ addInternals: + fields: + general: + # -- Available modes: keep, drop, redact. +@@ -347,6 +350,9 @@ logs: + # Content-Type: keep + + metrics: ++ ## -- Enable metrics for internal resources. Default: false ++ addInternals: ++ + ## -- Prometheus is enabled by default. + ## -- It can be disabled by setting "prometheus: null" + prometheus: +@@ -376,31 +382,6 @@ metrics: + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false +- # influxdb: +- # ## Address instructs exporter to send metrics to influxdb at this address. +- # address: localhost:8089 +- # ## InfluxDB's address protocol (udp or http). Default="udp" +- # protocol: udp +- # ## InfluxDB database used when protocol is http. Default="" +- # # database: "" +- # ## InfluxDB retention policy used when protocol is http. Default="" +- # # retentionPolicy: "" +- # ## InfluxDB username (only with http). Default="" +- # # username: "" +- # ## InfluxDB password (only with http). Default="" +- # # password: "" +- # ## The interval used by the exporter to push metrics to influxdb. Default=10s +- # # pushInterval: 30s +- # ## Additional labels (influxdb tags) on all metrics. +- # # additionalLabels: +- # # env: production +- # # foo: bar +- # ## Enable metrics on entry points. Default=true +- # # addEntryPointsLabels: false +- # ## Enable metrics on routers. Default=false +- # # addRoutersLabels: true +- # ## Enable metrics on services. Default=true +- # # addServicesLabels: false + # influxdb2: + # ## Address instructs exporter to send metrics to influxdb v2 at this address. + # address: localhost:8086 +@@ -435,43 +416,53 @@ metrics: + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false +- # openTelemetry: +- # ## Address of the OpenTelemetry Collector to send metrics to. +- # address: "localhost:4318" +- # ## Enable metrics on entry points. +- # addEntryPointsLabels: true +- # ## Enable metrics on routers. +- # addRoutersLabels: true +- # ## Enable metrics on services. +- # addServicesLabels: true +- # ## Explicit boundaries for Histogram data points. +- # explicitBoundaries: +- # - "0.1" +- # - "0.3" +- # - "1.2" +- # - "5.0" +- # ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. +- # headers: +- # foo: bar +- # test: test +- # ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. +- # insecure: true +- # ## Interval at which metrics are sent to the OpenTelemetry Collector. +- # pushInterval: 10s +- # ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. +- # path: /foo/v1/traces +- # ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. +- # tls: +- # ## The path to the certificate authority, it defaults to the system bundle. +- # ca: path/to/ca.crt +- # ## The path to the public certificate. When using this option, setting the key option is required. +- # cert: path/to/foo.cert +- # ## The path to the private key. When using this option, setting the cert option is required. +- # key: path/to/key.key +- # ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +- # insecureSkipVerify: true +- # ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. +- # grpc: true ++ otlp: ++ # -- Set to true in order to enable the OpenTelemetry metrics ++ enabled: false ++ # -- Enable metrics on entry points. Default: true ++ addEntryPointsLabels: ++ # -- Enable metrics on routers. Default: false ++ addRoutersLabels: ++ # -- Enable metrics on services. Default: true ++ addServicesLabels: ++ # -- Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10] ++ explicitBoundaries: ++ # -- Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s ++ pushInterval: ++ http: ++ # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. ++ enabled: false ++ # -- Format: ://:. Default: http://localhost:4318/v1/metrics ++ endpoint: ++ # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. ++ headers: ++ ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++ tls: ++ # -- The path to the certificate authority, it defaults to the system bundle. ++ ca: ++ # -- The path to the public certificate. When using this option, setting the key option is required. ++ cert: ++ # -- The path to the private key. When using this option, setting the cert option is required. ++ key: ++ # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++ insecureSkipVerify: ++ grpc: ++ # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC ++ enabled: false ++ # -- Format: ://:. Default: http://localhost:4318/v1/metrics ++ endpoint: ++ # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. ++ insecure: ++ ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++ tls: ++ # -- The path to the certificate authority, it defaults to the system bundle. ++ ca: ++ # -- The path to the public certificate. When using this option, setting the key option is required. ++ cert: ++ # -- The path to the private key. When using this option, setting the cert option is required. ++ key: ++ # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++ insecureSkipVerify: + + ## -- enable optional CRDs for Prometheus Operator + ## +@@ -524,51 +515,46 @@ metrics: + + ## Tracing + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ +-tracing: {} +-# openTelemetry: # traefik v3+ only +-# grpc: true +-# insecure: true +-# address: localhost:4317 +-# instana: +-# localAgentHost: 127.0.0.1 +-# localAgentPort: 42699 +-# logLevel: info +-# enableAutoProfile: true +-# datadog: +-# localAgentHostPort: 127.0.0.1:8126 +-# debug: false +-# globalTag: "" +-# prioritySampling: false +-# jaeger: +-# samplingServerURL: http://localhost:5778/sampling +-# samplingType: const +-# samplingParam: 1.0 +-# localAgentHostPort: 127.0.0.1:6831 +-# gen128Bit: false +-# propagation: jaeger +-# traceContextHeaderName: uber-trace-id +-# disableAttemptReconnecting: true +-# collector: +-# endpoint: "" +-# user: "" +-# password: "" +-# zipkin: +-# httpEndpoint: http://localhost:9411/api/v2/spans +-# sameSpan: false +-# id128Bit: true +-# sampleRate: 1.0 +-# haystack: +-# localAgentHost: 127.0.0.1 +-# localAgentPort: 35000 +-# globalTag: "" +-# traceIDHeaderName: "" +-# parentIDHeaderName: "" +-# spanIDHeaderName: "" +-# baggagePrefixHeaderName: "" +-# elastic: +-# serverURL: http://localhost:8200 +-# secretToken: "" +-# serviceEnvironment: "" ++tracing: ++ # -- Enables tracing for internal resources. Default: false. ++ addInternals: ++ otlp: ++ # -- See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ ++ enabled: false ++ http: ++ # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. ++ enabled: false ++ # -- Format: ://:. Default: http://localhost:4318/v1/metrics ++ endpoint: ++ # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. ++ headers: ++ ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++ tls: ++ # -- The path to the certificate authority, it defaults to the system bundle. ++ ca: ++ # -- The path to the public certificate. When using this option, setting the key option is required. ++ cert: ++ # -- The path to the private key. When using this option, setting the cert option is required. ++ key: ++ # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++ insecureSkipVerify: ++ grpc: ++ # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC ++ enabled: false ++ # -- Format: ://:. Default: http://localhost:4318/v1/metrics ++ endpoint: ++ # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. ++ insecure: ++ ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++ tls: ++ # -- The path to the certificate authority, it defaults to the system bundle. ++ ca: ++ # -- The path to the public certificate. When using this option, setting the key option is required. ++ cert: ++ # -- The path to the private key. When using this option, setting the cert option is required. ++ key: ++ # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++ insecureSkipVerify: + + # -- Global command arguments to be passed to all traefik's pods + globalArguments: +@@ -756,7 +742,6 @@ ports: + # default: + # labels: {} + # sniStrict: true +-# preferServerCipherSuites: true + # custom-options: + # labels: {} + # curvePreferences: +``` + +## 27.0.0 ![AppVersion: v2.11.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.11.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-04-02 + +**Upgrade notes** + +Custom services and port exposure have been redesigned, requiring the following changes: +- if you were overriding port exposure behavior using the `expose` or `exposeInternal` flags, you should replace them with a service name to boolean mapping, i.e. replace this: + +```yaml +ports: + web: + expose: false + exposeInternal: true +``` + +with this: + +```yaml +ports: + web: + expose: + default: false + internal: true +``` + +- if you were previously using the `service.internal` value, you should migrate the values to the `service.additionalServices.internal` value instead; this should yield the same results, but make sure to carefully check for any changes! + +**Changes** + +* fix: remove null annotations on dashboard `IngressRoute` +* fix(rbac): do not create clusterrole for namespace deployment on Traefik v3 +* feat: restrict access to secrets +* feat!: :boom: refactor custom services and port exposure +* chore(release): 🚀 publish v27.0.0 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index dbd078f..363871d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -250,6 +250,9 @@ providers: + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] + # - "default" ++ # Disable cluster IngressClass Lookup - Requires Traefik V3. ++ # When combined with rbac.namespaced: true, ClusterRole will not be created and ingresses must use kubernetes.io/ingress.class annotation instead of spec.ingressClassName. ++ disableIngressClassLookup: false + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false +@@ -626,22 +629,20 @@ ports: + # -- You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress +- expose: false ++ expose: ++ default: false + # -- The exposed port for this service + exposedPort: 9000 + # -- The port protocol (TCP/UDP) + protocol: TCP +- # -- Defines whether the port is exposed on the internal service; +- # note that ports exposed on the default service are exposed on the internal +- # service by default as well. +- exposeInternal: false + web: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 + # containerPort: 8000 +- expose: true ++ expose: ++ default: true + exposedPort: 80 + ## -- Different target traefik port on the cluster, useful for IP type LB + # targetPort: 80 +@@ -650,10 +651,6 @@ ports: + # -- Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer. + # nodePort: 32080 +- # -- Defines whether the port is exposed on the internal service; +- # note that ports exposed on the default service are exposed on the internal +- # service by default as well. +- exposeInternal: false + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection +@@ -677,17 +674,14 @@ ports: + port: 8443 + # hostPort: 8443 + # containerPort: 8443 +- expose: true ++ expose: ++ default: true + exposedPort: 443 + ## -- Different target traefik port on the cluster, useful for IP type LB + # targetPort: 80 + ## -- The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 +- # -- Defines whether the port is exposed on the internal service; +- # note that ports exposed on the default service are exposed on the internal +- # service by default as well. +- exposeInternal: false + ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer. + # appProtocol: https + # +@@ -744,15 +738,12 @@ ports: + # -- You may not want to expose the metrics port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress +- expose: false ++ expose: ++ default: false + # -- The exposed port for this service + exposedPort: 9100 + # -- The port protocol (TCP/UDP) + protocol: TCP +- # -- Defines whether the port is exposed on the internal service; +- # note that ports exposed on the default service are exposed on the internal +- # service by default as well. +- exposeInternal: false + + # -- TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options +@@ -814,6 +805,7 @@ service: + # - IPv4 + # - IPv6 + ## ++ additionalServices: {} + ## -- An additional and optional internal Service. + ## Same parameters as external Service + # internal: +@@ -899,11 +891,14 @@ hostNetwork: false + rbac: + enabled: true + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. +- # If set to true, installs Role and RoleBinding. Providers will only watch target namespace. ++ # If set to true, installs Role and RoleBinding instead of ClusterRole/ClusterRoleBinding. Providers will only watch target namespace. ++ # When combined with providers.kubernetesIngress.disableIngressClassLookup: true and Traefik V3, ClusterRole to watch IngressClass is also disabled. + namespaced: false + # Enable user-facing roles + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + # aggregateTo: [ "admin" ] ++ # List of Kubernetes secrets that are accessible for Traefik. If empty, then access is granted to every secret. ++ secretResourceNames: [] + + # -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding + podSecurityPolicy: +``` + +## 26.1.0 ![AppVersion: v2.11.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.11.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-02-19 + +* fix: 🐛 set runtimeClassName at pod level +* fix: 🐛 missing quote on experimental plugin args +* fix: update traefik v3 serverstransporttcps CRD +* feat: set runtimeClassName on pod spec +* feat: create v1 Gateway and GatewayClass Version for Traefik v3 +* feat: allow exposure of ports on internal service only +* doc: fix invalid suggestion on TLSOption (#996) +* chore: 🔧 update maintainers +* chore: 🔧 promote jnoordsij to Traefik Helm Chart maintainer +* chore(release): 🚀 publish v26.1.0 +* chore(deps): update traefik docker tag to v2.11.0 +* chore(deps): update traefik docker tag to v2.10.7 +* chore(crds): update definitions for traefik v2.11 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index f9dac91..dbd078f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -100,6 +100,8 @@ deployment: + # port: 9000 + # host: localhost + # scheme: HTTP ++ # -- Set a runtimeClassName on pod ++ runtimeClassName: + + # -- Pod disruption budget + podDisruptionBudget: +@@ -629,6 +631,10 @@ ports: + exposedPort: 9000 + # -- The port protocol (TCP/UDP) + protocol: TCP ++ # -- Defines whether the port is exposed on the internal service; ++ # note that ports exposed on the default service are exposed on the internal ++ # service by default as well. ++ exposeInternal: false + web: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true +@@ -644,6 +650,10 @@ ports: + # -- Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer. + # nodePort: 32080 ++ # -- Defines whether the port is exposed on the internal service; ++ # note that ports exposed on the default service are exposed on the internal ++ # service by default as well. ++ exposeInternal: false + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection +@@ -674,6 +684,10 @@ ports: + ## -- The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 ++ # -- Defines whether the port is exposed on the internal service; ++ # note that ports exposed on the default service are exposed on the internal ++ # service by default as well. ++ exposeInternal: false + ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer. + # appProtocol: https + # +@@ -735,6 +749,10 @@ ports: + exposedPort: 9100 + # -- The port protocol (TCP/UDP) + protocol: TCP ++ # -- Defines whether the port is exposed on the internal service; ++ # note that ports exposed on the default service are exposed on the internal ++ # service by default as well. ++ exposeInternal: false + + # -- TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options +@@ -745,7 +763,7 @@ ports: + # labels: {} + # sniStrict: true + # preferServerCipherSuites: true +-# customOptions: ++# custom-options: + # labels: {} + # curvePreferences: + # - CurveP521 +@@ -796,7 +814,7 @@ service: + # - IPv4 + # - IPv6 + ## +- ## -- An additionnal and optional internal Service. ++ ## -- An additional and optional internal Service. + ## Same parameters as external Service + # internal: + # type: ClusterIP +``` + +## 26.0.0 ![AppVersion: v2.10.6](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.6&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-12-05 + +* fix: 🐛 improve confusing suggested value on openTelemetry.grpc +* fix: 🐛 declare http3 udp port, with or without hostport +* feat: 💥 deployment.podannotations support interpolation with tpl +* feat: allow update of namespace policy for websecure listener +* feat: allow defining startupProbe +* feat: add file provider +* feat: :boom: unify plugin import between traefik and this chart +* chore(release): 🚀 publish v26 +* chore(deps): update traefik docker tag to v2.10.6 +* Release namespace for Prometheus Operator resources + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 71e377e..f9dac91 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -40,6 +40,7 @@ deployment: + # -- Additional deployment labels (e.g. for filtering deployment by custom labels) + labels: {} + # -- Additional pod annotations (e.g. for mesh injection or prometheus scraping) ++ # It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}' + podAnnotations: {} + # -- Additional Pod labels (e.g. for filtering Pod by custom labels) + podLabels: {} +@@ -119,10 +120,12 @@ experimental: + # This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" + # v3: + # -- Enable traefik version 3 +- # enabled: false +- plugins: +- # -- Enable traefik experimental plugins +- enabled: false ++ ++ # -- Enable traefik experimental plugins ++ plugins: {} ++ # demo: ++ # moduleName: github.com/traefik/plugindemo ++ # version: v0.2.1 + kubernetesGateway: + # -- Enable traefik experimental GatewayClass CRD + enabled: false +@@ -206,6 +209,17 @@ livenessProbe: + # -- The number of seconds to wait for a probe response before considering it as failed. + timeoutSeconds: 2 + ++# -- Define Startup Probe for container: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes ++# eg. ++# `startupProbe: ++# exec: ++# command: ++# - mycommand ++# - foo ++# initialDelaySeconds: 5 ++# periodSeconds: 5` ++startupProbe: ++ + providers: + kubernetesCRD: + # -- Load Kubernetes IngressRoute provider +@@ -241,6 +255,23 @@ providers: + # By default this Traefik service + # pathOverride: "" + ++ file: ++ # -- Create a file provider ++ enabled: false ++ # -- Allows Traefik to automatically watch for file changes ++ watch: true ++ # -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) ++ content: "" ++ # http: ++ # routers: ++ # router0: ++ # entryPoints: ++ # - web ++ # middlewares: ++ # - my-basic-auth ++ # service: service-foo ++ # rule: Path(`/foo`) ++ + # + # -- Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. +@@ -487,7 +518,7 @@ metrics: + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: {} + # openTelemetry: # traefik v3+ only +-# grpc: {} ++# grpc: true + # insecure: true + # address: localhost:4317 + # instana: +``` + +## 25.0.0 ![AppVersion: v2.10.5](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.5&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-10-23 + +* revert: "fix: 🐛 remove old CRDs using traefik.containo.us" +* fix: 🐛 remove old CRDs using traefik.containo.us +* fix: disable ClusterRole and ClusterRoleBinding when not needed +* fix: detect correctly v3 version when using sha in `image.tag` +* fix: allow updateStrategy.rollingUpdate.maxUnavailable to be passed in as an int or string +* fix: add missing separator in crds +* fix: add Prometheus scraping annotations only if serviceMonitor not created +* feat: ✨ add healthcheck ingressRoute +* feat: :boom: support http redirections and http challenges with cert-manager +* feat: :boom: rework and allow update of namespace policy for Gateway +* docs: Fix typo in the default values file +* chore: remove label whitespace at TLSOption +* chore(release): publish v25.0.0 +* chore(deps): update traefik docker tag to v2.10.5 +* chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.12.3 +* chore(ci): 🔧 👷 add e2e test when releasing + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index aeec85c..71e377e 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -45,60 +45,60 @@ deployment: + podLabels: {} + # -- Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] +- # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host +- # - name: socat-proxy +- # image: alpine/socat:1.0.5 +- # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] +- # volumeMounts: +- # - name: dsdsocket +- # mountPath: /socket ++ # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host ++ # - name: socat-proxy ++ # image: alpine/socat:1.0.5 ++ # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] ++ # volumeMounts: ++ # - name: dsdsocket ++ # mountPath: /socket + # -- Additional volumes available for use with initContainers and additionalContainers + additionalVolumes: [] +- # - name: dsdsocket +- # hostPath: +- # path: /var/run/statsd-exporter ++ # - name: dsdsocket ++ # hostPath: ++ # path: /var/run/statsd-exporter + # -- Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] +- # The "volume-permissions" init container is required if you run into permission issues. +- # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 +- # - name: volume-permissions +- # image: busybox:latest +- # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] +- # securityContext: +- # runAsNonRoot: true +- # runAsGroup: 65532 +- # runAsUser: 65532 +- # volumeMounts: +- # - name: data +- # mountPath: /data ++ # The "volume-permissions" init container is required if you run into permission issues. ++ # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 ++ # - name: volume-permissions ++ # image: busybox:latest ++ # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] ++ # securityContext: ++ # runAsNonRoot: true ++ # runAsGroup: 65532 ++ # runAsUser: 65532 ++ # volumeMounts: ++ # - name: data ++ # mountPath: /data + # -- Use process namespace sharing + shareProcessNamespace: false + # -- Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + dnsConfig: {} +- # nameservers: +- # - 192.0.2.1 # this is an example +- # searches: +- # - ns1.svc.cluster-domain.example +- # - my.dns.search.suffix +- # options: +- # - name: ndots +- # value: "2" +- # - name: edns0 ++ # nameservers: ++ # - 192.0.2.1 # this is an example ++ # searches: ++ # - ns1.svc.cluster-domain.example ++ # - my.dns.search.suffix ++ # options: ++ # - name: ndots ++ # value: "2" ++ # - name: edns0 + # -- Additional imagePullSecrets + imagePullSecrets: [] +- # - name: myRegistryKeySecretName ++ # - name: myRegistryKeySecretName + # -- Pod lifecycle actions + lifecycle: {} +- # preStop: +- # exec: +- # command: ["/bin/sh", "-c", "sleep 40"] +- # postStart: +- # httpGet: +- # path: /ping +- # port: 9000 +- # host: localhost +- # scheme: HTTP ++ # preStop: ++ # exec: ++ # command: ["/bin/sh", "-c", "sleep 40"] ++ # postStart: ++ # httpGet: ++ # path: /ping ++ # port: 9000 ++ # host: localhost ++ # scheme: HTTP + + # -- Pod disruption budget + podDisruptionBudget: +@@ -116,9 +116,9 @@ ingressClass: + + # Traefik experimental features + experimental: +- #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" +- #v3: +- # -- Enable traefik version 3 ++ # This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" ++ # v3: ++ # -- Enable traefik version 3 + # enabled: false + plugins: + # -- Enable traefik experimental plugins +@@ -126,9 +126,9 @@ experimental: + kubernetesGateway: + # -- Enable traefik experimental GatewayClass CRD + enabled: false +- gateway: +- # -- Enable traefik regular kubernetes gateway +- enabled: true ++ ## Routes are restricted to namespace of the gateway by default. ++ ## https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.FromNamespaces ++ # namespacePolicy: All + # certificate: + # group: "core" + # kind: "Secret" +@@ -159,6 +159,22 @@ ingressRoute: + middlewares: [] + # -- TLS options (e.g. secret containing certificate) + tls: {} ++ healthcheck: ++ # -- Create an IngressRoute for the healthcheck probe ++ enabled: false ++ # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) ++ annotations: {} ++ # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) ++ labels: {} ++ # -- The router match rule used for the healthcheck ingressRoute ++ matchRule: PathPrefix(`/ping`) ++ # -- Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure). ++ # By default, it's using traefik entrypoint, which is not exposed. ++ entryPoints: ["traefik"] ++ # -- Additional ingressRoute middlewares (e.g. for authentication) ++ middlewares: [] ++ # -- TLS options (e.g. secret containing certificate) ++ tls: {} + + updateStrategy: + # -- Customize updateStrategy: RollingUpdate or OnDelete +@@ -204,10 +220,10 @@ providers: + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +- # - "default" ++ # - "default" + + kubernetesIngress: +- # -- Load Kubernetes IngressRoute provider ++ # -- Load Kubernetes Ingress provider + enabled: true + # -- Allows to reference ExternalName services in Ingress + allowExternalNameServices: false +@@ -217,7 +233,7 @@ providers: + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +- # - "default" ++ # - "default" + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false +@@ -243,9 +259,9 @@ volumes: [] + + # -- Additional volumeMounts to add to the Traefik container + additionalVolumeMounts: [] +- # -- For instance when using a logshipper for access logs +- # - name: traefik-logs +- # mountPath: /var/log/traefik ++# -- For instance when using a logshipper for access logs ++# - name: traefik-logs ++# mountPath: /var/log/traefik + + logs: + general: +@@ -270,26 +286,26 @@ logs: + ## Filtering + # -- https://docs.traefik.io/observability/access-logs/#filtering + filters: {} +- # statuscodes: "200,300-302" +- # retryattempts: true +- # minduration: 10ms ++ # statuscodes: "200,300-302" ++ # retryattempts: true ++ # minduration: 10ms + fields: + general: + # -- Available modes: keep, drop, redact. + defaultmode: keep + # -- Names of the fields to limit. + names: {} +- ## Examples: +- # ClientUsername: drop ++ ## Examples: ++ # ClientUsername: drop + headers: + # -- Available modes: keep, drop, redact. + defaultmode: drop + # -- Names of the headers to limit. + names: {} +- ## Examples: +- # User-Agent: redact +- # Authorization: drop +- # Content-Type: keep ++ ## Examples: ++ # User-Agent: redact ++ # Authorization: drop ++ # Content-Type: keep + + metrics: + ## -- Prometheus is enabled by default. +@@ -308,118 +324,118 @@ metrics: + ## When manualRouting is true, it disables the default internal router in + ## order to allow creating a custom router for prometheus@internal service. + # manualRouting: true +-# datadog: +-# ## Address instructs exporter to send metrics to datadog-agent at this address. +-# address: "127.0.0.1:8125" +-# ## The interval used by the exporter to push metrics to datadog-agent. Default=10s +-# # pushInterval: 30s +-# ## The prefix to use for metrics collection. Default="traefik" +-# # prefix: traefik +-# ## Enable metrics on entry points. Default=true +-# # addEntryPointsLabels: false +-# ## Enable metrics on routers. Default=false +-# # addRoutersLabels: true +-# ## Enable metrics on services. Default=true +-# # addServicesLabels: false +-# influxdb: +-# ## Address instructs exporter to send metrics to influxdb at this address. +-# address: localhost:8089 +-# ## InfluxDB's address protocol (udp or http). Default="udp" +-# protocol: udp +-# ## InfluxDB database used when protocol is http. Default="" +-# # database: "" +-# ## InfluxDB retention policy used when protocol is http. Default="" +-# # retentionPolicy: "" +-# ## InfluxDB username (only with http). Default="" +-# # username: "" +-# ## InfluxDB password (only with http). Default="" +-# # password: "" +-# ## The interval used by the exporter to push metrics to influxdb. Default=10s +-# # pushInterval: 30s +-# ## Additional labels (influxdb tags) on all metrics. +-# # additionalLabels: +-# # env: production +-# # foo: bar +-# ## Enable metrics on entry points. Default=true +-# # addEntryPointsLabels: false +-# ## Enable metrics on routers. Default=false +-# # addRoutersLabels: true +-# ## Enable metrics on services. Default=true +-# # addServicesLabels: false +-# influxdb2: +-# ## Address instructs exporter to send metrics to influxdb v2 at this address. +-# address: localhost:8086 +-# ## Token with which to connect to InfluxDB v2. +-# token: xxx +-# ## Organisation where metrics will be stored. +-# org: "" +-# ## Bucket where metrics will be stored. +-# bucket: "" +-# ## The interval used by the exporter to push metrics to influxdb. Default=10s +-# # pushInterval: 30s +-# ## Additional labels (influxdb tags) on all metrics. +-# # additionalLabels: +-# # env: production +-# # foo: bar +-# ## Enable metrics on entry points. Default=true +-# # addEntryPointsLabels: false +-# ## Enable metrics on routers. Default=false +-# # addRoutersLabels: true +-# ## Enable metrics on services. Default=true +-# # addServicesLabels: false +-# statsd: +-# ## Address instructs exporter to send metrics to statsd at this address. +-# address: localhost:8125 +-# ## The interval used by the exporter to push metrics to influxdb. Default=10s +-# # pushInterval: 30s +-# ## The prefix to use for metrics collection. Default="traefik" +-# # prefix: traefik +-# ## Enable metrics on entry points. Default=true +-# # addEntryPointsLabels: false +-# ## Enable metrics on routers. Default=false +-# # addRoutersLabels: true +-# ## Enable metrics on services. Default=true +-# # addServicesLabels: false +-# openTelemetry: +-# ## Address of the OpenTelemetry Collector to send metrics to. +-# address: "localhost:4318" +-# ## Enable metrics on entry points. +-# addEntryPointsLabels: true +-# ## Enable metrics on routers. +-# addRoutersLabels: true +-# ## Enable metrics on services. +-# addServicesLabels: true +-# ## Explicit boundaries for Histogram data points. +-# explicitBoundaries: +-# - "0.1" +-# - "0.3" +-# - "1.2" +-# - "5.0" +-# ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. +-# headers: +-# foo: bar +-# test: test +-# ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. +-# insecure: true +-# ## Interval at which metrics are sent to the OpenTelemetry Collector. +-# pushInterval: 10s +-# ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. +-# path: /foo/v1/traces +-# ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. +-# tls: +-# ## The path to the certificate authority, it defaults to the system bundle. +-# ca: path/to/ca.crt +-# ## The path to the public certificate. When using this option, setting the key option is required. +-# cert: path/to/foo.cert +-# ## The path to the private key. When using this option, setting the cert option is required. +-# key: path/to/key.key +-# ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +-# insecureSkipVerify: true +-# ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. +-# grpc: true +- +-## -- enable optional CRDs for Prometheus Operator +-## ++ # datadog: ++ # ## Address instructs exporter to send metrics to datadog-agent at this address. ++ # address: "127.0.0.1:8125" ++ # ## The interval used by the exporter to push metrics to datadog-agent. Default=10s ++ # # pushInterval: 30s ++ # ## The prefix to use for metrics collection. Default="traefik" ++ # # prefix: traefik ++ # ## Enable metrics on entry points. Default=true ++ # # addEntryPointsLabels: false ++ # ## Enable metrics on routers. Default=false ++ # # addRoutersLabels: true ++ # ## Enable metrics on services. Default=true ++ # # addServicesLabels: false ++ # influxdb: ++ # ## Address instructs exporter to send metrics to influxdb at this address. ++ # address: localhost:8089 ++ # ## InfluxDB's address protocol (udp or http). Default="udp" ++ # protocol: udp ++ # ## InfluxDB database used when protocol is http. Default="" ++ # # database: "" ++ # ## InfluxDB retention policy used when protocol is http. Default="" ++ # # retentionPolicy: "" ++ # ## InfluxDB username (only with http). Default="" ++ # # username: "" ++ # ## InfluxDB password (only with http). Default="" ++ # # password: "" ++ # ## The interval used by the exporter to push metrics to influxdb. Default=10s ++ # # pushInterval: 30s ++ # ## Additional labels (influxdb tags) on all metrics. ++ # # additionalLabels: ++ # # env: production ++ # # foo: bar ++ # ## Enable metrics on entry points. Default=true ++ # # addEntryPointsLabels: false ++ # ## Enable metrics on routers. Default=false ++ # # addRoutersLabels: true ++ # ## Enable metrics on services. Default=true ++ # # addServicesLabels: false ++ # influxdb2: ++ # ## Address instructs exporter to send metrics to influxdb v2 at this address. ++ # address: localhost:8086 ++ # ## Token with which to connect to InfluxDB v2. ++ # token: xxx ++ # ## Organisation where metrics will be stored. ++ # org: "" ++ # ## Bucket where metrics will be stored. ++ # bucket: "" ++ # ## The interval used by the exporter to push metrics to influxdb. Default=10s ++ # # pushInterval: 30s ++ # ## Additional labels (influxdb tags) on all metrics. ++ # # additionalLabels: ++ # # env: production ++ # # foo: bar ++ # ## Enable metrics on entry points. Default=true ++ # # addEntryPointsLabels: false ++ # ## Enable metrics on routers. Default=false ++ # # addRoutersLabels: true ++ # ## Enable metrics on services. Default=true ++ # # addServicesLabels: false ++ # statsd: ++ # ## Address instructs exporter to send metrics to statsd at this address. ++ # address: localhost:8125 ++ # ## The interval used by the exporter to push metrics to influxdb. Default=10s ++ # # pushInterval: 30s ++ # ## The prefix to use for metrics collection. Default="traefik" ++ # # prefix: traefik ++ # ## Enable metrics on entry points. Default=true ++ # # addEntryPointsLabels: false ++ # ## Enable metrics on routers. Default=false ++ # # addRoutersLabels: true ++ # ## Enable metrics on services. Default=true ++ # # addServicesLabels: false ++ # openTelemetry: ++ # ## Address of the OpenTelemetry Collector to send metrics to. ++ # address: "localhost:4318" ++ # ## Enable metrics on entry points. ++ # addEntryPointsLabels: true ++ # ## Enable metrics on routers. ++ # addRoutersLabels: true ++ # ## Enable metrics on services. ++ # addServicesLabels: true ++ # ## Explicit boundaries for Histogram data points. ++ # explicitBoundaries: ++ # - "0.1" ++ # - "0.3" ++ # - "1.2" ++ # - "5.0" ++ # ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. ++ # headers: ++ # foo: bar ++ # test: test ++ # ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. ++ # insecure: true ++ # ## Interval at which metrics are sent to the OpenTelemetry Collector. ++ # pushInterval: 10s ++ # ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. ++ # path: /foo/v1/traces ++ # ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++ # tls: ++ # ## The path to the certificate authority, it defaults to the system bundle. ++ # ca: path/to/ca.crt ++ # ## The path to the public certificate. When using this option, setting the key option is required. ++ # cert: path/to/foo.cert ++ # ## The path to the private key. When using this option, setting the cert option is required. ++ # key: path/to/key.key ++ # ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++ # insecureSkipVerify: true ++ # ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. ++ # grpc: true ++ ++ ## -- enable optional CRDs for Prometheus Operator ++ ## + ## Create a dedicated metrics service for use with ServiceMonitor + # service: + # enabled: false +@@ -470,55 +486,55 @@ metrics: + ## Tracing + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: {} +- # openTelemetry: # traefik v3+ only +- # grpc: {} +- # insecure: true +- # address: localhost:4317 +- # instana: +- # localAgentHost: 127.0.0.1 +- # localAgentPort: 42699 +- # logLevel: info +- # enableAutoProfile: true +- # datadog: +- # localAgentHostPort: 127.0.0.1:8126 +- # debug: false +- # globalTag: "" +- # prioritySampling: false +- # jaeger: +- # samplingServerURL: http://localhost:5778/sampling +- # samplingType: const +- # samplingParam: 1.0 +- # localAgentHostPort: 127.0.0.1:6831 +- # gen128Bit: false +- # propagation: jaeger +- # traceContextHeaderName: uber-trace-id +- # disableAttemptReconnecting: true +- # collector: +- # endpoint: "" +- # user: "" +- # password: "" +- # zipkin: +- # httpEndpoint: http://localhost:9411/api/v2/spans +- # sameSpan: false +- # id128Bit: true +- # sampleRate: 1.0 +- # haystack: +- # localAgentHost: 127.0.0.1 +- # localAgentPort: 35000 +- # globalTag: "" +- # traceIDHeaderName: "" +- # parentIDHeaderName: "" +- # spanIDHeaderName: "" +- # baggagePrefixHeaderName: "" +- # elastic: +- # serverURL: http://localhost:8200 +- # secretToken: "" +- # serviceEnvironment: "" ++# openTelemetry: # traefik v3+ only ++# grpc: {} ++# insecure: true ++# address: localhost:4317 ++# instana: ++# localAgentHost: 127.0.0.1 ++# localAgentPort: 42699 ++# logLevel: info ++# enableAutoProfile: true ++# datadog: ++# localAgentHostPort: 127.0.0.1:8126 ++# debug: false ++# globalTag: "" ++# prioritySampling: false ++# jaeger: ++# samplingServerURL: http://localhost:5778/sampling ++# samplingType: const ++# samplingParam: 1.0 ++# localAgentHostPort: 127.0.0.1:6831 ++# gen128Bit: false ++# propagation: jaeger ++# traceContextHeaderName: uber-trace-id ++# disableAttemptReconnecting: true ++# collector: ++# endpoint: "" ++# user: "" ++# password: "" ++# zipkin: ++# httpEndpoint: http://localhost:9411/api/v2/spans ++# sameSpan: false ++# id128Bit: true ++# sampleRate: 1.0 ++# haystack: ++# localAgentHost: 127.0.0.1 ++# localAgentPort: 35000 ++# globalTag: "" ++# traceIDHeaderName: "" ++# parentIDHeaderName: "" ++# spanIDHeaderName: "" ++# baggagePrefixHeaderName: "" ++# elastic: ++# serverURL: http://localhost:8200 ++# secretToken: "" ++# serviceEnvironment: "" + + # -- Global command arguments to be passed to all traefik's pods + globalArguments: +- - "--global.checknewversion" +- - "--global.sendanonymoususage" ++- "--global.checknewversion" ++- "--global.sendanonymoususage" + + # + # Configure Traefik static configuration +@@ -531,14 +547,14 @@ additionalArguments: [] + + # -- Environment variables to be passed to Traefik's binary + env: +- - name: POD_NAME +- valueFrom: +- fieldRef: +- fieldPath: metadata.name +- - name: POD_NAMESPACE +- valueFrom: +- fieldRef: +- fieldPath: metadata.namespace ++- name: POD_NAME ++ valueFrom: ++ fieldRef: ++ fieldPath: metadata.name ++- name: POD_NAMESPACE ++ valueFrom: ++ fieldRef: ++ fieldPath: metadata.namespace + # - name: SOME_VAR + # value: some-var-value + # - name: SOME_VAR_FROM_CONFIG_MAP +@@ -600,7 +616,10 @@ ports: + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection +- # redirectTo: websecure ++ # redirectTo: ++ # port: websecure ++ # (Optional) ++ # priority: 10 + # + # Trust forwarded headers information (X-Forwarded-*). + # forwardedHeaders: +@@ -638,14 +657,14 @@ ports: + # advertisedPort: 4443 + # + ## -- Trust forwarded headers information (X-Forwarded-*). +- #forwardedHeaders: +- # trustedIPs: [] +- # insecure: false ++ # forwardedHeaders: ++ # trustedIPs: [] ++ # insecure: false + # + ## -- Enable the Proxy Protocol header parsing for the entry point +- #proxyProtocol: +- # trustedIPs: [] +- # insecure: false ++ # proxyProtocol: ++ # trustedIPs: [] ++ # insecure: false + # + ## Set TLS at the entrypoint + ## https://doc.traefik.io/traefik/routing/entrypoints/#tls +@@ -728,16 +747,16 @@ service: + # -- Additional entries here will be added to the service spec. + # -- Cannot contain type, selector or ports entries. + spec: {} +- # externalTrafficPolicy: Cluster +- # loadBalancerIP: "1.2.3.4" +- # clusterIP: "2.3.4.5" ++ # externalTrafficPolicy: Cluster ++ # loadBalancerIP: "1.2.3.4" ++ # clusterIP: "2.3.4.5" + loadBalancerSourceRanges: [] +- # - 192.168.0.1/32 +- # - 172.16.0.0/16 ++ # - 192.168.0.1/32 ++ # - 172.16.0.0/16 + ## -- Class of the load balancer implementation + # loadBalancerClass: service.k8s.aws/nlb + externalIPs: [] +- # - 1.2.3.4 ++ # - 1.2.3.4 + ## One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack + ## List of IP families (e.g. IPv4 and/or IPv6). +@@ -789,7 +808,7 @@ persistence: + # It can be used to store TLS certificates, see `storage` in certResolvers + enabled: false + name: data +-# existingClaim: "" ++ # existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi + # storageClass: "" +@@ -852,12 +871,12 @@ serviceAccountAnnotations: {} + + # -- The resources parameter defines CPU and memory requirements and limits for Traefik's containers. + resources: {} +- # requests: +- # cpu: "100m" +- # memory: "50Mi" +- # limits: +- # cpu: "300m" +- # memory: "150Mi" ++# requests: ++# cpu: "100m" ++# memory: "50Mi" ++# limits: ++# cpu: "300m" ++# memory: "150Mi" + + # -- This example pod anti-affinity forces the scheduler to put traefik pods + # -- on nodes where no other traefik pods are scheduled. +``` + +## 24.0.0 ![AppVersion: v2.10.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.4&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-08-10 + +* fix: 💥 BREAKING CHANGE on healthchecks and traefik port +* fix: tracing.opentelemetry.tls is optional for all values +* fix: http3 support broken when advertisedPort set +* feat: multi namespace RBAC manifests +* chore(tests): 🔧 fix typo on tracing test +* chore(release): 🚀 publish v24.0.0 +* chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.12.2 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 947ba56..aeec85c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -28,6 +28,13 @@ deployment: + terminationGracePeriodSeconds: 60 + # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 ++ ## Override the liveness/readiness port. This is useful to integrate traefik ++ ## with an external Load Balancer that performs healthchecks. ++ ## Default: ports.traefik.port ++ # healthchecksPort: 9000 ++ ## Override the liveness/readiness scheme. Useful for getting ping to ++ ## respond on websecure entryPoint. ++ # healthchecksScheme: HTTPS + # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # -- Additional deployment labels (e.g. for filtering deployment by custom labels) +@@ -112,7 +119,7 @@ experimental: + #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" + #v3: + # -- Enable traefik version 3 +- # enabled: false ++ # enabled: false + plugins: + # -- Enable traefik experimental plugins + enabled: false +@@ -564,15 +571,6 @@ ports: + # only. + # hostIP: 192.168.100.10 + +- # Override the liveness/readiness port. This is useful to integrate traefik +- # with an external Load Balancer that performs healthchecks. +- # Default: ports.traefik.port +- # healthchecksPort: 9000 +- +- # Override the liveness/readiness scheme. Useful for getting ping to +- # respond on websecure entryPoint. +- # healthchecksScheme: HTTPS +- + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +@@ -877,7 +875,7 @@ affinity: {} + nodeSelector: {} + # -- Tolerations allow the scheduler to schedule pods with matching taints. + tolerations: [] +-# -- You can use topology spread constraints to control ++# -- You can use topology spread constraints to control + # how Pods are spread across your cluster among failure-domains. + topologySpreadConstraints: [] + # This example topologySpreadConstraints forces the scheduler to put traefik pods +``` + +## 23.2.0 ![AppVersion: v2.10.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.4&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-07-27 + +* ⬆️ Upgrade traefik Docker tag to v2.10.3 +* release: :rocket: publish v23.2.0 +* fix: 🐛 update traefik.containo.us CRDs to v2.10 +* fix: 🐛 traefik or metrics port can be disabled +* fix: ingressclass name should be customizable (#864) +* feat: ✨ add support for traefik v3.0.0-beta3 and openTelemetry +* feat: disable allowPrivilegeEscalation +* feat: add pod_name as default in values.yaml +* chore(tests): 🔧 use more accurate asserts on refactor'd isNull test +* chore(deps): update traefik docker tag to v2.10.4 +* chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.11.3 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 345bbd8..947ba56 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -105,12 +105,14 @@ podDisruptionBudget: + ingressClass: + enabled: true + isDefaultClass: true ++ # name: my-custom-class + + # Traefik experimental features + experimental: +- v3: ++ #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" ++ #v3: + # -- Enable traefik version 3 +- enabled: false ++ # enabled: false + plugins: + # -- Enable traefik experimental plugins + enabled: false +@@ -461,6 +463,10 @@ metrics: + ## Tracing + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: {} ++ # openTelemetry: # traefik v3+ only ++ # grpc: {} ++ # insecure: true ++ # address: localhost:4317 + # instana: + # localAgentHost: 127.0.0.1 + # localAgentPort: 42699 +@@ -517,7 +523,15 @@ additionalArguments: [] + # - "--log.level=DEBUG" + + # -- Environment variables to be passed to Traefik's binary +-env: [] ++env: ++ - name: POD_NAME ++ valueFrom: ++ fieldRef: ++ fieldPath: metadata.name ++ - name: POD_NAMESPACE ++ valueFrom: ++ fieldRef: ++ fieldPath: metadata.namespace + # - name: SOME_VAR + # value: some-var-value + # - name: SOME_VAR_FROM_CONFIG_MAP +@@ -563,7 +577,7 @@ ports: + # NodePort. + # + # -- You SHOULD NOT expose the traefik port on production deployments. +- # If you want to access it from outside of your cluster, ++ # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # -- The exposed port for this service +@@ -571,7 +585,7 @@ ports: + # -- The port protocol (TCP/UDP) + protocol: TCP + web: +- ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 +@@ -600,7 +614,7 @@ ports: + # trustedIPs: [] + # insecure: false + websecure: +- ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8443 + # hostPort: 8443 +@@ -666,7 +680,7 @@ ports: + # NodePort. + # + # -- You may not want to expose the metrics port on production deployments. +- # If you want to access it from outside of your cluster, ++ # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # -- The exposed port for this service +@@ -880,14 +894,15 @@ topologySpreadConstraints: [] + priorityClassName: "" + + # -- Set the container security context +-# -- To run the container with ports below 1024 this will need to be adjust to run as root ++# -- To run the container with ports below 1024 this will need to be adjusted to run as root + securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true ++ allowPrivilegeEscalation: false + + podSecurityContext: +- # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and ++ # /!\ When setting fsGroup, Kubernetes will recursively change ownership and + # permissions for the contents of each volume to match the fsGroup. This can + # be an issue when storing sensitive content like TLS Certificates /!\ + # fsGroup: 65532 +``` + +## 23.1.0 ![AppVersion: v2.10.1](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.1&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-06-06 + +* release: 🚀 publish v23.1.0 +* fix: 🐛 use k8s version for hpa api version +* fix: 🐛 http3 support on traefik v3 +* fix: use `targetPort` instead of `port` on ServiceMonitor +* feat: ➖ remove Traefik Hub v1 integration +* feat: ✨ add a warning when labelSelector don't match +* feat: common labels for all resources +* feat: allow specifying service loadBalancerClass +* feat: add optional `appProtocol` field on Service ports +* doc: added values README via helm-docs cli + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 71273cc..345bbd8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,70 +1,56 @@ + # Default values for Traefik + image: ++ # -- Traefik image host registry + registry: docker.io ++ # -- Traefik image repository + repository: traefik +- # defaults to appVersion ++ # -- defaults to appVersion + tag: "" ++ # -- Traefik image pull policy + pullPolicy: IfNotPresent + +-# +-# Configure integration with Traefik Hub +-# +-hub: +- ## Enabling Hub will: +- # * enable Traefik Hub integration on Traefik +- # * add `traefikhub-tunl` endpoint +- # * enable Prometheus metrics with addRoutersLabels +- # * enable allowExternalNameServices on KubernetesIngress provider +- # * enable allowCrossNamespace on KubernetesCRD provider +- # * add an internal (ClusterIP) Service, dedicated for Traefik Hub +- enabled: false +- ## Default port can be changed +- # tunnelPort: 9901 +- ## TLS is optional. Insecure is mutually exclusive with any other options +- # tls: +- # insecure: false +- # ca: "/path/to/ca.pem" +- # cert: "/path/to/cert.pem" +- # key: "/path/to/key.pem" ++# -- Add additional label to all resources ++commonLabels: {} + + # + # Configure the deployment + # + deployment: ++ # -- Enable deployment + enabled: true +- # Can be either Deployment or DaemonSet ++ # -- Deployment or DaemonSet + kind: Deployment +- # Number of pods of the deployment (only applies when kind == Deployment) ++ # -- Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 +- # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) ++ # -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # revisionHistoryLimit: 1 +- # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down ++ # -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 +- # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available ++ # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 +- # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) ++ # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} +- # Additional deployment labels (e.g. for filtering deployment by custom labels) ++ # -- Additional deployment labels (e.g. for filtering deployment by custom labels) + labels: {} +- # Additional pod annotations (e.g. for mesh injection or prometheus scraping) ++ # -- Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} +- # Additional Pod labels (e.g. for filtering Pod by custom labels) ++ # -- Additional Pod labels (e.g. for filtering Pod by custom labels) + podLabels: {} +- # Additional containers (e.g. for metric offloading sidecars) ++ # -- Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] + # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host + # - name: socat-proxy +- # image: alpine/socat:1.0.5 +- # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] +- # volumeMounts: +- # - name: dsdsocket +- # mountPath: /socket +- # Additional volumes available for use with initContainers and additionalContainers ++ # image: alpine/socat:1.0.5 ++ # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] ++ # volumeMounts: ++ # - name: dsdsocket ++ # mountPath: /socket ++ # -- Additional volumes available for use with initContainers and additionalContainers + additionalVolumes: [] + # - name: dsdsocket + # hostPath: + # path: /var/run/statsd-exporter +- # Additional initContainers (e.g. for setting file permission as shown below) ++ # -- Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. + # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 +@@ -78,9 +64,9 @@ deployment: + # volumeMounts: + # - name: data + # mountPath: /data +- # Use process namespace sharing ++ # -- Use process namespace sharing + shareProcessNamespace: false +- # Custom pod DNS policy. Apply if `hostNetwork: true` ++ # -- Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + dnsConfig: {} + # nameservers: +@@ -92,10 +78,10 @@ deployment: + # - name: ndots + # value: "2" + # - name: edns0 +- # Additional imagePullSecrets ++ # -- Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName +- # Pod lifecycle actions ++ # -- Pod lifecycle actions + lifecycle: {} + # preStop: + # exec: +@@ -107,7 +93,7 @@ deployment: + # host: localhost + # scheme: HTTP + +-# Pod disruption budget ++# -- Pod disruption budget + podDisruptionBudget: + enabled: false + # maxUnavailable: 1 +@@ -115,93 +101,112 @@ podDisruptionBudget: + # minAvailable: 0 + # minAvailable: 25% + +-# Create a default IngressClass for Traefik ++# -- Create a default IngressClass for Traefik + ingressClass: + enabled: true + isDefaultClass: true + +-# Enable experimental features ++# Traefik experimental features + experimental: + v3: ++ # -- Enable traefik version 3 + enabled: false + plugins: ++ # -- Enable traefik experimental plugins + enabled: false + kubernetesGateway: ++ # -- Enable traefik experimental GatewayClass CRD + enabled: false + gateway: ++ # -- Enable traefik regular kubernetes gateway + enabled: true + # certificate: + # group: "core" + # kind: "Secret" + # name: "mysecret" +- # By default, Gateway would be created to the Namespace you are deploying Traefik to. ++ # -- By default, Gateway would be created to the Namespace you are deploying Traefik to. + # You may create that Gateway in another namespace, setting its name below: + # namespace: default + # Additional gateway annotations (e.g. for cert-manager.io/issuer) + # annotations: + # cert-manager.io/issuer: letsencrypt + +-# Create an IngressRoute for the dashboard ++## Create an IngressRoute for the dashboard + ingressRoute: + dashboard: ++ # -- Create an IngressRoute for the dashboard + enabled: true +- # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) ++ # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} +- # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) ++ # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} +- # The router match rule used for the dashboard ingressRoute ++ # -- The router match rule used for the dashboard ingressRoute + matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) +- # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). ++ # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. + # /!\ Do not expose your dashboard without any protection over the internet /!\ + entryPoints: ["traefik"] +- # Additional ingressRoute middlewares (e.g. for authentication) ++ # -- Additional ingressRoute middlewares (e.g. for authentication) + middlewares: [] +- # TLS options (e.g. secret containing certificate) ++ # -- TLS options (e.g. secret containing certificate) + tls: {} + +-# Customize updateStrategy of traefik pods + updateStrategy: ++ # -- Customize updateStrategy: RollingUpdate or OnDelete + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 + +-# Customize liveness and readiness probe values. + readinessProbe: ++ # -- The number of consecutive failures allowed before considering the probe as failed. + failureThreshold: 1 ++ # -- The number of seconds to wait before starting the first probe. + initialDelaySeconds: 2 ++ # -- The number of seconds to wait between consecutive probes. + periodSeconds: 10 ++ # -- The minimum consecutive successes required to consider the probe successful. + successThreshold: 1 ++ # -- The number of seconds to wait for a probe response before considering it as failed. + timeoutSeconds: 2 +- + livenessProbe: ++ # -- The number of consecutive failures allowed before considering the probe as failed. + failureThreshold: 3 ++ # -- The number of seconds to wait before starting the first probe. + initialDelaySeconds: 2 ++ # -- The number of seconds to wait between consecutive probes. + periodSeconds: 10 ++ # -- The minimum consecutive successes required to consider the probe successful. + successThreshold: 1 ++ # -- The number of seconds to wait for a probe response before considering it as failed. + timeoutSeconds: 2 + +-# +-# Configure providers +-# + providers: + kubernetesCRD: ++ # -- Load Kubernetes IngressRoute provider + enabled: true ++ # -- Allows IngressRoute to reference resources in namespace other than theirs + allowCrossNamespace: false ++ # -- Allows to reference ExternalName services in IngressRoute + allowExternalNameServices: false ++ # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik ++ # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] + # - "default" + + kubernetesIngress: ++ # -- Load Kubernetes IngressRoute provider + enabled: true ++ # -- Allows to reference ExternalName services in Ingress + allowExternalNameServices: false ++ # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik ++ # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] + # - "default" + # IP used for Kubernetes Ingress endpoints +@@ -212,13 +217,13 @@ providers: + # pathOverride: "" + + # +-# Add volumes to the traefik pod. The volume name will be passed to tpl. ++# -- Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. + # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +-# additionalArguments: ++# `additionalArguments: + # - "--providers.file.filename=/config/dynamic.toml" + # - "--ping" +-# - "--ping.entrypoint=web" ++# - "--ping.entrypoint=web"` + volumes: [] + # - name: public-cert + # mountPath: "/certs" +@@ -227,25 +232,22 @@ volumes: [] + # mountPath: "/config" + # type: configMap + +-# Additional volumeMounts to add to the Traefik container ++# -- Additional volumeMounts to add to the Traefik container + additionalVolumeMounts: [] +- # For instance when using a logshipper for access logs ++ # -- For instance when using a logshipper for access logs + # - name: traefik-logs + # mountPath: /var/log/traefik + +-## Logs +-## https://docs.traefik.io/observability/logs/ + logs: +- ## Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). + general: +- # By default, the logs use a text format (common), but you can ++ # -- By default, the logs use a text format (common), but you can + # also ask for the json format in the format option + # format: json + # By default, the level is set to ERROR. +- # Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. ++ # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: ERROR + access: +- # To enable access logs ++ # -- To enable access logs + enabled: false + ## By default, logs are written using the Common Log Format (CLF) on stdout. + ## To write logs in JSON, use json in the format option. +@@ -256,21 +258,24 @@ logs: + ## This option represents the number of log lines Traefik will keep in memory before writing + ## them to the selected output. In some cases, this option can greatly help performances. + # bufferingSize: 100 +- ## Filtering https://docs.traefik.io/observability/access-logs/#filtering ++ ## Filtering ++ # -- https://docs.traefik.io/observability/access-logs/#filtering + filters: {} + # statuscodes: "200,300-302" + # retryattempts: true + # minduration: 10ms +- ## Fields +- ## https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers + fields: + general: ++ # -- Available modes: keep, drop, redact. + defaultmode: keep ++ # -- Names of the fields to limit. + names: {} + ## Examples: + # ClientUsername: drop + headers: ++ # -- Available modes: keep, drop, redact. + defaultmode: drop ++ # -- Names of the headers to limit. + names: {} + ## Examples: + # User-Agent: redact +@@ -278,10 +283,10 @@ logs: + # Content-Type: keep + + metrics: +- ## Prometheus is enabled by default. +- ## It can be disabled by setting "prometheus: null" ++ ## -- Prometheus is enabled by default. ++ ## -- It can be disabled by setting "prometheus: null" + prometheus: +- ## Entry point used to expose metrics. ++ # -- Entry point used to expose metrics. + entryPoint: metrics + ## Enable metrics on entry points. Default=true + # addEntryPointsLabels: false +@@ -404,11 +409,9 @@ metrics: + # ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. + # grpc: true + +-## +-## enable optional CRDs for Prometheus Operator ++## -- enable optional CRDs for Prometheus Operator + ## + ## Create a dedicated metrics service for use with ServiceMonitor +- ## When hub.enabled is set to true, it's not needed: it will use hub service. + # service: + # enabled: false + # labels: {} +@@ -455,6 +458,8 @@ metrics: + # summary: "Traefik Down" + # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" + ++## Tracing ++# -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: {} + # instana: + # localAgentHost: 127.0.0.1 +@@ -497,20 +502,21 @@ tracing: {} + # secretToken: "" + # serviceEnvironment: "" + ++# -- Global command arguments to be passed to all traefik's pods + globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" + + # + # Configure Traefik static configuration +-# Additional arguments to be passed at Traefik's binary ++# -- Additional arguments to be passed at Traefik's binary + # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ + ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` + additionalArguments: [] + # - "--providers.kubernetesingress.ingressclass=traefik-internal" + # - "--log.level=DEBUG" + +-# Environment variables to be passed to Traefik's binary ++# -- Environment variables to be passed to Traefik's binary + env: [] + # - name: SOME_VAR + # value: some-var-value +@@ -525,22 +531,20 @@ env: [] + # name: secret-name + # key: secret-key + ++# -- Environment variables to be passed to Traefik's binary from configMaps or secrets + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + +-# Configure ports + ports: +- # The name of this one can't be changed as it is used for the readiness and +- # liveness probes, but you can adjust its config to your liking + traefik: + port: 9000 +- # Use hostPort if set. ++ # -- Use hostPort if set. + # hostPort: 9000 + # +- # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which ++ # -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. You may want + # to set this value if you need traefik to listen on specific interface + # only. +@@ -558,27 +562,27 @@ ports: + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +- # You SHOULD NOT expose the traefik port on production deployments. ++ # -- You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false +- # The exposed port for this service ++ # -- The exposed port for this service + exposedPort: 9000 +- # The port protocol (TCP/UDP) ++ # -- The port protocol (TCP/UDP) + protocol: TCP + web: +- ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 + # containerPort: 8000 + expose: true + exposedPort: 80 +- ## Different target traefik port on the cluster, useful for IP type LB ++ ## -- Different target traefik port on the cluster, useful for IP type LB + # targetPort: 80 + # The port protocol (TCP/UDP) + protocol: TCP +- # Use nodeport if set. This is useful if you have configured Traefik in a ++ # -- Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer. + # nodePort: 32080 + # Port Redirections +@@ -596,20 +600,22 @@ ports: + # trustedIPs: [] + # insecure: false + websecure: +- ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8443 + # hostPort: 8443 + # containerPort: 8443 + expose: true + exposedPort: 443 +- ## Different target traefik port on the cluster, useful for IP type LB ++ ## -- Different target traefik port on the cluster, useful for IP type LB + # targetPort: 80 +- ## The port protocol (TCP/UDP) ++ ## -- The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 ++ ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer. ++ # appProtocol: https + # +- ## Enable HTTP/3 on the entrypoint ++ ## -- Enable HTTP/3 on the entrypoint + ## Enabling it will also enable http3 experimental feature + ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 + ## There are known limitations when trying to listen on same ports for +@@ -619,12 +625,12 @@ ports: + enabled: false + # advertisedPort: 4443 + # +- ## Trust forwarded headers information (X-Forwarded-*). ++ ## -- Trust forwarded headers information (X-Forwarded-*). + #forwardedHeaders: + # trustedIPs: [] + # insecure: false + # +- ## Enable the Proxy Protocol header parsing for the entry point ++ ## -- Enable the Proxy Protocol header parsing for the entry point + #proxyProtocol: + # trustedIPs: [] + # insecure: false +@@ -642,33 +648,33 @@ ports: + # - foo.example.com + # - bar.example.com + # +- # One can apply Middlewares on an entrypoint ++ # -- One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares +- # /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ ++ # -- /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ + # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace + # middlewares: + # - namespace-name1@kubernetescrd + # - namespace-name2@kubernetescrd + middlewares: [] + metrics: +- # When using hostNetwork, use another port to avoid conflict with node exporter: ++ # -- When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 + # hostPort: 9100 + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +- # You may not want to expose the metrics port on production deployments. ++ # -- You may not want to expose the metrics port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false +- # The exposed port for this service ++ # -- The exposed port for this service + exposedPort: 9100 +- # The port protocol (TCP/UDP) ++ # -- The port protocol (TCP/UDP) + protocol: TCP + +-# TLS Options are created as TLSOption CRDs ++# -- TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options + # When using `labelSelector`, you'll need to set labels on tlsOption accordingly. + # Example: +@@ -684,7 +690,7 @@ ports: + # - CurveP384 + tlsOptions: {} + +-# TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate ++# -- TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate + # https://doc.traefik.io/traefik/https/tls/#default-certificate + # Example: + # tlsStore: +@@ -693,24 +699,22 @@ tlsOptions: {} + # secretName: tls-cert + tlsStore: {} + +-# Options for the main traefik service, where the entrypoints traffic comes +-# from. + service: + enabled: true +- ## Single service is using `MixedProtocolLBService` feature gate. +- ## When set to false, it will create two Service, one for TCP and one for UDP. ++ ## -- Single service is using `MixedProtocolLBService` feature gate. ++ ## -- When set to false, it will create two Service, one for TCP and one for UDP. + single: true + type: LoadBalancer +- # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) ++ # -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} +- # Additional annotations for TCP service only ++ # -- Additional annotations for TCP service only + annotationsTCP: {} +- # Additional annotations for UDP service only ++ # -- Additional annotations for UDP service only + annotationsUDP: {} +- # Additional service labels (e.g. for filtering Service by custom labels) ++ # -- Additional service labels (e.g. for filtering Service by custom labels) + labels: {} +- # Additional entries here will be added to the service spec. +- # Cannot contain type, selector or ports entries. ++ # -- Additional entries here will be added to the service spec. ++ # -- Cannot contain type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" +@@ -718,6 +722,8 @@ service: + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 ++ ## -- Class of the load balancer implementation ++ # loadBalancerClass: service.k8s.aws/nlb + externalIPs: [] + # - 1.2.3.4 + ## One of SingleStack, PreferDualStack, or RequireDualStack. +@@ -728,7 +734,7 @@ service: + # - IPv4 + # - IPv6 + ## +- ## An additionnal and optional internal Service. ++ ## -- An additionnal and optional internal Service. + ## Same parameters as external Service + # internal: + # type: ClusterIP +@@ -739,9 +745,8 @@ service: + # # externalIPs: [] + # # ipFamilies: [ "IPv4","IPv6" ] + +-## Create HorizontalPodAutoscaler object. +-## + autoscaling: ++ # -- Create HorizontalPodAutoscaler object. + enabled: false + # minReplicas: 1 + # maxReplicas: 10 +@@ -766,10 +771,10 @@ autoscaling: + # value: 1 + # periodSeconds: 60 + +-# Enable persistence using Persistent Volume Claims +-# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +-# It can be used to store TLS certificates, see `storage` in certResolvers + persistence: ++ # -- Enable persistence using Persistent Volume Claims ++ # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ++ # It can be used to store TLS certificates, see `storage` in certResolvers + enabled: false + name: data + # existingClaim: "" +@@ -779,8 +784,10 @@ persistence: + # volumeName: "" + path: /data + annotations: {} +- # subPath: "" # only mount a subpath of the Volume into the pod ++ # -- Only mount a subpath of the Volume into the pod ++ # subPath: "" + ++# -- Certificates resolvers configuration + certResolvers: {} + # letsencrypt: + # # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ +@@ -802,13 +809,13 @@ certResolvers: {} + # # It has to match the path with a persistent volume + # storage: /data/acme.json + +-# If hostNetwork is true, runs traefik in the host network namespace ++# -- If hostNetwork is true, runs traefik in the host network namespace + # To prevent unschedulabel pods due to port collisions, if hostNetwork=true + # and replicas>1, a pod anti-affinity is recommended and will be set if the + # affinity is left as default. + hostNetwork: false + +-# Whether Role Based Access Control objects like roles and rolebindings should be created ++# -- Whether Role Based Access Control objects like roles and rolebindings should be created + rbac: + enabled: true + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. +@@ -818,19 +825,20 @@ rbac: + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + # aggregateTo: [ "admin" ] + +-# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding ++# -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding + podSecurityPolicy: + enabled: false + +-# The service account the pods will use to interact with the Kubernetes API ++# -- The service account the pods will use to interact with the Kubernetes API + serviceAccount: + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template + name: "" + +-# Additional serviceAccount annotations (e.g. for oidc authentication) ++# -- Additional serviceAccount annotations (e.g. for oidc authentication) + serviceAccountAnnotations: {} + ++# -- The resources parameter defines CPU and memory requirements and limits for Traefik's containers. + resources: {} + # requests: + # cpu: "100m" +@@ -839,8 +847,8 @@ resources: {} + # cpu: "300m" + # memory: "150Mi" + +-# This example pod anti-affinity forces the scheduler to put traefik pods +-# on nodes where no other traefik pods are scheduled. ++# -- This example pod anti-affinity forces the scheduler to put traefik pods ++# -- on nodes where no other traefik pods are scheduled. + # It should be used when hostNetwork: true to prevent port conflicts + affinity: {} + # podAntiAffinity: +@@ -851,11 +859,15 @@ affinity: {} + # app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' + # topologyKey: kubernetes.io/hostname + ++# -- nodeSelector is the simplest recommended form of node selection constraint. + nodeSelector: {} ++# -- Tolerations allow the scheduler to schedule pods with matching taints. + tolerations: [] ++# -- You can use topology spread constraints to control ++# how Pods are spread across your cluster among failure-domains. + topologySpreadConstraints: [] +-# # This example topologySpreadConstraints forces the scheduler to put traefik pods +-# # on nodes where no other traefik pods are scheduled. ++# This example topologySpreadConstraints forces the scheduler to put traefik pods ++# on nodes where no other traefik pods are scheduled. + # - labelSelector: + # matchLabels: + # app: '{{ template "traefik.name" . }}' +@@ -863,29 +875,33 @@ topologySpreadConstraints: [] + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + +-# Pods can have priority. +-# Priority indicates the importance of a Pod relative to other Pods. ++# -- Pods can have priority. ++# -- Priority indicates the importance of a Pod relative to other Pods. + priorityClassName: "" + +-# Set the container security context +-# To run the container with ports below 1024 this will need to be adjust to run as root ++# -- Set the container security context ++# -- To run the container with ports below 1024 this will need to be adjust to run as root + securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + + podSecurityContext: +-# # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and +-# # permissions for the contents of each volume to match the fsGroup. This can +-# # be an issue when storing sensitive content like TLS Certificates /!\ +-# fsGroup: 65532 ++ # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and ++ # permissions for the contents of each volume to match the fsGroup. This can ++ # be an issue when storing sensitive content like TLS Certificates /!\ ++ # fsGroup: 65532 ++ # -- Specifies the policy for changing ownership and permissions of volume contents to match the fsGroup. + fsGroupChangePolicy: "OnRootMismatch" ++ # -- The ID of the group for all containers in the pod to run as. + runAsGroup: 65532 ++ # -- Specifies whether the containers should run as a non-root user. + runAsNonRoot: true ++ # -- The ID of the user for all containers in the pod to run as. + runAsUser: 65532 + + # +-# Extra objects to deploy (value evaluated as a template) ++# -- Extra objects to deploy (value evaluated as a template) + # + # In some cases, it can avoid the need for additional, extended or adhoc deployments. + # See #595 for more details and traefik/tests/values/extra.yaml for example. +@@ -895,5 +911,5 @@ extraObjects: [] + # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` + # namespaceOverride: traefik + # +-## This will override the default app.kubernetes.io/instance label for all Objects. ++## -- This will override the default app.kubernetes.io/instance label for all Objects. + # instanceLabelOverride: traefik +``` + +## 23.0.1 ![AppVersion: v2.10.1](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.1&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-04-28 + +* fix: ⬆️ Upgrade traefik Docker tag to v2.10.1 + + +## 23.0.0 ![AppVersion: v2.10.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-04-26 + +* BREAKING CHANGE: Traefik 2.10 comes with CRDs update on API Group + + +## 22.3.0 ![AppVersion: v2.10.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-04-25 + +* ⬆️ Upgrade traefik Docker tag to v2.10.0 +* fix: 🐛 update rbac for both traefik.io and containo.us apigroups (#836) +* breaking: 💥 update CRDs needed for Traefik v2.10 + + +## 22.2.0 ![AppVersion: v2.9.10](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.10&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-04-24 + +* test: 👷 Update unit tests tooling +* fix: 🐛 annotations leaking between aliased subcharts +* fix: indentation on `TLSOption` +* feat: override container port +* feat: allow to set dnsConfig on pod template +* chore: 🔧 new release +* added targetPort support + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9ece303..71273cc 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -82,6 +82,16 @@ deployment: + shareProcessNamespace: false + # Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet ++ dnsConfig: {} ++ # nameservers: ++ # - 192.0.2.1 # this is an example ++ # searches: ++ # - ns1.svc.cluster-domain.example ++ # - my.dns.search.suffix ++ # options: ++ # - name: ndots ++ # value: "2" ++ # - name: edns0 + # Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName +@@ -561,8 +571,11 @@ ports: + # asDefault: true + port: 8000 + # hostPort: 8000 ++ # containerPort: 8000 + expose: true + exposedPort: 80 ++ ## Different target traefik port on the cluster, useful for IP type LB ++ # targetPort: 80 + # The port protocol (TCP/UDP) + protocol: TCP + # Use nodeport if set. This is useful if you have configured Traefik in a +@@ -587,8 +600,11 @@ ports: + # asDefault: true + port: 8443 + # hostPort: 8443 ++ # containerPort: 8443 + expose: true + exposedPort: 443 ++ ## Different target traefik port on the cluster, useful for IP type LB ++ # targetPort: 80 + ## The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 +``` + +## 22.1.0 ![AppVersion: v2.9.10](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.10&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-04-07 + +* ⬆️ Upgrade traefik Docker tag to v2.9.10 +* feat: add additional labels to tlsoption + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4762b77..9ece303 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -654,12 +654,15 @@ ports: + + # TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options ++# When using `labelSelector`, you'll need to set labels on tlsOption accordingly. + # Example: + # tlsOptions: + # default: ++# labels: {} + # sniStrict: true + # preferServerCipherSuites: true +-# foobar: ++# customOptions: ++# labels: {} + # curvePreferences: + # - CurveP521 + # - CurveP384 +``` + +## 22.0.0 ![AppVersion: v2.9.9](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.9&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-03-29 + +* BREAKING CHANGE: `image.repository` introduction may break during the upgrade. See PR #802. + + +## 21.2.1 ![AppVersion: v2.9.9](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.9&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-03-28 + +* 🎨 Introduce `image.registry` and add explicit default (it may impact custom `image.repository`) +* ⬆️ Upgrade traefik Docker tag to v2.9.9 +* :memo: Clarify the need of an initContainer when enabling persistence for TLS Certificates + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index cadc7a6..4762b77 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,5 +1,6 @@ + # Default values for Traefik + image: ++ registry: docker.io + repository: traefik + # defaults to appVersion + tag: "" +@@ -66,10 +67,14 @@ deployment: + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. +- # Related issue: https://github.com/traefik/traefik/issues/6825 ++ # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 + # - name: volume-permissions +- # image: busybox:1.35 +- # command: ["sh", "-c", "touch /data/acme.json && chmod -Rv 600 /data/* && chown 65532:65532 /data/acme.json"] ++ # image: busybox:latest ++ # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] ++ # securityContext: ++ # runAsNonRoot: true ++ # runAsGroup: 65532 ++ # runAsUser: 65532 + # volumeMounts: + # - name: data + # mountPath: /data +@@ -849,13 +854,17 @@ securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true ++ ++podSecurityContext: ++# # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and ++# # permissions for the contents of each volume to match the fsGroup. This can ++# # be an issue when storing sensitive content like TLS Certificates /!\ ++# fsGroup: 65532 ++ fsGroupChangePolicy: "OnRootMismatch" + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + +-podSecurityContext: +- fsGroup: 65532 +- + # + # Extra objects to deploy (value evaluated as a template) + # +``` + +## 21.2.0 ![AppVersion: v2.9.8](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.8&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-03-08 + +* 🚨 Fail when enabling PSP on Kubernetes v1.25+ (#801) +* ⬆️ Upgrade traefik Docker tag to v2.9.8 +* Separate UDP hostPort for HTTP/3 +* :sparkles: release 21.2.0 (#805) + + +## 21.1.0 ![AppVersion: v2.9.7](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.7&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-02-15 + +* ⬆️ Upgrade traefik Docker tag to v2.9.7 +* ✨ release 21.1.0 +* fix: traefik image name for renovate +* feat: Add volumeName to PersistentVolumeClaim (#792) +* Allow setting TLS options on dashboard IngressRoute + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 780b04b..cadc7a6 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -142,6 +142,8 @@ ingressRoute: + entryPoints: ["traefik"] + # Additional ingressRoute middlewares (e.g. for authentication) + middlewares: [] ++ # TLS options (e.g. secret containing certificate) ++ tls: {} + + # Customize updateStrategy of traefik pods + updateStrategy: +@@ -750,6 +752,7 @@ persistence: + accessMode: ReadWriteOnce + size: 128Mi + # storageClass: "" ++ # volumeName: "" + path: /data + annotations: {} + # subPath: "" # only mount a subpath of the Volume into the pod +``` + +## 21.0.0 ![AppVersion: v2.9.6](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.6&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-02-10 + +* 🙈 Add a setting disable API check on Prometheus Operator (#769) +* 📝 Improve documentation on entrypoint options +* 💥 New release with BREAKING changes (#786) +* ✨ Chart.yaml - add kubeVersion: ">=1.16.0-0" +* fix: allowExternalNameServices for kubernetes ingress when hub enabled (#772) +* fix(service-metrics): invert prometheus svc & fullname length checking +* Configure Renovate (#783) +* :necktie: Improve labels settings behavior on metrics providers (#774) +* :bug: Disabling dashboard ingressroute should delete it (#785) +* :boom: Rename image.name => image.repository (#784) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 42a27f9..780b04b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,6 +1,6 @@ + # Default values for Traefik + image: +- name: traefik ++ repository: traefik + # defaults to appVersion + tag: "" + pullPolicy: IfNotPresent +@@ -396,6 +396,8 @@ metrics: + # enabled: false + # labels: {} + # annotations: {} ++ ## When set to true, it won't check if Prometheus Operator CRDs are deployed ++ # disableAPICheck: false + # serviceMonitor: + # metricRelabelings: [] + # - sourceLabels: [__name__] +@@ -580,7 +582,7 @@ ports: + # hostPort: 8443 + expose: true + exposedPort: 443 +- # The port protocol (TCP/UDP) ++ ## The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 + # +@@ -594,6 +596,16 @@ ports: + enabled: false + # advertisedPort: 4443 + # ++ ## Trust forwarded headers information (X-Forwarded-*). ++ #forwardedHeaders: ++ # trustedIPs: [] ++ # insecure: false ++ # ++ ## Enable the Proxy Protocol header parsing for the entry point ++ #proxyProtocol: ++ # trustedIPs: [] ++ # insecure: false ++ # + ## Set TLS at the entrypoint + ## https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: +@@ -607,16 +619,6 @@ ports: + # - foo.example.com + # - bar.example.com + # +- # Trust forwarded headers information (X-Forwarded-*). +- # forwardedHeaders: +- # trustedIPs: [] +- # insecure: false +- # +- # Enable the Proxy Protocol header parsing for the entry point +- # proxyProtocol: +- # trustedIPs: [] +- # insecure: false +- # + # One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares +``` + +## 20.8.0 ![AppVersion: v2.9.6](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-12-09 + +* ✨ update chart to version 20.8.0 +* ✨ add support for default entrypoints +* ✨ add support for OpenTelemetry and Traefik v3 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b77539d..42a27f9 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -107,6 +107,8 @@ ingressClass: + + # Enable experimental features + experimental: ++ v3: ++ enabled: false + plugins: + enabled: false + kubernetesGateway: +@@ -347,7 +349,43 @@ metrics: + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false +- ++# openTelemetry: ++# ## Address of the OpenTelemetry Collector to send metrics to. ++# address: "localhost:4318" ++# ## Enable metrics on entry points. ++# addEntryPointsLabels: true ++# ## Enable metrics on routers. ++# addRoutersLabels: true ++# ## Enable metrics on services. ++# addServicesLabels: true ++# ## Explicit boundaries for Histogram data points. ++# explicitBoundaries: ++# - "0.1" ++# - "0.3" ++# - "1.2" ++# - "5.0" ++# ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. ++# headers: ++# foo: bar ++# test: test ++# ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. ++# insecure: true ++# ## Interval at which metrics are sent to the OpenTelemetry Collector. ++# pushInterval: 10s ++# ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. ++# path: /foo/v1/traces ++# ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++# tls: ++# ## The path to the certificate authority, it defaults to the system bundle. ++# ca: path/to/ca.crt ++# ## The path to the public certificate. When using this option, setting the key option is required. ++# cert: path/to/foo.cert ++# ## The path to the private key. When using this option, setting the cert option is required. ++# key: path/to/key.key ++# ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++# insecureSkipVerify: true ++# ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. ++# grpc: true + + ## + ## enable optional CRDs for Prometheus Operator +@@ -510,6 +548,8 @@ ports: + # The port protocol (TCP/UDP) + protocol: TCP + web: ++ ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ # asDefault: true + port: 8000 + # hostPort: 8000 + expose: true +@@ -534,6 +574,8 @@ ports: + # trustedIPs: [] + # insecure: false + websecure: ++ ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ # asDefault: true + port: 8443 + # hostPort: 8443 + expose: true +``` + +## 20.7.0 ![AppVersion: v2.9.6](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-12-08 + +* 🐛 Don't fail when prometheus is disabled (#756) +* ⬆️ Update default Traefik release to v2.9.6 (#758) +* ✨ support for Gateway annotations +* add keywords [networking], for artifacthub category quering +* :bug: Fix typo on bufferingSize for access logs (#753) +* :adhesive_bandage: Add quotes for artifacthub changelog parsing (#748) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4f2fb2a..b77539d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -120,6 +120,9 @@ experimental: + # By default, Gateway would be created to the Namespace you are deploying Traefik to. + # You may create that Gateway in another namespace, setting its name below: + # namespace: default ++ # Additional gateway annotations (e.g. for cert-manager.io/issuer) ++ # annotations: ++ # cert-manager.io/issuer: letsencrypt + + # Create an IngressRoute for the dashboard + ingressRoute: +@@ -219,7 +222,8 @@ logs: + # By default, the logs use a text format (common), but you can + # also ask for the json format in the format option + # format: json +- # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. ++ # By default, the level is set to ERROR. ++ # Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: ERROR + access: + # To enable access logs +``` + +## 20.6.0 ![AppVersion: v2.9.5](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-30 + +* 🔍️ Add filePath support on access logs (#747) +* :memo: Improve documentation on using PVC with TLS certificates +* :bug: Add missing scheme in help on Traefik Hub integration (#746) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 15f1682..4f2fb2a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -211,10 +211,10 @@ additionalVolumeMounts: [] + # - name: traefik-logs + # mountPath: /var/log/traefik + +-# Logs +-# https://docs.traefik.io/observability/logs/ ++## Logs ++## https://docs.traefik.io/observability/logs/ + logs: +- # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). ++ ## Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). + general: + # By default, the logs use a text format (common), but you can + # also ask for the json format in the format option +@@ -224,31 +224,32 @@ logs: + access: + # To enable access logs + enabled: false +- # By default, logs are written using the Common Log Format (CLF). +- # To write logs in JSON, use json in the format option. +- # If the given format is unsupported, the default (CLF) is used instead. ++ ## By default, logs are written using the Common Log Format (CLF) on stdout. ++ ## To write logs in JSON, use json in the format option. ++ ## If the given format is unsupported, the default (CLF) is used instead. + # format: json +- # To write the logs in an asynchronous fashion, specify a bufferingSize option. +- # This option represents the number of log lines Traefik will keep in memory before writing +- # them to the selected output. In some cases, this option can greatly help performances. ++ # filePath: "/var/log/traefik/access.log ++ ## To write the logs in an asynchronous fashion, specify a bufferingSize option. ++ ## This option represents the number of log lines Traefik will keep in memory before writing ++ ## them to the selected output. In some cases, this option can greatly help performances. + # bufferingSize: 100 +- # Filtering https://docs.traefik.io/observability/access-logs/#filtering ++ ## Filtering https://docs.traefik.io/observability/access-logs/#filtering + filters: {} + # statuscodes: "200,300-302" + # retryattempts: true + # minduration: 10ms +- # Fields +- # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers ++ ## Fields ++ ## https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers + fields: + general: + defaultmode: keep + names: {} +- # Examples: ++ ## Examples: + # ClientUsername: drop + headers: + defaultmode: drop + names: {} +- # Examples: ++ ## Examples: + # User-Agent: redact + # Authorization: drop + # Content-Type: keep +@@ -693,10 +694,7 @@ autoscaling: + + # Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +-# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +-# additionalArguments: +-# - "--certificatesresolvers.le.acme.storage=/data/acme.json" +-# It will persist TLS certificates. ++# It can be used to store TLS certificates, see `storage` in certResolvers + persistence: + enabled: false + name: data +@@ -726,7 +724,7 @@ certResolvers: {} + # tlsChallenge: true + # httpChallenge: + # entryPoint: "web" +-# # match the path to persistence ++# # It has to match the path with a persistent volume + # storage: /data/acme.json + + # If hostNetwork is true, runs traefik in the host network namespace +``` + +## 20.5.3 ![AppVersion: v2.9.5](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-25 + +* 🐛 Fix template issue with obsolete helm version + add helm version requirement (#743) + + +## 20.5.2 ![AppVersion: v2.9.5](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-24 + +* ⬆️Update Traefik to v2.9.5 (#740) + + +## 20.5.1 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-23 + +* 🐛 Fix namespaceSelector on ServiceMonitor (#737) + + +## 20.5.0 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-23 + +* 🚀 Add complete support on metrics options (#735) +* 🐛 make tests use fixed version + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e49d02d..15f1682 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -12,7 +12,7 @@ hub: + ## Enabling Hub will: + # * enable Traefik Hub integration on Traefik + # * add `traefikhub-tunl` endpoint +- # * enable addRoutersLabels on prometheus metrics ++ # * enable Prometheus metrics with addRoutersLabels + # * enable allowExternalNameServices on KubernetesIngress provider + # * enable allowCrossNamespace on KubernetesCRD provider + # * add an internal (ClusterIP) Service, dedicated for Traefik Hub +@@ -254,16 +254,96 @@ logs: + # Content-Type: keep + + metrics: +- # datadog: +- # address: 127.0.0.1:8125 +- # influxdb: +- # address: localhost:8089 +- # protocol: udp ++ ## Prometheus is enabled by default. ++ ## It can be disabled by setting "prometheus: null" + prometheus: ++ ## Entry point used to expose metrics. + entryPoint: metrics +- # addRoutersLabels: true +- # statsd: +- # address: localhost:8125 ++ ## Enable metrics on entry points. Default=true ++ # addEntryPointsLabels: false ++ ## Enable metrics on routers. Default=false ++ # addRoutersLabels: true ++ ## Enable metrics on services. Default=true ++ # addServicesLabels: false ++ ## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0" ++ # buckets: "0.5,1.0,2.5" ++ ## When manualRouting is true, it disables the default internal router in ++ ## order to allow creating a custom router for prometheus@internal service. ++ # manualRouting: true ++# datadog: ++# ## Address instructs exporter to send metrics to datadog-agent at this address. ++# address: "127.0.0.1:8125" ++# ## The interval used by the exporter to push metrics to datadog-agent. Default=10s ++# # pushInterval: 30s ++# ## The prefix to use for metrics collection. Default="traefik" ++# # prefix: traefik ++# ## Enable metrics on entry points. Default=true ++# # addEntryPointsLabels: false ++# ## Enable metrics on routers. Default=false ++# # addRoutersLabels: true ++# ## Enable metrics on services. Default=true ++# # addServicesLabels: false ++# influxdb: ++# ## Address instructs exporter to send metrics to influxdb at this address. ++# address: localhost:8089 ++# ## InfluxDB's address protocol (udp or http). Default="udp" ++# protocol: udp ++# ## InfluxDB database used when protocol is http. Default="" ++# # database: "" ++# ## InfluxDB retention policy used when protocol is http. Default="" ++# # retentionPolicy: "" ++# ## InfluxDB username (only with http). Default="" ++# # username: "" ++# ## InfluxDB password (only with http). Default="" ++# # password: "" ++# ## The interval used by the exporter to push metrics to influxdb. Default=10s ++# # pushInterval: 30s ++# ## Additional labels (influxdb tags) on all metrics. ++# # additionalLabels: ++# # env: production ++# # foo: bar ++# ## Enable metrics on entry points. Default=true ++# # addEntryPointsLabels: false ++# ## Enable metrics on routers. Default=false ++# # addRoutersLabels: true ++# ## Enable metrics on services. Default=true ++# # addServicesLabels: false ++# influxdb2: ++# ## Address instructs exporter to send metrics to influxdb v2 at this address. ++# address: localhost:8086 ++# ## Token with which to connect to InfluxDB v2. ++# token: xxx ++# ## Organisation where metrics will be stored. ++# org: "" ++# ## Bucket where metrics will be stored. ++# bucket: "" ++# ## The interval used by the exporter to push metrics to influxdb. Default=10s ++# # pushInterval: 30s ++# ## Additional labels (influxdb tags) on all metrics. ++# # additionalLabels: ++# # env: production ++# # foo: bar ++# ## Enable metrics on entry points. Default=true ++# # addEntryPointsLabels: false ++# ## Enable metrics on routers. Default=false ++# # addRoutersLabels: true ++# ## Enable metrics on services. Default=true ++# # addServicesLabels: false ++# statsd: ++# ## Address instructs exporter to send metrics to statsd at this address. ++# address: localhost:8125 ++# ## The interval used by the exporter to push metrics to influxdb. Default=10s ++# # pushInterval: 30s ++# ## The prefix to use for metrics collection. Default="traefik" ++# # prefix: traefik ++# ## Enable metrics on entry points. Default=true ++# # addEntryPointsLabels: false ++# ## Enable metrics on routers. Default=false ++# # addRoutersLabels: true ++# ## Enable metrics on services. Default=true ++# # addServicesLabels: false ++ ++ + ## + ## enable optional CRDs for Prometheus Operator + ## +``` + +## 20.4.1 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-21 + +* 🐛 fix namespace references to support namespaceOverride + + +## 20.4.0 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-21 + +* Add (optional) dedicated metrics service (#727) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ca15f6a..e49d02d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -267,6 +267,12 @@ metrics: + ## + ## enable optional CRDs for Prometheus Operator + ## ++ ## Create a dedicated metrics service for use with ServiceMonitor ++ ## When hub.enabled is set to true, it's not needed: it will use hub service. ++ # service: ++ # enabled: false ++ # labels: {} ++ # annotations: {} + # serviceMonitor: + # metricRelabelings: [] + # - sourceLabels: [__name__] +``` + +## 20.3.1 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-21 + +* 🐛 Fix namespace override which was missing on `ServiceAccount` (#731) + + +## 20.3.0 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-17 + +* Add overwrite option for instance label value (#725) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c7f84a7..ca15f6a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -731,3 +731,6 @@ extraObjects: [] + # This will override the default Release Namespace for Helm. + # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` + # namespaceOverride: traefik ++# ++## This will override the default app.kubernetes.io/instance label for all Objects. ++# instanceLabelOverride: traefik +``` + +## 20.2.1 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-17 + +* 🙈 do not namespace ingress class (#723) +* ✨ copy LICENSE and README.md on release + + +## 20.2.0 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-15 + +* ✨ add support for namespace overrides (#718) +* Document recent changes in the README (#717) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 97a1b71..c7f84a7 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -725,5 +725,9 @@ podSecurityContext: + # Extra objects to deploy (value evaluated as a template) + # + # In some cases, it can avoid the need for additional, extended or adhoc deployments. +-# See #595 for more details and traefik/tests/extra.yaml for example. ++# See #595 for more details and traefik/tests/values/extra.yaml for example. + extraObjects: [] ++ ++# This will override the default Release Namespace for Helm. ++# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` ++# namespaceOverride: traefik +``` + +## 20.1.1 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-10 + +* fix: use consistent appVersion with Traefik Proxy + + +## 20.1.0 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-09 + +* 🔧 Adds more settings for dashboard ingressRoute (#710) +* 🐛 fix chart releases + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2ec3736..97a1b71 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -129,10 +129,14 @@ ingressRoute: + annotations: {} + # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} ++ # The router match rule used for the dashboard ingressRoute ++ matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. + # /!\ Do not expose your dashboard without any protection over the internet /!\ + entryPoints: ["traefik"] ++ # Additional ingressRoute middlewares (e.g. for authentication) ++ middlewares: [] + + # Customize updateStrategy of traefik pods + updateStrategy: +``` + +## 20.0.0 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-08 + +* 🐛 remove old deployment workflow +* ✨ migrate to centralised helm repository +* Allow updateStrategy to be configurable + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 413aa88..2ec3736 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -134,9 +134,12 @@ ingressRoute: + # /!\ Do not expose your dashboard without any protection over the internet /!\ + entryPoints: ["traefik"] + +-rollingUpdate: +- maxUnavailable: 0 +- maxSurge: 1 ++# Customize updateStrategy of traefik pods ++updateStrategy: ++ type: RollingUpdate ++ rollingUpdate: ++ maxUnavailable: 0 ++ maxSurge: 1 + + # Customize liveness and readiness probe values. + readinessProbe: +``` + +## 19.0.4 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-08 + +* 🔧 Adds more settings & rename (wrong) scrapeInterval to (valid) interval on ServiceMonitor (#703) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b24c1cb..413aa88 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -261,10 +261,6 @@ metrics: + ## enable optional CRDs for Prometheus Operator + ## + # serviceMonitor: +- # additionalLabels: +- # foo: bar +- # namespace: "another-namespace" +- # namespaceSelector: {} + # metricRelabelings: [] + # - sourceLabels: [__name__] + # separator: ; +@@ -279,9 +275,17 @@ metrics: + # replacement: $1 + # action: replace + # jobLabel: traefik +- # scrapeInterval: 30s +- # scrapeTimeout: 5s ++ # interval: 30s + # honorLabels: true ++ # # (Optional) ++ # # scrapeTimeout: 5s ++ # # honorTimestamps: true ++ # # enableHttp2: true ++ # # followRedirects: true ++ # # additionalLabels: ++ # # foo: bar ++ # # namespace: "another-namespace" ++ # # namespaceSelector: {} + # prometheusRule: + # additionalLabels: {} + # namespace: "another-namespace" +``` + +## 19.0.3 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-03 + +* 🎨 Don't require exposed Ports when enabling Hub (#700) + + +## 19.0.2 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-03 + +* :speech_balloon: Support volume secrets with '.' in name (#695) + + +## 19.0.1 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-03 + +* 🐛 Fix IngressClass install on EKS (#699) + + +## 19.0.0 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-02 + +* ✨ Provides Default IngressClass for Traefik by default (#693) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 69190f1..b24c1cb 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -100,11 +100,10 @@ podDisruptionBudget: + # minAvailable: 0 + # minAvailable: 25% + +-# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x ++# Create a default IngressClass for Traefik + ingressClass: +- # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 +- enabled: false +- isDefaultClass: false ++ enabled: true ++ isDefaultClass: true + + # Enable experimental features + experimental: +``` + +## 18.3.0 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-31 + +* ⬆️ Update Traefik appVersion to 2.9.4 (#696) + + +## 18.2.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-31 + +* 🚩 Add an optional "internal" service (#683) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8033a87..69190f1 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -416,7 +416,7 @@ ports: + # The port protocol (TCP/UDP) + protocol: TCP + # Use nodeport if set. This is useful if you have configured Traefik in a +- # LoadBalancer ++ # LoadBalancer. + # nodePort: 32080 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. +@@ -549,13 +549,24 @@ service: + # - 172.16.0.0/16 + externalIPs: [] + # - 1.2.3.4 +- # One of SingleStack, PreferDualStack, or RequireDualStack. ++ ## One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack +- # List of IP families (e.g. IPv4 and/or IPv6). +- # ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services ++ ## List of IP families (e.g. IPv4 and/or IPv6). ++ ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + # ipFamilies: + # - IPv4 + # - IPv6 ++ ## ++ ## An additionnal and optional internal Service. ++ ## Same parameters as external Service ++ # internal: ++ # type: ClusterIP ++ # # labels: {} ++ # # annotations: {} ++ # # spec: {} ++ # # loadBalancerSourceRanges: [] ++ # # externalIPs: [] ++ # # ipFamilies: [ "IPv4","IPv6" ] + + ## Create HorizontalPodAutoscaler object. + ## +``` + +## 18.1.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-27 + +* 🚀 Add native support for Traefik Hub (#676) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index acce704..8033a87 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -5,6 +5,27 @@ image: + tag: "" + pullPolicy: IfNotPresent + ++# ++# Configure integration with Traefik Hub ++# ++hub: ++ ## Enabling Hub will: ++ # * enable Traefik Hub integration on Traefik ++ # * add `traefikhub-tunl` endpoint ++ # * enable addRoutersLabels on prometheus metrics ++ # * enable allowExternalNameServices on KubernetesIngress provider ++ # * enable allowCrossNamespace on KubernetesCRD provider ++ # * add an internal (ClusterIP) Service, dedicated for Traefik Hub ++ enabled: false ++ ## Default port can be changed ++ # tunnelPort: 9901 ++ ## TLS is optional. Insecure is mutually exclusive with any other options ++ # tls: ++ # insecure: false ++ # ca: "/path/to/ca.pem" ++ # cert: "/path/to/cert.pem" ++ # key: "/path/to/key.pem" ++ + # + # Configure the deployment + # +@@ -505,6 +526,8 @@ tlsStore: {} + # from. + service: + enabled: true ++ ## Single service is using `MixedProtocolLBService` feature gate. ++ ## When set to false, it will create two Service, one for TCP and one for UDP. + single: true + type: LoadBalancer + # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) +``` + +## 18.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-26 + +* Refactor http3 and merge TCP with UDP ports into a single service (#656) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 807bd09..acce704 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -87,8 +87,6 @@ ingressClass: + + # Enable experimental features + experimental: +- http3: +- enabled: false + plugins: + enabled: false + kubernetesGateway: +@@ -421,12 +419,19 @@ ports: + # The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 +- # Enable HTTP/3. +- # Requires enabling experimental http3 feature and tls. +- # Note that you cannot have a UDP entrypoint with the same port. +- # http3: true +- # Set TLS at the entrypoint +- # https://doc.traefik.io/traefik/routing/entrypoints/#tls ++ # ++ ## Enable HTTP/3 on the entrypoint ++ ## Enabling it will also enable http3 experimental feature ++ ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 ++ ## There are known limitations when trying to listen on same ports for ++ ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. ++ ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 ++ http3: ++ enabled: false ++ # advertisedPort: 4443 ++ # ++ ## Set TLS at the entrypoint ++ ## https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: + enabled: true + # this is the name of a TLSOption definition +@@ -500,6 +505,7 @@ tlsStore: {} + # from. + service: + enabled: true ++ single: true + type: LoadBalancer + # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} +``` + +## 17.0.5 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-21 + +* 📝 Add annotations changelog for artifacthub.io & update Maintainers + + +## 17.0.4 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-21 + +* :art: Add helper function for label selector + + +## 17.0.3 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-20 + +* 🐛 fix changing label selectors + + +## 17.0.2 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-20 + +* fix: setting ports.web.proxyProtocol.insecure=true + + +## 17.0.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-20 + +* :bug: Unify all labels selector with traefik chart labels (#681) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 6a90bc6..807bd09 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -639,7 +639,7 @@ affinity: {} + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: '{{ template "traefik.name" . }}' +-# app.kubernetes.io/instance: '{{ .Release.Name }}' ++# app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' + # topologyKey: kubernetes.io/hostname + + nodeSelector: {} +``` + +## 17.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-20 + +* :bug: Fix `ClusterRole`, `ClusterRoleBinding` names and `app.kubernetes.io/instance` label (#662) + + +## 16.2.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-20 + +* Add forwardedHeaders and proxyProtocol config (#673) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9b5afc4..6a90bc6 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -403,6 +403,16 @@ ports: + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection + # redirectTo: websecure ++ # ++ # Trust forwarded headers information (X-Forwarded-*). ++ # forwardedHeaders: ++ # trustedIPs: [] ++ # insecure: false ++ # ++ # Enable the Proxy Protocol header parsing for the entry point ++ # proxyProtocol: ++ # trustedIPs: [] ++ # insecure: false + websecure: + port: 8443 + # hostPort: 8443 +@@ -428,6 +438,16 @@ ports: + # - foo.example.com + # - bar.example.com + # ++ # Trust forwarded headers information (X-Forwarded-*). ++ # forwardedHeaders: ++ # trustedIPs: [] ++ # insecure: false ++ # ++ # Enable the Proxy Protocol header parsing for the entry point ++ # proxyProtocol: ++ # trustedIPs: [] ++ # insecure: false ++ # + # One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares +``` + +## 16.1.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-19 + +* ✨ add optional ServiceMonitor & PrometheusRules CRDs (#425) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7e335b5..9b5afc4 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -237,8 +237,46 @@ metrics: + prometheus: + entryPoint: metrics + # addRoutersLabels: true +- # statsd: +- # address: localhost:8125 ++ # statsd: ++ # address: localhost:8125 ++## ++## enable optional CRDs for Prometheus Operator ++## ++ # serviceMonitor: ++ # additionalLabels: ++ # foo: bar ++ # namespace: "another-namespace" ++ # namespaceSelector: {} ++ # metricRelabelings: [] ++ # - sourceLabels: [__name__] ++ # separator: ; ++ # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ ++ # replacement: $1 ++ # action: drop ++ # relabelings: [] ++ # - sourceLabels: [__meta_kubernetes_pod_node_name] ++ # separator: ; ++ # regex: ^(.*)$ ++ # targetLabel: nodename ++ # replacement: $1 ++ # action: replace ++ # jobLabel: traefik ++ # scrapeInterval: 30s ++ # scrapeTimeout: 5s ++ # honorLabels: true ++ # prometheusRule: ++ # additionalLabels: {} ++ # namespace: "another-namespace" ++ # rules: ++ # - alert: TraefikDown ++ # expr: up{job="traefik"} == 0 ++ # for: 5m ++ # labels: ++ # context: traefik ++ # severity: warning ++ # annotations: ++ # summary: "Traefik Down" ++ # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" + + tracing: {} + # instana: +``` + +## 16.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-19 + +* :fire: Remove `Pilot` and `fallbackApiVersion` (#665) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 03fdaed..7e335b5 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -84,15 +84,6 @@ ingressClass: + # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 + enabled: false + isDefaultClass: false +- # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" +- fallbackApiVersion: "" +- +-# Activate Pilot integration +-pilot: +- enabled: false +- token: "" +- # Toggle Pilot Dashboard +- # dashboard: false + + # Enable experimental features + experimental: +``` + +## 15.3.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-18 + +* :art: Improve `IngressRoute` structure (#674) + + +## 15.3.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-18 + +* 📌 Add capacity to enable User-facing role + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 76aac93..03fdaed 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -553,10 +553,12 @@ hostNetwork: false + # Whether Role Based Access Control objects like roles and rolebindings should be created + rbac: + enabled: true +- + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. + # If set to true, installs Role and RoleBinding. Providers will only watch target namespace. + namespaced: false ++ # Enable user-facing roles ++ # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles ++ # aggregateTo: [ "admin" ] + + # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding + podSecurityPolicy: +``` + +## 15.2.2 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-17 + +* Fix provider namespace changes + + +## 15.2.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-17 + +* 🐛 fix provider namespace changes + + +## 15.2.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-17 + +* :bug: Allow to watch on specific namespaces without using rbac.namespaced (#666) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 781ac15..76aac93 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -555,7 +555,7 @@ rbac: + enabled: true + + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. +- # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace ++ # If set to true, installs Role and RoleBinding. Providers will only watch target namespace. + namespaced: false + + # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding +``` + +## 15.1.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-17 + +* :goal_net: Fail gracefully when http3 is not enabled correctly (#667) + + +## 15.1.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-14 + +* :sparkles: add optional topologySpreadConstraints (#663) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index fc2c371..781ac15 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -593,6 +593,15 @@ affinity: {} + + nodeSelector: {} + tolerations: [] ++topologySpreadConstraints: [] ++# # This example topologySpreadConstraints forces the scheduler to put traefik pods ++# # on nodes where no other traefik pods are scheduled. ++# - labelSelector: ++# matchLabels: ++# app: '{{ template "traefik.name" . }}' ++# maxSkew: 1 ++# topologyKey: kubernetes.io/hostname ++# whenUnsatisfiable: DoNotSchedule + + # Pods can have priority. + # Priority indicates the importance of a Pod relative to other Pods. +``` + +## 15.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-13 + +* :rocket: Enable TLS by default on `websecure` port (#657) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 400a29a..fc2c371 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -389,7 +389,7 @@ ports: + # Set TLS at the entrypoint + # https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: +- enabled: false ++ enabled: true + # this is the name of a TLSOption definition + options: "" + certResolver: "" +``` + +## 14.0.2 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-13 + +* :memo: Add Changelog (#661) + + +## 14.0.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-11 + +* :memo: Update workaround for permissions 660 on acme.json + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a4e4ff2..400a29a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -45,10 +45,10 @@ deployment: + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. +- # Related issue: https://github.com/traefik/traefik/issues/6972 ++ # Related issue: https://github.com/traefik/traefik/issues/6825 + # - name: volume-permissions +- # image: busybox:1.31.1 +- # command: ["sh", "-c", "chmod -Rv 600 /data/*"] ++ # image: busybox:1.35 ++ # command: ["sh", "-c", "touch /data/acme.json && chmod -Rv 600 /data/* && chown 65532:65532 /data/acme.json"] + # volumeMounts: + # - name: data + # mountPath: /data +``` + +## 14.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-11 + +* Limit rbac to only required resources for Ingress and CRD providers + + +## 13.0.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-11 + +* Add helper function for common labels + + +## 13.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-11 + +* Moved list object to individual objects + + +## 12.0.7 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-10 + +* :lipstick: Affinity templating and example (#557) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4431c36..a4e4ff2 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -578,19 +578,19 @@ resources: {} + # limits: + # cpu: "300m" + # memory: "150Mi" ++ ++# This example pod anti-affinity forces the scheduler to put traefik pods ++# on nodes where no other traefik pods are scheduled. ++# It should be used when hostNetwork: true to prevent port conflicts + affinity: {} +-# # This example pod anti-affinity forces the scheduler to put traefik pods +-# # on nodes where no other traefik pods are scheduled. +-# # It should be used when hostNetwork: true to prevent port conflicts +-# podAntiAffinity: +-# requiredDuringSchedulingIgnoredDuringExecution: +-# - labelSelector: +-# matchExpressions: +-# - key: app.kubernetes.io/name +-# operator: In +-# values: +-# - {{ template "traefik.name" . }} +-# topologyKey: kubernetes.io/hostname ++# podAntiAffinity: ++# requiredDuringSchedulingIgnoredDuringExecution: ++# - labelSelector: ++# matchLabels: ++# app.kubernetes.io/name: '{{ template "traefik.name" . }}' ++# app.kubernetes.io/instance: '{{ .Release.Name }}' ++# topologyKey: kubernetes.io/hostname ++ + nodeSelector: {} + tolerations: [] + +``` + +## 12.0.6 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-10 + +* :bug: Ignore kustomization file used for CRDs update (#653) + + +## 12.0.5 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-10 + +* :memo: Establish Traefik & CRD update process + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 3526729..4431c36 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -342,6 +342,7 @@ ports: + + # Override the liveness/readiness port. This is useful to integrate traefik + # with an external Load Balancer that performs healthchecks. ++ # Default: ports.traefik.port + # healthchecksPort: 9000 + + # Override the liveness/readiness scheme. Useful for getting ping to +``` + +## 12.0.4 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-10 + +* Allows ingressClass to be used without semver-compatible image tag + + +## 12.0.3 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-10 + +* :bug: Should check hostNetwork when hostPort != containerPort + + +## 12.0.2 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-07 + +* :goal_net: Fail gracefully when hostNetwork is enabled and hostPort != containerPort + + +## 12.0.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-07 + +* :bug: Fix a typo on `behavior` for HPA v2 + + +## 12.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-06 + +* Update default HPA API Version to `v2` and add support for behavior (#518) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2bd51f8..3526729 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -488,11 +488,22 @@ autoscaling: + # - type: Resource + # resource: + # name: cpu +-# targetAverageUtilization: 60 ++# target: ++# type: Utilization ++# averageUtilization: 60 + # - type: Resource + # resource: + # name: memory +-# targetAverageUtilization: 60 ++# target: ++# type: Utilization ++# averageUtilization: 60 ++# behavior: ++# scaleDown: ++# stabilizationWindowSeconds: 300 ++# policies: ++# - type: Pods ++# value: 1 ++# periodSeconds: 60 + + # Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +``` + +## 11.1.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-05 + +* 🔊 add failure message when using maxUnavailable 0 and hostNetwork + + +## 11.1.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-04 + +* Update Traefik to v2.9.1 + + +## 11.0.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-04 + +* tweak default values to avoid downtime when updating + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 844cadc..2bd51f8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -126,20 +126,20 @@ ingressRoute: + entryPoints: ["traefik"] + + rollingUpdate: +- maxUnavailable: 1 ++ maxUnavailable: 0 + maxSurge: 1 + + # Customize liveness and readiness probe values. + readinessProbe: + failureThreshold: 1 +- initialDelaySeconds: 10 ++ initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + + livenessProbe: + failureThreshold: 3 +- initialDelaySeconds: 10 ++ initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 +``` + +## 10.33.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-04 + +* :rocket: Add `extraObjects` value that allows creating adhoc resources + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c926bd9..844cadc 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -598,3 +598,10 @@ securityContext: + + podSecurityContext: + fsGroup: 65532 ++ ++# ++# Extra objects to deploy (value evaluated as a template) ++# ++# In some cases, it can avoid the need for additional, extended or adhoc deployments. ++# See #595 for more details and traefik/tests/extra.yaml for example. ++extraObjects: [] +``` + +## 10.32.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-03 + +* Add support setting middleware on entrypoint + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 3957448..c926bd9 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -397,6 +397,16 @@ ports: + # sans: + # - foo.example.com + # - bar.example.com ++ # ++ # One can apply Middlewares on an entrypoint ++ # https://doc.traefik.io/traefik/middlewares/overview/ ++ # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares ++ # /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ ++ # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace ++ # middlewares: ++ # - namespace-name1@kubernetescrd ++ # - namespace-name2@kubernetescrd ++ middlewares: [] + metrics: + # When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations +``` + +## 10.31.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-03 + +* Support setting dashboard entryPoints for ingressRoute resource + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c9feb76..3957448 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -120,6 +120,10 @@ ingressRoute: + annotations: {} + # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} ++ # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). ++ # By default, it's using traefik entrypoint, which is not exposed. ++ # /!\ Do not expose your dashboard without any protection over the internet /!\ ++ entryPoints: ["traefik"] + + rollingUpdate: + maxUnavailable: 1 +``` + +## 10.30.2 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-03 + +* :test_tube: Fail gracefully when asked to provide a service without ports + + +## 10.30.1 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-30 + +* :arrow_up: Upgrade helm, ct & unittest (#638) + + +## 10.30.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-30 + +* Add support HTTPS scheme for healthcheks + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index fed4a8a..c9feb76 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -340,6 +340,10 @@ ports: + # with an external Load Balancer that performs healthchecks. + # healthchecksPort: 9000 + ++ # Override the liveness/readiness scheme. Useful for getting ping to ++ # respond on websecure entryPoint. ++ # healthchecksScheme: HTTPS ++ + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +``` + +## 10.29.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-29 + +* Add missing tracing options + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d1708cc..fed4a8a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -247,12 +247,45 @@ metrics: + + tracing: {} + # instana: +- # enabled: true ++ # localAgentHost: 127.0.0.1 ++ # localAgentPort: 42699 ++ # logLevel: info ++ # enableAutoProfile: true + # datadog: + # localAgentHostPort: 127.0.0.1:8126 + # debug: false + # globalTag: "" + # prioritySampling: false ++ # jaeger: ++ # samplingServerURL: http://localhost:5778/sampling ++ # samplingType: const ++ # samplingParam: 1.0 ++ # localAgentHostPort: 127.0.0.1:6831 ++ # gen128Bit: false ++ # propagation: jaeger ++ # traceContextHeaderName: uber-trace-id ++ # disableAttemptReconnecting: true ++ # collector: ++ # endpoint: "" ++ # user: "" ++ # password: "" ++ # zipkin: ++ # httpEndpoint: http://localhost:9411/api/v2/spans ++ # sameSpan: false ++ # id128Bit: true ++ # sampleRate: 1.0 ++ # haystack: ++ # localAgentHost: 127.0.0.1 ++ # localAgentPort: 35000 ++ # globalTag: "" ++ # traceIDHeaderName: "" ++ # parentIDHeaderName: "" ++ # spanIDHeaderName: "" ++ # baggagePrefixHeaderName: "" ++ # elastic: ++ # serverURL: http://localhost:8200 ++ # secretToken: "" ++ # serviceEnvironment: "" + + globalArguments: + - "--global.checknewversion" +``` + +## 10.28.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-29 + +* feat: add lifecycle for prestop and poststart + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 19a133c..d1708cc 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -59,6 +59,17 @@ deployment: + # Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName ++ # Pod lifecycle actions ++ lifecycle: {} ++ # preStop: ++ # exec: ++ # command: ["/bin/sh", "-c", "sleep 40"] ++ # postStart: ++ # httpGet: ++ # path: /ping ++ # port: 9000 ++ # host: localhost ++ # scheme: HTTP + + # Pod disruption budget + podDisruptionBudget: +``` + +## 10.27.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-29 + +* feat: add create gateway option + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d9c745e..19a133c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -91,6 +91,8 @@ experimental: + enabled: false + kubernetesGateway: + enabled: false ++ gateway: ++ enabled: true + # certificate: + # group: "core" + # kind: "Secret" +``` + +## 10.26.1 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-28 + +* 🐛 fix rbac templating (#636) + + +## 10.26.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-28 + +* :bug: Fix ingressClass support when rbac.namespaced=true (#499) + + +## 10.25.1 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-28 + +* Add ingressclasses to traefik role + + +## 10.25.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-27 + +* Add TLSStore resource to chart + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d4011c3..d9c745e 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -373,6 +373,15 @@ ports: + # - CurveP384 + tlsOptions: {} + ++# TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate ++# https://doc.traefik.io/traefik/https/tls/#default-certificate ++# Example: ++# tlsStore: ++# default: ++# defaultCertificate: ++# secretName: tls-cert ++tlsStore: {} ++ + # Options for the main traefik service, where the entrypoints traffic comes + # from. + service: +``` + +## 10.24.5 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-27 + +* Suggest an alternative port for metrics + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 81f2e85..d4011c3 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -344,6 +344,8 @@ ports: + # - foo.example.com + # - bar.example.com + metrics: ++ # When using hostNetwork, use another port to avoid conflict with node exporter: ++ # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 + # hostPort: 9100 + # Defines whether the port is exposed if service.type is LoadBalancer or +``` + +## 10.24.4 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-26 + +* Update Traefik to v2.8.7 + + +## 10.24.3 ![AppVersion: 2.8.5](https://img.shields.io/static/v1?label=AppVersion&message=2.8.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-14 + +* Update Traefik version to v2.8.5 + + +## 10.24.2 ![AppVersion: 2.8.4](https://img.shields.io/static/v1?label=AppVersion&message=2.8.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-05 + +* Update Traefik version to v2.8.4 + + +## 10.24.1 ![AppVersion: 2.8.0](https://img.shields.io/static/v1?label=AppVersion&message=2.8.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-08-29 + +* Update PodDisruptionBudget apiVersion to policy/v1 + + +## 10.24.0 ![AppVersion: 2.8.0](https://img.shields.io/static/v1?label=AppVersion&message=2.8.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-30 + +* Update Traefik version to v2.8.0 + + +## 10.23.0 ![AppVersion: 2.7.1](https://img.shields.io/static/v1?label=AppVersion&message=2.7.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-27 + +* Support environment variable usage for Datadog + + +## 10.22.0 ![AppVersion: 2.7.1](https://img.shields.io/static/v1?label=AppVersion&message=2.7.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-22 + +* Allow setting revisionHistoryLimit for Deployment and DaemonSet + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d5785ab..81f2e85 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -14,6 +14,8 @@ deployment: + kind: Deployment + # Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 ++ # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) ++ # revisionHistoryLimit: 1 + # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 + # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available +``` + +## 10.21.1 ![AppVersion: 2.7.1](https://img.shields.io/static/v1?label=AppVersion&message=2.7.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-15 + +* Update Traefik version to 2.7.1 + + +## 10.21.0 ![AppVersion: 2.7.0](https://img.shields.io/static/v1?label=AppVersion&message=2.7.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-15 + +* Support allowEmptyServices config for KubernetesCRD + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e141e29..d5785ab 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -133,6 +133,7 @@ providers: + enabled: true + allowCrossNamespace: false + allowExternalNameServices: false ++ allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] +``` + +## 10.20.1 ![AppVersion: 2.7.0](https://img.shields.io/static/v1?label=AppVersion&message=2.7.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-01 + +* Add Acme certificate resolver configuration + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a16b107..e141e29 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -433,6 +433,27 @@ persistence: + annotations: {} + # subPath: "" # only mount a subpath of the Volume into the pod + ++certResolvers: {} ++# letsencrypt: ++# # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ ++# email: email@example.com ++# dnsChallenge: ++# # also add the provider's required configuration under env ++# # or expand then from secrets/configmaps with envfrom ++# # cf. https://doc.traefik.io/traefik/https/acme/#providers ++# provider: digitalocean ++# # add futher options for the dns challenge as needed ++# # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge ++# delayBeforeCheck: 30 ++# resolvers: ++# - 1.1.1.1 ++# - 8.8.8.8 ++# tlsChallenge: true ++# httpChallenge: ++# entryPoint: "web" ++# # match the path to persistence ++# storage: /data/acme.json ++ + # If hostNetwork is true, runs traefik in the host network namespace + # To prevent unschedulabel pods due to port collisions, if hostNetwork=true + # and replicas>1, a pod anti-affinity is recommended and will be set if the +``` + +## 10.20.0 ![AppVersion: 2.7.0](https://img.shields.io/static/v1?label=AppVersion&message=2.7.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-05-25 + +* Update Traefik Proxy to v2.7.0 + + +## 10.19.5 ![AppVersion: 2.6.6](https://img.shields.io/static/v1?label=AppVersion&message=2.6.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-05-04 + +* Upgrade Traefik to 2.6.6 + + +## 10.19.4 ![AppVersion: 2.6.3](https://img.shields.io/static/v1?label=AppVersion&message=2.6.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-31 + +* Update Traefik dependency version to 2.6.3 + + +## 10.19.3 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-30 + +* Update CRDs to match the ones defined in the reference documentation + + +## 10.19.2 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-30 + +* Revert Traefik version to 2.6.2 + + +## 10.19.1 ![AppVersion: 2.6.3](https://img.shields.io/static/v1?label=AppVersion&message=2.6.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-30 + +* Update Traefik version to 2.6.3 + + +## 10.19.0 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-28 + +* Support ingressClass option for KubernetesIngress provider + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 02ab704..a16b107 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -142,6 +142,7 @@ providers: + enabled: true + allowExternalNameServices: false + allowEmptyServices: false ++ # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" +``` + +## 10.18.0 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-28 + +* Support liveness and readyness probes customization + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 15f1103..02ab704 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -110,6 +110,20 @@ rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + ++# Customize liveness and readiness probe values. ++readinessProbe: ++ failureThreshold: 1 ++ initialDelaySeconds: 10 ++ periodSeconds: 10 ++ successThreshold: 1 ++ timeoutSeconds: 2 ++ ++livenessProbe: ++ failureThreshold: 3 ++ initialDelaySeconds: 10 ++ periodSeconds: 10 ++ successThreshold: 1 ++ timeoutSeconds: 2 + + # + # Configure providers +``` + +## 10.17.0 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-28 + +* Support Datadog tracing + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4dccd1a..15f1103 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -217,6 +217,11 @@ metrics: + tracing: {} + # instana: + # enabled: true ++ # datadog: ++ # localAgentHostPort: 127.0.0.1:8126 ++ # debug: false ++ # globalTag: "" ++ # prioritySampling: false + + globalArguments: + - "--global.checknewversion" +``` + +## 10.16.1 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-28 + +* Update Traefik version to 2.6.2 + + +## 10.16.0 ![AppVersion: 2.6.1](https://img.shields.io/static/v1?label=AppVersion&message=2.6.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-28 + +* Support allowEmptyServices for KubernetesIngress provider + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 1f9dbbe..4dccd1a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -127,6 +127,7 @@ providers: + kubernetesIngress: + enabled: true + allowExternalNameServices: false ++ allowEmptyServices: false + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" +``` + +## 10.15.0 ![AppVersion: 2.6.1](https://img.shields.io/static/v1?label=AppVersion&message=2.6.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-08 + +* Add metrics.prometheus.addRoutersLabels option + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index cd4d49b..1f9dbbe 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -209,6 +209,7 @@ metrics: + # protocol: udp + prometheus: + entryPoint: metrics ++ # addRoutersLabels: true + # statsd: + # address: localhost:8125 + +``` + +## 10.14.2 ![AppVersion: 2.6.1](https://img.shields.io/static/v1?label=AppVersion&message=2.6.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-02-18 + +* Update Traefik to v2.6.1 + + +## 10.14.1 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-02-09 + +* Add missing inFlightConn TCP middleware CRD + + +## 10.14.0 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-02-03 + +* Add experimental HTTP/3 support + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d49122f..cd4d49b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -83,6 +83,8 @@ pilot: + + # Enable experimental features + experimental: ++ http3: ++ enabled: false + plugins: + enabled: false + kubernetesGateway: +@@ -300,6 +302,10 @@ ports: + # The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 ++ # Enable HTTP/3. ++ # Requires enabling experimental http3 feature and tls. ++ # Note that you cannot have a UDP entrypoint with the same port. ++ # http3: true + # Set TLS at the entrypoint + # https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: +``` + +## 10.13.0 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-02-01 + +* Add support for ipFamilies + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 32fce6f..d49122f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -366,6 +366,11 @@ service: + # - 1.2.3.4 + # One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack ++ # List of IP families (e.g. IPv4 and/or IPv6). ++ # ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services ++ # ipFamilies: ++ # - IPv4 ++ # - IPv6 + + ## Create HorizontalPodAutoscaler object. + ## +``` + +## 10.12.0 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-02-01 + +* Add shareProcessNamespace option to podtemplate + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ab25456..32fce6f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -50,6 +50,8 @@ deployment: + # volumeMounts: + # - name: data + # mountPath: /data ++ # Use process namespace sharing ++ shareProcessNamespace: false + # Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + # Additional imagePullSecrets +``` + +## 10.11.1 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-01-31 + +* Fix anti-affinity example + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8c72905..ab25456 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -438,13 +438,13 @@ affinity: {} + # # It should be used when hostNetwork: true to prevent port conflicts + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: +-# - labelSelector: +-# matchExpressions: +-# - key: app +-# operator: In +-# values: +-# - {{ template "traefik.name" . }} +-# topologyKey: failure-domain.beta.kubernetes.io/zone ++# - labelSelector: ++# matchExpressions: ++# - key: app.kubernetes.io/name ++# operator: In ++# values: ++# - {{ template "traefik.name" . }} ++# topologyKey: kubernetes.io/hostname + nodeSelector: {} + tolerations: [] + +``` + +## 10.11.0 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-01-31 + +* Add setting to enable Instana tracing + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7fe4a2c..8c72905 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -208,6 +208,10 @@ metrics: + # statsd: + # address: localhost:8125 + ++tracing: {} ++ # instana: ++ # enabled: true ++ + globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" +``` + +## 10.10.0 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-01-31 + +* Update Traefik to v2.6 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8ae4bd8..7fe4a2c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -85,9 +85,8 @@ experimental: + enabled: false + kubernetesGateway: + enabled: false +- appLabelSelector: "traefik" +- certificates: [] +- # - group: "core" ++ # certificate: ++ # group: "core" + # kind: "Secret" + # name: "mysecret" + # By default, Gateway would be created to the Namespace you are deploying Traefik to. +``` + +## 10.9.1 ![AppVersion: 2.5.6](https://img.shields.io/static/v1?label=AppVersion&message=2.5.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-12-24 + +* Bump traefik version to 2.5.6 + + +## 10.9.0 ![AppVersion: 2.5.4](https://img.shields.io/static/v1?label=AppVersion&message=2.5.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-12-20 + +* feat: add allowExternalNameServices to KubernetesIngress provider + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 79df205..8ae4bd8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -123,6 +123,7 @@ providers: + + kubernetesIngress: + enabled: true ++ allowExternalNameServices: false + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" +``` + +## 10.8.0 ![AppVersion: 2.5.4](https://img.shields.io/static/v1?label=AppVersion&message=2.5.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-12-20 + +* Add support to specify minReadySeconds on Deployment/DaemonSet + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7e9186b..79df205 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -16,6 +16,8 @@ deployment: + replicas: 1 + # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 ++ # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available ++ minReadySeconds: 0 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # Additional deployment labels (e.g. for filtering deployment by custom labels) +``` + +## 10.7.1 ![AppVersion: 2.5.4](https://img.shields.io/static/v1?label=AppVersion&message=2.5.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-12-06 + +* Fix pod disruption when using percentages + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e0655c8..7e9186b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -52,13 +52,15 @@ deployment: + # dnsPolicy: ClusterFirstWithHostNet + # Additional imagePullSecrets + imagePullSecrets: [] +- # - name: myRegistryKeySecretName ++ # - name: myRegistryKeySecretName + + # Pod disruption budget + podDisruptionBudget: + enabled: false + # maxUnavailable: 1 ++ # maxUnavailable: 33% + # minAvailable: 0 ++ # minAvailable: 25% + + # Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x + ingressClass: +``` + +## 10.7.0 ![AppVersion: 2.5.4](https://img.shields.io/static/v1?label=AppVersion&message=2.5.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-12-06 + +* Add support for ipFamilyPolicy + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 3ec7105..e0655c8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -343,8 +343,8 @@ service: + annotationsUDP: {} + # Additional service labels (e.g. for filtering Service by custom labels) + labels: {} +- # Additional entries here will be added to the service spec. Cannot contains +- # type, selector or ports entries. ++ # Additional entries here will be added to the service spec. ++ # Cannot contain type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" +@@ -354,6 +354,8 @@ service: + # - 172.16.0.0/16 + externalIPs: [] + # - 1.2.3.4 ++ # One of SingleStack, PreferDualStack, or RequireDualStack. ++ # ipFamilyPolicy: SingleStack + + ## Create HorizontalPodAutoscaler object. + ## +``` + +## 10.6.2 ![AppVersion: 2.5.4](https://img.shields.io/static/v1?label=AppVersion&message=2.5.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-11-15 + +* Bump Traefik version to 2.5.4 + + +## 10.6.1 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-11-05 + +* Add missing Gateway API resources to ClusterRole + + +## 10.6.0 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-10-13 + +* feat: allow termination grace period to be configurable + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index f06ebc6..3ec7105 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -14,6 +14,8 @@ deployment: + kind: Deployment + # Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 ++ # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down ++ terminationGracePeriodSeconds: 60 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # Additional deployment labels (e.g. for filtering deployment by custom labels) +``` + +## 10.5.0 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-10-13 + +* feat: add allowExternalNameServices to Kubernetes CRD provider + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 3bcb350..f06ebc6 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -109,6 +109,7 @@ providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: false ++ allowExternalNameServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] +``` + +## 10.4.2 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-10-13 + +* fix(crd): add permissionsPolicy to headers middleware + + +## 10.4.1 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-10-13 + +* fix(crd): add peerCertURI option to ServersTransport + + +## 10.4.0 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-10-12 + +* Add Kubernetes CRD labelSelector and ingressClass options + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index f54f5fe..3bcb350 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -109,8 +109,11 @@ providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: false ++ # ingressClass: traefik-internal ++ # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" ++ + kubernetesIngress: + enabled: true + # labelSelector: environment=production,method=traefik +``` + +## 10.3.6 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-09-24 + +* Fix missing RequireAnyClientCert value to TLSOption CRD + + +## 10.3.5 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-09-23 + +* Bump Traefik version to 2.5.3 + + +## 10.3.4 ![AppVersion: 2.5.1](https://img.shields.io/static/v1?label=AppVersion&message=2.5.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-09-17 + +* Add allowCrossNamespace option on kubernetesCRD provider + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7e3a579..f54f5fe 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -108,6 +108,7 @@ rollingUpdate: + providers: + kubernetesCRD: + enabled: true ++ allowCrossNamespace: false + namespaces: [] + # - "default" + kubernetesIngress: +``` + +## 10.3.3 ![AppVersion: 2.5.1](https://img.shields.io/static/v1?label=AppVersion&message=2.5.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-09-17 + +* fix(crd): missing alpnProtocols in TLSOption + + +## 10.3.2 ![AppVersion: 2.5.1](https://img.shields.io/static/v1?label=AppVersion&message=2.5.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-23 + +* Releasing 2.5.1 + + +## 10.3.1 ![AppVersion: 2.5.0](https://img.shields.io/static/v1?label=AppVersion&message=2.5.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-20 + +* Fix Ingress RBAC for namespaced scoped deployment + + +## 10.3.0 ![AppVersion: 2.5.0](https://img.shields.io/static/v1?label=AppVersion&message=2.5.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-18 + +* Releasing Traefik 2.5.0 + + +## 10.2.0 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-18 + +* Allow setting TCP and UDP service annotations separately + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 72a01ea..7e3a579 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -328,8 +328,12 @@ tlsOptions: {} + service: + enabled: true + type: LoadBalancer +- # Additional annotations (e.g. for cloud provider specific config) ++ # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} ++ # Additional annotations for TCP service only ++ annotationsTCP: {} ++ # Additional annotations for UDP service only ++ annotationsUDP: {} + # Additional service labels (e.g. for filtering Service by custom labels) + labels: {} + # Additional entries here will be added to the service spec. Cannot contains +``` + +## 10.1.6 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-17 + +* fix: missing service labels + + +## 10.1.5 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-17 + +* fix(pvc-annotaions): see traefik/traefik-helm-chart#471 + + +## 10.1.4 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-17 + +* fix(ingressclass): fallbackApiVersion default shouldn't be `nil` + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 04d336c..72a01ea 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -64,7 +64,7 @@ ingressClass: + enabled: false + isDefaultClass: false + # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" +- fallbackApiVersion: ++ fallbackApiVersion: "" + + # Activate Pilot integration + pilot: +``` + +## 10.1.3 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-16 + +* Move Prometheus annotations to Pods + + +## 10.1.2 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-10 + +* Version bumped 2.4.13 + + +## 10.1.1 ![AppVersion: 2.4.9](https://img.shields.io/static/v1?label=AppVersion&message=2.4.9&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-20 + +* Fixing Prometheus.io/port annotation + + +## 10.1.0 ![AppVersion: 2.4.9](https://img.shields.io/static/v1?label=AppVersion&message=2.4.9&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-20 + +* Add metrics framework, and prom annotations + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index f6e370a..04d336c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -186,6 +186,17 @@ logs: + # Authorization: drop + # Content-Type: keep + ++metrics: ++ # datadog: ++ # address: 127.0.0.1:8125 ++ # influxdb: ++ # address: localhost:8089 ++ # protocol: udp ++ prometheus: ++ entryPoint: metrics ++ # statsd: ++ # address: localhost:8125 ++ + globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" +@@ -284,6 +295,20 @@ ports: + # sans: + # - foo.example.com + # - bar.example.com ++ metrics: ++ port: 9100 ++ # hostPort: 9100 ++ # Defines whether the port is exposed if service.type is LoadBalancer or ++ # NodePort. ++ # ++ # You may not want to expose the metrics port on production deployments. ++ # If you want to access it from outside of your cluster, ++ # use `kubectl port-forward` or create a secure ingress ++ expose: false ++ # The exposed port for this service ++ exposedPort: 9100 ++ # The port protocol (TCP/UDP) ++ protocol: TCP + + # TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options +``` + +## 10.0.2 ![AppVersion: 2.4.9](https://img.shields.io/static/v1?label=AppVersion&message=2.4.9&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-14 + +* feat(gateway): introduces param / pick Namespace installing Gateway + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9bf90ea..f6e370a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -84,6 +84,9 @@ experimental: + # - group: "core" + # kind: "Secret" + # name: "mysecret" ++ # By default, Gateway would be created to the Namespace you are deploying Traefik to. ++ # You may create that Gateway in another namespace, setting its name below: ++ # namespace: default + + # Create an IngressRoute for the dashboard + ingressRoute: +``` + +## 10.0.1 ![AppVersion: 2.4.9](https://img.shields.io/static/v1?label=AppVersion&message=2.4.9&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-14 + +* Add RBAC for middlewaretcps + + +## 10.0.0 ![AppVersion: 2.4.9](https://img.shields.io/static/v1?label=AppVersion&message=2.4.9&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-07 + +* Update CRD versions + + +## 9.20.1 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-05 + +* Revert CRD templating + + +## 9.20.0 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-05 + +* Add support for apiextensions v1 CRDs + + +## 9.19.2 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-06-16 + +* Add name-metadata for service "List" object + + +## 9.19.1 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-05-13 + +* fix simple typo + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b30afac..9bf90ea 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -363,7 +363,7 @@ rbac: + # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace + namespaced: false + +-# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBindin or ClusterRoleBinding ++# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding + podSecurityPolicy: + enabled: false + +``` + +## 9.19.0 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-04-29 + +* Fix IngressClass api version + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 0aa2d6b..b30afac 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -63,6 +63,8 @@ ingressClass: + # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 + enabled: false + isDefaultClass: false ++ # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" ++ fallbackApiVersion: + + # Activate Pilot integration + pilot: +``` + +## 9.18.3 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-04-26 + +* Fix: ignore provider namespace args on disabled + + +## 9.18.2 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-04-02 + +* Fix pilot dashboard deactivation + + +## 9.18.1 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-29 + +* Do not disable Traefik Pilot in the dashboard by default + + +## 9.18.0 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-24 + +* Add an option to toggle the pilot dashboard + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 017f771..0aa2d6b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -68,6 +68,8 @@ ingressClass: + pilot: + enabled: false + token: "" ++ # Toggle Pilot Dashboard ++ # dashboard: false + + # Enable experimental features + experimental: +``` + +## 9.17.6 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-24 + +* Bump Traefik to 2.4.8 + + +## 9.17.5 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-17 + +* feat(labelSelector): option matching Ingresses based on labelSelectors + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 868a985..017f771 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -105,6 +105,7 @@ providers: + # - "default" + kubernetesIngress: + enabled: true ++ # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" + # IP used for Kubernetes Ingress endpoints +``` + +## 9.17.4 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-17 + +* Add helm resource-policy annotation on PVC + + +## 9.17.3 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-17 + +* Throw error with explicit latest tag + + +## 9.17.2 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-10 + +* fix(keywords): removed by mistake + + +## 9.17.1 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-10 + +* feat(healthchecksPort): Support for overriding the liveness/readiness probes port + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 56abb93..868a985 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -120,6 +120,8 @@ providers: + # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: + # additionalArguments: + # - "--providers.file.filename=/config/dynamic.toml" ++# - "--ping" ++# - "--ping.entrypoint=web" + volumes: [] + # - name: public-cert + # mountPath: "/certs" +@@ -225,6 +227,10 @@ ports: + # only. + # hostIP: 192.168.100.10 + ++ # Override the liveness/readiness port. This is useful to integrate traefik ++ # with an external Load Balancer that performs healthchecks. ++ # healthchecksPort: 9000 ++ + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +``` + +## 9.16.2 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-09 + +* Bump Traefik to 2.4.7 + + +## 9.16.1 ![AppVersion: 2.4.6](https://img.shields.io/static/v1?label=AppVersion&message=2.4.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-09 + +* Adding custom labels to deployment + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ba24be7..56abb93 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -16,6 +16,8 @@ deployment: + replicas: 1 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} ++ # Additional deployment labels (e.g. for filtering deployment by custom labels) ++ labels: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + # Additional Pod labels (e.g. for filtering Pod by custom labels) +``` + +## 9.15.2 ![AppVersion: 2.4.6](https://img.shields.io/static/v1?label=AppVersion&message=2.4.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-02 + +* Upgrade Traefik to 2.4.6 + + +## 9.15.1 ![AppVersion: 2.4.5](https://img.shields.io/static/v1?label=AppVersion&message=2.4.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-02 + +* Configurable PVC name + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 1e0e5a9..ba24be7 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -327,6 +327,7 @@ autoscaling: + # It will persist TLS certificates. + persistence: + enabled: false ++ name: data + # existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi +``` + +## 9.14.4 ![AppVersion: 2.4.5](https://img.shields.io/static/v1?label=AppVersion&message=2.4.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-02 + +* fix typo + + +## 9.14.3 ![AppVersion: 2.4.5](https://img.shields.io/static/v1?label=AppVersion&message=2.4.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-02-19 + +* Bump Traefik to 2.4.5 + + +## 9.14.2 ![AppVersion: 2.4.2](https://img.shields.io/static/v1?label=AppVersion&message=2.4.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-02-03 + +* docs: indent nit for dsdsocket example + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 56485ad..1e0e5a9 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -33,7 +33,7 @@ deployment: + additionalVolumes: [] + # - name: dsdsocket + # hostPath: +- # path: /var/run/statsd-exporter ++ # path: /var/run/statsd-exporter + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. +``` + +## 9.14.1 ![AppVersion: 2.4.2](https://img.shields.io/static/v1?label=AppVersion&message=2.4.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-02-03 + +* Update Traefik to 2.4.2 + + +## 9.14.0 ![AppVersion: 2.4.0](https://img.shields.io/static/v1?label=AppVersion&message=2.4.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-02-01 + +* Enable Kubernetes Gateway provider with an experimental flag + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 50cab94..56485ad 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -71,6 +71,13 @@ pilot: + experimental: + plugins: + enabled: false ++ kubernetesGateway: ++ enabled: false ++ appLabelSelector: "traefik" ++ certificates: [] ++ # - group: "core" ++ # kind: "Secret" ++ # name: "mysecret" + + # Create an IngressRoute for the dashboard + ingressRoute: +``` + +## 9.13.0 ![AppVersion: 2.4.0](https://img.shields.io/static/v1?label=AppVersion&message=2.4.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-01-22 + +* Update Traefik to 2.4 and add resources + + +## 9.12.3 ![AppVersion: 2.3.6](https://img.shields.io/static/v1?label=AppVersion&message=2.3.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-12-31 + +* Revert API Upgrade + + +## 9.12.2 ![AppVersion: 2.3.6](https://img.shields.io/static/v1?label=AppVersion&message=2.3.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-12-31 + +* Bump Traefik to 2.3.6 + + +## 9.12.1 ![AppVersion: 2.3.3](https://img.shields.io/static/v1?label=AppVersion&message=2.3.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-12-30 + +* Resolve #303, change CRD version from v1beta1 to v1 + + +## 9.12.0 ![AppVersion: 2.3.3](https://img.shields.io/static/v1?label=AppVersion&message=2.3.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-12-30 + +* Implement support for DaemonSet + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 60a721d..50cab94 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -10,7 +10,9 @@ image: + # + deployment: + enabled: true +- # Number of pods of the deployment ++ # Can be either Deployment or DaemonSet ++ kind: Deployment ++ # Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} +``` + +## 9.11.0 ![AppVersion: 2.3.3](https://img.shields.io/static/v1?label=AppVersion&message=2.3.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-20 + +* add podLabels - custom labels + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a187df7..60a721d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -16,6 +16,8 @@ deployment: + annotations: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} ++ # Additional Pod labels (e.g. for filtering Pod by custom labels) ++ podLabels: {} + # Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] + # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host +``` + +## 9.10.2 ![AppVersion: 2.3.3](https://img.shields.io/static/v1?label=AppVersion&message=2.3.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-20 + +* Bump Traefik to 2.3.3 + + +## 9.10.1 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-04 + +* Specify IngressClass resource when checking for cluster capability + + +## 9.10.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-03 + +* Add list of watched provider namespaces + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e6b85ca..a187df7 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -88,8 +88,12 @@ rollingUpdate: + providers: + kubernetesCRD: + enabled: true ++ namespaces: [] ++ # - "default" + kubernetesIngress: + enabled: true ++ namespaces: [] ++ # - "default" + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false +``` + +## 9.9.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-03 + +* Add additionalVolumeMounts for traefik container + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 37dd151..e6b85ca 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -111,6 +111,12 @@ volumes: [] + # mountPath: "/config" + # type: configMap + ++# Additional volumeMounts to add to the Traefik container ++additionalVolumeMounts: [] ++ # For instance when using a logshipper for access logs ++ # - name: traefik-logs ++ # mountPath: /var/log/traefik ++ + # Logs + # https://docs.traefik.io/observability/logs/ + logs: +``` + +## 9.8.4 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-03 + +* fix: multiple ImagePullSecrets + + +## 9.8.3 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-30 + +* Add imagePullSecrets + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 87f60c0..37dd151 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -42,6 +42,9 @@ deployment: + # mountPath: /data + # Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet ++ # Additional imagePullSecrets ++ imagePullSecrets: [] ++ # - name: myRegistryKeySecretName + + # Pod disruption budget + podDisruptionBudget: +``` + +## 9.8.2 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-28 + +* Add chart repo to source + + +## 9.8.1 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-23 + +* fix semver compare + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4ca1f8f..87f60c0 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,8 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.3.1 ++ # defaults to appVersion ++ tag: "" + pullPolicy: IfNotPresent + + # +``` + +## 9.8.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-20 + +* feat: Enable entrypoint tls config + TLSOption + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index eee3622..4ca1f8f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -231,6 +231,31 @@ ports: + # The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 ++ # Set TLS at the entrypoint ++ # https://doc.traefik.io/traefik/routing/entrypoints/#tls ++ tls: ++ enabled: false ++ # this is the name of a TLSOption definition ++ options: "" ++ certResolver: "" ++ domains: [] ++ # - main: example.com ++ # sans: ++ # - foo.example.com ++ # - bar.example.com ++ ++# TLS Options are created as TLSOption CRDs ++# https://doc.traefik.io/traefik/https/tls/#tls-options ++# Example: ++# tlsOptions: ++# default: ++# sniStrict: true ++# preferServerCipherSuites: true ++# foobar: ++# curvePreferences: ++# - CurveP521 ++# - CurveP384 ++tlsOptions: {} + + # Options for the main traefik service, where the entrypoints traffic comes + # from. +``` + +## 9.7.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-15 + +* Add a configuration option for an emptyDir as plugin storage + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b7153a1..eee3622 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -54,10 +54,16 @@ ingressClass: + enabled: false + isDefaultClass: false + ++# Activate Pilot integration + pilot: + enabled: false + token: "" + ++# Enable experimental features ++experimental: ++ plugins: ++ enabled: false ++ + # Create an IngressRoute for the dashboard + ingressRoute: + dashboard: +``` + +## 9.6.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-15 + +* Add additional volumes for init and additional containers + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9bac45e..b7153a1 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -17,6 +17,18 @@ deployment: + podAnnotations: {} + # Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] ++ # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host ++ # - name: socat-proxy ++ # image: alpine/socat:1.0.5 ++ # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] ++ # volumeMounts: ++ # - name: dsdsocket ++ # mountPath: /socket ++ # Additional volumes available for use with initContainers and additionalContainers ++ additionalVolumes: [] ++ # - name: dsdsocket ++ # hostPath: ++ # path: /var/run/statsd-exporter + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. +``` + +## 9.5.2 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-15 + +* Replace extensions with policy because of deprecation + + +## 9.5.1 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-14 + +* Template custom volume name + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 5a8d8ea..9bac45e 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -76,7 +76,7 @@ providers: + # pathOverride: "" + + # +-# Add volumes to the traefik pod. ++# Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. + # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: + # additionalArguments: +@@ -85,7 +85,7 @@ volumes: [] + # - name: public-cert + # mountPath: "/certs" + # type: secret +-# - name: configs ++# - name: '{{ printf "%s-configs" .Release.Name }}' + # mountPath: "/config" + # type: configMap + +``` + +## 9.5.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-02 + +* Create PodSecurityPolicy and RBAC when needed. + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8c4d866..5a8d8ea 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -281,6 +281,10 @@ rbac: + # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace + namespaced: false + ++# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBindin or ClusterRoleBinding ++podSecurityPolicy: ++ enabled: false ++ + # The service account the pods will use to interact with the Kubernetes API + serviceAccount: + # If set, an existing service account is used +``` + +## 9.4.3 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-02 + +* Update traefik to v2.3.1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 3df75a4..8c4d866 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.3.0 ++ tag: 2.3.1 + pullPolicy: IfNotPresent + + # +``` + +## 9.4.2 ![AppVersion: 2.3.0](https://img.shields.io/static/v1?label=AppVersion&message=2.3.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-02 + +* Add Artifact Hub repository metadata file + + +## 9.4.1 ![AppVersion: 2.3.0](https://img.shields.io/static/v1?label=AppVersion&message=2.3.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-01 + +* Fix broken chart icon url + + +## 9.4.0 ![AppVersion: 2.3.0](https://img.shields.io/static/v1?label=AppVersion&message=2.3.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-01 + +* Allow to specify custom labels on Service + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a6175ff..3df75a4 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -221,6 +221,8 @@ service: + type: LoadBalancer + # Additional annotations (e.g. for cloud provider specific config) + annotations: {} ++ # Additional service labels (e.g. for filtering Service by custom labels) ++ labels: {} + # Additional entries here will be added to the service spec. Cannot contains + # type, selector or ports entries. + spec: {} +``` + +## 9.3.0 ![AppVersion: 2.3.0](https://img.shields.io/static/v1?label=AppVersion&message=2.3.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-09-24 + +* Release Traefik 2.3 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index fba955d..a6175ff 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.2.8 ++ tag: 2.3.0 + pullPolicy: IfNotPresent + + # +@@ -36,6 +36,16 @@ podDisruptionBudget: + # maxUnavailable: 1 + # minAvailable: 0 + ++# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x ++ingressClass: ++ # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 ++ enabled: false ++ isDefaultClass: false ++ ++pilot: ++ enabled: false ++ token: "" ++ + # Create an IngressRoute for the dashboard + ingressRoute: + dashboard: +``` + +## 9.2.1 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-09-18 + +* Add new helm url + + +## 9.2.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-09-16 + +* chore: move to new organization. + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9f52c39..fba955d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -20,7 +20,7 @@ deployment: + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. +- # Related issue: https://github.com/containous/traefik/issues/6972 ++ # Related issue: https://github.com/traefik/traefik/issues/6972 + # - name: volume-permissions + # image: busybox:1.31.1 + # command: ["sh", "-c", "chmod -Rv 600 /data/*"] +``` + +## 9.1.1 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-09-04 + +* Update reference to using kubectl proxy to kubectl port-forward + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7b74a39..9f52c39 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -175,7 +175,7 @@ ports: + # + # You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside of your cluster, +- # use `kubectl proxy` or create a secure ingress ++ # use `kubectl port-forward` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9000 +``` + +## 9.1.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-24 + +* PublishedService option + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e161a14..7b74a39 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -58,6 +58,12 @@ providers: + enabled: true + kubernetesIngress: + enabled: true ++ # IP used for Kubernetes Ingress endpoints ++ publishedService: ++ enabled: false ++ # Published Kubernetes Service to copy status from. Format: namespace/servicename ++ # By default this Traefik service ++ # pathOverride: "" + + # + # Add volumes to the traefik pod. +``` + +## 9.0.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-21 + +* feat: Move Chart apiVersion: v2 + + +## 8.13.3 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-21 + +* bug: Check for port config + + +## 8.13.2 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-19 + +* Fix log level configuration + + +## 8.13.1 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-18 + +* Dont redirect to websecure by default + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 67276f7..e161a14 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -188,7 +188,7 @@ ports: + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection +- redirectTo: websecure ++ # redirectTo: websecure + websecure: + port: 8443 + # hostPort: 8443 +``` + +## 8.13.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-18 + +* Add logging, and http redirect config + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 6f79580..67276f7 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -73,6 +73,48 @@ volumes: [] + # mountPath: "/config" + # type: configMap + ++# Logs ++# https://docs.traefik.io/observability/logs/ ++logs: ++ # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). ++ general: ++ # By default, the logs use a text format (common), but you can ++ # also ask for the json format in the format option ++ # format: json ++ # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. ++ level: ERROR ++ access: ++ # To enable access logs ++ enabled: false ++ # By default, logs are written using the Common Log Format (CLF). ++ # To write logs in JSON, use json in the format option. ++ # If the given format is unsupported, the default (CLF) is used instead. ++ # format: json ++ # To write the logs in an asynchronous fashion, specify a bufferingSize option. ++ # This option represents the number of log lines Traefik will keep in memory before writing ++ # them to the selected output. In some cases, this option can greatly help performances. ++ # bufferingSize: 100 ++ # Filtering https://docs.traefik.io/observability/access-logs/#filtering ++ filters: {} ++ # statuscodes: "200,300-302" ++ # retryattempts: true ++ # minduration: 10ms ++ # Fields ++ # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers ++ fields: ++ general: ++ defaultmode: keep ++ names: {} ++ # Examples: ++ # ClientUsername: drop ++ headers: ++ defaultmode: drop ++ names: {} ++ # Examples: ++ # User-Agent: redact ++ # Authorization: drop ++ # Content-Type: keep ++ + globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" +@@ -143,6 +185,10 @@ ports: + # Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer + # nodePort: 32080 ++ # Port Redirections ++ # Added in 2.2, you can make permanent redirects via entrypoints. ++ # https://docs.traefik.io/routing/entrypoints/#redirection ++ redirectTo: websecure + websecure: + port: 8443 + # hostPort: 8443 +``` + +## 8.12.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-14 + +* Add image pull policy + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 10b3949..6f79580 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -2,6 +2,7 @@ + image: + name: traefik + tag: 2.2.8 ++ pullPolicy: IfNotPresent + + # + # Configure the deployment +``` + +## 8.11.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-12 + +* Add dns policy option + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 80ddaaa..10b3949 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -26,6 +26,8 @@ deployment: + # volumeMounts: + # - name: data + # mountPath: /data ++ # Custom pod DNS policy. Apply if `hostNetwork: true` ++ # dnsPolicy: ClusterFirstWithHostNet + + # Pod disruption budget + podDisruptionBudget: +``` + +## 8.10.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-11 + +* Add hostIp to port configuration + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 936ab92..80ddaaa 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -112,6 +112,12 @@ ports: + port: 9000 + # Use hostPort if set. + # hostPort: 9000 ++ # ++ # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which ++ # means it's listening on all your interfaces and all your IPs. You may want ++ # to set this value if you need traefik to listen on specific interface ++ # only. ++ # hostIP: 192.168.100.10 + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. +``` + +## 8.9.2 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-10 + +* Bump Traefik to 2.2.8 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 42ee893..936ab92 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.2.5 ++ tag: 2.2.8 + + # + # Configure the deployment +``` + +## 8.9.1 ![AppVersion: 2.2.5](https://img.shields.io/static/v1?label=AppVersion&message=2.2.5&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-07-15 + +* Upgrade traefik version + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a7fb668..42ee893 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.2.1 ++ tag: 2.2.5 + + # + # Configure the deployment +``` + +## 8.9.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-07-08 + +* run init container to set proper permissions on volume + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 62e3a77..a7fb668 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -16,6 +16,16 @@ deployment: + podAnnotations: {} + # Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] ++ # Additional initContainers (e.g. for setting file permission as shown below) ++ initContainers: [] ++ # The "volume-permissions" init container is required if you run into permission issues. ++ # Related issue: https://github.com/containous/traefik/issues/6972 ++ # - name: volume-permissions ++ # image: busybox:1.31.1 ++ # command: ["sh", "-c", "chmod -Rv 600 /data/*"] ++ # volumeMounts: ++ # - name: data ++ # mountPath: /data + + # Pod disruption budget + podDisruptionBudget: +``` + +## 8.8.1 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-07-02 + +* Additional container fix + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 85df29c..62e3a77 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -15,7 +15,7 @@ deployment: + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + # Additional containers (e.g. for metric offloading sidecars) +- additionalContainers: {} ++ additionalContainers: [] + + # Pod disruption budget + podDisruptionBudget: +``` + +## 8.8.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-07-01 + +* added additionalContainers option to chart + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 6a9dfd8..85df29c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -14,6 +14,8 @@ deployment: + annotations: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} ++ # Additional containers (e.g. for metric offloading sidecars) ++ additionalContainers: {} + + # Pod disruption budget + podDisruptionBudget: +``` + +## 8.7.2 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-30 + +* Update image + + +## 8.7.1 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-26 + +* Update values.yaml + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 05f9eab..6a9dfd8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -196,7 +196,7 @@ rbac: + # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace + namespaced: false + +-# The service account the pods will use to interact with the Kubernates API ++# The service account the pods will use to interact with the Kubernetes API + serviceAccount: + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template +``` + +## 8.7.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-23 + +* Add option to disable providers + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 102ae00..05f9eab 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -34,6 +34,16 @@ rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + ++ ++# ++# Configure providers ++# ++providers: ++ kubernetesCRD: ++ enabled: true ++ kubernetesIngress: ++ enabled: true ++ + # + # Add volumes to the traefik pod. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. +``` + +## 8.6.1 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-18 + +* Fix read-only /tmp + + +## 8.6.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-17 + +* Add existing PVC support(#158) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b2f4fc3..102ae00 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -164,6 +164,7 @@ autoscaling: + # It will persist TLS certificates. + persistence: + enabled: false ++# existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi + # storageClass: "" +``` + +## 8.5.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-16 + +* UDP support + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9a9b668..b2f4fc3 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -100,11 +100,15 @@ ports: + expose: false + # The exposed port for this service + exposedPort: 9000 ++ # The port protocol (TCP/UDP) ++ protocol: TCP + web: + port: 8000 + # hostPort: 8000 + expose: true + exposedPort: 80 ++ # The port protocol (TCP/UDP) ++ protocol: TCP + # Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer + # nodePort: 32080 +@@ -113,6 +117,8 @@ ports: + # hostPort: 8443 + expose: true + exposedPort: 443 ++ # The port protocol (TCP/UDP) ++ protocol: TCP + # nodePort: 32443 + + # Options for the main traefik service, where the entrypoints traffic comes +``` + +## 8.4.1 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-10 + +* Fix PDB with minAvailable set + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e812b98..9a9b668 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -18,7 +18,7 @@ deployment: + # Pod disruption budget + podDisruptionBudget: + enabled: false +- maxUnavailable: 1 ++ # maxUnavailable: 1 + # minAvailable: 0 + + # Create an IngressRoute for the dashboard +``` + +## 8.4.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-09 + +* Add pod disruption budget (#192) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 5f44e5c..e812b98 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -15,6 +15,12 @@ deployment: + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + ++# Pod disruption budget ++podDisruptionBudget: ++ enabled: false ++ maxUnavailable: 1 ++ # minAvailable: 0 ++ + # Create an IngressRoute for the dashboard + ingressRoute: + dashboard: +``` + +## 8.3.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-08 + +* Add option to disable RBAC and ServiceAccount + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 96bba18..5f44e5c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -165,6 +165,20 @@ persistence: + # affinity is left as default. + hostNetwork: false + ++# Whether Role Based Access Control objects like roles and rolebindings should be created ++rbac: ++ enabled: true ++ ++ # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. ++ # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace ++ namespaced: false ++ ++# The service account the pods will use to interact with the Kubernates API ++serviceAccount: ++ # If set, an existing service account is used ++ # If not set, a service account is created automatically using the fullname template ++ name: "" ++ + # Additional serviceAccount annotations (e.g. for oidc authentication) + serviceAccountAnnotations: {} + +``` + +## 8.2.1 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-05-25 + +* Remove suggested providers.kubernetesingress value + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e35bdf9..96bba18 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -50,9 +50,9 @@ globalArguments: + # Configure Traefik static configuration + # Additional arguments to be passed at Traefik's binary + # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ +-## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--log.level=DEBUG}"` ++## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` + additionalArguments: [] +-# - "--providers.kubernetesingress" ++# - "--providers.kubernetesingress.ingressclass=traefik-internal" + # - "--log.level=DEBUG" + + # Environment variables to be passed to Traefik's binary +``` + +## 8.2.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-05-18 + +* Add kubernetes ingress by default + + +## 8.1.5 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-05-18 + +* Fix example log params in values.yml + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index abe2334..e35bdf9 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -50,10 +50,10 @@ globalArguments: + # Configure Traefik static configuration + # Additional arguments to be passed at Traefik's binary + # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ +-## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--logs.level=DEBUG}"` ++## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--log.level=DEBUG}"` + additionalArguments: [] + # - "--providers.kubernetesingress" +-# - "--logs.level=DEBUG" ++# - "--log.level=DEBUG" + + # Environment variables to be passed to Traefik's binary + env: [] +``` + +## 8.1.4 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-30 + +* Update Traefik to v2.2.1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 57cc7e1..abe2334 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.2.0 ++ tag: 2.2.1 + + # + # Configure the deployment +``` + +## 8.1.3 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-29 + +* Clarify additionnal arguments log + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d639f72..57cc7e1 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -50,9 +50,10 @@ globalArguments: + # Configure Traefik static configuration + # Additional arguments to be passed at Traefik's binary + # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ +-## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--global.checknewversion=true}"` ++## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--logs.level=DEBUG}"` + additionalArguments: [] + # - "--providers.kubernetesingress" ++# - "--logs.level=DEBUG" + + # Environment variables to be passed to Traefik's binary + env: [] +``` + +## 8.1.2 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-23 + +* Remove invalid flags. (#161) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 0e7aaef..d639f72 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -34,8 +34,6 @@ rollingUpdate: + # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: + # additionalArguments: + # - "--providers.file.filename=/config/dynamic.toml" +-# - "--tls.certificates.certFile=/certs/tls.crt" +-# - "--tls.certificates.keyFile=/certs/tls.key" + volumes: [] + # - name: public-cert + # mountPath: "/certs" +``` + +## 8.1.1 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-23 + +* clarify project philosophy and guidelines + + +## 8.1.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-22 + +* Add priorityClassName & securityContext + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d55a40a..0e7aaef 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -191,3 +191,20 @@ affinity: {} + # topologyKey: failure-domain.beta.kubernetes.io/zone + nodeSelector: {} + tolerations: [] ++ ++# Pods can have priority. ++# Priority indicates the importance of a Pod relative to other Pods. ++priorityClassName: "" ++ ++# Set the container security context ++# To run the container with ports below 1024 this will need to be adjust to run as root ++securityContext: ++ capabilities: ++ drop: [ALL] ++ readOnlyRootFilesystem: true ++ runAsGroup: 65532 ++ runAsNonRoot: true ++ runAsUser: 65532 ++ ++podSecurityContext: ++ fsGroup: 65532 +``` + +## 8.0.4 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-20 + +* Possibility to bind environment variables via envFrom + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7f8092e..d55a40a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -71,6 +71,12 @@ env: [] + # name: secret-name + # key: secret-key + ++envFrom: [] ++# - configMapRef: ++# name: config-map-name ++# - secretRef: ++# name: secret-name ++ + # Configure ports + ports: + # The name of this one can't be changed as it is used for the readiness and +``` + +## 8.0.3 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-15 + +* Add support for data volume subPath. (#147) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 152339b..7f8092e 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -152,6 +152,7 @@ persistence: + # storageClass: "" + path: /data + annotations: {} ++ # subPath: "" # only mount a subpath of the Volume into the pod + + # If hostNetwork is true, runs traefik in the host network namespace + # To prevent unschedulabel pods due to port collisions, if hostNetwork=true +``` + +## 8.0.2 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-10 + +* Ability to add custom labels to dashboard's IngressRoute + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 5d294b7..152339b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -21,6 +21,8 @@ ingressRoute: + enabled: true + # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} ++ # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) ++ labels: {} + + rollingUpdate: + maxUnavailable: 1 +``` + +## 8.0.1 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-10 + +* rbac does not need "pods" per documentation + + +## 8.0.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-07 + +* follow helm best practices + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e61a9fd..5d294b7 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -10,7 +10,7 @@ deployment: + enabled: true + # Number of pods of the deployment + replicas: 1 +- # Addtional deployment annotations (e.g. for jaeger-operator sidecar injection) ++ # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} +@@ -19,7 +19,7 @@ deployment: + ingressRoute: + dashboard: + enabled: true +- # Addtional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) ++ # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} + + rollingUpdate: +``` + +## 7.2.1 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-07 + +* add annotations to ingressRoute + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 15d1c25..e61a9fd 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -19,6 +19,8 @@ deployment: + ingressRoute: + dashboard: + enabled: true ++ # Addtional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) ++ annotations: {} + + rollingUpdate: + maxUnavailable: 1 +``` + +## 7.2.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-03 + +* Add support for helm 2 + + +## 7.1.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-31 + +* Add support for externalIPs + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 6d6d13f..15d1c25 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -116,6 +116,8 @@ service: + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 ++ externalIPs: [] ++ # - 1.2.3.4 + + ## Create HorizontalPodAutoscaler object. + ## +``` + +## 7.0.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-27 + +* Remove secretsEnv value key + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 1ac720d..6d6d13f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -52,18 +52,20 @@ globalArguments: + additionalArguments: [] + # - "--providers.kubernetesingress" + +-# Secret to be set as environment variables to be passed to Traefik's binary +-secretEnv: [] +- # - name: SOME_VAR +- # secretName: my-secret-name +- # secretKey: my-secret-key +- + # Environment variables to be passed to Traefik's binary + env: [] +- # - name: SOME_VAR +- # value: some-var-value +- # - name: SOME_OTHER_VAR +- # value: some-other-var-value ++# - name: SOME_VAR ++# value: some-var-value ++# - name: SOME_VAR_FROM_CONFIG_MAP ++# valueFrom: ++# configMapRef: ++# name: configmap-name ++# key: config-key ++# - name: SOME_SECRET ++# valueFrom: ++# secretKeyRef: ++# name: secret-name ++# key: secret-key + + # Configure ports + ports: +``` + +## 6.4.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-27 + +* Add ability to set serviceAccount annotations + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 85abe42..1ac720d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -151,6 +151,9 @@ persistence: + # affinity is left as default. + hostNetwork: false + ++# Additional serviceAccount annotations (e.g. for oidc authentication) ++serviceAccountAnnotations: {} ++ + resources: {} + # requests: + # cpu: "100m" +``` + +## 6.3.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-27 + +* hpa + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2f5d132..85abe42 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -115,6 +115,22 @@ service: + # - 192.168.0.1/32 + # - 172.16.0.0/16 + ++## Create HorizontalPodAutoscaler object. ++## ++autoscaling: ++ enabled: false ++# minReplicas: 1 ++# maxReplicas: 10 ++# metrics: ++# - type: Resource ++# resource: ++# name: cpu ++# targetAverageUtilization: 60 ++# - type: Resource ++# resource: ++# name: memory ++# targetAverageUtilization: 60 ++ + # Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + # After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +``` + +## 6.2.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-26 + +* Update to v2.2 (#96) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ebd2fde..2f5d132 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.1.8 ++ tag: 2.2.0 + + # + # Configure the deployment +``` + +## 6.1.2 ![AppVersion: 2.1.8](https://img.shields.io/static/v1?label=AppVersion&message=2.1.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-20 + +* Upgrade traefik version + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 65c7665..ebd2fde 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.1.4 ++ tag: 2.1.8 + + # + # Configure the deployment +``` + +## 6.1.1 ![AppVersion: 2.1.4](https://img.shields.io/static/v1?label=AppVersion&message=2.1.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-20 + +* Upgrade traefik version + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 89c7ac1..65c7665 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.1.3 ++ tag: 2.1.4 + + # + # Configure the deployment +``` + +## 6.1.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-20 + +* Add ability to add annotations to deployment + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8d66111..89c7ac1 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -10,6 +10,8 @@ deployment: + enabled: true + # Number of pods of the deployment + replicas: 1 ++ # Addtional deployment annotations (e.g. for jaeger-operator sidecar injection) ++ annotations: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + +``` + +## 6.0.2 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-16 + +* Correct storage class key name + + +## 6.0.1 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-16 + +* Change default values of arrays from objects to actual arrays + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 490b2b6..8d66111 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -51,13 +51,13 @@ additionalArguments: [] + # - "--providers.kubernetesingress" + + # Secret to be set as environment variables to be passed to Traefik's binary +-secretEnv: {} ++secretEnv: [] + # - name: SOME_VAR + # secretName: my-secret-name + # secretKey: my-secret-key + + # Environment variables to be passed to Traefik's binary +-env: {} ++env: [] + # - name: SOME_VAR + # value: some-var-value + # - name: SOME_OTHER_VAR +@@ -109,7 +109,7 @@ service: + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" +- loadBalancerSourceRanges: {} ++ loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 + +``` + +## 6.0.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-15 + +* Cleanup + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7aebefe..490b2b6 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -18,15 +18,10 @@ ingressRoute: + dashboard: + enabled: true + +-additional: +- checkNewVersion: true +- sendAnonymousUsage: true +- + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + +- + # + # Add volumes to the traefik pod. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. +@@ -43,9 +38,14 @@ volumes: [] + # mountPath: "/config" + # type: configMap + ++globalArguments: ++ - "--global.checknewversion" ++ - "--global.sendanonymoususage" ++ + # +-# Configure Traefik entry points ++# Configure Traefik static configuration + # Additional arguments to be passed at Traefik's binary ++# All available options available on https://docs.traefik.io/reference/static-configuration/cli/ + ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--global.checknewversion=true}"` + additionalArguments: [] + # - "--providers.kubernetesingress" +@@ -63,7 +63,7 @@ env: {} + # - name: SOME_OTHER_VAR + # value: some-other-var-value + +-# ++# Configure ports + ports: + # The name of this one can't be changed as it is used for the readiness and + # liveness probes, but you can adjust its config to your liking +@@ -94,7 +94,7 @@ ports: + # hostPort: 8443 + expose: true + exposedPort: 443 +- # nodePort: 32443 ++ # nodePort: 32443 + + # Options for the main traefik service, where the entrypoints traffic comes + # from. +@@ -113,9 +113,6 @@ service: + # - 192.168.0.1/32 + # - 172.16.0.0/16 + +-logs: +- loglevel: WARN +- + # Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + # After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +``` + +## 5.6.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-12 + +* Add field enabled for resources + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 38bb263..7aebefe 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -7,11 +7,17 @@ image: + # Configure the deployment + # + deployment: ++ enabled: true + # Number of pods of the deployment + replicas: 1 + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + ++# Create an IngressRoute for the dashboard ++ingressRoute: ++ dashboard: ++ enabled: true ++ + additional: + checkNewVersion: true + sendAnonymousUsage: true +@@ -93,6 +99,7 @@ ports: + # Options for the main traefik service, where the entrypoints traffic comes + # from. + service: ++ enabled: true + type: LoadBalancer + # Additional annotations (e.g. for cloud provider specific config) + annotations: {} +``` + +## 5.5.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-12 + +* expose hostnetwork option + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ecb2833..38bb263 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -123,6 +123,12 @@ persistence: + path: /data + annotations: {} + ++# If hostNetwork is true, runs traefik in the host network namespace ++# To prevent unschedulabel pods due to port collisions, if hostNetwork=true ++# and replicas>1, a pod anti-affinity is recommended and will be set if the ++# affinity is left as default. ++hostNetwork: false ++ + resources: {} + # requests: + # cpu: "100m" +@@ -131,5 +137,17 @@ resources: {} + # cpu: "300m" + # memory: "150Mi" + affinity: {} ++# # This example pod anti-affinity forces the scheduler to put traefik pods ++# # on nodes where no other traefik pods are scheduled. ++# # It should be used when hostNetwork: true to prevent port conflicts ++# podAntiAffinity: ++# requiredDuringSchedulingIgnoredDuringExecution: ++# - labelSelector: ++# matchExpressions: ++# - key: app ++# operator: In ++# values: ++# - {{ template "traefik.name" . }} ++# topologyKey: failure-domain.beta.kubernetes.io/zone + nodeSelector: {} + tolerations: [] +``` + +## 5.4.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-12 + +* Add support for hostport + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ec1d619..ecb2833 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -63,6 +63,9 @@ ports: + # liveness probes, but you can adjust its config to your liking + traefik: + port: 9000 ++ # Use hostPort if set. ++ # hostPort: 9000 ++ + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +@@ -74,6 +77,7 @@ ports: + exposedPort: 9000 + web: + port: 8000 ++ # hostPort: 8000 + expose: true + exposedPort: 80 + # Use nodeport if set. This is useful if you have configured Traefik in a +@@ -81,6 +85,7 @@ ports: + # nodePort: 32080 + websecure: + port: 8443 ++ # hostPort: 8443 + expose: true + exposedPort: 443 + # nodePort: 32443 +``` + +## 5.3.3 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-12 + +* Fix replica check + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7f31548..ec1d619 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -40,7 +40,7 @@ volumes: [] + # + # Configure Traefik entry points + # Additional arguments to be passed at Traefik's binary +-## Use curly braces to pass values: `helm install --set="{--providers.kubernetesingress,--global.checknewversion=true}" ." ++## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--global.checknewversion=true}"` + additionalArguments: [] + # - "--providers.kubernetesingress" + +``` + +## 5.3.2 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-11 + +* Fixed typo in README + + +## 5.3.1 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-11 + +* Production ready + + +## 5.3.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-11 + +* Not authorise acme if replica > 1 + + +## 5.2.1 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-11 + +* Fix volume mount + + +## 5.2.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-11 + +* Add secret as env var + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ccea845..7f31548 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -44,12 +44,18 @@ volumes: [] + additionalArguments: [] + # - "--providers.kubernetesingress" + ++# Secret to be set as environment variables to be passed to Traefik's binary ++secretEnv: {} ++ # - name: SOME_VAR ++ # secretName: my-secret-name ++ # secretKey: my-secret-key ++ + # Environment variables to be passed to Traefik's binary + env: {} +-# - name: SOME_VAR +-# value: some-var-value +-# - name: SOME_OTHER_VAR +-# value: some-other-var-value ++ # - name: SOME_VAR ++ # value: some-var-value ++ # - name: SOME_OTHER_VAR ++ # value: some-other-var-value + + # + ports: +``` + +## 5.1.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Enhance security by add loadBalancerSourceRanges to lockdown ip address. + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 78bbee0..ccea845 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -91,6 +91,9 @@ service: + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" ++ loadBalancerSourceRanges: {} ++ # - 192.168.0.1/32 ++ # - 172.16.0.0/16 + + logs: + loglevel: WARN +``` + +## 5.0.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Expose dashboard by default but only on traefik entrypoint + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a442fca..78bbee0 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -92,15 +92,6 @@ service: + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + +-dashboard: +- # Enable the dashboard on Traefik +- enable: true +- +- # Expose the dashboard and api through an ingress route at /dashboard +- # and /api This is not secure and SHOULD NOT be enabled on production +- # deployments +- ingressRoute: false +- + logs: + loglevel: WARN + +``` + +## 4.1.3 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Add annotations for PVC (#98) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8b2f4db..a442fca 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -116,6 +116,7 @@ persistence: + size: 128Mi + # storageClass: "" + path: /data ++ annotations: {} + + resources: {} + # requests: +``` + +## 4.1.2 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Added persistent volume support. (#86) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2a2554f..8b2f4db 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -103,7 +103,20 @@ dashboard: + + logs: + loglevel: WARN +-# ++ ++# Enable persistence using Persistent Volume Claims ++# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ++# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: ++# additionalArguments: ++# - "--certificatesresolvers.le.acme.storage=/data/acme.json" ++# It will persist TLS certificates. ++persistence: ++ enabled: false ++ accessMode: ReadWriteOnce ++ size: 128Mi ++ # storageClass: "" ++ path: /data ++ + resources: {} + # requests: + # cpu: "100m" +``` + +## 4.1.1 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Add values to mount secrets or configmaps as volumes to the traefik pod (#84) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 5401832..2a2554f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -20,6 +20,23 @@ rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + ++ ++# ++# Add volumes to the traefik pod. ++# This can be used to mount a cert pair or a configmap that holds a config.toml file. ++# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: ++# additionalArguments: ++# - "--providers.file.filename=/config/dynamic.toml" ++# - "--tls.certificates.certFile=/certs/tls.crt" ++# - "--tls.certificates.keyFile=/certs/tls.key" ++volumes: [] ++# - name: public-cert ++# mountPath: "/certs" ++# type: secret ++# - name: configs ++# mountPath: "/config" ++# type: configMap ++ + # + # Configure Traefik entry points + # Additional arguments to be passed at Traefik's binary +``` + +## 4.1.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Add podAnnotations to the deployment (#83) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 5eab74b..5401832 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -9,6 +9,8 @@ image: + deployment: + # Number of pods of the deployment + replicas: 1 ++ # Additional pod annotations (e.g. for mesh injection or prometheus scraping) ++ podAnnotations: {} + + additional: + checkNewVersion: true +``` + +## 4.0.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-06 + +* Migrate to helm v3 (#94) + + +## 3.5.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-02-18 + +* Publish helm chart (#81) + + +## 3.4.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-02-13 + +* fix: tests. +* feat: bump traefik to v2.1.3 +* Enable configuration of global checknewversion and sendanonymoususage (#80) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index bcc42f8..5eab74b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.1.1 ++ tag: 2.1.3 + + # + # Configure the deployment +@@ -10,6 +10,10 @@ deployment: + # Number of pods of the deployment + replicas: 1 + ++additional: ++ checkNewVersion: true ++ sendAnonymousUsage: true ++ + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 +``` + +## 3.3.3 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-02-05 + +* fix: deployment environment variables. +* fix: chart version. + + +## 3.3.2 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-02-03 + +* ix: deployment environment variables. + + +## 3.3.1 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-01-27 + +* fix: deployment environment variables. + + +## 3.3.0 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-01-24 + +* Enable configuration of environment variables in traefik deployment (#71) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4462359..bcc42f8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -21,6 +21,13 @@ rollingUpdate: + additionalArguments: [] + # - "--providers.kubernetesingress" + ++# Environment variables to be passed to Traefik's binary ++env: {} ++# - name: SOME_VAR ++# value: some-var-value ++# - name: SOME_OTHER_VAR ++# value: some-other-var-value ++ + # + ports: + # The name of this one can't be changed as it is used for the readiness and +``` + +## 3.2.1 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-01-22 + +* Add Unit Tests for the chart (#60) + + +## 3.2.0 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-01-22 + +* Make NodePort configurable (#67) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b1fe42a..4462359 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -40,10 +40,14 @@ ports: + port: 8000 + expose: true + exposedPort: 80 ++ # Use nodeport if set. This is useful if you have configured Traefik in a ++ # LoadBalancer ++ # nodePort: 32080 + websecure: + port: 8443 + expose: true + exposedPort: 443 ++ # nodePort: 32443 + + # Options for the main traefik service, where the entrypoints traffic comes + # from. +``` + +## 3.1.0 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-01-20 + +* Switch Chart linting to ct (#59) + +### Default value changes + +```diff +# Default values for Traefik +image: + name: traefik + tag: 2.1.1 + +# +# Configure the deployment +# +deployment: + # Number of pods of the deployment + replicas: 1 + +rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + +# +# Configure Traefik entry points +# Additional arguments to be passed at Traefik's binary +## Use curly braces to pass values: `helm install --set="{--providers.kubernetesingress,--global.checknewversion=true}" ." +additionalArguments: [] +# - "--providers.kubernetesingress" + +# +ports: + # The name of this one can't be changed as it is used for the readiness and + # liveness probes, but you can adjust its config to your liking + traefik: + port: 9000 + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl proxy` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9000 + web: + port: 8000 + expose: true + exposedPort: 80 + websecure: + port: 8443 + expose: true + exposedPort: 443 + +# Options for the main traefik service, where the entrypoints traffic comes +# from. +service: + type: LoadBalancer + # Additional annotations (e.g. for cloud provider specific config) + annotations: {} + # Additional entries here will be added to the service spec. Cannot contains + # type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + +dashboard: + # Enable the dashboard on Traefik + enable: true + + # Expose the dashboard and api through an ingress route at /dashboard + # and /api This is not secure and SHOULD NOT be enabled on production + # deployments + ingressRoute: false + +logs: + loglevel: WARN +# +resources: {} + # requests: + # cpu: "100m" + # memory: "50Mi" + # limits: + # cpu: "300m" + # memory: "150Mi" +affinity: {} +nodeSelector: {} +tolerations: [] +``` + +--- +Autogenerated from Helm Chart and git history using [helm-changelog](https://github.com/mogensen/helm-changelog) diff --git a/charts/traefik/traefik/32.1.1/Chart.yaml b/charts/traefik/traefik/32.1.1/Chart.yaml new file mode 100644 index 000000000..7b5d57abe --- /dev/null +++ b/charts/traefik/traefik/32.1.1/Chart.yaml @@ -0,0 +1,32 @@ +annotations: + artifacthub.io/changes: "- \"fix(schema): \U0001F41B targetPort can also be a string\"\n- + \"feat(deps): update traefik docker tag to v3.1.6\"\n- \"chore(release): \U0001F680 + publish v32.1.1\"\n- \"Update topology spread constraints comments\"\n" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Traefik Proxy + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: traefik +apiVersion: v2 +appVersion: v3.1.6 +description: A Traefik based Kubernetes ingress controller +home: https://traefik.io/ +icon: file://assets/icons/traefik.png +keywords: +- traefik +- ingress +- networking +kubeVersion: '>=1.22.0-0' +maintainers: +- email: michel.loiseleur@traefik.io + name: mloiseleur +- email: charlie.haley@traefik.io + name: charlie-haley +- email: remi.buisson@traefik.io + name: darkweaver87 +- name: jnoordsij +name: traefik +sources: +- https://github.com/traefik/traefik +- https://github.com/traefik/traefik-helm-chart +type: application +version: 32.1.1 diff --git a/charts/traefik/traefik/32.1.1/EXAMPLES.md b/charts/traefik/traefik/32.1.1/EXAMPLES.md new file mode 100644 index 000000000..9fb939d96 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/EXAMPLES.md @@ -0,0 +1,1007 @@ +# Install as a DaemonSet + +Default install is using a `Deployment` but it's possible to use `DaemonSet` + +```yaml +deployment: + kind: DaemonSet +``` + +# Configure traefik Pod parameters + +## Extending /etc/hosts records + +In some specific cases, you'll need to add extra records to the `/etc/hosts` file for the Traefik containers. +You can configure it using [hostAliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/): + +```yaml +deployment: + hostAliases: + - ip: "127.0.0.1" # this is an example + hostnames: + - "foo.local" + - "bar.local" +``` +## Extending DNS config + +In order to configure additional DNS servers for your traefik pod, you can use `dnsConfig` option: + +```yaml +deployment: + dnsConfig: + nameservers: + - 192.0.2.1 # this is an example + searches: + - ns1.svc.cluster-domain.example + - my.dns.search.suffix + options: + - name: ndots + value: "2" + - name: edns0 +``` + +# Install in a dedicated namespace, with limited RBAC + +Default install is using Cluster-wide RBAC but it can be restricted to target namespace. + +```yaml +rbac: + namespaced: true +``` + +# Install with auto-scaling + +When enabling [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) +to adjust replicas count according to CPU Usage, you'll need to set resources and nullify replicas. + +```yaml +deployment: + replicas: null +resources: + requests: + cpu: "100m" + memory: "50Mi" + limits: + cpu: "300m" + memory: "150Mi" +autoscaling: + enabled: true + maxReplicas: 2 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 +``` + +# Access Traefik dashboard without exposing it + +This Chart does not expose the Traefik local dashboard by default. It's explained in upstream [documentation](https://doc.traefik.io/traefik/operations/api/) why: + +> Enabling the API in production is not recommended, because it will expose all configuration elements, including sensitive data. + +It says also: + +> In production, it should be at least secured by authentication and authorizations. + +Thus, there are multiple ways to expose the dashboard. For instance, after enabling the creation of dashboard `IngressRoute` in the values: + +```yaml +ingressRoute: + dashboard: + enabled: true +``` + +The traefik admin port can be forwarded locally: + +```bash +kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000 +``` + +This command makes the dashboard accessible on the url: http://127.0.0.1:9000/dashboard/ + +# Publish and protect Traefik Dashboard with basic Auth + +To expose the dashboard in a secure way as [recommended](https://doc.traefik.io/traefik/operations/dashboard/#dashboard-router-rule) +in the documentation, it may be useful to override the router rule to specify +a domain to match, or accept requests on the root path (/) in order to redirect +them to /dashboard/. + +```yaml +# Create an IngressRoute for the dashboard +ingressRoute: + dashboard: + enabled: true + # Custom match rule with host domain + matchRule: Host(`traefik-dashboard.example.com`) + entryPoints: ["websecure"] + # Add custom middlewares : authentication and redirection + middlewares: + - name: traefik-dashboard-auth + +# Create the custom middlewares used by the IngressRoute dashboard (can also be created in another way). +# /!\ Yes, you need to replace "changeme" password with a better one. /!\ +extraObjects: + - apiVersion: v1 + kind: Secret + metadata: + name: traefik-dashboard-auth-secret + type: kubernetes.io/basic-auth + stringData: + username: admin + password: changeme + + - apiVersion: traefik.io/v1alpha1 + kind: Middleware + metadata: + name: traefik-dashboard-auth + spec: + basicAuth: + secret: traefik-dashboard-auth-secret +``` + +# Publish and protect Traefik Dashboard with an Ingress + +To expose the dashboard without IngressRoute, it's more complicated and less +secure. You'll need to create an internal Service exposing Traefik API with +special _traefik_ entrypoint. This internal Service can be created from an other tool, with the `extraObjects` section or using [custom services](#add-custom-internal-services). + +You'll need to double check: +1. Service selector with your setup. +2. Middleware annotation on the ingress, _default_ should be replaced with traefik's namespace + +```yaml +ingressRoute: + dashboard: + enabled: false +additionalArguments: +- "--api.insecure=true" +# Create the service, middleware and Ingress used to expose the dashboard (can also be created in another way). +# /!\ Yes, you need to replace "changeme" password with a better one. /!\ +extraObjects: + - apiVersion: v1 + kind: Service + metadata: + name: traefik-api + spec: + type: ClusterIP + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik-default + ports: + - port: 8080 + name: traefik + targetPort: 9000 + protocol: TCP + + - apiVersion: v1 + kind: Secret + metadata: + name: traefik-dashboard-auth-secret + type: kubernetes.io/basic-auth + stringData: + username: admin + password: changeme + + - apiVersion: traefik.io/v1alpha1 + kind: Middleware + metadata: + name: traefik-dashboard-auth + spec: + basicAuth: + secret: traefik-dashboard-auth-secret + + - apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: traefik-dashboard + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.middlewares: default-traefik-dashboard-auth@kubernetescrd + spec: + rules: + - host: traefik-dashboard.example.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: traefik-api + port: + name: traefik +``` + + +# Install on AWS + +It can use [native AWS support](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support) on Kubernetes + +```yaml +service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: nlb +``` + +Or if [AWS LB controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations/#legacy-cloud-provider) is installed : +```yaml +service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: nlb-ip +``` + +# Install on GCP + +A [regional IP with a Service](https://cloud.google.com/kubernetes-engine/docs/tutorials/configuring-domain-name-static-ip#use_a_service) can be used +```yaml +service: + spec: + loadBalancerIP: "1.2.3.4" +``` + +Or a [global IP on Ingress](https://cloud.google.com/kubernetes-engine/docs/tutorials/configuring-domain-name-static-ip#use_an_ingress) +```yaml +service: + type: NodePort +extraObjects: + - apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: traefik + annotations: + kubernetes.io/ingress.global-static-ip-name: "myGlobalIpName" + spec: + defaultBackend: + service: + name: traefik + port: + number: 80 +``` + +Or a [global IP on a Gateway](https://cloud.google.com/kubernetes-engine/docs/how-to/deploying-gateways) with continuous HTTPS encryption. + +```yaml +ports: + websecure: + appProtocol: HTTPS # Hint for Google L7 load balancer +service: + type: ClusterIP +extraObjects: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + name: traefik + annotations: + networking.gke.io/certmap: "myCertificateMap" + spec: + gatewayClassName: gke-l7-global-external-managed + addresses: + - type: NamedAddress + value: "myGlobalIPName" + listeners: + - name: https + protocol: HTTPS + port: 443 +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: HTTPRoute + metadata: + name: traefik + spec: + parentRefs: + - kind: Gateway + name: traefik + rules: + - backendRefs: + - name: traefik + port: 443 +- apiVersion: networking.gke.io/v1 + kind: HealthCheckPolicy + metadata: + name: traefik + spec: + default: + config: + type: HTTP + httpHealthCheck: + port: 9000 + requestPath: /ping + targetRef: + group: "" + kind: Service + name: traefik +``` + +# Install on Azure + +A [static IP on a resource group](https://learn.microsoft.com/en-us/azure/aks/static-ip) can be used: + +```yaml +service: + spec: + loadBalancerIP: "1.2.3.4" + annotations: + service.beta.kubernetes.io/azure-load-balancer-resource-group: myResourceGroup +``` + +Here is a more complete example, using also native Let's encrypt feature of Traefik Proxy with Azure DNS: + +```yaml +persistence: + enabled: true + size: 128Mi +certResolvers: + letsencrypt: + email: "{{ letsencrypt_email }}" + #caServer: https://acme-v02.api.letsencrypt.org/directory # Production server + caServer: https://acme-staging-v02.api.letsencrypt.org/directory # Staging server + dnsChallenge: + provider: azuredns + storage: /data/acme.json +env: + - name: AZURE_CLIENT_ID + value: "{{ azure_dns_challenge_application_id }}" + - name: AZURE_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: azuredns-secret + key: client-secret + - name: AZURE_SUBSCRIPTION_ID + value: "{{ azure_subscription_id }}" + - name: AZURE_TENANT_ID + value: "{{ azure_tenant_id }}" + - name: AZURE_RESOURCE_GROUP + value: "{{ azure_resource_group }}" +deployment: + initContainers: + - name: volume-permissions + image: busybox:latest + command: ["sh", "-c", "ls -la /; touch /data/acme.json; chmod -v 600 /data/acme.json"] + volumeMounts: + - mountPath: /data + name: data +podSecurityContext: + fsGroup: 65532 + fsGroupChangePolicy: "OnRootMismatch" +service: + spec: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/azure-load-balancer-resource-group: "{{ azure_node_resource_group }}" + service.beta.kubernetes.io/azure-pip-name: "{{ azure_resource_group }}" + service.beta.kubernetes.io/azure-dns-label-name: "{{ azure_resource_group }}" + service.beta.kubernetes.io/azure-allowed-ip-ranges: "{{ ip_range | join(',') }}" +extraObjects: + - apiVersion: v1 + kind: Secret + metadata: + name: azuredns-secret + namespace: traefik + type: Opaque + stringData: + client-secret: "{{ azure_dns_challenge_application_secret }}" +``` + +# Use an IngressClass + +Default install comes with an `IngressClass` resource that can be enabled on providers. + +Here's how one can enable it on CRD & Ingress Kubernetes provider: + +```yaml +ingressClass: + name: traefik +providers: + kubernetesCRD: + ingressClass: traefik + kubernetesIngress: + ingressClass: traefik +``` + +# Use HTTP3 + +By default, it will use a Load balancers with mixed protocols on `websecure` +entrypoint. They are available since v1.20 and in beta as of Kubernetes v1.24. +Availability may depend on your Kubernetes provider. + +When using TCP and UDP with a single service, you may encounter [this issue](https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741) from Kubernetes. +If you want to avoid this issue, you can set `ports.websecure.http3.advertisedPort` +to an other value than 443 + +```yaml +ports: + websecure: + http3: + enabled: true +``` + +You can also create two `Service`, one for TCP and one for UDP: + +```yaml +ports: + websecure: + http3: + enabled: true +service: + single: false +``` + +# Use PROXY protocol on Digital Ocean + +PROXY protocol is a protocol for sending client connection information, such as origin IP addresses and port numbers, to the final backend server, rather than discarding it at the load balancer. + +```yaml +.DOTrustedIPs: &DOTrustedIPs + - 127.0.0.1/32 + - 10.120.0.0/16 + +service: + enabled: true + type: LoadBalancer + annotations: + # This will tell DigitalOcean to enable the proxy protocol. + service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true" + spec: + # This is the default and should stay as cluster to keep the DO health checks working. + externalTrafficPolicy: Cluster + +ports: + web: + forwardedHeaders: + trustedIPs: *DOTrustedIPs + proxyProtocol: + trustedIPs: *DOTrustedIPs + websecure: + forwardedHeaders: + trustedIPs: *DOTrustedIPs + proxyProtocol: + trustedIPs: *DOTrustedIPs +``` + +# Enable plugin storage + +This chart follows common security practices: it runs as non root with a readonly root filesystem. +When enabling a plugin which needs storage, you have to add it to the deployment. + +Here is a simple example with crowdsec. You may want to replace with your plugin or see complete exemple on crowdsec [here](https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/examples/kubernetes/README.md). + +```yaml +deployment: + additionalVolumes: + - name: plugins +additionalVolumeMounts: +- name: plugins + mountPath: /plugins-storage +additionalArguments: +- "--experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin" +- "--experimental.plugins.bouncer.version=v1.1.9" +``` + +# Use Traefik native Let's Encrypt integration, without cert-manager + +In Traefik Proxy, ACME certificates are stored in a JSON file. + +This file needs to have 0600 permissions, meaning, only the owner of the file has full read and write access to it. +By default, Kubernetes recursively changes ownership and permissions for the content of each volume. + +=> An initContainer can be used to avoid an issue on this sensitive file. +See [#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details. + +Once the provider is ready, it can be used in an `IngressRoute`: + +```yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: [...] +spec: + entryPoints: [...] + routes: [...] + tls: + certResolver: letsencrypt +``` + +:information_source: Change `apiVersion` to `traefik.containo.us/v1alpha1` for charts prior to v28.0.0 + +See [the list of supported providers](https://doc.traefik.io/traefik/https/acme/#providers) for others. + +## Example with CloudFlare + +This example needs a CloudFlare token in a Kubernetes `Secret` and a working `StorageClass`. + +**Step 1**: Create `Secret` with CloudFlare token: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: cloudflare +type: Opaque +stringData: + token: {{ SET_A_VALID_TOKEN_HERE }} +``` + +**Step 2**: + +```yaml +persistence: + enabled: true + storageClass: xxx +certResolvers: + letsencrypt: + dnsChallenge: + provider: cloudflare + storage: /data/acme.json +env: + - name: CF_DNS_API_TOKEN + valueFrom: + secretKeyRef: + name: cloudflare + key: token +deployment: + initContainers: + - name: volume-permissions + image: busybox:latest + command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] + volumeMounts: + - mountPath: /data + name: data +podSecurityContext: + fsGroup: 65532 + fsGroupChangePolicy: "OnRootMismatch" +``` + +# Provide default certificate with cert-manager and CloudFlare DNS + +Setup: + +* cert-manager installed in `cert-manager` namespace +* A cloudflare account on a DNS Zone + +**Step 1**: Create `Secret` and `Issuer` needed by `cert-manager` with your API Token. +See [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/) +for creating this token with needed rights: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: cloudflare + namespace: traefik +type: Opaque +stringData: + api-token: XXX +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: cloudflare + namespace: traefik +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: email@example.com + privateKeySecretRef: + name: cloudflare-key + solvers: + - dns01: + cloudflare: + apiTokenSecretRef: + name: cloudflare + key: api-token +``` + +**Step 2**: Create `Certificate` in traefik namespace + +```yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-example-com + namespace: traefik +spec: + secretName: wildcard-example-com-tls + dnsNames: + - "example.com" + - "*.example.com" + issuerRef: + name: cloudflare + kind: Issuer +``` + +**Step 3**: Check that it's ready + +```bash +kubectl get certificate -n traefik +``` + +If needed, logs of cert-manager pod can give you more information + +**Step 4**: Use it on the TLS Store in **values.yaml** file for this Helm Chart + +```yaml +tlsStore: + default: + defaultCertificate: + secretName: wildcard-example-com-tls +``` + +**Step 5**: Enjoy. All your `IngressRoute` use this certificate by default now. + +They should use websecure entrypoint like this: + +```yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: example-com-tls +spec: + entryPoints: + - websecure + routes: + - match: Host(`test.example.com`) + kind: Rule + services: + - name: XXXX + port: 80 +``` + +# Add custom (internal) services + +In some cases you might want to have more than one Traefik service within your cluster, +e.g. a default (external) one and a service that is only exposed internally to pods within your cluster. + +The `service.additionalServices` allows you to add an arbitrary amount of services, +provided as a name to service details mapping; for example you can use the following values: + +```yaml +service: + additionalServices: + internal: + type: ClusterIP + labels: + traefik-service-label: internal +``` + +Ports can then be exposed on this service by using the port name to boolean mapping `expose` on the respective port; +e.g. to expose the `traefik` API port on your internal service so pods within your cluster can use it, you can do: + +```yaml +ports: + traefik: + expose: + # Sensitive data should not be exposed on the internet + # => Keep this disabled ! + default: false + internal: true +``` + +This will then provide an additional Service manifest, looking like this: + +```yaml +--- +# Source: traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: traefik-internal + namespace: traefik +[...] +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik-traefik + ports: + - port: 9000 + name: "traefik" + targetPort: traefik + protocol: TCP +``` + +# Use this Chart as a dependency of your own chart + + +First, let's create a default Helm Chart, with Traefik as a dependency. +```bash +helm create foo +cd foo +echo " +dependencies: + - name: traefik + version: "24.0.0" + repository: "https://traefik.github.io/charts" +" >> Chart.yaml +``` + +Second, let's tune some values like enabling HPA: + +```bash +cat <<-EOF >> values.yaml +traefik: + autoscaling: + enabled: true + maxReplicas: 3 +EOF +``` + +Third, one can see if it works as expected: +```bash +helm dependency update +helm dependency build +helm template . | grep -A 14 -B 3 Horizontal +``` + +It should produce this output: + +```yaml +--- +# Source: foo/charts/traefik/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: release-name-traefik + namespace: flux-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-flux-system + helm.sh/chart: traefik-24.0.0 + app.kubernetes.io/managed-by: Helm +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: release-name-traefik + maxReplicas: 3 +``` + +# Configure TLS + +The [TLS options](https://doc.traefik.io/traefik/https/tls/#tls-options) allow one to configure some parameters of the TLS connection. + +```yaml +tlsOptions: + default: + labels: {} + sniStrict: true + custom-options: + labels: {} + curvePreferences: + - CurveP521 + - CurveP384 +``` + +# Use latest build of Traefik v3 from master + +An experimental build of Traefik Proxy is available on a specific repository. + +It can be used with those _values_: + +```yaml +image: + repository: traefik/traefik + tag: experimental-v3.0 +``` + +# Use Prometheus Operator + +An optional support of this operator is included in this Chart. See documentation of this operator for more details. + +It can be used with those _values_: + +```yaml +metrics: + prometheus: + service: + enabled: true + disableAPICheck: false + serviceMonitor: + enabled: true + metricRelabelings: + - sourceLabels: [__name__] + separator: ; + regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ + replacement: $1 + action: drop + relabelings: + - sourceLabels: [__meta_kubernetes_pod_node_name] + separator: ; + regex: ^(.*)$ + targetLabel: nodename + replacement: $1 + action: replace + jobLabel: traefik + interval: 30s + honorLabels: true + prometheusRule: + enabled: true + rules: + - alert: TraefikDown + expr: up{job="traefik"} == 0 + for: 5m + labels: + context: traefik + severity: warning + annotations: + summary: "Traefik Down" + description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" +``` + +# Use kubernetes Gateway API + +One can use the new stable kubernetes gateway API provider setting the following _values_: + +```yaml +providers: + kubernetesGateway: + enabled: true +``` + +

+ +With those values, a whoami service can be exposed with a HTTPRoute + +```yaml +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: whoami +spec: + replicas: 2 + selector: + matchLabels: + app: whoami + template: + metadata: + labels: + app: whoami + spec: + containers: + - name: whoami + image: traefik/whoami + +--- +apiVersion: v1 +kind: Service +metadata: + name: whoami +spec: + selector: + app: whoami + ports: + - protocol: TCP + port: 80 + +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: whoami +spec: + parentRefs: + - name: traefik-gateway + hostnames: + - whoami.docker.localhost + rules: + - matches: + - path: + type: Exact + value: / + + backendRefs: + - name: whoami + port: 80 + weight: 1 +``` + +Once it's applied, whoami should be accessible on http://whoami.docker.localhost/ + +
+ +# Use Kubernetes Gateway API with cert-manager + +One can use the new stable kubernetes gateway API provider with automatic TLS certificates delivery (with cert-manager) setting the following _values_: + +```yaml +providers: + kubernetesGateway: + enabled: true +gateway: + enabled: true + annotations: + cert-manager.io/issuer: selfsigned-issuer + listeners: + websecure: + hostname: whoami.docker.localhost + port: 8443 + protocol: HTTPS + certificateRefs: + - name: whoami-tls +``` + +Install cert-manager: + +```bash +helm repo add jetstack https://charts.jetstack.io --force-update +helm upgrade --install \ +cert-manager jetstack/cert-manager \ +--namespace cert-manager \ +--create-namespace \ +--version v1.15.1 \ +--set crds.enabled=true \ +--set "extraArgs={--enable-gateway-api}" +``` + +
+ +With those values, a whoami service can be exposed with HTTPRoute on both HTTP and HTTPS + +```yaml +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: whoami +spec: + replicas: 2 + selector: + matchLabels: + app: whoami + template: + metadata: + labels: + app: whoami + spec: + containers: + - name: whoami + image: traefik/whoami + +--- +apiVersion: v1 +kind: Service +metadata: + name: whoami +spec: + selector: + app: whoami + ports: + - protocol: TCP + port: 80 + +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: whoami +spec: + parentRefs: + - name: traefik-gateway + hostnames: + - whoami.docker.localhost + rules: + - matches: + - path: + type: Exact + value: / + + backendRefs: + - name: whoami + port: 80 + weight: 1 + +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer +spec: + selfSigned: {} +``` + +Once it's applied, whoami should be accessible on https://whoami.docker.localhost/ + +
diff --git a/charts/traefik/traefik/32.1.1/Guidelines.md b/charts/traefik/traefik/32.1.1/Guidelines.md new file mode 100644 index 000000000..3b72a40cd --- /dev/null +++ b/charts/traefik/traefik/32.1.1/Guidelines.md @@ -0,0 +1,34 @@ +# Traefik Helm Chart Guidelines + +This document outlines the guidelines for developing, managing and extending the Traefik helm chart. + +This Helm Chart is documented using field description from comments with [helm-docs](https://github.com/norwoodj/helm-docs). + +It comes with a JSON schema generated from values with [helm schema](https://github.com/losisin/helm-values-schema-json) plugin. + +## Feature Example + +```yaml +logs: + general: + # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) + format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common" +``` + +Documention is on the first comment, starting with `# --` +Specific instructions for schema, when needed, are done with the inline comment starting with `# @schema`. + +## Whitespace + +Extra whitespace is to be avoided in templating. Conditionals should chomp whitespace: + +```yaml +{{- if .Values }} +{{- end }} +``` + +There should be an empty commented line between each primary key in the values.yaml file to separate features from each other. + +## Values YAML Design + +The values.yaml file is designed to be user-friendly. It does not have to resemble the templated configuration if it is not conducive. Similarly, value names to not have to correspond to fields in the template if it is not conducive. diff --git a/charts/traefik/traefik/32.1.1/LICENSE b/charts/traefik/traefik/32.1.1/LICENSE new file mode 100644 index 000000000..907ff8321 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/LICENSE @@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2020 Containous + Copyright 2020 Traefik Labs + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/traefik/traefik/32.1.1/README.md b/charts/traefik/traefik/32.1.1/README.md new file mode 100644 index 000000000..cd963c199 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/README.md @@ -0,0 +1,158 @@ +# Traefik + +[Traefik](https://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy +microservices with ease. + +## Introduction + +Starting with v28.x, this chart now bootstraps Traefik Proxy version 3 as a Kubernetes ingress controller, +using Custom Resources `IngressRoute`: . + +It's possible to use this chart with Traefik Proxy v2 using v27.x +This chart support policy is aligned with [upstream support policy](https://doc.traefik.io/traefik/deprecation/releases/) of Traefik Proxy. + +See [Migration guide from v2 to v3](https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/) and upgrading section of this chart on CRDs. + +### Philosophy + +The Traefik HelmChart is focused on Traefik deployment configuration. + +To keep this HelmChart as generic as possible we tend +to avoid integrating any third party solutions nor any specific use cases. + +Accordingly, the encouraged approach to fulfill your needs: + +1. Override the default Traefik configuration values ([yaml file or cli](https://helm.sh/docs/chart_template_guide/values_files/)) +2. Append your own configurations (`kubectl apply -f myconf.yaml`) + +[Examples](https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md) of common usage are provided. + +If needed, one may use [extraObjects](./traefik/tests/values/extra.yaml) or extend this HelmChart [as a Subchart](https://helm.sh/docs/chart_template_guide/subcharts_and_globals/). + +## Installing + +### Prerequisites + +1. [x] Helm **v3 > 3.9.0** [installed](https://helm.sh/docs/using_helm/#installing-helm): `helm version` +2. [x] Traefik's chart repository: `helm repo add traefik https://traefik.github.io/charts` + +### Kubernetes Version Support + +Due to changes in CRD version support, the following versions of the chart are usable and supported on the following Kubernetes versions: + +| | Kubernetes v1.15 and below | Kubernetes v1.16-v1.21 | Kubernetes v1.22 and above | +|-------------------------|-----------------------------|------------------------|----------------------------| +| Chart v9.20.2 and below | [x] | [x] | | +| Chart v10.0.0 and above | | [x] | [x] | +| Chart v22.0.0 and above | | | [x] | + +### CRDs Support of Traefik Proxy + +Due to changes in API Group of Traefik CRDs from `containo.us` to `traefik.io`, this Chart install CRDs needed by default Traefik Proxy version, following this table: + +| | `containo.us` | `traefik.io` | +|-------------------------|-----------------------------|------------------------| +| Chart v22.0.0 and below | [x] | | +| Chart v23.0.0 and above | [x] | [x] | +| Chart v28.0.0 and above | | [x] | + +### Deploying Traefik + +```bash +helm install traefik traefik/traefik +``` + +or: + +```bash +helm install traefik oci://ghcr.io/traefik/helm/traefik +``` + +You can customize the install with a `values` file. There are some [EXAMPLES](./EXAMPLES.md) provided. +Complete documentation on all available parameters is in the [default file](./traefik/values.yaml). + +```bash +helm install -f myvalues.yaml traefik traefik/traefik +``` + +🛂 **Warning**: Helm v2 support was removed in the chart version 10.0.0. + +## Upgrading + +One can check what has changed in the [Changelog](./traefik/Changelog.md). + +:information_source: With Helm v3, CRDs created by this chart can not be updated, cf. the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions). + +:warning: Please read carefully release notes of this chart before upgrading CRDs. + +```bash +# Update repository +helm repo update +# See current Chart & Traefik version +helm search repo traefik/traefik +# Update CRDs (Traefik Proxy v3 CRDs) +kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/ +# Upgrade Traefik +helm upgrade traefik traefik/traefik +``` + +New major version indicates that there is an incompatible breaking change. + +#### Upgrade up to 27.X + +When upgrading on Traefik Proxy v2 version, one need to stay at Traefik Helm Chart v27.x. The command to upgrade to the latest Traefik Proxy v2 CRD is: + +```bash +kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/?ref=v27 +``` + +### Upgrading after 18.X+ + +It's detailed in [release notes](https://github.com/traefik/traefik-helm-chart/releases). + +### Upgrading from 17.x to 18.x + +Since v18.x, this chart by default merges TCP and UDP ports into a single (LoadBalancer) `Service`. +Load balancers with mixed protocols are available since v1.20 and in +[beta as of Kubernetes v1.24](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancers-with-mixed-protocol-types). +Availability may depend on your Kubernetes provider. + +To retain the old default behavior, set `service.single` to `false` in your values. + +When using TCP and UDP with a single service, you may encounter +[this issue](https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741) +from Kubernetes. + +On HTTP/3, if you want to avoid this issue, you can set +`ports.websecure.http3.advertisedPort` to an other value than `443` + +If you were previously using HTTP/3, you should update your values as follows: + - Replace the old value (`true`) of `ports.websecure.http3` with a key `enabled: true` + - Remove `experimental.http3.enabled=true` entry + +### Upgrading from 16.x to 17.x + +Since v17.x, this chart provides unified labels following +[Kubernetes recommendation](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). + +This version needs to change an immutable field, which is not supported by +Kubernetes and Helm, see [this issue](https://github.com/helm/helm/issues/7350) +for more details. +So you will have to delete your `Service`, `Deployment` or `DaemonSet` in +order to be able to upgrade. + +You may also upgrade by deploying another Traefik to a different namespace and +removing after your first Traefik. + +Alternatively, since version 20.3.0 of this chart, you may set `instanceLabelOverride` to the previous value of that label. +This will override the new `Release.Name-Release.Namespace` pattern to avoid any (longer) downtime. + +## Contributing + +If you want to contribute to this chart, please read the [Contributing Guide](./CONTRIBUTING.md). + +Thanks to all the people who have already contributed! + + + + diff --git a/charts/traefik/traefik/32.1.1/VALUES.md b/charts/traefik/traefik/32.1.1/VALUES.md new file mode 100644 index 000000000..13f52d212 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/VALUES.md @@ -0,0 +1,316 @@ +# traefik + +![Version: 32.1.1](https://img.shields.io/badge/Version-32.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.1.6](https://img.shields.io/badge/AppVersion-v3.1.6-informational?style=flat-square) + +A Traefik based Kubernetes ingress controller + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| mloiseleur | | | +| charlie-haley | | | +| darkweaver87 | | | +| jnoordsij | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=1.22.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalArguments | list | `[]` | Additional arguments to be passed at Traefik's binary See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/) Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` | +| additionalVolumeMounts | list | `[]` | Additional volumeMounts to add to the Traefik container | +| affinity | object | `{}` | on nodes where no other traefik pods are scheduled. It should be used when hostNetwork: true to prevent port conflicts | +| autoscaling.enabled | bool | `false` | Create HorizontalPodAutoscaler object. See EXAMPLES.md for more details. | +| certResolvers | object | `{}` | Certificates resolvers configuration. Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers See EXAMPLES.md for more details. | +| commonLabels | object | `{}` | Add additional label to all resources | +| core.defaultRuleSyntax | string | `""` | Can be used to use globally v2 router syntax See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes | +| deployment.additionalContainers | list | `[]` | Additional containers (e.g. for metric offloading sidecars) | +| deployment.additionalVolumes | list | `[]` | Additional volumes available for use with initContainers and additionalContainers | +| deployment.annotations | object | `{}` | Additional deployment annotations (e.g. for jaeger-operator sidecar injection) | +| deployment.dnsConfig | object | `{}` | Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core) | +| deployment.dnsPolicy | string | `""` | Custom pod DNS policy. Apply if `hostNetwork: true` | +| deployment.enabled | bool | `true` | Enable deployment | +| deployment.healthchecksHost | string | `""` | | +| deployment.healthchecksPort | string | `nil` | | +| deployment.healthchecksScheme | string | `nil` | | +| deployment.hostAliases | list | `[]` | Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) | +| deployment.imagePullSecrets | list | `[]` | Pull secret for fetching traefik container image | +| deployment.initContainers | list | `[]` | Additional initContainers (e.g. for setting file permission as shown below) | +| deployment.kind | string | `"Deployment"` | Deployment or DaemonSet | +| deployment.labels | object | `{}` | Additional deployment labels (e.g. for filtering deployment by custom labels) | +| deployment.lifecycle | object | `{}` | Pod lifecycle actions | +| deployment.livenessPath | string | `""` | Override the liveness path. Default: /ping | +| deployment.minReadySeconds | int | `0` | The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available | +| deployment.podAnnotations | object | `{}` | Additional pod annotations (e.g. for mesh injection or prometheus scraping) It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}' | +| deployment.podLabels | object | `{}` | Additional Pod labels (e.g. for filtering Pod by custom labels) | +| deployment.readinessPath | string | `""` | | +| deployment.replicas | int | `1` | Number of pods of the deployment (only applies when kind == Deployment) | +| deployment.revisionHistoryLimit | string | `nil` | Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) | +| deployment.runtimeClassName | string | `""` | Set a runtimeClassName on pod | +| deployment.shareProcessNamespace | bool | `false` | Use process namespace sharing | +| deployment.terminationGracePeriodSeconds | int | `60` | Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down | +| env | list | See _values.yaml_ | Environment variables to be passed to Traefik's binary | +| envFrom | list | `[]` | Environment variables to be passed to Traefik's binary from configMaps or secrets | +| experimental.kubernetesGateway.enabled | bool | `false` | Enable traefik experimental GatewayClass CRD | +| experimental.plugins | object | `{}` | Enable traefik experimental plugins | +| extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example. | +| gateway.annotations | object | `{}` | Additional gateway annotations (e.g. for cert-manager.io/issuer) | +| gateway.enabled | bool | `true` | When providers.kubernetesGateway.enabled, deploy a default gateway | +| gateway.listeners | object | `{"web":{"hostname":"","namespacePolicy":null,"port":8000,"protocol":"HTTP"}}` | Define listeners | +| gateway.listeners.web.hostname | string | `""` | Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) | +| gateway.listeners.web.namespacePolicy | string | `nil` | Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces | +| gateway.listeners.web.port | int | `8000` | Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. The port must match a port declared in ports section. | +| gateway.name | string | `""` | Set a custom name to gateway | +| gateway.namespace | string | `""` | By default, Gateway is created in the same `Namespace` than Traefik. | +| gatewayClass.enabled | bool | `true` | When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass | +| gatewayClass.labels | object | `{}` | Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels) | +| gatewayClass.name | string | `""` | Set a custom name to GatewayClass | +| globalArguments | list | `["--global.checknewversion","--global.sendanonymoususage"]` | Global command arguments to be passed to all traefik's pods | +| hostNetwork | bool | `false` | If hostNetwork is true, runs traefik in the host network namespace To prevent unschedulabel pods due to port collisions, if hostNetwork=true and replicas>1, a pod anti-affinity is recommended and will be set if the affinity is left as default. | +| hub.apimanagement.admission.listenAddr | string | `""` | WebHook admission server listen address. Default: "0.0.0.0:9943". | +| hub.apimanagement.admission.secretName | string | `""` | Certificate of the WebHook admission server. Default: "hub-agent-cert". | +| hub.apimanagement.enabled | bool | `false` | Set to true in order to enable API Management. Requires a valid license token. | +| hub.redis.cluster | string | `nil` | Enable Redis Cluster. Default: true. | +| hub.redis.database | string | `nil` | Database used to store information. Default: "0". | +| hub.redis.endpoints | string | `""` | Endpoints of the Redis instances to connect to. Default: "". | +| hub.redis.password | string | `""` | The password to use when connecting to Redis endpoints. Default: "". | +| hub.redis.sentinel.masterset | string | `""` | Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". | +| hub.redis.sentinel.password | string | `""` | Password to use for sentinel authentication (can be different from endpoint password). Default: "". | +| hub.redis.sentinel.username | string | `""` | Username to use for sentinel authentication (can be different from endpoint username). Default: "". | +| hub.redis.timeout | string | `""` | Timeout applied on connection with redis. Default: "0s". | +| hub.redis.tls.ca | string | `""` | Path to the certificate authority used for the secured connection. | +| hub.redis.tls.cert | string | `""` | Path to the public certificate used for the secure connection. | +| hub.redis.tls.insecureSkipVerify | bool | `false` | When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. | +| hub.redis.tls.key | string | `""` | Path to the private key used for the secure connection. | +| hub.redis.username | string | `""` | The username to use when connecting to Redis endpoints. Default: "". | +| hub.sendlogs | string | `nil` | | +| hub.token | string | `""` | Name of `Secret` with key 'token' set to a valid license token. It enables API Gateway. | +| image.pullPolicy | string | `"IfNotPresent"` | Traefik image pull policy | +| image.registry | string | `"docker.io"` | Traefik image host registry | +| image.repository | string | `"traefik"` | Traefik image repository | +| image.tag | string | `nil` | defaults to appVersion | +| ingressClass | object | `{"enabled":true,"isDefaultClass":true,"name":""}` | Create a default IngressClass for Traefik | +| ingressRoute.dashboard.annotations | object | `{}` | Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) | +| ingressRoute.dashboard.enabled | bool | `false` | Create an IngressRoute for the dashboard | +| ingressRoute.dashboard.entryPoints | list | `["traefik"]` | Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. /!\ Do not expose your dashboard without any protection over the internet /!\ | +| ingressRoute.dashboard.labels | object | `{}` | Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) | +| ingressRoute.dashboard.matchRule | string | `"PathPrefix(`/dashboard`) || PathPrefix(`/api`)"` | The router match rule used for the dashboard ingressRoute | +| ingressRoute.dashboard.middlewares | list | `[]` | Additional ingressRoute middlewares (e.g. for authentication) | +| ingressRoute.dashboard.services | list | `[{"kind":"TraefikService","name":"api@internal"}]` | The internal service used for the dashboard ingressRoute | +| ingressRoute.dashboard.tls | object | `{}` | TLS options (e.g. secret containing certificate) | +| ingressRoute.healthcheck.annotations | object | `{}` | Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) | +| ingressRoute.healthcheck.enabled | bool | `false` | Create an IngressRoute for the healthcheck probe | +| ingressRoute.healthcheck.entryPoints | list | `["traefik"]` | Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. | +| ingressRoute.healthcheck.labels | object | `{}` | Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) | +| ingressRoute.healthcheck.matchRule | string | `"PathPrefix(`/ping`)"` | The router match rule used for the healthcheck ingressRoute | +| ingressRoute.healthcheck.middlewares | list | `[]` | Additional ingressRoute middlewares (e.g. for authentication) | +| ingressRoute.healthcheck.services | list | `[{"kind":"TraefikService","name":"ping@internal"}]` | The internal service used for the healthcheck ingressRoute | +| ingressRoute.healthcheck.tls | object | `{}` | TLS options (e.g. secret containing certificate) | +| instanceLabelOverride | string | `""` | | +| livenessProbe.failureThreshold | int | `3` | The number of consecutive failures allowed before considering the probe as failed. | +| livenessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. | +| livenessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. | +| livenessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. | +| livenessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. | +| logs.access.addInternals | bool | `false` | Enables accessLogs for internal resources. Default: false. | +| logs.access.bufferingSize | string | `nil` | Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) | +| logs.access.enabled | bool | `false` | To enable access logs | +| logs.access.fields.general.defaultmode | string | `"keep"` | Set default mode for fields.names | +| logs.access.fields.general.names | object | `{}` | Names of the fields to limit. | +| logs.access.fields.headers | object | `{"defaultmode":"drop","names":{}}` | [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers) | +| logs.access.fields.headers.defaultmode | string | `"drop"` | Set default mode for fields.headers | +| logs.access.filters | object | `{}` | Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering) | +| logs.access.format | string | `nil` | Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) | +| logs.access.minduration | string | `""` | | +| logs.access.retryattempts | bool | `false` | | +| logs.access.statuscodes | string | `""` | | +| logs.general.filePath | string | `""` | To write the logs into a log file, use the filePath option. | +| logs.general.format | string | `nil` | Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) | +| logs.general.level | string | `"INFO"` | Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. | +| logs.general.noColor | bool | `false` | When set to true and format is common, it disables the colorized output. | +| metrics.addInternals | bool | `false` | | +| metrics.otlp.addEntryPointsLabels | string | `nil` | Enable metrics on entry points. Default: true | +| metrics.otlp.addRoutersLabels | string | `nil` | Enable metrics on routers. Default: false | +| metrics.otlp.addServicesLabels | string | `nil` | Enable metrics on services. Default: true | +| metrics.otlp.enabled | bool | `false` | Set to true in order to enable the OpenTelemetry metrics | +| metrics.otlp.explicitBoundaries | list | `[]` | Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10] | +| metrics.otlp.grpc.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using gRPC | +| metrics.otlp.grpc.endpoint | string | `""` | Format: ://:. Default: http://localhost:4318/v1/metrics | +| metrics.otlp.grpc.insecure | bool | `false` | Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. | +| metrics.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. | +| metrics.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. | +| metrics.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. | +| metrics.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. | +| metrics.otlp.http.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. | +| metrics.otlp.http.endpoint | string | `""` | Format: ://:. Default: http://localhost:4318/v1/metrics | +| metrics.otlp.http.headers | object | `{}` | Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. | +| metrics.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. | +| metrics.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. | +| metrics.otlp.http.tls.insecureSkipVerify | string | `nil` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. | +| metrics.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. | +| metrics.otlp.pushInterval | string | `""` | Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s | +| metrics.prometheus.addEntryPointsLabels | string | `nil` | | +| metrics.prometheus.addRoutersLabels | string | `nil` | | +| metrics.prometheus.addServicesLabels | string | `nil` | | +| metrics.prometheus.buckets | string | `""` | | +| metrics.prometheus.disableAPICheck | string | `nil` | When set to true, it won't check if Prometheus Operator CRDs are deployed | +| metrics.prometheus.entryPoint | string | `"metrics"` | Entry point used to expose metrics. | +| metrics.prometheus.manualRouting | bool | `false` | | +| metrics.prometheus.prometheusRule.additionalLabels | object | `{}` | | +| metrics.prometheus.prometheusRule.enabled | bool | `false` | Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. | +| metrics.prometheus.prometheusRule.namespace | string | `""` | | +| metrics.prometheus.service.annotations | object | `{}` | | +| metrics.prometheus.service.enabled | bool | `false` | Create a dedicated metrics service to use with ServiceMonitor | +| metrics.prometheus.service.labels | object | `{}` | | +| metrics.prometheus.serviceMonitor.additionalLabels | object | `{}` | | +| metrics.prometheus.serviceMonitor.enableHttp2 | bool | `false` | | +| metrics.prometheus.serviceMonitor.enabled | bool | `false` | Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. | +| metrics.prometheus.serviceMonitor.followRedirects | bool | `false` | | +| metrics.prometheus.serviceMonitor.honorLabels | bool | `false` | | +| metrics.prometheus.serviceMonitor.honorTimestamps | bool | `false` | | +| metrics.prometheus.serviceMonitor.interval | string | `""` | | +| metrics.prometheus.serviceMonitor.jobLabel | string | `""` | | +| metrics.prometheus.serviceMonitor.metricRelabelings | list | `[]` | | +| metrics.prometheus.serviceMonitor.namespace | string | `""` | | +| metrics.prometheus.serviceMonitor.namespaceSelector | object | `{}` | | +| metrics.prometheus.serviceMonitor.relabelings | list | `[]` | | +| metrics.prometheus.serviceMonitor.scrapeTimeout | string | `""` | | +| namespaceOverride | string | `""` | This field override the default Release Namespace for Helm. It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` | +| nodeSelector | object | `{}` | nodeSelector is the simplest recommended form of node selection constraint. | +| persistence.accessMode | string | `"ReadWriteOnce"` | | +| persistence.annotations | object | `{}` | | +| persistence.enabled | bool | `false` | Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ It can be used to store TLS certificates, see `storage` in certResolvers | +| persistence.existingClaim | string | `""` | | +| persistence.name | string | `"data"` | | +| persistence.path | string | `"/data"` | | +| persistence.size | string | `"128Mi"` | | +| persistence.storageClass | string | `""` | | +| persistence.subPath | string | `""` | Only mount a subpath of the Volume into the pod | +| persistence.volumeName | string | `""` | | +| podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":null,"minAvailable":null}` | [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/) | +| podSecurityContext | object | See _values.yaml_ | [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | +| podSecurityPolicy | object | `{"enabled":false}` | Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding | +| ports.metrics.expose | object | `{"default":false}` | You may not want to expose the metrics port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress | +| ports.metrics.exposedPort | int | `9100` | The exposed port for this service | +| ports.metrics.port | int | `9100` | When using hostNetwork, use another port to avoid conflict with node exporter: https://github.com/prometheus/prometheus/wiki/Default-port-allocations | +| ports.metrics.protocol | string | `"TCP"` | The port protocol (TCP/UDP) | +| ports.traefik.expose | object | `{"default":false}` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress | +| ports.traefik.exposedPort | int | `9000` | The exposed port for this service | +| ports.traefik.hostIP | string | `nil` | Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which means it's listening on all your interfaces and all your IPs. You may want to set this value if you need traefik to listen on specific interface only. | +| ports.traefik.hostPort | string | `nil` | Use hostPort if set. | +| ports.traefik.port | int | `9000` | | +| ports.traefik.protocol | string | `"TCP"` | The port protocol (TCP/UDP) | +| ports.web.expose.default | bool | `true` | | +| ports.web.exposedPort | int | `80` | | +| ports.web.forwardedHeaders.insecure | bool | `false` | | +| ports.web.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). | +| ports.web.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) | +| ports.web.port | int | `8000` | | +| ports.web.protocol | string | `"TCP"` | | +| ports.web.proxyProtocol.insecure | bool | `false` | | +| ports.web.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point | +| ports.web.redirectTo | object | `{}` | | +| ports.web.targetPort | string | `nil` | | +| ports.web.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | Set transport settings for the entrypoint; see also https://doc.traefik.io/traefik/routing/entrypoints/#transport | +| ports.websecure.allowACMEByPass | bool | `false` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass) | +| ports.websecure.appProtocol | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol) | +| ports.websecure.containerPort | string | `nil` | | +| ports.websecure.expose.default | bool | `true` | | +| ports.websecure.exposedPort | int | `443` | | +| ports.websecure.forwardedHeaders.insecure | bool | `false` | | +| ports.websecure.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). | +| ports.websecure.hostPort | string | `nil` | | +| ports.websecure.http3.advertisedPort | string | `nil` | | +| ports.websecure.http3.enabled | bool | `false` | | +| ports.websecure.middlewares | list | `[]` | /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace - namespace-name1@kubernetescrd - namespace-name2@kubernetescrd | +| ports.websecure.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) | +| ports.websecure.port | int | `8443` | | +| ports.websecure.protocol | string | `"TCP"` | | +| ports.websecure.proxyProtocol.insecure | bool | `false` | | +| ports.websecure.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point | +| ports.websecure.targetPort | string | `nil` | | +| ports.websecure.tls | object | `{"certResolver":"","domains":[],"enabled":true,"options":""}` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#tls) | +| ports.websecure.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport) | +| priorityClassName | string | `""` | [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) | +| providers.file.content | string | `""` | File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) | +| providers.file.enabled | bool | `false` | Create a file provider | +| providers.file.watch | bool | `true` | Allows Traefik to automatically watch for file changes | +| providers.kubernetesCRD.allowCrossNamespace | bool | `false` | Allows IngressRoute to reference resources in namespace other than theirs | +| providers.kubernetesCRD.allowEmptyServices | bool | `true` | Allows to return 503 when there is no endpoints available | +| providers.kubernetesCRD.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in IngressRoute | +| providers.kubernetesCRD.enabled | bool | `true` | Load Kubernetes IngressRoute provider | +| providers.kubernetesCRD.ingressClass | string | `""` | When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled. | +| providers.kubernetesCRD.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. | +| providers.kubernetesCRD.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. | +| providers.kubernetesGateway.enabled | bool | `false` | Enable Traefik Gateway provider for Gateway API | +| providers.kubernetesGateway.experimentalChannel | bool | `false` | Toggles support for the Experimental Channel resources (Gateway API release channels documentation). This option currently enables support for TCPRoute and TLSRoute. | +| providers.kubernetesGateway.labelselector | string | `""` | A label selector can be defined to filter on specific GatewayClass objects only. | +| providers.kubernetesGateway.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. | +| providers.kubernetesIngress.allowEmptyServices | bool | `true` | Allows to return 503 when there is no endpoints available | +| providers.kubernetesIngress.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in Ingress | +| providers.kubernetesIngress.enabled | bool | `true` | Load Kubernetes Ingress provider | +| providers.kubernetesIngress.ingressClass | string | `nil` | When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed. | +| providers.kubernetesIngress.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. | +| providers.kubernetesIngress.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. | +| providers.kubernetesIngress.publishedService.enabled | bool | `false` | | +| rbac | object | `{"aggregateTo":[],"enabled":true,"namespaced":false,"secretResourceNames":[]}` | Whether Role Based Access Control objects like roles and rolebindings should be created | +| readinessProbe.failureThreshold | int | `1` | The number of consecutive failures allowed before considering the probe as failed. | +| readinessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. | +| readinessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. | +| readinessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. | +| readinessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. | +| resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. | +| securityContext | object | See _values.yaml_ | [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | +| service.additionalServices | object | `{}` | | +| service.annotations | object | `{}` | Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) | +| service.annotationsTCP | object | `{}` | Additional annotations for TCP service only | +| service.annotationsUDP | object | `{}` | Additional annotations for UDP service only | +| service.enabled | bool | `true` | | +| service.externalIPs | list | `[]` | | +| service.labels | object | `{}` | Additional service labels (e.g. for filtering Service by custom labels) | +| service.loadBalancerSourceRanges | list | `[]` | | +| service.single | bool | `true` | | +| service.spec | object | `{}` | Cannot contain type, selector or ports entries. | +| service.type | string | `"LoadBalancer"` | | +| serviceAccount | object | `{"name":""}` | The service account the pods will use to interact with the Kubernetes API | +| serviceAccountAnnotations | object | `{}` | Additional serviceAccount annotations (e.g. for oidc authentication) | +| startupProbe | object | `{}` | Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes) | +| tlsOptions | object | `{}` | TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options) When using `labelSelector`, you'll need to set labels on tlsOption accordingly. See EXAMPLE.md for details. | +| tlsStore | object | `{}` | TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details. | +| tolerations | list | `[]` | Tolerations allow the scheduler to schedule pods with matching taints. | +| topologySpreadConstraints | list | `[]` | You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains. | +| tracing | object | `{"addInternals":false,"otlp":{"enabled":false,"grpc":{"enabled":false,"endpoint":"","insecure":false,"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}},"http":{"enabled":false,"endpoint":"","headers":{},"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}}}}` | https://doc.traefik.io/traefik/observability/tracing/overview/ | +| tracing.addInternals | bool | `false` | Enables tracing for internal resources. Default: false. | +| tracing.otlp.enabled | bool | `false` | See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ | +| tracing.otlp.grpc.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using gRPC | +| tracing.otlp.grpc.endpoint | string | `""` | Format: ://:. Default: http://localhost:4318/v1/metrics | +| tracing.otlp.grpc.insecure | bool | `false` | Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. | +| tracing.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. | +| tracing.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. | +| tracing.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. | +| tracing.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. | +| tracing.otlp.http.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. | +| tracing.otlp.http.endpoint | string | `""` | Format: ://:. Default: http://localhost:4318/v1/metrics | +| tracing.otlp.http.headers | object | `{}` | Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. | +| tracing.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. | +| tracing.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. | +| tracing.otlp.http.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. | +| tracing.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. | +| updateStrategy.rollingUpdate.maxSurge | int | `1` | | +| updateStrategy.rollingUpdate.maxUnavailable | int | `0` | | +| updateStrategy.type | string | `"RollingUpdate"` | Customize updateStrategy of Deployment or DaemonSet | +| volumes | list | `[]` | Add volumes to the traefik pod. The volume name will be passed to tpl. This can be used to mount a cert pair or a configmap that holds a config.toml file. After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: `additionalArguments: - "--providers.file.filename=/config/dynamic.toml" - "--ping" - "--ping.entrypoint=web"` | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/traefik/traefik/32.1.1/app-readme.md b/charts/traefik/traefik/32.1.1/app-readme.md new file mode 100644 index 000000000..7289af5d0 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/app-readme.md @@ -0,0 +1,5 @@ +# Traefik Proxy + +[Traefik](https://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. + +This chart bootstraps Traefik version 2 as a Kubernetes ingress controller. diff --git a/charts/traefik/traefik/32.1.1/crds/gateway-standard-install-v1.1.0.yaml b/charts/traefik/traefik/32.1.1/crds/gateway-standard-install-v1.1.0.yaml new file mode 100644 index 000000000..fcb65e66f --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/gateway-standard-install-v1.1.0.yaml @@ -0,0 +1,13478 @@ +# Copyright 2024 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# +# Gateway API Standard channel install +# +--- +# +# config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 + gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. + + + It is recommended that this resource be used as a template for Gateways. This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. + + + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. + + + GatewayClass is a Cluster level resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: |- + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. + + + Example: "example.net/gateway-controller". + + + This field is not mutable and cannot be empty. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. This is optional if the + controller does not require any additional configuration. + + + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. + + + If the referent cannot be found, the GatewayClass's "InvalidParameters" + status condition will be true. + + + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. + + + Implementations MUST populate status on all GatewayClass resources which + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. + + + It is recommended that this resource be used as a template for Gateways. This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. + + + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. + + + GatewayClass is a Cluster level resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: |- + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. + + + Example: "example.net/gateway-controller". + + + This field is not mutable and cannot be empty. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. This is optional if the + controller does not require any additional configuration. + + + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. + + + If the referent cannot be found, the GatewayClass's "InvalidParameters" + status condition will be true. + + + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. + + + Implementations MUST populate status on all GatewayClass resources which + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_gateways.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 + gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + Gateway represents an instance of a service-traffic handling infrastructure + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: |+ + Addresses requested for this Gateway. This is optional and behavior can + depend on the implementation. If a value is set in the spec and the + requested address is invalid or unavailable, the implementation MUST + indicate this in the associated entry in GatewayStatus.Addresses. + + + The Addresses field represents a request for the address(es) on the + "outside of the Gateway", that traffic bound for this Gateway will use. + This could be the IP address or hostname of an external load balancer or + other networking infrastructure, or some other address that traffic will + be sent to. + + + If no Addresses are specified, the implementation MAY schedule the + Gateway in an implementation-specific manner, assigning an appropriate + set of Addresses. + + + The implementation MUST bind all Listeners to every GatewayAddress that + it assigns to the Gateway and add a corresponding entry in + GatewayStatus.Addresses. + + + Support: Extended + + + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + - message: Hostname values must be unique + rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + gatewayClassName: + description: |- + GatewayClassName used for this Gateway. This is the name of a + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: |- + Listeners associated with this Gateway. Listeners define + logical endpoints that are bound on this Gateway's addresses. + At least one Listener MUST be specified. + + + Each Listener in a set of Listeners (for example, in a single Gateway) + MUST be _distinct_, in that a traffic flow MUST be able to be assigned to + exactly one listener. (This section uses "set of Listeners" rather than + "Listeners in a single Gateway" because implementations MAY merge configuration + from multiple Gateways onto a single data plane, and these rules _also_ + apply in that case). + + + Practically, this means that each listener in a set MUST have a unique + combination of Port, Protocol, and, if supported by the protocol, Hostname. + + + Some combinations of port, protocol, and TLS settings are considered + Core support and MUST be supported by implementations based on their + targeted conformance profile: + + + HTTP Profile + + + 1. HTTPRoute, Port: 80, Protocol: HTTP + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided + + + TLS Profile + + + 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + + "Distinct" Listeners have the following property: + + + The implementation can match inbound requests to a single distinct + Listener. When multiple Listeners share values for fields (for + example, two Listeners with the same Port value), the implementation + can match requests to only one of the Listeners using other + Listener fields. + + + For example, the following Listener scenarios are distinct: + + + 1. Multiple Listeners with the same Port that all use the "HTTP" + Protocol that all have unique Hostname values. + 2. Multiple Listeners with the same Port that use either the "HTTPS" or + "TLS" Protocol that all have unique Hostname values. + 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + with the same Protocol has the same Port value. + + + Some fields in the Listener struct have possible values that affect + whether the Listener is distinct. Hostname is particularly relevant + for HTTP or HTTPS protocols. + + + When using the Hostname value to select between same-Port, same-Protocol + Listeners, the Hostname value must be different on each Listener for the + Listener to be distinct. + + + When the Listeners are distinct based on Hostname, inbound request + hostnames MUST match from the most specific to least specific Hostname + values to choose the correct Listener and its associated set of Routes. + + + Exact matches must be processed before wildcard matches, and wildcard + matches must be processed before fallback (empty Hostname value) + matches. For example, `"foo.example.com"` takes precedence over + `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. + + + Additionally, if there are multiple wildcard entries, more specific + wildcard entries must be processed before less specific wildcard entries. + For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. + The precise definition here is that the higher the number of dots in the + hostname to the right of the wildcard character, the higher the precedence. + + + The wildcard character will match any number of characters _and dots_ to + the left, however, so `"*.example.com"` will match both + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + + If a set of Listeners contains Listeners that are not distinct, then those + Listeners are Conflicted, and the implementation MUST set the "Conflicted" + condition in the Listener Status to "True". + + + Implementations MAY choose to accept a Gateway with some Conflicted + Listeners only if they only accept the partial Listener set that contains + no Conflicted Listeners. To put this another way, implementations may + accept a partial Listener set only if they throw out *all* the conflicting + Listeners. No picking one of the conflicting listeners as the winner. + This also means that the Gateway must have at least one non-conflicting + Listener in this case, otherwise it violates the requirement that at + least one Listener must be present. + + + The implementation MUST set a "ListenersNotValid" condition on the + Gateway Status when the Gateway contains Conflicted Listeners whether or + not they accept the Gateway. That Condition SHOULD clearly + indicate in the Message which Listeners are conflicted, and which are + Accepted. Additionally, the Listener status for those listeners SHOULD + indicate which Listeners are conflicted and not Accepted. + + + A Gateway's Listeners are considered "compatible" if: + + + 1. They are distinct. + 2. The implementation can serve them in compliance with the Addresses + requirement that all Listeners are available on all assigned + addresses. + + + Compatible combinations in Extended support are expected to vary across + implementations. A combination that is compatible for one implementation + may not be compatible for another. + + + For example, an implementation that cannot serve both TCP and UDP listeners + on the same address, or cannot mix HTTPS and generic TLS listens on the same port + would not consider those cases compatible, even though they are distinct. + + + Note that requests SHOULD match at most one Listener. For example, if + Listeners are defined for "foo.example.com" and "*.example.com", a + request to "foo.example.com" SHOULD only be routed using routes attached + to the "foo.example.com" Listener (and not the "*.example.com" Listener). + This concept is known as "Listener Isolation". Implementations that do + not support Listener Isolation MUST clearly document this. + + + Implementations MAY merge separate Gateways onto a single set of + Addresses if all Listeners across all Gateways are compatible. + + + Support: Core + items: + description: |- + Listener embodies the concept of a logical endpoint where a Gateway accepts + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + + + Support: Core + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: |- + Protocol specifies the network protocol this listener expects to receive. + + + Support: Core + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + + The association of SNIs to Certificate defined in GatewayTLSConfig is + defined based on the Hostname field for this listener. + + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + + + Support: Core + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. + + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol + == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname + == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: |+ + Addresses lists the network addresses that have been bound to the + Gateway. + + + This list may differ from the addresses provided in the spec under some + conditions: + + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + + + items: + description: GatewayStatusAddress describes a network address that + is bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the Gateway. + + + Implementations should prefer to express Gateway conditions + using the `GatewayConditionType` and `GatewayConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe Gateway state. + + + Known condition types are: + + + * "Accepted" + * "Programmed" + * "Ready" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. + + + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener or Route status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners with condition Accepted: false and MUST count successfully + attached Routes that may themselves have Accepted: false conditions. + + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds an implementation supports for + that Listener configuration. + + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + Gateway represents an instance of a service-traffic handling infrastructure + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: |+ + Addresses requested for this Gateway. This is optional and behavior can + depend on the implementation. If a value is set in the spec and the + requested address is invalid or unavailable, the implementation MUST + indicate this in the associated entry in GatewayStatus.Addresses. + + + The Addresses field represents a request for the address(es) on the + "outside of the Gateway", that traffic bound for this Gateway will use. + This could be the IP address or hostname of an external load balancer or + other networking infrastructure, or some other address that traffic will + be sent to. + + + If no Addresses are specified, the implementation MAY schedule the + Gateway in an implementation-specific manner, assigning an appropriate + set of Addresses. + + + The implementation MUST bind all Listeners to every GatewayAddress that + it assigns to the Gateway and add a corresponding entry in + GatewayStatus.Addresses. + + + Support: Extended + + + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + - message: Hostname values must be unique + rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + gatewayClassName: + description: |- + GatewayClassName used for this Gateway. This is the name of a + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: |- + Listeners associated with this Gateway. Listeners define + logical endpoints that are bound on this Gateway's addresses. + At least one Listener MUST be specified. + + + Each Listener in a set of Listeners (for example, in a single Gateway) + MUST be _distinct_, in that a traffic flow MUST be able to be assigned to + exactly one listener. (This section uses "set of Listeners" rather than + "Listeners in a single Gateway" because implementations MAY merge configuration + from multiple Gateways onto a single data plane, and these rules _also_ + apply in that case). + + + Practically, this means that each listener in a set MUST have a unique + combination of Port, Protocol, and, if supported by the protocol, Hostname. + + + Some combinations of port, protocol, and TLS settings are considered + Core support and MUST be supported by implementations based on their + targeted conformance profile: + + + HTTP Profile + + + 1. HTTPRoute, Port: 80, Protocol: HTTP + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided + + + TLS Profile + + + 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + + "Distinct" Listeners have the following property: + + + The implementation can match inbound requests to a single distinct + Listener. When multiple Listeners share values for fields (for + example, two Listeners with the same Port value), the implementation + can match requests to only one of the Listeners using other + Listener fields. + + + For example, the following Listener scenarios are distinct: + + + 1. Multiple Listeners with the same Port that all use the "HTTP" + Protocol that all have unique Hostname values. + 2. Multiple Listeners with the same Port that use either the "HTTPS" or + "TLS" Protocol that all have unique Hostname values. + 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + with the same Protocol has the same Port value. + + + Some fields in the Listener struct have possible values that affect + whether the Listener is distinct. Hostname is particularly relevant + for HTTP or HTTPS protocols. + + + When using the Hostname value to select between same-Port, same-Protocol + Listeners, the Hostname value must be different on each Listener for the + Listener to be distinct. + + + When the Listeners are distinct based on Hostname, inbound request + hostnames MUST match from the most specific to least specific Hostname + values to choose the correct Listener and its associated set of Routes. + + + Exact matches must be processed before wildcard matches, and wildcard + matches must be processed before fallback (empty Hostname value) + matches. For example, `"foo.example.com"` takes precedence over + `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. + + + Additionally, if there are multiple wildcard entries, more specific + wildcard entries must be processed before less specific wildcard entries. + For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. + The precise definition here is that the higher the number of dots in the + hostname to the right of the wildcard character, the higher the precedence. + + + The wildcard character will match any number of characters _and dots_ to + the left, however, so `"*.example.com"` will match both + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + + If a set of Listeners contains Listeners that are not distinct, then those + Listeners are Conflicted, and the implementation MUST set the "Conflicted" + condition in the Listener Status to "True". + + + Implementations MAY choose to accept a Gateway with some Conflicted + Listeners only if they only accept the partial Listener set that contains + no Conflicted Listeners. To put this another way, implementations may + accept a partial Listener set only if they throw out *all* the conflicting + Listeners. No picking one of the conflicting listeners as the winner. + This also means that the Gateway must have at least one non-conflicting + Listener in this case, otherwise it violates the requirement that at + least one Listener must be present. + + + The implementation MUST set a "ListenersNotValid" condition on the + Gateway Status when the Gateway contains Conflicted Listeners whether or + not they accept the Gateway. That Condition SHOULD clearly + indicate in the Message which Listeners are conflicted, and which are + Accepted. Additionally, the Listener status for those listeners SHOULD + indicate which Listeners are conflicted and not Accepted. + + + A Gateway's Listeners are considered "compatible" if: + + + 1. They are distinct. + 2. The implementation can serve them in compliance with the Addresses + requirement that all Listeners are available on all assigned + addresses. + + + Compatible combinations in Extended support are expected to vary across + implementations. A combination that is compatible for one implementation + may not be compatible for another. + + + For example, an implementation that cannot serve both TCP and UDP listeners + on the same address, or cannot mix HTTPS and generic TLS listens on the same port + would not consider those cases compatible, even though they are distinct. + + + Note that requests SHOULD match at most one Listener. For example, if + Listeners are defined for "foo.example.com" and "*.example.com", a + request to "foo.example.com" SHOULD only be routed using routes attached + to the "foo.example.com" Listener (and not the "*.example.com" Listener). + This concept is known as "Listener Isolation". Implementations that do + not support Listener Isolation MUST clearly document this. + + + Implementations MAY merge separate Gateways onto a single set of + Addresses if all Listeners across all Gateways are compatible. + + + Support: Core + items: + description: |- + Listener embodies the concept of a logical endpoint where a Gateway accepts + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + + + Support: Core + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: |- + Protocol specifies the network protocol this listener expects to receive. + + + Support: Core + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + + The association of SNIs to Certificate defined in GatewayTLSConfig is + defined based on the Hostname field for this listener. + + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + + + Support: Core + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. + + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol + == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname + == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: |+ + Addresses lists the network addresses that have been bound to the + Gateway. + + + This list may differ from the addresses provided in the spec under some + conditions: + + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + + + items: + description: GatewayStatusAddress describes a network address that + is bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the Gateway. + + + Implementations should prefer to express Gateway conditions + using the `GatewayConditionType` and `GatewayConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe Gateway state. + + + Known condition types are: + + + * "Accepted" + * "Programmed" + * "Ready" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. + + + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener or Route status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners with condition Accepted: false and MUST count successfully + attached Routes that may themselves have Accepted: false conditions. + + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds an implementation supports for + that Listener configuration. + + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 + gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + GRPCRoute provides a way to route gRPC requests. This includes the capability + to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + Filters can be used to specify additional processing steps. Backends specify + where matching requests will be routed. + + + GRPCRoute falls under extended support within the Gateway API. Within the + following specification, the word "MUST" indicates that an implementation + supporting GRPCRoute must conform to the indicated requirement, but an + implementation not supporting this route type need not follow the requirement + unless explicitly indicated. + + + Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + ALPN. If the implementation does not support this, then it MUST set the + "Accepted" condition to "False" for the affected listener with a reason of + "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + with an upgrade from HTTP/1. + + + Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + support HTTP/2 over cleartext TCP (h2c, + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + upgrade from HTTP/1.1, i.e. with prior knowledge + (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + does not support this, then it MUST set the "Accepted" condition to "False" + for the affected listener with a reason of "UnsupportedProtocol". + Implementations MAY also accept HTTP/2 connections with an upgrade from + HTTP/1, i.e. without prior knowledge. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames to match against the GRPC + Host header to select a GRPCRoute to process the request. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label MUST appear by itself as the first label. + + + If a hostname is specified by both the Listener and GRPCRoute, there + MUST be at least one intersecting hostname for the GRPCRoute to be + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + If both the Listener and GRPCRoute have specified hostnames, any + GRPCRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + GRPCRoute specified `test.example.com` and `test.example.net`, + `test.example.net` MUST NOT be considered for a match. + + + If both the Listener and GRPCRoute have specified hostnames, and none + match with the criteria above, then the GRPCRoute MUST NOT be accepted by + the implementation. The implementation MUST raise an 'Accepted' Condition + with a status of `False` in the corresponding RouteParentStatus. + + + If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + Listener and that listener already has another Route (B) of the other + type attached and the intersection of the hostnames of A and B is + non-empty, then the implementation MUST accept exactly one of these two + routes, determined by the following criteria, in order: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + The rejected Route MUST raise an 'Accepted' condition with a status of + 'False' in the corresponding RouteParentStatus. + + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: |- + GRPCRouteRule defines the semantics for matching a gRPC request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive an `UNAVAILABLE` status. + + + See the GRPCBackendRef definition for the rules about what makes a single + GRPCBackendRef invalid. + + + When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive an `UNAVAILABLE` status. + + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + Implementations may choose how that 50 percent is determined. + + + Support: Core for Kubernetes Service + + + Support: Implementation-specific for any other resource + + + Support for weight: Core + items: + description: |- + GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + properties: + filters: + description: |- + Filters defined at this level MUST be executed if and only if the + request is being forwarded to the backend defined here. + + + Support: Implementation-specific (For broader support of filters, use the + Filters field in GRPCRouteRule.) + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + required: + - backendRef + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + + The effects of ordering of multiple behaviors are currently unspecified. + This can change in the future based on feedback during the alpha stage. + + + Conformance-levels at this level are defined based on the type of filter: + + + - ALL core filters MUST be supported by all implementations that support + GRPCRoute. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + + If an implementation can not support a combination of filters, it must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + + Support: Core + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + required: + - backendRef + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + matches: + description: |- + Matches define conditions used for matching the rule against incoming + gRPC requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + + For example, take the following matches configuration: + + + ``` + matches: + - method: + service: foo.bar + headers: + values: + version: 2 + - method: + service: foo.bar.v2 + ``` + + + For a request to match against this rule, it MUST satisfy + EITHER of the two conditions: + + + - service of foo.bar AND contains the header `version: 2` + - service of foo.bar.v2 + + + See the documentation for GRPCRouteMatch on how to specify multiple + match conditions to be ANDed together. + + + If no matches are specified, the implementation MUST match every gRPC request. + + + Proxy or Load Balancer routing configuration generated from GRPCRoutes + MUST prioritize rules based on the following criteria, continuing on + ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + Precedence MUST be given to the rule with the largest number of: + + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + * Characters in a matching service. + * Characters in a matching method. + * Header matches. + + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + If ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching rule meeting + the above criteria. + items: + description: |- + GRPCRouteMatch defines the predicate used to match requests to a given + action. Multiple match types are ANDed together, i.e. the match will + evaluate to true only if all conditions are satisfied. + + + For example, the match below will match a gRPC request only if its service + is `foo` AND it contains the `version: v1` header: + + + ``` + matches: + - method: + type: Exact + service: "foo" + headers: + - name: "version" + value "v1" + + + ``` + properties: + headers: + description: |- + Headers specifies gRPC request header matchers. Multiple match values are + ANDed together, meaning, a request MUST match all the specified headers + to select the route. + items: + description: |- + GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + headers. + properties: + name: + description: |- + Name is the name of the gRPC Header to be matched. + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies a gRPC request service/method matcher. If this field is + not specified, all services and methods will match. + properties: + method: + description: |- + Value of the method to match against. If left empty or omitted, will + match all services. + + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + service: + description: |- + Value of the service to match against. If left empty or omitted, will + match any service. + + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + type: + default: Exact + description: |- + Type specifies how to match against the service and/or method. + Support: Core (Exact with service and method specified) + + + Support: Implementation-specific (Exact with method specified but no service specified) + + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - RegularExpression + type: string + type: object + x-kubernetes-validations: + - message: One or both of 'service' or 'method' must be + specified + rule: 'has(self.type) ? has(self.service) || has(self.method) + : true' + - message: service must only contain valid characters + (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): + true' + - message: method must only contain valid characters (matching + ^[A-Za-z_][A-Za-z_0-9]*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): + true' + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} + - deprecated: true + deprecationWarning: The v1alpha2 version of GRPCRoute has been deprecated and + will be removed in a future release of the API. Please upgrade to v1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + GRPCRoute provides a way to route gRPC requests. This includes the capability + to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + Filters can be used to specify additional processing steps. Backends specify + where matching requests will be routed. + + + GRPCRoute falls under extended support within the Gateway API. Within the + following specification, the word "MUST" indicates that an implementation + supporting GRPCRoute must conform to the indicated requirement, but an + implementation not supporting this route type need not follow the requirement + unless explicitly indicated. + + + Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + ALPN. If the implementation does not support this, then it MUST set the + "Accepted" condition to "False" for the affected listener with a reason of + "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + with an upgrade from HTTP/1. + + + Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + support HTTP/2 over cleartext TCP (h2c, + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + upgrade from HTTP/1.1, i.e. with prior knowledge + (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + does not support this, then it MUST set the "Accepted" condition to "False" + for the affected listener with a reason of "UnsupportedProtocol". + Implementations MAY also accept HTTP/2 connections with an upgrade from + HTTP/1, i.e. without prior knowledge. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames to match against the GRPC + Host header to select a GRPCRoute to process the request. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label MUST appear by itself as the first label. + + + If a hostname is specified by both the Listener and GRPCRoute, there + MUST be at least one intersecting hostname for the GRPCRoute to be + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + If both the Listener and GRPCRoute have specified hostnames, any + GRPCRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + GRPCRoute specified `test.example.com` and `test.example.net`, + `test.example.net` MUST NOT be considered for a match. + + + If both the Listener and GRPCRoute have specified hostnames, and none + match with the criteria above, then the GRPCRoute MUST NOT be accepted by + the implementation. The implementation MUST raise an 'Accepted' Condition + with a status of `False` in the corresponding RouteParentStatus. + + + If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + Listener and that listener already has another Route (B) of the other + type attached and the intersection of the hostnames of A and B is + non-empty, then the implementation MUST accept exactly one of these two + routes, determined by the following criteria, in order: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + The rejected Route MUST raise an 'Accepted' condition with a status of + 'False' in the corresponding RouteParentStatus. + + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: |- + GRPCRouteRule defines the semantics for matching a gRPC request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive an `UNAVAILABLE` status. + + + See the GRPCBackendRef definition for the rules about what makes a single + GRPCBackendRef invalid. + + + When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive an `UNAVAILABLE` status. + + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + Implementations may choose how that 50 percent is determined. + + + Support: Core for Kubernetes Service + + + Support: Implementation-specific for any other resource + + + Support for weight: Core + items: + description: |- + GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + properties: + filters: + description: |- + Filters defined at this level MUST be executed if and only if the + request is being forwarded to the backend defined here. + + + Support: Implementation-specific (For broader support of filters, use the + Filters field in GRPCRouteRule.) + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + required: + - backendRef + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + + The effects of ordering of multiple behaviors are currently unspecified. + This can change in the future based on feedback during the alpha stage. + + + Conformance-levels at this level are defined based on the type of filter: + + + - ALL core filters MUST be supported by all implementations that support + GRPCRoute. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + + If an implementation can not support a combination of filters, it must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + + Support: Core + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + required: + - backendRef + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + matches: + description: |- + Matches define conditions used for matching the rule against incoming + gRPC requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + + For example, take the following matches configuration: + + + ``` + matches: + - method: + service: foo.bar + headers: + values: + version: 2 + - method: + service: foo.bar.v2 + ``` + + + For a request to match against this rule, it MUST satisfy + EITHER of the two conditions: + + + - service of foo.bar AND contains the header `version: 2` + - service of foo.bar.v2 + + + See the documentation for GRPCRouteMatch on how to specify multiple + match conditions to be ANDed together. + + + If no matches are specified, the implementation MUST match every gRPC request. + + + Proxy or Load Balancer routing configuration generated from GRPCRoutes + MUST prioritize rules based on the following criteria, continuing on + ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + Precedence MUST be given to the rule with the largest number of: + + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + * Characters in a matching service. + * Characters in a matching method. + * Header matches. + + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + If ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching rule meeting + the above criteria. + items: + description: |- + GRPCRouteMatch defines the predicate used to match requests to a given + action. Multiple match types are ANDed together, i.e. the match will + evaluate to true only if all conditions are satisfied. + + + For example, the match below will match a gRPC request only if its service + is `foo` AND it contains the `version: v1` header: + + + ``` + matches: + - method: + type: Exact + service: "foo" + headers: + - name: "version" + value "v1" + + + ``` + properties: + headers: + description: |- + Headers specifies gRPC request header matchers. Multiple match values are + ANDed together, meaning, a request MUST match all the specified headers + to select the route. + items: + description: |- + GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + headers. + properties: + name: + description: |- + Name is the name of the gRPC Header to be matched. + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies a gRPC request service/method matcher. If this field is + not specified, all services and methods will match. + properties: + method: + description: |- + Value of the method to match against. If left empty or omitted, will + match all services. + + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + service: + description: |- + Value of the service to match against. If left empty or omitted, will + match any service. + + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + type: + default: Exact + description: |- + Type specifies how to match against the service and/or method. + Support: Core (Exact with service and method specified) + + + Support: Implementation-specific (Exact with method specified but no service specified) + + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - RegularExpression + type: string + type: object + x-kubernetes-validations: + - message: One or both of 'service' or 'method' must be + specified + rule: 'has(self.type) ? has(self.service) || has(self.method) + : true' + - message: service must only contain valid characters + (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): + true' + - message: method must only contain valid characters (matching + ^[A-Za-z_][A-Za-z_0-9]*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): + true' + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: false + storage: false +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_httproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 + gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. + + + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: + + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + + + If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. + + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. + + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. + + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other resource + + + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + properties: + filters: + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. + + + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + This filter can be used multiple times within the same rule. + + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + + If no port is specified, the redirect port MUST be derived using the + following rules: + + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + + Wherever possible, implementations SHOULD implement filters in the order + they are specified. + + + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that can not be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. + + + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. + + + Conformance-levels at this level are defined based on the type of filter: + + + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. If an + implementation can not support other combinations of filters, they must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + + Support: Core + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + This filter can be used multiple times within the same rule. + + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + + If no port is specified, the redirect port MUST be derived using the + following rules: + + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: |- + Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + + For example, take the following matches configuration: + + + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: + + + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` + + + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. + + + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. + + + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. Across all rules specified on applicable Routes, precedence must be + given to the match having: + + + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. + * Largest number of query param matches. + + + Note: The precedence of RegularExpression path matches are implementation-specific. + + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. + + + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\n\nFor example, + the match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" + properties: + headers: + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? + (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. + + + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: + + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + + + If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. + + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. + + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. + + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other resource + + + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + properties: + filters: + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. + + + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + This filter can be used multiple times within the same rule. + + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + + If no port is specified, the redirect port MUST be derived using the + following rules: + + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + + Wherever possible, implementations SHOULD implement filters in the order + they are specified. + + + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that can not be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. + + + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. + + + Conformance-levels at this level are defined based on the type of filter: + + + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. If an + implementation can not support other combinations of filters, they must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + + Support: Core + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + This filter can be used multiple times within the same rule. + + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + + If no port is specified, the redirect port MUST be derived using the + following rules: + + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: |- + Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + + For example, take the following matches configuration: + + + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: + + + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` + + + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. + + + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. + + + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. Across all rules specified on applicable Routes, precedence must be + given to the match having: + + + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. + * Largest number of query param matches. + + + Note: The precedence of RegularExpression path matches are implementation-specific. + + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. + + + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\n\nFor example, + the match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" + properties: + headers: + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? + (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 + gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of ReferenceGrant has been deprecated + and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + + A ReferenceGrant is required for all cross-namespace references in Gateway API + (with the exception of cross-namespace Route-Gateway attachment, which is + governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + Service ParentRefs on a "consumer" mesh Route, which defines routing rules + applicable only to workloads in the Route namespace). ReferenceGrants allowing + a reference from a Route to a Service are only applicable to BackendRefs. + + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + + When used to permit a SecretObjectReference: + + + * Gateway + + + When used to permit a BackendObjectReference: + + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: false + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + + When used to permit a SecretObjectReference: + + + * Gateway + + + When used to permit a BackendObjectReference: + + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_accesscontrolpolicies.yaml b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_accesscontrolpolicies.yaml new file mode 100644 index 000000000..821f969b6 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_accesscontrolpolicies.yaml @@ -0,0 +1,368 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: accesscontrolpolicies.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: AccessControlPolicy + listKind: AccessControlPolicyList + plural: accesscontrolpolicies + singular: accesscontrolpolicy + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AccessControlPolicy defines an access control policy. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AccessControlPolicySpec configures an access control policy. + properties: + apiKey: + description: AccessControlPolicyAPIKey configure an APIKey control + policy. + properties: + forwardHeaders: + additionalProperties: + type: string + description: ForwardHeaders instructs the middleware to forward + key metadata as header values upon successful authentication. + type: object + keySource: + description: KeySource defines how to extract API keys from requests. + properties: + cookie: + description: Cookie is the name of a cookie. + type: string + header: + description: Header is the name of a header. + type: string + headerAuthScheme: + description: |- + HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization". + If set, this scheme is removed from the token, and all requests not including it are dropped. + type: string + query: + description: Query is the name of a query parameter. + type: string + type: object + keys: + description: Keys define the set of authorized keys to access + a protected resource. + items: + description: AccessControlPolicyAPIKeyKey defines an API key. + properties: + id: + description: ID is the unique identifier of the key. + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds arbitrary metadata for this + key, can be used by ForwardHeaders. + type: object + value: + description: Value is the SHAKE-256 hash (using 64 bytes) + of the API key. + type: string + required: + - id + - value + type: object + type: array + required: + - keySource + type: object + basicAuth: + description: AccessControlPolicyBasicAuth holds the HTTP basic authentication + configuration. + properties: + forwardUsernameHeader: + type: string + realm: + type: string + stripAuthorizationHeader: + type: boolean + users: + items: + type: string + type: array + type: object + jwt: + description: AccessControlPolicyJWT configures a JWT access control + policy. + properties: + claims: + type: string + forwardHeaders: + additionalProperties: + type: string + type: object + jwksFile: + type: string + jwksUrl: + type: string + publicKey: + type: string + signingSecret: + type: string + signingSecretBase64Encoded: + type: boolean + stripAuthorizationHeader: + type: boolean + tokenQueryKey: + type: string + type: object + oAuthIntro: + description: AccessControlOAuthIntro configures an OAuth 2.0 Token + Introspection access control policy. + properties: + claims: + type: string + clientConfig: + description: AccessControlOAuthIntroClientConfig configures the + OAuth 2.0 client for issuing token introspection requests. + properties: + headers: + additionalProperties: + type: string + description: Headers to set when sending requests to the Authorization + Server. + type: object + maxRetries: + default: 3 + description: MaxRetries defines the number of retries for + introspection requests. + type: integer + timeoutSeconds: + default: 5 + description: TimeoutSeconds configures the maximum amount + of seconds to wait before giving up on requests. + type: integer + tls: + description: TLS configures TLS communication with the Authorization + Server. + properties: + ca: + description: CA sets the CA bundle used to sign the Authorization + Server certificate. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify skips the Authorization Server certificate validation. + For testing purposes only, do not use in production. + type: boolean + type: object + tokenTypeHint: + description: |- + TokenTypeHint is a hint to pass to the Authorization Server. + See https://tools.ietf.org/html/rfc7662#section-2.1 for more information. + type: string + url: + description: URL of the Authorization Server. + type: string + required: + - url + type: object + forwardHeaders: + additionalProperties: + type: string + type: object + tokenSource: + description: |- + TokenSource describes how to extract tokens from HTTP requests. + If multiple sources are set, the order is the following: header > query > cookie. + properties: + cookie: + description: Cookie is the name of a cookie. + type: string + header: + description: Header is the name of a header. + type: string + headerAuthScheme: + description: |- + HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization". + If set, this scheme is removed from the token, and all requests not including it are dropped. + type: string + query: + description: Query is the name of a query parameter. + type: string + type: object + required: + - clientConfig + - tokenSource + type: object + oidc: + description: AccessControlPolicyOIDC holds the OIDC authentication + configuration. + properties: + authParams: + additionalProperties: + type: string + type: object + claims: + type: string + clientId: + type: string + disableAuthRedirectionPaths: + items: + type: string + type: array + forwardHeaders: + additionalProperties: + type: string + type: object + issuer: + type: string + logoutUrl: + type: string + redirectUrl: + type: string + scopes: + items: + type: string + type: array + secret: + description: |- + SecretReference represents a Secret Reference. It has enough information to retrieve secret + in any namespace + properties: + name: + description: name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: namespace defines the space within which the + secret name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + session: + description: Session holds session configuration. + properties: + domain: + type: string + path: + type: string + refresh: + type: boolean + sameSite: + type: string + secure: + type: boolean + type: object + stateCookie: + description: StateCookie holds state cookie configuration. + properties: + domain: + type: string + path: + type: string + sameSite: + type: string + secure: + type: boolean + type: object + type: object + oidcGoogle: + description: AccessControlPolicyOIDCGoogle holds the Google OIDC authentication + configuration. + properties: + authParams: + additionalProperties: + type: string + type: object + clientId: + type: string + emails: + description: Emails are the allowed emails to connect. + items: + type: string + minItems: 1 + type: array + forwardHeaders: + additionalProperties: + type: string + type: object + logoutUrl: + type: string + redirectUrl: + type: string + secret: + description: |- + SecretReference represents a Secret Reference. It has enough information to retrieve secret + in any namespace + properties: + name: + description: name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: namespace defines the space within which the + secret name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + session: + description: Session holds session configuration. + properties: + domain: + type: string + path: + type: string + refresh: + type: boolean + sameSite: + type: string + secure: + type: boolean + type: object + stateCookie: + description: StateCookie holds state cookie configuration. + properties: + domain: + type: string + path: + type: string + sameSite: + type: string + secure: + type: boolean + type: object + type: object + type: object + status: + description: The current status of this access control policy. + properties: + specHash: + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiaccesses.yaml b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiaccesses.yaml new file mode 100644 index 000000000..ee8ecaf4e --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiaccesses.yaml @@ -0,0 +1,188 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apiaccesses.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIAccess + listKind: APIAccessList + plural: apiaccesses + singular: apiaccess + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIAccess defines who can access to a set of APIs. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIAccess. + properties: + apiBundles: + description: |- + APIBundles defines a set of APIBundle that will be accessible to the configured audience. + Multiple APIAccesses can select the same APIBundles. + items: + description: APIBundleReference references an APIBundle. + properties: + name: + description: Name of the APIBundle. + maxLength: 253 + type: string + required: + - name + type: object + maxItems: 100 + type: array + x-kubernetes-validations: + - message: duplicated apiBundles + rule: self.all(x, self.exists_one(y, x.name == y.name)) + apiPlan: + description: APIPlan defines which APIPlan will be used. + properties: + name: + description: Name of the APIPlan. + maxLength: 253 + type: string + required: + - name + type: object + apiSelector: + description: |- + APISelector selects the APIs that will be accessible to the configured audience. + Multiple APIAccesses can select the same set of APIs. + This field is optional and follows standard label selector semantics. + An empty APISelector matches any API. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + apis: + description: |- + APIs defines a set of APIs that will be accessible to the configured audience. + Multiple APIAccesses can select the same APIs. + When combined with APISelector, this set of APIs is appended to the matching APIs. + items: + description: APIReference references an API. + properties: + name: + description: Name of the API. + maxLength: 253 + type: string + required: + - name + type: object + maxItems: 100 + type: array + x-kubernetes-validations: + - message: duplicated apis + rule: self.all(x, self.exists_one(y, x.name == y.name)) + everyone: + description: Everyone indicates that all users will have access to + the selected APIs. + type: boolean + groups: + description: Groups are the consumer groups that will gain access + to the selected APIs. + items: + type: string + type: array + operationFilter: + description: |- + OperationFilter specifies the allowed operations on APIs and APIVersions. + If not set, all operations are available. + An empty OperationFilter prohibits all operations. + properties: + include: + description: Include defines the names of OperationSets that will + be accessible. + items: + type: string + maxItems: 100 + type: array + type: object + weight: + description: Weight specifies the evaluation order of the plan. + type: integer + x-kubernetes-validations: + - message: must be a positive number + rule: self >= 0 + type: object + x-kubernetes-validations: + - message: groups and everyone are mutually exclusive + rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone && + self.groups.size() > 0) : true' + status: + description: The current status of this APIAccess. + properties: + hash: + description: Hash is a hash representing the APIAccess. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apibundles.yaml b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apibundles.yaml new file mode 100644 index 000000000..a45a0b137 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apibundles.yaml @@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apibundles.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIBundle + listKind: APIBundleList + plural: apibundles + singular: apibundle + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIBundle defines a set of APIs. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIBundle. + properties: + apiSelector: + description: |- + APISelector selects the APIs that will be accessible to the configured audience. + Multiple APIBundles can select the same set of APIs. + This field is optional and follows standard label selector semantics. + An empty APISelector matches any API. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + apis: + description: |- + APIs defines a set of APIs that will be accessible to the configured audience. + Multiple APIBundles can select the same APIs. + When combined with APISelector, this set of APIs is appended to the matching APIs. + items: + description: APIReference references an API. + properties: + name: + description: Name of the API. + maxLength: 253 + type: string + required: + - name + type: object + maxItems: 100 + type: array + x-kubernetes-validations: + - message: duplicated apis + rule: self.all(x, self.exists_one(y, x.name == y.name)) + type: object + status: + description: The current status of this APIBundle. + properties: + hash: + description: Hash is a hash representing the APIBundle. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiplans.yaml b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiplans.yaml new file mode 100644 index 000000000..92e1b9b5c --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiplans.yaml @@ -0,0 +1,103 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apiplans.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIPlan + listKind: APIPlanList + plural: apiplans + singular: apiplan + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIPlan defines API Plan policy. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIPlan. + properties: + description: + description: Description describes the plan. + type: string + quota: + description: Quota defines the quota policy. + properties: + limit: + description: Limit is the maximum number of token in the bucket. + type: integer + x-kubernetes-validations: + - message: must be a positive number + rule: self >= 0 + period: + description: Period is the unit of time for the Limit. + format: duration + type: string + x-kubernetes-validations: + - message: must be between 1s and 9999h + rule: self >= duration('1s') && self <= duration('9999h') + required: + - limit + type: object + rateLimit: + description: RateLimit defines the rate limit policy. + properties: + limit: + description: Limit is the maximum number of token in the bucket. + type: integer + x-kubernetes-validations: + - message: must be a positive number + rule: self >= 0 + period: + description: Period is the unit of time for the Limit. + format: duration + type: string + x-kubernetes-validations: + - message: must be between 1s and 1h + rule: self >= duration('1s') && self <= duration('1h') + required: + - limit + type: object + title: + description: Title is the human-readable name of the plan. + type: string + required: + - title + type: object + status: + description: The current status of this APIPlan. + properties: + hash: + description: Hash is a hash representing the APIPlan. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiportals.yaml b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiportals.yaml new file mode 100644 index 000000000..bc0417016 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiportals.yaml @@ -0,0 +1,139 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apiportals.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIPortal + listKind: APIPortalList + plural: apiportals + singular: apiportal + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIPortal defines a developer portal for accessing the documentation + of APIs. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIPortal. + properties: + description: + description: Description of the APIPortal. + type: string + title: + description: Title is the public facing name of the APIPortal. + type: string + trustedUrls: + description: TrustedURLs are the urls that are trusted by the OAuth + 2.0 authorization server. + items: + type: string + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-validations: + - message: must be a valid URLs + rule: self.all(x, isURL(x)) + ui: + description: UI holds the UI customization options. + properties: + logoUrl: + description: LogoURL is the public URL of the logo. + type: string + type: object + required: + - trustedUrls + type: object + status: + description: The current status of this APIPortal. + properties: + hash: + description: Hash is a hash representing the APIPortal. + type: string + oidc: + description: OIDC is the OIDC configuration for accessing the exposed + APIPortal WebUI. + properties: + clientId: + description: ClientID is the OIDC ClientID for accessing the exposed + APIPortal WebUI. + type: string + companyClaim: + description: CompanyClaim is the name of the JWT claim containing + the user company. + type: string + emailClaim: + description: EmailClaim is the name of the JWT claim containing + the user email. + type: string + firstnameClaim: + description: FirstnameClaim is the name of the JWT claim containing + the user firstname. + type: string + generic: + description: Generic indicates whether or not the APIPortal authentication + relies on Generic OIDC. + type: boolean + groupsClaim: + description: GroupsClaim is the name of the JWT claim containing + the user groups. + type: string + issuer: + description: Issuer is the OIDC issuer for accessing the exposed + APIPortal WebUI. + type: string + lastnameClaim: + description: LastnameClaim is the name of the JWT claim containing + the user lastname. + type: string + scopes: + description: Scopes is the OIDC scopes for getting user attributes + during the authentication to the exposed APIPortal WebUI. + type: string + secretName: + description: SecretName is the name of the secret containing the + OIDC ClientSecret for accessing the exposed APIPortal WebUI. + type: string + syncedAttributes: + description: SyncedAttributes configure the user attributes to + sync. + items: + type: string + type: array + userIdClaim: + description: UserIDClaim is the name of the JWT claim containing + the user ID. + type: string + type: object + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiratelimits.yaml b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiratelimits.yaml new file mode 100644 index 000000000..8e328d3c5 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiratelimits.yaml @@ -0,0 +1,166 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apiratelimits.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIRateLimit + listKind: APIRateLimitList + plural: apiratelimits + singular: apiratelimit + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIRateLimit defines how group of consumers are rate limited + on a set of APIs. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIRateLimit. + properties: + apiSelector: + description: |- + APISelector selects the APIs that will be rate limited. + Multiple APIRateLimits can select the same set of APIs. + This field is optional and follows standard label selector semantics. + An empty APISelector matches any API. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + apis: + description: |- + APIs defines a set of APIs that will be rate limited. + Multiple APIRateLimits can select the same APIs. + When combined with APISelector, this set of APIs is appended to the matching APIs. + items: + description: APIReference references an API. + properties: + name: + description: Name of the API. + maxLength: 253 + type: string + required: + - name + type: object + maxItems: 100 + type: array + x-kubernetes-validations: + - message: duplicated apis + rule: self.all(x, self.exists_one(y, x.name == y.name)) + everyone: + description: |- + Everyone indicates that all users will, by default, be rate limited with this configuration. + If an APIRateLimit explicitly target a group, the default rate limit will be ignored. + type: boolean + groups: + description: |- + Groups are the consumer groups that will be rate limited. + Multiple APIRateLimits can target the same set of consumer groups, the most restrictive one applies. + When a consumer belongs to multiple groups, the least restrictive APIRateLimit applies. + items: + type: string + type: array + limit: + description: Limit is the maximum number of token in the bucket. + type: integer + x-kubernetes-validations: + - message: must be a positive number + rule: self >= 0 + period: + description: Period is the unit of time for the Limit. + format: duration + type: string + x-kubernetes-validations: + - message: must be between 1s and 1h + rule: self >= duration('1s') && self <= duration('1h') + strategy: + description: |- + Strategy defines how the bucket state will be synchronized between the different Traefik Hub instances. + It can be, either "local" or "distributed". + enum: + - local + - distributed + type: string + required: + - limit + type: object + x-kubernetes-validations: + - message: groups and everyone are mutually exclusive + rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone && + self.groups.size() > 0) : true' + status: + description: The current status of this APIRateLimit. + properties: + hash: + description: Hash is a hash representing the APIRateLimit. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apis.yaml b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apis.yaml new file mode 100644 index 000000000..a7b9e5e60 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apis.yaml @@ -0,0 +1,190 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apis.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: API + listKind: APIList + plural: apis + singular: api + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + API defines an HTTP interface that is exposed to external clients. It specifies the supported versions + and provides instructions for accessing its documentation. Once instantiated, an API object is associated + with an Ingress, IngressRoute, or HTTPRoute resource, enabling the exposure of the described API to the outside world. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: APISpec describes the API. + properties: + openApiSpec: + description: OpenAPISpec defines the API contract as an OpenAPI specification. + properties: + operationSets: + description: OperationSets defines the sets of operations to be + referenced for granular filtering in APIAccesses. + items: + description: |- + OperationSet gives a name to a set of matching OpenAPI operations. + This set of operations can then be referenced for granular filtering in APIAccesses. + properties: + matchers: + description: Matchers defines a list of alternative rules + for matching OpenAPI operations. + items: + description: OperationMatcher defines criteria for matching + an OpenAPI operation. + minProperties: 1 + properties: + methods: + description: Methods specifies the HTTP methods to + be included for selection. + items: + type: string + maxItems: 10 + type: array + path: + description: Path specifies the exact path of the + operations to select. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + pathPrefix: + description: PathPrefix specifies the path prefix + of the operations to select. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + pathRegex: + description: PathRegex specifies a regular expression + pattern for matching operations based on their paths. + type: string + type: object + x-kubernetes-validations: + - message: path, pathPrefix and pathRegex are mutually + exclusive + rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x, + x).size() <= 1' + maxItems: 100 + minItems: 1 + type: array + name: + description: Name is the name of the OperationSet to reference + in APIAccesses. + maxLength: 253 + type: string + required: + - matchers + - name + type: object + maxItems: 100 + type: array + override: + description: Override holds data used to override OpenAPI specification. + properties: + servers: + items: + properties: + url: + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + required: + - url + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - servers + type: object + path: + description: |- + Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained. + The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached. + It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services. + The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + url: + description: |- + URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification. + The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + type: object + x-kubernetes-validations: + - message: path or url must be defined + rule: has(self.path) || has(self.url) + versions: + description: Versions are the different APIVersions available. + items: + description: APIVersionRef references an APIVersion. + properties: + name: + description: Name of the APIVersion. + maxLength: 253 + type: string + required: + - name + type: object + maxItems: 100 + minItems: 1 + type: array + type: object + status: + description: The current status of this API. + properties: + hash: + description: Hash is a hash representing the API. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiversions.yaml b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiversions.yaml new file mode 100644 index 000000000..97184effe --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/hub.traefik.io_apiversions.yaml @@ -0,0 +1,194 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apiversions.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIVersion + listKind: APIVersionList + plural: apiversions + singular: apiversion + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.title + name: Title + type: string + - jsonPath: .spec.release + name: Release + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: APIVersion defines a version of an API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIVersion. + properties: + openApiSpec: + description: OpenAPISpec defines the API contract as an OpenAPI specification. + properties: + operationSets: + description: OperationSets defines the sets of operations to be + referenced for granular filtering in APIAccesses. + items: + description: |- + OperationSet gives a name to a set of matching OpenAPI operations. + This set of operations can then be referenced for granular filtering in APIAccesses. + properties: + matchers: + description: Matchers defines a list of alternative rules + for matching OpenAPI operations. + items: + description: OperationMatcher defines criteria for matching + an OpenAPI operation. + minProperties: 1 + properties: + methods: + description: Methods specifies the HTTP methods to + be included for selection. + items: + type: string + maxItems: 10 + type: array + path: + description: Path specifies the exact path of the + operations to select. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + pathPrefix: + description: PathPrefix specifies the path prefix + of the operations to select. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + pathRegex: + description: PathRegex specifies a regular expression + pattern for matching operations based on their paths. + type: string + type: object + x-kubernetes-validations: + - message: path, pathPrefix and pathRegex are mutually + exclusive + rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x, + x).size() <= 1' + maxItems: 100 + minItems: 1 + type: array + name: + description: Name is the name of the OperationSet to reference + in APIAccesses. + maxLength: 253 + type: string + required: + - matchers + - name + type: object + maxItems: 100 + type: array + override: + description: Override holds data used to override OpenAPI specification. + properties: + servers: + items: + properties: + url: + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + required: + - url + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - servers + type: object + path: + description: |- + Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained. + The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached. + It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services. + The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + url: + description: |- + URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification. + The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + type: object + x-kubernetes-validations: + - message: path or url must be defined + rule: has(self.path) || has(self.url) + release: + description: |- + Release is the version number of the API. + This value must follow the SemVer format: https://semver.org/ + maxLength: 100 + type: string + x-kubernetes-validations: + - message: must be a valid semver version + rule: self.matches(r"""^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$""") + title: + description: Title is the public facing name of the APIVersion. + type: string + required: + - release + type: object + status: + description: The current status of this APIVersion. + properties: + hash: + description: Hash is a hash representing the APIVersion. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/traefik/traefik/32.1.1/crds/traefik.io_ingressroutes.yaml b/charts/traefik/traefik/32.1.1/crds/traefik.io_ingressroutes.yaml new file mode 100644 index 000000000..6ce60d68e --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/traefik.io_ingressroutes.yaml @@ -0,0 +1,366 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: ingressroutes.traefik.io +spec: + group: traefik.io + names: + kind: IngressRoute + listKind: IngressRouteList + plural: ingressroutes + singular: ingressroute + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRoute is the CRD implementation of a Traefik HTTP Router. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IngressRouteSpec defines the desired state of IngressRoute. + properties: + entryPoints: + description: |- + EntryPoints defines the list of entry point names to bind to. + Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/ + Default: all. + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: Route holds the HTTP route configuration. + properties: + kind: + description: |- + Kind defines the kind of the route. + Rule is the only supported kind. + enum: + - Rule + type: string + match: + description: |- + Match defines the router's rule. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule + type: string + middlewares: + description: |- + Middlewares defines the list of references to Middleware resources. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-middleware + items: + description: MiddlewareRef is a reference to a Middleware + resource. + properties: + name: + description: Name defines the name of the referenced Middleware + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. + type: string + required: + - name + type: object + type: array + priority: + description: |- + Priority defines the router's priority. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority + type: integer + services: + description: |- + Services defines the list of Service. + It can contain any combination of TraefikService and/or reference to a Kubernetes Service. + items: + description: Service defines an upstream HTTP service to proxy + traffic to. + properties: + healthCheck: + description: Healthcheck defines health checks for ExternalName + services. + properties: + followRedirects: + description: |- + FollowRedirects defines whether redirects should be followed during the health check calls. + Default: true + type: boolean + headers: + additionalProperties: + type: string + description: Headers defines custom headers to be + sent to the health check endpoint. + type: object + hostname: + description: Hostname defines the value of hostname + in the Host header of the health check request. + type: string + interval: + anyOf: + - type: integer + - type: string + description: |- + Interval defines the frequency of the health check calls. + Default: 30s + x-kubernetes-int-or-string: true + method: + description: Method defines the healthcheck method. + type: string + mode: + description: |- + Mode defines the health check mode. + If defined to grpc, will use the gRPC health check protocol to probe the server. + Default: http + type: string + path: + description: Path defines the server URL path for + the health check endpoint. + type: string + port: + description: Port defines the server URL port for + the health check endpoint. + type: integer + scheme: + description: Scheme replaces the server URL scheme + for the health check endpoint. + type: string + status: + description: Status defines the expected HTTP status + code of the response to the health check request. + type: integer + timeout: + anyOf: + - type: integer + - type: string + description: |- + Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. + Default: 5s + x-kubernetes-int-or-string: true + type: object + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: |- + Name defines the name of the referenced Kubernetes Service or TraefikService. + The differentiation between the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + passHostHeader: + description: |- + PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to + the client. + properties: + flushInterval: + description: |- + FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. + A negative value means to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms + type: string + type: object + scheme: + description: |- + Scheme defines the scheme to use for the request to the upstream Kubernetes Service. + It defaults to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: |- + ServersTransport defines the name of ServersTransport resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + sticky: + description: |- + Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as + JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie + can only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: |- + Strategy defines the load balancing strategy between the servers. + RoundRobin is the only supported value at the moment. + type: string + weight: + description: |- + Weight defines the weight and should only be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + syntax: + description: |- + Syntax defines the router's rule syntax. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax + type: string + required: + - kind + - match + type: object + type: array + tls: + description: |- + TLS defines the TLS configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls + properties: + certResolver: + description: |- + CertResolver defines the name of the certificate resolver to use. + Cert resolvers have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers + type: string + domains: + description: |- + Domains defines the list of domains that will be used to issue certificates. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains + items: + description: Domain holds a domain name with SANs. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain + names. + items: + type: string + type: array + type: object + type: array + options: + description: |- + Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection. + If not defined, the `default` TLSOption is used. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options + properties: + name: + description: |- + Name defines the name of the referenced TLSOption. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption + type: string + namespace: + description: |- + Namespace defines the namespace of the referenced TLSOption. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption + type: string + required: + - name + type: object + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: |- + Store defines the reference to the TLSStore, that will be used to store certificates. + Please note that only `default` TLSStore can be used. + properties: + name: + description: |- + Name defines the name of the referenced TLSStore. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore + type: string + namespace: + description: |- + Namespace defines the namespace of the referenced TLSStore. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/traefik.io_ingressroutetcps.yaml b/charts/traefik/traefik/32.1.1/crds/traefik.io_ingressroutetcps.yaml new file mode 100644 index 000000000..9db38f869 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/traefik.io_ingressroutetcps.yaml @@ -0,0 +1,247 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: ingressroutetcps.traefik.io +spec: + group: traefik.io + names: + kind: IngressRouteTCP + listKind: IngressRouteTCPList + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP. + properties: + entryPoints: + description: |- + EntryPoints defines the list of entry point names to bind to. + Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/ + Default: all. + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: RouteTCP holds the TCP route configuration. + properties: + match: + description: |- + Match defines the router's rule. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule_1 + type: string + middlewares: + description: Middlewares defines the list of references to MiddlewareTCP + resources. + items: + description: ObjectReference is a generic reference to a Traefik + resource. + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + type: array + priority: + description: |- + Priority defines the router's priority. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority_1 + type: integer + services: + description: Services defines the list of TCP services. + items: + description: ServiceTCP defines an upstream TCP service to + proxy traffic to. + properties: + name: + description: Name defines the name of the referenced Kubernetes + Service. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + proxyProtocol: + description: |- + ProxyProtocol defines the PROXY protocol configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#proxy-protocol + properties: + version: + description: Version defines the PROXY Protocol version + to use. + type: integer + type: object + serversTransport: + description: |- + ServersTransport defines the name of ServersTransportTCP resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + terminationDelay: + description: |- + TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates + it has closed the writing capability of its connection, to close the reading capability as well, + hence fully terminating the connection. + It is a duration in milliseconds, defaulting to 100. + A negative value means an infinite deadline (i.e. the reading capability is never closed). + Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead. + type: integer + tls: + description: TLS determines whether to use TLS when dialing + with the backend. + type: boolean + weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. + type: integer + required: + - name + - port + type: object + type: array + syntax: + description: |- + Syntax defines the router's rule syntax. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax_1 + type: string + required: + - match + type: object + type: array + tls: + description: |- + TLS defines the TLS configuration on a layer 4 / TCP Route. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls_1 + properties: + certResolver: + description: |- + CertResolver defines the name of the certificate resolver to use. + Cert resolvers have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers + type: string + domains: + description: |- + Domains defines the list of domains that will be used to issue certificates. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains + items: + description: Domain holds a domain name with SANs. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain + names. + items: + type: string + type: array + type: object + type: array + options: + description: |- + Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection. + If not defined, the `default` TLSOption is used. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + passthrough: + description: Passthrough defines whether a TLS router will terminate + the TLS connection. + type: boolean + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: |- + Store defines the reference to the TLSStore, that will be used to store certificates. + Please note that only `default` TLSStore can be used. + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/traefik.io_ingressrouteudps.yaml b/charts/traefik/traefik/32.1.1/crds/traefik.io_ingressrouteudps.yaml new file mode 100644 index 000000000..9b04a8355 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/traefik.io_ingressrouteudps.yaml @@ -0,0 +1,111 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: ingressrouteudps.traefik.io +spec: + group: traefik.io + names: + kind: IngressRouteUDP + listKind: IngressRouteUDPList + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP. + properties: + entryPoints: + description: |- + EntryPoints defines the list of entry point names to bind to. + Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/ + Default: all. + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: RouteUDP holds the UDP route configuration. + properties: + services: + description: Services defines the list of UDP services. + items: + description: ServiceUDP defines an upstream UDP service to + proxy traffic to. + properties: + name: + description: Name defines the name of the referenced Kubernetes + Service. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. + type: integer + required: + - name + - port + type: object + type: array + type: object + type: array + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/traefik.io_middlewares.yaml b/charts/traefik/traefik/32.1.1/crds/traefik.io_middlewares.yaml new file mode 100644 index 000000000..7bc7f0546 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/traefik.io_middlewares.yaml @@ -0,0 +1,1098 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: middlewares.traefik.io +spec: + group: traefik.io + names: + kind: Middleware + listKind: MiddlewareList + plural: middlewares + singular: middleware + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Middleware is the CRD implementation of a Traefik Middleware. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/overview/ + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: MiddlewareSpec defines the desired state of a Middleware. + properties: + addPrefix: + description: |- + AddPrefix holds the add prefix middleware configuration. + This middleware updates the path of a request before forwarding it. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/addprefix/ + properties: + prefix: + description: |- + Prefix is the string to add before the current path in the requested URL. + It should include a leading slash (/). + type: string + type: object + basicAuth: + description: |- + BasicAuth holds the basic auth middleware configuration. + This middleware restricts access to your services to known users. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/ + properties: + headerField: + description: |- + HeaderField defines a header field to store the authenticated user. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield + type: string + realm: + description: |- + Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme. + Default: traefik. + type: string + removeHeader: + description: |- + RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service. + Default: false. + type: boolean + secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. + type: string + type: object + buffering: + description: |- + Buffering holds the buffering middleware configuration. + This middleware retries or limits the size of requests that can be forwarded to backends. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#maxrequestbodybytes + properties: + maxRequestBodyBytes: + description: |- + MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes). + If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response. + Default: 0 (no maximum). + format: int64 + type: integer + maxResponseBodyBytes: + description: |- + MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes). + If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead. + Default: 0 (no maximum). + format: int64 + type: integer + memRequestBodyBytes: + description: |- + MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory. + Default: 1048576 (1Mi). + format: int64 + type: integer + memResponseBodyBytes: + description: |- + MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory. + Default: 1048576 (1Mi). + format: int64 + type: integer + retryExpression: + description: |- + RetryExpression defines the retry conditions. + It is a logical combination of functions with operators AND (&&) and OR (||). + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#retryexpression + type: string + type: object + chain: + description: |- + Chain holds the configuration of the chain middleware. + This middleware enables to define reusable combinations of other pieces of middleware. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/chain/ + properties: + middlewares: + description: Middlewares is the list of MiddlewareRef which composes + the chain. + items: + description: MiddlewareRef is a reference to a Middleware resource. + properties: + name: + description: Name defines the name of the referenced Middleware + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. + type: string + required: + - name + type: object + type: array + type: object + circuitBreaker: + description: CircuitBreaker holds the circuit breaker configuration. + properties: + checkPeriod: + anyOf: + - type: integer + - type: string + description: CheckPeriod is the interval between successive checks + of the circuit breaker condition (when in standby state). + x-kubernetes-int-or-string: true + expression: + description: Expression is the condition that triggers the tripped + state. + type: string + fallbackDuration: + anyOf: + - type: integer + - type: string + description: FallbackDuration is the duration for which the circuit + breaker will wait before trying to recover (from a tripped state). + x-kubernetes-int-or-string: true + recoveryDuration: + anyOf: + - type: integer + - type: string + description: RecoveryDuration is the duration for which the circuit + breaker will try to recover (as soon as it is in recovering + state). + x-kubernetes-int-or-string: true + responseCode: + description: ResponseCode is the status code that the circuit + breaker will return while it is in the open state. + type: integer + type: object + compress: + description: |- + Compress holds the compress middleware configuration. + This middleware compresses responses before sending them to the client, using gzip compression. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/compress/ + properties: + defaultEncoding: + description: DefaultEncoding specifies the default encoding if + the `Accept-Encoding` header is not in the request or contains + a wildcard (`*`). + type: string + excludedContentTypes: + description: |- + ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing. + `application/grpc` is always excluded. + items: + type: string + type: array + includedContentTypes: + description: IncludedContentTypes defines the list of content + types to compare the Content-Type header of the responses before + compressing. + items: + type: string + type: array + minResponseBodyBytes: + description: |- + MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed. + Default: 1024. + type: integer + type: object + contentType: + description: |- + ContentType holds the content-type middleware configuration. + This middleware exists to enable the correct behavior until at least the default one can be changed in a future version. + properties: + autoDetect: + description: |- + AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend, + be automatically set to a value derived from the contents of the response. + Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option. + type: boolean + type: object + digestAuth: + description: |- + DigestAuth holds the digest auth middleware configuration. + This middleware restricts access to your services to known users. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/digestauth/ + properties: + headerField: + description: |- + HeaderField defines a header field to store the authenticated user. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield + type: string + realm: + description: |- + Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme. + Default: traefik. + type: string + removeHeader: + description: RemoveHeader defines whether to remove the authorization + header before forwarding the request to the backend. + type: boolean + secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. + type: string + type: object + errors: + description: |- + ErrorPage holds the custom error middleware configuration. + This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/ + properties: + query: + description: |- + Query defines the URL for the error page (hosted by service). + The {status} variable can be used in order to insert the status code in the URL. + type: string + service: + description: |- + Service defines the reference to a Kubernetes Service that will serve the error page. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/#service + properties: + healthCheck: + description: Healthcheck defines health checks for ExternalName + services. + properties: + followRedirects: + description: |- + FollowRedirects defines whether redirects should be followed during the health check calls. + Default: true + type: boolean + headers: + additionalProperties: + type: string + description: Headers defines custom headers to be sent + to the health check endpoint. + type: object + hostname: + description: Hostname defines the value of hostname in + the Host header of the health check request. + type: string + interval: + anyOf: + - type: integer + - type: string + description: |- + Interval defines the frequency of the health check calls. + Default: 30s + x-kubernetes-int-or-string: true + method: + description: Method defines the healthcheck method. + type: string + mode: + description: |- + Mode defines the health check mode. + If defined to grpc, will use the gRPC health check protocol to probe the server. + Default: http + type: string + path: + description: Path defines the server URL path for the + health check endpoint. + type: string + port: + description: Port defines the server URL port for the + health check endpoint. + type: integer + scheme: + description: Scheme replaces the server URL scheme for + the health check endpoint. + type: string + status: + description: Status defines the expected HTTP status code + of the response to the health check request. + type: integer + timeout: + anyOf: + - type: integer + - type: string + description: |- + Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. + Default: 5s + x-kubernetes-int-or-string: true + type: object + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: |- + Name defines the name of the referenced Kubernetes Service or TraefikService. + The differentiation between the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + passHostHeader: + description: |- + PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: |- + FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. + A negative value means to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms + type: string + type: object + scheme: + description: |- + Scheme defines the scheme to use for the request to the upstream Kubernetes Service. + It defaults to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: |- + ServersTransport defines the name of ServersTransport resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + sticky: + description: |- + Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can + be accessed by client-side APIs, such as JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: |- + Strategy defines the load balancing strategy between the servers. + RoundRobin is the only supported value at the moment. + type: string + weight: + description: |- + Weight defines the weight and should only be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + status: + description: |- + Status defines which status or range of statuses should result in an error page. + It can be either a status code as a number (500), + as multiple comma-separated numbers (500,502), + as ranges by separating two codes with a dash (500-599), + or a combination of the two (404,418,500-599). + items: + type: string + type: array + type: object + forwardAuth: + description: |- + ForwardAuth holds the forward auth middleware configuration. + This middleware delegates the request authentication to a Service. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/ + properties: + addAuthCookiesToResponse: + description: AddAuthCookiesToResponse defines the list of cookies + to copy from the authentication server response to the response. + items: + type: string + type: array + address: + description: Address defines the authentication server address. + type: string + authRequestHeaders: + description: |- + AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server. + If not set or empty then all request headers are passed. + items: + type: string + type: array + authResponseHeaders: + description: AuthResponseHeaders defines the list of headers to + copy from the authentication server response and set on forwarded + request, replacing any existing conflicting headers. + items: + type: string + type: array + authResponseHeadersRegex: + description: |- + AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/#authresponseheadersregex + type: string + tls: + description: TLS defines the configuration used to secure the + connection to the authentication server. + properties: + caOptional: + description: 'Deprecated: TLS client authentication is a server + side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).' + type: boolean + caSecret: + description: |- + CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate. + The CA certificate is extracted from key `tls.ca` or `ca.crt`. + type: string + certSecret: + description: |- + CertSecret is the name of the referenced Kubernetes Secret containing the client certificate. + The client certificate is extracted from the keys `tls.crt` and `tls.key`. + type: string + insecureSkipVerify: + description: InsecureSkipVerify defines whether the server + certificates should be validated. + type: boolean + type: object + trustForwardHeader: + description: 'TrustForwardHeader defines whether to trust (ie: + forward) all X-Forwarded-* headers.' + type: boolean + type: object + grpcWeb: + description: |- + GrpcWeb holds the gRPC web middleware configuration. + This middleware converts a gRPC web request to an HTTP/2 gRPC request. + properties: + allowOrigins: + description: |- + AllowOrigins is a list of allowable origins. + Can also be a wildcard origin "*". + items: + type: string + type: array + type: object + headers: + description: |- + Headers holds the headers middleware configuration. + This middleware manages the requests and responses headers. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/headers/#customrequestheaders + properties: + accessControlAllowCredentials: + description: AccessControlAllowCredentials defines whether the + request can include user credentials. + type: boolean + accessControlAllowHeaders: + description: AccessControlAllowHeaders defines the Access-Control-Request-Headers + values sent in preflight response. + items: + type: string + type: array + accessControlAllowMethods: + description: AccessControlAllowMethods defines the Access-Control-Request-Method + values sent in preflight response. + items: + type: string + type: array + accessControlAllowOriginList: + description: AccessControlAllowOriginList is a list of allowable + origins. Can also be a wildcard origin "*". + items: + type: string + type: array + accessControlAllowOriginListRegex: + description: AccessControlAllowOriginListRegex is a list of allowable + origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/). + items: + type: string + type: array + accessControlExposeHeaders: + description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers + values sent in preflight response. + items: + type: string + type: array + accessControlMaxAge: + description: AccessControlMaxAge defines the time that a preflight + request may be cached. + format: int64 + type: integer + addVaryHeader: + description: AddVaryHeader defines whether the Vary header is + automatically added/updated when the AccessControlAllowOriginList + is set. + type: boolean + allowedHosts: + description: AllowedHosts defines the fully qualified list of + allowed domain names. + items: + type: string + type: array + browserXssFilter: + description: BrowserXSSFilter defines whether to add the X-XSS-Protection + header with the value 1; mode=block. + type: boolean + contentSecurityPolicy: + description: ContentSecurityPolicy defines the Content-Security-Policy + header value. + type: string + contentSecurityPolicyReportOnly: + description: ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only + header value. + type: string + contentTypeNosniff: + description: ContentTypeNosniff defines whether to add the X-Content-Type-Options + header with the nosniff value. + type: boolean + customBrowserXSSValue: + description: |- + CustomBrowserXSSValue defines the X-XSS-Protection header value. + This overrides the BrowserXssFilter option. + type: string + customFrameOptionsValue: + description: |- + CustomFrameOptionsValue defines the X-Frame-Options header value. + This overrides the FrameDeny option. + type: string + customRequestHeaders: + additionalProperties: + type: string + description: CustomRequestHeaders defines the header names and + values to apply to the request. + type: object + customResponseHeaders: + additionalProperties: + type: string + description: CustomResponseHeaders defines the header names and + values to apply to the response. + type: object + featurePolicy: + description: 'Deprecated: FeaturePolicy option is deprecated, + please use PermissionsPolicy instead.' + type: string + forceSTSHeader: + description: ForceSTSHeader defines whether to add the STS header + even when the connection is HTTP. + type: boolean + frameDeny: + description: FrameDeny defines whether to add the X-Frame-Options + header with the DENY value. + type: boolean + hostsProxyHeaders: + description: HostsProxyHeaders defines the header keys that may + hold a proxied hostname value for the request. + items: + type: string + type: array + isDevelopment: + description: |- + IsDevelopment defines whether to mitigate the unwanted effects of the AllowedHosts, SSL, and STS options when developing. + Usually testing takes place using HTTP, not HTTPS, and on localhost, not your production domain. + If you would like your development environment to mimic production with complete Host blocking, SSL redirects, + and STS headers, leave this as false. + type: boolean + permissionsPolicy: + description: |- + PermissionsPolicy defines the Permissions-Policy header value. + This allows sites to control browser features. + type: string + publicKey: + description: PublicKey is the public key that implements HPKP + to prevent MITM attacks with forged certificates. + type: string + referrerPolicy: + description: |- + ReferrerPolicy defines the Referrer-Policy header value. + This allows sites to control whether browsers forward the Referer header to other sites. + type: string + sslForceHost: + description: 'Deprecated: SSLForceHost option is deprecated, please + use RedirectRegex instead.' + type: boolean + sslHost: + description: 'Deprecated: SSLHost option is deprecated, please + use RedirectRegex instead.' + type: string + sslProxyHeaders: + additionalProperties: + type: string + description: |- + SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request. + It can be useful when using other proxies (example: "X-Forwarded-Proto": "https"). + type: object + sslRedirect: + description: 'Deprecated: SSLRedirect option is deprecated, please + use EntryPoint redirection or RedirectScheme instead.' + type: boolean + sslTemporaryRedirect: + description: 'Deprecated: SSLTemporaryRedirect option is deprecated, + please use EntryPoint redirection or RedirectScheme instead.' + type: boolean + stsIncludeSubdomains: + description: STSIncludeSubdomains defines whether the includeSubDomains + directive is appended to the Strict-Transport-Security header. + type: boolean + stsPreload: + description: STSPreload defines whether the preload flag is appended + to the Strict-Transport-Security header. + type: boolean + stsSeconds: + description: |- + STSSeconds defines the max-age of the Strict-Transport-Security header. + If set to 0, the header is not set. + format: int64 + type: integer + type: object + inFlightReq: + description: |- + InFlightReq holds the in-flight request middleware configuration. + This middleware limits the number of requests being processed and served concurrently. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/ + properties: + amount: + description: |- + Amount defines the maximum amount of allowed simultaneous in-flight request. + The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy). + format: int64 + type: integer + sourceCriterion: + description: |- + SourceCriterion defines what criterion is used to group requests as originating from a common source. + If several strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the requestHost. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/#sourcecriterion + properties: + ipStrategy: + description: |- + IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. + items: + type: string + type: array + type: object + requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. + type: string + requestHost: + description: RequestHost defines whether to consider the request + Host as the source. + type: boolean + type: object + type: object + ipAllowList: + description: |- + IPAllowList holds the IP allowlist middleware configuration. + This middleware limits allowed requests based on the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/ + properties: + ipStrategy: + description: |- + IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position (starting + from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the X-Forwarded-For + header and select the first IP not in the list. + items: + type: string + type: array + type: object + rejectStatusCode: + description: |- + RejectStatusCode defines the HTTP status code used for refused requests. + If not set, the default is 403 (Forbidden). + type: integer + sourceRange: + description: SourceRange defines the set of allowed IPs (or ranges + of allowed IPs by using CIDR notation). + items: + type: string + type: array + type: object + ipWhiteList: + description: 'Deprecated: please use IPAllowList instead.' + properties: + ipStrategy: + description: |- + IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position (starting + from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the X-Forwarded-For + header and select the first IP not in the list. + items: + type: string + type: array + type: object + sourceRange: + description: SourceRange defines the set of allowed IPs (or ranges + of allowed IPs by using CIDR notation). Required. + items: + type: string + type: array + type: object + passTLSClientCert: + description: |- + PassTLSClientCert holds the pass TLS client cert middleware configuration. + This middleware adds the selected data from the passed client TLS certificate to a header. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/passtlsclientcert/ + properties: + info: + description: Info selects the specific client certificate details + you want to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + issuer: + description: Issuer defines the client certificate issuer + details to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + commonName: + description: CommonName defines whether to add the organizationalUnit + information into the issuer. + type: boolean + country: + description: Country defines whether to add the country + information into the issuer. + type: boolean + domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the issuer. + type: boolean + locality: + description: Locality defines whether to add the locality + information into the issuer. + type: boolean + organization: + description: Organization defines whether to add the organization + information into the issuer. + type: boolean + province: + description: Province defines whether to add the province + information into the issuer. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the issuer. + type: boolean + type: object + notAfter: + description: NotAfter defines whether to add the Not After + information from the Validity part. + type: boolean + notBefore: + description: NotBefore defines whether to add the Not Before + information from the Validity part. + type: boolean + sans: + description: Sans defines whether to add the Subject Alternative + Name information from the Subject Alternative Name part. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the client + serialNumber information. + type: boolean + subject: + description: Subject defines the client certificate subject + details to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + commonName: + description: CommonName defines whether to add the organizationalUnit + information into the subject. + type: boolean + country: + description: Country defines whether to add the country + information into the subject. + type: boolean + domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the subject. + type: boolean + locality: + description: Locality defines whether to add the locality + information into the subject. + type: boolean + organization: + description: Organization defines whether to add the organization + information into the subject. + type: boolean + organizationalUnit: + description: OrganizationalUnit defines whether to add + the organizationalUnit information into the subject. + type: boolean + province: + description: Province defines whether to add the province + information into the subject. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the subject. + type: boolean + type: object + type: object + pem: + description: PEM sets the X-Forwarded-Tls-Client-Cert header with + the certificate. + type: boolean + type: object + plugin: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: |- + Plugin defines the middleware plugin configuration. + More info: https://doc.traefik.io/traefik/plugins/ + type: object + rateLimit: + description: |- + RateLimit holds the rate limit configuration. + This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ratelimit/ + properties: + average: + description: |- + Average is the maximum rate, by default in requests/s, allowed for the given source. + It defaults to 0, which means no rate limiting. + The rate is actually defined by dividing Average by Period. So for a rate below 1req/s, + one needs to define a Period larger than a second. + format: int64 + type: integer + burst: + description: |- + Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time. + It defaults to 1. + format: int64 + type: integer + period: + anyOf: + - type: integer + - type: string + description: |- + Period, in combination with Average, defines the actual maximum rate, such as: + r = Average / Period. It defaults to a second. + x-kubernetes-int-or-string: true + sourceCriterion: + description: |- + SourceCriterion defines what criterion is used to group requests as originating from a common source. + If several strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the request's remote address field (as an ipStrategy). + properties: + ipStrategy: + description: |- + IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. + items: + type: string + type: array + type: object + requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. + type: string + requestHost: + description: RequestHost defines whether to consider the request + Host as the source. + type: boolean + type: object + type: object + redirectRegex: + description: |- + RedirectRegex holds the redirect regex middleware configuration. + This middleware redirects a request using regex matching and replacement. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectregex/#regex + properties: + permanent: + description: Permanent defines whether the redirection is permanent + (301). + type: boolean + regex: + description: Regex defines the regex used to match and capture + elements from the request URL. + type: string + replacement: + description: Replacement defines how to modify the URL to have + the new target URL. + type: string + type: object + redirectScheme: + description: |- + RedirectScheme holds the redirect scheme middleware configuration. + This middleware redirects requests from a scheme/port to another. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectscheme/ + properties: + permanent: + description: Permanent defines whether the redirection is permanent + (301). + type: boolean + port: + description: Port defines the port of the new URL. + type: string + scheme: + description: Scheme defines the scheme of the new URL. + type: string + type: object + replacePath: + description: |- + ReplacePath holds the replace path middleware configuration. + This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepath/ + properties: + path: + description: Path defines the path to use as replacement in the + request URL. + type: string + type: object + replacePathRegex: + description: |- + ReplacePathRegex holds the replace path regex middleware configuration. + This middleware replaces the path of a URL using regex matching and replacement. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepathregex/ + properties: + regex: + description: Regex defines the regular expression used to match + and capture the path from the request URL. + type: string + replacement: + description: Replacement defines the replacement path format, + which can include captured variables. + type: string + type: object + retry: + description: |- + Retry holds the retry middleware configuration. + This middleware reissues requests a given number of times to a backend server if that server does not reply. + As soon as the server answers, the middleware stops retrying, regardless of the response status. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/retry/ + properties: + attempts: + description: Attempts defines how many times the request should + be retried. + type: integer + initialInterval: + anyOf: + - type: integer + - type: string + description: |- + InitialInterval defines the first wait time in the exponential backoff series. + The maximum interval is calculated as twice the initialInterval. + If unspecified, requests will be retried immediately. + The value of initialInterval should be provided in seconds or as a valid duration format, + see https://pkg.go.dev/time#ParseDuration. + x-kubernetes-int-or-string: true + type: object + stripPrefix: + description: |- + StripPrefix holds the strip prefix middleware configuration. + This middleware removes the specified prefixes from the URL path. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefix/ + properties: + forceSlash: + description: |- + Deprecated: ForceSlash option is deprecated, please remove any usage of this option. + ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary. + Default: true. + type: boolean + prefixes: + description: Prefixes defines the prefixes to strip from the request + URL. + items: + type: string + type: array + type: object + stripPrefixRegex: + description: |- + StripPrefixRegex holds the strip prefix regex middleware configuration. + This middleware removes the matching prefixes from the URL path. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefixregex/ + properties: + regex: + description: Regex defines the regular expression to match the + path prefix from the request URL. + items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/traefik.io_middlewaretcps.yaml b/charts/traefik/traefik/32.1.1/crds/traefik.io_middlewaretcps.yaml new file mode 100644 index 000000000..f09e3d412 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/traefik.io_middlewaretcps.yaml @@ -0,0 +1,87 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: middlewaretcps.traefik.io +spec: + group: traefik.io + names: + kind: MiddlewareTCP + listKind: MiddlewareTCPList + plural: middlewaretcps + singular: middlewaretcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + MiddlewareTCP is the CRD implementation of a Traefik TCP middleware. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/overview/ + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP. + properties: + inFlightConn: + description: InFlightConn defines the InFlightConn middleware configuration. + properties: + amount: + description: |- + Amount defines the maximum amount of allowed simultaneous connections. + The middleware closes the connection if there are already amount connections opened. + format: int64 + type: integer + type: object + ipAllowList: + description: |- + IPAllowList defines the IPAllowList middleware configuration. + This middleware accepts/refuses connections based on the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipallowlist/ + properties: + sourceRange: + description: SourceRange defines the allowed IPs (or ranges of + allowed IPs by using CIDR notation). + items: + type: string + type: array + type: object + ipWhiteList: + description: |- + IPWhiteList defines the IPWhiteList middleware configuration. + This middleware accepts/refuses connections based on the client IP. + Deprecated: please use IPAllowList instead. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipwhitelist/ + properties: + sourceRange: + description: SourceRange defines the allowed IPs (or ranges of + allowed IPs by using CIDR notation). + items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/traefik.io_serverstransports.yaml b/charts/traefik/traefik/32.1.1/crds/traefik.io_serverstransports.yaml new file mode 100644 index 000000000..a447c97f1 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/traefik.io_serverstransports.yaml @@ -0,0 +1,139 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: serverstransports.traefik.io +spec: + group: traefik.io + names: + kind: ServersTransport + listKind: ServersTransportList + plural: serverstransports + singular: serverstransport + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ServersTransport is the CRD implementation of a ServersTransport. + If no serversTransport is specified, the default@internal will be used. + The default@internal serversTransport is created from the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_1 + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServersTransportSpec defines the desired state of a ServersTransport. + properties: + certificatesSecrets: + description: CertificatesSecrets defines a list of secret storing + client certificates for mTLS. + items: + type: string + type: array + disableHTTP2: + description: DisableHTTP2 disables HTTP/2 for connections with backend + servers. + type: boolean + forwardingTimeouts: + description: ForwardingTimeouts defines the timeouts for requests + forwarded to the backend servers. + properties: + dialTimeout: + anyOf: + - type: integer + - type: string + description: DialTimeout is the amount of time to wait until a + connection to a backend server can be established. + x-kubernetes-int-or-string: true + idleConnTimeout: + anyOf: + - type: integer + - type: string + description: IdleConnTimeout is the maximum period for which an + idle HTTP keep-alive connection will remain open before closing + itself. + x-kubernetes-int-or-string: true + pingTimeout: + anyOf: + - type: integer + - type: string + description: PingTimeout is the timeout after which the HTTP/2 + connection will be closed if a response to ping is not received. + x-kubernetes-int-or-string: true + readIdleTimeout: + anyOf: + - type: integer + - type: string + description: ReadIdleTimeout is the timeout after which a health + check using ping frame will be carried out if no frame is received + on the HTTP/2 connection. + x-kubernetes-int-or-string: true + responseHeaderTimeout: + anyOf: + - type: integer + - type: string + description: ResponseHeaderTimeout is the amount of time to wait + for a server's response headers after fully writing the request + (including its body, if any). + x-kubernetes-int-or-string: true + type: object + insecureSkipVerify: + description: InsecureSkipVerify disables SSL certificate verification. + type: boolean + maxIdleConnsPerHost: + description: MaxIdleConnsPerHost controls the maximum idle (keep-alive) + to keep per-host. + type: integer + peerCertURI: + description: PeerCertURI defines the peer cert URI used to match against + SAN URI during the peer certificate verification. + type: string + rootCAsSecrets: + description: RootCAsSecrets defines a list of CA secret used to validate + self-signed certificate. + items: + type: string + type: array + serverName: + description: ServerName defines the server name used to contact the + server. + type: string + spiffe: + description: Spiffe defines the SPIFFE configuration. + properties: + ids: + description: IDs defines the allowed SPIFFE IDs (takes precedence + over the SPIFFE TrustDomain). + items: + type: string + type: array + trustDomain: + description: TrustDomain defines the allowed SPIFFE trust domain. + type: string + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/traefik.io_serverstransporttcps.yaml b/charts/traefik/traefik/32.1.1/crds/traefik.io_serverstransporttcps.yaml new file mode 100644 index 000000000..319044709 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/traefik.io_serverstransporttcps.yaml @@ -0,0 +1,120 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: serverstransporttcps.traefik.io +spec: + group: traefik.io + names: + kind: ServersTransportTCP + listKind: ServersTransportTCPList + plural: serverstransporttcps + singular: serverstransporttcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ServersTransportTCP is the CRD implementation of a TCPServersTransport. + If no tcpServersTransport is specified, a default one named default@internal will be used. + The default@internal tcpServersTransport can be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_3 + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP. + properties: + dialKeepAlive: + anyOf: + - type: integer + - type: string + description: DialKeepAlive is the interval between keep-alive probes + for an active network connection. If zero, keep-alive probes are + sent with a default value (currently 15 seconds), if supported by + the protocol and operating system. Network protocols or operating + systems that do not support keep-alives ignore this field. If negative, + keep-alive probes are disabled. + x-kubernetes-int-or-string: true + dialTimeout: + anyOf: + - type: integer + - type: string + description: DialTimeout is the amount of time to wait until a connection + to a backend server can be established. + x-kubernetes-int-or-string: true + terminationDelay: + anyOf: + - type: integer + - type: string + description: TerminationDelay defines the delay to wait before fully + terminating the connection, after one connected peer has closed + its writing capability. + x-kubernetes-int-or-string: true + tls: + description: TLS defines the TLS configuration + properties: + certificatesSecrets: + description: CertificatesSecrets defines a list of secret storing + client certificates for mTLS. + items: + type: string + type: array + insecureSkipVerify: + description: InsecureSkipVerify disables TLS certificate verification. + type: boolean + peerCertURI: + description: |- + MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host. + PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification. + type: string + rootCAsSecrets: + description: RootCAsSecrets defines a list of CA secret used to + validate self-signed certificates. + items: + type: string + type: array + serverName: + description: ServerName defines the server name used to contact + the server. + type: string + spiffe: + description: Spiffe defines the SPIFFE configuration. + properties: + ids: + description: IDs defines the allowed SPIFFE IDs (takes precedence + over the SPIFFE TrustDomain). + items: + type: string + type: array + trustDomain: + description: TrustDomain defines the allowed SPIFFE trust + domain. + type: string + type: object + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/traefik.io_tlsoptions.yaml b/charts/traefik/traefik/32.1.1/crds/traefik.io_tlsoptions.yaml new file mode 100644 index 000000000..932f95811 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/traefik.io_tlsoptions.yaml @@ -0,0 +1,114 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: tlsoptions.traefik.io +spec: + group: traefik.io + names: + kind: TLSOption + listKind: TLSOptionList + plural: tlsoptions + singular: tlsoption + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TLSOptionSpec defines the desired state of a TLSOption. + properties: + alpnProtocols: + description: |- + ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#alpn-protocols + items: + type: string + type: array + cipherSuites: + description: |- + CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#cipher-suites + items: + type: string + type: array + clientAuth: + description: ClientAuth defines the server's policy for TLS Client + Authentication. + properties: + clientAuthType: + description: ClientAuthType defines the client authentication + type to apply. + enum: + - NoClientCert + - RequestClientCert + - RequireAnyClientCert + - VerifyClientCertIfGiven + - RequireAndVerifyClientCert + type: string + secretNames: + description: SecretNames defines the names of the referenced Kubernetes + Secret storing certificate details. + items: + type: string + type: array + type: object + curvePreferences: + description: |- + CurvePreferences defines the preferred elliptic curves in a specific order. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#curve-preferences + items: + type: string + type: array + maxVersion: + description: |- + MaxVersion defines the maximum TLS version that Traefik will accept. + Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + Default: None. + type: string + minVersion: + description: |- + MinVersion defines the minimum TLS version that Traefik will accept. + Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + Default: VersionTLS10. + type: string + preferServerCipherSuites: + description: |- + PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's. + It is enabled automatically when minVersion or maxVersion is set. + Deprecated: https://github.com/golang/go/issues/45430 + type: boolean + sniStrict: + description: SniStrict defines whether Traefik allows connections + from clients connections that do not specify a server_name extension. + type: boolean + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/traefik.io_tlsstores.yaml b/charts/traefik/traefik/32.1.1/crds/traefik.io_tlsstores.yaml new file mode 100644 index 000000000..37afedc02 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/traefik.io_tlsstores.yaml @@ -0,0 +1,97 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: tlsstores.traefik.io +spec: + group: traefik.io + names: + kind: TLSStore + listKind: TLSStoreList + plural: tlsstores + singular: tlsstore + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + TLSStore is the CRD implementation of a Traefik TLS Store. + For the time being, only the TLSStore named default is supported. + This means that you cannot have two stores that are named default in different Kubernetes namespaces. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#certificates-stores + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TLSStoreSpec defines the desired state of a TLSStore. + properties: + certificates: + description: Certificates is a list of secret names, each secret holding + a key/certificate pair to add to the store. + items: + description: Certificate holds a secret name for the TLSStore resource. + properties: + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + required: + - secretName + type: object + type: array + defaultCertificate: + description: DefaultCertificate defines the default certificate configuration. + properties: + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + required: + - secretName + type: object + defaultGeneratedCert: + description: DefaultGeneratedCert defines the default generated certificate + configuration. + properties: + domain: + description: Domain is the domain definition for the DefaultCertificate. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain names. + items: + type: string + type: array + type: object + resolver: + description: Resolver is the name of the resolver that will be + used to issue the DefaultCertificate. + type: string + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/crds/traefik.io_traefikservices.yaml b/charts/traefik/traefik/32.1.1/crds/traefik.io_traefikservices.yaml new file mode 100644 index 000000000..1e1b279d5 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/crds/traefik.io_traefikservices.yaml @@ -0,0 +1,639 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: traefikservices.traefik.io +spec: + group: traefik.io + names: + kind: TraefikService + listKind: TraefikServiceList + plural: traefikservices + singular: traefikservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + TraefikService is the CRD implementation of a Traefik Service. + TraefikService object allows to: + - Apply weight to Services on load-balancing + - Mirror traffic on services + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-traefikservice + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TraefikServiceSpec defines the desired state of a TraefikService. + properties: + mirroring: + description: Mirroring defines the Mirroring service configuration. + properties: + healthCheck: + description: Healthcheck defines health checks for ExternalName + services. + properties: + followRedirects: + description: |- + FollowRedirects defines whether redirects should be followed during the health check calls. + Default: true + type: boolean + headers: + additionalProperties: + type: string + description: Headers defines custom headers to be sent to + the health check endpoint. + type: object + hostname: + description: Hostname defines the value of hostname in the + Host header of the health check request. + type: string + interval: + anyOf: + - type: integer + - type: string + description: |- + Interval defines the frequency of the health check calls. + Default: 30s + x-kubernetes-int-or-string: true + method: + description: Method defines the healthcheck method. + type: string + mode: + description: |- + Mode defines the health check mode. + If defined to grpc, will use the gRPC health check protocol to probe the server. + Default: http + type: string + path: + description: Path defines the server URL path for the health + check endpoint. + type: string + port: + description: Port defines the server URL port for the health + check endpoint. + type: integer + scheme: + description: Scheme replaces the server URL scheme for the + health check endpoint. + type: string + status: + description: Status defines the expected HTTP status code + of the response to the health check request. + type: integer + timeout: + anyOf: + - type: integer + - type: string + description: |- + Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. + Default: 5s + x-kubernetes-int-or-string: true + type: object + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + maxBodySize: + description: |- + MaxBodySize defines the maximum size allowed for the body of the request. + If the body is larger, the request is not mirrored. + Default value is -1, which means unlimited size. + format: int64 + type: integer + mirrors: + description: Mirrors defines the list of mirrors where Traefik + will duplicate the traffic. + items: + description: MirrorService holds the mirror configuration. + properties: + healthCheck: + description: Healthcheck defines health checks for ExternalName + services. + properties: + followRedirects: + description: |- + FollowRedirects defines whether redirects should be followed during the health check calls. + Default: true + type: boolean + headers: + additionalProperties: + type: string + description: Headers defines custom headers to be sent + to the health check endpoint. + type: object + hostname: + description: Hostname defines the value of hostname + in the Host header of the health check request. + type: string + interval: + anyOf: + - type: integer + - type: string + description: |- + Interval defines the frequency of the health check calls. + Default: 30s + x-kubernetes-int-or-string: true + method: + description: Method defines the healthcheck method. + type: string + mode: + description: |- + Mode defines the health check mode. + If defined to grpc, will use the gRPC health check protocol to probe the server. + Default: http + type: string + path: + description: Path defines the server URL path for the + health check endpoint. + type: string + port: + description: Port defines the server URL port for the + health check endpoint. + type: integer + scheme: + description: Scheme replaces the server URL scheme for + the health check endpoint. + type: string + status: + description: Status defines the expected HTTP status + code of the response to the health check request. + type: integer + timeout: + anyOf: + - type: integer + - type: string + description: |- + Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. + Default: 5s + x-kubernetes-int-or-string: true + type: object + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: |- + Name defines the name of the referenced Kubernetes Service or TraefikService. + The differentiation between the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + passHostHeader: + description: |- + PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + percent: + description: |- + Percent defines the part of the traffic to mirror. + Supported values: 0 to 100. + type: integer + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: |- + FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. + A negative value means to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms + type: string + type: object + scheme: + description: |- + Scheme defines the scheme to use for the request to the upstream Kubernetes Service. + It defaults to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: |- + ServersTransport defines the name of ServersTransport resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + sticky: + description: |- + Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: |- + Strategy defines the load balancing strategy between the servers. + RoundRobin is the only supported value at the moment. + type: string + weight: + description: |- + Weight defines the weight and should only be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + name: + description: |- + Name defines the name of the referenced Kubernetes Service or TraefikService. + The differentiation between the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + passHostHeader: + description: |- + PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards the + response from the upstream Kubernetes Service to the client. + properties: + flushInterval: + description: |- + FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. + A negative value means to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms + type: string + type: object + scheme: + description: |- + Scheme defines the scheme to use for the request to the upstream Kubernetes Service. + It defaults to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: |- + ServersTransport defines the name of ServersTransport resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + sticky: + description: |- + Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: |- + Strategy defines the load balancing strategy between the servers. + RoundRobin is the only supported value at the moment. + type: string + weight: + description: |- + Weight defines the weight and should only be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + weighted: + description: Weighted defines the Weighted Round Robin configuration. + properties: + services: + description: Services defines the list of Kubernetes Service and/or + TraefikService to load-balance, with weight. + items: + description: Service defines an upstream HTTP service to proxy + traffic to. + properties: + healthCheck: + description: Healthcheck defines health checks for ExternalName + services. + properties: + followRedirects: + description: |- + FollowRedirects defines whether redirects should be followed during the health check calls. + Default: true + type: boolean + headers: + additionalProperties: + type: string + description: Headers defines custom headers to be sent + to the health check endpoint. + type: object + hostname: + description: Hostname defines the value of hostname + in the Host header of the health check request. + type: string + interval: + anyOf: + - type: integer + - type: string + description: |- + Interval defines the frequency of the health check calls. + Default: 30s + x-kubernetes-int-or-string: true + method: + description: Method defines the healthcheck method. + type: string + mode: + description: |- + Mode defines the health check mode. + If defined to grpc, will use the gRPC health check protocol to probe the server. + Default: http + type: string + path: + description: Path defines the server URL path for the + health check endpoint. + type: string + port: + description: Port defines the server URL port for the + health check endpoint. + type: integer + scheme: + description: Scheme replaces the server URL scheme for + the health check endpoint. + type: string + status: + description: Status defines the expected HTTP status + code of the response to the health check request. + type: integer + timeout: + anyOf: + - type: integer + - type: string + description: |- + Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. + Default: 5s + x-kubernetes-int-or-string: true + type: object + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: |- + Name defines the name of the referenced Kubernetes Service or TraefikService. + The differentiation between the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + passHostHeader: + description: |- + PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: |- + FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. + A negative value means to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms + type: string + type: object + scheme: + description: |- + Scheme defines the scheme to use for the request to the upstream Kubernetes Service. + It defaults to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: |- + ServersTransport defines the name of ServersTransport resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + sticky: + description: |- + Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: |- + Strategy defines the load balancing strategy between the servers. + RoundRobin is the only supported value at the moment. + type: string + weight: + description: |- + Weight defines the weight and should only be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + sticky: + description: |- + Sticky defines whether sticky sessions are enabled. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#stickiness-and-load-balancing + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). + type: boolean + type: object + type: object + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.1.1/templates/NOTES.txt b/charts/traefik/traefik/32.1.1/templates/NOTES.txt new file mode 100644 index 000000000..a1a10bfb3 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/NOTES.txt @@ -0,0 +1,36 @@ + + +{{ .Release.Name }} with {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} has been deployed successfully on {{ template "traefik.namespace" . }} namespace ! + +{{- if .Values.persistence }} +{{- if and .Values.persistence.enabled (empty .Values.deployment.initContainer)}} + +🚨 When enabling persistence for certificates, permissions on acme.json can be +lost when Traefik restarts. You can ensure correct permissions with an +initContainer. See https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-traefik-native-lets-encrypt-integration-without-cert-manager +for more info. 🚨 + +{{- end }} +{{- end }} +{{- with .Values.providers.kubernetesCRD.labelSelector }} + {{- $labelsApplied := include "traefik.labels" $ }} + {{- $labelSelectors := regexSplit "," . -1 }} + {{- range $labelSelectors }} + {{- $labelSelectorRaw := regexSplit "=" . -1 }} + {{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) }} + {{- if not (contains $labelSelector $labelsApplied) }} +🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesCRD provider 🚨 + {{- end }} + {{- end }} +{{- end }} +{{- with .Values.providers.kubernetesIngress.labelSelector }} + {{- $labelsApplied := include "traefik.labels" $ }} + {{- $labelSelectors := regexSplit "," . -1 }} + {{- range $labelSelectors }} + {{- $labelSelectorRaw := regexSplit "=" . -1 }} + {{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) }} + {{- if not (contains $labelSelector $labelsApplied) }} +🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesIngress provider 🚨 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/traefik/traefik/32.1.1/templates/_helpers.tpl b/charts/traefik/traefik/32.1.1/templates/_helpers.tpl new file mode 100644 index 000000000..2183f84ab --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/_helpers.tpl @@ -0,0 +1,161 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "traefik.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "traefik.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the chart image name. +*/}} +{{- define "traefik.image-name" -}} +{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (.Values.image.tag | default .Chart.AppVersion) }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "traefik.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow customization of the instance label value. +*/}} +{{- define "traefik.instance-name" -}} +{{- default (printf "%s-%s" .Release.Name .Release.Namespace) .Values.instanceLabelOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* Shared labels used for selector*/}} +{{/* This is an immutable field: this should not change between upgrade */}} +{{- define "traefik.labelselector" -}} +app.kubernetes.io/name: {{ template "traefik.name" . }} +app.kubernetes.io/instance: {{ template "traefik.instance-name" . }} +{{- end }} + +{{/* Shared labels used in metada */}} +{{- define "traefik.labels" -}} +{{ include "traefik.labelselector" . }} +helm.sh/chart: {{ template "traefik.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.commonLabels }} +{{ toYaml . }} +{{- end }} +{{- end }} + +{{/* +Construct the namespace for all namespaced resources +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +Preserve the default behavior of the Release namespace if no override is provided +*/}} +{{- define "traefik.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +The name of the service account to use +*/}} +{{- define "traefik.serviceAccountName" -}} +{{- default (include "traefik.fullname" .) .Values.serviceAccount.name -}} +{{- end -}} + +{{/* +The name of the ClusterRole and ClusterRoleBinding to use. +Adds the namespace to name to prevent duplicate resource names when there +are multiple namespaced releases with the same release name. +*/}} +{{- define "traefik.clusterRoleName" -}} +{{- (printf "%s-%s" (include "traefik.fullname" .) .Release.Namespace) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Construct the path for the providers.kubernetesingress.ingressendpoint.publishedservice. +By convention this will simply use the / to match the name of the +service generated. +Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride` +*/}} +{{- define "providers.kubernetesIngress.publishedServicePath" -}} +{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "traefik.fullname" .) -}} +{{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct a comma-separated list of whitelisted namespaces +*/}} +{{- define "providers.kubernetesCRD.namespaces" -}} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesCRD.namespaces) }} +{{- end -}} +{{- define "providers.kubernetesGateway.namespaces" -}} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesGateway.namespaces) }} +{{- end -}} +{{- define "providers.kubernetesIngress.namespaces" -}} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesIngress.namespaces) }} +{{- end -}} + +{{/* +Renders a complete tree, even values that contains template. +*/}} +{{- define "traefik.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{ else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{- define "imageVersion" -}} +{{/* +Traefik hub is based on v3.1 (v3.0 before v3.3.1) of traefik proxy, so this is a hack to avoid to much complexity in RBAC management which are +based on semverCompare +*/}} +{{- if $.Values.hub.token -}} +{{ if and (regexMatch "v[0-9]+.[0-9]+.[0-9]+" (default "" $.Values.image.tag)) (semverCompare "=3.1.2-0" $version) }} + - "--providers.kubernetescrd.disableClusterScopeResources=true" + {{- end }} + {{- if .Values.providers.kubernetesCRD.nativeLBByDefault }} + - "--providers.kubernetescrd.nativeLBByDefault=true" + {{- end }} + {{- end }} + {{- if .Values.providers.kubernetesIngress.enabled }} + - "--providers.kubernetesingress" + {{- if .Values.providers.kubernetesIngress.allowExternalNameServices }} + - "--providers.kubernetesingress.allowExternalNameServices=true" + {{- end }} + {{- if .Values.providers.kubernetesIngress.allowEmptyServices }} + - "--providers.kubernetesingress.allowEmptyServices=true" + {{- end }} + {{- if and .Values.service.enabled .Values.providers.kubernetesIngress.publishedService.enabled }} + - "--providers.kubernetesingress.ingressendpoint.publishedservice={{ template "providers.kubernetesIngress.publishedServicePath" . }}" + {{- end }} + {{- if .Values.providers.kubernetesIngress.labelSelector }} + - "--providers.kubernetesingress.labelSelector={{ .Values.providers.kubernetesIngress.labelSelector }}" + {{- end }} + {{- if .Values.providers.kubernetesIngress.ingressClass }} + - "--providers.kubernetesingress.ingressClass={{ .Values.providers.kubernetesIngress.ingressClass }}" + {{- end }} + {{- if .Values.rbac.namespaced }} + {{- if semverCompare "<3.1.5-0" $version }} + - "--providers.kubernetesingress.disableIngressClassLookup=true" + {{- if semverCompare ">=3.1.2-0" $version }} + - "--providers.kubernetesingress.disableClusterScopeResources=true" + {{- end }} + {{- else }} + - "--providers.kubernetesingress.disableClusterScopeResources=true" + {{- end }} + {{- end }} + {{- if .Values.providers.kubernetesIngress.nativeLBByDefault }} + - "--providers.kubernetesingress.nativeLBByDefault=true" + {{- end }} + {{- end }} + {{- if .Values.experimental.kubernetesGateway.enabled }} + - "--experimental.kubernetesgateway" + {{- end }} + {{- with .Values.providers.kubernetesCRD }} + {{- if (and .enabled (or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced))) }} + - "--providers.kubernetescrd.namespaces={{ template "providers.kubernetesCRD.namespaces" $ }}" + {{- end }} + {{- end }} + {{- with .Values.providers.kubernetesGateway }} + {{- if .enabled }} + - "--providers.kubernetesgateway" + {{- if or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced) }} + - "--providers.kubernetesgateway.namespaces={{ template "providers.kubernetesGateway.namespaces" $ }}" + {{- end }} + {{- if .experimentalChannel }} + - "--providers.kubernetesgateway.experimentalchannel=true" + {{- end }} + {{- with .labelselector }} + - "--providers.kubernetesgateway.labelselector={{ . }}" + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.providers.kubernetesIngress }} + {{- if (and .enabled (or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced))) }} + - "--providers.kubernetesingress.namespaces={{ template "providers.kubernetesIngress.namespaces" $ }}" + {{- end }} + {{- end }} + {{- with .Values.providers.file }} + {{- if .enabled }} + - "--providers.file.directory=/etc/traefik/dynamic" + {{- if .watch }} + - "--providers.file.watch=true" + {{- end }} + {{- end }} + {{- end }} + {{- range $entrypoint, $config := $.Values.ports }} + {{- if $config }} + {{- if $config.redirectTo }} + {{- $toPort := index $.Values.ports $config.redirectTo.port }} + - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $toPort.exposedPort }}" + - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https" + {{- if $config.redirectTo.priority }} + - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.priority={{ $config.redirectTo.priority }}" + {{- end }} + {{- if $config.redirectTo.permanent }} + - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.permanent=true" + {{- end }} + {{- end }} + {{- if $config.middlewares }} + - "--entryPoints.{{ $entrypoint }}.http.middlewares={{ join "," $config.middlewares }}" + {{- end }} + {{- if $config.tls }} + {{- if $config.tls.enabled }} + - "--entryPoints.{{ $entrypoint }}.http.tls=true" + {{- if $config.tls.options }} + - "--entryPoints.{{ $entrypoint }}.http.tls.options={{ $config.tls.options }}" + {{- end }} + {{- if $config.tls.certResolver }} + - "--entryPoints.{{ $entrypoint }}.http.tls.certResolver={{ $config.tls.certResolver }}" + {{- end }} + {{- if $config.tls.domains }} + {{- range $index, $domain := $config.tls.domains }} + {{- if $domain.main }} + - "--entryPoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].main={{ $domain.main }}" + {{- end }} + {{- if $domain.sans }} + - "--entryPoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].sans={{ join "," $domain.sans }}" + {{- end }} + {{- end }} + {{- end }} + {{- if $config.http3 }} + {{- if $config.http3.enabled }} + - "--entryPoints.{{ $entrypoint }}.http3" + {{- if $config.http3.advertisedPort }} + - "--entryPoints.{{ $entrypoint }}.http3.advertisedPort={{ $config.http3.advertisedPort }}" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if $config.allowACMEByPass }} + {{- if (semverCompare "<3.1.3-0" $version) }} + {{- fail "ERROR: allowACMEByPass has been introduced with Traefik v3.1.3+" -}} + {{- end }} + - "--entryPoints.name.allowACMEByPass=true" + {{- end }} + {{- if $config.forwardedHeaders }} + {{- if $config.forwardedHeaders.trustedIPs }} + - "--entryPoints.{{ $entrypoint }}.forwardedHeaders.trustedIPs={{ join "," $config.forwardedHeaders.trustedIPs }}" + {{- end }} + {{- if $config.forwardedHeaders.insecure }} + - "--entryPoints.{{ $entrypoint }}.forwardedHeaders.insecure" + {{- end }} + {{- end }} + {{- if $config.proxyProtocol }} + {{- if $config.proxyProtocol.trustedIPs }} + - "--entryPoints.{{ $entrypoint }}.proxyProtocol.trustedIPs={{ join "," $config.proxyProtocol.trustedIPs }}" + {{- end }} + {{- if $config.proxyProtocol.insecure }} + - "--entryPoints.{{ $entrypoint }}.proxyProtocol.insecure" + {{- end }} + {{- end }} + {{- with $config.transport }} + {{- with .respondingTimeouts }} + {{- if and (ne .readTimeout nil) (toString .readTimeout) }} + - "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.readTimeout={{ .readTimeout }}" + {{- end }} + {{- if and (ne .writeTimeout nil) (toString .writeTimeout) }} + - "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.writeTimeout={{ .writeTimeout }}" + {{- end }} + {{- if and (ne .idleTimeout nil) (toString .idleTimeout) }} + - "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.idleTimeout={{ .idleTimeout }}" + {{- end }} + {{- end }} + {{- with .lifeCycle }} + {{- if and (ne .requestAcceptGraceTimeout nil) (toString .requestAcceptGraceTimeout) }} + - "--entryPoints.{{ $entrypoint }}.transport.lifeCycle.requestAcceptGraceTimeout={{ .requestAcceptGraceTimeout }}" + {{- end }} + {{- if and (ne .graceTimeOut nil) (toString .graceTimeOut) }} + - "--entryPoints.{{ $entrypoint }}.transport.lifeCycle.graceTimeOut={{ .graceTimeOut }}" + {{- end }} + {{- end }} + {{- if and (ne .keepAliveMaxRequests nil) (toString .keepAliveMaxRequests) }} + - "--entryPoints.{{ $entrypoint }}.transport.keepAliveMaxRequests={{ .keepAliveMaxRequests }}" + {{- end }} + {{- if and (ne .keepAliveMaxTime nil) (toString .keepAliveMaxTime) }} + - "--entryPoints.{{ $entrypoint }}.transport.keepAliveMaxTime={{ .keepAliveMaxTime }}" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.logs }} + {{- if and .general.format (not (has .general.format (list "common" "json"))) }} + {{- fail "ERROR: .Values.logs.general.format must be either common or json" }} + {{- end }} + {{- with .general.format }} + - "--log.format={{ . }}" + {{- end }} + {{- with .general.filePath }} + - "--log.filePath={{ . }}" + {{- end }} + {{- if and (or (eq .general.format "common") (not .general.format)) (eq .general.noColor true) }} + - "--log.noColor={{ .general.noColor }}" + {{- end }} + {{- with .general.level }} + - "--log.level={{ . | upper }}" + {{- end }} + {{- if .access.enabled }} + - "--accesslog=true" + {{- with .access.format }} + - "--accesslog.format={{ . }}" + {{- end }} + {{- with .access.filePath }} + - "--accesslog.filepath={{ . }}" + {{- end }} + {{- if .access.addInternals }} + - "--accesslog.addinternals" + {{- end }} + {{- with .access.bufferingSize }} + - "--accesslog.bufferingsize={{ . }}" + {{- end }} + {{- with .access.filters }} + {{- with .statuscodes }} + - "--accesslog.filters.statuscodes={{ . }}" + {{- end }} + {{- if .retryattempts }} + - "--accesslog.filters.retryattempts" + {{- end }} + {{- with .minduration }} + - "--accesslog.filters.minduration={{ . }}" + {{- end }} + {{- end }} + - "--accesslog.fields.defaultmode={{ .access.fields.general.defaultmode }}" + {{- range $fieldname, $fieldaction := .access.fields.general.names }} + - "--accesslog.fields.names.{{ $fieldname }}={{ $fieldaction }}" + {{- end }} + - "--accesslog.fields.headers.defaultmode={{ .access.fields.headers.defaultmode }}" + {{- range $fieldname, $fieldaction := .access.fields.headers.names }} + - "--accesslog.fields.headers.names.{{ $fieldname }}={{ $fieldaction }}" + {{- end }} + {{- end }} + {{- end }} + {{- range $resolver, $config := $.Values.certResolvers }} + {{- range $option, $setting := $config }} + {{- if kindIs "map" $setting }} + {{- range $field, $value := $setting }} + - "--certificatesresolvers.{{ $resolver }}.acme.{{ $option }}.{{ $field }}={{ if kindIs "slice" $value }}{{ join "," $value }}{{ else }}{{ $value }}{{ end }}" + {{- end }} + {{- else }} + - "--certificatesresolvers.{{ $resolver }}.acme.{{ $option }}={{ $setting }}" + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.additionalArguments }} + {{- range . }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- with .Values.hub }} + {{- if .token }} + - "--hub.token=$(HUB_TOKEN)" + {{- if and (not .apimanagement.enabled) ($.Values.hub.apimanagement.admission.listenAddr) }} + {{- fail "ERROR: Cannot configure admission without enabling hub.apimanagement" }} + {{- end }} + {{- with .apimanagement }} + {{- if .enabled }} + {{- $listenAddr := default ":9943" .admission.listenAddr }} + - "--hub.apimanagement" + - "--hub.apimanagement.admission.listenAddr={{ $listenAddr }}" + {{- with .admission.secretName }} + - "--hub.apimanagement.admission.secretName={{ . }}" + {{- end }} + {{- end }} + {{- end }} + {{- with .platformUrl }} + - "--hub.platformUrl={{ . }}" + {{- end -}} + {{- range $field, $value := .redis }} + {{- if has $field (list "cluster" "database" "endpoints" "username" "password" "timeout") -}} + {{- with $value }} + - "--hub.redis.{{ $field }}={{ $value }}" + {{- end }} + {{- end }} + {{- end }} + {{- range $field, $value := .redis.sentinel }} + {{- if has $field (list "masterset" "password" "username") -}} + {{- with $value }} + - "--hub.redis.sentinel.{{ $field }}={{ $value }}" + {{- end }} + {{- end }} + {{- end }} + {{- range $field, $value := .redis.tls }} + {{- if has $field (list "ca" "cert" "insecureSkipVerify" "key") -}} + {{- with $value }} + - "--hub.redis.tls.{{ $field }}={{ $value }}" + {{- end }} + {{- end }} + {{- end }} + {{- with .sendlogs }} + - "--hub.sendlogs={{ . }}" + {{- end }} + {{- end }} + {{- end }} + env: + {{- if ($.Values.resources.limits).cpu }} + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: '1' + {{- end }} + {{- if ($.Values.resources.limits).memory }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' + {{- end }} + {{- with .Values.hub.token }} + - name: HUB_TOKEN + valueFrom: + secretKeyRef: + name: {{ . }} + key: token + {{- end }} + {{- with .Values.env }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.envFrom }} + envFrom: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.deployment.additionalContainers }} + {{- toYaml .Values.deployment.additionalContainers | nindent 6 }} + {{- end }} + volumes: + - name: {{ .Values.persistence.name }} + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ default (include "traefik.fullname" .) .Values.persistence.existingClaim }} + {{- else }} + emptyDir: {} + {{- end }} + - name: tmp + emptyDir: {} + {{- $root := . }} + {{- range .Values.volumes }} + - name: {{ tpl (.name) $root | replace "." "-" }} + {{- if eq .type "secret" }} + secret: + secretName: {{ tpl (.name) $root }} + {{- else if eq .type "configMap" }} + configMap: + name: {{ tpl (.name) $root }} + {{- end }} + {{- end }} + {{- if .Values.deployment.additionalVolumes }} + {{- toYaml .Values.deployment.additionalVolumes | nindent 8 }} + {{- end }} + {{- if gt (len .Values.experimental.plugins) 0 }} + - name: plugins + emptyDir: {} + {{- end }} + {{- if .Values.providers.file.enabled }} + - name: traefik-extra-config + configMap: + name: {{ template "traefik.fullname" . }}-file-provider + {{- end }} + {{- if .Values.affinity }} + affinity: + {{- tpl (toYaml .Values.affinity) . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + {{- if (semverCompare "<1.19.0-0" .Capabilities.KubeVersion.Version) }} + {{- fail "ERROR: topologySpreadConstraints are supported only on kubernetes >= v1.19" -}} + {{- end }} + topologySpreadConstraints: + {{- tpl (toYaml .Values.topologySpreadConstraints) . | nindent 8 }} + {{- end }} +{{ end -}} diff --git a/charts/traefik/traefik/32.1.1/templates/_service-metrics.tpl b/charts/traefik/traefik/32.1.1/templates/_service-metrics.tpl new file mode 100644 index 000000000..d16a3629d --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/_service-metrics.tpl @@ -0,0 +1,25 @@ +{{- define "traefik.metrics-service-metadata" }} + labels: + {{- include "traefik.metricsservicelabels" . | nindent 4 -}} + {{- with .Values.metrics.prometheus.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} + +{{/* Labels used for metrics-relevant selector*/}} +{{/* This is an immutable field: this should not change between upgrade */}} +{{- define "traefik.metricslabelselector" -}} +{{- include "traefik.labelselector" . }} +app.kubernetes.io/component: metrics +{{- end }} + +{{/* Shared labels used in metadata of metrics-service and servicemonitor */}} +{{- define "traefik.metricsservicelabels" -}} +{{ include "traefik.metricslabelselector" . }} +helm.sh/chart: {{ template "traefik.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.commonLabels }} +{{ toYaml . }} +{{- end }} +{{- end }} + diff --git a/charts/traefik/traefik/32.1.1/templates/_service.tpl b/charts/traefik/traefik/32.1.1/templates/_service.tpl new file mode 100644 index 000000000..27d5bc477 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/_service.tpl @@ -0,0 +1,84 @@ +{{- define "traefik.service-name" -}} +{{- $fullname := printf "%s-%s" (include "traefik.fullname" .root) .name -}} +{{- if eq .name "default" -}} +{{- $fullname = include "traefik.fullname" .root -}} +{{- end -}} + +{{- if ge (len $fullname) 60 -}} # 64 - 4 (udp-postfix) = 60 + {{- fail "ERROR: Cannot create a service whose full name contains more than 60 characters" -}} +{{- end -}} + +{{- $fullname -}} +{{- end -}} + +{{- define "traefik.service-metadata" }} + labels: + {{- include "traefik.labels" .root | nindent 4 -}} + {{- with .service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} + +{{- define "traefik.service-spec" -}} + {{- $type := default "LoadBalancer" .service.type }} + type: {{ $type }} + {{- with .service.loadBalancerClass }} + loadBalancerClass: {{ . }} + {{- end}} + {{- with .service.spec }} + {{- toYaml . | nindent 2 }} + {{- end }} + selector: + {{- include "traefik.labelselector" .root | nindent 4 }} + {{- if eq $type "LoadBalancer" }} + {{- with .service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 2 }} + {{- end -}} + {{- end -}} + {{- with .service.externalIPs }} + externalIPs: + {{- toYaml . | nindent 2 }} + {{- end -}} + {{- with .service.ipFamilyPolicy }} + ipFamilyPolicy: {{ . }} + {{- end }} + {{- with .service.ipFamilies }} + ipFamilies: + {{- toYaml . | nindent 2 }} + {{- end -}} +{{- end }} + +{{- define "traefik.service-ports" }} + {{- range $name, $config := .ports }} + {{- if (index (default dict $config.expose) $.serviceName) }} + {{- $port := default $config.port $config.exposedPort }} + {{- if empty $port }} + {{- fail (print "ERROR: Cannot create " (trim $name) " port on Service without .port or .exposedPort") }} + {{- end }} + - port: {{ $port }} + name: {{ $name | quote }} + targetPort: {{ default $name $config.targetPort }} + protocol: {{ default "TCP" $config.protocol }} + {{- if $config.nodePort }} + nodePort: {{ $config.nodePort }} + {{- end }} + {{- if $config.appProtocol }} + appProtocol: {{ $config.appProtocol }} + {{- end }} + {{- if and ($config.http3).enabled ($config.single) }} + {{- $http3Port := default $config.exposedPort $config.http3.advertisedPort }} + - port: {{ $http3Port }} + name: "{{ $name }}-http3" + targetPort: "{{ $name }}-http3" + protocol: UDP + {{- if $config.nodePort }} + nodePort: {{ $config.nodePort }} + {{- end }} + {{- if $config.appProtocol }} + appProtocol: {{ $config.appProtocol }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/traefik/traefik/32.1.1/templates/daemonset.yaml b/charts/traefik/traefik/32.1.1/templates/daemonset.yaml new file mode 100644 index 000000000..b370c2269 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/daemonset.yaml @@ -0,0 +1,58 @@ +{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "DaemonSet") -}} + {{- with .Values.additionalArguments -}} + {{- range . -}} + {{- if contains ".acme." . -}} + {{- fail (printf "ACME functionality is not supported when running Traefik as a DaemonSet") -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }} + {{- fail "\n\n ERROR: latest tag should not be used" }} + {{- end }} + {{- with .Values.updateStrategy }} + {{- if and (eq (.type) "RollingUpdate") (.rollingUpdate) }} + {{- if not (contains "%" (toString .rollingUpdate.maxUnavailable)) }} + {{- if and ($.Values.hostNetwork) (lt (float64 .rollingUpdate.maxUnavailable) 1.0) }} + {{- fail "maxUnavailable should be greater than 1 when using hostNetwork." }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- with .Values.deployment.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }} + checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.deployment.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "traefik.labelselector" . | nindent 6 }} + {{- with .Values.updateStrategy }} + updateStrategy: + type: {{ .type }} + {{- if (eq .type "RollingUpdate") }} + rollingUpdate: + maxUnavailable: {{ .rollingUpdate.maxUnavailable }} + maxSurge: {{ .rollingUpdate.maxSurge }} + {{- end }} + {{- end }} + minReadySeconds: {{ .Values.deployment.minReadySeconds }} + {{- if .Values.deployment.revisionHistoryLimit }} + revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }} + {{- end }} + template: {{ template "traefik.podTemplate" . }} +{{- end -}} diff --git a/charts/traefik/traefik/32.1.1/templates/deployment.yaml b/charts/traefik/traefik/32.1.1/templates/deployment.yaml new file mode 100644 index 000000000..4b3a1aeaa --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/deployment.yaml @@ -0,0 +1,58 @@ +{{/* check helm version */}} +{{- if (semverCompare "= 3.9.0 is required" -}} +{{- end -}} + +{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "Deployment") -}} + {{- if gt (int .Values.deployment.replicas) 1 -}} + {{- with .Values.additionalArguments -}} + {{- range . -}} + {{- if contains ".acme." . -}} + {{- fail (printf "You can not enable acme if you set more than one traefik replica") -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }} + {{- fail "\n\n ERROR: latest tag should not be used" }} + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- with .Values.deployment.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }} + checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.deployment.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ default 1 .Values.deployment.replicas }} + {{- end }} + {{- if .Values.deployment.revisionHistoryLimit }} + revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }} + {{- end }} + selector: + matchLabels: + {{- include "traefik.labelselector" . | nindent 6 }} + {{- with .Values.updateStrategy }} + strategy: + type: {{ .type }} + {{- if (eq .type "RollingUpdate") }} + rollingUpdate: + maxUnavailable: {{ .rollingUpdate.maxUnavailable }} + maxSurge: {{ .rollingUpdate.maxSurge }} + {{- end }} + {{- end }} + minReadySeconds: {{ .Values.deployment.minReadySeconds }} + template: {{ template "traefik.podTemplate" . }} +{{- end -}} diff --git a/charts/traefik/traefik/32.1.1/templates/extra-objects.yaml b/charts/traefik/traefik/32.1.1/templates/extra-objects.yaml new file mode 100644 index 000000000..fb38e9773 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/extra-objects.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraObjects }} +--- +{{ include "traefik.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/charts/traefik/traefik/32.1.1/templates/gateway.yaml b/charts/traefik/traefik/32.1.1/templates/gateway.yaml new file mode 100644 index 000000000..13696dffc --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/gateway.yaml @@ -0,0 +1,58 @@ +{{- if and (.Values.gateway).enabled (.Values.providers.kubernetesGateway).enabled }} + {{- if not .Values.gateway.listeners }} + {{- fail "ERROR: gateway must have at least one listener or should be disabled" }} + {{- end }} +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: {{ default "traefik-gateway" .Values.gateway.name }} + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- with .Values.gateway.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + gatewayClassName: {{ default "traefik" .Values.gatewayClass.name }} + listeners: + {{- range $name, $config := .Values.gateway.listeners }} + - name: {{ $name }} + {{ if not .port }} + {{- fail "ERROR: port needs to be specified" }} + {{- end -}} + {{ $found := false }} + {{- range $portName, $portConfig := $.Values.ports -}} + {{- if eq $portConfig.port $config.port -}} + {{ $found = true }} + {{- end -}} + {{- end -}} + {{ if not $found }} + {{- fail (printf "ERROR: port %0.f is not declared in ports" .port ) }} + {{- end -}} + port: {{ .port }} + protocol: {{ .protocol }} + {{- with .hostname }} + hostname: {{ . | toYaml }} + {{- end }} + {{- with .namespacePolicy }} + allowedRoutes: + namespaces: + from: {{ . }} + {{- end }} + {{ if and (eq .protocol "HTTPS") (not .certificateRefs) }} + {{- fail "ERROR: certificateRefs needs to be specified using HTTPS" }} + {{- end }} + {{ if or .certificateRefs .mode }} + tls: + {{ with .mode }} + mode: {{ . }} + {{- end }} + {{ with .certificateRefs }} + certificateRefs: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/traefik/traefik/32.1.1/templates/gatewayclass.yaml b/charts/traefik/traefik/32.1.1/templates/gatewayclass.yaml new file mode 100644 index 000000000..7f98c1ed4 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/gatewayclass.yaml @@ -0,0 +1,14 @@ +{{- if and (.Values.gatewayClass).enabled (.Values.providers.kubernetesGateway).enabled }} +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: {{ default "traefik" .Values.gatewayClass.name }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- with .Values.gatewayClass.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + controllerName: traefik.io/gateway-controller +{{- end }} diff --git a/charts/traefik/traefik/32.1.1/templates/hpa.yaml b/charts/traefik/traefik/32.1.1/templates/hpa.yaml new file mode 100644 index 000000000..cfa1e5a49 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/hpa.yaml @@ -0,0 +1,35 @@ +{{- if .Values.autoscaling.enabled }} + +{{- if not .Values.autoscaling.maxReplicas }} + {{- fail "ERROR: maxReplicas is required on HPA" }} +{{- end }} + +{{- if semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version }} +apiVersion: autoscaling/v2 +{{- else }} +apiVersion: autoscaling/v2beta2 +{{- end }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "traefik.fullname" . }} +{{- if .Values.autoscaling.minReplicas }} + minReplicas: {{ .Values.autoscaling.minReplicas }} +{{- end }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} +{{- if .Values.autoscaling.metrics }} + metrics: +{{ toYaml .Values.autoscaling.metrics | indent 4 }} +{{- end }} +{{- if .Values.autoscaling.behavior }} + behavior: +{{ toYaml .Values.autoscaling.behavior | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/traefik/traefik/32.1.1/templates/hub-admission-controller.yaml b/charts/traefik/traefik/32.1.1/templates/hub-admission-controller.yaml new file mode 100644 index 000000000..37b2314f5 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/hub-admission-controller.yaml @@ -0,0 +1,198 @@ +{{- if .Values.hub.token -}} +{{- if .Values.hub.apimanagement.enabled }} +{{- $cert := include "traefik-hub.webhook_cert" . | fromYaml }} +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: hub-agent-cert + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +data: + tls.crt: {{ $cert.Cert }} + tls.key: {{ $cert.Key }} + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: hub-acp + labels: + {{- include "traefik.labels" . | nindent 4 }} +webhooks: + - name: admission.traefik.svc + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /acp + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - accesscontrolpolicies + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: hub-api + labels: + {{- include "traefik.labels" . | nindent 4 }} +webhooks: + - name: hub-agent.traefik.portal + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api-portal + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apiportals + - name: hub-agent.traefik.api + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apis + - name: hub-agent.traefik.access + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api-access + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apiaccesses + - name: hub-agent.traefik.plan + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api-plan + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apiplans + - name: hub-agent.traefik.bundle + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api-bundle + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apibundles + - name: hub-agent.traefik.version + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api-version + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apiversions + +--- +apiVersion: v1 +kind: Service +metadata: + name: admission + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: admission + selector: + {{- include "traefik.labelselector" . | nindent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/traefik/traefik/32.1.1/templates/hub-apiportal.yaml b/charts/traefik/traefik/32.1.1/templates/hub-apiportal.yaml new file mode 100644 index 000000000..246b127ed --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/hub-apiportal.yaml @@ -0,0 +1,19 @@ +{{- if .Values.hub.apimanagement.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: apiportal + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + ports: + - name: apiportal + port: 9903 + protocol: TCP + targetPort: apiportal + selector: + {{- include "traefik.labelselector" . | nindent 4 }} +{{- end -}} + diff --git a/charts/traefik/traefik/32.1.1/templates/ingressclass.yaml b/charts/traefik/traefik/32.1.1/templates/ingressclass.yaml new file mode 100644 index 000000000..6a8ff8199 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/ingressclass.yaml @@ -0,0 +1,12 @@ +{{- if .Values.ingressClass.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: {{ .Values.ingressClass.isDefaultClass | quote }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + name: {{ .Values.ingressClass.name | default (include "traefik.fullname" .) }} +spec: + controller: traefik.io/ingress-controller +{{- end -}} diff --git a/charts/traefik/traefik/32.1.1/templates/ingressroute.yaml b/charts/traefik/traefik/32.1.1/templates/ingressroute.yaml new file mode 100644 index 000000000..2f35abb2a --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/ingressroute.yaml @@ -0,0 +1,43 @@ +{{ range $name, $config := .Values.ingressRoute }} +{{ if $config.enabled }} +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: {{ $.Release.Name }}-{{ $name }} + namespace: {{ template "traefik.namespace" $ }} + annotations: + {{- if and $.Values.ingressClass.enabled $.Values.providers.kubernetesCRD.enabled $.Values.providers.kubernetesCRD.ingressClass }} + kubernetes.io/ingress.class: {{ $.Values.providers.kubernetesCRD.ingressClass }} + {{- end }} + {{- with $config.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "traefik.labels" $ | nindent 4 }} + {{- with $config.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + entryPoints: + {{- range $config.entryPoints }} + - {{ . }} + {{- end }} + routes: + - match: {{ $config.matchRule }} + kind: Rule + {{- with $config.services }} + services: + {{- toYaml . | nindent 6 }} + {{- end -}} + {{- with $config.middlewares }} + middlewares: + {{- toYaml . | nindent 6 }} + {{- end -}} + + {{- with $config.tls }} + tls: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} +{{ end }} diff --git a/charts/traefik/traefik/32.1.1/templates/poddisruptionbudget.yaml b/charts/traefik/traefik/32.1.1/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..f1716397c --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/poddisruptionbudget.yaml @@ -0,0 +1,23 @@ +{{- if .Values.podDisruptionBudget.enabled -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "traefik.labelselector" . | nindent 6 }} + {{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} +{{- end -}} diff --git a/charts/traefik/traefik/32.1.1/templates/prometheusrules.yaml b/charts/traefik/traefik/32.1.1/templates/prometheusrules.yaml new file mode 100644 index 000000000..3231aba6c --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/prometheusrules.yaml @@ -0,0 +1,28 @@ +{{- if .Values.metrics.prometheus }} +{{- if (.Values.metrics.prometheus.prometheusRule).enabled }} + {{- if (not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")) }} + {{- if (not (.Values.metrics.prometheus.disableAPICheck)) }} + {{- fail "ERROR: You have to deploy monitoring.coreos.com/v1 first" }} + {{- end }} + {{- end }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ .Values.metrics.prometheus.prometheusRule.namespace | default (include "traefik.namespace" .) }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- with .Values.metrics.prometheus.prometheusRule.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.prometheus.prometheusRule.rules }} + groups: + - name: {{ template "traefik.name" $ }} + rules: + {{- with .Values.metrics.prometheus.prometheusRule.rules }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/traefik/traefik/32.1.1/templates/provider-file-cm.yaml b/charts/traefik/traefik/32.1.1/templates/provider-file-cm.yaml new file mode 100644 index 000000000..139a5a6ab --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/provider-file-cm.yaml @@ -0,0 +1,12 @@ +{{- if .Values.providers.file.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "traefik.fullname" . }}-file-provider + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +data: + config.yml: + {{ toYaml .Values.providers.file.content | nindent 4 }} +{{- end -}} diff --git a/charts/traefik/traefik/32.1.1/templates/pvc.yaml b/charts/traefik/traefik/32.1.1/templates/pvc.yaml new file mode 100644 index 000000000..7ab96f960 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/pvc.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ template "traefik.namespace" . }} + annotations: + {{- with .Values.persistence.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + helm.sh/resource-policy: keep + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.storageClass }} + storageClassName: {{ .Values.persistence.storageClass | quote }} + {{- end }} + {{- if .Values.persistence.volumeName }} + volumeName: {{ .Values.persistence.volumeName | quote }} + {{- end }} +{{- end -}} diff --git a/charts/traefik/traefik/32.1.1/templates/rbac/clusterrole.yaml b/charts/traefik/traefik/32.1.1/templates/rbac/clusterrole.yaml new file mode 100644 index 000000000..79239fa42 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/rbac/clusterrole.yaml @@ -0,0 +1,268 @@ +{{- $version := include "imageVersion" $ }} +{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.clusterRoleName" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- range .Values.rbac.aggregateTo }} + rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true" + {{- end }} +rules: + {{- if semverCompare ">=v3.1.0-0" $version }} + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + {{- end }} + {{- if (semverCompare "=v3.1.0-0" $version) }} + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + {{- end }} + - apiGroups: + - gateway.networking.k8s.io + resources: + {{- if semverCompare ">=v3.2.0-0" $version }} + - backendtlspolicies + {{- end }} + - gatewayclasses + - gateways + {{- if semverCompare ">=v3.2.0-0" $version }} + - grpcroutes + {{- end }} + - httproutes + - referencegrants + - tcproutes + - tlsroutes + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + {{- if semverCompare ">=v3.2.0-0" $version }} + - backendtlspolicies/status + {{- end }} + - gatewayclasses/status + - gateways/status + {{- if semverCompare ">=v3.2.0-0" $version }} + - grpcroutes/status + {{- end }} + - httproutes/status + - tcproutes/status + - tlsroutes/status + verbs: + - update + {{- end }} + {{- if .Values.hub.token }} + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + {{- end }} + {{- if .Values.hub.token }} + {{- if or (semverCompare ">=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }} + - apiGroups: + - "" + resources: + - endpoints + verbs: + - list + - watch + {{- end }} + - apiGroups: + - "" + resources: + - namespaces + {{- if .Values.hub.apimanagement.enabled }} + - pods + {{- end }} + verbs: + - get + - list + {{- if .Values.hub.apimanagement.enabled }} + - watch + {{- end }} + {{- if .Values.hub.apimanagement.enabled }} + - apiGroups: + - hub.traefik.io + resources: + - accesscontrolpolicies + - apiaccesses + - apiportals + - apiratelimits + - apis + - apiversions + - apibundles + - apiplans + verbs: + - list + - watch + - create + - update + - patch + - delete + - get + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch + {{- if (semverCompare "=1.25.0-0" .Capabilities.KubeVersion.Version }} + {{- fail "ERROR: PodSecurityPolicy has been removed in Kubernetes v1.25+" }} +{{- end }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + name: {{ template "traefik.fullname" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL +{{- if not .Values.securityContext.runAsNonRoot }} + allowedCapabilities: + - NET_BIND_SERVICE +{{- end }} + hostNetwork: {{ .Values.hostNetwork }} + hostIPC: false + hostPID: false + fsGroup: +{{- if .Values.securityContext.runAsNonRoot }} + ranges: + - max: 65535 + min: 1 + rule: MustRunAs +{{- else }} + rule: RunAsAny +{{- end }} +{{- if .Values.hostNetwork }} + hostPorts: + - max: 65535 + min: 1 +{{- end }} + readOnlyRootFilesystem: true + runAsUser: +{{- if .Values.securityContext.runAsNonRoot }} + rule: MustRunAsNonRoot +{{- else }} + rule: RunAsAny +{{- end }} + seLinux: + rule: RunAsAny + supplementalGroups: +{{- if .Values.securityContext.runAsNonRoot }} + ranges: + - max: 65535 + min: 1 + rule: MustRunAs +{{- else }} + rule: RunAsAny +{{- end }} + volumes: + - configMap + - downwardAPI + - secret + - emptyDir + - projected +{{- if .Values.persistence.enabled }} + - persistentVolumeClaim +{{- end -}} +{{- end -}} diff --git a/charts/traefik/traefik/32.1.1/templates/rbac/role.yaml b/charts/traefik/traefik/32.1.1/templates/rbac/role.yaml new file mode 100644 index 000000000..e81aaa8a6 --- /dev/null +++ b/charts/traefik/traefik/32.1.1/templates/rbac/role.yaml @@ -0,0 +1,143 @@ +{{- $version := include "imageVersion" $ }} +{{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}} +{{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}} +{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces)) -}} + +{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}} +{{- range $allNamespaces }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.fullname" $ }} + namespace: {{ . }} + labels: + {{- include "traefik.labels" $ | nindent 4 }} +rules: + {{- if (semverCompare "://:. Default: http://localhost:4318/v1/metrics + endpoint: "" + # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. + headers: {} + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. + ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. + cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. + key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + insecureSkipVerify: # @schema type:[boolean, null] + grpc: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics + endpoint: "" + # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. + insecure: false + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. + ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. + cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. + key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + insecureSkipVerify: false + +## Tracing +# -- https://doc.traefik.io/traefik/observability/tracing/overview/ +tracing: # @schema additionalProperties: false + # -- Enables tracing for internal resources. Default: false. + addInternals: false + otlp: + # -- See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ + enabled: false + http: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics + endpoint: "" + # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. + headers: {} + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. + ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. + cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. + key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + insecureSkipVerify: false + grpc: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics + endpoint: "" + # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. + insecure: false + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. + ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. + cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. + key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + insecureSkipVerify: false + +# -- Global command arguments to be passed to all traefik's pods +globalArguments: +- "--global.checknewversion" +- "--global.sendanonymoususage" + +# -- Additional arguments to be passed at Traefik's binary +# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/) +# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` +additionalArguments: [] +# - "--providers.kubernetesingress.ingressclass=traefik-internal" +# - "--log.level=DEBUG" + +# -- Environment variables to be passed to Traefik's binary +# @default -- See _values.yaml_ +env: +- name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + +# -- Environment variables to be passed to Traefik's binary from configMaps or secrets +envFrom: [] + +ports: + traefik: + port: 9000 + # -- Use hostPort if set. + hostPort: # @schema type:[integer, null]; minimum:0 + # -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. You may want + # to set this value if you need traefik to listen on specific interface + # only. + hostIP: # @schema type:[string, null] + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # -- You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: + default: false + # -- The exposed port for this service + exposedPort: 9000 + # -- The port protocol (TCP/UDP) + protocol: TCP + web: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 + # containerPort: 8000 + expose: + default: true + exposedPort: 80 + ## -- Different target traefik port on the cluster, useful for IP type LB + targetPort: # @schema type:[string, integer, null]; minimum:0 + # The port protocol (TCP/UDP) + protocol: TCP + # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) + nodePort: # @schema type:[integer, null]; minimum:0 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection + redirectTo: {} + forwardedHeaders: + # -- Trust forwarded headers information (X-Forwarded-*). + trustedIPs: [] + insecure: false + proxyProtocol: + # -- Enable the Proxy Protocol header parsing for the entry point + trustedIPs: [] + insecure: false + # -- Set transport settings for the entrypoint; see also + # https://doc.traefik.io/traefik/routing/entrypoints/#transport + transport: + respondingTimeouts: + readTimeout: # @schema type:[string, integer, null] + writeTimeout: # @schema type:[string, integer, null] + idleTimeout: # @schema type:[string, integer, null] + lifeCycle: + requestAcceptGraceTimeout: # @schema type:[string, integer, null] + graceTimeOut: # @schema type:[string, integer, null] + keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0 + keepAliveMaxTime: # @schema type:[string, integer, null] + websecure: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8443 + hostPort: # @schema type:[integer, null]; minimum:0 + containerPort: # @schema type:[integer, null]; minimum:0 + expose: + default: true + exposedPort: 443 + ## -- Different target traefik port on the cluster, useful for IP type LB + targetPort: # @schema type:[string, integer, null]; minimum:0 + ## -- The port protocol (TCP/UDP) + protocol: TCP + # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) + nodePort: # @schema type:[integer, null]; minimum:0 + # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol) + appProtocol: # @schema type:[string, null] + # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass) + allowACMEByPass: false + http3: + ## -- Enable HTTP/3 on the entrypoint + ## Enabling it will also enable http3 experimental feature + ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 + ## There are known limitations when trying to listen on same ports for + ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. + ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 + enabled: false + advertisedPort: # @schema type:[integer, null]; minimum:0 + forwardedHeaders: + # -- Trust forwarded headers information (X-Forwarded-*). + trustedIPs: [] + insecure: false + proxyProtocol: + # -- Enable the Proxy Protocol header parsing for the entry point + trustedIPs: [] + insecure: false + # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport) + transport: + respondingTimeouts: + readTimeout: # @schema type:[string, integer, null] + writeTimeout: # @schema type:[string, integer, null] + idleTimeout: # @schema type:[string, integer, null] + lifeCycle: + requestAcceptGraceTimeout: # @schema type:[string, integer, null] + graceTimeOut: # @schema type:[string, integer, null] + keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0 + keepAliveMaxTime: # @schema type:[string, integer, null] + # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#tls) + tls: + enabled: true + options: "" + certResolver: "" + domains: [] + # -- One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares + # -- /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ + # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace + # - namespace-name1@kubernetescrd + # - namespace-name2@kubernetescrd + middlewares: [] + metrics: + # -- When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 + # -- You may not want to expose the metrics port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: + default: false + # -- The exposed port for this service + exposedPort: 9100 + # -- The port protocol (TCP/UDP) + protocol: TCP + +# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options) +# When using `labelSelector`, you'll need to set labels on tlsOption accordingly. +# See EXAMPLE.md for details. +tlsOptions: {} + +# -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details. +tlsStore: {} + +service: + enabled: true + ## -- Single service is using `MixedProtocolLBService` feature gate. + ## -- When set to false, it will create two Service, one for TCP and one for UDP. + single: true + type: LoadBalancer + # -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} + # -- Additional annotations for TCP service only + annotationsTCP: {} + # -- Additional annotations for UDP service only + annotationsUDP: {} + # -- Additional service labels (e.g. for filtering Service by custom labels) + labels: {} + # -- Additional entries here will be added to the service spec. + # -- Cannot contain type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 + ## -- Class of the load balancer implementation + # loadBalancerClass: service.k8s.aws/nlb + externalIPs: [] + # - 1.2.3.4 + ## One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack + ## List of IP families (e.g. IPv4 and/or IPv6). + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + # ipFamilies: + # - IPv4 + # - IPv6 + ## + additionalServices: {} + ## -- An additional and optional internal Service. + ## Same parameters as external Service + # internal: + # type: ClusterIP + # # labels: {} + # # annotations: {} + # # spec: {} + # # loadBalancerSourceRanges: [] + # # externalIPs: [] + # # ipFamilies: [ "IPv4","IPv6" ] + +autoscaling: + # -- Create HorizontalPodAutoscaler object. + # See EXAMPLES.md for more details. + enabled: false + +persistence: + # -- Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + # It can be used to store TLS certificates, see `storage` in certResolvers + enabled: false + name: data + existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi + storageClass: "" + volumeName: "" + path: /data + annotations: {} + # -- Only mount a subpath of the Volume into the pod + subPath: "" + +# -- Certificates resolvers configuration. +# Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers +# See EXAMPLES.md for more details. +certResolvers: {} + +# -- If hostNetwork is true, runs traefik in the host network namespace +# To prevent unschedulabel pods due to port collisions, if hostNetwork=true +# and replicas>1, a pod anti-affinity is recommended and will be set if the +# affinity is left as default. +hostNetwork: false + +# -- Whether Role Based Access Control objects like roles and rolebindings should be created +rbac: # @schema additionalProperties: false + enabled: true + # When set to true: + # 1. It switches respectively the use of `ClusterRole` and `ClusterRoleBinding` to `Role` and `RoleBinding`. + # 2. It adds `disableIngressClassLookup` on Kubernetes Ingress with Traefik Proxy v3 until v3.1.4 + # 3. It adds `disableClusterScopeResources` on Ingress and CRD (Kubernetes) providers with Traefik Proxy v3.1.2+ + # **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC. + # See [upstream documentation](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#disableclusterscoperesources) for more details. + namespaced: false + # Enable user-facing roles + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + aggregateTo: [] + # List of Kubernetes secrets that are accessible for Traefik. If empty, then access is granted to every secret. + secretResourceNames: [] + +# -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding +podSecurityPolicy: + enabled: false + +# -- The service account the pods will use to interact with the Kubernetes API +serviceAccount: # @schema additionalProperties: false + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template + name: "" + +# -- Additional serviceAccount annotations (e.g. for oidc authentication) +serviceAccountAnnotations: {} + +# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. +resources: {} + +# -- This example pod anti-affinity forces the scheduler to put traefik pods +# -- on nodes where no other traefik pods are scheduled. +# It should be used when hostNetwork: true to prevent port conflicts +affinity: {} +# podAntiAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# - labelSelector: +# matchLabels: +# app.kubernetes.io/name: '{{ template "traefik.name" . }}' +# app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' +# topologyKey: kubernetes.io/hostname + +# -- nodeSelector is the simplest recommended form of node selection constraint. +nodeSelector: {} +# -- Tolerations allow the scheduler to schedule pods with matching taints. +tolerations: [] +# -- You can use topology spread constraints to control +# how Pods are spread across your cluster among failure-domains. +topologySpreadConstraints: [] +# This example topologySpreadConstraints forces the scheduler to put traefik pods +# on nodes where no other traefik pods are scheduled. +# - labelSelector: +# matchLabels: +# app.kubernetes.io/name: '{{ template "traefik.name" . }}' +# maxSkew: 1 +# topologyKey: kubernetes.io/hostname +# whenUnsatisfiable: DoNotSchedule + +# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) +priorityClassName: "" + +# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) +# @default -- See _values.yaml_ +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + +# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) +# @default -- See _values.yaml_ +podSecurityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + +# +# -- Extra objects to deploy (value evaluated as a template) +# +# In some cases, it can avoid the need for additional, extended or adhoc deployments. +# See #595 for more details and traefik/tests/values/extra.yaml for example. +extraObjects: [] + +# -- This field override the default Release Namespace for Helm. +# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` +namespaceOverride: "" + +## -- This field override the default app.kubernetes.io/instance label for all Objects. +instanceLabelOverride: "" + +# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/ +hub: + # -- Name of `Secret` with key 'token' set to a valid license token. + # It enables API Gateway. + token: "" + apimanagement: + # -- Set to true in order to enable API Management. Requires a valid license token. + enabled: false + admission: + # -- WebHook admission server listen address. Default: "0.0.0.0:9943". + listenAddr: "" + # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". + secretName: "" + + redis: + # -- Enable Redis Cluster. Default: true. + cluster: # @schema type:[boolean, null] + # -- Database used to store information. Default: "0". + database: # @schema type:[string, null] + # -- Endpoints of the Redis instances to connect to. Default: "". + endpoints: "" + # -- The username to use when connecting to Redis endpoints. Default: "". + username: "" + # -- The password to use when connecting to Redis endpoints. Default: "". + password: "" + sentinel: + # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". + masterset: "" + # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". + username: "" + # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". + password: "" + # -- Timeout applied on connection with redis. Default: "0s". + timeout: "" + tls: + # -- Path to the certificate authority used for the secured connection. + ca: "" + # -- Path to the public certificate used for the secure connection. + cert: "" + # -- Path to the private key used for the secure connection. + key: "" + # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. + insecureSkipVerify: false + # Enable export of errors logs to the platform. Default: true. + sendlogs: # @schema type:[boolean, null] diff --git a/index.yaml b/index.yaml index 7d6b683cb..f6cba922a 100644 --- a/index.yaml +++ b/index.yaml @@ -42458,6 +42458,42 @@ entries: - assets/intel/tcs-issuer-0.1.0.tgz version: 0.1.0 traefik: + - annotations: + artifacthub.io/changes: "- \"fix(schema): \U0001F41B targetPort can also be + a string\"\n- \"feat(deps): update traefik docker tag to v3.1.6\"\n- \"chore(release): + \U0001F680 publish v32.1.1\"\n- \"Update topology spread constraints comments\"\n" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Traefik Proxy + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: traefik + apiVersion: v2 + appVersion: v3.1.6 + created: "2024-10-12T00:37:14.245794026Z" + description: A Traefik based Kubernetes ingress controller + digest: bc21cc748df23711fc3803d5766d4143461f954775576cdddab95cc72f232dda + home: https://traefik.io/ + icon: file://assets/icons/traefik.png + keywords: + - traefik + - ingress + - networking + kubeVersion: '>=1.22.0-0' + maintainers: + - email: michel.loiseleur@traefik.io + name: mloiseleur + - email: charlie.haley@traefik.io + name: charlie-haley + - email: remi.buisson@traefik.io + name: darkweaver87 + - name: jnoordsij + name: traefik + sources: + - https://github.com/traefik/traefik + - https://github.com/traefik/traefik-helm-chart + type: application + urls: + - assets/traefik/traefik-32.1.1.tgz + version: 32.1.1 - annotations: artifacthub.io/changes: "- \"fix: :bug: set disableIngressClassLookup until 3.1.4\"\n- \"feat(deps): update traefik docker tag to v3.1.5\"\n- \"feat(Traefik @@ -44832,4 +44868,4 @@ entries: urls: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 -generated: "2024-10-11T00:35:26.244020247Z" +generated: "2024-10-12T00:37:09.128616817Z"